超级会员免费看
iOS安全开发:打造安全的钥匙串应用
1. 准备工作:转换证书格式
在开始构建应用之前,需要将证书转换为DER格式,因为安全框架期望的是DER格式的根证书,而非证书助手创建的PEM格式。具体操作步骤如下:
1. 打开终端应用(Terminal.app)。
2. 切换到
~/Library/Application Support/Certificate Authority/<CA Name>
目录。
3. 执行以下命令:
openssl x509 -in <PEM file> −inform PEM -out root.der -outform DER
将
<PEM file>
替换为实际的文件名。
2. 创建钥匙串应用
使用Xcode创建一个新的项目,选择标签式应用模板(Tabbed Application template),将项目命名为
KeychainViewer
,并启用故事板(storyboards)和自动引用计数(Automatic Reference Counting)。
2.1 添加安全框架
项目创建完成后,需要添加安全框架(Security framework):
1. 在项目导航器中选择项目。
2. 在项目编辑器中选择
Keychain Viewer
目标,然后导航到
Build Phases
标签。
3. 展开
Link Binary with Libraries (3 Items)
部分,添加
Security.framework
。
4. 将
Security.framework
移动到
Frameworks
组中,清理项目导航器。
2.2 删除默认视图控制器
删除
FirstViewController
和
SecondViewController
相关的文件,包括
.h
和
.m
文件。在Xcode询问时,选择
Move to Trash
。
3. 定义钥匙串项类
由于钥匙串API是C语言API,为了更方便地访问,将其封装在Objective-C类中。创建一个名为
KeychainItem
的新Objective-C类,使其成为
NSObject
的子类。
在
KeychainItem.h
中添加安全框架头文件的导入指令:
#import <Security/Security.h>
定义
KeychainItem
类的属性:
@property (strong, nonatomic) id type;
@property (strong, nonatomic) id item;
@property (strong, nonatomic) NSDictionary *attributes;
@property (strong, nonatomic) id persistentRef;
同时,定义初始化方法和其他方法:
- (id)initWithItem:(CFTypeRef)item;
- (id)initWithData:(NSData *)data options:(NSDictionary *)options;
- (BOOL)save:(NSError **)error;
- (id)valueForAttribute:(CFTypeRef)attr;
以下是这些方法的实现:
- (id)initWithItem:(CFTypeRef)item
{
self = [self init];
if (self) {
self.item = CFBridgingRelease(item);
}
return self;
}
- (id)initWithData:(NSData *)data options:(NSDictionary *)options
{
return nil;
}
- (BOOL)save:(NSError **)error
{
NSDictionary *attributes = @{
(__bridge id)kSecValueRef : self.item,
(__bridge id)kSecReturnPersistentRef : (id)kCFBooleanTrue
};
CFTypeRef cfPersistentRef;
OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attributes, &cfPersistentRef);
if (status != errSecSuccess) {
NSDictionary *userInfo = nil;
switch (status) {
case errSecParam:
userInfo = @{ NSLocalizedDescriptionKey : NSLocalizedString(@"errorSecParam",
@"One or more parameters passed to the function were not valid.") };
break;
case errSecAllocate:
userInfo = @{ NSLocalizedDescriptionKey : NSLocalizedString(@"errSecAllocate",
@"Failed to allocate memory.") };
break;
case errSecDuplicateItem:
userInfo = @{ NSLocalizedDescriptionKey : NSLocalizedString(@"errSecDuplicateItem",
@"The item already exists.") };
break;
}
if (*error)
*error = [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:userInfo];
return NO;
}
self.persistentRef = CFBridgingRelease(cfPersistentRef);
return YES;
}
- (id)valueForAttribute:(CFTypeRef)attr
{
return [self.attributes valueForKey:(__bridge id)attr];
}
4. 实现具体子类
安全框架中定义了四种钥匙串项类型,这里只处理证书(Certificates)和身份(Identities),因此需要定义两个具体子类:
KeychainCertificate
和
KeychainIdentity
。
4.1 KeychainCertificate类
创建
KeychainCertificate
类,继承自
KeychainItem
。实现初始化方法:
- (id)init
{
self = [super init];
if (self) {
self.type = [(__bridge id)kSecClassCertificate copy];
}
return self;
}
