我正在使用Apple's example code来评估X509证书。 我修改了一下以从我的包中获取证书(仅更改了文件名)。
当我运行此功能时,它始终会在comment 5 status = SecTrustEvaluate(myTrust, &trustResult);的行中崩溃。我总是EXC_BAD_ACCESS。
- (BOOL)validateCertificate
{
NSString *thePath = [[NSBundle mainBundle] pathForResource:@"user_signed_cert" ofType:@"crt"];
NSData *certData = [[NSData alloc]
initWithContentsOfFile:thePath];
CFDataRef myCertData = (__bridge_retained CFDataRef)certData; //1
SecCertificateRef myCert;
myCert = SecCertificateCreateWithData(NULL, myCertData); //2
SecPolicyRef myPolicy = SecPolicyCreateBasicX509(); //3
SecCertificateRef certArray[1] = { myCert };
CFArrayRef myCerts = CFArrayCreate(
NULL, (void *)certArray,
1, NULL);
SecTrustRef myTrust;
OSStatus status = SecTrustCreateWithCertificates(
myCerts,
myPolicy,
&myTrust); //4
SecTrustResultType trustResult;
if (status == noErr) {
status = SecTrustEvaluate(myTrust, &trustResult); //5 }
NSLog(@"Status: %d", status);
//6 if (trustResult == kSecTrustResultRecoverableTrustFailure) {
}
if (myPolicy)
CFRelease(myPolicy);
}
有谁知道这里出了什么问题?
提前致谢!
更新#1:我已将其更改为以下内容,但没有任何更改。 SecTrustEvaluate()上的EXC_BAD_ACCESS相同。
NSMutableArray *temp = [[NSMutableArray alloc] init];
[temp addObject:certData];
OSStatus status = SecTrustCreateWithCertificates((__bridge CFArrayRef)temp, myPolicy, &myTrust);
status之后似乎SecTrustCreateWithCertificates()为空,但不包含错误。
其他任何建议都错了吗?
更新#2:我尝试了下面提到的解决方案并始终接收kSecTrustResultInvalid。我只更改了CA证书创建以将私钥存储在ca.key中,因为在签署请求(client.csr)时,我收到以下错误消息:
Signature ok
subject=/CN=foo-by-ZeeCA
Getting CA Private Key
unable to load CA Private Key
此外,我必须将签名请求命令更改为openssl x509 -CA ca.pem -in client.csr -CAkey ca.key -req -set_serial 1 -out client.pem。 (已添加-CAkey ca.key)
然后我使用了下面解决方案中的代码,并从包中添加了我的路径。另外,我为状态添加了一个switch-case。
/*
# CA
openssl req -x509 -new -subj /CN=ZeeCA -keyout ca.key -nodes -set_serial 1 > ca.pem
openssl x509 -outform DER -out ca.der -in ca.pem
# create andsign client
openssl req -new -subj /CN=foo-by-ZeeCA -CAkey ca.key -keyout client.key -nodes > client.csr
openssl x509 -CA ca.pem -in client.csr -req -set_serial 1 -out client.pem
# format for client identity import
openssl pkcs12 -export -out client.12 -inkey client.key -in client.pem -CAfile ca.pem -password pass:1234
# format for trust.
openssl x509 -in client.pem -out client.der -outform der
*/
NSString *clientPath = [[NSBundle mainBundle] pathForResource:@"client" ofType:@"der"];
//NSString *thePath = @"XXXX/client.der";
NSData *certData = [[NSData alloc]
initWithContentsOfFile:clientPath];
CFDataRef myCertData = (__bridge_retained CFDataRef)certData; //1
assert(myCertData);
SecCertificateRef myCert;
myCert = SecCertificateCreateWithData(NULL, myCertData); //2
assert(myCert);
SecPolicyRef myPolicy = SecPolicyCreateBasicX509(); //3
NSArray * certArray = [NSArray arrayWithObject:(__bridge id)(myCert)];
SecTrustRef myTrust;
OSStatus status = SecTrustCreateWithCertificates(
(__bridge CFArrayRef)certArray,
myPolicy,
&myTrust); //4
NSString *caPath = [[NSBundle mainBundle] pathForResource:@"ca" ofType:@"der"];
NSData *caData = [[NSData alloc]
initWithContentsOfFile:caPath];
CFDataRef myCaData = (__bridge_retained CFDataRef)caData;
SecCertificateRef myCA = SecCertificateCreateWithData(NULL, myCaData);
assert(myCA);
NSArray * myCAs = [NSArray arrayWithObject:(__bridge id)(myCA)];
SecTrustResultType xxx = SecTrustSetAnchorCertificates(myTrust, (__bridge CFArrayRef)(myCAs));
if (xxx != noErr) {
NSLog(@"SecTrustSetAnchorCertificates failed: %d", xxx);
}
SecTrustResultType trustResult;
if (status == noErr) {
status = SecTrustEvaluate(myTrust, &trustResult); //5 }
NSLog(@"Status: %d", status);
}
if (myPolicy)
CFRelease(myPolicy);
if (status == noErr) {
status = SecTrustEvaluate(myTrust, &trustResult); //5 }
switch (status) {
case kSecTrustResultProceed: // 1
NSLog(@"Proceed");
break;
case kSecTrustResultConfirm: // 2
NSLog(@"Confirm");
break;
case kSecTrustResultUnspecified: // 4
NSLog(@"Unspecified");
break;
case kSecTrustResultRecoverableTrustFailure: // 5
NSLog(@"TrustFailure");
break;
case kSecTrustResultDeny: // 3
NSLog(@"Deny");
break;
case kSecTrustResultFatalTrustFailure: // 6
NSLog(@"FatalTrustFailure");
break;
case kSecTrustResultOtherError: // 7
NSLog(@"OtherError");
break;
