What is the reason for kSecTrustResultRecoverableTrustFailure?


Question



I'd like to validate my SSL server certificates with some extra checks. And sometimes I get a

kSecTrustResultRecoverableTrustFailure 

instead of

kSecTrustResultProceed or kSecTrustResultUnspecified

It seems to happen if

  • the certificate is MD5 hashed (iOS 5)
  • the server does not present the root and intermediate certificates
  • SecTrustSetAnchorCertificatesOnly(trust, YES) is set and the anchor certificate is only in the built-in anchor certificates
  • the certificate is expired
  • ?

It depends on the AppleX509TP policy used to evaluate the trust.

My problem is I do not want to trust if the chain fails, but I want to trust if MD5 is used.

Is there a way to find out why the evaluation failed?

As an alternative is there a way to extract the CSSM_ALGID_MD5 from a SecCertificateRef?

Solution

It may be a server certificate problem....

Check here, I solved my kSecTrustResultRecoverableTrustFailure problem, adding subjectAltName = DNS:example.com into the openssl config file, specifically in server key generation...

If you are not using openssl to generate it, I'm sorry but I can help you.. Anyway if you want to use openssl, here is a good tutorial to generate those keys and sign them with your own root certificate authority.

From this tutorial, I just changed my openssl server config file to:

    [ server ]
    basicConstraints = critical,CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    nsCertType = server
    subjectAltName = IP:10.0.1.5,DNS:office.totendev.com
    

Hope it helps !

EDITED:

My server evaluation code:

    #import <Security/Security.h>

    #pragma mark - SERVER Auth Helper
    // Validate the server certificate presented in an authentication challenge.
    // SecTrustEvaluate is deprecated from iOS 12 / macOS 10.14 in favour of SecTrustEvaluateWithError.
    + (BOOL)validateServerWithChallenge:(NSURLAuthenticationChallenge *)challenge {
        SecTrustRef serverTrust = [challenge.protectionSpace serverTrust];
        // Install our own anchor (CA) certificates on the server trust object
        SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)[self allowedCAcertificates]);
        // Trust ONLY the anchors set above; disable the built-in Apple CA anchors
        SecTrustSetAnchorCertificatesOnly(serverTrust, YES);
        // Try to evaluate it
        SecTrustResultType evaluateResult = kSecTrustResultInvalid;
        OSStatus sanityCheck = SecTrustEvaluate(serverTrust, &evaluateResult);
        // Only inspect the result when the evaluation itself did not error out
        if (sanityCheck == noErr) {
            if ([[self class] validateTrustResult:evaluateResult]) { return YES; }
        }
        // deny!
        return NO;
    }

    // Map a SecTrustResultType to an accept/deny decision
    + (BOOL)validateTrustResult:(SecTrustResultType)result {
        switch (result) {
            case kSecTrustResultProceed:     { TDLog(kLogLevelHandshake, nil, @"kSecTrustResultProceed");     return YES; }
            // kSecTrustResultConfirm is deprecated; it meant "ask the user before proceeding"
            case kSecTrustResultConfirm:     { TDLog(kLogLevelHandshake, nil, @"kSecTrustResultConfirm");     return YES; }
            case kSecTrustResultUnspecified: { TDLog(kLogLevelHandshake, nil, @"kSecTrustResultUnspecified"); return YES; }
            // Deny means the user explicitly distrusted this certificate, so it must not be accepted
            case kSecTrustResultDeny:        { TDLog(kLogLevelHandshake, nil, @"kSecTrustResultDeny");        return NO; }
            case kSecTrustResultFatalTrustFailure:       { TDLog(kLogLevelHandshake, nil, @"kSecTrustResultFatalTrustFailure");       return NO; }
            case kSecTrustResultInvalid:                 { TDLog(kLogLevelHandshake, nil, @"kSecTrustResultInvalid");                 return NO; }
            case kSecTrustResultOtherError:              { TDLog(kLogLevelHandshake, nil, @"kSecTrustResultOtherError");              return NO; }
            case kSecTrustResultRecoverableTrustFailure: { TDLog(kLogLevelHandshake, nil, @"kSecTrustResultRecoverableTrustFailure"); return NO; }
            default: { TDLog(kLogLevelHandshake, nil, @"unknown certificate evaluate result type! denying..."); return NO; }
        }
    }

Hope now it helps :) !
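The question asks two things the answer above does not cover: how to find out why an evaluation failed, and how to tell whether a certificate is MD5-signed. The following Objective-C helper is an added example, not code from the question, the answer, or Apple; it assumes iOS 12 / macOS 10.14 or later (for SecTrustEvaluateWithError), an `anchors` array of SecCertificateRef values that the caller loads itself (a stand-in for the answer's `allowedCAcertificates`), and that "MD5-signed" means the PKCS#1 md5WithRSAEncryption OID (1.2.840.113549.1.1.4) in the certificate's outer signatureAlgorithm field, read with a small DER tag-length reader because iOS has no public API for the signature algorithm. On failure it logs the framework's per-certificate reasons and whether the leaf is MD5-signed, and still returns NO: it explains a failed evaluation rather than overriding it.

```objectivec
// Added example, not from the question or answer above. Assumes iOS 12 / macOS 10.14+.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Content bytes of OID 1.2.840.113549.1.1.4 (md5WithRSAEncryption), DER-encoded.
static const uint8_t kMD5WithRSAOID[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x04};

// Minimal DER tag-length reader: sets *tag and *len, moves *off to the content start.
// Rejects indefinite lengths, lengths longer than 4 bytes, and anything past the buffer.
static BOOL DERHeader(const uint8_t *buf, size_t bufLen, size_t *off, uint8_t *tag, size_t *len) {
    if (*off + 2 > bufLen) return NO;
    *tag = buf[(*off)++];
    uint8_t first = buf[(*off)++];
    if (first < 0x80) {
        *len = first;
    } else {
        uint8_t n = first & 0x7F;
        if (n == 0 || n > 4 || *off + n > bufLen) return NO;
        size_t l = 0;
        for (uint8_t i = 0; i < n; i++) l = (l << 8) | buf[(*off)++];
        *len = l;
    }
    return *off + *len <= bufLen;
}

// Returns the content bytes of the outer signatureAlgorithm OID, or nil if the DER is malformed.
// Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE { OID, ... }, signature BIT STRING }
static NSData *CertificateSignatureAlgorithmOID(SecCertificateRef cert) {
    if (cert == NULL) return nil;
    NSData *der = CFBridgingRelease(SecCertificateCopyData(cert));
    const uint8_t *buf = der.bytes;
    size_t bufLen = der.length, off = 0, len = 0;
    uint8_t tag = 0;
    if (!DERHeader(buf, bufLen, &off, &tag, &len) || tag != 0x30) return nil; // Certificate
    if (!DERHeader(buf, bufLen, &off, &tag, &len) || tag != 0x30) return nil; // tbsCertificate
    off += len;                                                               // skip its body
    if (!DERHeader(buf, bufLen, &off, &tag, &len) || tag != 0x30) return nil; // AlgorithmIdentifier
    if (!DERHeader(buf, bufLen, &off, &tag, &len) || tag != 0x06) return nil; // algorithm OID
    return [NSData dataWithBytes:buf + off length:len];
}

// YES when the certificate's signature algorithm is md5WithRSAEncryption (assumption: only that OID is checked).
static BOOL CertificateUsesMD5Signature(SecCertificateRef cert) {
    NSData *oid = CertificateSignatureAlgorithmOID(cert);
    return oid.length == sizeof(kMD5WithRSAOID) &&
           memcmp(oid.bytes, kMD5WithRSAOID, sizeof(kMD5WithRSAOID)) == 0;
}

// Evaluates `trust` against only `anchors` (hypothetical caller-supplied NSArray of SecCertificateRef).
// Returns YES only on a successful evaluation; on failure it logs why and returns NO.
static BOOL EvaluateServerTrustWithDiagnostics(SecTrustRef trust, NSArray *anchors) {
    SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors);
    SecTrustSetAnchorCertificatesOnly(trust, true);

    CFErrorRef cfError = NULL;
    if (SecTrustEvaluateWithError(trust, &cfError)) return YES;

    // The CFError carries the top-level reason (expired, untrusted root, hostname mismatch, ...).
    NSError *error = CFBridgingRelease(cfError);
    SecTrustResultType result = kSecTrustResultInvalid;
    SecTrustGetTrustResult(trust, &result);
    NSLog(@"trust evaluation failed: result=%u error=%@", (unsigned)result, error);

    // Per-certificate reasons, keyed by kSecPropertyTypeTitle / kSecPropertyTypeError.
    // SecTrustCopyProperties is deprecated from iOS 15 / macOS 12 but still returns these.
    NSArray *props = CFBridgingRelease(SecTrustCopyProperties(trust));
    for (NSDictionary *p in props) {
        NSLog(@"  %@: %@", p[(__bridge id)kSecPropertyTypeTitle],
              p[(__bridge id)kSecPropertyTypeError] ?: @"ok");
    }

    // The leaf is index 0 of the evaluated chain (SecTrustCopyCertificateChain replaces this from iOS 15).
    if (SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        if (CertificateUsesMD5Signature(leaf)) {
            NSLog(@"  leaf certificate is signed with md5WithRSAEncryption");
        }
    }
    return NO;
}
```

Call `EvaluateServerTrustWithDiagnostics([challenge.protectionSpace serverTrust], anchors)` from the place where the answer calls `validateServerWithChallenge:`. The logged property list is what tells the bullets in the question apart: an expired certificate, a missing intermediate, and an anchor that is not in `anchors` each show up as a different `kSecPropertyTypeError` string on the certificate that caused it, and the separate MD5 check reports the signature algorithm independently of whether the chain built.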
