
Adding trust for a X509 CA certificate imported into keychain on OS X

Recently I wrote a little chunk of code that grabs a CA certificate from a SCEP server, turns it into a SecCertificateRef and adds it to a keychain (either System or login). Now I'm wondering how I can get the system to trust that certificate. I've been playing around with Trust Policies but I haven't had much luck yet.

On top of this, I understand that the system may not allow you to automatically trust a certificate without user interaction. If that's the case, how do you kick off the interaction? Using "SecCertificateAddToKeychain" puts the certificate into the keychain silently.

Side note: I'm trying to support 10.5 with this code as well.

Thanks for any help!

Edit: After playing around with the code on the Citrix page I came up with my own function. From what I gathered from the Citrix page, this method is destructive. So if the certificate is already in the keychain and already has policies (iChat, etc.) this will overwrite those. Since I don't care about that in my project, here's a simpler version I came up with.

-(OSStatus) addCertificate: (CertificateWrapper *) cert trust:(BOOL) shouldTrust {
    // keychain is a SecKeychainRef created with SecKeychainOpen
    OSStatus result = SecCertificateAddToKeychain([cert certificate], keychain);
    // A duplicate is fine: the certificate is already in the keychain, only the trust step is still needed
    if((result == noErr || result == errKCDuplicateItem) && shouldTrust){

        // Try the most privileged domain first; the first domain that accepts the settings wins
        SecTrustSettingsDomain domains[3] = { kSecTrustSettingsDomainSystem, kSecTrustSettingsDomainAdmin, kSecTrustSettingsDomainUser};

        for(int i = 0; i < 3; i++){

            // An empty (non-NULL) settings array means "always trust this certificate for every policy";
            // it replaces whatever usage constraints the certificate already had in that domain
            CFMutableArrayRef trustSettingMutArray = CFArrayCreateMutable (NULL, 0, &kCFTypeArrayCallBacks);

            result = SecTrustSettingsSetTrustSettings([cert certificate], domains[i], trustSettingMutArray );

            // The array is not needed once the call returns
            CFRelease(trustSettingMutArray);

            if(result == noErr){
                break;
            }
        }
    }
    return result;
}

There is a great example of how to do this on the Citrix web site with a ton of sample code.
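A non-destructive variant, added here as an example rather than code from the question or the Citrix page: it merges a trust-as-root entry into whatever usage constraints the certificate already has in a domain (so existing iChat-style policies survive) and then checks the outcome through SecTrust evaluation. The names AddRootTrustPreservingExisting and IsNowTrusted are hypothetical, and the code assumes cert is a self-signed CA root that has already been added to a keychain.

```objective-c
#import <Security/Security.h>

// Hypothetical helper: add a "trust as root for every policy" entry to the
// certificate's existing trust settings in one domain instead of replacing them.
// Assumes cert is a self-signed CA root that is already in a keychain.
static OSStatus AddRootTrustPreservingExisting(SecCertificateRef cert, SecTrustSettingsDomain domain)
{
    CFArrayRef existing = NULL;
    OSStatus status = SecTrustSettingsCopyTrustSettings(cert, domain, &existing);
    // errSecItemNotFound only means there are no settings yet; anything else is a real error
    if (status != noErr && status != errSecItemNotFound) return status;
    CFMutableArrayRef merged = existing ? CFArrayCreateMutableCopy(NULL, 0, existing)
                                        : CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
    if (existing) CFRelease(existing);

    // A usage-constraint dictionary without kSecTrustSettingsPolicy applies to all policies.
    // Use kSecTrustSettingsResultTrustAsRoot instead if the CA certificate is not self-signed.
    SInt32 resultValue = kSecTrustSettingsResultTrustRoot;
    CFNumberRef resultNum = CFNumberCreate(NULL, kCFNumberSInt32Type, &resultValue);
    const void *keys[] = { kSecTrustSettingsResult };
    const void *values[] = { resultNum };
    CFDictionaryRef entry = CFDictionaryCreate(NULL, keys, values, 1, &kCFTypeDictionaryKeyCallBacks,
                                               &kCFTypeDictionaryValueCallBacks);
    CFArrayAppendValue(merged, entry);

    // This call is where the interaction happens: the User domain prompts the logged-in user
    // for authorization, the Admin domain needs admin rights, and the System domain is read-only.
    status = SecTrustSettingsSetTrustSettings(cert, domain, merged);
    CFRelease(entry);
    CFRelease(resultNum);
    CFRelease(merged);
    return status;
}

// Check the outcome by evaluating the certificate under the basic X.509 policy.
// SecPolicyCreateBasicX509 exists from 10.6, so this check does not cover the 10.5 target.
static Boolean IsNowTrusted(SecCertificateRef cert)
{
    SecPolicyRef policy = SecPolicyCreateBasicX509();
    SecTrustRef trust = NULL;
    SecTrustResultType result = kSecTrustResultInvalid;
    Boolean trusted = false;
    if (SecTrustCreateWithCertificates(cert, policy, &trust) == noErr && SecTrustEvaluate(trust, &result) == noErr) {
        // Proceed = trusted through a user/admin trust setting; Unspecified = trusted through built-in anchors
        trusted = (result == kSecTrustResultProceed || result == kSecTrustResultUnspecified);
    }
    if (trust) CFRelease(trust);
    CFRelease(policy);
    return trusted;
}
```

Calling AddRootTrustPreservingExisting with kSecTrustSettingsDomainUser is the closest match to the question's setup: it triggers the authorization prompt rather than silently changing trust.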
