iOS-Network-Https

參考文章:
http://www.ruanyifeng.com/blog/2014/02/ssl_tls.html
http://www.ruanyifeng.com/blog/2014/09/illustration-ssl.html
http://www.itdecent.cn/p/20d5fb4cd76d
雙向驗證:
http://blog.csdn.net/codingfire/article/details/53419521
http://m.ithao123.cn/content-10472230.html
OpenSSL:
https://www.openssl.org/docs/man1.0.2/
http://shjia.blog.51cto.com/2476475/1427138

通篇看完覺得一張圖解釋Https很??。

注意:

  1. 證書和服務器需要滿足Requirements for Connecting Using ATS的條件。
  2. 保證1滿足。

NSURLConnection-兩種方式實現(xiàn) - 客戶端驗證服務器

其他的如NSURLSession 調(diào)用方式和位置不同,原理一樣

- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSLog(@"authenticatemethod:%@",challenge.protectionSpace.authenticationMethod);
    BOOL userJustCheckCertificateSame = NO;
    {
        if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        NSMutableArray *certificates = [NSMutableArray array];
        NSData*caCert =[NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"new_cacert" ofType:@"cer"]];
        NSData*serverCert =[NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"new_server" ofType:@"cer"]];
        if (userJustCheckCertificateSame) {
            [certificates addObject:caCert];
            [certificates addObject:serverCert];
            [self serverTrustjustCheckCertificateSame:challenge pinCertificates:certificates];
        }else{
            SecCertificateRef caCertRef = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)caCert);
            SecCertificateRef serverCertRef = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)serverCert);
            [certificates addObject:(__bridge_transfer id)caCertRef];
            [certificates addObject:(__bridge_transfer id)serverCertRef];
            [self serverTrustSystemMethod:challenge pinCertificates:certificates];
        }
            
        }else if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodClientCertificate]) {
            //暫時不做client 驗證
            [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
//            NSData*certData =[NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"old_client" ofType:@"cer"]];
//            [self addCertToKeychain:certData];
//            NSURLCredential *credential = [self getClientCertFromKeychain];
//            [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
        }else{
            [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
        }
    }
}

// 如果server 返回的證書鏈 里面有一個在local 證書集合里面,即可認為合法
- (void)serverTrustjustCheckCertificateSame:(NSURLAuthenticationChallenge *)challenge pinCertificates:(NSMutableArray *)pinCertificates{
    SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
    if ([self localCaInServerChainList:serverTrust pinCertificates:pinCertificates]) {
        NSURLCredential *cred = [NSURLCredential credentialForTrust:serverTrust];
        [challenge.sender useCredential:cred forAuthenticationChallenge:challenge];
    }else{
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

- (BOOL)localCaInServerChainList:(SecTrustRef)serverTrust pinCertificates:(NSMutableArray *)pinCertificates{
    CFIndex certificateCount = SecTrustGetCertificateCount(serverTrust);
    for (CFIndex i = 0; i < certificateCount; i++) {
        SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, i);
        NSData *trustChainCertificate = (__bridge_transfer NSData *)SecCertificateCopyData(certificate);
        if ([pinCertificates containsObject:trustChainCertificate]) {
            return YES;
        }
    }
    return NO;
}

// 調(diào)用系統(tǒng)方法
- (void)serverTrustSystemMethod:(NSURLAuthenticationChallenge *)challenge pinCertificates:(NSMutableArray *)pinCertificates{
    //1)獲取trust object
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    SecTrustResultType result;
    
    NSMutableArray *policies = [NSMutableArray array];
    // BasicX509 不驗證域名是否相同(我們用的IP)
    SecPolicyRef policy = SecPolicyCreateBasicX509();
    [policies addObject:(__bridge_transfer id)policy];
    SecTrustSetPolicies(trust, (__bridge CFArrayRef)policies);
    
    //注意:添加自己的證書作為可信列表
    SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)pinCertificates);
    
    //禁用系統(tǒng)可信列表
    //SecTrustSetAnchorCertificatesOnly(trust, false);
    
