
Adding trust for an X509 CA certificate imported into keychain on OS X

Recently I wrote a little chunk of code that grabs a CA certificate from a SCEP server, turns it into a SecCertificateRef and adds it to a keychain (either System or login). Now I'm wondering how I can get the system to trust that certificate. I've been playing around with Trust Policies but I haven't had much luck yet.

On top of this, I understand that the system may not allow you to automatically trust a certificate without user interaction. If that's the case, how do you kick off the interaction? Using "SecCertificateAddToKeychain" puts the certificate into the keychain silently.

Side note: I'm trying to support 10.5 with this code as well.

Thanks for any help!

Edit: After playing around with the code on the Citrix page I came up with my own function. From what I gathered from the Citrix page, this method is destructive. So if the certificate is already in the keychain and already has policies (iChat, etc.) this will overwrite those. Since I don't care about that in my project, here's a simpler version I came up with.

#import <Security/Security.h>

-(OSStatus) addCertificate: (CertificateWrapper *) cert trust:(BOOL) shouldTrust {
    //keychain is a SecKeychainRef created with SecKeychainOpen
    OSStatus result = SecCertificateAddToKeychain([cert certificate], keychain);
    //errKCDuplicateItem means the certificate was already in the keychain, which is fine
    if((result == noErr || result == errKCDuplicateItem) && shouldTrust){

        //domains are tried in this order; the first one that accepts the settings wins
        SecTrustSettingsDomain domains[3] = { kSecTrustSettingsDomainSystem, kSecTrustSettingsDomainAdmin, kSecTrustSettingsDomainUser};

        for(int i = 0; i < 3; i++){

            //an empty settings array selects the default: trust as a root for all policies,
            //replacing whatever per-policy settings the certificate already had
            CFMutableArrayRef trustSettingMutArray = CFArrayCreateMutable (NULL, 0, &kCFTypeArrayCallBacks);

            result = SecTrustSettingsSetTrustSettings([cert certificate], domains[i], trustSettingMutArray );

            //the framework copies the settings, so release our reference to avoid a leak
            CFRelease(trustSettingMutArray);

            if(result == noErr){
                break;
            }
        }
    }
    return result;
}
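A non-destructive variant of the same idea, added here as an example and not code from the question or from the Citrix sample: it reads the certificate's existing trust settings in one domain with SecTrustSettingsCopyTrustSettings, appends a single entry that trusts the certificate as a root for the TLS server policy only (rather than for every policy), writes the merged array back, and then evaluates the certificate under that policy to confirm the setting took effect. The helper names (CreateTrustEntry, AddTrustForPolicy, CertificateIsTrusted) and the DER input path are assumptions; SecPolicyCreateSSL and SecCertificateCreateWithData are 10.6 APIs, so this does not cover the 10.5 target mentioned above.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper (not from the question): one trust-settings dictionary
// meaning "trust this certificate as a root, but only for `policy`".
static CFDictionaryRef CreateTrustEntry(SecPolicyRef policy) {
    SInt32 resultValue = kSecTrustSettingsResultTrustRoot;
    CFNumberRef resultNum = CFNumberCreate(NULL, kCFNumberSInt32Type, &resultValue);
    const void *keys[]   = { kSecTrustSettingsPolicy, kSecTrustSettingsResult };
    const void *values[] = { policy, resultNum };
    CFDictionaryRef entry = CFDictionaryCreate(NULL, keys, values, 2,
                                               &kCFTypeDictionaryKeyCallBacks,
                                               &kCFTypeDictionaryValueCallBacks);
    CFRelease(resultNum);
    return entry;
}

// Hypothetical helper: read-modify-write of the trust settings in one domain.
// Existing entries (iChat, other policies, ...) survive; only one entry is appended.
OSStatus AddTrustForPolicy(SecCertificateRef cert, SecPolicyRef policy,
                           SecTrustSettingsDomain domain) {
    CFArrayRef existing = NULL;
    OSStatus status = SecTrustSettingsCopyTrustSettings(cert, domain, &existing);
    // errSecItemNotFound just means the certificate has no settings in this domain yet.
    if (status != noErr && status != errSecItemNotFound) {
        return status;
    }
    CFMutableArrayRef merged = existing
        ? CFArrayCreateMutableCopy(NULL, 0, existing)
        : CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
    if (existing) CFRelease(existing);

    CFDictionaryRef entry = CreateTrustEntry(policy);
    CFArrayAppendValue(merged, entry);
    CFRelease(entry);

    // kSecTrustSettingsDomainAdmin needs administrator authorization (the framework
    // prompts for it); kSecTrustSettingsDomainSystem is read-only through this API.
    status = SecTrustSettingsSetTrustSettings(cert, domain, merged);
    CFRelease(merged);
    return status;
}

// Hypothetical helper: evaluate the certificate under `policy` to verify the result.
BOOL CertificateIsTrusted(SecCertificateRef cert, SecPolicyRef policy) {
    SecTrustRef trust = NULL;
    if (SecTrustCreateWithCertificates(cert, policy, &trust) != noErr) {
        return NO;
    }
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    CFRelease(trust);
    // Proceed = trusted by an explicit user setting; Unspecified = trusted with no override.
    return status == noErr &&
           (result == kSecTrustResultProceed || result == kSecTrustResultUnspecified);
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        if (argc < 2) { fprintf(stderr, "usage: %s ca.der\n", argv[0]); return 1; }
        // Assumed input: a DER-encoded CA certificate on disk.
        NSData *der = [NSData dataWithContentsOfFile:@(argv[1])];
        SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der);
        if (!cert) { fprintf(stderr, "not a DER certificate\n"); return 1; }

        // Put it in the default (login) keychain first, as the question's code does;
        // a duplicate is not an error here.
        OSStatus added = SecCertificateAddToKeychain(cert, NULL);
        if (added != noErr && added != errSecDuplicateItem) {
            fprintf(stderr, "SecCertificateAddToKeychain failed: %d\n", (int)added);
            CFRelease(cert);
            return 1;
        }

        // Scope the trust to TLS server authentication instead of every policy.
        SecPolicyRef ssl = SecPolicyCreateSSL(true, NULL);
        OSStatus status = AddTrustForPolicy(cert, ssl, kSecTrustSettingsDomainUser);
        printf("SecTrustSettingsSetTrustSettings: %d\n", (int)status);
        printf("trusted for SSL: %s\n", CertificateIsTrusted(cert, ssl) ? "yes" : "no");
        CFRelease(ssl);
        CFRelease(cert);
        return status == noErr ? 0 : 1;
    }
}
```

Build with `clang -fobjc-arc -framework Foundation -framework Security addtrust.m -o addtrust` and run it as `./addtrust ca.der`. Limiting the entry to one policy keeps a CA that was only meant for your SCEP-issued TLS certificates from also becoming a trusted root for code signing, S/MIME and everything else, which is what the empty-array form silently grants.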

There is a great example of how to do this on the Citrix web site with a ton of sample code.
