macOS: SecTrustEvaluate() returns kSecTrustResultFatalTrustFailure on Mac 10.10, whereas earlier versions returned kSecTrustResultRecoverableTrustFailure. Why?
Tags: macos, ssl-certificate, keychain, truststore, osx-server
Until Mac 10.9 we called the function below:
OSStatus SecTrustEvaluate(SecTrustRef trust, SecTrustResultType *result);
We used to get kSecTrustResultRecoverableTrustFailure as the return value, whereas from Mac 10.10 onwards the response I get is kSecTrustResultFatalTrustFailure.
Why is this happening?
==================================================================================
Below is the code that evaluates the SSL certificate:
//=====================================================================================================================
// EvaluateSSLCert
// For a given readstream, evaluates the server ssl certificate
// returns YES - certificate valid
//         NO  - invalid certificate
//=====================================================================================================================
-(BOOL)EvaluateSSLCert
{
    BOOL bValidCert = NO; // fail closed: set to YES only after a successful evaluation
    SecTrustRef trust = NULL;
    SecPolicyRef policy = NULL;
    OSStatus retStat;
    CFArrayRef certArray = NULL;
    SecTrustResultType result;
    SecPolicySearchRef search = NULL;

    // Copy rule: certArray is owned by this method and is released below
    certArray = (CFArrayRef)CFReadStreamCopyProperty(m_StreamRead, kCFStreamPropertySSLPeerCertificates);

    // Look up the Apple SSL trust policy
    retStat = SecPolicySearchCreate(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_SSL, NULL, &search);
    if(retStat == 0)
    {
        retStat = SecPolicySearchCopyNext(search, &policy);
        CFRelease(search);
    }

    if(retStat == 0 && certArray != NULL)
        retStat = SecTrustCreateWithCertificates(certArray, policy, &trust);

    if(retStat == 0 && trust != NULL)
    {
        retStat = SecTrustSetAnchorCertificates(trust, NULL); //set to default settings
        retStat = SecTrustEvaluate(trust, &result);
        if(retStat == 0)
        {
            NSLogSecuredString(LOG_LEVEL_DEBUG,"<EvaluateSSLCert> SecTrustEvaluate succeeded");
            // Only Deny and FatalTrustFailure are rejected here; every other result,
            // including kSecTrustResultRecoverableTrustFailure, is accepted.
            if(result == kSecTrustResultDeny || result == kSecTrustResultFatalTrustFailure)
            {
                NSLogSecuredString(LOG_LEVEL_DEBUG,"<EvaluateSSLCert> Invalid Cert. SecTrustEvaluate result = %d", result);
            }
            else
            {
                //valid cert
                NSLogSecuredString(LOG_LEVEL_DEBUG,"<EvaluateSSLCert> SecTrustEvaluate result = %d", result);
                bValidCert = YES;
            }
        }
        else
            NSLogSecuredString(LOG_LEVEL_DEBUG,"<EvaluateSSLCert> SecTrustEvaluate failed");
    }

    // CFRelease(NULL) crashes, so release only what was actually created
    if(certArray != NULL) CFRelease(certArray);
    if(policy != NULL) CFRelease(policy);
    if(trust != NULL) CFRelease(trust);
    return bValidCert;
}
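kCFStreamPropertySSLPeerCertificates no longer works on 10.10. You can try using kCFStreamPropertySSLPeerTrust to retrieve the trust object and the certificate objects:
SecTrustRef trust = (SecTrustRef)CFReadStreamCopyProperty(m_StreamRead, kCFStreamPropertySSLPeerTrust);
Does anyone know? Please share the details…
SecTrustSetAnchorCertificates(trust, NULL); // This line refers to setting the default anchor certificates. We have a certificate saved in the Keychain application. Does this function pick up those details through the above function call?
Yes, I made this change, and now the SecTrustEvaluate function itself fails; it does not return 0: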
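
An added example, not code from the original question or answer: one way to evaluate the trust object that the answer suggests reading via kCFStreamPropertySSLPeerTrust, accepting only kSecTrustResultProceed and kSecTrustResultUnspecified so that both the recoverable and the fatal failure results discussed in the question are rejected. The helper name StreamPeerIsTrusted is hypothetical, and the stream is assumed to have completed its TLS handshake.

```objective-c
#import <Foundation/Foundation.h>
#import <CFNetwork/CFNetwork.h>
#import <Security/Security.h>

// Hypothetical helper (not from the original post): returns YES only when
// the peer trust object copied from the stream evaluates as trusted.
static BOOL StreamPeerIsTrusted(CFReadStreamRef stream)
{
    // Copy rule: the returned object is owned here and must be released.
    SecTrustRef trust = (SecTrustRef)CFReadStreamCopyProperty(
        stream, kCFStreamPropertySSLPeerTrust);
    if (trust == NULL) {
        NSLog(@"No peer trust object (handshake not done, or not an SSL stream)");
        return NO; // fail closed
    }

    BOOL trusted = NO;
    SecTrustResultType result = kSecTrustResultInvalid;

    // SecTrustEvaluate is the call the page discusses; SDKs from macOS 10.15
    // on deprecate it in favour of SecTrustEvaluateWithError.
    OSStatus status = SecTrustEvaluate(trust, &result);
    if (status != errSecSuccess) {
        // The evaluation itself could not run; this is not a trust verdict.
        NSLog(@"SecTrustEvaluate failed, OSStatus = %d", (int)status);
    } else {
        switch (result) {
            case kSecTrustResultProceed:      // user explicitly trusts the chain
            case kSecTrustResultUnspecified:  // chain is valid, no user override
                trusted = YES;
                break;
            case kSecTrustResultRecoverableTrustFailure: // e.g. expired or untrusted root
            case kSecTrustResultFatalTrustFailure:
            case kSecTrustResultDeny:
            default:
                NSLog(@"Peer certificate rejected, SecTrustResultType = %u",
                      (unsigned)result);
                break;
        }
    }

    CFRelease(trust);
    return trusted;
}
```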