ios - 将 .p12 证书存储在钥匙串(keychain)中以备后用

Question

我正在尝试按照苹果文档处理客户端 p12 证书:

https://developer.apple.com/library/ios/documentation/Security/Conceptual/CertKeyTrustProgGuide/iPhone_Tasks/iPhone_Tasks.html#//apple_ref/doc/uid/TP40001358-CH208-SW13

我已成功从文件系统加载 .p12 证书:

- (SecIdentityRef)getClientCertificate:(NSString *) certificatePath {
    SecIdentityRef identity = nil;
    NSData *PKCS12Data = [NSData dataWithContentsOfFile:certificatePath];

    CFDataRef inPKCS12Data = (__bridge CFDataRef)PKCS12Data;
    CFStringRef password = CFSTR("password");
    const void *keys[] = { kSecImportExportPassphrase };
    const void *values[] = { password };
    CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
    CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
    OSStatus securityError = SecPKCS12Import(inPKCS12Data, options, &items);
    CFRelease(options);
    CFRelease(password);
    if (securityError == errSecSuccess) {
        NSLog(@"Success opening p12 certificate. Items: %ld", CFArrayGetCount(items));
        CFDictionaryRef identityDict = CFArrayGetValueAtIndex(items, 0);
        identity = (SecIdentityRef) CFDictionaryGetValue(identityDict, kSecImportItemIdentity);
    } else {
        NSLog(@"Error opening Certificate.");
    }

    return identity;
}

然后我获得该身份的证书:

- (CFArrayRef)getCertificate:(SecIdentityRef) identity {
    SecCertificateRef certificate = nil;

    SecIdentityCopyCertificate(identity, &certificate);
    SecCertificateRef certs[1] = { certificate };



    CFArrayRef array = CFArrayCreate(NULL, (const void **) certs, 1, NULL);

    SecPolicyRef myPolicy = SecPolicyCreateBasicX509();
    SecTrustRef myTrust;

    OSStatus status = SecTrustCreateWithCertificates(array, myPolicy, &myTrust);
    if (status == noErr) {
        NSLog(@"No Err creating certificate");
    } else {
        NSLog(@"Possible Err Creating certificate");
    }
    return array;
}

但我真正想做的是将证书(或身份)存储在我的应用程序钥匙串(keychain)中，这样我就不会从文件系统中读取它。

几个问题:

1. 我应该存储哪些？证书还是身份？
2. 如何存储和检索它？

上面的链接讨论了“获取和使用持久性钥匙串(keychain)引用”，这让我很困惑。

它也谈到“在钥匙串(keychain)中查找证书”，但它提到使用证书的名称来查找它。我不确定“名称”的来源。

Answer 1

1. Which am I supposed to store? The certificate or the identity?

这取决于您在做什么，以及您是否需要设备上的私钥进行身份验证。 SecIdentityRef 包含证书和私钥。如果您使用 .p12 文件进行身份验证，那么您可能希望存储和使用完整身份。如果您只需要证书，那么我不会首先将完整的 .p12 文件加载到驱动器上，因为它包含私钥。

2. How do I store it and retrieve it?

我建议将您的身份(或证书)存储在钥匙串(keychain)中，并使用 kSecAttrLabel 作为查询的唯一引用。

您需要查看的文档是 Storing an Identity in the Keychain ，它会将您定向到 Storing a Certificate in the Keychain并概述了存储身份和证书之间所需的一些细微差别。

这是按如下方式完成的(改编自上面的链接):

保存到钥匙串(keychain)

// Create a query (with unique label for reference later)
NSDictionary* addquery = @{ (id)kSecValueRef:   (__bridge id)identity,
                            (id)kSecClass:      (id)kSecClassIdentity,
                            (id)kSecAttrLabel:  @"My Identity",
                           };

// Add the identity to the keychain
OSStatus status = SecItemAdd((__bridge CFDictionaryRef)addquery, NULL);
if (status != errSecSuccess) {
    // Handle the error
}

从钥匙串(keychain)加载

// Query the keychain for your identity
NSDictionary *getquery = @{ (id)kSecClass:     (id)kSecClassIdentity,
                            (id)kSecAttrLabel: @"My Identity",
                            (id)kSecReturnRef: @YES,
                            };

// Retrieve the identity from the keychain
SecIdentityRef identity = NULL;
OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)getquery,
                                      (CFTypeRef *)&identity);
if (status != errSecSuccess) { <# Handle error #> }
else                         { <# Use identity #> }

if (identity) { CFRelease(identity); } // After you are done with it

正如 RyanR 所提到的，您还可以在保存钥匙串(keychain)项后创建对钥匙串(keychain)项的持久引用，然后将其保存到文件中。我建议将 [kSecReturnPersistentRef][3] 添加到您的 addquery 以实现此目的。