Objective-C:评估由我们自己的 PKI(根 CA)在 TLS TCP 连接上签署的服务器证书 [英] Objective-C: eveluate server certificate signed by our own PKI (root CA) on TLS TCP connection
本文介绍了Objective-C:评估由我们自己的 PKI(根 CA)在 TLS TCP 连接上签署的服务器证书的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
*已解决*
我的问题是参考以下问题:
Objective-C:如何使用签名者的公钥验证 SecCertificateRef?
My problem is referencing to the following question:
Objective-C: How to verify SecCertificateRef with signer's public key?
我们有自己的 PKI 和我们信任的自己的 rootCA.我们使用这个 rootCA 签署交付给个人服务器的证书.现在我想连接 iOS 应用程序并检查从服务器传递的证书是否使用我们的 CA 签名.
We have an own PKI and so an own rootCA that we trust. With this rootCA we sign the certificates that are delivered to the personal servers. Now I want to connect with the iOS app and check if the cert that is delivered from the server is signed with our CA.
我的应用程序应该能够使用此证书连接到 n 个服务器(可能通过零配置服务找到)使用由 GCDAsyncSocket 建立的 TCP 连接.我的应用程序中有证书的公共部分,我想将其添加到我的CertChain"中,以便应用程序在连接时信任它们.
My app should be able to connect to n servers with this certificates (maybe found with zero-conf service) using a TCP-connection, established by GCDAsyncSocket. I have the public part of the certificate in my app that I would like to add to my "CertChain" so the app will trust them on connect.
我已经尝试了很多,但仍然无法通过 SecTrustEvaluate(trust, &result); 获得有效的结果.(我想在生产中使用它,所以请不要告诉我有关停用验证的任何信息)
I have tried a lot, but I'm still not able to pass SecTrustEvaluate(trust, &result); with a valid result.
(I want to use this in productive, so please don't tell me anything about deactivating validation)
我的证书:
在应用程序中:rootCA、oldServerCA (cer)
在服务器上(通过信任):homeServer、oldServer
My certificates:
in app: rootCA, oldServerCA (cer)
on server (via trust): homeServer, oldServer
我的证书链:
rootCA 签名 homeServer
oldServerCA 签署了 oldServer
My certificate chain:
rootCA signed homeServer
oldServerCA signed oldServer
我的代码部分:
添加更新
- (void)socket:(GCDAsyncSocket *)sock didConnectToHost:(NSString *)host port:(uint16_t)port;
{
// Configure SSL/TLS settings
NSMutableDictionary *settings = [NSMutableDictionary dictionaryWithCapacity:3];
// Allow self-signed certificates
[settings setObject:[NSNumber numberWithBool:YES]
forKey:GCDAsyncSocketManuallyEvaluateTrust];
[sock startTLS:settings];
// get the certificates as data for further operations
NSString *certFilePath1 = [[NSBundle mainBundle] pathForResource:@"rootCA" ofType:@"cer"]; // also tried it with 'der', same result
NSData *certData1 = [NSData dataWithContentsOfFile:certFilePath1];
NSString *certFilePath2 = [[NSBundle mainBundle] pathForResource:@"oldServerCA" ofType:@"cer"];
NSData *certData2 = [NSData dataWithContentsOfFile:certFilePath2];
// if data exists, use it
if(certData1 && certData2)
{
SecCertificateRef cert1;
cert1 = SecCertificateCreateWithData(NULL, (__bridge CFDataRef) certData1);
SecCertificateRef cert2;
cert2 = SecCertificateCreateWithData(NULL, (__bridge CFDataRef) certData2);
// only working for "cer"
NSString *name = [NSString stringWithUTF8String:CFStringGetCStringPtr(SecCertificateCopySubjectSummary(cert1), kCFStringEncodingUTF8)];
// maybe I understood the usage of "name" in "kSecAttrApplicationTag" wrong?
