iOS內建認證，校正https請求

標籤：.com   cfa   ios   root   請求   pre   sel   tty   設定ip   

有些情況處於安全的考慮需要https請求，但是為了防止網域名稱解析很多情況下會使用IP進行訪問。一般的服務不會針對IP去申請認證，所以我們可以自己實現ssl登入過程，保證請求的安全性。

一.首先需要自己本地產生ssl認證以及搭建一個本地服務

Mac apache本地配置ssl認證 及 iOS OTA部署： http://www.jianshu.com/p/bd016015efe7

產生的crt轉換成cer的方法

openssl x509 -in test.crt -out test.cer -outform der

二.實現代碼

初始化NSURLSession，將認證匯入對應的xcode項目中

NSURLSessionConfiguration *configuration = [NSURLSessionConfiguration ephemeralSessionConfiguration];configuration.requestCachePolicy = NSURLRequestReloadIgnoringLocalCacheData;configuration.timeoutIntervalForRequest = 120;NSURLSession *session = [NSURLSession sessionWithConfiguration:configuration                                                 delegate:self                                            delegateQueue:[[NSOperationQueue alloc] init]];

產生的ssl認證需要設定ip，而且校正的時候也會去校正這個ip。但是更多情況下是不去校正這個ip的，因為代碼內部可能只有一個認證，但是服務可能會有多套部署，如果去校正ip，會限制服務的擴充（很多項目都會做自己的DNS策略，ip經常會改變）。

- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential * _Nullable credential))completionHandler{    NSString *host = challenge.protectionSpace.host;    BOOL isIp = [self _isIp:host];    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {        if (isIp) {            // Get            NSData *certData =[NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"server" ofType:@"cer"]];            if (certData) {                SecTrustRef trust = [[challenge protectionSpace] serverTrust];                                NSMutableArray *policies = [NSMutableArray array];
　　　　　　　　　 //如果需要校正IP，需要把下面的注釋開啟，把下面X509這段代碼注釋掉
　　　　　　　　　 //[policies addObject:(__bridge_transfer id)SecPolicyCreateSSL(true, (__bridge CFStringRef)domain)];                [policies addObject:(__bridge_transfer id)SecPolicyCreateBasicX509()];                SecTrustSetPolicies(trust, (__bridge CFArrayRef)policies);                                SecCertificateRef rootcert = SecCertificateCreateWithData(kCFAllocatorDefault,CFBridgingRetain(certData));                const void *array[1] = { rootcert };                CFArrayRef certs = CFArrayCreate(NULL, array, 1, &kCFTypeArrayCallBacks);                int err;                SecTrustResultType trustResult = 0;                err = SecTrustSetAnchorCertificates(trust, certs);                if (err == noErr) {                    err = SecTrustEvaluate(trust,&trustResult);                }                BOOL trusted = (err == noErr) && ((trustResult == kSecTrustResultProceed) || (trustResult == kSecTrustResultUnspecified));                if (!trusted) {                    NSURLCredential *credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] ;                    completionHandler(NSURLSessionAuthChallengeUseCredential, credential);                } else {                    //如果校正失敗了，就校正一下認證資料，一般不建議走這段邏輯，因為不能夠保證服務是否安全                    NSMutableArray *pinnedCertificates = [NSMutableArray array];                    [pinnedCertificates addObject:(__bridge_transfer id)SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData)];                    SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)pinnedCertificates);                                        NSArray *serverCertificates = [self _certificateTrustChainForServerTrust:trust];                                        for (NSData *trustChainCertificate in [serverCertificates reverseObjectEnumerator]) {                        if ([certData isEqualToData:trustChainCertificate]) {                            NSURLCredential *credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] ;                            completionHandler(NSURLSessionAuthChallengeUseCredential, credential);                        }                    }                }            }        } else {            NSURLCredential *credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];            completionHandler(NSURLSessionAuthChallengeUseCredential, credential);        }    }}- (BOOL)_isIp:(NSString*)aHost{    NSString *regex = @"((2[0-4]\\d|25[0-5]|[01]?\\d\\d?)\\.){3}(2[0-4]\\d|25[0-5]|[01]?\\d\\d?)";    NSPredicate *pred = [NSPredicate predicateWithFormat:@"SELF MATCHES %@", regex];        return [pred evaluateWithObject:aHost];}- (NSArray *)_certificateTrustChainForServerTrust:(SecTrustRef)serverTrust{    CFIndex certificateCount = SecTrustGetCertificateCount(serverTrust);    NSMutableArray *trustChain = [NSMutableArray arrayWithCapacity:(NSUInteger)certificateCount];        for (CFIndex i = 0; i < certificateCount; i++) {        SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, i);        [trustChain addObject:(__bridge_transfer NSData *)SecCertificateCopyData(certificate)];    }        return [NSArray arrayWithArray:trustChain];}

https請求構建

    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://127.0.0.1:443/index.html"]];        NSURLSessionDataTask *task = [_session dataTaskWithRequest:request completionHandler:^(NSData * _Nullable data, NSURLResponse * _Nullable response, NSError * _Nullable error) {        completionHandler(((NSHTTPURLResponse*)response).statusCode, data ? [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding] : nil, error);    }];        [task resume];

網上的例子有很多，但是很多沒有考慮不校正IP的情境。希望本文能夠給大家一個參考

iOS內建認證，校正https請求