How to check X.509 revocation with SecPolicyCreateRevocation in iOS 7

Time: 2013-11-12 12:07:41

Tags: ios ios7 certificate ocsp

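I have been trying to check the revocation status of X.509 certificates in iOS 7.0 using OCSP and CRL at different moments, and the evaluation returns kSecTrustResultUnspecified (which means the certificate is trusted) without actually checking the OCSP or CRL sources, as long as I pass all the certificates in the chain. I have put below whatever code I considered relevant, please help!

Thanks!

PS: ocspOnly and crlOnly are booleans that indicate whether to use either of the revocation checking methods; certs is an NSArray containing all the certificates in the chain except the anchor certificates; the anchor certificates were set correctly beforehand.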

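OSStatus status;
SecTrustRef trust = NULL;
SecTrustResultType trustResult;

// Require a positive response from the revocation source, then select the method.
CFOptionFlags evaluationMethod = kSecRevocationRequirePositiveResponse;

if (ocspOnly) {
    evaluationMethod |= kSecRevocationOCSPMethod;
} else if (crlOnly) {
    evaluationMethod |= kSecRevocationCRLMethod;
} else {
    evaluationMethod |= kSecRevocationUseAnyAvailableMethod;
}

// SecPolicyCreateRevocation follows the Create rule, so the policy is released
// once the trust object holds its own reference.
SecPolicyRef policy = SecPolicyCreateRevocation(evaluationMethod);
status = SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust);
if (policy) {
    CFRelease(policy);
}
if (status != errSecSuccess) {
    NSLog(@"Failed to create trust with certificate and policy: %ld", (long)status);
    return NO;
}

// Allow the trust evaluation to fetch OCSP/CRL data over the network.
if ((status = SecTrustSetNetworkFetchAllowed(trust, YES)) != errSecSuccess) {
    NSLog(@"Failed to activate network fetch: %ld", (long)status);
}

status = SecTrustEvaluate(trust, &trustResult);
CFRelease(trust);
if (status != errSecSuccess) {
    NSLog(@"Failed to evaluate trust: %ld", (long)status);
    return NO;
}

if (trustResult == kSecTrustResultProceed || trustResult == kSecTrustResultUnspecified)
    return YES;
return NO;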

PS-2: This question has also been posted on the iOS developer forums here.

0 answers:

No answers