HTTPS双向认证(AFNetworking 3.0)

HttpsManager.h

+(AFHTTPSessionManager *)SignalSSL;
+(AFHTTPSessionManager *)DualSSL;

HttpsManager.m

//单向:客户端验证服务器的CA证书
+(AFHTTPSessionManager *)SignalSSL{
    AFHTTPSessionManager *_manager = [AFHTTPSessionManager manager];
    NSString *certFilePath = [[NSBundle mainBundle] pathForResource:@"CA" ofType:@"cer"];
    
    NSData *certData = [NSData dataWithContentsOfFile:certFilePath];
    NSSet *certSet = [NSSet setWithObject:certData];
    AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate withPinnedCertificates:certSet];
    policy.allowInvalidCertificates = YES;
    policy.validatesDomainName = YES;
    _manager.securityPolicy = policy;
    _manager.responseSerializer = [AFHTTPResponseSerializer serializer];

    //设置POST的请求的header
    [_manager.requestSerializer setValue:@"value" forHTTPHeaderField:@"key"];
    
    return _manager;
}
//双向:客户端验证服务器的CA证书,服务器验证客户端的p12证书
+(AFHTTPSessionManager *)DualSSL{
    __weak AFHTTPSessionManager *_manager = [AFHTTPSessionManager manager];
    NSString *certFilePath = [[NSBundle mainBundle] pathForResource:@"cacert" ofType:@"cer"];
    NSData *certData = [NSData dataWithContentsOfFile:certFilePath];
    NSSet *certSet = [NSSet setWithObject:certData];
    AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate withPinnedCertificates:certSet];
    policy.allowInvalidCertificates = YES;
    policy.validatesDomainName = YES;
    _manager.securityPolicy = policy;
    
    _manager.responseSerializer = [AFHTTPResponseSerializer serializer];
    //设置POST的请求的header
    [_manager.requestSerializer setValue:@"value" forHTTPHeaderField:@"key"];
    
    //客户端请求验证 重写 setSessionDidReceiveAuthenticationChallengeBlock 方法
    __weak typeof(self)weakSelf = self;
    [_manager setSessionDidReceiveAuthenticationChallengeBlock:^NSURLSessionAuthChallengeDisposition(NSURLSession*session, NSURLAuthenticationChallenge *challenge, NSURLCredential *__autoreleasing*_credential) {
        NSURLSessionAuthChallengeDisposition disposition = NSURLSessionAuthChallengePerformDefaultHandling;
        __autoreleasing NSURLCredential *credential =nil;
        
        if([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
            if([_manager.securityPolicy evaluateServerTrust:challenge.protectionSpace.serverTrust forDomain:challenge.protectionSpace.host]) {
                credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];
                if(credential) {
                    disposition =NSURLSessionAuthChallengeUseCredential;
                } else {
                    disposition =NSURLSessionAuthChallengePerformDefaultHandling;
                }
            } else {
                disposition = NSURLSessionAuthChallengeCancelAuthenticationChallenge;
            }
        } else {

            SecIdentityRef identity = NULL;
            SecTrustRef trust = NULL;
            NSString *p12Str = [[NSBundle mainBundle] pathForResource:@"p12证书" ofType:@"p12"];;
            NSData *PKCS12Data = [NSData dataWithContentsOfFile:p12Str];
            if ([[weakSelf class] extractIdentity:&identity andTrust:&trust fromPKCS12Data:PKCS12Data]){
                SecCertificateRef caRef = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)PKCS12Data);
                
                SecIdentityCopyCertificate(identity, &caRef);
                
                const void*certs[] = {caRef};
                CFArrayRef certArray =CFArrayCreate(kCFAllocatorDefault, certs,1,NULL);
                credential =[NSURLCredential credentialWithIdentity:identity certificates:(__bridge  NSArray*)certArray persistence:NSURLCredentialPersistencePermanent];
                disposition =NSURLSessionAuthChallengeUseCredential;
                
            }
        }
        *_credential = credential;
        return disposition;
    }];
    
    return _manager;

}

#pragma ---mark daili
+(BOOL)extractIdentity:(SecIdentityRef*)outIdentity andTrust:(SecTrustRef *)outTrust fromPKCS12Data:(NSData *)inPKCS12Data {
    OSStatus securityError = errSecSuccess;
    //client certificate password
    NSDictionary*optionsDictionary = [NSDictionary dictionaryWithObject:@"p12Pwd"
                                                                 forKey:(__bridge id)kSecImportExportPassphrase];
    
    CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
    securityError = SecPKCS12Import((__bridge CFDataRef)inPKCS12Data,(__bridge CFDictionaryRef)optionsDictionary,&items);
    
    if(securityError == 0) {
        CFDictionaryRef myIdentityAndTrust =CFArrayGetValueAtIndex(items,0);
        const void*tempIdentity =NULL;
        tempIdentity= CFDictionaryGetValue (myIdentityAndTrust,kSecImportItemIdentity);
        *outIdentity = (SecIdentityRef)tempIdentity;
        const void*tempTrust =NULL;
        tempTrust = CFDictionaryGetValue(myIdentityAndTrust,kSecImportItemTrust);
        *outTrust = (SecTrustRef)tempTrust;
    } else {
        NSLog(@"Failedwith error code %d",(int)securityError);
        return NO;
    }
    return YES;
}

ViewController.m

//单向认证
- (IBAction)signalSSLRequest:(id)sender {
    //访问服务器的参数
    
    NSDictionary *parameter = [NSDictionary dictionaryWithObjectsAndKeys:
                         @"libai",@"username",nil];
    //请求地址
    NSString *url = @"https://xxx";
    [[HttpsManager SignalSSL] POST:url parameters:parameter progress:nil success:^(NSURLSessionDataTask * _Nonnull task, id  _Nullable responseObject) {
        NSDictionary *dic = [NSJSONSerialization JSONObjectWithData:responseObject options:NSJSONReadingMutableContainers error:nil];
        NSLog(@"errMessage = %@",dic);
    } failure:^(NSURLSessionDataTask * _Nullable task, NSError * _Nonnull error) {
        NSLog(@"错误Error: %@", error);
    }];
}
//双向认证
- (IBAction)DualSSLRequest:(id)sender {
    NSDictionary *parameter = @{@"name":@"libai"};
    NSString *url = @"https://xxx";
    [[HttpsManager DualSSL] POST:url parameters:parameter progress:nil success:^(NSURLSessionDataTask * _Nonnull task, id  _Nullable responseObject) {
        NSDictionary *dic = [NSJSONSerialization JSONObjectWithData:responseObject options:NSJSONReadingMutableContainers error:nil];
        NSLog(@"errMessage = %@",dic);
    } failure:^(NSURLSessionDataTask * _Nullable task, NSError * _Nonnull error) {
        NSLog(@"错误Error: %@", error);
    }];
}

你可能感兴趣的:(HTTPS双向认证(AFNetworking 3.0))