信任用于HTTPS连接的自签名证书

Question

我正在使用连接服务器的Swift创建一个iOS应用。 这是我用来上传图片的代码：

public class SendImages: NSObject,NSURLConnectionDelegate {

    var user = UserInfo?()
    var url = String?()
    var urladditional = String?()
    var sendImages: NSURLConnection = NSURLConnection()
    var my_data:NSMutableData? = nil
    var statusCode: NSInteger? = nil
    public var delegate = SendImagesInterface?()

    init(url: String) {       
        self.url = url
    }

    public func send(images_to_data: NSMutableArray ,user: UserInfo) {

        var error : NSError?
        var data_to_send : NSData = NSJSONSerialization.dataWithJSONObject(jsontoSend,
            options: NSJSONWritingOptions(0), error: &error)!

        var completeURL: AnyObject? = AnyObject?()
        completeURL = NSURL(string: (self.url)!+(self.urladditional)!)

        let cachePolicy = NSURLRequestCachePolicy.ReloadIgnoringLocalCacheData
        var request = NSMutableURLRequest(URL: completeURL as NSURL, cachePolicy: cachePolicy, timeoutInterval: 30.0)
        request.HTTPMethod = "POST"
        request.HTTPBody = data_to_send

        sendImages = NSURLConnection(request: request, delegate: self)!
        self.my_data = NSMutableData()
    }

    func connection(connection: NSURLConnection!, didFailWithError error: NSError!) {
        println("Error to connect with URL")
        self.my_data = nil
    }

    func connection(connection: NSURLConnection!, didReceiveData data: NSData!) {
        println("Receiving data")
        self.my_data!.appendData(data)
    }

    func connection(connection: NSURLConnection, didReceiveResponse response: NSURLResponse) {            
        println("Receiving response headers")
        var httpResponse = response as NSHTTPURLResponse
        statusCode = httpResponse.statusCode
    }

    func connectionDidFinishLoading(connection: NSURLConnection!){
        println("Conexion finished")
    }
}

现在，为了增强安全性，我想使用HTTPS连接。 我该如何实现？ 我有一个.der格式的证书，我认为这是iOS使用的证书。

Answer 1

您需要做的是使用NSURLCredential响应URLSession(_:didReceiveChallenge:completionHandler:)委托调用。

基本步骤是：

1. 将捆绑包中的证书加载到CFDataRef 。
2. 从NSURLCredential所需的证书中提取身份。
3. 将提取的身份与SecIdentityCopyCertificate一起使用以创建SecCertificateRef 。
4. 使用init(identity:certificates:persistence:)创建NSURLCredential

此示例显示如何提取从捆绑软件加载的证书的身份和信任：

struct IdentityAndTrust {        
    var identity:SecIdentityRef
    var trust:SecTrustRef
}

func extractIdentity(certData:NSData, certPassword:String) -> IdentityAndTrust {

    var identityAndTrust:IdentityAndTrust!
    var securityError:OSStatus = errSecSuccess;

    var items:Unmanaged<CFArray>?
    var certOptions:CFDictionary = [ kSecImportExportPassphrase.takeRetainedValue() as String: certPassword ];
    securityError = SecPKCS12Import(certData, certOptions, &items);

    if securityError == 0 {

        let certItems:CFArray = items?.takeUnretainedValue() as CFArray!;
        let certItemsArray:Array = certItems as Array
        let dict:AnyObject? = certItemsArray.first;

        if let certEntry:Dictionary = dict as? Dictionary<String, AnyObject> {
            let identityPointer:AnyObject? = certEntry["identity"];
            let secIdentityRef:SecIdentityRef = identityPointer as SecIdentityRef!;

            let trustPointer:AnyObject? = certEntry["trust"];
            let trustRef:SecTrustRef = trustPointer as SecTrustRef;

            identityAndTrust = IdentityAndTrust(identity: secIdentityRef, trust: trustRef);
        }
    } 

    return identityAndTrust;
}

---

您需要牢记一些事情，最重要的是证书可以过期。 您应该意识到，有时可能必须更改证书，因此从一开始就为可能发生的情况做准备。 此外，与NSURLConnection NSURLSession ，您应该更喜欢NSURLSession ，因为在每个版本中，不赞成使用的方法越来越多。

您可以在此处找到一些有关如何处理证书和信任的示例。