iOS客户端https连接双向认证

从iOS10开始，必须强制使用https,利用系统自带的NSURLSession网络请求，设置代理

如果是https连接，会调用一下代理，允许所有请求

- (void)URLSession:(NSURLSession*)session task:(NSURLSessionTask*)task didReceiveChallenge:(NSURLAuthenticationChallenge*)challenge completionHandler:(void(^)(NSURLSessionAuthChallengeDisposition,NSURLCredential*_Nullable))completionHandler {

NSURLCredential*credential = [NSURLCredentialcredentialForTrust:challenge.protectionSpace.serverTrust];

completionHandler(NSURLSessionAuthChallengeUseCredential, credential);

}

以上是允许所有请求，这样做比较危险，中间人可以截取请求信息，下面做身份验证，服务器要配置SSL连接,创建证书参考:mac上apache创建服务器与iOS的双向认证证书，把服务器证书server.cer 和 客户端证书client.p12导入到项目

// 收到身份验证
- (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential * _Nullable))completionHandler {
    
    NSURLProtectionSpace *space = [challenge protectionSpace];
    NSString *host = space.host;
    NSLog(@"host:%@,",host);
    
    BOOL receivesCredentialSecurely = space.receivesCredentialSecurely;
    NSLog(@"iScreadentialSecurely:%@",@(receivesCredentialSecurely));
    
    NSString *authenticationMethod = space.authenticationMethod;
    NSLog(@"authenticationMethod:%@",authenticationMethod);
    
    NSString *protocol = space.protocol;
    NSLog(@"protocol:%@",protocol);
    
    NSInteger port = space.port;
    NSLog(@"port:%@",@(port));
    
    SecTrustRef trus = space.serverTrust;
    NSLog(@"trus:%@",trus);
    
    // 如果服务器主机是192.168.1.122才验证
    if([host isEqualToString:@"192.168.1.122"] && receivesCredentialSecurely) {
        // 认证方法：客户端认证
        if ([authenticationMethod isEqualToString:@"NSURLAuthenticationMethodClientCertificate"] ) {
            NSString *p12Path = [[NSBundle mainBundle] pathForResource:@"client" ofType:@"p12"];
            NSData * p12Data = [NSData dataWithContentsOfFile:p12Path];
            
            [self authClientCerData:p12Data cerPass:@"123456" space:space success:^(NSURLCredential *credential) {
                completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
            } failure:^(NSString *errorMsg) {
                // 验证失败
                NSLog(@"errorMsg = %@",errorMsg);
                completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge,nil);
            }];
            
            
            
            //验证服务器证书------------------------------------------
        } else if([authenticationMethod isEqualToString:@"NSURLAuthenticationMethodServerTrust"]) {
            
            NSString *path = [[NSBundle mainBundle] pathForResource:@"server_client.cer" ofType:nil];
            NSData *cerData = [[NSData alloc] initWithContentsOfFile:path];
            [self authServerCerData:cerData space:space success:^{
                // 验证成功
                NSURLCredential *credential = [NSURLCredential credentialForTrust:space.serverTrust];
                completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
            } failure:^(NSString *errorMsg) {
                // 验证失败
                NSLog(@"errorMsg = %@",errorMsg);
                completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge,nil);
            }];
        } else {
           // 其他服务器连接取消连接
            completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge,nil);
        }
    }
}

客户端验证服务器证书具体步骤

// 认证服务器证书
-(void)authServerCerData:(NSData *)cerData space:(NSURLProtectionSpace *)space success:(void(^)())success failure:(void(^)(NSString *errorMsg))failure {
    if(![space.authenticationMethod isEqualToString:@"NSURLAuthenticationMethodServerTrust"]) {
        if (failure) {
            failure([[NSString alloc] initWithFormat:@"服务器认证方法不为'NSURLAuthenticationMethodServerTrust',authenticationMethod='%@'",space.authenticationMethod]);
        }
        
        return;
    }
    SecTrustRef serverTrust = space.serverTrust;
    if(serverTrust == nil) {
        if (failure) {
            failure(@"space.serverTurst == nil");
        }
        
        return;
    }
    
    // 读取证书
    if (cerData == nil) {
        if (failure) {
            failure(@"证书数据为空");
        }
        
