在iPhone SDK下导入SSL证书 [英] Importing an SSL cert under the iPhone SDK

问题描述

我的应用程式使用连接到 Schwab OFX伺服器 NSURLConnection 。不幸的是，服务器使用一个非常近的中间证书，在Mac桌面上信任，但还没有iPhone。 （尝试网址 - 你会在iPhone上得到一个cert错误。）

My app connects to the Schwab OFX server using NSURLConnection. Unfortunately the server uses a very recent intermediate certificate that is trusted on the Mac desktop but not yet the iPhone. (Try the URL—you'll get a cert error on iPhone.)

没有简单的方法来告诉 NSURLConnection 忽略我知道的无效证书。因此，我试图手动导入证书到钥匙串，并设置其信任级别，但我打了一个块。

There's no easy way to tell NSURLConnection to ignore an invalid cert that I know of. Thus I'm trying to import the cert into the Keychain manually and set its trust level but I've hit a block.

我调用 SecCertificateCreateWithData 成功从 .cer 文件导入证书。在桌面上，我将调用 SecTrustSettingsSetTrustSettings ，但它不存在于iPhone SDK中。

I call SecCertificateCreateWithData successfully to import the certificate from a .cer file. On the desktop I would then call SecTrustSettingsSetTrustSettings, but it doesn't exist in the iPhone SDK.

推荐答案

苹果技术支持部门及时回复了我的完美答案。

Apple technical support responded to me promptly with a perfect answer.

首先，我不正确的说，Schwab使用一个最近的中间证书，在Mac桌面上信任但还没有iPhone。中间证书从不在内置根证书存储中。问题是大多数SSL服务器捆绑验证所需的所有中间证书，但Schwab使用备用SSL进程，希望您能从URL获取中间证书。 Mac桌面支持中间证书提取，但不支持当前的iPhone操作系统。

First, I am incorrect in saying that Schwab uses "a very recent intermediate certificate that is trusted on the Mac desktop but not yet the iPhone". Intermediate certificates are never in the built-in root certificate store. The issue is that most SSL servers bundle all intermediate certificates needed for verification, but Schwab uses an alternate SSL process that expects you to fetch the intermediate certificate from a URL. The Mac desktop supports intermediate-certificate fetching, but not the current iPhone OS.

这里是实际代码的主旨：

Here's the gist of the actual code:

OSStatus            err;
NSString *          path;
NSData *            data;
SecCertificateRef   cert;

path = [[NSBundle mainBundle] pathForResource:@"OFX-G3" ofType:@"cer"];
assert(path != nil);

data = [NSData dataWithContentsOfFile:path];
assert(data != nil);

cert = SecCertificateCreateWithData(NULL, (CFDataRef) data);
assert(cert != NULL);

err = SecItemAdd(
    (CFDictionaryRef) [NSDictionary dictionaryWithObjectsAndKeys:
        (id) kSecClassCertificate,  kSecClass, 
        cert,                       kSecValueRef, 
        nil
    ], 
    NULL
);
assert(err == noErr);

CFRelease(cert);

这假设OFX-G3.cer是中间SSL证书，位于资源文件夹中。

This assumes that OFX-G3.cer is the intermediate SSL certificate and is located in the Resources folder.

这篇关于在iPhone SDK下导入SSL证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！