HTTPS双向认证(AFNetworking 3.0)
2017-09-29 本文已影响42人
墨凌风起
HttpsManager.h
+(AFHTTPSessionManager *)SignalSSL;
+(AFHTTPSessionManager *)DualSSL;
HttpsManager.m
//单向:客户端验证服务器的CA证书
+(AFHTTPSessionManager *)SignalSSL{
AFHTTPSessionManager *_manager = [AFHTTPSessionManager manager];
NSString *certFilePath = [[NSBundle mainBundle] pathForResource:@"CA" ofType:@"cer"];
NSData *certData = [NSData dataWithContentsOfFile:certFilePath];
NSSet *certSet = [NSSet setWithObject:certData];
AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate withPinnedCertificates:certSet];
policy.allowInvalidCertificates = YES;
policy.validatesDomainName = YES;
_manager.securityPolicy = policy;
_manager.responseSerializer = [AFHTTPResponseSerializer serializer];
//设置POST的请求的header
[_manager.requestSerializer setValue:@"value" forHTTPHeaderField:@"key"];
return _manager;
}
//双向:客户端验证服务器的CA证书,服务器验证客户端的p12证书
+(AFHTTPSessionManager *)DualSSL{
__weak AFHTTPSessionManager *_manager = [AFHTTPSessionManager manager];
NSString *certFilePath = [[NSBundle mainBundle] pathForResource:@"cacert" ofType:@"cer"];
NSData *certData = [NSData dataWithContentsOfFile:certFilePath];
NSSet *certSet = [NSSet setWithObject:certData];
AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate withPinnedCertificates:certSet];
policy.allowInvalidCertificates = YES;
policy.validatesDomainName = YES;
_manager.securityPolicy = policy;
_manager.responseSerializer = [AFHTTPResponseSerializer serializer];
//设置POST的请求的header
[_manager.requestSerializer setValue:@"value" forHTTPHeaderField:@"key"];
//客户端请求验证 重写 setSessionDidReceiveAuthenticationChallengeBlock 方法
__weak typeof(self)weakSelf = self;
[_manager setSessionDidReceiveAuthenticationChallengeBlock:^NSURLSessionAuthChallengeDisposition(NSURLSession*session, NSURLAuthenticationChallenge *challenge, NSURLCredential *__autoreleasing*_credential) {
NSURLSessionAuthChallengeDisposition disposition = NSURLSessionAuthChallengePerformDefaultHandling;
__autoreleasing NSURLCredential *credential =nil;
if([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
if([_manager.securityPolicy evaluateServerTrust:challenge.protectionSpace.serverTrust forDomain:challenge.protectionSpace.host]) {
credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];
if(credential) {
disposition =NSURLSessionAuthChallengeUseCredential;
} else {
disposition =NSURLSessionAuthChallengePerformDefaultHandling;
}
} else {
disposition = NSURLSessionAuthChallengeCancelAuthenticationChallenge;
}
} else {
SecIdentityRef identity = NULL;
SecTrustRef trust = NULL;
NSString *p12Str = [[NSBundle mainBundle] pathForResource:@"p12证书" ofType:@"p12"];;
NSData *PKCS12Data = [NSData dataWithContentsOfFile:p12Str];
if ([[weakSelf class] extractIdentity:&identity andTrust:&trust fromPKCS12Data:PKCS12Data]){
SecCertificateRef caRef = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)PKCS12Data);
SecIdentityCopyCertificate(identity, &caRef);
const void*certs[] = {caRef};
CFArrayRef certArray =CFArrayCreate(kCFAllocatorDefault, certs,1,NULL);
credential =[NSURLCredential credentialWithIdentity:identity certificates:(__bridge NSArray*)certArray persistence:NSURLCredentialPersistencePermanent];
disposition =NSURLSessionAuthChallengeUseCredential;
}
}
*_credential = credential;
return disposition;
}];
return _manager;
}
#pragma ---mark daili
+(BOOL)extractIdentity:(SecIdentityRef*)outIdentity andTrust:(SecTrustRef *)outTrust fromPKCS12Data:(NSData *)inPKCS12Data {
OSStatus securityError = errSecSuccess;
//client certificate password
NSDictionary*optionsDictionary = [NSDictionary dictionaryWithObject:@"p12Pwd"
forKey:(__bridge id)kSecImportExportPassphrase];
CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
securityError = SecPKCS12Import((__bridge CFDataRef)inPKCS12Data,(__bridge CFDictionaryRef)optionsDictionary,&items);
if(securityError == 0) {
CFDictionaryRef myIdentityAndTrust =CFArrayGetValueAtIndex(items,0);
const void*tempIdentity =NULL;
tempIdentity= CFDictionaryGetValue (myIdentityAndTrust,kSecImportItemIdentity);
*outIdentity = (SecIdentityRef)tempIdentity;
const void*tempTrust =NULL;
tempTrust = CFDictionaryGetValue(myIdentityAndTrust,kSecImportItemTrust);
*outTrust = (SecTrustRef)tempTrust;
} else {
NSLog(@"Failedwith error code %d",(int)securityError);
return NO;
}
return YES;
}
ViewController.m
//单向认证
- (IBAction)signalSSLRequest:(id)sender {
//访问服务器的参数
NSDictionary *parameter = [NSDictionary dictionaryWithObjectsAndKeys:
@"libai",@"username",nil];
//请求地址
NSString *url = @"https://xxx";
[[HttpsManager SignalSSL] POST:url parameters:parameter progress:nil success:^(NSURLSessionDataTask * _Nonnull task, id _Nullable responseObject) {
NSDictionary *dic = [NSJSONSerialization JSONObjectWithData:responseObject options:NSJSONReadingMutableContainers error:nil];
NSLog(@"errMessage = %@",dic);
} failure:^(NSURLSessionDataTask * _Nullable task, NSError * _Nonnull error) {
NSLog(@"错误Error: %@", error);
}];
}
//双向认证
- (IBAction)DualSSLRequest:(id)sender {
NSDictionary *parameter = @{@"name":@"libai"};
NSString *url = @"https://xxx";
[[HttpsManager DualSSL] POST:url parameters:parameter progress:nil success:^(NSURLSessionDataTask * _Nonnull task, id _Nullable responseObject) {
NSDictionary *dic = [NSJSONSerialization JSONObjectWithData:responseObject options:NSJSONReadingMutableContainers error:nil];
NSLog(@"errMessage = %@",dic);
} failure:^(NSURLSessionDataTask * _Nullable task, NSError * _Nonnull error) {
NSLog(@"错误Error: %@", error);
}];
}
