从iOS10开始,必须强制使用https,利用系统自带的NSURLSession网络请求,设置代理
如果是https连接,会调用一下代理,允许所有请求
- (void)URLSession:(NSURLSession*)session task:(NSURLSessionTask*)task didReceiveChallenge:(NSURLAuthenticationChallenge*)challenge completionHandler:(void(^)(NSURLSessionAuthChallengeDisposition,NSURLCredential*_Nullable))completionHandler {
NSURLCredential*credential = [NSURLCredentialcredentialForTrust:challenge.protectionSpace.serverTrust];
completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
}
以上是允许所有请求,这样做比较危险,中间人可以截取请求信息,下面做身份验证,服务器要配置SSL连接,创建证书参考:mac上apache创建服务器与iOS的双向认证证书,把服务器证书server.cer 和 客户端证书client.p12导入到项目
// 收到身份验证
- (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential * _Nullable))completionHandler {
NSURLProtectionSpace *space = [challenge protectionSpace];
NSString *host = space.host;
NSLog(@"host:%@,",host);
BOOL receivesCredentialSecurely = space.receivesCredentialSecurely;
NSLog(@"iScreadentialSecurely:%@",@(receivesCredentialSecurely));
NSString *authenticationMethod = space.authenticationMethod;
NSLog(@"authenticationMethod:%@",authenticationMethod);
NSString *protocol = space.protocol;
NSLog(@"protocol:%@",protocol);
NSInteger port = space.port;
NSLog(@"port:%@",@(port));
SecTrustRef trus = space.serverTrust;
NSLog(@"trus:%@",trus);
// 如果服务器主机是192.168.1.122才验证
if([host isEqualToString:@"192.168.1.122"] && receivesCredentialSecurely) {
// 认证方法:客户端认证
if ([authenticationMethod isEqualToString:@"NSURLAuthenticationMethodClientCertificate"] ) {
NSString *p12Path = [[NSBundle mainBundle] pathForResource:@"client" ofType:@"p12"];
NSData * p12Data = [NSData dataWithContentsOfFile:p12Path];
[self authClientCerData:p12Data cerPass:@"123456" space:space success:^(NSURLCredential *credential) {
completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
} failure:^(NSString *errorMsg) {
// 验证失败
NSLog(@"errorMsg = %@",errorMsg);
completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge,nil);
}];
//验证服务器证书------------------------------------------
} else if([authenticationMethod isEqualToString:@"NSURLAuthenticationMethodServerTrust"]) {
NSString *path = [[NSBundle mainBundle] pathForResource:@"server_client.cer" ofType:nil];
NSData *cerData = [[NSData alloc] initWithContentsOfFile:path];
[self authServerCerData:cerData space:space success:^{
// 验证成功
NSURLCredential *credential = [NSURLCredential credentialForTrust:space.serverTrust];
completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
} failure:^(NSString *errorMsg) {
// 验证失败
NSLog(@"errorMsg = %@",errorMsg);
completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge,nil);
}];
} else {
// 其他服务器连接取消连接
completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge,nil);
}
}
}
客户端验证服务器证书具体步骤
// 认证服务器证书
-(void)authServerCerData:(NSData *)cerData space:(NSURLProtectionSpace *)space success:(void(^)())success failure:(void(^)(NSString *errorMsg))failure {
if(![space.authenticationMethod isEqualToString:@"NSURLAuthenticationMethodServerTrust"]) {
if (failure) {
failure([[NSString alloc] initWithFormat:@"服务器认证方法不为'NSURLAuthenticationMethodServerTrust',authenticationMethod='%@'",space.authenticationMethod]);
}
return;
}
SecTrustRef serverTrust = space.serverTrust;
if(serverTrust == nil) {
if (failure) {
failure(@"space.serverTurst == nil");
}
return;
}
// 读取证书
if (cerData == nil) {
if (failure) {
failure(@"证书数据为空");
}
return;
}
SecCertificateRef cerRef = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)cerData);
if(cerRef == nil) {
if (failure) {
failure(@"不能读取证书信息,请检查证书名称");
}
return;
}
NSArray *caArray = @[(__bridge id)cerRef];
//将读取的证书设置为服务端帧数的根证书
OSStatus status = SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)caArray);
if(!(status == errSecSuccess)) {
if (failure) {
failure([[NSString alloc] initWithFormat:@"设置为服务端帧数的根证书失败,status=%@",@(status)]);
}
return;
}
SecTrustResultType result = -1;
//验证服务器的证书是否可信(有可能通过联网验证证书颁发机构)
status = SecTrustEvaluate(serverTrust, &result);
if(!(status == errSecSuccess)) {
if (failure) {
failure([[NSString alloc] initWithFormat:@"服务器证书验证失败,status=%@",@(status)]);
}
return;
}
// result返回结果,是否信任
BOOL allowConnect = ((result == kSecTrustResultUnspecified) || (result == kSecTrustResultProceed));
if(!allowConnect) {
if (failure) {
failure(@"不是信任的连接");
}
return;
}
// 全部通过验证
if (success) {
success();
}
}
服务器认证客户端证书
// 服务器认证客户端证书
-(void)authClientCerData:(NSData *)cerData cerPass:(NSString *)pass space:(NSURLProtectionSpace *)space success:(void(^)(NSURLCredential *credential))success failure:(void(^)(NSString *errorMsg))failure {
if(![space.authenticationMethod isEqualToString:@"NSURLAuthenticationMethodClientCertificate"]) {
failure([[NSString alloc] initWithFormat:@"服务器认证方法不为'NSURLAuthenticationMethodClientCertificate',authenticationMethod='%@'",space.authenticationMethod]);
return;
}
// 读取证书
if (cerData == nil) {
if (failure) {
failure(@"证书数据为空");
}
return;
}
CFDataRef inPKCS12Data = (__bridge CFDataRef)cerData;
SecIdentityRef identity = NULL;
OSStatus status = [self extractIdentity:inPKCS12Data identity:&identity pass:pass];
if(status != 0 || identity == NULL) {
if(failure) {
failure([[NSString alloc] initWithFormat:@"提取身份失败,status=%@",@(status)]);
}
return;
}
SecCertificateRef certificate = NULL;
SecIdentityCopyCertificate (identity, &certificate);
const void *certs[] = {certificate};
CFArrayRef arrayOfCerts = CFArrayCreate(kCFAllocatorDefault, certs, 1, NULL);
// NSURLCredentialPersistenceForSession:创建URL证书,在会话期间有效
NSURLCredential *credential = [NSURLCredential credentialWithIdentity:identity certificates:(__bridge NSArray*)arrayOfCerts persistence:NSURLCredentialPersistenceForSession];
if (success) {
success(credential);
}
if(certificate) {
CFRelease(certificate);
}
if (arrayOfCerts) {
CFRelease(arrayOfCerts);
}
return;
}
// 提取身份identity
- (OSStatus)extractIdentity:(CFDataRef)inP12Data identity:(SecIdentityRef*)identity pass:(NSString *)pass {
CFStringRef password = (__bridge CFStringRef)(pass);//证书密码
const void *keys[] = { kSecImportExportPassphrase };
const void *values[] = { password };
CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
OSStatus securityError = SecPKCS12Import(inP12Data, options, &items);
if (securityError == 0)
{
CFDictionaryRef ident = CFArrayGetValueAtIndex(items,0);
const void *tempIdentity = NULL;
tempIdentity = CFDictionaryGetValue(ident, kSecImportItemIdentity);
*identity = (SecIdentityRef)tempIdentity;
}
if (options) {
CFRelease(options);
}
return securityError;
}
网友评论