现在,我的应用程序应该信任由该CA签发的任何服务器证书。(我不关心其他应用程序如何处理这些证书,我假设它们不会信任它,因为它们在沙箱中。)
我在网上找到了几个类似的问题,但似乎出了点问题。
如果我将CA证书拖放到模拟器中并手动接受信任,则与服务器的连接似乎可以正常工作。
但是,当我尝试以编程方式建立对CA证书的信任时,尽管下面的代码没有生成错误,但稍后连接到服务器的尝试被拒绝。
因此,我必须弄错了证书实现部分...有什么想法吗?
先感谢您!
NSString* certPath = [[NSBundle mainBundle] pathForResource:@"MyTestCA2" ofType:@"cer"]; //cer = CA certificate
NSData* certData = [NSData dataWithContentsOfFile:certPath];
SecCertificateRef cert;
if( [certData length] ) {
cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
if( cert != NULL ) {
CFStringRef certSummary = SecCertificateCopySubjectSummary(cert);
NSString* summaryString = [[NSString alloc] initWithString:(__bridge NSString*)certSummary];
NSLog(@"CERT SUMMARY: %@", summaryString);
certSummary = nil;
} else {
NSLog(@" *** ERROR *** trying to create the SSL certificate from data located at %@, but failed", certPath);
}
}
OSStatus err = noErr;
CFTypeRef result;
NSDictionary* dict = [NSDictionary dictionaryWithObjectsAndKeys:
(__bridge id)kSecClassCertificate, kSecClass,
cert, kSecValueRef,
nil];
err = SecItemAdd((__bridge CFDictionaryRef)dict, &result);
if(err!=noErr) NSLog(@"error while importing");
if (err==errSecDuplicateItem) NSLog(@"Cert already installed");
NSLog(@":%i",(int)err);
assert(err==noErr||err==errSecDuplicateItem); // accept no errors other than duplicate
err = noErr;
SecTrustRef trust;
err = SecTrustCreateWithCertificates(cert, SecPolicyCreateBasicX509() ,&trust);
assert(err==noErr);
err = noErr;
CFMutableArrayRef newAnchorArray = CFArrayCreateMutable(kCFAllocatorDefault,0,&kCFTypeArrayCallBacks);
CFArrayAppendValue(newAnchorArray,cert);
err = SecTrustSetAnchorCertificates(trust, newAnchorArray);
assert(err==noErr);
SecTrustResultType trustResult;
err=SecTrustEvaluate(trust,&trustResult);
assert(err==noErr);
cert=nil;
kSecResultUnspecified
,但连接仍然失败并显示“CFNetwork SSLHandshake failed (-9807)”,但是当证书已被拖放到模拟器中并由用户接受时,就不会出现此类错误(即使这样,我仍然只能获得kSecResultUnspecified
);如果我解决了问题,我会进行更新的。 - McMini