我正在使用NEPacketTunnelProvider进行Networkextension。我正在将配置文件与com.apple.vpn.managed有效负载配合使用。此外,我将ClientCertificate身份验证与com.apple.security.pkcs12有效负载配合使用。根据{{3}}文档,我的扩展程序应该可以使用com.apple.managed.vpn.shared钥匙串访问组来检索此身份。
如果我在钥匙串中查询身份,我总是会收到错误代码-25300。根据{{3}},这表示:“找不到该项目。”
代码1: 我尝试使用protocolConfiguration提供的持久引用来检索标识。
class PacketTunnelProvider: NEPacketTunnelProvider {
override func startTunnel(options: [String : NSObject]?, completionHandler: @escaping (Error?) -> Void) {
NSLog("vpn-service startTunnel")
let pc = self.protocolConfiguration
NSLog("vpn-service protocolConfiguration " + pc.debugDescription)
if let identity = pc.identityReference {
let persistentRef = identity as NSData
NSLog("vpn-service persistentRef " + persistentRef.description)
var copyResult: AnyObject?
let copyErr = SecItemCopyMatching([
kSecValuePersistentRef as String: persistentRef,
kSecReturnData as String: true
] as CFDictionary, ©Result)
NSLog("vpn-service getCert copyErr " + copyErr.description)
}
}
}
输出为:
Jul 27 10:07:53 Tims-iPhone vpn(libswiftFoundation.dylib)[4994] <Notice>: vpn-service startTunnel
Jul 27 10:07:53 Tims-iPhone vpn(libswiftFoundation.dylib)[4994] <Notice>: vpn-service protocolConfiguration
type = plugin
identifier = 3B39941E-AF39-45CE-B869-68AF392FBCA0
serverAddress = DEFAULT
password = {
domain = user
accessGroup = com.apple.managed.vpn.shared
}
identity = {
identifier = <Subject Name Common Name of the identity installed by the com.apple.security.pkcs12 payload>
persistentReference = <69646e74 00000000 00000011>
domain = user
}
identityDataImported = NO
identityReference = <69646e74 00000000 00000011>
proxySettings = {
autoProxyDiscovery = NO
autoProxyConfigurationEnabled = NO
HTTPEnabled = NO
HTTPSEnabled = NO
FTPEnabled = NO
SOCKSEnabled = NO
RTSPEnabled = NO
gopherEnabled = NO
excludeSimpleHostnames = NO
usePassiveFTP = YES
}
disconnectOnSleep = NO
disconnectOnIdle = NO
disconnectOnIdleTimeout = 0
disconnectOnWake = NO
disconnectOnWakeTimeout = 0
pluginType = <my-bundle-id>
authenticationMethod = 1
Jul 27 10:07:53 Tims-iPhone vpn(libswiftFoundation.dylib)[4994] <Notice>: vpn-service persistentRef <69646e74 00000000 00000011>
Jul 27 10:07:53 Tims-iPhone vpn(libswiftFoundation.dylib)[4994] <Notice>: vpn-service getCert copyErr -25300
代码2:
如果我尝试在没有引用的情况下检索所有身份,我也会得到-25300。
let getQuery: [String: Any] = [
kSecClass as String: kSecClassIdentity,
kSecMatchLimit as String: kSecMatchLimitAll,
kSecReturnAttributes as String: true,
]
var item: CFTypeRef?
let status = SecItemCopyMatching(getQuery as CFDictionary, &item)
NSLog("vpn-service status: " + status.description)
我重新检查了构建结果是否具有钥匙串访问组:
codesign -d --ent:-build / Debug-iphoneos / agent.app / PlugIns / vpn.appex /
Executable=/Users/timb/projects/xcode/ios-client/build/Debug-iphoneos/agent.app/PlugIns/vpn.appex/vpn
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string><my-application-identifier-of-the-network-extension></string>
<key>com.apple.developer.networking.networkextension</key>
<array/>
<key>com.apple.developer.team-identifier</key>
<string><my-team-identifier></string>
<key>get-task-allow</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string><my-team-identifier>.com.apple.managed.vpn.shared</string>
</array>
</dict>
</plist>
如何从钥匙串中获取NEPacketTunnelProvider Networkextension的身份?
答案 0 :(得分:0)
我会回答自己,因为我解决了这个问题:
1:您需要特殊的权限才能访问com.apple.managed.vpn.shared组。创建一个TSI来获取它。这大约需要一个月的时间。 https://forums.developer.apple.com/thread/67613#9
2:确保您的容器应用程序和网络扩展已设置了权利。您可以使用codesign -d --entitlements :- <filename>
它应该像这样:
<key>keychain-access-groups</key>
<array>
<string>com.apple.managed.vpn.shared</string>
</array>
我正在使用XCode 10 Beta,使用GUI时出现问题。它将值设置为<string>$(AppIdentifierPrefix)com.apple.managed.vpn.shared</string>
您必须使用文本编辑器对其进行修复。
3:从钥匙串访问数据。我将发布一些示例代码,以将数据用作base64编码的字符串。
guard let identityReference = protocolConfiguration.identityReference else {
throw ConfigError.errorIdentityNotFound
}
let query: [String : Any] = [
kSecValuePersistentRef as String: identityReference as CFData,
kSecReturnRef as String: true,
]
var copyResult: AnyObject?
SecItemCopyMatching(query as CFDictionary, ©Result)
guard let existingCopyResult = copyResult else {
throw ConfigError.errorIdentityNotFound
}
let identity = existingCopyResult as! SecIdentity
var certificate: SecCertificate!
SecIdentityCopyCertificate(identity, &certificate)
let DERCertificate = SecCertificateCopyData(certificate) as NSData
let DERCertificateStringBase64Encoded = DERCertificate.base64EncodedString(options: NSData.Base64EncodingOptions.lineLength64Characters)
let PEMCertificateString = "-----BEGIN CERTIFICATE-----\n\(DERCertificateStringBase64Encoded)\n-----END CERTIFICATE-----"
var privateKey: SecKey!
SecIdentityCopyPrivateKey(identity, &privateKey)
let privateKeyData = SecKeyCopyExternalRepresentation(privateKey, nil) as! NSData
let privateKeyDataBase64Encoded = privateKeyData.base64EncodedString(options: NSData.Base64EncodingOptions.lineLength64Characters)
let privateKeyPKCS1String = "-----BEGIN RSA PRIVATE KEY-----\n\(privateKeyDataBase64Encoded)\n-----END RSA PRIVATE KEY-----"