On iOS, I know that we can evaluate a trust with SecTrustEvaluate(). To create a trust, we either import it from a *.p12 file or create it using an array of certificates and a set of policies.
在iOS上,我知道我们可以使用SecTrustEvaluate()来评估信任。要创建信任,我们可以从a *中导入它。p12文件或使用一系列证书和一组策略创建它。
I also know that in order to ensure that a server, that is not trusted by default, is trusted, we can use SecTrustSetAnchorCertificates() to augment the list of root CAs SecTrustEvaluate() uses to verify the server's certificate.
我还知道,为了确保不受缺省信任的服务器的信任,我们可以使用sectrustsetanchorcertificate()来增加根CAs SecTrustEvaluate()的列表,以验证服务器的证书。
Now, how can I ensure that these anchor certificates are available on a subsequent launch? I can store certificates, keys and identities in the application keychain, but not a certificate chain. Even if I store all the certificates in the chain, how will I know what certificates are to be used as anchor certificates?
现在,如何确保这些锚定证书在随后的发布中可用?我可以在应用程序密钥链中存储证书、密钥和标识,但不能存储证书链。即使我将所有证书存储在链中,我如何知道哪些证书将用作锚定证书?
One solution that comes to mind is to just get all the certificates from the keychain and set them as anchor certificates. Another method could be to all the certificate chains on the disk as *.p12 files and load them once on every application run.
我想到的一个解决方案是从keychain获取所有证书并将它们设置为锚定证书。另一种方法是将磁盘上的所有证书链设置为*。p12文件并在每次应用程序运行时加载一次。
1 个解决方案
#1
2
eskimo1 from Apple Devforums answered this so:
苹果开发论坛的eskimo1这样回答:
First up, you don't need to store the certificates in the keychain. You can store them elsewhere if you like (and create the SecCertificateRef using SecCertificateCreateWithData).
首先,您不需要将证书存储在密钥链中。如果您愿意,可以将它们存储在其他地方(并使用SecCertificateCreateWithData创建SecCertificateRef)。
Secondly, your question talks about .p12 files, but I'm not sure what this has to do with things. In general you only use a .p12 file to distribute confidential information, and certificates are not confidential.
第二,你的问题是关于。p12文件,但是我不确定这和什么有关。一般来说,您只使用.p12文件来分发机密信息,而且证书也不是机密的。
Finally, you can store a certificate chain by just storing the persistent reference to each certificate in that chain (or by storing the actual data of each certificate).
最后,您可以通过存储对该链中的每个证书的持久引用(或者存储每个证书的实际数据)来存储证书链。
#1
2
eskimo1 from Apple Devforums answered this so:
苹果开发论坛的eskimo1这样回答:
First up, you don't need to store the certificates in the keychain. You can store them elsewhere if you like (and create the SecCertificateRef using SecCertificateCreateWithData).
首先,您不需要将证书存储在密钥链中。如果您愿意,可以将它们存储在其他地方(并使用SecCertificateCreateWithData创建SecCertificateRef)。
Secondly, your question talks about .p12 files, but I'm not sure what this has to do with things. In general you only use a .p12 file to distribute confidential information, and certificates are not confidential.
第二,你的问题是关于。p12文件,但是我不确定这和什么有关。一般来说,您只使用.p12文件来分发机密信息,而且证书也不是机密的。
Finally, you can store a certificate chain by just storing the persistent reference to each certificate in that chain (or by storing the actual data of each certificate).
最后,您可以通过存储对该链中的每个证书的持久引用(或者存储每个证书的实际数据)来存储证书链。