- (id)initWithData:(NSData *)data options:(NSDictionary *)options
{
SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)data);
if (cert) {
self = [self initWithItem:cert];
}
return self;
}
4.2 KeychainIdentity类
创建
KeychainIdentity
类,继承自
KeychainItem
。由于加载文件时需要密码,实现如下初始化方法:
- (id)init
{
self = [super init];
if (self) {
self.type = [(__bridge id)kSecClassIdentity copy];
}
return self;
}
- (id)initWithData:(NSData *)data options:(NSDictionary *)options
{
CFDataRef inPKCS12Data = (__bridge CFDataRef)data;
CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
OSStatus status = SecPKCS12Import(inPKCS12Data, (__bridge CFDictionaryRef)options, &items);
if (status != errSecSuccess) {
NSLog(@"Error Reading P12 file");
abort();
}
CFDictionaryRef myIdentityAndTrust = CFArrayGetValueAtIndex(items, 0);
SecIdentityRef identity =
(SecIdentityRef)CFDictionaryGetValue(myIdentityAndTrust, kSecImportItemIdentity);
if (identity)
self = [self initWithItem:identity];
return self;
}
5. 定义视图控制器类
创建
KeychainItemsViewController
类,继承自
UITableViewController
,作为抽象基类。在
KeychainItemsViewController.h
中添加属性:
@property (strong, nonatomic) NSArray *items;
在
KeychainItemsViewController.m
中实现表格视图数据源方法:
- (NSInteger)numberOfSectionsInTableView:(UITableView *)tableView
{
return 1;
}
- (NSInteger)tableView:(UITableView *)tableView numberOfRowsInSection:(NSInteger)section
{
return self.items.count;
}
- (UITableViewCell *)tableView:(UITableView *)tableView cellForRowAtIndexPath:(NSIndexPath *)
indexPath
{
static NSString *CellIdentifier = @"KeychainItemCell";
UITableViewCell *cell = [tableView dequeueReusableCellWithIdentifier:CellIdentifier
forIndexPath:indexPath];
KeychainItem *item = self.items[indexPath.row];
cell.textLabel.text = [item valueForAttribute:kSecAttrLabel];
return cell;
}
创建具体子类
CertificatesViewController
和
IdentitiesViewController
,继承自
KeychainItemsViewController
。
6. 更新故事板
打开
MainStoryboard.storyboard
,进行以下操作:
1. 删除
First View Controller
和
Second View Controller
。
2. 拖动一个
UITableViewController
到编辑器面板,从标签栏控制器(Tab Bar Controller)控制拖动到该表格视图控制器,选择
View Controllers
关系Segue。
3. 将表格视图控制器的标题重命名为
Identities
,使用
first.png
图像。
4. 将表格视图控制器的类改为
IdentitiesViewController
。
5. 将表格视图单元格的样式改为
Basic
,标识符设置为
KeychainItemCell
,附件设置为
Disclosure Indicator
。
6. 重复上述步骤,创建另一个表格视图控制器,标题为
Certificates
,类改为
CertificatesViewController
。
7. 加载钥匙串项
在
CertificatesViewController.m
中更新
viewDidLoad
方法:
- (void)viewDidLoad
{
[super viewDidLoad];
self.items = [KeychainCertificate allKeychainCertificates];
}
在
KeychainCertificate.h
中声明类方法:
+ (NSArray *)allKeychainCertificates;
在
KeychainCertificate.m
中实现该方法:
+ (NSArray *)allKeychainCertificates
{
NSMutableArray *certs = [NSMutableArray array];
NSDictionary *query = @{
(__bridge id)kSecClass : (__bridge id)kSecClassCertificate,
(__bridge id)kSecReturnRef : (id)kCFBooleanTrue,
(__bridge id)kSecReturnAttributes : (id)kCFBooleanTrue,
(__bridge id)kSecReturnPersistentRef : (id)kCFBooleanTrue,
(__bridge id)kSecMatchLimit : (__bridge id)kSecMatchLimitAll
};
CFTypeRef results = NULL;
OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &results);
