Re: kCFStreamPropertySSLPeerCertificates issue
- Subject: Re: kCFStreamPropertySSLPeerCertificates issue
- From: Ken McLeod <email@hidden>
- Date: Wed, 07 Aug 2013 19:07:39 -0700
On Aug 07 2013 06:17 PM, Jens Alfke wrote:
>
> On Aug 7, 2013, at 5:55 PM, Kevin Yu <email@hidden> wrote:
>
> >> In other words, you get the kCFStreamPropertySSLPeerTrust property, cast the result to a SecTrustRef, and call SecTrustEvaluate on that. (And you’ll need to link against Security.framework.)
> >>
> >> —Jens
> > So that means I should use kCFStreamPropertySSLPeerTrust to replace kCFStreamPropertySSLPeerCertificates?
Yes.
> It doesn’t replace it; it returns a SecTrustRef not an array. As I said, you’ll need to call SecTrustEvaluate afterwards to get the certificate chain.
Not necessarily. When you get kCFStreamPropertySSLPeerTrust, it's likely already been evaluated by CFNetwork so you don't need to do it again.
You can call SecTrustGetTrustResult() to preflight if SecTrustEvaluate() needs to be called. If it returns kSecTrustResultInvalid in the result parameter, then you need to call SecTrustEvaluate() to build the chain... any other result means the SecTrustRef has already been evaluated and the chain is built. You can then proceed to call SecTrustGetCertificateCount() and SecTrustGetCertificateAtIndex() to obtain each cert in the chain.
Protip: calling SecTrustGetCertificateAtIndex(trust, 0) to get the leaf certificate can be done at any time; it doesn't require the trust to be evaluated.
-ken
>
> —Jens
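The sequence Ken describes (copy the trust object, preflight with SecTrustGetTrustResult, evaluate only if still invalid, then walk the chain), written up as an added Objective-C example; it is not code from this thread. It assumes `stream` is a CFReadStream whose TLS handshake has already completed, and that the target links CFNetwork and Security.framework; the helper names are mine.

```objective-c
// Added example, not from the mailing-list thread. Assumes an ARC build,
// an open TLS CFReadStream, and links against CFNetwork + Security.framework.
#import <Foundation/Foundation.h>
#import <CFNetwork/CFNetwork.h>
#import <Security/Security.h>

// Returns the peer certificate chain (index 0 is the leaf) as SecCertificateRef
// objects, or nil if no trust object is available. *outResult receives the
// trust result so the caller can decide whether the peer is acceptable.
static NSArray *PeerCertificateChain(CFReadStreamRef stream,
                                     SecTrustResultType *outResult)
{
    SecTrustRef trust =
        (SecTrustRef)CFReadStreamCopyProperty(stream, kCFStreamPropertySSLPeerTrust);
    if (trust == NULL) {
        return nil;   // no TLS session, or the handshake has not finished
    }

    // Preflight: did CFNetwork already evaluate this trust object?
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustGetTrustResult(trust, &result);
    if (status == errSecSuccess && result == kSecTrustResultInvalid) {
        // Not evaluated yet: evaluate now so the full chain gets built.
        status = SecTrustEvaluate(trust, &result);
    }
    if (status != errSecSuccess) {
        CFRelease(trust);
        return nil;
    }
    if (outResult) {
        *outResult = result;
    }

    // Chain is built; the leaf at index 0 is available even without evaluation.
    CFIndex count = SecTrustGetCertificateCount(trust);
    NSMutableArray *chain = [NSMutableArray arrayWithCapacity:count];
    for (CFIndex i = 0; i < count; i++) {
        SecCertificateRef cert = SecTrustGetCertificateAtIndex(trust, i);
        [chain addObject:(__bridge id)cert];   // the array retains each cert
    }
    CFRelease(trust);
    return chain;
}

// Only Proceed and Unspecified mean the chain verified against the trust
// policy; treat every other result as an untrusted peer.
static BOOL TrustResultIsTrusted(SecTrustResultType result)
{
    return result == kSecTrustResultProceed ||
           result == kSecTrustResultUnspecified;
}
```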
Macnetworkprog mailing list (email@hidden)