[英]Use a self-signed ssl certificate in an iphone app
I apologize in advance for the long-winded question. 对于这个棘手的问题,我预先表示歉意。 I'm having trouble with a self-signed SSL cert and I want to document everything I've tried so far. 我在使用自签名SSL证书时遇到了麻烦,我想记录一下到目前为止我已经尝试过的所有内容。
I'm working on an app that communicates with a REST service. 我正在开发与REST服务通信的应用程序。 The test server uses a self-signed ssl certificate that I can install on my computer without issue. 测试服务器使用自签名的ssl证书,我可以将其安装在计算机上而不会出现问题。 It's a .p12 file that requires a password to install. 这是一个.p12文件,需要输入密码才能安装。 Without this certificate installed, all requests to the server return a 403. 没有安装此证书,对服务器的所有请求都返回403。
The .p12 installs three items in the Keychain, a "Root certificate authority", a "test user" certificate that's issued by the "Root certificate authority", and a private key that's associated with the "test user" cert. .p12在钥匙串中安装三个项目,一个是“根证书颁发机构”,一个是由“根证书颁发机构”颁发的“测试用户”证书,另一个是与“测试用户”证书关联的私钥。
I've installed this certificate on my iPad by emailing myself the .p12 file. 我已通过电子邮件向自己发送.p12文件在iPad上安装了此证书。 I tapped on the attachment, input the password, and I can now access the site in Safari. 我点击附件,输入密码,现在可以在Safari中访问该网站。 Unfortunately, because of application sandboxing, this isn't enough to get my app to communicate with the REST service. 不幸的是,由于应用程序沙箱,这还不足以使我的应用程序与REST服务进行通信。
I'm using ASIHTTPRequest for all of the communication with the REST service from my app. 我将ASIHTTPRequest用于与我的应用程序中的REST服务进行的所有通信。 Each request is a subclass of ASIHTTPRequest. 每个请求都是ASIHTTPRequest的子类。 The first thing I found I had to do was call [self setValidatesSecureCertificate:NO];
我发现我要做的第一件事是调用[self setValidatesSecureCertificate:NO];
so that it would even attempt the SSL connection to the server. 这样它甚至可以尝试与服务器建立SSL连接。 If that's all I do, I get 403 error codes back from the service. 如果仅此而已,我会从服务返回403错误代码。
Now I can't seem to figure out how to get the request to use the certificate. 现在,我似乎无法弄清楚如何获得使用证书的请求。 I've tried exporting the three items as separate .cer file, including them in the project and adding them to the request using the code below: 我尝试将这三个项目导出为单独的.cer文件,包括它们在项目中,并使用以下代码将它们添加到请求中:
NSData *data = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"cert" ofType:@"cer"]];
SecCertificateRef cert = SecCertificateCreateWithData(NULL, (CFDataRef)data);
...
[self setClientCertificates:[NSArray arrayWithObjects:(id)cert, ..., nil]];
While the code executes without issue using this approach, I still get the 403 error. 尽管使用这种方法执行代码没有问题,但我仍然收到403错误。
I've even tried including the .p12 file in my application and importing it using the same code. 我什至尝试将.p12文件包含在我的应用程序中,并使用相同的代码导入。 This fails because SecCertificateCreateWithData
returns nil. 这将失败,因为SecCertificateCreateWithData
返回nil。
I admit I don't really know what I'm doing here. 我承认我真的不知道我在这里做什么。 This is all a little over my head and any help anyone could give me would be greatly appreciated. 这一切都让我烦恼不已,任何人都可以给我的帮助将不胜感激。
OK, I figured it out. 好,我知道了。 I was sort of barking up the wrong tree. 我有点叫错了树。
The most important information I found was in Apple's documentation for Certificate, Key, and Trust Services Programming Guide , in particular, the "Tasks for iOS" page. 我发现的最重要的信息是在Apple的《 证书,密钥和信任服务编程指南》文档中,尤其是在“ iOS任务”页面中。 That detailed how to extract the security identity from the .p12 file and how to add a trust exception. 上面详细介绍了如何从.p12文件中提取安全身份以及如何添加信任异常。
The last piece of the puzzle was in ASIHTTPRequest's documentation on Client Certificate Support . 最后一个难题是在ASIHTTPRequest的“ 客户端证书支持”文档中。 By using the identity I extracted directly from the p12 file, I was able to pass that on to the request and get everything authenticated properly. 通过使用我直接从p12文件中提取的身份,我能够将其传递给请求并正确验证了所有内容。
I hope this helps anyone else that has to implement a similar feature. 我希望这对必须实施类似功能的其他人员有所帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.