if (status == errSecSuccess && results != NULL) {
for (NSDictionary *result in (__bridge NSArray *)results) {
id itemRef = [result valueForKey:(__bridge id)kSecValueRef];
id persistentRef = [result valueForKey:(__bridge id)kSecValuePersistentRef];
NSMutableDictionary *attrs = [NSMutableDictionary dictionaryWithDictionary:result];
[attrs removeObjectForKey:(__bridge id)kSecValueRef];
[attrs removeObjectForKey:(__bridge id)kSecValuePersistentRef];
KeychainCertificate *cert =
[[KeychainCertificate alloc] initWithItem:(__bridge CFTypeRef)itemRef];
cert.persistentRef = persistentRef;
cert.attributes = attrs;
[certs addObject:cert];
}
}
return certs;
}
在
IdentitiesViewController.m
中进行类似的操作,实现
allKeychainIdentities
方法:
+ (NSArray *)allKeychainIdentities
{
NSMutableArray *idents = [NSMutableArray array];
NSDictionary *query = @{
(__bridge id)kSecClass : (__bridge id)kSecClassIdentity,
(__bridge id)kSecReturnRef : (id)kCFBooleanTrue,
(__bridge id)kSecReturnAttributes : (id)kCFBooleanTrue,
(__bridge id)kSecReturnPersistentRef : (id)kCFBooleanTrue,
(__bridge id)kSecMatchLimit : (__bridge id)kSecMatchLimitAll
};
CFTypeRef results = NULL;
OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &results);
if (status == errSecSuccess && results != NULL) {
for (NSDictionary *result in (__bridge NSArray *)results) {
id itemRef = [result valueForKey:(__bridge id)kSecValueRef];
id persistentRef = [result valueForKey:(__bridge id)kSecValuePersistentRef];
NSMutableDictionary *attrs = [NSMutableDictionary dictionaryWithDictionary:result];
[attrs removeObjectForKey:(__bridge id)kSecValueRef];
[attrs removeObjectForKey:(__bridge id)kSecValuePersistentRef];
KeychainIdentity *ident =
[[KeychainIdentity alloc] initWithItem:(__bridge CFTypeRef)itemRef];
ident.persistentRef = persistentRef;
ident.attributes = attrs;
[idents addObject:ident];
}
}
return idents;
}
8. 加载证书和身份
将之前创建的
root.cer
和
cert.p12
文件添加到项目的
Supporting Files
组中,确保勾选
Copy items to destination group’s folder (if needed)
复选框。
在
AppDelegate.m
中导入头文件:
#import "KeychainCertificate.h"
#import "KeychainIdentity.h"
定义私有类别:
@interface AppDelegate ()
- (BOOL)isAnchorCertLoaded;
- (void)addAnchorCertificate;
- (void)addIdentity;
@end
修改
application:didFinishLaunchingWithOptions:
方法:
- (BOOL)application:(UIApplication *)application
didFinishLaunchingWithOptions:(NSDictionary *)launchOptions
{
if ([self isAnchorCertLoaded]) {
[self addIdentity];
[self addAnchorCertificate];
}
return YES;
}
实现其他方法:
- (BOOL)isAnchorCertLoaded
{
return ([[NSUserDefaults standardUserDefaults] valueForKey:@"anchor_certificate"] == nil);
}
- (void)addAnchorCertificate
{
NSString *rootCertificatePath = [[NSBundle mainBundle] pathForResource:@"root" ofType:@"der"];
NSData *data = [[NSData alloc] initWithContentsOfFile:rootCertificatePath];
KeychainCertificate *cert = [[KeychainCertificate alloc] initWithData:data options:nil];
if (cert) {
NSError *error;
BOOL saved = [cert save:&error];
if (!saved) {
NSLog(@"Error Saving Certificate: %@", [error localizedDescription]);
