信任用於HTTPS連接的自簽名證書

Question

我正在使用連接服務器的Swift創建一個iOS應用。 這是我用來上傳圖片的代碼：

public class SendImages: NSObject,NSURLConnectionDelegate {

    var user = UserInfo?()
    var url = String?()
    var urladditional = String?()
    var sendImages: NSURLConnection = NSURLConnection()
    var my_data:NSMutableData? = nil
    var statusCode: NSInteger? = nil
    public var delegate = SendImagesInterface?()

    init(url: String) {       
        self.url = url
    }

    public func send(images_to_data: NSMutableArray ,user: UserInfo) {

        var error : NSError?
        var data_to_send : NSData = NSJSONSerialization.dataWithJSONObject(jsontoSend,
            options: NSJSONWritingOptions(0), error: &error)!

        var completeURL: AnyObject? = AnyObject?()
        completeURL = NSURL(string: (self.url)!+(self.urladditional)!)

        let cachePolicy = NSURLRequestCachePolicy.ReloadIgnoringLocalCacheData
        var request = NSMutableURLRequest(URL: completeURL as NSURL, cachePolicy: cachePolicy, timeoutInterval: 30.0)
        request.HTTPMethod = "POST"
        request.HTTPBody = data_to_send

        sendImages = NSURLConnection(request: request, delegate: self)!
        self.my_data = NSMutableData()
    }

    func connection(connection: NSURLConnection!, didFailWithError error: NSError!) {
        println("Error to connect with URL")
        self.my_data = nil
    }

    func connection(connection: NSURLConnection!, didReceiveData data: NSData!) {
        println("Receiving data")
        self.my_data!.appendData(data)
    }

    func connection(connection: NSURLConnection, didReceiveResponse response: NSURLResponse) {            
        println("Receiving response headers")
        var httpResponse = response as NSHTTPURLResponse
        statusCode = httpResponse.statusCode
    }

    func connectionDidFinishLoading(connection: NSURLConnection!){
        println("Conexion finished")
    }
}

現在，為了增強安全性，我想使用HTTPS連接。 我該如何實現？ 我有一個.der格式的證書，我認為這是iOS使用的證書。

Answer 1

您需要做的是使用NSURLCredential響應URLSession(_:didReceiveChallenge:completionHandler:)委托調用。

基本步驟是：

1. 將捆綁包中的證書加載到CFDataRef 。
2. 從NSURLCredential所需的證書中提取身份。
3. 將提取的身份與SecIdentityCopyCertificate一起使用以創建SecCertificateRef 。
4. 使用init(identity:certificates:persistence:)創建NSURLCredential

此示例顯示如何提取從捆綁軟件加載的證書的身份和信任：

struct IdentityAndTrust {        
    var identity:SecIdentityRef
    var trust:SecTrustRef
}

func extractIdentity(certData:NSData, certPassword:String) -> IdentityAndTrust {

    var identityAndTrust:IdentityAndTrust!
    var securityError:OSStatus = errSecSuccess;

    var items:Unmanaged<CFArray>?
    var certOptions:CFDictionary = [ kSecImportExportPassphrase.takeRetainedValue() as String: certPassword ];
    securityError = SecPKCS12Import(certData, certOptions, &items);

    if securityError == 0 {

        let certItems:CFArray = items?.takeUnretainedValue() as CFArray!;
        let certItemsArray:Array = certItems as Array
        let dict:AnyObject? = certItemsArray.first;

        if let certEntry:Dictionary = dict as? Dictionary<String, AnyObject> {
            let identityPointer:AnyObject? = certEntry["identity"];
            let secIdentityRef:SecIdentityRef = identityPointer as SecIdentityRef!;

            let trustPointer:AnyObject? = certEntry["trust"];
            let trustRef:SecTrustRef = trustPointer as SecTrustRef;

            identityAndTrust = IdentityAndTrust(identity: secIdentityRef, trust: trustRef);
        }
    } 

    return identityAndTrust;
}

---

您需要牢記一些事情，最重要的是證書可以過期。 您應該意識到，有時可能必須更改證書，因此從一開始就為可能發生的情況做准備。 此外，與NSURLConnection NSURLSession ，您應該更喜歡NSURLSession ，因為在每個版本中，不贊成使用的方法越來越多。

您可以在此處找到一些有關如何處理證書和信任的示例。