Use a self-signed ssl certificate in an iphone app


Problem description

I apologize in advance for the long-winded question. I'm having trouble with a self-signed SSL cert and I want to document everything I've tried so far.

I'm working on an app that communicates with a REST service. The test server uses a self-signed ssl certificate that I can install on my computer without issue. It's a .p12 file that requires a password to install. Without this certificate installed, all requests to the server return a 403.

The .p12 installs three items in the Keychain, a "Root certificate authority", a "test user" certificate that's issued by the "Root certificate authority", and a private key that's associated with the "test user" cert.

I've installed this certificate on my iPad by emailing myself the .p12 file. I tapped on the attachment, input the password, and I can now access the site in Safari. Unfortunately, because of application sandboxing, this isn't enough to get my app to communicate with the REST service.

I'm using ASIHTTPRequest for all of the communication with the REST service from my app. Each request is a subclass of ASIHTTPRequest. The first thing I found I had to do was call [self setValidatesSecureCertificate:NO]; so that it would even attempt the SSL connection to the server. If that's all I do, I get 403 error codes back from the service.

Now I can't seem to figure out how to get the request to use the certificate. I've tried exporting the three items as separate .cer files, including them in the project and adding them to the request using the code below:

// Load one of the exported DER-encoded .cer files from the app bundle
NSData *data = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"cert" ofType:@"cer"]];
// Build a certificate object from the DER bytes (returns NULL if the data is not a DER certificate,
// which is why feeding it a .p12 file fails, as described further down)
SecCertificateRef cert = SecCertificateCreateWithData(NULL, (CFDataRef)data);
...
// Hand the certificate objects to ASIHTTPRequest; note this passes certificates only,
// with no private key, so the server cannot be given a client-authenticated handshake
[self setClientCertificates:[NSArray arrayWithObjects:(id)cert, ..., nil]];

While the code executes without issue using this approach, I still get the 403 error.

I've even tried including the .p12 file in my application and importing it using the same code. This fails because SecCertificateCreateWithData returns nil.

I admit I don't really know what I'm doing here. This is all a little over my head and any help anyone could give me would be greatly appreciated.

Recommended answer

OK, I figured it out. I was sort of barking up the wrong tree.

The most important information I found was in Apple's documentation for Certificate, Key, and Trust Services Programming Guide, in particular, the "Tasks for iOS" page. That detailed how to extract the security identity from the .p12 file and how to add a trust exception.

The last piece of the puzzle was in ASIHTTPRequest's documentation on Client Certificate Support. By using the identity I extracted directly from the p12 file, I was able to pass that on to the request and get everything authenticated properly.

I hope this helps anyone else that has to implement a similar feature.
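The procedure the answer describes (extract the identity from the .p12 with Security.framework, settle the trust question for the client certificate's chain, then hand the identity to ASIHTTPRequest's client certificate support) as one worked example. This is an added example, not the answerer's code or Apple's sample; it assumes manual reference counting (plain C casts, as in the question's snippet), that ASIHTTPRequest is in the project, that the .p12 is bundled as "client.p12" and the root CA as a DER-encoded "rootca.cer", and that the caller supplies the passphrase. Rather than a blanket trust exception, it pins evaluation of the client certificate's chain to the bundled root, which rejects a .p12 issued by any other CA.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import "ASIHTTPRequest.h"   // assumed: ASIHTTPRequest sources added to the project

// Pull the identity (certificate + private key) and its trust object out of PKCS#12 data.
// On success both out-parameters are retained and the caller must CFRelease them.
static BOOL ExtractIdentityAndTrust(NSData *p12Data, NSString *passphrase,
                                    SecIdentityRef *outIdentity, SecTrustRef *outTrust)
{
    NSDictionary *options = [NSDictionary dictionaryWithObject:passphrase
                                                        forKey:(id)kSecImportExportPassphrase];
    CFArrayRef items = NULL;
    OSStatus status = SecPKCS12Import((CFDataRef)p12Data, (CFDictionaryRef)options, &items);
    if (status != errSecSuccess || items == NULL || CFArrayGetCount(items) == 0) {
        // errSecAuthFailed here means the passphrase did not match the .p12
        if (items) CFRelease(items);
        return NO;
    }
    CFDictionaryRef first = CFArrayGetValueAtIndex(items, 0);
    *outIdentity = (SecIdentityRef)CFDictionaryGetValue(first, kSecImportItemIdentity);
    *outTrust = (SecTrustRef)CFDictionaryGetValue(first, kSecImportItemTrust);
    CFRetain(*outIdentity);
    CFRetain(*outTrust);
    CFRelease(items);
    return YES;
}

// Evaluate the client certificate's chain against the one root CA shipped in the bundle.
// This replaces a generic "trust exception": only that root is accepted as an anchor.
static BOOL IdentityChainsToBundledRoot(SecTrustRef trust, NSData *rootCertData)
{
    // SecCertificateCreateWithData only accepts DER; handing it a .p12 returns NULL
    SecCertificateRef root = SecCertificateCreateWithData(NULL, (CFDataRef)rootCertData);
    if (root == NULL) return NO;
    NSArray *anchors = [NSArray arrayWithObject:(id)root];
    SecTrustSetAnchorCertificates(trust, (CFArrayRef)anchors);
    SecTrustSetAnchorCertificatesOnly(trust, true);   // ignore the system trust store
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    CFRelease(root);
    return status == errSecSuccess &&
           (result == kSecTrustResultProceed || result == kSecTrustResultUnspecified);
}

// Build a request that authenticates with the bundled client identity.
// Returns nil if the identity cannot be extracted or does not chain to the bundled root.
ASIHTTPRequest *AuthenticatedRequest(NSURL *url, NSString *passphrase)
{
    NSBundle *bundle = [NSBundle mainBundle];
    NSData *p12 = [NSData dataWithContentsOfFile:[bundle pathForResource:@"client" ofType:@"p12"]];
    NSData *rootCer = [NSData dataWithContentsOfFile:[bundle pathForResource:@"rootca" ofType:@"cer"]];

    SecIdentityRef identity = NULL;
    SecTrustRef trust = NULL;
    if (!ExtractIdentityAndTrust(p12, passphrase, &identity, &trust)) return nil;

    BOOL chainOK = IdentityChainsToBundledRoot(trust, rootCer);
    CFRelease(trust);
    if (!chainOK) {
        CFRelease(identity);
        return nil;
    }

    ASIHTTPRequest *request = [ASIHTTPRequest requestWithURL:url];
    // ASIHTTPRequest's client certificate support: the identity carries the private key,
    // which is what the TLS client-authentication handshake needs (a bare .cer does not)
    [request setClientCertificateIdentity:identity];
    // The test server's own certificate is self-signed, so ASIHTTPRequest's default
    // server-certificate validation would reject it; this disables that check, as the
    // question found necessary. Client authentication above is unaffected by it.
    [request setValidatesSecureCertificate:NO];
    CFRelease(identity);   // ASIHTTPRequest retains the identity it was handed
    return request;
}
```

Usage: `ASIHTTPRequest *r = AuthenticatedRequest(url, passphrase); [r startSynchronous];`. Two points worth keeping in mind: the passphrase is a parameter here because hard-coding it next to a bundled .p12 gives anyone with the .ipa the private key, so it should come from the user or from the keychain; and `setValidatesSecureCertificate:NO` disables verification of the server, not of the client, so the server's self-signed certificate is accepted without any check on this side.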
