IOS verification of the HTTPS certificate chain

HTTPS is the same as HTTP from the perspective of final data parsing. HTTPS puts the HTTP protocol packets into the SSL/TSL layer and encrypts the IP datagram in the TCP/IP layer to ensure the security of the transmitted data, and for the receiving end, after the packets received by SSL/TSL are decrypted, the data is passed to the HTTP protocol layer.

The SSL/TSL consists of four handshakes, mainly exchanging three messages:

1. Digital certificates;

2. three random numbers;

3. Encrypt the communication protocol.

The communication process is as follows:

Digital certificates

The certificate is usually sent to the client by the server, the receiver verifies whether the certificate is issued by a trusted CA, or is relative to the local certificate, to determine if the certificate is trustworthy, and if two-way authentication is required, both the server and the client need to send a digital certificate to the other party for verification.

The generation of a digital certificate is hierarchical, from the leaf node certificate to the root certificate layer (expiration, signature, and so on), when it encounters the root certificate, it is found in the list of trusted certificates as a trusted anchor, then validation passes. For example, in the keychain you can see that the certificate that a brokerage company applies to is not in the list of trusted certificates in the system.

The following is a brief description of the contents of the digital certificate as a representative of the certificate in a Wave SDK:

Certificate Fields	Certificate Description
Issuer Name	Information about the entity that publishes and signs the certificate
Serial number	Digital Certificate Authority (Certificate Authority, CA) give the certificate a unique integer, a digital certificate a serial number
Subject Name	Information that is used to identify the digital certificate
Public key Information	Publicly available key information
Signature	Data obtained after the certificate content is computed using the signature algorithm to verify that the certificate has been tampered with

Three random numbers

These three random numbers form the "conversation key" that is used to decrypt the data for symmetric encryption during subsequent communication. First the client first sends the first random number N1, then the server returns the second random number N2 (this process simultaneously sends the digital certificate to the client), both of which are plaintext, and the third random number N3, the client uses the public key of the digital certificate for asymmetric encryption, to the server , and the server decrypts the third random number with a private key that only it knows. After both the server and the client have three random number n1+n2+n3, the two ends use these three random numbers to generate a "conversation key", after which the communication uses this "conversation key" for symmetric and decryption.

Encrypted communication protocol

The two sides discussed which encryption method to use, if the two supported encryption method does not match, then cannot communicate. Because this process, the server's private key is only used to decrypt the third random number, never transmitted in the network, as long as the private key is not compromised, then the data is safe.

Below is the main introduction of nsurlconnection support HTTPS implementation of the certificate as a trusted anchor code application.

Sdwebimagedownloaderoperation

(void)connection:(nsurlconnection *)connection Willsendrequestforauthenticationchallenge:(nsurlauthenticationchallenge *)Challenge {

The way to secure space through Challenge.protectionSpace.authenticationMethod requires our certification

if ([Challenge. Protectionspace. Authenticationmethod isequaltostring:nsurlauthenticationmethodservertrust]) {

if (! (self. ) Options & sdwebimagedownloaderallowinvalidsslcertificates) &&

[Challenge. Sender Respondstoselector:@selector(performdefaulthandlingforauthenticationchallenge :)]) {

[Challenge. Sender Performdefaulthandlingforauthenticationchallenge:challenge];

} else {

nsurlcredential *Credential = [nsurlcredential credentialfortrust:challenge. Protectionspace. Servertrust];

[[Challenge Sender] usecredential:credential Forauthenticationchallenge:challenge];

}

} else {

if ([Challenge previousfailurecount] = = 0) {

if (self. Credential) {

[[Challenge Sender] usecredential:self. Credential forauthenticationchallenge:challenge];

} else {

[[Challenge Sender] continuewithoutcredentialforauthenticationchallenge: Challenge];

}

} else {

[[Challenge Sender] continuewithoutcredentialforauthenticationchallenge: Challenge];

}

}

}

Stockpromotionviewcontroller used in WebView

- (BOOL)webView:(UIWebView *)webView shouldstartloadwithrequest: (nsurlrequest *)request Navigationtype:(uiwebviewnavigationtype) navigationtype

{

nsstring* Scheme = [[request URL] scheme];

//Determine if HTTPS is not

if ([scheme isequaltostring:@"https"])

{

if (self. authed)

{

return YES;

}

nsurlconnection* conn = [[nsurlconnection alloc] initwithrequest: [nsurlrequest requestwithurl:request. URL] delegate:self];

[conn start];

[webView stoploading];

return NO;

}

return YES;

}

- (void)connection:(nsurlconnection *)connection Willsendrequestforauthenticationchallenge:(nsurlauthenticationchallenge *)Challenge

{

if ([Challenge previousfailurecount]= = 0)

{

self. authed = YES;

//nsurlcredential This class is an immutable object that represents an authentication credential. The actual type of the credential declares the constructor of the class to determine. The callback will receive a challenge

nsurlcredential* cre = [nsurlcredential credentialfortrust:Challenge . protectionspace. Servertrust];

[Challenge. Sender usecredential:cre forauthenticationchallenge:challenge];

}

}

- (nsurlrequest *)connection:(nsurlconnection *)connection Willsendrequest:(nsurlrequest *)request Redirectresponse:( Nsurlresponse *)response

{

return request;

}

- (void)connection:(nsurlconnection *)connection Didreceiveresponse :(nsurlresponse *)response

{

self. authed = YES;

//webview Reload Request.

[self. WebView loadrequest:[nsurlrequest requestwithurl:connection. Currentrequest. URL]];

[connection cancel];

}

IOS verification of the HTTPS certificate chain