ios - 使用 ARC 的安全框架内存泄漏

Question

我在为 ASIHTTPRequest 打开 p12 证书时遇到内存泄漏。这是我获取证书的代码:

- (SecIdentityRef)getClientCertificate {
    SecIdentityRef identityApp = nil;
    NSString *thePath = [[NSBundle mainBundle] pathForResource:@"myCert" ofType:@"p12"];
    NSData *PKCS12Data = [[NSData alloc] initWithContentsOfFile:thePath];
    CFDataRef inPKCS12Data = (__bridge CFDataRef)PKCS12Data;
    CFStringRef password = CFSTR("myPassword");
    const void *keys[] = { kSecImportExportPassphrase };
    const void *values[] = { password };
    CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
    CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
    OSStatus securityError = SecPKCS12Import(inPKCS12Data, options, &items);
    CFRelease(options);
    CFRelease(password);
    if (securityError == errSecSuccess) {
        NSLog(@"Success opening p12 certificate. Items: %ld", CFArrayGetCount(items));
        CFDictionaryRef identityDict = CFArrayGetValueAtIndex(items, 0);
        identityApp = (SecIdentityRef)CFDictionaryGetValue(identityDict, kSecImportItemIdentity);        
    } else {
        NSLog(@"Error opening Certificate.");
    }
    return identityApp;
}

如您所见，它会产生内存泄漏:

或者，这个其他函数(基本相同)会产生其他类型的内存泄漏:

- (SecIdentityRef)getClientCertificate2 {
    SecIdentityRef identityApp = nil;
    NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
    NSString *documentsDirectory = [paths objectAtIndex:0];
    NSString *thePath = [documentsDirectory stringByAppendingPathComponent:@"myothercert.p12"];

    NSData *PKCS12Data = [[NSData alloc] initWithContentsOfFile:thePath];
    NSLog(@"PKCS12Data length is %i", [PKCS12Data length]);
    CFDataRef inPKCS12Data = (__bridge CFDataRef)PKCS12Data;

    CFStringRef password = CFSTR("randomgenerated");
    const void *keys[] = { kSecImportExportPassphrase };
    const void *values[] = { password };
    CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
    CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
    OSStatus securityError = SecPKCS12Import(inPKCS12Data, options, &items);
     CFRelease(options);
    //CFRelease(password);
    if (securityError == errSecSuccess) {
        NSLog(@"Success opening p12 certificate. Items: %ld", CFArrayGetCount(items));
        CFDictionaryRef identityDict = CFArrayGetValueAtIndex(items, 0);
        identityApp = (SecIdentityRef)CFDictionaryGetValue(identityDict, kSecImportItemIdentity);
    } else {
        NSLog(@"Error opening Certificate.");
    }
    return identityApp;
}

产生这些内存泄漏:

是什么导致了这些内存泄漏？该代码可以很好地打开 p12 文件，但我需要修复内存泄漏。任何帮助表示赞赏。

谢谢!

EDIT

根据建议的更改，我仍然收到内存泄漏:

- (SecIdentityRef)copyClientCertificate2 {
SecIdentityRef identityApp = nil;
NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
NSString *documentsDirectory = [paths objectAtIndex:0];
NSString *thePath = [documentsDirectory stringByAppendingPathComponent:@"cert.p12"];

NSData *PKCS12Data = [[NSData alloc] initWithContentsOfFile:thePath];
NSLog(@"PKCS12Data length is %i", [PKCS12Data length]);


CFStringRef password = CFSTR("randomgenerated");
const void *keys[] = { kSecImportExportPassphrase };
const void *values[] = { password };
CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
CFArrayRef items = NULL;
OSStatus securityError = SecPKCS12Import((__bridge CFDataRef)PKCS12Data, options, &items);
 CFRelease(options);
//CFRelease(password);
if (securityError == errSecSuccess) {
    NSLog(@"Success opening p12 certificate. Items: %ld", CFArrayGetCount(items));
    CFDictionaryRef identityDict = CFArrayGetValueAtIndex(items, 0);
    identityApp = (SecIdentityRef)CFDictionaryGetValue(identityDict, kSecImportItemIdentity);
} else {
    NSLog(@"Error opening Certificate.");
}
CFRetain(identityApp);
return identityApp;

Answer 1

您正在泄漏项目。您创建它但从不释放它。你不应该首先创建它。 SecPKCS12Import 通过引用返回 items。您不会将其传递给现有的；它超过了你一个。这应该是:

CFArrayRef items = NULL;

您还需要在 identityApp 上调用 CFRetain() 来保留它(因为它目前仅由数组保留。因此，您的方法需要称为 copyClientCertificate2 并且您需要在完成后CFRelease() 它的结果。

旁注:永远不要在方法前加上“get”，除非它通过引用返回结果。这就是“获取”在 ObjC 中的意思。例如:

- (BOOL)getName:(NSString **)name;

这里还有一段非常危险的代码:

NSData *PKCS12Data = [[NSData alloc] initWithContentsOfFile:thePath]; // (1)
CFDataRef inPKCS12Data = (__bridge CFDataRef)PKCS12Data;              // (2)
...
OSStatus securityError = SecPKCS12Import(inPKCS12Data, options, &items); // (3)

ARC 可以在第 (2) 行之后立即免费发布 PKCS12Data。如果您在 Release模式下构建它，我希望它会崩溃。此处正确的解决方案是摆脱 inPKCS12Data，并执行第 (3) 行的 __bridge 转换。

---

编辑:

如果您从事此类工作，了解如何管理 Core Foundation 对象非常重要。首先，研究下面链接的创建规则。然后，调用方法 copy... 的目的是指示调用者负责对返回的对象调用 CFRelease。它看起来像这样:

SecIdentityRef identity = [self copyClientCertificate2];
... Do what you need to do with identity ....
CFRelease(identity);

由于您从不在 copyClientCertificate2 中使用 self，因此将它变成一个函数对您来说可能更有意义，这样它看起来就像其他 Core Foundation 函数:

SecIdentityRef identity = MYSecIdentityCopyClientCertificate();
... Do what you need to do with identity ....
CFRelease(identity);

注意函数名称中的单词Copy。