在下面的 iOS UIViewController 代码中,我连接到使用自签名证书的服务器。我可以通过两种方式验证此自签名证书:使用信任 API 手动验证,或通过将自签名证书添加到我的应用程序的钥匙串(keychain)中来自动验证。

不幸的是,在我创建一个 CFReadStream 并将 kCFStreamSSLValidatesCertificateChain 设置为 kBooleanFalse 之后,我之后创建的每个 CFReadStream 都不会验证其证书链。我是否未能在某处清理代码?如果是这样,我很乐意将这个问题重新表述为有关 API 清理的特定内容。

#import <UIKit/UIKit.h>
#import <Security/Security.h>

@interface SecureViewController : UIViewController<NSStreamDelegate> {

}

- (id) initWithCertificate: (SecCertificateRef) certificate;

@end

#import "SecureViewController.h"

@interface SecureViewController()

@property (nonatomic) SecCertificateRef certificate;

@property (nonatomic, retain) NSInputStream *inputStream;
@property (nonatomic, retain) NSOutputStream *outputStream;

@property (nonatomic) BOOL verifyOnHasSpaceAvailable;

- (void) verifyManually;
- (void) verifyWithKeychain;

@end

@implementation SecureViewController

@synthesize certificate = _certificate;

@synthesize inputStream = _inputStream;
@synthesize outputStream = _outputStream;

@synthesize verifyOnHasSpaceAvailable = _verifyOnHasSpaceAvailable;

#pragma mark -
#pragma mark init/dealloc methods

- (id) initWithCertificate: (SecCertificateRef) certificate {
    if (self = [super initWithNibName:nil bundle:nil]) {
        self.certificate = certificate;
    }
    return self;
}

- (void)dealloc {
    self.certificate = NULL;

self.inputStream = nil;
self.outputStream = nil;

    [super dealloc];
}

#pragma mark -
#pragma mark UIViewController

- (void)loadView {
[super loadView];

UIButton *manualVerificationButton = [UIButton buttonWithType:UIButtonTypeRoundedRect];
[manualVerificationButton addTarget:self
                  action:@selector(verifyManually)
        forControlEvents:UIControlEventTouchUpInside];
manualVerificationButton.frame = CGRectMake(0,
                                            0,
                                            self.view.bounds.size.width,
                                            self.view.bounds.size.height / 2);
[manualVerificationButton setTitle:@"Manual Verification"
               forState:UIControlStateNormal];

[self.view addSubview:manualVerificationButton];

UIButton *keychainVerificationButton = [UIButton buttonWithType:UIButtonTypeRoundedRect];
[keychainVerificationButton addTarget:self
                               action:@selector(verifyWithKeychain)
                     forControlEvents:UIControlEventTouchUpInside];
keychainVerificationButton.frame = CGRectMake(0,
                                              self.view.bounds.size.height / 2,
                                              self.view.bounds.size.width,
                                              self.view.bounds.size.height / 2);
[keychainVerificationButton setTitle:
                                    @"Keychain Verification\n"
                                    @"(Doesn't work after Manual Verification)\n"
                                    @"((Don't know why yet.))"
                            forState:UIControlStateNormal];
keychainVerificationButton.titleLabel.lineBreakMode = UILineBreakModeWordWrap;
keychainVerificationButton.titleLabel.numberOfLines = 0;

[self.view addSubview:keychainVerificationButton];
}

#pragma mark -
#pragma mark private api

- (void) verifyWithKeychain {
self.inputStream = nil;
self.outputStream = nil;

self.verifyOnHasSpaceAvailable = NO;

OSStatus err = SecItemAdd((CFDictionaryRef) [NSDictionary dictionaryWithObjectsAndKeys:
                                             (id) kSecClassCertificate, kSecClass,
                                             self.certificate, kSecValueRef,
                                             nil],
                          NULL);
assert(err == noErr || err == errSecDuplicateItem);

