What is the reason of kSecTrustResultRecoverableTrustFailure?

Problem description

I'd like to validate my ssl server certificates with some extra checks. And sometimes I get a

kSecTrustResultRecoverableTrustFailure 

instead of

kSecTrustResultProceed
kSecTrustResultUnspecified

if

  • the certificate is md5 hashed (IOS5)
  • the server does not present the root and intermediate certificates
  • the SecTrustSetAnchorCertificatesOnly(trust,YES) is set and the anchor certificate is only in the built in anchor certificates
  • the certificate is expired
  • ?

It depends on the AppleX509TP policy used to evaluate the trust.

My problem is I do not want to trust if the chain fails, but I want to trust if MD5 is used.

Is there a way to find out why the evaluation failed?

As an alternative is there a way to extract the CSSM_ALGID_MD5 from a SecCertificateRef?

Recommended answer

Is there a way to find out why the evaluation failed?

Call SecTrustCopyProperties() after calling SecTrustEvaluate():

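SecTrustRef trust = ...;
SecTrustResultType trustResult = kSecTrustResultOtherError;
OSStatus status = SecTrustEvaluate(trust, &trustResult);
// Inspect the properties only when the evaluation call itself succeeded
// and the verdict is a recoverable failure.
if (status == errSecSuccess &&
    trustResult == kSecTrustResultRecoverableTrustFailure) {
    // One dictionary per certificate in the evaluated chain.
    NSArray * trustProperties = (__bridge_transfer id)
        SecTrustCopyProperties(trust);
}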

trustProperties is an array of dictionaries, one dictionary per cert in the cert chain evaluated. Every dictionary has an entry title, containing the name of the cert and if the cert didn't evaluate, it also contains an entry error containing the error. E.g. if the problem was that the cert has expired, the value of error will be CSSMERR_TP_CERT_EXPIRED.
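
An added example, not part of the original answer: one way to use the per-certificate error entries to tolerate only specific failures and reject everything else. The helper names RecoverableTrustErrors and FailureIsTolerated are hypothetical, the keys "title" and "error" are the ones the answer describes, and the set of tolerated error strings is an assumption the caller must fill with the values actually observed in the log (the page does not state the string reported for an MD5-signed certificate).

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper: returns the "error" value of every certificate in the
// chain that failed evaluation, or nil when the evaluation did not end in
// kSecTrustResultRecoverableTrustFailure.
static NSArray<NSString *> *RecoverableTrustErrors(SecTrustRef trust) {
    SecTrustResultType result = kSecTrustResultOtherError;
    if (SecTrustEvaluate(trust, &result) != errSecSuccess ||
        result != kSecTrustResultRecoverableTrustFailure) {
        return nil;
    }
    // One dictionary per certificate in the evaluated chain.
    NSArray *properties =
        (__bridge_transfer NSArray *)SecTrustCopyProperties(trust);
    NSMutableArray<NSString *> *errors = [NSMutableArray array];
    for (NSDictionary *entry in properties) {
        id error = entry[@"error"];
        if (error != nil) {
            // Log which certificate failed and why, for diagnosis.
            NSLog(@"%@: %@", entry[@"title"], error);
            [errors addObject:[error description]];
        }
    }
    return errors;
}

// Hypothetical policy check: YES only if the failure is recoverable, at least
// one reason was reported, and every reported reason is in `tolerated`.
// Anything else (no reason reported, an unexpected reason, any other trust
// result) fails closed.
static BOOL FailureIsTolerated(SecTrustRef trust,
                               NSSet<NSString *> *tolerated) {
    NSArray<NSString *> *errors = RecoverableTrustErrors(trust);
    if (errors.count == 0) {
        return NO;
    }
    for (NSString *error in errors) {
        if (![tolerated containsObject:error]) {
            return NO;
        }
    }
    return YES;
}
```

With this shape, a chain that reports CSSMERR_TP_CERT_EXPIRED is rejected unless that string was deliberately placed in the tolerated set, so a chain failure never passes by accident alongside a tolerated one.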
