SecTrustEvaluate returns kSecTrustResultRecoverableTrustFailure on iOS 5

Problem description

Working to update an application I have to iOS5 after reports of it not working with the beta. The problem is tracked down to the fact that our custom SSL certificate verification is no longer working.

In the didReceiveAuthenticationChallenge section, we obtain our root certificates and call SecTrustEvaluate. This works fine on iOS4.

    protectionSpace = [challenge protectionSpace];
    trust = [protectionSpace serverTrust];

    err = SecTrustEvaluate(trust, &trustResult);

    trusted = (err == noErr) && ((trustResult == kSecTrustResultProceed) || (trustResult == kSecTrustResultUnspecified));

    if (!trusted) { 
        err = SecTrustSetAnchorCertificates(trust, (CFArrayRef)[EagleAccessAppDelegate getDelegate].rootCertificates);

        if (err == noErr) {
            err = SecTrustEvaluate(trust, &trustResult);
        }

        trusted = (err == noErr) && ((trustResult == kSecTrustResultProceed) || (trustResult == kSecTrustResultUnspecified));
    }

    if (trusted) { 
        NSURLCredential *cred = [NSURLCredential credentialForTrust:trust];
        [[challenge sender] useCredential:cred forAuthenticationChallenge:challenge];
    } else { 
        [[challenge sender] cancelAuthenticationChallenge:challenge];
    }

The certificates are stored in DER format as resources included with the application.

    // Load Certificates.
    NSString *devFilePath = [[NSBundle mainBundle] pathForResource:@"ipms-dev-ca.der" ofType:@"crt"];
    NSData *devRootCertificate = [[[NSData alloc] initWithContentsOfFile:devFilePath] autorelease];
    SecCertificateRef devRoot = SecCertificateCreateWithData(NULL, (CFDataRef) devRootCertificate);

    NSString *prodFilePath = [[NSBundle mainBundle] pathForResource:@"ipms-prod-ca.der" ofType:@"crt"];
    NSData *prodRootCertificate = [[[NSData alloc] initWithContentsOfFile:prodFilePath] autorelease];
    SecCertificateRef prodRoot = SecCertificateCreateWithData(NULL, (CFDataRef) prodRootCertificate);

    self.rootCertificates = [[NSArray alloc] initWithObjects:(id)devRoot, (id)prodRoot, nil];

We basically have our own CA certificate which we use to issue certificates for the servers where our app connects to.

I am able to recreate this using the AdvancedURLConnections example application.

Recommended answer

The issue was that the certificate had an MD5 signature. These signatures are no longer supported on iOS5.
