OpenSSL和Apple钥匙串集成 [英] OpenSSL and Apple Keychain integration

问题描述

我们正在使用一个应在Windows和Mac上运行的多平台应用程序.我们的应用程序基于作为SSL和相关内容提供者的OpenSSL.它使用客户端证书建立安全连接并识别最终用户.

We're using a multi platform application which should run on both Windows and Mac. Our application is based on OpenSSL as the SSL and related stuff supplier. It uses Client Certificate to establish secure connections and to identify the end user.

我们想使用Windows和Mac本机证书存储来确保最大的安全性. Openssl具有与Windows的证书存储区交互的引擎(CAPI引擎).但是，我们没有为Mac的钥匙串找到这样的解决方案.

We want to use Windows and Mac native certificate storages to ensure maximum security. Openssl has an engine to interact with Windows' Certificate Store (CAPI engine). However, we didn't manage to find such a solution for Mac's Keychain.

OpenSSL和Apple的钥匙串之间是否存在集成?

Is there an integration between OpenSSL and Apple's Keychain?

如果没有，您的建议是什么?

If not, what are your suggestion ?

推荐答案

除了处理客户端证书之外，您还需要验证服务器证书.

In addition to handling the client certificate, you will also need to verify the server certificate.

为此，您将必须为OpenSSL提供一个回调，该回调使用Mac OS X安全框架来验证服务器证书.使用OpenSSL函数SSL_CTX_set_cert_verify_callback设置自定义证书验证回调.您的回调必须将OpenSSL证书转换为SecCertificateRef，为SSL连接创建一个SecPolicyRef，创建一个SecTrustRef并对其进行评估.参见证书，密钥和信任服务参考以获取更多详细信息.

To do so, you will have to provide OpenSSL with a callback that uses the Mac OS X security framework to validate the server certificate. Use the OpenSSL function SSL_CTX_set_cert_verify_callback to set your custom certificate validation callback. Your callback must convert the OpenSSL certificates to SecCertificateRef, create a SecPolicyRef for SSL connections, create a SecTrustRef and evaluate it. See Certificate, Key, and Trust Services Reference for more details.

这篇关于OpenSSL和Apple钥匙串集成的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！