OSStatus status = SecItemAdd((__bridge CFDictionaryRef)[NSDictionary dictionaryWithObjectsAndKeys:
(__bridge id)(kSecClassKey), kSecClass,
(__bridge id)kSecAttrKeyTypeRSA, kSecAttrKeyType,
(__bridge id)kSecAttrKeyClassPublic, kSecAttrKeyClass,
kCFBooleanTrue, kSecAttrIsPermanent,
[name dataUsingEncoding:NSUTF8StringEncoding], kSecAttrApplicationTag,
certData1, kSecValueData,
kCFBooleanTrue, kSecReturnPersistentRef,
nil],
NULL); //don't need public key ref
// Setting "cer" is successfully and delivers "noErr" in first run, then "errKCDuplicateItem"
NSLog(@"evaluate with status %d", (int)status);
NSString *name2 = [NSString stringWithUTF8String:CFStringGetCStringPtr(SecCertificateCopySubjectSummary(cert2), kCFStringEncodingUTF8)];
OSStatus status2 = SecItemAdd((__bridge CFDictionaryRef)[NSDictionary dictionaryWithObjectsAndKeys:
(__bridge id)(kSecClassKey), kSecClass,
(__bridge id)kSecAttrKeyTypeRSA, kSecAttrKeyType,
(__bridge id)kSecAttrKeyClassPublic, kSecAttrKeyClass,
kCFBooleanTrue, kSecAttrIsPermanent,
[name2 dataUsingEncoding:NSUTF8StringEncoding], kSecAttrApplicationTag,
certData2, kSecValueData,
kCFBooleanTrue, kSecReturnPersistentRef,
nil],
NULL); //don't need public key ref
NSLog(@"evaluate with status %d", (int)status2);
// log here -> certificates were loaded. Fine
// create references of each to proof them seperatly
const void *ref[] = {cert1};
CFArrayRef aryRef = CFArrayCreate(NULL, ref, 1, NULL);
const void *ref2[] = {cert2};
CFArrayRef aryRef2 = CFArrayCreate(NULL, ref2, 1, NULL);
// need this way to get sock.sslContext, otherways it's NULL (see implementation of GCDAsyncSocket)
[sock performBlock:^{
SSLContextRef sslContext = sock.sslContext;
OSStatus status = SSLSetCertificate(sslContext, aryRef);
// the status is everywhere always -909 -> badReqErr /*bad parameter or invalid state for operation*/
if(status == noErr)
NSLog(@"successfully set ssl certificates");
else
NSLog(@"setting ssl certificates failed");
status = SSLSetCertificate(sock.sslContext, aryRef2);
if(status == noErr)
NSLog(@"successfully set ssl certificates");
else
NSLog(@"setting ssl certificates failed");
status = SSLSetEncryptionCertificate(sock.sslContext, aryRef);
if(status == noErr)
NSLog(@"successfully set ssl certificates");
else
NSLog(@"setting ssl certificates failed");
}];
}
@synchronized( self )
{
if( isConnected == NO )
{
if(gcdAsyncSocket && [gcdAsyncSocket isConnected])
{
isConnected = YES;
[gcdAsyncSocket readDataWithTimeout:READ_TIMEOUT tag:0];
[NSThread detachNewThreadSelector:@selector(readDataToData:withTimeout:tag:) toTarget:gcdAsyncSocket withObject:nil];
[gcdAsyncSocket readDataToData:[GCDAsyncSocket LFData] withTimeout:READ_TIMEOUT tag:0];
[del onConnect];
}
}
}
}
好吧...如果在这里不起作用,那么手动检查...
well... if not working here, then check manually...
