[英]SSL Pinning with AFNetworking 3.0
I am using AFNetworking 3.0 . 我正在使用AFNetworking 3.0 。 I have webserver with a https certificate which is signed by Global Sign. 我的Web服务器带有由Global Sign签名的https证书。 I want to add Certificate pinning to my iOS app. 我想将证书固定添加到我的iOS应用程序。 My code as below: 我的代码如下:
- (AFSecurityPolicy*)customSecurityPolicy{
AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone];
NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"cer"];
NSData *certData = [NSData dataWithContentsOfFile:cerPath];
[securityPolicy setAllowInvalidCertificates:NO];
[securityPolicy setValidatesDomainName:YES];
//securityPolicy.validatesCertificateChain = NO;
[securityPolicy setPinnedCertificates:[NSKeyedUnarchiver unarchiveObjectWithData:certData]];
return securityPolicy;
}
My client code: 我的客户代码:
NSString *url = SERVER_URL;
AFHTTPSessionManager *manager = [AFHTTPSessionManager manager];
manager.responseSerializer.acceptableContentTypes = [NSSet setWithObject:@"application/json"];
manager.securityPolicy = [utils customSecurityPolicy];
[manager GET:url parameters:nil progress:nil success:^(NSURLSessionTask *task, id responseObject) {
NSLog(@"JSON: %@", responseObject);
} failure:^(NSURLSessionTask *operation, NSError *error) {
NSLog(@"Error: %@", error);
}];
We use burp suite for the man-in-the-middle proxy, we are able to interrupt the request and monitor the contents of the request. 我们使用burp套件作为中间人代理,我们能够中断请求并监视请求的内容。
So, How can I implement certificate pinning properly? 那么,如何正确实施证书固定?
This is valid question that lies outside AFNetworking, the only things you find is the way on which library you are using implements curl --cacert
operation. 这是AFNetworking之外的一个有效问题,您发现的唯一问题就是您使用的库实现curl --cacert
操作的方式。
In the specific case of AFNetworking , I have this situation: 在AFNetworking的特定情况下,我有这种情况:
let sessionManager = AFHTTPSessionManager()
sessionManager.responseSerializer = AFJSONResponseSerializer()
sessionManager.requestSerializer = AFJSONRequestSerializer()
let configuration = ServiceConfiguration.sharedInstance.configuration
if let policy = configuration?.getSecurityPolicy()?.policy() as? AFSecurityPolicy {
sessionManager.securityPolicy = policy
}
Method getSecurityPolicy
returns an optional object of RequestSecurityPolicy
(that is a protocol). 方法getSecurityPolicy
返回RequestSecurityPolicy
的可选对象(即协议)。
To make an AFSecurityPolicy I have: 要制定AFSecurityPolicy,我需要:
import AFNetworking
class SSLPinningPolicy: NSObject, RequestSecurityPolicy {
// MARK: - Private properties -
private var certificatesDictionary: [String: Data] = [:]
// MARK: - Initilizers -
init(certicatePaths: [String]) {
super.init()
for path in certicatePaths {
if let certPath = Bundle.main.path(forResource: path, ofType: "der") {
let url = URL(fileURLWithPath: certPath)
do {
let data = try Data(contentsOf: url)
self.certificatesDictionary[path] = data
} catch {
}
}
}
}
// MARK: - RequestSecurityPolicy delegates -
func policy() -> AnyObject {
let policy = AFSecurityPolicy(pinningMode: .certificate)
policy.allowInvalidCertificates = true
policy.pinnedCertificates = self.certificates()
return policy
}
func certificates() -> Set<Data> {
return Set(self.certificatesDictionary.map { $0.value })
}
}
Plus 加
In order to convert my certificate from .pem
to .der
you can simply use openssl from your shell: 为了将我的证书从.pem
转换为.der
您可以简单地在shell中使用openssl :
openssl x509 -outform der -in MyCertificate.pem -out MyCertificate.der
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.