abort();
}
NSUserDefaults *userDefaults = [NSUserDefaults standardUserDefaults];
[userDefaults setObject:cert.persistentRef forKey:@"anchor_certificate"];
[userDefaults synchronize];
}
}
- (void)addIdentity
{
NSString *identityPath = [[NSBundle mainBundle] pathForResource:@"cert" ofType:@"p12"];
NSData *data = [[NSData alloc] initWithContentsOfFile:identityPath];
NSString *password = @"@Super2048Cat";
KeychainIdentity *ident =
[[KeychainIdentity alloc] initWithData:data
options:@{ (__bridge id)kSecImportExportPassphrase : password }];
if (ident) {
NSError *error;
BOOL saved = [ident save:&error];
if (!saved) {
NSLog(@"Error Saving Identity: %@", [error localizedDescription]);
abort();
}
}
}
9. 添加详细视图
创建
KeychainItemViewController
类,继承自
UIViewController
。在
KeychainItemViewController.h
中声明属性和方法:
@class KeychainItem;
@property (strong, nonatomic) KeychainItem *item;
@property (weak, nonatomic) IBOutlet UITextView *textView;
- (IBAction)done:(id)sender;
在
KeychainItemViewController.m
中实现
done:
方法:
- (IBAction)done:(id)sender
{
[self dismissViewControllerAnimated:YES completion:nil];
}
在
MainStoryboard.storyboard
中添加视图控制器场景:
1. 拖动两个
UIViewController
到故事板编辑器,分别放在
IdentitiesViewController
和
CertificatesViewController
旁边。
2. 将两个视图的背景颜色改为黑色,添加
UITextView
和
UIButton
。
3. 将视图控制器的类改为
KeychainItemViewController
,连接
textView
出口和
done:
动作。
4. 从表格视图单元格控制拖动到
KeychainItemViewController
,选择模态选择Segue,分别命名为
CertificateSegue
和
IdentitySegue
。
在
KeychainItemViewController.m
中实现
viewWillAppear:
方法:
- (void)viewWillAppear:(BOOL)animated
{
if (self.item) {
NSMutableString *itemInfo = [NSMutableString string];
[itemInfo appendFormat:@"AccessGroup: %@\n",
[self.item valueForAttribute:kSecAttrAccessGroup]];
[itemInfo appendFormat:@"CreationDate: %@\n",
[self.item valueForAttribute:kSecAttrCreationDate]];
[itemInfo appendFormat:@"CertificateEncoding: %@\n",
[self.item valueForAttribute:kSecAttrCertificateEncoding]];
[itemInfo appendFormat:@"CreationDate: %@\n", [self.item valueForAttribute:kSecClass]];
[itemInfo appendFormat:@"Issuer: %@\n", [self.item valueForAttribute:kSecAttrIssuer]];
[itemInfo appendFormat:@"Label: %@\n", [self.item valueForAttribute:kSecAttrLabel]];
[itemInfo appendFormat:@"ModificationDate: %@\n",
[self.item valueForAttribute:kSecAttrModificationDate]];
[itemInfo appendFormat:@"Accessible: %@\n", [self.item valueForAttribute:kSecAttrAccessible]];
[itemInfo appendFormat:@"PublicKeyHash: %@\n",
[self.item valueForAttribute:kSecAttrPublicKeyHash]];
[itemInfo appendFormat:@"SerialNumber: %@\n",
[self.item valueForAttribute:kSecAttrSerialNumber]];
[itemInfo appendFormat:@"Subject: %@\n", [self.item valueForAttribute:kSecAttrSubject]];
self.textView.text = itemInfo;
}
}
在
CertificatesViewController.m
和
IdentitiesViewController.m
中实现
prepareForSegue:sender:
方法:
- (void)prepareForSegue:(UIStoryboardSegue *)segue sender:(id)sender
{
if ([segue.identifier isEqualToString:@"CertificateSegue"]) {
NSIndexPath *indexPath = [self.tableView indexPathForSelectedRow];
