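Verifying a detached PKCS7 signature on iOS: Verify error: unsupported certificate purpose

Time: 2015-08-06 19:08:39

Tags: ios objective-c openssl

I'm trying to verify a PKCS7 signature from an API endpoint, using the following code from here: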

    NSURL *appleRootURL = [[NSBundle mainBundle] URLForResource:@"AppleIncRootCertificate" withExtension:@"cer"];

    NSData *appleRootData = [NSData dataWithContentsOfURL:appleRootURL];


    // Create a memory buffer to extract the PKCS #7 container

    BIO *receiptBIO ;
    receiptBIO = BIO_new_mem_buf((void *)[receiptData bytes], (int)[receiptData length]);

    BIO *dataBIO;
    dataBIO = BIO_new_mem_buf((__bridge void *)base64Encoded, (int)[base64Encoded length]);

    BIO *b_out = NULL; // initialized: an uninitialized BIO pointer must not be passed to PKCS7_verify

    BIO *appleRootBIO;
    appleRootBIO = BIO_new_mem_buf((void *)[appleRootData bytes], (int)[appleRootData length]);


    PKCS7 *receiptPKCS7 = d2i_PKCS7_bio(receiptBIO, NULL);

    X509 *appleRootX509 = d2i_X509_bio(appleRootBIO, NULL);
    X509_STORE *store = X509_STORE_new();
    X509_STORE_add_cert(store, appleRootX509);

    OpenSSL_add_all_digests();
    OpenSSL_add_all_algorithms();

    int result = PKCS7_verify(receiptPKCS7, NULL, store, receiptBIO, b_out, 0);

    if (result != 1) {
        // Validation fails
        NSLog(@"result is %d", result);
    }

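However, after running it on a device, I get this OpenSSL error:

    1010506260:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:342:Verify error:unsupported certificate purpose

Where did I go wrong? :-(

1 Answer:

Answer 0: (score: 0)

I know this question is old, but we recently went through and solved the same problem.

Try passing PKCS7_NOVERIFY as the last argument to PKCS7_verify() to skip chain verification on the signer's certificate. You (like us, doing custom detached-signature tomfoolery) probably have a signer certificate that doesn't pass chain verification in this particular setup.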
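
PKCS7_verify() chain-verifies the signer certificate for the S/MIME signing purpose, which is the check that reports "unsupported certificate purpose". The shell script below is an added example, not code from the question or the answer; its file names, certificate subjects and the codeSigning-only signer are constructed assumptions. It reproduces the rejection with the openssl CLI and compares relaxing only the purpose (`-purpose any`, whose C-API counterpart is `X509_STORE_set_purpose(store, X509_PURPOSE_ANY)`) with `-noverify`, the CLI form of PKCS7_NOVERIFY.

```shell
#!/bin/sh
# Constructed fixture: two throwaway roots and a signer certificate whose only
# extended key usage is codeSigning, so it fails the S/MIME-signing purpose
# check that PKCS7 verification applies by default.
new_root() { # $1 = work dir, $2 = file stem
  openssl req -x509 -config "$1/demo.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed $2" -days 2 -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}
make_fixture() { # $1 = empty work dir
  d=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' \
    'CN = constructed' '[ca]' 'basicConstraints = critical,CA:TRUE' \
    '[signer]' 'extendedKeyUsage = codeSigning' > "$d/demo.cnf"
  new_root "$d" root && new_root "$d" other || return 1
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed signer" -keyout "$d/s.key" -out "$d/s.csr" 2>/dev/null
  openssl x509 -req -in "$d/s.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/demo.cnf" -extensions signer -days 2 \
    -out "$d/s.pem" 2>/dev/null
  printf 'constructed payload\n' > "$d/msg"
  printf 'tampered payload\n' > "$d/bad"
  # smime -sign is detached by default: sig.p7s carries no copy of the content
  openssl smime -sign -binary -in "$d/msg" -signer "$d/s.pem" -inkey "$d/s.key" \
    -outform DER -out "$d/sig.p7s" 2>/dev/null
}
# verify_detached DIR ROOT CONTENT [openssl options]; exit status 0 = verified
verify_detached() {
  d=$1; root=$2; content=$3; shift 3
  openssl smime -verify -binary -inform DER -in "$d/sig.p7s" -content "$content" \
    -CAfile "$d/$root.pem" "$@" -out /dev/null 2>/dev/null
}
demo() {
  d=$(mktemp -d) && make_fixture "$d" || return 1
  verify_detached "$d" root "$d/msg" || echo "default purpose: rejected"
  verify_detached "$d" root "$d/msg" -purpose any && echo "-purpose any: verified"
  verify_detached "$d" root "$d/bad" -purpose any || echo "tampered content: rejected"
  verify_detached "$d" other "$d/msg" -purpose any || echo "wrong root: rejected"
  verify_detached "$d" other "$d/msg" -noverify && echo "-noverify, wrong root: ACCEPTED"
  rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Of the two switches, only `-noverify` accepts a signature whose signer chains to a root that was not supplied as trusted; `-purpose any` keeps the chain check and drops only the purpose check.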