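SecTrustEvaluate returns kSecTrustResultRecoverableTrustFailure on iOS 5
After reports that it was not working with the beta, I need to update my app for iOS 5. The problem was traced back to the fact that our custom SSL certificate validation no longer works.
In the didReceiveAuthenticationChallenge section, we obtain our root certificates and call SecTrustEvaluate. This works on iOS 4.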
    protectionSpace = [challenge protectionSpace];
    trust = [protectionSpace serverTrust];

    err = SecTrustEvaluate(trust, &trustResult);
    trusted = (err == noErr) && ((trustResult == kSecTrustResultProceed) || (trustResult == kSecTrustResultUnspecified));

    if (!trusted) {
        err = SecTrustSetAnchorCertificates(trust, (CFArrayRef)[EagleAccessAppDelegate getDelegate].rootCertificates);
        if (err == noErr) {
            err = SecTrustEvaluate(trust, &trustResult);
        }
        trusted = (err == noErr) && ((trustResult == kSecTrustResultProceed) || (trustResult == kSecTrustResultUnspecified));
    }

    if (trusted) {
        NSURLCredential *cred = [NSURLCredential credentialForTrust:trust];
        [[challenge sender] useCredential:cred forAuthenticationChallenge:challenge];
    } else {
        [[challenge sender] cancelAuthenticationChallenge:challenge];
    }
The certificates are stored in DER format as resources shipped with the app.
    // Load Certificates.
    NSString *devFilePath = [[NSBundle mainBundle] pathForResource:@"ipms-dev-ca.der" ofType:@"crt"];
    NSData *devRootCertificate = [[[NSData alloc] initWithContentsOfFile:devFilePath] autorelease];
    SecCertificateRef devRoot = SecCertificateCreateWithData(NULL, (CFDataRef) devRootCertificate);

    NSString *prodFilePath = [[NSBundle mainBundle] pathForResource:@"ipms-prod-ca.der" ofType:@"crt"];
    NSData *prodRootCertificate = [[[NSData alloc] initWithContentsOfFile:prodFilePath] autorelease];
    SecCertificateRef prodRoot = SecCertificateCreateWithData(NULL, (CFDataRef) prodRootCertificate);

    self.rootCertificates = [[NSArray alloc] initWithObjects:(id)devRoot, (id)prodRoot, nil];
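We basically have our own CA certificate, which we use to issue certificates for the servers our application connects to.
I can recreate this with the AdvancedURLConnections sample app.
The problem was that the certificate was MD5-signed. iOS 5 no longer supports these signatures.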