ios – 对于具有不匹配主题名称的自签名CA,使用kSecTrustResultRecoverableTrustFailure时,SecTrustEvaluate失败

iOS 2019-12-23
这是我使用自签名证书进行身份验证的非常标准的NSURLConnection回调: 
- (SecCertificateRef)certRefFromDerNamed:(Nsstring*)derFileName resultingDataRef:(CFDataRef*)dataRefPtr{
    Nsstring *thePath = [[NSBundle mainBundle] pathForResource:derFileName ofType:@"der"];
    NSData *certData = [[NSData alloc] initWithContentsOfFile:thePath];
    CFDataRef certDataRef = (__bridge_retained CFDataRef)certData;
    SecCertificateRef cert = SecCertificateCreateWithData(NULL,certDataRef);
    *dataRefPtr = certDataRef;
    return cert;
}

- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {

if (connection == self.connection) {

    BOOL trusted = NO;
     if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {

        SecPolicyRef policyRef = SecPolicyCreateBasicX509();

        SecCertificateRef cert1;
        CFDataRef certData1;

        cert1 = [self certRefFromDerNamed:@"some3rdpartycacert" resultingDataRef:&certData1];

        SecCertificateRef certArray[1] = { cert1 };
        CFArrayRef certArrayRef = CFArrayCreate(NULL,(void *)certArray,1,NULL);

        SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
        SecTrustSetAnchorCertificates(serverTrust,certArrayRef);
        SecTrustResultType trustResult;

        SecTrustEvaluate(serverTrust,&trustResult);

        trusted = (trustResult == kSecTrustResultUnspecified);

        CFRelease(certArrayRef);
        CFRelease(policyRef);
        CFRelease(cert1);
        CFRelease(certData1);
    }
    if (trusted) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
    } else {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
    }
}
}

而且trustResult总是kSecTrustResultRecoverableTrustFailure.

证书本身有点问题.根据服务器上的curl cert主题名称与我正在连接的url不匹配.我已经联系了第三方公司,他们告诉我,我需要在我的代码中接受这个url不匹配.问题是我不知道如何在iOS上这样做.我可以完全绕过证书检查(通过简单地假设trusted = YES并调用useCredential)或完全失败.从安全角度来看,第一种解决方案显然是错误的,并且容易发生MITM攻击.

这是CURL输出(我在这里使用了相同证书的PEM版本):

ukaszs-iMac:Preferences lukasz$ curl --verbose --cacert ~/Desktop/some3rdpartycacert.txt  https://dev-service.some3rdparty.com:50101/
* About to connect() to dev-service.some3rdparty.com port 50101 (#0)
*   Trying XXX.XXX.XXX.XXX...
* connected
* Connected to dev-service.some3rdparty.com (XXX.XXX.XXX.XXX) port 50101 (#0)
* successfully set certificate verify locations:
*   CAfile: /Users/lukasz/Desktop/some3rdpartycacert.txt
  CApath: none
* SSLv3,TLS handshake,Client hello (1):
* SSLv3,Server hello (2):
* SSLv3,CERT (11):
* SSLv3,Request CERT (13):
* SSLv3,Server finished (14):
* SSLv3,Client key exchange (16):
* SSLv3,TLS change cipher,Finished (20):
* SSLv3,Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
*    subject: C=CA; ST=Ontario; O=Some 3rdParty Corporation; CN=otherpage.some3rdparty.com; emailAddress=noc@some3rdparty.com
*    start date: 2013-10-30 16:52:14 GMT
*    expire date: 2013-10-30 16:52:14 GMT
* SSL: certificate subject name 'otherpage.some3rdparty.com' does not match target host name 'dev-service.some3rdparty.com'
* Closing connection #0
* SSLv3,TLS alert,Client hello (1):
curl: (51) SSL: certificate subject name 'otherpage.some3rdparty.com' does not match target host name 'dev-service.some3rdparty.com'

那么,如何忽略iOS上的这个特殊错误

解决方法

您需要使用实际主机名创建特殊策略,然后从中创建和评估serverTrust.大致: 
SecPolicyRef policyRef = SecPolicyCreateSSL(true,CFSTR("otherpage.some3rdparty.com"));

Osstatus    status;
SecTrustRef serverTrust;
status = SecTrustCreateWithCertificates(certificatesFromOriginalServerTrust,policyRef,& serverTrust);
// noErr == status?

status = SecTrustSetAnchorCertificates(serverTrust,certArrayRef);
// noErr == status?

SecTrustResultType trustResult;
status = SecTrustEvaluate(serverTrust,&trustResult);
// noErr == status?

if(kSecTrustResultProceed == trustResult || kSecTrustResultUnspecified == trustResult) {
    // all good
}

附:您没有使用您创建的政策.

我刚刚找到了一个更完整的解释here.

相关文章

iOS开发-UITabbarController的介绍与使用
UITabBarController 是 iOS 中用于管理和显示选项卡界面的一...
iOS开发-UITableView的重用机制
UITableView的重用机制避免了频繁创建和销毁单元格的开销,使...
iOS开发-属性的内存管理
Objective-C中,类的实例变量(instance variables)和属性(...
OC-从内存角度理解block可作为方法传入参数的原因
从内存管理的角度来看,block可以作为方法的传入参数是因为b...
iOS开发-WKWebView的介绍与基本使用
WKWebView 是 iOS 开发中用于显示网页内容的组件,它是在 iO...
iOS开发-多线程编程
OC中常用的多线程编程技术: 1. NSThread NSThread是Objecti...