SSL Pinning with AFNetworking 3.0
Question
I am using AFNetworking 3.0 . I have webserver with a https certificate which is signed by Global Sign. I want to add Certificate pinning to my iOS app. My code as below:
- (AFSecurityPolicy*)customSecurityPolicy{
AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone];
NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"cer"];
NSData *certData = [NSData dataWithContentsOfFile:cerPath];
[securityPolicy setAllowInvalidCertificates:NO];
[securityPolicy setValidatesDomainName:YES];
//securityPolicy.validatesCertificateChain = NO;
[securityPolicy setPinnedCertificates:[NSKeyedUnarchiver unarchiveObjectWithData:certData]];
return securityPolicy;
}
My client code:
NSString *url = SERVER_URL;
AFHTTPSessionManager *manager = [AFHTTPSessionManager manager];
manager.responseSerializer.acceptableContentTypes = [NSSet setWithObject:@"application/json"];
manager.securityPolicy = [utils customSecurityPolicy];
[manager GET:url parameters:nil progress:nil success:^(NSURLSessionTask *task, id responseObject) {
NSLog(@"JSON: %@", responseObject);
} failure:^(NSURLSessionTask *operation, NSError *error) {
NSLog(@"Error: %@", error);
}];
We use burp suite for the man-in-the-middle proxy, we are able to interrupt the request and monitor the contents of the request.
So, How can I implement certificate pinning properly?
1 answers
solution1
2 2017-04-20 08:58:51
This is valid question that lies outside AFNetworking, the only things you find is the way on which library you are using implements curl --cacert operation.
In the specific case of AFNetworking , I have this situation:
let sessionManager = AFHTTPSessionManager()
sessionManager.responseSerializer = AFJSONResponseSerializer()
sessionManager.requestSerializer = AFJSONRequestSerializer()
let configuration = ServiceConfiguration.sharedInstance.configuration
if let policy = configuration?.getSecurityPolicy()?.policy() as? AFSecurityPolicy {
sessionManager.securityPolicy = policy
}
Method getSecurityPolicy returns an optional object of RequestSecurityPolicy (that is a protocol).
To make an AFSecurityPolicy I have:
import AFNetworking
class SSLPinningPolicy: NSObject, RequestSecurityPolicy {
// MARK: - Private properties -
private var certificatesDictionary: [String: Data] = [:]
// MARK: - Initilizers -
init(certicatePaths: [String]) {
super.init()
for path in certicatePaths {
if let certPath = Bundle.main.path(forResource: path, ofType: "der") {
let url = URL(fileURLWithPath: certPath)
do {
let data = try Data(contentsOf: url)
self.certificatesDictionary[path] = data
} catch {
}
}
}
}
// MARK: - RequestSecurityPolicy delegates -
func policy() -> AnyObject {
let policy = AFSecurityPolicy(pinningMode: .certificate)
policy.allowInvalidCertificates = true
policy.pinnedCertificates = self.certificates()
return policy
}
func certificates() -> Set<Data> {
return Set(self.certificatesDictionary.map { $0.value })
}
}
Plus
In order to convert my certificate from .pem to .der you can simply use openssl from your shell:
openssl x509 -outform der -in MyCertificate.pem -out MyCertificate.der
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.