iOS: Verifying a File with a Certificate and Signature - Public Key Is Wrong, Verification Fails

Updated: 2024-10-28 13:26:36

Problem description


I have three things: a file, a signature file, and an X509 certificate file .cer. The file has to be verified using the public key in the certificate and the signature file. I want to do it using Security.h/CommonCrypto.

What I tried so far:

    // load all the files
    NSData* fileData = [NSData dataWithContentsOfFile:(...)];
    NSData* signatureData = [NSData dataWithContentsOfFile:(...)];
    NSData* certificateData = [NSData dataWithContentsOfFile:(...)];

    SecCertificateRef certificate = SecCertificateCreateWithData(NULL, CFBridgingRetain(certificateData)); // load the certificate

The certificate loads just fine. Its name can be checked using

    CFStringRef certificateDescription = SecCertificateCopySubjectSummary(certificate);

which works. As there seems to be no method on iOS to copy the public key directly, I first create a trust.

    SecTrustRef trust;
    OSStatus statusTrust = SecTrustCreateWithCertificates(certificate, secPolicy, &trust);
    SecTrustResultType resultType;
    OSStatus statusTrustEval = SecTrustEvaluate(trust, &resultType);

This all works fine with an errSecSuccess result.

Now I try to get the public key.

    SecKeyRef publicKey;
    publicKey = SecTrustCopyPublicKey(trust);
    size_t keysize = SecKeyGetBlockSize(publicKey);

But the content of publicKey

    NSData* keyData = [NSData dataWithBytes:publicKey length:keysize];

is not the same as the public key I see when opening the .cer file. So this is problem number one.

Then I try to verify the signature, even though I know the public key is wrong. The padding is correct.

    OSStatus verficationResult = SecKeyRawVerify(publicKey, kSecPaddingPKCS1,
                                                 [fileData bytes], [fileData length],
                                                 [signatureData bytes], [signatureData length]);

This fails with an OSStatus of -9809 (The operation couldn’t be completed). I expect it to be -25293 errSecAuthFailed.

Am I doing something fundamentally wrong?

Solution

I solved the problem with the help of a hint from Apple Dev Forums.

The problem had nothing to do with the keychain. But I passed the wrong parameters to the verification function. It needs a digest (hash) of the data, not the data directly.

    #import <Security/Security.h>
    #import <CommonCrypto/CommonDigest.h>

    // load the file, the detached signature and the certificate
    NSData* fileData = [NSData dataWithContentsOfFile:(...)];
    NSData* signatureData = [NSData dataWithContentsOfFile:(...)];
    NSData* certificateData = [NSData dataWithContentsOfFile:(...)];

    SecCertificateRef certificateFromFile = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certificateData); // load the certificate

    // build a trust object so the public key can be copied out of the certificate
    SecPolicyRef secPolicy = SecPolicyCreateBasicX509();
    SecTrustRef trust;
    OSStatus statusTrust = SecTrustCreateWithCertificates(certificateFromFile, secPolicy, &trust);
    SecTrustResultType resultType;
    OSStatus statusTrustEval = SecTrustEvaluate(trust, &resultType);
    SecKeyRef publicKey = SecTrustCopyPublicKey(trust);

    // hash the file: SecKeyRawVerify expects the digest, not the raw data
    uint8_t sha1HashDigest[CC_SHA1_DIGEST_LENGTH];
    CC_SHA1([fileData bytes], (CC_LONG)[fileData length], sha1HashDigest);

    // verify the signature over the SHA-1 digest
    OSStatus verficationResult = SecKeyRawVerify(publicKey, kSecPaddingPKCS1SHA1,
                                                 sha1HashDigest, CC_SHA1_DIGEST_LENGTH,
                                                 [signatureData bytes], [signatureData length]);

    CFRelease(publicKey);
    CFRelease(trust);
    CFRelease(secPolicy);
    CFRelease(certificateFromFile);

    if (verficationResult == errSecSuccess) NSLog(@"Verified");
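The digest-versus-data distinction from the answer above, shown with the newer SecKeyVerifySignature API (iOS 10+) and SecCertificateCopyKey (iOS 12+), where the choice is made explicit in the algorithm constant. This is an added example, not part of the original answer; VerifyFileSignature and its parameters are hypothetical names, and it assumes a DER certificate with an RSA key and a PKCS#1 v1.5 SHA-1 signature as in the answer.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Added example: VerifyFileSignature is a hypothetical helper. Assumes a DER
// certificate holding an RSA key and a PKCS#1 v1.5 / SHA-1 signature.
static BOOL VerifyFileSignature(NSData *fileData, NSData *signatureData,
                                NSData *certificateData, BOOL preHashed) {
    if (!fileData || !signatureData || !certificateData) return NO;
    SecCertificateRef cert =
        SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certificateData);
    if (cert == NULL) return NO;  // data was not a DER-encoded certificate

    // iOS 12+: read the key directly; no SecTrust object is needed for extraction.
    SecKeyRef publicKey = SecCertificateCopyKey(cert);
    CFRelease(cert);
    if (publicKey == NULL) return NO;

    SecKeyAlgorithm algorithm;
    NSData *input;
    if (preHashed) {
        // "Digest" algorithm: the caller hashes first and passes the 20-byte
        // digest, matching SecKeyRawVerify with kSecPaddingPKCS1SHA1.
        uint8_t digest[CC_SHA1_DIGEST_LENGTH];
        CC_SHA1(fileData.bytes, (CC_LONG)fileData.length, digest);
        input = [NSData dataWithBytes:digest length:sizeof(digest)];
        algorithm = kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1;
    } else {
        // "Message" algorithm: the framework hashes the raw file data itself.
        input = fileData;
        algorithm = kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1;
    }

    BOOL ok = NO;
    if (SecKeyIsAlgorithmSupported(publicKey, kSecKeyOperationTypeVerify, algorithm)) {
        CFErrorRef error = NULL;
        ok = SecKeyVerifySignature(publicKey, algorithm, (__bridge CFDataRef)input,
                                   (__bridge CFDataRef)signatureData, &error);
        if (error != NULL) {  // set when verification fails
            NSLog(@"Signature check failed: %@", (__bridge NSError *)error);
            CFRelease(error);
        }
    }
    CFRelease(publicKey);
    return ok;
}
```

Both values of preHashed accept the same valid signature. A YES result only shows that the signature matches the key inside the supplied .cer; the caller still has to establish that this certificate is the expected one.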

Published: 2023-11-26 15:42:51
Article link: https://www.elefans.com/category/jswz/34/1634299.html