Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
482 views
in Technique[技术] by (71.8m points)

ios - Use a self-signed ssl certificate in an iphone app

I apologize in advance for the long-winded question. I'm having trouble with a self-signed SSL cert and I want to document everything I've tried so far.

I'm working on an app that communicates with a REST service. The test server uses a self-signed ssl certificate that I can install on my computer without issue. It's a .p12 file that requires a password to install. Without this certificate installed, all requests to the server return a 403.

The .p12 installs three items in the Keychain, a "Root certificate authority", a "test user" certificate that's issued by the "Root certificate authority", and a private key that's associated with the "test user" cert.

I've installed this certificate on my iPad by emailing myself the .p12 file. I tapped on the attachment, input the password, and I can now access the site in Safari. Unfortunately, because of application sandboxing, this isn't enough to get my app to communicate with the REST service.

I'm using ASIHTTPRequest for all of the communication with the REST service from my app. Each request is a subclass of ASIHTTPRequest. The first thing I found I had to do was call [self setValidatesSecureCertificate:NO]; so that it would even attempt the SSL connection to the server. If that's all I do, I get 403 error codes back from the service.

Now I can't seem to figure out how to get the request to use the certificate. I've tried exporting the three items as separate .cer file, including them in the project and adding them to the request using the code below:

NSData *data = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"cert" ofType:@"cer"]];
SecCertificateRef cert = SecCertificateCreateWithData(NULL, (CFDataRef)data);
...
[self setClientCertificates:[NSArray arrayWithObjects:(id)cert, ..., nil]];

While the code executes without issue using this approach, I still get the 403 error.

I've even tried including the .p12 file in my application and importing it using the same code. This fails because SecCertificateCreateWithData returns nil.

I admit I don't really know what I'm doing here. This is all a little over my head and any help anyone could give me would be greatly appreciated.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

OK, I figured it out. I was sort of barking up the wrong tree.

The most important information I found was in Apple's documentation for Certificate, Key, and Trust Services Programming Guide, in particular, the "Tasks for iOS" page. That detailed how to extract the security identity from the .p12 file and how to add a trust exception.

The last piece of the puzzle was in ASIHTTPRequest's documentation on Client Certificate Support. By using the identity I extracted directly from the p12 file, I was able to pass that on to the request and get everything authenticated properly.

I hope this helps anyone else that has to implement a similar feature.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...