我们试图在企业iOS应用程序中使用客户端SSL证书进行用户身份验证.
>我们可以在服务器上生成客户端ssl证书
>用户可以通过.mobileconfig安装
> Safari中的Web服务器的认证与安装的证书一起使用.
>从iOS应用程序内部发出http请求失败(不使用证书).
我们如何让这个工作?谢谢!
解决方法
概述:
您已在设备钥匙串上安装了客户端SSL证书.
Safari.app和Mail.app可以访问这个钥匙串,而iOS应用没有.
原因是我们开发的应用程序是沙盒,在非越狱设备中没有任何访问权限.
随着safari访问它,连接和认证服务器的挑战没有任何麻烦.
解:
将导出的P12文件与App捆绑在一起,并引用它来查找服务器正在查找的正确的客户端证书.它实际上是一种解决方法.硬编码是获取P12文件的可靠方法.
执行:
在NSURLConenction委托中的方法是willSendRequestForAuthenticationChallenge.您需要考虑NSURLAuthenticationMethodClientCertificate挑战类型,以处理服务器挑战.这是我们实现了从嵌入式P12文件中提取正确的证书身份的魔力的地方.代码如下
- - (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
- if ([challenge prevIoUsFailureCount] > 0) {
- //this will cause an authentication failure
- [[challenge sender] cancelAuthenticationChallenge:challenge];
- NSLog(@"Bad Username Or Password");
- return;
- }
- //this is checking the server certificate
- if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
- SecTrustResultType result;
- //This takes the serverTrust object and checkes it against your keychain
- SecTrustEvaluate(challenge.protectionSpace.serverTrust,&result);
- //if we want to ignore invalid server for certificates,we just accept the server
- if (kSPAllowInvalidServerCertificates) {
- [challenge.sender useCredential:[NSURLCredential credentialForTrust: challenge.protectionSpace.serverTrust] forAuthenticationChallenge: challenge];
- return;
- } else if(result == kSecTrustResultProceed || result == kSecTrustResultConfirm || result == kSecTrustResultUnspecified) {
- //When testing this against a trusted server I got kSecTrustResultUnspecified every time. But the other two match the description of a trusted server
- [challenge.sender useCredential:[NSURLCredential credentialForTrust: challenge.protectionSpace.serverTrust] forAuthenticationChallenge: challenge];
- return;
- }
- } else if ([[challenge protectionSpace] authenticationMethod] == NSURLAuthenticationMethodClientCertificate) {
- //this handles authenticating the client certificate
- /*
- What we need to do here is get the certificate and an an identity so we can do this:
- NSURLCredential *credential = [NSURLCredential credentialWithIdentity:identity certificates:myCerts persistence:NSURLCredentialPersistencePermanent];
- [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
- It's easy to load the certificate using the code in -installCertificate
- It's more difficult to get the identity.
- We can get it from a .p12 file,but you need a passphrase:
- */
- NSString *p12Path = [[BundleManager bundleForCurrentSkin] pathForResource:kP12FileName ofType:@"p12"];
- NSData *p12Data = [[NSData alloc] initWithContentsOfFile:p12Path];
- CFStringRef password = CFSTR("PASSWORD");
- const void *keys[] = { kSecImportExportPassphrase };
- const void *values[] = { password };
- CFDictionaryRef optionsDictionary = CFDictionaryCreate(NULL,keys,values,1,NULL,NULL);
- CFArrayRef p12Items;
- OSStatus result = SecPKCS12Import((CFDataRef)p12Data,optionsDictionary,&p12Items);
- if(result == noErr) {
- CFDictionaryRef identityDict = CFArrayGetValueAtIndex(p12Items,0);
- SecIdentityRef identityApp =(SecIdentityRef)CFDictionaryGetValue(identityDict,kSecImportItemIdentity);
- SecCertificateRef certRef;
- SecIdentityCopyCertificate(identityApp,&certRef);
- SecCertificateRef certArray[1] = { certRef };
- CFArrayRef myCerts = CFArrayCreate(NULL,(void *)certArray,NULL);
- CFRelease(certRef);
- NSURLCredential *credential = [NSURLCredential credentialWithIdentity:identityApp certificates:(NSArray *)myCerts persistence:NSURLCredentialPersistencePermanent];
- CFRelease(myCerts);
- [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
- }
- } else if ([[challenge protectionSpace] authenticationMethod] == NSURLAuthenticationMethodDefault || [[challenge protectionSpace] authenticationMethod] == NSURLAuthenticationMethodNTLM) {
- // For normal authentication based on username and password. This could be NTLM or Default.
- DAVCredentials *cred = _parentSession.credentials;
- NSURLCredential *credential = [NSURLCredential credentialWithUser:cred.username password:cred.password persistence:NSURLCredentialPersistenceForSession];
- [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
- } else {
- //If everything fails,we cancel the challenge.
- [[challenge sender] cancelAuthenticationChallenge:challenge];
- }
- }
希望这可以帮助