KeychainCertificate *cert = self.items[indexPath.row];
KeychainItemViewController *kivc = [segue destinationViewController];
kivc.item = cert;
}
}
- (void)prepareForSegue:(UIStoryboardSegue *)segue sender:(id)sender
{
if ([segue.identifier isEqualToString:@"IdentitySegue"]) {
NSIndexPath *indexPath = [self.tableView indexPathForSelectedRow];
KeychainIdentity *ident = self.items[indexPath.row];
KeychainItemViewController *kivc = [segue destinationViewController];
kivc.item = ident;
}
}
流程图
graph TD;
A[准备工作:转换证书格式] --> B[创建钥匙串应用];
B --> C[定义钥匙串项类];
C --> D[实现具体子类];
D --> E[定义视图控制器类];
E --> F[更新故事板];
F --> G[加载钥匙串项];
G --> H[加载证书和身份];
H --> I[添加详细视图];
总结
通过以上步骤,我们完成了一个基本的钥匙串应用的开发,包括证书和身份的管理、显示以及详细信息的展示。在开发过程中,需要注意证书格式的转换、安全框架的使用以及视图控制器和故事板的配置。后续可以进一步扩展应用,例如添加更多的钥匙串项类型、优化用户界面等。
iOS安全开发:打造安全的钥匙串应用
10. 增强数字身份功能:加密和解密
为了让数字身份具备加密和解密数据的能力,需要在
KeychainIdentity.h
中添加两个方法:
- (NSData *)encrypt:(NSData *)data;
- (NSData *)decrypt:(NSData *)data;
同时,为了判断数字身份是否可信任,声明一些私有属性和方法:
@interface KeychainIdentity ()
@property (assign, nonatomic, readonly, getter=isTrusted) BOOL trusted;
@property (assign, nonatomic, readonly) SecTrustRef trust;
@property (assign, nonatomic, readonly) SecCertificateRef anchorCertificate;
@property (assign, nonatomic, readonly) SecCertificateRef certificate;
- (BOOL)recoverTrust;
@end
在实现文件中合成这些属性:
@synthesize trusted = _trusted;
@synthesize trust = _trust;
@synthesize anchorCertificate = _anchorCertificate;
@synthesize certificate = _certificate;
更新
init
方法来初始化这些实例变量:
- (id)init
{
self = [super init];
if (self) {
self.type = [(__bridge id)kSecClassIdentity copy];
_trusted = NO;
_trust = NULL;
}
return self;
}
实现
dealloc
方法来释放信任和证书引用:
- (void)dealloc
{
if (_trust)
CFRelease(_trust);
if (_certificate)
CFRelease(_certificate);
if (_anchorCertificate)
CFRelease(_anchorCertificate);
}
11. 实现信任相关方法
11.1 加载锚证书
- (SecCertificateRef)anchorCertificate
{
if (_anchorCertificate == NULL) {
id persistentRef =
[[NSUserDefaults standardUserDefaults] objectForKey:@"anchor_certificate"];
NSDictionary *query = @{
(__bridge id)kSecClass : (__bridge id)kSecClassCertificate,
(__bridge id)kSecValuePersistentRef : persistentRef,
(__bridge id)kSecReturnRef : (id)kCFBooleanTrue,
(__bridge id)kSecMatchLimit : (__bridge id)kSecMatchLimitOne
};
OSStatus status =
SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&_anchorCertificate);
if (status != errSecSuccess || _anchorCertificate == NULL) {
NSLog(@"Error loading Anchor Certificate");
abort();
}
}
return _anchorCertificate;
}
该方法会从用户默认设置中获取锚证书的持久引用,然后查询钥匙串以加载锚证书。
11.2 加载数字身份证书
- (SecCertificateRef)certificate
{
if (_certificate == NULL) {
OSStatus status =
SecIdentityCopyCertificate((__bridge SecIdentityRef)self.item, &_certificate);
if (status != errSecSuccess) {
NSLog(@"Error retrieving Identity Certificate");
return NULL;
}
}
return _certificate;
}
此方法通过
SecIdentityCopyCertificate
函数从数字身份中获取证书。
11.3 创建信任引用
- (SecTrustRef)trust
{
if (_trust == NULL) {
SecPolicyRef policy = SecPolicyCreateBasicX509();
NSArray *certs = @[ (__bridge id)self.certificate, (__bridge id)self.anchorCertificate ];
