我已经在密钥链中创建了一个自签名证书,我正在使用MultipeerConnectivity框架在设备之间传输数据。
当我们创建会话时,我们可以在MCSession中邀请对等方时传递securityIdentity。
- (instancetype)initWithPeer:(MCPeerID *)myPeerID securityIdentity:(NSArray *)identity encryptionPreference:(MCEncryptionPreference)encryptionPreference;
但是securityIdentity是NSArray,我们如何在NSArray中传递证书,以及如何在中对其进行身份验证
- (void)session:(MCSession *)session didReceiveCertificate:(NSArray *)certificate fromPeer:(MCPeerID *)peerID certificateHandler:(void(^)(BOOL accept))certificateHandler;
它是一个数组,包含可用于将本地对等体标识为其他附近对等体的信息。
该数组包含有助于将对等体识别为其他对等体的对象。第一个是SecIdentityRef对象,该对象具有SecKeyRef对象和相关的SecCertificateRef对象。(它有点像苹果开发者证书和私钥对)
数组中的其他元素可以是SecCertificateRef对象,表示验证SecIdentityRef可能需要的中间证书。
接收对等方必须验证SecIdentityRef表示的身份。
以下是从p12文件获取SecIdentityRef的代码
- (SecIdentityRef)getClientCertificate
{
SecIdentityRef identity = nil;
NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
NSString *documentsDirectoryPath = [paths objectAtIndex:0];
NSString *myFilePath = [documentsDirectoryPath stringByAppendingPathComponent:@"cert_key_pair.p12"];
NSData *PKCS12Data = [NSData dataWithContentsOfFile:myFilePath];
CFDataRef inPKCS12Data = (__bridge CFDataRef)PKCS12Data;
CFStringRef password = CFSTR("password");
const void *keys[] = { kSecImportExportPassphrase };//kSecImportExportPassphrase };
const void *values[] = { password };
CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
OSStatus securityError = SecPKCS12Import(inPKCS12Data, options, &items);
CFRelease(options);
CFRelease(password);
if (securityError == errSecSuccess) {
NSLog(@"Success opening p12 certificate. Items: %ld", CFArrayGetCount(items));
CFDictionaryRef identityDict = CFArrayGetValueAtIndex(items, 0);
identity = (SecIdentityRef)CFDictionaryGetValue(identityDict, kSecImportItemIdentity);
} else {
NSLog(@"Error opening Certificate.");
}
return identity;
}
获取策略参考对象并评估信任
- (void)session:(MCSession *)session didReceiveCertificate:(NSArray *)certificate fromPeer: (MCPeerID *)peerID certificateHandler:(void (^)(BOOL accept))certificateHandler
{
SecCertificateRef myCert;
myCert = [certificate objectAtIndex:0]; // 1
SecPolicyRef myPolicy = SecPolicyCreateBasicX509(); // 2
SecCertificateRef certArray[1] = { myCert };
CFArrayRef myCerts = CFArrayCreate(
NULL, (void *)certArray,
1, NULL);
SecTrustRef myTrust;
OSStatus status = SecTrustCreateWithCertificates(
myCerts,
myPolicy,
&myTrust); // 3
SecTrustResultType trustResult;
if (status == noErr) {
status = SecTrustEvaluate(myTrust, &trustResult); // 4
}
//...
if (trustResult == kSecTrustResultConfirm || trustResult == kSecTrustResultProceed || trustResult == kSecTrustResultUnspecified) // 5
{
certificateHandler(YES);
}
// ...
if (myPolicy)
CFRelease(myPolicy);
}