SecPKCS12Import does not return any items

Problem description

I want to add certain CA certificates for TLS validation to the keychain of my iOS 6 application. The certificates are included in the Application Bundle. I do not want to add any identity (private key / certificate combination) which is described in several examples.

The SecPKCS12Import call does not return any error, but unfortunately it does not return any certificate as well.

To let you reproduce my steps I took the Google Intermediate Certificate ('Google Internet Authority') as an example, and ran the following commands on the downloaded PEM certificate:

#convert PEM certificate to PKCS12
openssl pkcs12 -export -in google.pem -nokeys -out google.p12 -passout "pass:google"
#verification
openssl pkcs12 -in google.p12 -passin "pass:google"
MAC verified OK
Bag Attributes: <No Attributes>
subject=/C=US/O=Google Inc/CN=Google Internet Authority
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIICsDCCAhmgAwIBAgIDFXfhMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
[...]
ARlIjNvrPq86fpVg0NOTawALkSqOUMl3MynBQO+spR7EHcRbADQ/JemfTEh2Ycfl
vZqhEFBfurZkX0eTANq98ZvVfpg=
-----END CERTIFICATE-----

Afterwards I bundled the file in my application where the following code got executed:

NSMutableDictionary * options = [[[NSMutableDictionary alloc] init] autorelease];
[options setObject:@"google" forKey:(id)kSecImportExportPassphrase];
CFArrayRef items = NULL;
NSData *certData = [NSData dataWithContentsOfFile:[NSBundle pathForResource:@"google" ofType:@"p12" inDirectory:[[NSBundle mainBundle] bundlePath]]];
OSStatus result = SecPKCS12Import((CFDataRef)certData, (CFDictionaryRef)options, &items);
assert(result == errSecSuccess);
CFIndex count = CFArrayGetCount(items);
NSLog(@"Certificates found: %ld",count);

The console result output is 'Certificates found: 0'. The certData variable gets filled with the correct amount of bytes, and if I change the provided password, the result changes to errSecAuthFailed.

Do you have any idea what the problem might be?

Recommended answer

I'd say that's a bug, see related question "SSL Identity Certificate to run an HTTPS Server on iOS" and bug "SecPKCS12Import returns empty array when certificate expires after Jan 1st 10000".

As you only want a certificate, without the private key, I'd import the certificate from a DER format file.

$ openssl x509 -in google.pem -out google.der -outform DER
$ openssl x509 -in google.der -noout -text

Bundle the DER certificate file and import it:

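NSString *path = [[NSBundle mainBundle] pathForResource:@"google" ofType:@"der"];
NSData *derData = [NSData dataWithContentsOfFile:path];
// derData is nil if the file is missing; the create call returns NULL
// if the bytes are not a DER-encoded X.509 certificate (e.g. PEM text)
SecCertificateRef cert = derData ? SecCertificateCreateWithData(NULL, (CFDataRef)derData) : NULL;

if (cert != NULL) {
    // add cert to KeyChain or use it as you need

    CFRelease(cert);
}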
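
Added example, not part of the original answer: one way to follow the "use it as you need" step for the asker's goal of TLS validation is to make the bundled DER certificate the only trust anchor when evaluating a server's trust object. The helper names are hypothetical; the code uses manual reference counting like the snippets above (under ARC the casts need `__bridge`) and the iOS 6-era `SecTrustEvaluate` call.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper: load <name>.der from the app bundle as a certificate.
// Returns NULL if the file is missing or is not DER-encoded X.509.
// The caller owns the returned reference and must CFRelease it.
static SecCertificateRef CopyBundledCACertificate(NSString *name) {
    NSString *path = [[NSBundle mainBundle] pathForResource:name ofType:@"der"];
    NSData *derData = path ? [NSData dataWithContentsOfFile:path] : nil;
    if (derData == nil) {
        return NULL;
    }
    return SecCertificateCreateWithData(NULL, (CFDataRef)derData);
}

// Hypothetical helper: YES only if serverTrust validates against the bundled
// certificate; every failure path returns NO (fail closed).
static BOOL ServerTrustChainsToBundledCA(SecTrustRef serverTrust) {
    if (serverTrust == NULL) {
        return NO;
    }
    SecCertificateRef ca = CopyBundledCACertificate(@"google");
    if (ca == NULL) {
        return NO;
    }
    const void *values[] = { ca };
    CFArrayRef anchors = CFArrayCreate(NULL, values, 1, &kCFTypeArrayCallBacks);
    BOOL trusted = NO;

    // Replace the anchor set for this evaluation and keep system roots out of it.
    if (anchors != NULL &&
        SecTrustSetAnchorCertificates(serverTrust, anchors) == errSecSuccess &&
        SecTrustSetAnchorCertificatesOnly(serverTrust, true) == errSecSuccess) {
        SecTrustResultType result = kSecTrustResultInvalid;
        if (SecTrustEvaluate(serverTrust, &result) == errSecSuccess) {
            // Unspecified: valid chain, no user override. Proceed: user-approved.
            trusted = (result == kSecTrustResultUnspecified ||
                       result == kSecTrustResultProceed);
        }
    }
    if (anchors != NULL) {
        CFRelease(anchors);
    }
    CFRelease(ca);
    return trusted;
}
```

Call `ServerTrustChainsToBundledCA` with `challenge.protectionSpace.serverTrust` from the connection delegate's authentication-challenge callback, and cancel the challenge when it returns NO.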