OSStatus status =
SecTrustCreateWithCertificates((__bridge CFTypeRef)certs, policy, &_trust);
if (status != errSecSuccess) {
NSLog(@"Error Creating Trust from Certificate");
return NULL;
}
}
return _trust;
}
该方法创建一个基本的X.509策略,然后使用证书数组创建信任引用。
11.4 判断数字身份是否可信任
- (BOOL)isTrusted
{
if (_trust == NULL) {
SecTrustResultType trustResult;
OSStatus status = SecTrustEvaluate(self.trust, &trustResult);
if (status == errSecSuccess) {
switch (trustResult) {
case kSecTrustResultInvalid:
case kSecTrustResultDeny:
case kSecTrustResultFatalTrustFailure:
case kSecTrustResultOtherError:
_trusted = NO;
break;
case kSecTrustResultProceed:
case kSecTrustResultConfirm:
case kSecTrustResultUnspecified:
_trusted = YES;
break;
case kSecTrustResultRecoverableTrustFailure:
_trusted = [self recoverTrust];
break;
}
}
else
_trusted = NO;
}
return _trusted;
}
该方法评估信任结果,并根据不同的结果类型判断数字身份是否可信任。对于可恢复的信任失败,会调用
recoverTrust
方法尝试恢复信任。
11.5 恢复信任
- (BOOL)recoverTrust
{
NSArray *anchorCerts = @[ (__bridge id)self.anchorCertificate ];
SecTrustSetAnchorCertificates(self.trust, (__bridge CFArrayRef)anchorCerts);
SecTrustSetAnchorCertificatesOnly(self.trust, NO);
SecTrustResultType trustResult;
OSStatus status = SecTrustEvaluate(self.trust, &trustResult);
if (status == errSecSuccess) {
switch (trustResult) {
case kSecTrustResultInvalid:
case kSecTrustResultDeny:
case kSecTrustResultFatalTrustFailure:
case kSecTrustResultOtherError:
case kSecTrustResultRecoverableTrustFailure:
return NO;
break;
case kSecTrustResultProceed:
case kSecTrustResultConfirm:
case kSecTrustResultUnspecified:
return YES;
break;
}
}
return NO;
}
此方法通过设置锚证书并重新评估信任来尝试恢复可恢复的信任失败。
12. 实现加密和解密方法
12.1 加密方法
- (NSData *)encrypt:(NSData *)data
{
if (!self.isTrusted)
return nil;
SecKeyRef publicKey = SecTrustCopyPublicKey(self.trust);
size_t keyBlockSize = SecKeyGetBlockSize(publicKey);
size_t bufferSize = keyBlockSize*sizeof(uint8_t);
uint8_t *srcBuffer = malloc(bufferSize);
size_t srcBufferLen = keyBlockSize - 11;
uint8_t *buffer = malloc(bufferSize);
size_t bufferLen = keyBlockSize;
NSMutableData *result = [[NSMutableData alloc] init];
NSRange range = NSMakeRange(0, keyBlockSize);
while (range.location < data.length) {
memset(srcBuffer, 0x0, bufferSize);
memset(buffer, 0x0, bufferSize);
if (NSMaxRange(range) > data.length)
range.length = data.length - range.location;
[data getBytes:srcBuffer range:range];
OSStatus status =
SecKeyEncrypt(publicKey, kSecPaddingPKCS1, srcBuffer, srcBufferLen, buffer, &bufferLen);
if (status != errSecSuccess) {
NSLog(@"Error Encrypting Data");
free(buffer);
free(srcBuffer);
free(publicKey);
return nil;
}
[result appendBytes:buffer length:bufferLen];
range.location += srcBufferLen;
}
free(buffer);
free(srcBuffer);
free(publicKey);
return result;
}
加密方法首先检查数字身份是否可信任,然后使用公钥进行加密。如果数据长度超过密钥块大小,会分块进行加密。
12.2 解密方法
- (NSData *)decrypt:(NSData *)data
{
if (!self.isTrusted)
return nil;
SecKeyRef privateKey;
OSStatus status = SecIdentityCopyPrivateKey((__bridge SecIdentityRef)self.item, &privateKey);
