Adding trust for an X509 CA certificate imported into keychain on OS X
Recently I wrote a little chunk of code that grabs a CA certificate from a SCEP server, turns it into a SecCertificateRef and adds it to a keychain (either System or login). Now I'm wondering how I can get the system to trust that certificate. I've been playing around with Trust Policies but I haven't had much luck yet.

On top of this, I understand that the system may not allow you to automatically trust a certificate without user interaction. If that's the case, how do you kick off the interaction? Using "SecCertificateAddToKeychain" puts the certificate into the keychain silently.

Side note: I'm trying to support 10.5 with this code as well.

Thanks for any help!

Edit: After playing around with the code on the Citrix page I came up with my own function. From what I gathered from the Citrix page, this method is destructive. So if the certificate is already in the keychain and already has policies (iChat, etc.) this will overwrite those. Since I don't care about that in my project, here's a simpler version I came up with.
```objc
// Requires <Security/Security.h>. keychain is an instance variable
// (SecKeychainRef) created with SecKeychainOpen.
-(OSStatus) addCertificate: (CertificateWrapper *) cert trust:(BOOL) shouldTrust {
    OSStatus result = SecCertificateAddToKeychain([cert certificate], keychain);
    // A duplicate is fine: the cert is already in the keychain but may still need trust.
    if((result == noErr || result == errKCDuplicateItem) && shouldTrust){
        // Try the broadest domain first and fall back to the next one when
        // the current user is not allowed to write it.
        SecTrustSettingsDomain domains[3] = { kSecTrustSettingsDomainSystem, kSecTrustSettingsDomainAdmin, kSecTrustSettingsDomainUser};
        for(int i = 0; i < 3; i++){
            // An empty settings array means "trust for all policies" and replaces
            // whatever settings the cert already had in that domain (the destructive part).
            CFMutableArrayRef trustSettingMutArray = CFArrayCreateMutable (NULL, 0, &kCFTypeArrayCallBacks);
            result = SecTrustSettingsSetTrustSettings([cert certificate], domains[i], trustSettingMutArray );
            CFRelease(trustSettingMutArray); // the framework copies what it needs; release our reference
            if(result == noErr){
                break;
            }
        }
    }
    return result;
}
```
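The non-destructive, policy-scoped variant the edit above says it does not need, as an added example (not the asker's code and not the Citrix sample): it reads the certificate's existing trust settings in the chosen domain with SecTrustSettingsCopyTrustSettings, appends one entry that trusts the CA for the SSL policy only rather than for every policy, writes the merged array back, and then confirms the result with SecTrustEvaluate. The function names, the isSelfSigned parameter and the SSL-only scoping are this example's own choices; SecPolicyCreateSSL needs 10.6, so the 10.5 target would have to look the SSL policy up with SecPolicySearchCreate/SecPolicySearchCopyNext instead.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example, not the question's code. Grants a CA certificate trust for the
// SSL policy only, preserving trust settings the certificate already has in the
// chosen domain. The function name and the isSelfSigned parameter are this
// example's own; the caller knows whether the CA it fetched over SCEP is a
// self-signed root or an intermediate.
OSStatus AddCertificateTrustedForSSL(SecCertificateRef certificate,
                                     SecKeychainRef keychain,
                                     SecTrustSettingsDomain domain,
                                     Boolean isSelfSigned)
{
    OSStatus status = SecCertificateAddToKeychain(certificate, keychain);
    if (status != errSecSuccess && status != errSecDuplicateItem) {
        return status;   // a duplicate is fine: it may still need trust
    }

    // Read back what is already there so we append rather than overwrite.
    // errSecItemNotFound simply means no settings exist yet in this domain.
    CFArrayRef existing = NULL;
    CFMutableArrayRef settings = NULL;
    status = SecTrustSettingsCopyTrustSettings(certificate, domain, &existing);
    if (status == errSecSuccess && existing != NULL) {
        settings = CFArrayCreateMutableCopy(NULL, 0, existing);
        CFRelease(existing);
    } else if (status == errSecItemNotFound) {
        settings = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
    } else {
        return status;
    }

    // Scope the grant to the SSL server policy instead of "all policies".
    // SecPolicyCreateSSL is 10.6+; on 10.5 the policy has to be located with
    // SecPolicySearchCreate/SecPolicySearchCopyNext.
    SecPolicyRef sslPolicy = SecPolicyCreateSSL(true, NULL);

    // kSecTrustSettingsResultTrustRoot is only accepted for self-signed certs;
    // an intermediate CA must be trusted "as root" instead.
    SInt32 resultValue = isSelfSigned ? kSecTrustSettingsResultTrustRoot
                                      : kSecTrustSettingsResultTrustAsRoot;
    CFNumberRef resultNumber = CFNumberCreate(NULL, kCFNumberSInt32Type, &resultValue);

    const void *keys[]   = { kSecTrustSettingsPolicy, kSecTrustSettingsResult };
    const void *values[] = { sslPolicy, resultNumber };
    CFDictionaryRef entry = CFDictionaryCreate(NULL, keys, values, 2,
                                               &kCFTypeDictionaryKeyCallBacks,
                                               &kCFTypeDictionaryValueCallBacks);
    CFArrayAppendValue(settings, entry);

    // This is the call that raises the user interaction: writing the User
    // domain prompts for the login password, the Admin domain for an
    // administrator's credentials. Nothing is trusted silently.
    status = SecTrustSettingsSetTrustSettings(certificate, domain, settings);

    CFRelease(entry);
    CFRelease(resultNumber);
    CFRelease(sslPolicy);
    CFRelease(settings);
    return status;
}

// Verify the grant took effect by evaluating the certificate against the SSL
// policy, the same check the framework performs when a TLS connection is made.
Boolean CertificateTrustedForSSL(SecCertificateRef certificate)
{
    SecPolicyRef sslPolicy = SecPolicyCreateSSL(true, NULL);
    SecTrustRef trust = NULL;
    Boolean trusted = false;
    if (SecTrustCreateWithCertificates(certificate, sslPolicy, &trust) == errSecSuccess) {
        SecTrustResultType result = kSecTrustResultInvalid;
        if (SecTrustEvaluate(trust, &result) == errSecSuccess) {
            // Proceed: trusted through explicit trust settings.
            // Unspecified: chain is valid and anchored without a user setting.
            trusted = (result == kSecTrustResultProceed ||
                       result == kSecTrustResultUnspecified);
        }
        CFRelease(trust);
    }
    CFRelease(sslPolicy);
    return trusted;
}
```

Calling AddCertificateTrustedForSSL with kSecTrustSettingsDomainUser and then CertificateTrustedForSSL answers both halves of the question: the keychain insert stays silent, the trust-settings write is the step that produces the authorization dialog, and the evaluation afterwards tells you whether the grant actually applies to the policy you care about rather than assuming it from a noErr return.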
There is a great example of how to do this on the Citrix web site with a ton of sample code.