gpt4 book ai didi

ios - 带客户端身份验证的 GCDAsyncSocket

转载 作者:可可西里 更新时间:2023-11-01 03:32:05 43 4
gpt4 key购买 nike

我一直在使用CocoaAsyncSocket在没有 SSL 的情况下将数据发送到我们的服务器。现在服务器端已经实现了带有客户端身份验证的 SSL/TLS。为了在我们的应用程序中实现这一点,我获得了以下三个文件:

  1. ca-chain.cert.pem
  2. 客户端测试.cert.pem
  3. 客户端测试.key.pem

我将文件转换为 iOS 可读格式,如下所示:

  1. ca-chain.cert.pem 到 ca-cert.cer
  2. client-test.cert.pem 到 client_cert.cer
  3. client-test.key.pem 到 client_key.p12

我已经让它工作到 SSL。但是在客户端身份验证方面遇到了麻烦。

这是我的代码:

didConnectToHost:

- (void)socket:(GCDAsyncSocket *)sock didConnectToHost:(NSString *)host port:(uint16_t)port;
{
// Configure SSL/TLS settings

NSMutableDictionary *settings = [NSMutableDictionary dictionaryWithCapacity:3];

// Allow self-signed certificates
CFArrayRef certsArray = [self loadCertificates];
[settings setObject:@0 forKey:GCDAsyncSocketSSLProtocolVersionMax];
[settings setObject:[NSNumber numberWithBool:YES] forKey:GCDAsyncSocketManuallyEvaluateTrust];
[settings setObject:(id)CFBridgingRelease(certsArray) forKey:GCDAsyncSocketSSLCertificates];
[sock startTLS:settings];
}

didReceiveTrust:

- (void)socket:(GCDAsyncSocket *)sock didReceiveTrust:(SecTrustRef)trust completionHandler:(void (^)(BOOL shouldTrustPeer))completionHandler {
NSString *caCertPath = [[NSBundle mainBundle] pathForResource:@"ca-cert" ofType:@"cer"];
NSData *caCertData = [NSData dataWithContentsOfFile:caCertPath];

NSString *clientCertPath = [[NSBundle mainBundle] pathForResource:@"client_cert" ofType:@"cer"];
NSData *clientCertData = [NSData dataWithContentsOfFile:clientCertPath];

OSStatus status = -1;
SecTrustResultType result = kSecTrustResultDeny;

if(caCertData && clientCertData)
{
SecCertificateRef cert1;
cert1 = SecCertificateCreateWithData(NULL, (__bridge CFDataRef) caCertData);

SecCertificateRef cert2;
cert2 = SecCertificateCreateWithData(NULL, (__bridge CFDataRef) clientCertData);

const void *ref[] = {cert1,cert2};
CFArrayRef ary = CFArrayCreate(NULL, ref, 2, NULL);

SecTrustSetAnchorCertificates(trust, ary);

status = SecTrustEvaluate(trust, &result);
}
else
{
NSLog(@"local certificates could not be loaded");
completionHandler(NO);
}

if ((status == noErr && (result == kSecTrustResultProceed || result == kSecTrustResultUnspecified)))
{
completionHandler(YES);
}
else
{
CFArrayRef arrayRefTrust = SecTrustCopyProperties(trust);
NSLog(@"error in connection occured\n%@", arrayRefTrust);

completionHandler(NO);
}
}

加载证书:

-(CFArrayRef) loadCertificates
{
NSString *clientKeyPath = [[NSBundle mainBundle] pathForResource:@"client_key" ofType:@"p12"];
NSData* clientKeyData = [NSData dataWithContentsOfFile:clientKeyPath];
NSLog(@"key : %@",[[NSString alloc] initWithData:clientKeyData encoding:NSASCIIStringEncoding]);

CFDataRef inPKCS12Data = (CFDataRef)CFBridgingRetain(clientKeyData);
CFStringRef password = CFSTR("_mypassword_");
const void *keys[] = { kSecImportExportPassphrase };
const void *values[] = { password };
CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);

CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);

OSStatus securityError = SecPKCS12Import(inPKCS12Data, options, &items);
CFRelease(options);
CFRelease(password);

if(securityError == errSecSuccess)
NSLog(@"Success opening p12 certificate.");

CFDictionaryRef identityDict = CFArrayGetValueAtIndex(items, 0);
SecIdentityRef myIdent = (SecIdentityRef)CFDictionaryGetValue(identityDict,
kSecImportItemIdentity);


NSString *clientCertPath = [[NSBundle mainBundle] pathForResource:@"client_cert" ofType:@"cer"];
NSData *clientCertData = [NSData dataWithContentsOfFile:clientCertPath];

SecCertificateRef clientCert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef) clientCertData);

//SecIdentityRef certArray[1] = { myIdent };

const void *ref[] = {myIdent, clientCert};
CFArrayRef myCerts = CFArrayCreate(NULL, ref, 2, NULL);



// NSString *caCertPath = [[NSBundle mainBundle] pathForResource:@"ca-cert" ofType:@"cer"];
// NSData *caCertData = [NSData dataWithContentsOfFile:caCertPath];
//
// SecCertificateRef caCert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef) caCertData);
//
// const void *ref[] = {clientCert, myIdent, caCert};
// CFArrayRef myCerts = CFArrayCreate(NULL, ref, 3, NULL);


return myCerts;
}

我已经为客户端身份验证苦苦挣扎了两天。我现在收到此错误:

2017-03-13 15:35:40.777 MPS[79612:1478858] GCDAsyncSocket socketDidDisconnect Error - Error Domain=kCFStreamErrorDomainSSL Code=-9806 "(null)" UserInfo={NSLocalizedRecoverySuggestion=Error code definition can be found in Apple's SecureTransport.h}

我读到 CocoaAyncSocket 库在使用手动信任评估的客户端身份验证方面存在问题。我尝试了这里提到的解决方法:Support for client side authentication with manual trust evaluation仍然没有运气。我找不到我丢失的东西。

提前致谢!-乌玛

最佳答案

代码一切正常。我希望这可以帮助寻找答案的人。然而,问题在于文件转换。当我使用从另一个人那里转换后的文件时,它起作用了。

关于ios - 带客户端身份验证的 GCDAsyncSocket,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/42773518/

43 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com