if (status != errSecSuccess && privateKey != NULL) {
CFRelease(privateKey);
privateKey = NULL;
return nil;
}
size_t keyBlockSize = SecKeyGetBlockSize(privateKey);
size_t bufferSize = keyBlockSize*sizeof(uint8_t);
uint8_t *srcBuffer = malloc(bufferSize);
uint8_t *buffer = malloc(bufferSize);
size_t bufferLen = keyBlockSize;
NSMutableData *result = [[NSMutableData alloc] init];
NSRange range = NSMakeRange(0, keyBlockSize);
while (range.location < data.length) {
memset(srcBuffer, 0x0, bufferSize);
memset(buffer, 0x0, bufferSize);
if (NSMaxRange(range) > data.length)
range.length = data.length - range.location;
[data getBytes:srcBuffer range:range];
OSStatus status =
SecKeyDecrypt(privateKey, kSecPaddingPKCS1, srcBuffer, keyBlockSize, buffer, &bufferLen);
if (status != errSecSuccess) {
NSLog(@"Error Decrypting Data");
free(buffer);
free(srcBuffer);
free(privateKey);
return nil;
}
[result appendBytes:buffer length:bufferLen];
range.location += keyBlockSize;
}
free(buffer);
free(srcBuffer);
free(privateKey);
return result;
}
解密方法首先检查数字身份是否可信任,然后获取私钥进行解密。同样,如果数据长度超过密钥块大小,会分块进行解密。
13. 在身份详细视图控制器中使用加密和解密功能
创建
IdentityViewController
类,继承自
KeychainItemViewController
。在
IdentityViewController.h
中声明按钮的出口和动作:
@property (weak, nonatomic) IBOutlet UIButton *cryptButton;
- (IBAction)crypt:(id)sender;
在
IdentityViewController.m
中定义私有类别和方法:
@interface IdentityViewController () {
NSData *_encryptedData;
}
- (void)encrypt;
- (void)decrypt;
@end
实现
crypt:
动作方法:
- (IBAction)crypt:(id)sender
{
if (_encryptedData)
[self decrypt];
else
[self encrypt];
}
实现
encrypt
方法:
- (void)encrypt
{
KeychainIdentity *ident = (KeychainIdentity *)self.item;
NSData *data = [self.textView.text dataUsingEncoding:NSUTF8StringEncoding];
_encryptedData = [ident encrypt:data];
if (_encryptedData == nil) {
NSLog(@"Encryption Failed");
return;
}
self.textView.text = [_encryptedData description];
[self.cryptButton setTitle:@"Decrypt" forState:UIControlStateNormal];
}
实现
decrypt
方法:
- (void)decrypt
{
KeychainIdentity *ident = (KeychainIdentity *)self.item;
NSData *data = [ident decrypt:_encryptedData];
if (data == nil) {
NSLog(@"Decryption Failed");
return;
}
NSString *decryptedString = [[NSString alloc] initWithBytes:[data bytes]
length:[data length]
encoding:NSUTF8StringEncoding];
_encryptedData = nil;
self.textView.text = decryptedString;
[self.cryptButton setTitle:@"Encrypt" forState:UIControlStateNormal];
}
14. 调整故事板以使用新的身份视图控制器
打开
MainStoryboard.storyboard
,找到
KeychainItemViewController
并将其类改为
IdentityViewController
。拖动一个
UIButton
到视图的右下角,将其标签改为
Encrypt
。连接
cryptButton
出口和
crypt:
动作。
15. 测试应用
构建并运行应用,选择数字身份打开
IdentityViewController
。点击
Encrypt
按钮加密文本,然后点击
Decrypt
按钮解密文本。
流程图
graph TD;
J[增强数字身份功能:加密和解密] --> K[实现信任相关方法];
K --> L[实现加密和解密方法];
L --> M[在身份详细视图控制器中使用加密和解密功能];
M --> N[调整故事板以使用新的身份视图控制器];
N --> O[测试应用];
总结
通过以上步骤,我们为钥匙串应用中的数字身份添加了加密和解密功能。在实现过程中,需要注意数字身份的信任评估、密钥的获取和使用以及数据的分块处理。同时,在视图控制器中合理地集成这些功能,为用户提供一个可操作的界面。后续可以进一步优化加密算法、增强用户交互等,提升应用的安全性和用户体验。
扫一扫
37
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
