錯(cuò)誤1.png
相關(guān)鏈接:
關(guān)于ATS參數(shù):http://www.cnblogs.com/dahe007/p/6093874.html
ATS介紹官方文檔:https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html
ATS審核問題:https://yq.aliyun.com/articles/62563
1.拿到后臺(tái)人員給到的域名后 首先查看能否通過ATS驗(yàn)證
-》1.打開終端 輸入命令 nscurl --ats-diagnostics --verbose 你的域名
例1:nscurl --ats-diagnostics --verbose https://www.baidu.com 查看百度的 部分打印結(jié)果
1.png
仔細(xì)觀察 就是系統(tǒng)在做一系列測(cè)試 看在不同的ATS參數(shù)下 結(jié)果是什么 pass or fail
例2:nscurl --ats-diagnostics --verbose https://mu.simochina.com
設(shè)置了NSAllowsArbitraryLoads = true 通過了.png
設(shè)置最小適配TLS到1.2 也是ios要求的 結(jié)果FAIL.png
設(shè)置最小適配TLS到1.0 也是現(xiàn)在用的比較多的 結(jié)果pass 通過了.png
中間還有很多測(cè)試 這是最后的能pass的配置 然后直接復(fù)制了過去 能正常請(qǐng)求到服務(wù)器了.png
2.拿到后臺(tái)人員給到的 .crt證書 轉(zhuǎn)成 .cer證書
->1. 終端命令
cd 到.crt證書 所在文件夾
然后輸入命令 openssl x509 -in 后臺(tái)給你的證書名.crt -out 轉(zhuǎn)化的證書名.cer -outform der
例:
cd /Users/myfile/Desktop/certificate
openssl x509 -in certificate.crt -out certificate.cer -outform der
->2.雙擊后臺(tái)給到的.crt證書 加入鑰匙串 然后從鑰匙串導(dǎo)出時(shí)選擇.cer
->3.根據(jù)域名自己生成一個(gè)單向驗(yàn)證的證書 終端命令
openssl s_client -connect https://你的域名:443 </dev/null 2>/dev/null | openssl x509 -outform DER > 證書名.cer
例:openssl s_client -connect https://baidu.com:443 </dev/null 2>/dev/null | openssl x509 -outform DER > myCertificate.cer
3.開始的錯(cuò)誤是在AFN中報(bào)出來的錯(cuò)誤 加入的證書無(wú)法進(jìn)行驗(yàn)證 加入驗(yàn)證 但是不執(zhí)行回調(diào) 后通過修改ATS參數(shù)獲得解決
我的ATS參數(shù)設(shè)置.png
關(guān)于AFN中https的驗(yàn)證,如下
//https相關(guān)設(shè)置
AFHTTPSessionManager *manager = [AFHTTPSessionManager manager];
//安全策略
[manager setSecurityPolicy:[self customSecurityPolicy]];
//證書校驗(yàn)
[self checkCredential:manager];
//安全策略
+ (AFSecurityPolicy*)customSecurityPolicy {
AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
//獲取證書路徑
NSString * cerPath = [[NSBundle mainBundle] pathForResource:@"myCertificate" ofType:@"cer"];
NSData *certData = [NSData dataWithContentsOfFile:cerPath];
NSSet *dataSet = [NSSet setWithArray:@[certData]];
[securityPolicy setAllowInvalidCertificates:YES];//是否允許使用自簽名證書
[securityPolicy setPinnedCertificates:dataSet];//設(shè)置去匹配服務(wù)端證書驗(yàn)證的證書
[securityPolicy setValidatesDomainName:NO];//是否需要驗(yàn)證域名,默認(rèn)YES
return securityPolicy;
}
//校驗(yàn)證書
+ (void)checkCredential:(AFURLSessionManager *)manager
{
[manager setSessionDidBecomeInvalidBlock:^(NSURLSession * _Nonnull session, NSError * _Nonnull error) {
NSLog(@"policy-%@",error);
}];
__weak typeof(manager)weakManager = manager;
[manager setSessionDidReceiveAuthenticationChallengeBlock:^NSURLSessionAuthChallengeDisposition(NSURLSession*session, NSURLAuthenticationChallenge *challenge, NSURLCredential *__autoreleasing*_credential) {
NSURLSessionAuthChallengeDisposition disposition = NSURLSessionAuthChallengePerformDefaultHandling;
__autoreleasing NSURLCredential *credential =nil;
NSLog(@"pwc -- authenticationMethod= %@",challenge.protectionSpace.authenticationMethod);
//判斷服務(wù)器要求客戶端的接收認(rèn)證挑戰(zhàn)方式择诈,如果是NSURLAuthenticationMethodServerTrust則表示去檢驗(yàn)服務(wù)端證書是否合法,NSURLAuthenticationMethodClientCertificate則表示需要將客戶端證書發(fā)送到服務(wù)端進(jìn)行檢驗(yàn)