    //2)SecTrustEvaluate會查找前面SecTrustSetAnchorCertificates設置的證書或者系統(tǒng)默認提供的證書,對trust進行驗證
    OSStatus status = SecTrustEvaluate(trust, &result);
    if (status == errSecSuccess &&
        (result == kSecTrustResultProceed ||
         result == kSecTrustResultUnspecified))
    {
        //3)驗證成功,生成NSURLCredential憑證cred,告知challenge的sender使用這個憑證來繼續(xù)連接
        NSURLCredential *cred = [NSURLCredential credentialForTrust:trust];
        [challenge.sender useCredential:cred forAuthenticationChallenge:challenge];
    } else {
        //5)驗證失敗,取消這次驗證流程
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

NSURLConnection -服務器驗證客戶端

所有參考鏈接:
http://www.cnblogs.com/qiyer/p/4871421.html
http://m.ithao123.cn/content-10472230.html
http://oncenote.com/2014/10/21/Security-1-HTTPS/
http://oncenote.com/2015/09/16/Security-2-HTTPS2/#verify_safely
http://www.cnblogs.com/interdrp/p/4881116.html
http://www.cnblogs.com/pixy/p/4722381.html
http://www.cnblogs.com/JeffreySun/archive/2010/06/24/1627247.html
http://www.itdecent.cn/p/2927ca2b3719
http://www.ruanyifeng.com/blog/2014/09/illustration-ssl.html
http://www.ruanyifeng.com/blog/2014/02/ssl_tls.html
https://zh.wikipedia.org/wiki/%E8%BF%AA%E8%8F%B2-%E8%B5%AB%E7%88%BE%E6%9B%BC%E5%AF%86%E9%91%B0%E4%BA%A4%E6%8F%9B
http://www.cnblogs.com/oc-bowen/p/5896041.html
http://www.cnblogs.com/jukan/p/5527922.html
http://www.cnblogs.com/guogangj/p/4118605.html
http://blog.csdn.net/linda1000/article/details/8676330
http://blog.sina.com.cn/s/blog_a9303fd90101jmtx.html
https://tools.ietf.org/html/rfc5246#section-7.3
https://developer.apple.com/library/prerelease/content/documentation/Security/Conceptual/CertKeyTrustProgGuide/revisionHistory.html#//apple_ref/doc/uid/TP40001358-CH206-TPXREF101
https://developer.apple.com/library/prerelease/content/technotes/tn2326/_index.html
https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW57
https://developer.apple.com/library/content/documentation/Security/Conceptual/CertKeyTrustProgGuide/revisionHistory/revisionHistory.html#//apple_ref/doc/uid/TP40001358-CH206-TPXREF101
https://developer.apple.com/library/content/technotes/tn2232/_index.html#//apple_ref/doc/uid/DTS40012884-CH1-SECBASICTRUSTCUSTOMIZATION
http://www.itdecent.cn/p/2542c95fb023
http://www.cnblogs.com/longshiyVip/p/5080917.html
http://www.itdecent.cn/p/e767a4e9252e
http://www.cnblogs.com/hyddd/archive/2009/01/07/1371292.html
https://developer.apple.com/library/content/qa/qa1727/_index.html
https://developer.apple.com/reference/security

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時請結(jié)合常識與多方信息審慎甄別。
平臺聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點,簡書系信息發(fā)布平臺,僅提供信息存儲服務。

相關(guān)閱讀更多精彩內(nèi)容

  • 10點半睡,6點半起,2+6.5=8.5小時有核心技術(shù)的人,才能活到最后。 iOS 閱讀整理在sourcetree...
    士夢閱讀 3,141評論 0 18
  • 前端知識體系http://www.cnblogs.com/sb19871023/p/3894452.html 前端...
    秋風喵閱讀 12,738評論 7 163
  • 一層一層把地基搭好,現(xiàn)在終于可以把商品拿出來show了。顧客買東西,解決的就是信任和價值。展示商品就是像顧客...
    上帝愛非洲閱讀 433評論 2 3
  • 面試的時候,是自尊和自傲遭到碾壓和粉碎最徹底的時候。面試官的一個個問題,尖銳到像一把針,毫不避諱的刺過你的心臟,刺...
    小沙發(fā)閱讀 427評論 0 0
  • 被游戲帶上分感動 就很開心 沒有說晚安 但也沒差 有一個小尷尬 還好沒在意 確認之后是了解 沒關(guān)系的 我先藏著...
    藍桉_嶼閱讀 242評論 0 0

友情鏈接更多精彩內(nèi)容