CFReadStreamRef readStream;
CFWriteStreamRef writeStream;
CFStreamCreatePairWithSocketToHost(NULL,
                                   (CFStringRef)@"localhost",
                                   8443,
                                   &readStream,
                                   &writeStream);

CFReadStreamSetProperty(readStream,
                        kCFStreamPropertySocketSecurityLevel,
                        kCFStreamSocketSecurityLevelTLSv1);

self.inputStream = (NSInputStream *)readStream;
self.outputStream = (NSOutputStream *)writeStream;

CFReadStreamOpen(readStream);
CFWriteStreamOpen(writeStream);
}

- (void) verifyManually {
self.inputStream = nil;
self.outputStream = nil;

// we don't want the keychain to accidentally accept our self-signed cert.
SecItemDelete((CFDictionaryRef) [NSDictionary dictionaryWithObjectsAndKeys:
                                 (id) kSecClassCertificate, kSecClass,
                                 self.certificate, kSecValueRef,
                                 nil]);

self.verifyOnHasSpaceAvailable = YES;

CFReadStreamRef readStream;
CFWriteStreamRef writeStream;
CFStreamCreatePairWithSocketToHost(NULL,
                                   (CFStringRef)@"localhost",
                                   8443,
                                   &readStream,
                                   &writeStream);

NSDictionary *sslSettings = [NSDictionary dictionaryWithObjectsAndKeys:
                             (id)kCFBooleanFalse, (id)kCFStreamSSLValidatesCertificateChain,
                             nil];

CFReadStreamSetProperty(readStream,
                        kCFStreamPropertySSLSettings,
                        sslSettings);

//  Don't set this property.  The only settings that work are:
//  kCFStreamSocketSecurityLevelNone or leaving it unset.
//  Leaving it appears to be equivalent to setting it to:
//  kCFStreamSocketSecurityLevelTLSv1 or kCFStreamSocketSecurityLevelSSLv3
//
//  CFReadStreamSetProperty(readStream,
//                          kCFStreamPropertySocketSecurityLevel,
//                          kCFStreamSocketSecurityLevelTLSv1);

self.inputStream = (NSInputStream *)readStream;
self.outputStream = (NSOutputStream *)writeStream;

CFReadStreamOpen(readStream);
CFWriteStreamOpen(writeStream);
}

#pragma mark -
#pragma mark private properties

- (void) setCertificate:(SecCertificateRef) certificate {
if (_certificate != certificate) {
    if (_certificate) {
        CFRelease(_certificate);
    }
    _certificate = certificate;
    if (_certificate) {
        CFRetain(_certificate);
    }
}
}

- (void) setInputStream:(NSInputStream *) inputStream {
if (_inputStream != inputStream) {
    [_inputStream setDelegate:nil];
    [_inputStream removeFromRunLoop:[NSRunLoop currentRunLoop]
                            forMode:NSDefaultRunLoopMode];
    [_inputStream close];
    [_inputStream release];
    _inputStream = inputStream;
    [_inputStream retain];
    [_inputStream setDelegate:self];
    [_inputStream scheduleInRunLoop:[NSRunLoop currentRunLoop]
                            forMode:NSDefaultRunLoopMode];
}
}

- (void) setOutputStream:(NSOutputStream *) outputStream {
if (_outputStream != outputStream) {
    [_outputStream setDelegate:nil];
    [_outputStream removeFromRunLoop:[NSRunLoop currentRunLoop]
                             forMode:NSDefaultRunLoopMode];
    [_outputStream close];
    [_outputStream release];
    _outputStream = outputStream;
    [_outputStream retain];
    [_outputStream setDelegate:self];
    [_outputStream scheduleInRunLoop:[NSRunLoop currentRunLoop]
                             forMode:NSDefaultRunLoopMode];
}
}

