AFNetworking3.0安全策略<三>

AFSecurityPolicy这个类的最用是为了验证HTTPS证书是否正确
https=http+ssl证书

一 实例化

先从头文件看 AFSecurityPolicy中所用API来自于 ,从字面理解就可以想到安全
接下来有一个自定义的枚举值

Paste_Image.png

在看他的三个实例化方法

Paste_Image.png

可以看出来后两个初始化方法都试从本地加载.cer证书,然后取出证书中的公钥存放在集合里

#pragma mark  加载某个包下所有的证书 以二进制保存在集合里面
+ (NSSet *)certificatesInBundle:(NSBundle *)bundle
{
    NSArray *paths = [bundle pathsForResourcesOfType:@"cer" inDirectory:@"."];

    NSMutableSet *certificates = [NSMutableSet setWithCapacity:[paths count]];
    for (NSString *path in paths)
    {
        NSData *certificateData = [NSData dataWithContentsOfFile:path];
        [certificates addObject:certificateData];
    }
    return [NSSet setWithSet:certificates];
}

#pragma mark - 取出所有证书中的所有公钥   放在集合里
- (void)setPinnedCertificates:(NSSet *)pinnedCertificates
{
    _pinnedCertificates = pinnedCertificates;

    if (pinnedCertificates)
    {
        NSMutableSet *mutablePinnedPublicKeys = [NSMutableSet setWithCapacity:[pinnedCertificates count]];
        for (NSData *certificate in pinnedCertificates)
        {
            id publicKey = AFPublicKeyForCertificate(certificate);
            if (!publicKey)
            {
                continue;
            }
            [mutablePinnedPublicKeys addObject:publicKey];
        }
        self.pinnedPublicKeys = [NSSet setWithSet:mutablePinnedPublicKeys];
    } else
    {
        self.pinnedPublicKeys = nil;
    }
}

/*
 __Require_Quiet  当条件返回false时，执行标记以后的代码
 
 __Require_noErr_Quiet  当条件抛出异常时，执行标记以后的代码
 */

// 在证书中获取公钥
static id AFPublicKeyForCertificate(NSData *certificate)
{
    id allowedPublicKey = nil;
    SecCertificateRef allowedCertificate;
    SecPolicyRef policy = nil;
    SecTrustRef allowedTrust = nil;
    SecTrustResultType result;
    
    // 1. 根据二进制的证书生成SecCertificateRef类型的证书
    allowedCertificate = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certificate);
    
    // 2.allowedCertificate != NULL      如果条件不成立就跳到_out标记处
    __Require_Quiet(allowedCertificate != NULL, _out);

    // 3. 新建policy为X.509
    policy = SecPolicyCreateBasicX509();
    
    // 4.根据SecCertificateRef类型的证书创建SecTrustRef对象，        如果出错就跳到_out标记处
    __Require_noErr_Quiet(SecTrustCreateWithCertificates(allowedCertificate, policy, &allowedTrust), _out);
    
    // 5.校验证书的过程，同步方法   结果存在 result中
    __Require_noErr_Quiet(SecTrustEvaluate(allowedTrust, &result), _out);

    // 6.在SecTrustRef对象中取出公钥
    allowedPublicKey = (__bridge_transfer id)SecTrustCopyPublicKey(allowedTrust);

_out:
    if (allowedTrust) {
        CFRelease(allowedTrust);
    }

    if (policy) {
        CFRelease(policy);
    }

    if (allowedCertificate) {
        CFRelease(allowedCertificate);
    }

    return allowedPublicKey;
}

二 验证证书是否正确

Paste_Image.png

一个serverTrust是一个证书的管理对象，所有队证书操作的方法都在这个类里面

#pragma mark - 核心方法  验证证书是否正确的方法

- (BOOL)evaluateServerTrust:(SecTrustRef)serverTrust
                  forDomain:(NSString *)domain
{
    if (domain &&
        self.allowInvalidCertificates &&
        self.validatesDomainName &&
        (self.SSLPinningMode == AFSSLPinningModeNone ||
         [self.pinnedCertificates count] == 0))
    {
        JZLog(@"In order to validate a domain name for self signed certificates, you MUST use pinning.");
        return NO;
    }

    //   证书的策略
    NSMutableArray *policies = [NSMutableArray array];
    if (self.validatesDomainName)
    {
         //验证domain 使用SecPolicyCreateSSL函数创建验证策略，  其中第一个参数为true表示验证整个SSL证书链，
        //第二个参数传入domain，用于判断整个证书链上需要验证的节点表示的那个domain是否和此处传入domain一致
        [policies addObject:(__bridge_transfer id)SecPolicyCreateSSL(true, (__bridge CFStringRef)domain)];
    } else
    {
        // 如果不需要验证domain，使用默认的BasicX509验证策略
        [policies addObject:(__bridge_transfer id)SecPolicyCreateBasicX509()];
    }

    //  为serverTrust添加验证车略，即告诉服务端如何验证策略
    SecTrustSetPolicies(serverTrust, (__bridge CFArrayRef)policies);

    if (self.SSLPinningMode == AFSSLPinningModeNone)
    {
        return self.allowInvalidCertificates || AFServerTrustIsValid(serverTrust);
    } else if (!AFServerTrustIsValid(serverTrust) && !self.allowInvalidCertificates)
    {
        // 服务器不通过  且 不允许自创建证书
        return NO;
    }
        // 代码能够走到这里说明两点
        // 1.通过了根证书的验证   或者 allowInvalidCertificates = YES
    switch (self.SSLPinningMode)
    {
        case AFSSLPinningModeNone:
        default:
            return NO;
        case AFSSLPinningModeCertificate:
        { // 全部校验
            NSMutableArray *pinnedCertificates = [NSMutableArray array];
            for (NSData *certificateData in self.pinnedCertificates)
            {
                 // 将二进制证书转换为 SecCertificateRef 类型证书
                [pinnedCertificates addObject:(__bridge_transfer id)SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certificateData)];
            }
            // 把本地的证书设为根证书，即服务器应该信任的证书
            SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)pinnedCertificates);

             // 校验能够信任
            if (!AFServerTrustIsValid(serverTrust))
            {
                return NO;
            }

            // 取出服务器中的所有证书
            NSArray *serverCertificates = AFCertificateTrustChainForServerTrust(serverTrust);
            
             //  判断本地是否包含服务里返回的证书
            for (NSData *trustChainCertificate in [serverCertificates reverseObjectEnumerator])
            {
                if ([self.pinnedCertificates containsObject:trustChainCertificate])
                {
                    return YES;
                }
            }
            
            return NO;
        }
        case AFSSLPinningModePublicKey:
        {
            NSUInteger trustedPublicKeyCount = 0;
            NSArray *publicKeys = AFPublicKeyTrustChainForServerTrust(serverTrust);


            for (id trustChainPublicKey in publicKeys)
            {
                for (id pinnedPublicKey in self.pinnedPublicKeys)
                {
                    if (AFSecKeyIsEqualToKey((__bridge SecKeyRef)trustChainPublicKey, (__bridge SecKeyRef)pinnedPublicKey))
                    {
                        trustedPublicKeyCount += 1;
                    }
                }
            }
            return trustedPublicKeyCount > 0;
        }
    }
    
    return NO;
}