case kSecTrustResultInvalid: // 0
NSLog(@"Invalid");
break;
default:
NSLog(@"Default");
break;
}
}
答案 0 :(得分:0)
我认为您的问题是在数组的数组中。我使用下面的代码 - 即在你称之为myCerts的地方传递一个简单的SecCertificateRef平面数组。
NSMutableArray *serverChain = [NSMutableArray array];
for(int i = 0; i < SecTrustGetCertificateCount(secTrustRef); i++)
[serverChain addObject:(__bridge id)(SecTrustGetCertificateAtIndex(secTrustRef,i))];
SecTrustRef noHostTrustRef = NULL;
OSErr status = SecTrustCreateWithCertificates((__bridge CFArrayRef) serverChain, SecPolicyCreateSSL(NO, nil), &noHostTrustRef);
if (status != noErr) {
NSLog(@"SecTrustCreateWithCertificates failed: %hd", status);
[[challenge sender] cancelAuthenticationChallenge:challenge];
}
NSMutableArray *certRefs = [NSMutableArray arrayWithCapacity:[acceptableCAs count]];
for(Certificate * cert in acceptableCAs)
[certRefs addObject:(id)[cert secCertificateRef]];
status = SecTrustSetAnchorCertificates(noHostTrustRef, (__bridge CFArrayRef)certRefs);
if (status != noErr) {
NSLog(@"SecTrustSetAnchorCertificates failed: %hd", status);
[[challenge sender] cancelAuthenticationChallenge:challenge];
}
status = SecTrustEvaluate(noHostTrustRef, &result);
if (status != noErr) {
NSLog(@"SecTrustEvaluate failed: %hd", status);
[[challenge sender] cancelAuthenticationChallenge:challenge];
}
CFRelease(noHostTrustRef);
如果我把你的代码放在一个简单的cmd行包装器中:
int main(int argc,const char * argv []) {
@autoreleasepool {
// openssl req -x509 -new -subj /CN=foo -out user_signed_cert.crt \
// -keyout /dev/null -outform DER -nodes -set_serial 1
//
NSString *thePath = @"XXXXX/user_signed_cert.crt";
NSData *certData = [[NSData alloc]
initWithContentsOfFile:thePath];
CFDataRef myCertData = (__bridge_retained CFDataRef)certData; //1
assert(myCertData);
SecCertificateRef myCert;
myCert = SecCertificateCreateWithData(NULL, myCertData); //2
SecPolicyRef myPolicy = SecPolicyCreateBasicX509(); //3
SecCertificateRef certArray[1] = { myCert };
CFArrayRef myCerts = CFArrayCreate(
NULL, (void *)certArray,
1, NULL);
SecTrustRef myTrust;
OSStatus status = SecTrustCreateWithCertificates(
myCerts,
myPolicy,
&myTrust); //4
SecTrustResultType trustResult;
if (status == noErr) {
status = SecTrustEvaluate(myTrust, &trustResult); //5 }
NSLog(@"Status: %d", status);
//6 if (trustResult == kSecTrustResultRecoverableTrustFailure) {
}
if (myPolicy)
CFRelease(myPolicy);
}
return 0;
并使用明确的证书:
@autoreleasepool {
/*
# CA
openssl req -x509 -new -subj /CN=ZeeCA -keyout /dev/stdout -nodes -set_serial 1 > ca.pem
openssl x509 -outform DER -out ca.der -in ca.pem
# create andsign client
openssl req -new -subj /CN=foo-by-ZeeCA -keyout client.key -nodes > client.csr
openssl x509 -CA ca.pem -in client.csr -req -set_serial 1 -out client.pem
# format for client identity import
openssl pkcs12 -export -out client.12 -inkey client.key -in client.pem -CAfile ca.pem -password pass:1234
# format for trust.
openssl x509 -in client.pem -out client.der -outform der
*/
NSString *thePath = @"XXXX/client.der";
NSData *certData = [[NSData alloc]
initWithContentsOfFile:thePath];
CFDataRef myCertData = (__bridge_retained CFDataRef)certData; //1
assert(myCertData);
SecCertificateRef myCert;
myCert = SecCertificateCreateWithData(NULL, myCertData); //2
assert(myCert);
SecPolicyRef myPolicy = SecPolicyCreateBasicX509(); //3
NSArray * certArray = [NSArray arrayWithObject:(__bridge id)(myCert)];
SecTrustRef myTrust;
OSStatus status = SecTrustCreateWithCertificates(
(__bridge CFArrayRef)certArray,
myPolicy,
&myTrust); //4
NSData *caData = [[NSData alloc]
initWithContentsOfFile:@"XXXXX/ca.der"];
CFDataRef myCaData = (__bridge_retained CFDataRef)caData;
SecCertificateRef myCA = SecCertificateCreateWithData(NULL, myCaData);
assert(myCA);
NSArray * myCAs = [NSArray arrayWithObject:(__bridge id)(myCA)];
SecTrustResultType xxx = SecTrustSetAnchorCertificates(myTrust, (__bridge CFArrayRef)(myCAs));
if (xxx != noErr) {
NSLog(@"SecTrustSetAnchorCertificates failed: %d", xxx);
}
SecTrustResultType trustResult;
if (status == noErr) {
status = SecTrustEvaluate(myTrust, &trustResult); //5 }
NSLog(@"Status: %d", status);
//6 if (trustResult == kSecTrustResultRecoverableTrustFailure) {
}
if (myPolicy)
CFRelease(myPolicy);
}
两个似乎都为我做了伎俩?