Jak zweryfikować (i wymagać) certyfikatu z podpisem własnym w systemie iOS

Question

Chciałbym utworzyć połączenie SSL z serwerem za pomocą certyfikatów z podpisem własnym, które są dostarczane wraz z kodem w systemie iOS. W ten sposób nie muszę się martwić o bardziej wyrafinowane ataki man-in-the-middle, w których ktoś ma dostęp do wysokiego poziomu "zaufanego" urzędu certyfikacji. Mam problemy z używaniem tego, co uważam za standardową metodę firmy Apple.

Generowanie certyfikatu poprzez procedurę znaleźć here

# Create root CA & private key 
openssl req -newkey rsa:4096 -sha512 -days 9999 -x509 -nodes -out root.pem.cer 
# Create a certificate signing request 
openssl req -newkey rsa:4096 -sha512 -nodes -out ssl.csr -keyout ssl.key 
# Create an OpenSSL Configuration file from http://svasey.org/projects/software-usage-notes/ssl_en.html 
vim openssl.conf 
# Create the indexes 
touch certindex 
echo 000a > certserial 
echo 000a > crlnumber 
# Generate SSL certificate 
openssl ca -batch -config openssl.conf -notext -in ssl.csr -out ssl.pem.cer 
# Create Certificate Revocation List 
openssl ca -config openssl.conf -gencrl -keyfile privkey.pem -cert root.pem.cer -out root.crl.pem 
openssl crl -inform PEM -in root.crl.pem -outform DER -out root.crl && rm root.crl.pem 

a kod iOS:

- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge { 
    NSURLProtectionSpace *protectionSpace = [challenge protectionSpace]; 
    if ([protectionSpace authenticationMethod] == NSURLAuthenticationMethodServerTrust) { 
    // Load anchor cert.. also tried this with both certs and it doesn't seem to matter 
    NSString *path = [[NSBundle mainBundle] pathForResource:@"root.der" ofType:@"crt"]; 
    NSData *data = [[NSData alloc] initWithContentsOfFile:path]; 
    SecCertificateRef anchorCert = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)data); 
    CFMutableArrayRef anchorCerts = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); 
    CFArrayAppendValue(anchorCerts, anchorCert); 

    // Set anchor cert 
    SecTrustRef trust = [protectionSpace serverTrust]; 
    SecTrustSetAnchorCertificates(trust, anchorCerts); 
    SecTrustSetAnchorCertificatesOnly(trust, YES); // only use that certificate 
    CFRelease(anchorCert); 
    CFRelease(anchorCerts); 

    // Validate cert 
    SecTrustResultType secresult = kSecTrustResultInvalid; 
    if (SecTrustEvaluate(trust, &secresult) != errSecSuccess) { 
     [challenge.sender cancelAuthenticationChallenge:challenge]; 
     return; 
    } 

    switch (secresult) { 
     case kSecTrustResultInvalid: 
     case kSecTrustResultDeny: 
     case kSecTrustResultFatalTrustFailure: 
     case kSecTrustResultOtherError: 
     case kSecTrustResultRecoverableTrustFailure: { 
     // !!! It's always kSecTrustResultRecoverableTrustFailure, aka 5 
     NSLog(@"Failing due to result: %lu", secresult); 
     [challenge.sender cancelAuthenticationChallenge:challenge]; 
     return; 
     } 

     case kSecTrustResultUnspecified: // The OS trusts this certificate implicitly. 
     case kSecTrustResultProceed: { // The user explicitly told the OS to trust it. 
     NSURLCredential *credential = [NSURLCredential credentialForTrust:trust]; 
     [challenge.sender useCredential:credential forAuthenticationChallenge:challenge]; 
     return; 
     } 
     default: ; 
     /* It's somebody else's key. Fall through. */ 
    } 
    /* The server sent a key other than the trusted key. */ 
    [connection cancel]; 

    // Perform other cleanup here, as needed. 
    } else { 
    NSLog(@"In weird space... not handling authentication method: %@", [protectionSpace authenticationMethod]); 
    [connection cancel]; 
    } 
} 

zawsze jestem coraz kSecTrustResultRecoverableTrustFailure jako wynik. Nie sądzę, że jest to problem z localhostem, ponieważ próbowałem również zmienić kod Apple'a. Co robić?

Dzięki!

Answer 1

Jeśli wynikiem zaufania jest kSecTrustResultRecoverableTrustFailure, możesz być w stanie odzyskać od awarii.

Oto sposób obejścia tego problemu.

https://developer.apple.com/library/mac/#documentation/security/conceptual/CertKeyTrustProgGuide/iPhone_Tasks/iPhone_Tasks.html#//apple_ref/doc/uid/TP40001358-CH208-SW8

Answer 2

Należy upewnić się, że certyfikat jest ważny. Myślę, że to nazwa nie powinna być root.der.crt. Możesz sprawdzić typy certyfikatów od here. Poniższy kod jest dla certyfikatu p12, mam nadzieję, że to pomoże.

NSData *PKCS12DataQA = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"CERTIFICATE NAME" ofType:@"CERTIFICATE TYPE"]]; 

BOOL result = [self extractIdentity:&identity andTrust:&trust fromPKCS12Data:PKCS12DataQA]; 


- (BOOL)extractIdentity:(SecIdentityRef *)outIdentity andTrust:(SecTrustRef*)outTrust fromPKCS12Data:(NSData *)inPKCS12Data 
{ 
    OSStatus securityError = errSecSuccess; 
    //testtest is the passsword for the certificate. 
    NSDictionary *optionsDictionary = [NSDictionary dictionaryWithObject:@"testtest" forKey:(id)CFBridgingRelease(kSecImportExportPassphrase)]; 

    CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL); 
    securityError = SecPKCS12Import((__bridge CFDataRef)(inPKCS12Data),(CFDictionaryRef)CFBridgingRetain(optionsDictionary),&items); 

    if (securityError == 0) { 
     CFDictionaryRef myIdentityAndTrust = CFArrayGetValueAtIndex (items, 0); 
     const void *tempIdentity = NULL; 
     tempIdentity = CFDictionaryGetValue (myIdentityAndTrust, kSecImportItemIdentity); 
     *outIdentity = (SecIdentityRef)tempIdentity; 
     const void *tempTrust = NULL; 
     tempTrust = CFDictionaryGetValue (myIdentityAndTrust, kSecImportItemTrust); 
     *outTrust = (SecTrustRef)tempTrust; 

    } else { 
     NSLog(@"Failed with error code %d",(int)securityError); 
     return NO; 
    } 

    return YES; 
}