我们的应用正在安装根CA配置文件,我想验证它是否已由用户安装和信任。
目前这大致是我们所做的(为核心修剪它)
SecPolicyRef policyObj = SecPolicyCreateBasicX509();
SecTrustRef trustObj;
OSStatus error = SecTrustCreateWithCertificates((__bridge CFTypeRef _Nonnull)(fullChain), policyObj, &trustObj);
SecTrustResultType result;
error = SecTrustEvaluate(trustObj, &result);
CFRelease(trustObj);
CFRelease(policyObj);
return (kSecTrustResultUnspecified == result || kSecTrustResultProceed == result);
问题是这样,一旦安装了配置文件,结果就是kSecTrustResultUnspecified(iOS 10~)或kSecTrustResultProceed(iOS 11~) 但我想检查用户是否信任它(在General-> About-> Trust Settings下)
我在苹果公司的文档中挖掘并没有发现任何内容,而且在SecTrustEvaluate文档中它表示返回值'继续'表示用户信任证书。
proceed— The user explicitly chose to trust a certificate in the chain (usually by clicking a button in a certificate trust panel).
任何人都知道如何做到这一点?我错过了什么?
答案 0 :(得分:1)
@Al Ga改进了Objective-C代码,它在iOS 13/14上进行了测试并可以正常工作
SecPolicyRef policyObj = SecPolicyCreateBasicX509();
SecTrustRef trustObj;
NSString *filePath = [[NSBundle mainBundle] pathForResource:@"certName" ofType:@"crt"];
NSData *certData = [NSData dataWithContentsOfFile:filePath];
CFDataRef certCFR = (__bridge CFDataRef)certData;
SecCertificateRef certSCR = SecCertificateCreateWithData(NULL, certCFR);
NSArray* certArray = @[ (__bridge id)certSCR ];
OSStatus error = SecTrustCreateWithCertificates((__bridge CFTypeRef _Nonnull)certArray, policyObj, &trustObj);
SecTrustResultType result;
error = SecTrustEvaluate(trustObj, &result);
SecTrustResultType结果将包含 uint32_t :
答案 1 :(得分:0)
因此,在挖掘后我发现SecPolicyCreateSSL正在按预期工作,仍然不是100%为什么SecPolicyCreateBasicX509不是。
因此,如果有人遇到这个问题,那么对于将来的参考,这就是我们所做的,
SecPolicyRef policy = SecPolicyCreateSSL(true, NULL);
SecTrustRef testTrust;
OSStatus status = SecTrustCreateWithCertificates((__bridge CFArrayRef)fullChain, policy, &testTrust);
status = SecTrustEvaluate(testTrust, &trustResult);
CFRelease(testTrust);
CFRelease(policy);
return (status == errSecSuccess) && (kSecTrustResultUnspecified == trustResult || kSecTrustResultProceed == trustResult);;
(基本上使用SecPolicyCreateSSL)