美文网首页
iOS-Network-Https

iOS-Network-Https

作者: 枫枫大世界 | 来源:发表于2017-03-26 18:41 被阅读31次

    参考文章:
    http://www.ruanyifeng.com/blog/2014/02/ssl_tls.html
    http://www.ruanyifeng.com/blog/2014/09/illustration-ssl.html
    http://www.jianshu.com/p/20d5fb4cd76d
    双向验证:
    http://blog.csdn.net/codingfire/article/details/53419521
    http://m.ithao123.cn/content-10472230.html
    OpenSSL:
    https://www.openssl.org/docs/man1.0.2/
    http://shjia.blog.51cto.com/2476475/1427138

    通篇看完觉得一张图解释Https很🐂。

    注意:

    1. 证书和服务器需要满足Requirements for Connecting Using ATS的条件。
    2. 保证1满足。

    NSURLConnection-两种方式实现 - 客户端验证服务器

    其他的如NSURLSession 调用方式和位置不同,原理一样

    - (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSLog(@"authenticatemethod:%@",challenge.protectionSpace.authenticationMethod);
    BOOL userJustCheckCertificateSame = NO;
    {
        if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        NSMutableArray *certificates = [NSMutableArray array];
        NSData*caCert =[NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"new_cacert" ofType:@"cer"]];
        NSData*serverCert =[NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"new_server" ofType:@"cer"]];
        if (userJustCheckCertificateSame) {
            [certificates addObject:caCert];
            [certificates addObject:serverCert];
            [self serverTrustjustCheckCertificateSame:challenge pinCertificates:certificates];
        }else{
            SecCertificateRef caCertRef = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)caCert);
            SecCertificateRef serverCertRef = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)serverCert);
            [certificates addObject:(__bridge_transfer id)caCertRef];
            [certificates addObject:(__bridge_transfer id)serverCertRef];
            [self serverTrustSystemMethod:challenge pinCertificates:certificates];
        }
            
        }else if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodClientCertificate]) {
            //暂时不做client 验证
            [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
//            NSData*certData =[NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"old_client" ofType:@"cer"]];
//            [self addCertToKeychain:certData];
//            NSURLCredential *credential = [self getClientCertFromKeychain];
//            [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
        }else{
            [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
        }
    }
}

// 如果server 返回的证书链 里面有一个在local 证书集合里面,即可认为合法
- (void)serverTrustjustCheckCertificateSame:(NSURLAuthenticationChallenge *)challenge pinCertificates:(NSMutableArray *)pinCertificates{
    SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
    if ([self localCaInServerChainList:serverTrust pinCertificates:pinCertificates]) {
        NSURLCredential *cred = [NSURLCredential credentialForTrust:serverTrust];
        [challenge.sender useCredential:cred forAuthenticationChallenge:challenge];
    }else{
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

- (BOOL)localCaInServerChainList:(SecTrustRef)serverTrust pinCertificates:(NSMutableArray *)pinCertificates{
    CFIndex certificateCount = SecTrustGetCertificateCount(serverTrust);
    for (CFIndex i = 0; i < certificateCount; i++) {
        SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, i);
        NSData *trustChainCertificate = (__bridge_transfer NSData *)SecCertificateCopyData(certificate);
        if ([pinCertificates containsObject:trustChainCertificate]) {
            return YES;
        }
    }
    return NO;
}

// 调用系统方法
- (void)serverTrustSystemMethod:(NSURLAuthenticationChallenge *)challenge pinCertificates:(NSMutableArray *)pinCertificates{
    //1)获取trust object
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    SecTrustResultType result;
    
    NSMutableArray *policies = [NSMutableArray array];
    // BasicX509 不验证域名是否相同(我们用的IP)
    SecPolicyRef policy = SecPolicyCreateBasicX509();
    [policies addObject:(__bridge_transfer id)policy];
    SecTrustSetPolicies(trust, (__bridge CFArrayRef)policies);
    
    //注意:添加自己的证书作为可信列表
    SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)pinCertificates);
    
    //禁用系统可信列表
    //SecTrustSetAnchorCertificatesOnly(trust, false);
    
