Swift 3如何使用SSL Pinning和AlamoFirevalidation服务器证书?
我正在写swift 3中的一个应用程序,需要与我的服务器通话。 我有完整的证书链,我是CA的der和crt格式(不要与自签名混淆)。 如何在我的应用程序中使用它来validation我的服务器? 以下是我的rest电话和回复
rest电话:
var request = URLRequest(url: URL(string: "https://myserver/login")!) request.addValue("Content-Type", forHTTPHeaderField: "application/json") request.httpMethod = "GET" let session = URLSession.shared session.dataTask(with: request) {data, response, err in print("=========================DATA===============================") if data != nil { print(data!) } print("=========================RESPONSE===============================") if response != nil { print(response!) } print("=========================ERR===============================") if err != nil { print(err!) } }.resume() 输出:
=========================DATA=============================== =========================RESPONSE=============================== =========================ERR=============================== Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x60800011f020>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=( "<cert(0x7fae4803d200) s: myserver i: MySubCA>", "<cert(0x7fae48047000) s: MySubCA i: MyRootCA>", "<cert(0x7fae48044600) s: MyRootCA i: MyRootCA>" ), NSUnderlyingError=0x60800005a040 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x60800011f020>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=( "<cert(0x7fae4803d200) s: myserver i: MySubCA>", "<cert(0x7fae48047000) s: MySubCA i: MyRootCA>", "<cert(0x7fae48044600) s: MyRootCA i: MyRootCA>" )}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://myserver/login, NSErrorFailingURLStringKey=https://myserver/login, NSErrorClientCertificateStateKey=0}
我只是利用在线博客AlamoFire和openssl解决了这个问题
我使用AlamoFire在iOS的networking
https://github.com/Alamofire/Alamofire
我在iOS上使用了一篇关于SSL固定的文章,以便find正确的方向
https://infinum.co/the-capsized-eight/articles/how-to-make-your-ios-apps-more-secure-with-ssl-pinning
我用openssl把我的证书转换成der格式
https://help.netmail.com/display/KB/Converting+SSL+Certificate+File+from+CRT+TO+DER+TO+PEM
Der转换
openssl x509 -in cert.crt -out cert.der -outform DER
您将需要将der格式的证书添加到您的应用程序包。
Swift 3的实现
// Your hostname and endpoint let hostname = "YOUR_HOST_NAME" let endpoint = "YOUR_ENDPOINT" let cert = "YOUR_CERT" // eg for cert.der, this should just be "cert" // Set up certificates let pathToCert = Bundle.main.path(forResource: cert, ofType: "der") let localCertificate = NSData(contentsOfFile: pathToCert!) let certificates = [SecCertificateCreateWithData(nil, localCertificate!)!] // Configure the trust policy manager let serverTrustPolicy = ServerTrustPolicy.pinCertificates( certificates: certificates, validateCertificateChain: true, validateHost: true ) let serverTrustPolicies = [hostname: serverTrustPolicy] let serverTrustPolicyManager = ServerTrustPolicyManager(policies: serverTrustPolicies) // Configure session manager with trust policy afManager = SessionManager( configuration: URLSessionConfiguration.default, serverTrustPolicyManager: serverTrustPolicyManager ) afManager.request(endpoint, method: .get).responseJSON { response in debugPrint("All Response Info: \(response)") }