iOS - 以编程方式安装SSL证书
我正在编写一个phonegap插件,可以在应用程序钥匙串中安装CA根证书和用户证书。
I'm writing a phonegap plugin that installs both CA root certificate and user certificate in the app keychain.
以下是用于安装证书的代码:
Here is the code used to install the certificate:
NSData *PKCS12Data = [[NSData alloc] initWithContentsOfFile:certpath];
CFDataRef inPKCS12Data = (CFDataRef)PKCS12Data;
CFStringRef password = (CFStringRef)certPassword;
const void *keys[] = { kSecImportExportPassphrase };
const void *values[] = { password };
CFDictionaryRef optionsDictionary = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
OSStatus securityError = SecPKCS12Import(inPKCS12Data, optionsDictionary, &items);
if (securityError == 0) {
NSLog(@" *** Certificate install Success ***");
} else {
NSLog(@" *** Certificate install Failure ***");
}
上面的代码工作正常(securityError等于0)。但是,我收到了这些错误:
The code above works fine (securityError equals 0). However, I'm obtaining those errors:
unknown apsd[59] <Warning>: <APSCourier: 0xee1ba80>: Stream error occurred for <APSTCPStream: 0x126940>: TLS Error Code=-9844 "peer dropped connection before responding"
unknown securityd[638] <Error>: CFReadStream domain: 12 error: 8
这表示设备不接受已安装的证书,因此我想知道证书未针对CA进行验证设备上安装了根证书。
That indicates that the device does not accept the installed certificate, so i'm wondering that the certificate is not validated against the CA Root certificate installed on the device.
我是否必须为应用安装CA Root证书?
Do I have to install the CA Root certificate for the app ?
有什么想法?
PS:我是Objective-C和XCode环境的新手。
P.S: I'm new to Objective-C and XCode environment.
编辑:
以下代码用于在钥匙串中存储CA根证书:
The code below is used to store CA root certificat in keychain:
NSString *rootCertPath = [[NSBundle mainBundle] pathForResource:@"rootca" ofType:@"cer"];
NSData *rootCertData = [NSData dataWithContentsOfFile:rootCertPath];
OSStatus err = noErr;
SecCertificateRef rootCert = SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef) rootCertData);
CFTypeRef result;
NSDictionary* dict = [NSDictionary dictionaryWithObjectsAndKeys:
(id)kSecClassCertificate, kSecClass,
rootCert, kSecValueRef,
nil];
err = SecItemAdd((CFDictionaryRef)dict, &result);
if( err == noErr) {
NSLog(@"Install root certificate success");
} else if( err == errSecDuplicateItem ) {
NSLog(@"duplicate root certificate entry");
} else {
NSLog(@"install root certificate failure");
}
编辑:
似乎证书没有发送到服务器。我认为每次发出https请求时我都必须手动发送证书...
我正在寻找一种方法来捕捉phonegap中的每个https呼叫。
It seems that the certificate is not sent to server. I think that I have to send manually the certificate each time an https request is made... I'm looking for a way to catch every https call in phonegap.
将证书导入钥匙串是不够的。新的根证书也受到用户或系统的信任。
It's no enough to import the certificate into the keychain. The new root certificate has also be trusted by the user or system.
假设您仍然拥有 SecCertificateRef 变量证书,使用以下代码提高信任级别:
Assuming you still have the SecCertificateRef in the variable certificate, use the following code to raise the trust level:
NSDictionary *newTrustSettings = @{(id)kSecTrustSettingsResult: [NSNumber numberWithInt:kSecTrustSettingsResultTrustRoot]};
status = SecTrustSettingsSetTrustSettings(certificate, kSecTrustSettingsDomainUser, (__bridge CFTypeRef)(newTrustSettings));
if (status != errSecSuccess) {
NSLog(@"Could not change the trust setting for a certificate. Error: %d", status);
exit(0);
}
更改信任级别会在弹出窗口中询问用户是否接受改变。
Changing the trust level will ask the user in a popup window if he accepts the change.