在iphone应用程序中使用自签名证书 [英] Use a self-signed ssl certificate in an iphone app
问题描述
我为这个冗长的问题提前道歉。我在使用自签名SSL证书时遇到问题,我想记录到目前为止我尝试过的所有内容。
I apologize in advance for the long-winded question. I'm having trouble with a self-signed SSL cert and I want to document everything I've tried so far.
我正在开发一个与之通信的应用程序一个REST服务。测试服务器使用自签名的ssl证书,我可以在我的计算机上安装该证书。这是一个需要密码才能安装的.p12文件。如果未安装此证书,则对服务器的所有请求都将返回403.
I'm working on an app that communicates with a REST service. The test server uses a self-signed ssl certificate that I can install on my computer without issue. It's a .p12 file that requires a password to install. Without this certificate installed, all requests to the server return a 403.
.p12在Keychain中安装三个项目,一个根证书颁发机构,一个测试用户 由根证书颁发机构颁发的证书,以及与测试用户证书相关联的私钥。
The .p12 installs three items in the Keychain, a "Root certificate authority", a "test user" certificate that's issued by the "Root certificate authority", and a private key that's associated with the "test user" cert.
我在iPad上安装了此证书通过电子邮件发送自己的.p12文件。我点击了附件,输入了密码,现在我可以在Safari中访问该网站了。不幸的是,由于应用程序沙盒,这还不足以使我的应用程序与REST服务进行通信。
I've installed this certificate on my iPad by emailing myself the .p12 file. I tapped on the attachment, input the password, and I can now access the site in Safari. Unfortunately, because of application sandboxing, this isn't enough to get my app to communicate with the REST service.
我正在使用ASIHTTPRequest进行所有通信我的应用程序的REST服务。每个请求都是ASIHTTPRequest的子类。我发现我要做的第一件事就是调用 [self setValidatesSecureCertificate:NO]; ,这样它甚至可以尝试与服务器建立SSL连接。如果这就是我所做的一切,我从服务中得到403错误代码。
I'm using ASIHTTPRequest for all of the communication with the REST service from my app. Each request is a subclass of ASIHTTPRequest. The first thing I found I had to do was call [self setValidatesSecureCertificate:NO]; so that it would even attempt the SSL connection to the server. If that's all I do, I get 403 error codes back from the service.
现在我似乎无法弄清楚如何获得使用证书的请求。我已经尝试将这三个项目导出为单独的.cer文件,包括它们在项目中,并使用以下代码将它们添加到请求中:
Now I can't seem to figure out how to get the request to use the certificate. I've tried exporting the three items as separate .cer file, including them in the project and adding them to the request using the code below:
NSData *data = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"cert" ofType:@"cer"]];
SecCertificateRef cert = SecCertificateCreateWithData(NULL, (CFDataRef)data);
...
[self setClientCertificates:[NSArray arrayWithObjects:(id)cert, ..., nil]];
虽然使用这种方法代码执行没有问题,但我仍然收到403错误。
While the code executes without issue using this approach, I still get the 403 error.
我甚至尝试在我的应用程序中包含.p12文件并使用相同的代码导入它。这会失败,因为 SecCertificateCreateWithData 返回nil。
I've even tried including the .p12 file in my application and importing it using the same code. This fails because SecCertificateCreateWithData returns nil.
我承认我真的不知道我在这里做什么。这一切都有点过头了,任何人都可以给予我的帮助将不胜感激。
I admit I don't really know what I'm doing here. This is all a little over my head and any help anyone could give me would be greatly appreciated.
推荐答案
好的,我认为它出。我有点咆哮错误的树。
OK, I figured it out. I was sort of barking up the wrong tree.
我发现的最重要的信息是在Apple的文档中证书,密钥和信任服务编程指南,特别是iOS任务页面。这详细说明了如何从.p12文件中提取安全标识以及如何添加信任异常。
The most important information I found was in Apple's documentation for Certificate, Key, and Trust Services Programming Guide, in particular, the "Tasks for iOS" page. That detailed how to extract the security identity from the .p12 file and how to add a trust exception.
最后一部分拼图是在ASIHTTPRequest的客户端证书支持。通过使用我直接从p12文件中提取的身份,我能够将其传递给请求并正确地验证所有内容。
The last piece of the puzzle was in ASIHTTPRequest's documentation on Client Certificate Support. By using the identity I extracted directly from the p12 file, I was able to pass that on to the request and get everything authenticated properly.
我希望这可以帮助其他任何人必须实现类似的功能。
I hope this helps anyone else that has to implement a similar feature.
这篇关于在iphone应用程序中使用自签名证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