- (void)socket:(GCDAsyncSocket *)sock didReceiveTrust:(SecTrustRef)trust
completionHandler:(void (^)(BOOL shouldTrustPeer))completionHandler
{
// https://code.csdn.net/OS_Mirror/CocoaAsyncSocket/file_diff/a4b9c4981b3c022ca89d0cdaadecc70b825ad4f1...5d58af30d2d8a3e0f7219487e72f1b4b2c3b4894/GCD/Xcode/SimpleHTTPClient/Desktop/SimpleHTTPClient/SimpleHTTPClientAppDelegate.m
dispatch_queue_t bgQueue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0);
dispatch_async(bgQueue, ^{
// This is where you would (eventually) invoke SecTrustEvaluate.
// Presumably, if you're using manual trust evaluation, you're likely doing extra stuff here.
// For example, allowing a specific self-signed certificate that is known to the app.
NSString *certFilePath1 = [[NSBundle mainBundle] pathForResource:@"rootCA" ofType:@"cer"];
NSData *certData1 = [NSData dataWithContentsOfFile:certFilePath1];
NSString *certFilePath2 = [[NSBundle mainBundle] pathForResource:@"oldServerCA" ofType:@"cer"];
NSData *certData2 = [NSData dataWithContentsOfFile:certFilePath2];
if(certData1 && certData2)
{
CFArrayRef arrayRefTrust = SecTrustCopyProperties(trust);
SecTrustResultType result = kSecTrustResultUnspecified;
// usualy should work already here
OSStatus status = SecTrustEvaluate(trust, &result);
NSLog(@"evaluate with result %d and status %d", result, (int)status);
NSLog(@"trust properties: %@", arrayRefTrust);
/* log:
evaluate with result 5 and status 0
trust properties: (
{
type = error;
value = "Root certificate is not trusted."; // expected, when top part was not working
}
*/
SecCertificateRef cert1;
cert1 = SecCertificateCreateWithData(NULL, (__bridge CFDataRef) certData1);
SecCertificateRef cert2;
cert2 = SecCertificateCreateWithData(NULL, (__bridge CFDataRef) certData2);
const void *ref[] = {cert1};
CFIndex count = SecTrustGetCertificateCount(trust);
// CFMutableArrayRef aryRef = CFArrayCreateMutable(NULL, count + 1, NULL);
// CFArrayAppendValue(aryRef, ref);
CFArrayCreate(NULL, ref, 2, NULL);
// # # # #
// so check one by one...
BOOL isMatching = NO;
for (int i = 0; i < count; i++)
{
SecCertificateRef certRef = SecTrustGetCertificateAtIndex(trust, i);
NSString *name = [NSString stringWithUTF8String:CFStringGetCStringPtr(SecCertificateCopySubjectSummary(certRef), kCFStringEncodingUTF8)]; // only working for "cer"
NSLog(@"remote cert at index %d is '%@'", i, name);
/*
first is 'homeserver', second is 'oldServer'
*/
// const void *ref[] = {certRef, cert1, cert2};
// CFArrayRef aryCheck = CFArrayCreate(NULL, ref, 3, NULL);
// check against the new cert (rootCA)
const void *ref[] = {certRef, cert1};
CFArrayRef aryCheck = CFArrayCreate(NULL, ref, 2, NULL);
SecTrustRef trustManual;
OSStatus certStatus = SecTrustCreateWithCertificates(aryCheck, SecPolicyCreateBasicX509(), &trustManual);
// certStatus always noErr
NSLog(@"certStatus: %d", (int)certStatus);
SecTrustResultType result;
OSStatus status = SecTrustEvaluate(trustManual, &result);
CFArrayRef arrayRef = SecTrustCopyProperties(trustManual);
NSLog(@"evaluate with result %d and status %d", result, (int)status);
NSLog(@"trust properties: %@", arrayRef);
/* log:
evaluate with result 5 and status 0
trust properties: (
{
type = error;
value = "Root certificate is not trusted.";
}
*/
// always else-part because result is "kSecTrustResultRecoverableTrustFailure"
