Ale*_*rth 8 sockets ssl certificate-authority ios root-certificate
我正在尝试建立与java运行SSLServerSocket的安全连接.
我创建了自己的根CA,并使用此证书签署了Java SSLServerSocket的证书.
我想将此根证书添加到我的应用程序,以便根证书签署的任何证书都可以.
到目前为止,我通过将读取和写入流属性设置为此来使安全连接正常工作:
NSDictionary *settings = [[NSDictionary alloc] initWithObjectsAndKeys:
(id)kCFStreamSocketSecurityLevelNegotiatedSSL, kCFStreamPropertySocketSecurityLevel,
[NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredCertificates,
[NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredRoots,
[NSNumber numberWithBool:NO], kCFStreamSSLValidatesCertificateChain,nil];
我将证书添加到钥匙串,如下所示:
-(void)addRootCert{
NSString* rootCertPath = [[NSBundle mainBundle] pathForResource:@"rootCA" ofType:@"der"];
NSData* rootCertData = [NSData dataWithContentsOfFile:rootCertPath];
OSStatus err = noErr;
SecCertificateRef rootCert = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)rootCertData);
NSDictionary* dict = [NSDictionary dictionaryWithObjectsAndKeys:(__bridge_transfer id)kSecClassCertificate, kSecClass, rootCert, kSecValueRef, nil];
err = SecItemAdd((__bridge CFDictionaryRef) dict, NULL);
if (err == noErr) {
NSLog(@"Sucessfully added root certificate");
}else if (err == errSecDuplicateItem){
NSLog(@"Root certificate already exists");
}else{
NSLog(@"Root certificate add failed");
}
}
这很好,但我想验证证书链,以便我的应用程序只接受由我的CA(或默认的受信任的CA)签名的证书
我怎样才能做到这一点?
如果我设置kCFStreamSSLValidatesCertificateChain为yes,我会收到错误:CFNetwork SSLHandshake failed (-9807)但如果不是,那么签署服务器证书的人无关紧要,无论如何都会连接(我认为是对的?)
谢谢!
| 归档时间: |
|
| 查看次数: |
7867 次 |
| 最近记录: |