Dan*_*val 9 ocsp certificate ios ios7
我一直试图在不同的时刻使用OCSP和CRL检查iOS 7.0中的X.509证书撤销状态,并且评估返回kSecTrustResultUnspecified(这意味着证书是可信的),而不用实际检查OCSP或CRL源,当我通过链中的所有证书.我在下面提出了我认为相关的任何代码,请帮忙!
谢谢!
PS:ocspOnly和crlOnly是布尔值,表示是否只使用任何撤销检查方法; certs是一个NSArray,包含除锚证书之外的所有链中的证书; 之前正确设置了锚证书.
int evaluationMethod = kSecRevocationRequirePositiveResponse;
if (ocspOnly) {
evaluationMethod |= kSecRevocationOCSPMethod;
} else if (crlOnly) {
evaluationMethod |= kSecRevocationCRLMethod;
} else {
evaluationMethod |= kSecRevocationUseAnyAvailableMethod;
}
if ((status = SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, SecPolicyCreateRevocation(evaluationMethod), &trust)) != errSecSuccess) {
NSLog(@"Failed to create trust with certificate and policy: %ld", status);
return NO;
}
if ((status = SecTrustSetNetworkFetchAllowed(trust, YES)) != errSecSuccess) {
NSLog(@"Failed to activate network fetch: %ld", status);
}
status = SecTrustEvaluate(trust, &trustResult);
if (status != errSecSuccess) {
NSLog(@"Failed to evaluate trust: %ld", status);
return NO;
}
if (trustResult == kSecTrustResultProceed || trustResult == kSecTrustResultUnspecified)
return YES;
return NO;
PS-2:这个问题也被要求在iOS的开发者论坛在这里.