if([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
// 基于客戶端的安全策略來決定是否信任該服務(wù)器锨侯,不信任的話湿酸,也就沒必要響應(yīng)挑戰(zhàn)
if([weakManager.securityPolicy evaluateServerTrust:challenge.protectionSpace.serverTrust forDomain:challenge.protectionSpace.host]) {
// 創(chuàng)建挑戰(zhàn)證書(注:挑戰(zhàn)方式為UseCredential和PerformDefaultHandling都需要新建挑戰(zhàn)證書)
credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];
// 確定挑戰(zhàn)的方式
if (credential) {
//證書挑戰(zhàn) 設(shè)計(jì)policy,none,則跑到這里
disposition = NSURLSessionAuthChallengeUseCredential;
} else {
disposition = NSURLSessionAuthChallengePerformDefaultHandling;
}
} else {
disposition = NSURLSessionAuthChallengeCancelAuthenticationChallenge;
}
} else { //只有雙向認(rèn)證才會(huì)走這里
// client authentication
SecIdentityRef identity = NULL;
SecTrustRef trust = NULL;
//客戶端證書路徑
NSString *p12 = [[NSBundle mainBundle] pathForResource:@"client" ofType:@"p12"];
NSFileManager *fileManager =[NSFileManager defaultManager];
if(![fileManager fileExistsAtPath:p12])
{
NSLog(@"client.p12:not exist");
}
else
{
//生成證書二進(jìn)制文件
NSData *PKCS12Data = [NSData dataWithContentsOfFile:p12];
if ([self extractIdentity:&identity andTrust:&trust fromPKCS12Data:PKCS12Data])
{
SecCertificateRef certificate = NULL;
SecIdentityCopyCertificate(identity, &certificate);
const void*certs[] = {certificate};
CFArrayRef certArray = CFArrayCreate(kCFAllocatorDefault, certs,1,NULL);
credential = [NSURLCredential credentialWithIdentity:identity certificates:(__bridge NSArray*)certArray persistence:NSURLCredentialPersistencePermanent];
// credential = [NSURLCredential credentialWithIdentity:identity certificates:nil persistence:NSURLCredentialPersistenceNone];
disposition =NSURLSessionAuthChallengeUseCredential;
if (certArray) {//釋放資源
CFRelease(certArray);
}
}
}
}
*_credential = credential;
return disposition;
}];
}
//讀取p12文件中的密碼
+ (BOOL)extractIdentity:(SecIdentityRef*)outIdentity andTrust:(SecTrustRef *)outTrust fromPKCS12Data:(NSData *)inPKCS12Data {
OSStatus securityError = errSecSuccess;
//client certificate password
NSDictionary *optionsDictionary = [NSDictionary dictionaryWithObject:@"123456" forKey:(__bridge id)kSecImportExportPassphrase];
CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
securityError = SecPKCS12Import((__bridge CFDataRef)inPKCS12Data,(__bridge CFDictionaryRef)optionsDictionary,&items);
if(securityError == 0) {
CFDictionaryRef myIdentityAndTrust =CFArrayGetValueAtIndex(items,0);
const void*tempIdentity =NULL;
tempIdentity= CFDictionaryGetValue (myIdentityAndTrust,kSecImportItemIdentity);
*outIdentity = (SecIdentityRef)tempIdentity;
const void*tempTrust =NULL;
tempTrust = CFDictionaryGetValue(myIdentityAndTrust,kSecImportItemTrust);
*outTrust = (SecTrustRef)tempTrust;
} else {
NSLog(@"Failedwith error code %d",(int)securityError);
return NO;
}
return YES;
}
相關(guān)鏈接 資料參考:
http://www.reibang.com/p/0109f45395e3
http://www.reibang.com/p/a84237b07611
http://www.reibang.com/p/36ddc5b009a7
http://www.reibang.com/p/1f426385ba53