    //2)SecTrustEvaluate会查找前面SecTrustSetAnchorCertificates设置的证书或者系统默认提供的证书,对trust进行验证
    OSStatus status = SecTrustEvaluate(trust, &result);
    if (status == errSecSuccess &&
        (result == kSecTrustResultProceed ||
         result == kSecTrustResultUnspecified))
    {
        //3)验证成功,生成NSURLCredential凭证cred,告知challenge的sender使用这个凭证来继续连接
        NSURLCredential *cred = [NSURLCredential credentialForTrust:trust];
        [challenge.sender useCredential:cred forAuthenticationChallenge:challenge];
    } else {
        //5)验证失败,取消这次验证流程
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

    NSURLConnection -服务器验证客户端

    所有参考链接:
    http://www.cnblogs.com/qiyer/p/4871421.html
    http://m.ithao123.cn/content-10472230.html
    http://oncenote.com/2014/10/21/Security-1-HTTPS/
    http://oncenote.com/2015/09/16/Security-2-HTTPS2/#verify_safely
    http://www.cnblogs.com/interdrp/p/4881116.html
    http://www.cnblogs.com/pixy/p/4722381.html
    http://www.cnblogs.com/JeffreySun/archive/2010/06/24/1627247.html
    http://www.jianshu.com/p/2927ca2b3719
    http://www.ruanyifeng.com/blog/2014/09/illustration-ssl.html
    http://www.ruanyifeng.com/blog/2014/02/ssl_tls.html
    https://zh.wikipedia.org/wiki/%E8%BF%AA%E8%8F%B2-%E8%B5%AB%E7%88%BE%E6%9B%BC%E5%AF%86%E9%91%B0%E4%BA%A4%E6%8F%9B
    http://www.cnblogs.com/oc-bowen/p/5896041.html
    http://www.cnblogs.com/jukan/p/5527922.html
    http://www.cnblogs.com/guogangj/p/4118605.html
    http://blog.csdn.net/linda1000/article/details/8676330
    http://blog.sina.com.cn/s/blog_a9303fd90101jmtx.html
    https://tools.ietf.org/html/rfc5246#section-7.3
    https://developer.apple.com/library/prerelease/content/documentation/Security/Conceptual/CertKeyTrustProgGuide/revisionHistory.html#//apple_ref/doc/uid/TP40001358-CH206-TPXREF101
    https://developer.apple.com/library/prerelease/content/technotes/tn2326/_index.html
    https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW57
    https://developer.apple.com/library/content/documentation/Security/Conceptual/CertKeyTrustProgGuide/revisionHistory/revisionHistory.html#//apple_ref/doc/uid/TP40001358-CH206-TPXREF101
    https://developer.apple.com/library/content/technotes/tn2232/_index.html#//apple_ref/doc/uid/DTS40012884-CH1-SECBASICTRUSTCUSTOMIZATION
    http://www.jianshu.com/p/2542c95fb023
    http://www.cnblogs.com/longshiyVip/p/5080917.html
    http://www.jianshu.com/p/e767a4e9252e
    http://www.cnblogs.com/hyddd/archive/2009/01/07/1371292.html
    https://developer.apple.com/library/content/qa/qa1727/_index.html
    https://developer.apple.com/reference/security

    相关文章

      网友评论

          本文标题:iOS-Network-Https

          本文链接:https://www.haomeiwen.com/subject/dxkumttx.html

          延伸阅读

          深度阅读

          • 您也可以注册成为美文阅读网的作者,发表您的原创作品、分享您的心情!

          栏目导航

          热点阅读

          关于我们|服务条款|联系我们|iOS-Network-Https|投稿指南|网站地图|RSS订阅|排版工具|手机版

          提供经典美文摘抄,优美散文欣赏,现代诗歌精选,短篇小说,心情随笔,表白情书范文,故事会在线阅读欣赏

          Copyright © 2014-2023 Haomeiwen.com All Rights Reserved. 好美文阅读网 版权所有

          备案信息:桂公网安备 45052102000051号 · 桂ICP备13007215号-3

          本站所收录作品、热点评论等信息部分来源互联网,目的只是为了系统归纳学习和传递资讯

          所有作品版权归原创作者所有,与本站立场无关,如不慎侵犯了你的权益,请联系我们告知,我们将做删除处理!