我尝试使用这里(here)给出的以下代码来验证来自API端点的PKCS7签名:
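// Verifies a DER-encoded PKCS #7 container held in `receiptData` against the
// root certificate bundled with the app as AppleIncRootCertificate.cer.
// `receiptData` and `base64Encoded` are defined outside this snippet.
NSURL *appleRootURL = [[NSBundle mainBundle] URLForResource:@"AppleIncRootCertificate" withExtension:@"cer"];
NSData *appleRootData = [NSData dataWithContentsOfURL:appleRootURL];

// Create a memory buffer to extract the PKCS #7 container.
// BIO_new_mem_buf takes an int length, so empty or oversized input is rejected
// up front instead of being truncated by the cast.
BIO *receiptBIO = NULL;
if ([receiptData length] > 0 && [receiptData length] <= INT_MAX) {
    receiptBIO = BIO_new_mem_buf((void *)[receiptData bytes], (int)[receiptData length]);
}

// NOTE(review): this wraps the Objective-C object pointer itself, not the
// encoded bytes it holds, and the BIO is never read in this snippet. If it is
// meant to carry detached content, build it from the object's byte buffer.
BIO *dataBIO;
dataBIO = BIO_new_mem_buf((__bridge void *)base64Encoded, (int)[base64Encoded length]);

// Receives the signed content on success. The original left this pointer
// uninitialized, so PKCS7_verify was handed an indeterminate address.
BIO *b_out = BIO_new(BIO_s_mem());

// The root certificate is nil when the resource is missing from the bundle.
BIO *appleRootBIO = NULL;
if ([appleRootData length] > 0 && [appleRootData length] <= INT_MAX) {
    appleRootBIO = BIO_new_mem_buf((void *)[appleRootData bytes], (int)[appleRootData length]);
}

PKCS7 *receiptPKCS7 = (receiptBIO != NULL) ? d2i_PKCS7_bio(receiptBIO, NULL) : NULL;
X509 *appleRootX509 = (appleRootBIO != NULL) ? d2i_X509_bio(appleRootBIO, NULL) : NULL;
X509_STORE *store = X509_STORE_new();

OpenSSL_add_all_digests();
OpenSSL_add_all_algorithms();

// Treat any parse or allocation failure as a failed verification rather than
// passing NULL objects into the verifier.
int result = 0;
if (receiptPKCS7 != NULL && appleRootX509 != NULL && store != NULL && b_out != NULL &&
    X509_STORE_add_cert(store, appleRootX509) == 1) {
    // flags == 0 keeps chain verification of the signer certificate against
    // `store` enabled. PKCS7_verify checks that chain for the S/MIME signing
    // purpose, so a signer certificate issued for another purpose fails here
    // even when the chain itself is otherwise valid.
    // NOTE(review): receiptBIO was already consumed by d2i_PKCS7_bio above. For
    // an attached signature the content argument should be NULL; for a detached
    // signature it should be a BIO over the signed content. Confirm which
    // applies before relying on the result.
    result = PKCS7_verify(receiptPKCS7, NULL, store, receiptBIO, b_out, 0);
}
if (result != 1) {
    // Validation fails
    NSLog(@"result is %d", result);
}

// Release OpenSSL objects. Read the verified payload out of b_out, and finish
// any further use of receiptPKCS7, before this point.
BIO_free(b_out);
BIO_free(dataBIO);
BIO_free(receiptBIO);
BIO_free(appleRootBIO);
PKCS7_free(receiptPKCS7);
X509_free(appleRootX509);
X509_STORE_free(store);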
然而,在将它运行到设备后,我收到OPENSSL错误:
1010506260:错误:21075075:PKCS7例程:PKCS7_verify:证书验证错误:pk7_smime.c:342:验证错误:证书目的不受支持
我哪里出错了? : - (
答案 0 :(得分:0)
我知道这个问题已经过时了,但我们最近经历并解决了同样的问题。
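尝试将 PKCS7_NOVERIFY 作为 PKCS7_verify() 的最后一个参数(flags)传递,以跳过签名者证书上的链验证。你(就像我们一样,做自定义分离签名tomfoolery)可能有一个签名者证书,在这个特定的设置中没有通过链验证。需要注意:传入 PKCS7_NOVERIFY 之后,PKCS7_verify() 只确认签名与容器中携带的签名者证书相符,不再确认该证书是否链接到 store 中受信任的根证书,因此需要另行确认签名者证书就是预期的那一张(例如与已知证书或其指纹比对)。如果失败原因只是“证书目的不受支持”,也可以尝试保留链验证,改为在验证前调用 X509_STORE_set_purpose(store, X509_PURPOSE_ANY) 放宽目的检查。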