#pragma mark -
#pragma mark NSStreamDelegate

- (void)stream:(NSStream *)aStream
   handleEvent:(NSStreamEvent)eventCode {
    switch (eventCode) {
        case NSStreamEventNone:
        break;
    case NSStreamEventOpenCompleted:
        break;
    case NSStreamEventHasBytesAvailable:
        break;
    case NSStreamEventHasSpaceAvailable:
        NSLog(@"Socket Security Level: %@", [aStream propertyForKey:(NSString *) kCFStreamPropertySocketSecurityLevel]);
        NSLog(@"SSL settings: %@", [aStream propertyForKey:(NSString *) kCFStreamPropertySSLSettings]);
        if (self.verifyOnHasSpaceAvailable) {
            SecPolicyRef policy = SecPolicyCreateSSL(NO, CFSTR("localhost"));
            SecTrustRef trust = NULL;

            SecTrustCreateWithCertificates([aStream propertyForKey:(NSString *) kCFStreamPropertySSLPeerCertificates],
                                           policy,
                                           &trust);
            SecTrustSetAnchorCertificates(trust,
                                          (CFArrayRef) [NSArray arrayWithObject:(id) self.certificate]);
            SecTrustResultType trustResultType = kSecTrustResultInvalid;
            OSStatus status = SecTrustEvaluate(trust, &trustResultType);

            if (status == errSecSuccess) {
                // expect trustResultType == kSecTrustResultUnspecified until my cert exists in the keychain
                // see technote for more detail: http://developer.apple.com/library/mac/#qa/qa2007/qa1360.html
                if (trustResultType == kSecTrustResultUnspecified) {
                    NSLog(@"We can trust this certificate! TrustResultType: %d", trustResultType);
                } else {
                    NSLog(@"Cannot trust certificate. TrustResultType: %d", trustResultType);
                }
            } else {
                NSLog(@"Creating trust failed: %d", status);
                [aStream close];
            }
            if (trust) {
                CFRelease(trust);
            }
            if (policy) {
                CFRelease(policy);
            }
        } else {
            NSLog(@"We can trust this server!");
        }
        break;
    case NSStreamEventErrorOccurred:
        if ([[aStream streamError] code] == -9807) { // header file with error code symbol isn't present in ios.
            NSLog(@"We cannot trust this certificate.");
        } else {
            NSLog(@"unexpected NSStreamEventErrorOccurred: %@", [aStream streamError]);
        }
        break;
    case NSStreamEventEndEncountered:
        break;
    default:
        break;
}
}

@end

最佳答案

CFReadStream setter 调用的顺序显然很重要。以下 verifyManually 方法有效:

- (void) verifyManually {
self.inputStream = nil;
self.outputStream = nil;

// we don't want the keychain to accidentally accept our self-signed cert.
SecItemDelete((CFDictionaryRef) [NSDictionary dictionaryWithObjectsAndKeys:
                                 (id) kSecClassCertificate, kSecClass,
                                 self.certificate, kSecValueRef,
                                 nil]);

self.verifyOnHasSpaceAvailable = YES;

CFReadStreamRef readStream;
CFWriteStreamRef writeStream;
CFStreamCreatePairWithSocketToHost(NULL,
                                   (CFStringRef)@"localhost",
                                   8443,
                                   &readStream,
                                   &writeStream);

// Set this kCFStreamPropertySocketSecurityLevel before
// setting kCFStreamPropertySSLSettings.
// Setting kCFStreamPropertySocketSecurityLevel
// appears to override previous settings in kCFStreamPropertySSLSettings
CFReadStreamSetProperty(readStream,
                        kCFStreamPropertySocketSecurityLevel,
                        kCFStreamSocketSecurityLevelTLSv1);


NSDictionary *sslSettings = [NSDictionary dictionaryWithObjectsAndKeys:
                             (id)kCFBooleanFalse, (id)kCFStreamSSLValidatesCertificateChain,
                             nil];

CFReadStreamSetProperty(readStream,
                        kCFStreamPropertySSLSettings,
                        sslSettings);

self.inputStream = (NSInputStream *)readStream;
self.outputStream = (NSOutputStream *)writeStream;

CFReadStreamOpen(readStream);
CFWriteStreamOpen(writeStream);
}

10-06 14:22