if (status == noErr && (result == kSecTrustResultProceed || result == kSecTrustResultUnspecified))
{
isMatching = YES;
NSLog(@"certificates matches");
}
else
{
NSLog(@"certificates differs");
}
}
if (isMatching || (status == noErr && (result == kSecTrustResultProceed || result == kSecTrustResultUnspecified)))
{
completionHandler(YES);
}
else
{
completionHandler(NO);
}
}
completionHandler(NO);
});
}
更新 1
已删除
[settings setObject:[NSNumber numberWithBool:YES]
forKey:GCDAsyncSocketManuallyEvaluateTrust];
现在使用
SecCertificateRef cert1, cert2;
// init certs, see top part
// according to @SeanBaker "Certs[0] would be nil (you don't want to do client auth), and certs[1...] would be the root certificates you want to trust in establishing the connection"
const void *certs[] = {NULL, cert1, cert2};
// const void *certs[] = {nil, cert1, cert2};
CFArrayRef aryCerts = CFArrayCreate(NULL, certs, 3, NULL);
[settings setObject:(__bridge NSArray*)aryCerts
forKey:(NSString *)kCFStreamSSLCertificates];
但是在
// 2. kCFStreamSSLCertificates
value = [tlsSettings objectForKey:(NSString *)kCFStreamSSLCertificates];
if ([value isKindOfClass:[NSArray class]])
{
CFArrayRef certs = (__bridge CFArrayRef)value;
status = SSLSetCertificate(sslContext, certs);
...
好像我用错了,但我没有看到错误:/(不经常使用核心基础)
seems like I'm using it wrong, but I don't see the mistake :/ (not using often core foundation)
如果您需要更多信息,请直接询问.每一个提示都可以挽救生命:)
If you need further information, just ask. Every hint can rescue lifes :)
推荐答案
解决了问题,将证书设置为anchorCertificates of the trust 手动检查- (void)socket:(GCDAsyncSocket *)sock didReceiveTrust:(SecTrustRef)信任completionHandler:(void (^)(BOOL shouldTrustPeer))completionHandler 但感谢你的提示和努力:) 会给你一些赏金.
Solved the problem by setting the certificates as anchorCertificates of the trust in the manual check - (void)socket:(GCDAsyncSocket *)sock didReceiveTrust:(SecTrustRef)trust
completionHandler:(void (^)(BOOL shouldTrustPeer))completionHandler but thanks for your hints and effort :) will give you some bounty for this.
NSString *certFilePath1 = [[NSBundle mainBundle] pathForResource:@"rootCA" ofType:@"cer"];
NSData *certData1 = [NSData dataWithContentsOfFile:certFilePath1];
NSString *certFilePath2 = [[NSBundle mainBundle] pathForResource:@"oldServerCA" ofType:@"cer"];
NSData *certData2 = [NSData dataWithContentsOfFile:certFilePath2];
OSStatus status = -1;
SecTrustResultType result = kSecTrustResultDeny;
if(certData1 && certData2)
{
SecCertificateRef cert1;
cert1 = SecCertificateCreateWithData(NULL, (__bridge CFDataRef) certData1);
SecCertificateRef cert2;
cert2 = SecCertificateCreateWithData(NULL, (__bridge CFDataRef) certData2);
const void *ref[] = {cert1, cert2};
CFArrayRef ary = CFArrayCreate(NULL, ref, 2, NULL);
SecTrustSetAnchorCertificates(trust, ary);
status = SecTrustEvaluate(trust, &result);
}
else
{
NSLog(@"local certificates could not be loaded");
completionHandler(NO);
}
if ((status == noErr && (result == kSecTrustResultProceed || result == kSecTrustResultUnspecified)))
{
completionHandler(YES);
}
else
{
CFArrayRef arrayRefTrust = SecTrustCopyProperties(trust);
NSLog(@"error in connection occured
%@", arrayRefTrust);
completionHandler(NO);
}
这篇关于Objective-C:评估由我们自己的 PKI(根 CA)在 TLS TCP 连接上签署的服务器证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
