iOS - 以编程方式安装SSL证书 [英] iOS - Install SSL certificate programatically

问题描述

我在写一个phonegap插件，在应用程序钥匙串中安装CA根证书和用户证书。

I'm writing a phonegap plugin that installs both CA root certificate and user certificate in the app keychain.

这里是用于安装证书的代码： / p>

Here is the code used to install the certificate:

NSData *PKCS12Data = [[NSData alloc] initWithContentsOfFile:certpath];
CFDataRef inPKCS12Data = (CFDataRef)PKCS12Data;
CFStringRef password = (CFStringRef)certPassword;
const void *keys[] = { kSecImportExportPassphrase };
const void *values[] = { password };
CFDictionaryRef optionsDictionary = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
OSStatus securityError = SecPKCS12Import(inPKCS12Data, optionsDictionary, &items);
if (securityError == 0) {
    NSLog(@" *** Certificate install Success ***");
} else {
    NSLog(@" *** Certificate install Failure ***");
}

上面的代码工作正常（securityError等于0）。但是，我得到这些错误：

The code above works fine (securityError equals 0). However, I'm obtaining those errors:

unknown apsd[59] <Warning>: <APSCourier: 0xee1ba80>: Stream error occurred for <APSTCPStream: 0x126940>: TLS Error Code=-9844 "peer dropped connection before responding"
unknown securityd[638] <Error>: CFReadStream domain: 12 error: 8

这表示设备不接受安装的证书，所以我想知道证书没有验证CA设备上安装的根证书。

That indicates that the device does not accept the installed certificate, so i'm wondering that the certificate is not validated against the CA Root certificate installed on the device.

我必须为应用程序安装CA Root证书吗？

Do I have to install the CA Root certificate for the app ?

任何想法？

PS：我刚刚接触Objective-C和XCode环境。

P.S: I'm new to Objective-C and XCode environment.

编辑：

以下代码用于将CA根证书存储在钥匙串中：

The code below is used to store CA root certificat in keychain:

NSString *rootCertPath = [[NSBundle mainBundle] pathForResource:@"rootca" ofType:@"cer"];
NSData *rootCertData = [NSData dataWithContentsOfFile:rootCertPath];

OSStatus err = noErr;
SecCertificateRef rootCert = SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef) rootCertData);

CFTypeRef result;

NSDictionary* dict = [NSDictionary dictionaryWithObjectsAndKeys:
(id)kSecClassCertificate, kSecClass,
rootCert, kSecValueRef,
nil];

err = SecItemAdd((CFDictionaryRef)dict, &result);

if( err == noErr) {
    NSLog(@"Install root certificate success");
} else if( err == errSecDuplicateItem ) {
    NSLog(@"duplicate root certificate entry");
} else {
    NSLog(@"install root certificate failure");
}

EDIT ：

似乎证书没有发送到服务器。我认为，我必须手动发送证书，每次一个https请求...
我正在寻找一种方法来捕获每个https电话在phonegap。

It seems that the certificate is not sent to server. I think that I have to send manually the certificate each time an https request is made... I'm looking for a way to catch every https call in phonegap.

请随时发布任何想法

推荐答案

这不足以将证书导入钥匙串。新的根证书也已被用户或系统信任。

It's no enough to import the certificate into the keychain. The new root certificate has also be trusted by the user or system.

假设您仍然在 SecCertificateRef 变量 certificate ，使用以下代码提高信任级别：

Assuming you still have the SecCertificateRef in the variable certificate, use the following code to raise the trust level:

NSDictionary *newTrustSettings = @{(id)kSecTrustSettingsResult: [NSNumber numberWithInt:kSecTrustSettingsResultTrustRoot]};
status = SecTrustSettingsSetTrustSettings(certificate, kSecTrustSettingsDomainUser, (__bridge CFTypeRef)(newTrustSettings));
if (status != errSecSuccess) {
    NSLog(@"Could not change the trust setting for a certificate. Error: %d", status);
    exit(0);
}

更改信任级别会在弹出式窗口中询问用户是否接受

Changing the trust level will ask the user in a popup window if he accepts the change.

这篇关于iOS - 以编程方式安装SSL证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！