Why does SecTrustEvaluate() return kSecTrustResultFatalTrustFailure on Mac 10.10, while previous versions return kSecTrustResultRecoverableTrustFailure?

Time: 2014-08-23 10:55:04

Tags: macos ssl-certificate keychain truststore osx-server

When we call the following function, up to Mac 10.9

    OSStatus SecTrustEvaluate(SecTrustRef trust, SecTrustResultType *result);

we used to get the return value kSecTrustResultRecoverableTrustFailure, whereas from Mac 10.10 onward I get kSecTrustResultFatalTrustFailure.

Why is this happening?

==================================================================================

Here is the code that evaluates the SSL certificate:

    #import <Foundation/Foundation.h>
    #import <Security/Security.h>

    //=====================================================================================================================
    //     EvaluateSSLCert
    //          For a given read stream, evaluates the server SSL certificate chain
    //          returns YES - certificate valid
    //                  NO  - invalid certificate
    //=====================================================================================================================
    - (BOOL)EvaluateSSLCert
    {
        BOOL bValidCert = YES;
        SecTrustRef trust = NULL;
        SecPolicyRef policy = NULL;
        OSStatus retStat;
        CFArrayRef certArray = NULL;
        SecTrustResultType result = kSecTrustResultInvalid;
        SecPolicySearchRef search = NULL;

        // The certificate chain the server presented on this stream (owned by us after Copy)
        certArray = (CFArrayRef)CFReadStreamCopyProperty(m_StreamRead, kCFStreamPropertySSLPeerCertificates);

        // Look up the Apple SSL trust policy (SecPolicySearch* is a deprecated CDSA API;
        // SecPolicyCreateSSL is the modern replacement)
        retStat = SecPolicySearchCreate(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_SSL, NULL, &search);
        if (retStat == errSecSuccess && search != NULL)
        {
            retStat = SecPolicySearchCopyNext(search, &policy);
            CFRelease(search);
        }

        retStat = SecTrustCreateWithCertificates(certArray, policy, &trust);
        if (retStat == errSecSuccess)
        {
            retStat = SecTrustSetAnchorCertificates(trust, NULL); // NULL = use the system's default anchors
            retStat = SecTrustEvaluate(trust, &result);
            if (retStat == errSecSuccess)
            {
                NSLogSecuredString(LOG_LEVEL_DEBUG, "<EvaluateSSLCert> SecTrustEvaluate succeeded");
                // Only Deny and FatalTrustFailure are rejected here; every other result,
                // including kSecTrustResultRecoverableTrustFailure, is accepted as valid.
                if (result == kSecTrustResultDeny || result == kSecTrustResultFatalTrustFailure)
                {
                    NSLogSecuredString(LOG_LEVEL_DEBUG, "<EvaluateSSLCert> Invalid Cert. SecTrustEvaluate result = %d", result);
                    bValidCert = NO;
                }
                else
                {
                    // valid cert
                    NSLogSecuredString(LOG_LEVEL_DEBUG, "<EvaluateSSLCert> SecTrustEvaluate result = %d", result);
                }
            }
            else
            {
                // Evaluation itself failed, so nothing has been verified: do not fail open
                NSLogSecuredString(LOG_LEVEL_DEBUG, "<EvaluateSSLCert> SecTrustEvaluate failed");
                bValidCert = NO;
            }
        }
        else
        {
            // No trust object could be built from the chain: treat as invalid rather than valid
            bValidCert = NO;
        }

        // CFRelease(NULL) crashes, so release only what was actually created
        if (policy != NULL)    CFRelease(policy);
        if (trust != NULL)     CFRelease(trust);
        if (certArray != NULL) CFRelease(certArray); // leaked in the original version

        return bValidCert;
    }

1 answer:

Answer 0 (score: -1)

kCFStreamPropertySSLPeerCertificates no longer works on 10.10. You can try using kCFStreamPropertySSLPeerTrust to retrieve the trust object and the certificate objects.

    SecTrustRef trust = (SecTrustRef)CFReadStreamCopyProperty(m_StreamRead, kCFStreamPropertySSLPeerTrust);
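The following is an added example (not code from the question or the answer) showing how the trust object obtained via kCFStreamPropertySSLPeerTrust can be evaluated end to end, and how each SecTrustResultType value is interpreted. It assumes the same m_StreamRead read stream as the question, ARC, and an explicit hostname parameter that this example introduces; the method name evaluatePeerTrustForHost: is also an assumption. Unlike the question's code, it treats kSecTrustResultRecoverableTrustFailure as untrusted, because that result means the chain did not validate under the current policy and a client that accepts it has effectively skipped certificate validation.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example (assumed name). Evaluates the peer chain using the trust object
// the SSL stream already built, pinned to an SSL server policy for `hostname`.
// Returns YES only when the chain validates against the system anchors (or a
// user-set explicit trust), NO for every failure mode including "recoverable".
- (BOOL)evaluatePeerTrustForHost:(NSString *)hostname
{
    BOOL trusted = NO;

    // m_StreamRead is the CFReadStreamRef from the question (assumed instance variable)
    SecTrustRef trust = (SecTrustRef)CFReadStreamCopyProperty(m_StreamRead, kCFStreamPropertySSLPeerTrust);
    if (trust == NULL) {
        return NO; // handshake not done yet, or the stream is not TLS
    }

    // Require the chain to be valid *for this hostname*, not merely well-signed
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)hostname);
    if (policy != NULL) {
        SecTrustSetPolicies(trust, policy);
        CFRelease(policy);
    }

    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    if (status == errSecSuccess) {
        switch (result) {
            case kSecTrustResultProceed:      // user explicitly trusted this chain (Keychain Access)
            case kSecTrustResultUnspecified:  // chain validates with default settings; the normal success case
                trusted = YES;
                break;
            case kSecTrustResultRecoverableTrustFailure:
                // Validation failed (unknown CA, expired cert, hostname mismatch, ...).
                // "Recoverable" only means a user *could* override it; silently
                // accepting it here would disable certificate checking.
                trusted = NO;
                break;
            case kSecTrustResultDeny:              // user explicitly distrusted the chain
            case kSecTrustResultFatalTrustFailure: // chain is broken in a non-overridable way
            case kSecTrustResultOtherError:
            case kSecTrustResultInvalid:
            default:
                trusted = NO;
                break;
        }
    }

    if (!trusted) {
        // Diagnostics for the log: which certificate failed and why (not shown to the user)
        CFArrayRef props = SecTrustCopyProperties(trust);
        if (props != NULL) {
            NSLog(@"Trust evaluation failed: status=%d result=%u details=%@",
                  (int)status, (unsigned)result, (__bridge NSArray *)props);
            CFRelease(props);
        }
    }

    CFRelease(trust);
    return trusted;
}
```

Calling `[self evaluatePeerTrustForHost:@"example.com"]` after the TLS handshake has completed returns YES only for kSecTrustResultProceed or kSecTrustResultUnspecified. Whether the OS reports a given defect as recoverable or fatal can change between releases, as the question observes, so the decision is anchored on the two success values rather than on the specific failure codes.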