        return;
    }
    
    SecCertificateRef cerRef = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)cerData);
    if(cerRef == nil) {
        if (failure) {
            failure(@"不能读取证书信息,请检查证书名称");
        }
        
        return;
    }
    
    NSArray *caArray = @[(__bridge id)cerRef];
     //将读取的证书设置为服务端帧数的根证书
    OSStatus status = SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)caArray);
    if(!(status == errSecSuccess)) {
        if (failure) {
            failure([[NSString alloc] initWithFormat:@"设置为服务端帧数的根证书失败,status=%@",@(status)]);
        }
        
        return;
    }
    
    SecTrustResultType result = -1;
    //验证服务器的证书是否可信(有可能通过联网验证证书颁发机构)
    status = SecTrustEvaluate(serverTrust, &result);
    if(!(status == errSecSuccess)) {
        if (failure) {
            failure([[NSString alloc] initWithFormat:@"服务器证书验证失败,status=%@",@(status)]);
        }
        
        return;
    }
    // result返回结果,是否信任
    BOOL allowConnect = ((result == kSecTrustResultUnspecified) || (result == kSecTrustResultProceed));
    if(!allowConnect) {
        if (failure) {
            failure(@"不是信任的连接");
        }
         
        return;
    }
    // 全部通过验证
    if (success) {
        success();
    }  
}

服务器认证客户端证书

// 服务器认证客户端证书
-(void)authClientCerData:(NSData *)cerData cerPass:(NSString *)pass space:(NSURLProtectionSpace *)space success:(void(^)(NSURLCredential *credential))success failure:(void(^)(NSString *errorMsg))failure {
    if(![space.authenticationMethod isEqualToString:@"NSURLAuthenticationMethodClientCertificate"]) {
        failure([[NSString alloc] initWithFormat:@"服务器认证方法不为'NSURLAuthenticationMethodClientCertificate',authenticationMethod='%@'",space.authenticationMethod]);
        return;
    }

    // 读取证书
    if (cerData == nil) {
        if (failure) {
            failure(@"证书数据为空");
        }
        
        return;
    }
    
    CFDataRef inPKCS12Data = (__bridge CFDataRef)cerData;
    
    SecIdentityRef identity = NULL;
    
    OSStatus status = [self extractIdentity:inPKCS12Data identity:&identity pass:pass];
    if(status != 0 || identity == NULL) {
        if(failure) {
            failure([[NSString alloc] initWithFormat:@"提取身份失败,status=%@",@(status)]);
        }
        return;

    }
    
    SecCertificateRef certificate = NULL;
    SecIdentityCopyCertificate (identity, &certificate);
    const void *certs[] = {certificate};
    CFArrayRef arrayOfCerts = CFArrayCreate(kCFAllocatorDefault, certs, 1, NULL);
    
    // NSURLCredentialPersistenceForSession:创建URL证书,在会话期间有效
    NSURLCredential *credential = [NSURLCredential credentialWithIdentity:identity certificates:(__bridge NSArray*)arrayOfCerts persistence:NSURLCredentialPersistenceForSession];
    if (success) {
        success(credential);
    }
    
    if(certificate) {
        CFRelease(certificate);
    }
    
    if (arrayOfCerts) {
        CFRelease(arrayOfCerts);
        
    }
    return;
}

// 提取身份identity
- (OSStatus)extractIdentity:(CFDataRef)inP12Data identity:(SecIdentityRef*)identity pass:(NSString *)pass {
    
    CFStringRef password = (__bridge CFStringRef)(pass);//证书密码
    const void *keys[] = { kSecImportExportPassphrase };
    const void *values[] = { password };
    
    CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
    
    CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
    OSStatus securityError = SecPKCS12Import(inP12Data, options, &items);
    if (securityError == 0)
    {
        CFDictionaryRef ident = CFArrayGetValueAtIndex(items,0);
        const void *tempIdentity = NULL;
        tempIdentity = CFDictionaryGetValue(ident, kSecImportItemIdentity);
        *identity = (SecIdentityRef)tempIdentity;
    }
    
    if (options) {
        CFRelease(options);
    }
    
    return securityError;
}