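I recently looked through the Chromium browser source, hoping to find the iOS interfaces for reading and verifying certificates. I did not find them in the end, but I did come across some certificate-related interfaces. I don't know whether I will need them later, so I am taking notes here.
If you are reading this and know something about reading and verifying certificates on iOS, please share!
Path to the shared certificate code in Chromium: ../src/net/cert/
In this directory, the header cert_status_flags_list.h defines the certificate status flags: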
// This is the list of CertStatus flags and their values.
//
// Defines the values using a macro CERT_STATUS_FLAG,
// so it can be expanded differently in some places
// The possible status bits for CertStatus.
// Bits 0 to 15 are for errors.
CERT_STATUS_FLAG(COMMON_NAME_INVALID, 1 << 0)
CERT_STATUS_FLAG(DATE_INVALID, 1 << 1)
CERT_STATUS_FLAG(AUTHORITY_INVALID, 1 << 2)
// 1 << 3 is reserved for ERR_CERT_CONTAINS_ERRORS (not useful with WinHTTP).
CERT_STATUS_FLAG(NO_REVOCATION_MECHANISM, 1 << 4)
CERT_STATUS_FLAG(UNABLE_TO_CHECK_REVOCATION, 1 << 5)
CERT_STATUS_FLAG(REVOKED, 1 << 6)
CERT_STATUS_FLAG(INVALID, 1 << 7)
CERT_STATUS_FLAG(WEAK_SIGNATURE_ALGORITHM, 1 << 8)
// 1 << 9 was used for CERT_STATUS_NOT_IN_DNS
CERT_STATUS_FLAG(NON_UNIQUE_NAME, 1 << 10)
CERT_STATUS_FLAG(WEAK_KEY, 1 << 11)
// 1 << 12 was used for CERT_STATUS_WEAK_DH_KEY
CERT_STATUS_FLAG(PINNED_KEY_MISSING, 1 << 13)
CERT_STATUS_FLAG(NAME_CONSTRAINT_VIOLATION, 1 << 14)
CERT_STATUS_FLAG(VALIDITY_TOO_LONG, 1 << 15)
// Bits 16 to 23 are for non-error statuses.
CERT_STATUS_FLAG(IS_EV, 1 << 16)
CERT_STATUS_FLAG(REV_CHECKING_ENABLED, 1 << 17)
// Bit 18 was CERT_STATUS_IS_DNSSEC
CERT_STATUS_FLAG(SHA1_SIGNATURE_PRESENT, 1 << 19)
CERT_STATUS_FLAG(CT_COMPLIANCE_FAILED, 1 << 20)
// Bits 24 - 31 are for errors.
CERT_STATUS_FLAG(CERTIFICATE_TRANSPARENCY_REQUIRED, 1 << 24)
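The header comment above says the list is written with a macro so it can be expanded differently in different places. The following is an added example (not Chromium's code and not from the original notes) that expands the same list twice, once into constants and once into a name table, and uses the bit ranges from the header's comments to separate errors from informational bits. `CERT_STATUS_LIST`, `CertStatusBit`, `FlagName`, `kFlagNames`, `kErrorBits`, `HasCertError` and `DecodeCertStatus` are hypothetical names; Chromium re-includes the header file instead of wrapping the list in a macro.

```cpp
// Added example: the page's flag list wrapped in one macro so the file is
// self-contained. Helper names are hypothetical, not Chromium's.
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

#define CERT_STATUS_LIST \
  CERT_STATUS_FLAG(COMMON_NAME_INVALID, 1 << 0) CERT_STATUS_FLAG(DATE_INVALID, 1 << 1) \
  CERT_STATUS_FLAG(AUTHORITY_INVALID, 1 << 2) CERT_STATUS_FLAG(NO_REVOCATION_MECHANISM, 1 << 4) \
  CERT_STATUS_FLAG(UNABLE_TO_CHECK_REVOCATION, 1 << 5) CERT_STATUS_FLAG(REVOKED, 1 << 6) \
  CERT_STATUS_FLAG(INVALID, 1 << 7) CERT_STATUS_FLAG(WEAK_SIGNATURE_ALGORITHM, 1 << 8) \
  CERT_STATUS_FLAG(NON_UNIQUE_NAME, 1 << 10) CERT_STATUS_FLAG(WEAK_KEY, 1 << 11) \
  CERT_STATUS_FLAG(PINNED_KEY_MISSING, 1 << 13) CERT_STATUS_FLAG(NAME_CONSTRAINT_VIOLATION, 1 << 14) \
  CERT_STATUS_FLAG(VALIDITY_TOO_LONG, 1 << 15) CERT_STATUS_FLAG(IS_EV, 1 << 16) \
  CERT_STATUS_FLAG(REV_CHECKING_ENABLED, 1 << 17) CERT_STATUS_FLAG(SHA1_SIGNATURE_PRESENT, 1 << 19) \
  CERT_STATUS_FLAG(CT_COMPLIANCE_FAILED, 1 << 20) \
  CERT_STATUS_FLAG(CERTIFICATE_TRANSPARENCY_REQUIRED, 1 << 24)

// Expansion 1: one named constant per flag.
#define CERT_STATUS_FLAG(label, value) CERT_STATUS_##label = value,
enum CertStatusBit : uint32_t { CERT_STATUS_LIST };
#undef CERT_STATUS_FLAG

// Expansion 2: a (bit, name) table for decoding a status word.
struct FlagName { uint32_t bit; const char* name; };
#define CERT_STATUS_FLAG(label, value) {value, #label},
constexpr FlagName kFlagNames[] = {CERT_STATUS_LIST};
#undef CERT_STATUS_FLAG

// Bits 0-15 and 24-31 are errors, per the header's comments. Masking the whole
// range means reserved or unknown bits in it still count as errors.
constexpr uint32_t kErrorBits = 0xFF00FFFFu;
bool HasCertError(uint32_t status) { return (status & kErrorBits) != 0; }

// Names of all set flags; bits missing from the list are reported, not dropped.
std::vector<std::string> DecodeCertStatus(uint32_t status) {
  std::vector<std::string> names;
  uint32_t known = 0;
  for (const FlagName& f : kFlagNames) {
    known |= f.bit;
    if (status & f.bit) names.push_back(f.name);
  }
  if (status & ~known) names.push_back("UNKNOWN_BITS");
  return names;
}

int main() {
  uint32_t status = CERT_STATUS_DATE_INVALID | CERT_STATUS_IS_EV;  // constructed
  for (const auto& n : DecodeCertStatus(status)) std::cout << n << "\n";
  std::cout << "has error: " << HasCertError(status) << "\n";
}
```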
Path to the iOS certificate-related code: ../src/ios/web/net/
Relevant files:
crw_cert_verification_controller.h
crw_cert_verification_controller.mm
crw_cert_verification_controller_unittest.mm
crw_cert_verification_controller.h declares the following:
Certificate load policy:
// Accept policy for valid or invalid SSL cert.
typedef NS_ENUM(NSInteger, CertAcceptPolicy) {
  // Cert status can't be determined due to an error. Caller should reject the
  // load and show a net error page.
  CERT_ACCEPT_POLICY_NON_RECOVERABLE_ERROR = 0,
  // The cert is not valid. Caller may present an SSL warning and ask the user
  // if they want to proceed or reject the load.
  CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_UNDECIDED_BY_USER,
  // The cert is not valid. However, the caller should proceed with the load
  // because the user has decided to proceed with this invalid cert.
  CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_ACCEPTED_BY_USER,
  // The cert is valid. Caller should proceed with the load.
  CERT_ACCEPT_POLICY_ALLOW,
};
- (void)decideLoadPolicyForTrust:(base::ScopedCFTypeRef<SecTrustRef>)trust
                            host:(NSString*)host
               completionHandler:(web::PolicyDecisionHandler)completionHandler;
The method below determines the certificate status from trust and host:
- (void)querySSLStatusForTrust:(base::ScopedCFTypeRef<SecTrustRef>)trust
                          host:(NSString*)host
             completionHandler:(web::StatusQueryHandler)completionHandler;
The method below records that the certificate is allowed for host in later decideLoadPolicyForTrust calls:
- (void)allowCert:(scoped_refptr<net::X509Certificate>)cert
          forHost:(NSString*)host
           status:(net::CertStatus)status;
These are just notes for now; I will update them if I find anything new...