本篇文章为项目需求调研时所写demo中的部分代码讲解。由于项目需求,访问服务是https的,并且使用的是TLS加密方式。
关于https和ssl的原理,请到此处阅读HTTPS与SSL(一) 这篇文章!
下面说明使用MKNetworkit网络库实现的代码:
- (void)testClientCertificate { SecIdentityRef identity = NULL; SecTrustRef trust = NULL; NSString *p12 = [[NSBundle mainBundle] pathForResource:@"testClient" ofType:@"p12"]; NSData *PKCS12Data = [NSData dataWithContentsOfFile:p12]; [[self class] extractIdentity:&identity andTrust:&trust fromPKCS12Data:PKCS12Data]; NSString *url = @"https://218.244.131.231/ManicureShop/api/order/pay/%@"; NSDictionary *dic = @{@"request" : @{ @"orderNo" : @"1409282102222110030643", @"type" : @(2) } }; _signString = nil; NSData *postData = [NSJSONSerialization dataWithJSONObject:dic options:NSJSONWritingPrettyPrinted error:nil]; NSString *sign = [self signWithSignKey:@"test" params:dic]; NSMutableData *body = [postData mutableCopy]; NSLog(@"%@", [[NSString alloc] initWithData:body encoding:NSUTF8StringEncoding]); url = [NSString stringWithFormat:url, sign]; MKNetworkEngine *engine = [[MKNetworkEngine alloc] initWithHostName:@"218.244.131.231"]; NSString *path = [NSString stringWithFormat:@"/ManicureShop/api/order/pay/%@", sign]; MKNetworkOperation *op = [engine operationWithPath:path params:dic httpMethod:@"POST" ssl:YES]; op.postDataEncoding = MKNKPostDataEncodingTypeJSON; // 传JOSN // 这个是app bundle 路径下的自签证书 op.clientCertificate = [[[NSBundle mainBundle] resourcePath] stringByAppendingPathComponent:@"testClient.p12"]; // 这个是自签证书的密码 op.clientCertificatePassword = @"testHttps"; // 由于自签名的证书是需要忽略的,所以这里需要设置为YES,表示允许 op.shouldContinueWithInvalidCertificate = YES; [op addCompletionHandler:^(MKNetworkOperation *completedOperation) { NSLog(@"%@", completedOperation.responseJSON); } errorHandler:^(MKNetworkOperation *completedOperation, NSError *error) { NSLog(@"%@", [error description]); }]; [engine enqueueOperation:op]; return; } // 下面这段代码是提取和校验证书的数据的 + (BOOL)extractIdentity:(SecIdentityRef *)outIdentity andTrust:(SecTrustRef*)outTrust fromPKCS12Data:(NSData *)inPKCS12Data { OSStatus securityError = errSecSuccess; // 证书密钥 NSDictionary *optionsDictionary = @{@"testHttps": (__bridge id)kSecImportExportPassphrase}; CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL); securityError = SecPKCS12Import((__bridge CFDataRef)inPKCS12Data, (__bridge CFDictionaryRef)optionsDictionary, &items); if (securityError == 0) { CFDictionaryRef myIdentityAndTrust = CFArrayGetValueAtIndex (items, 0); const void *tempIdentity = NULL; tempIdentity = CFDictionaryGetValue (myIdentityAndTrust, kSecImportItemIdentity); *outIdentity = (SecIdentityRef)tempIdentity; const void *tempTrust = NULL; tempTrust = CFDictionaryGetValue (myIdentityAndTrust, kSecImportItemTrust); *outTrust = (SecTrustRef)tempTrust; } else { NSLog(@"Failed with error code %d",(int)securityError); return NO; } return YES; }
下面说明一下使用AFNetworking网络库访问的方式:
- (void)testClientCertificate { SecIdentityRef identity = NULL; SecTrustRef trust = NULL; NSString *p12 = [[NSBundle mainBundle] pathForResource:@"testClient" ofType:@"p12"]; NSData *PKCS12Data = [NSData dataWithContentsOfFile:p12]; [[self class] extractIdentity:&identity andTrust:&trust fromPKCS12Data:PKCS12Data]; NSString *url = @"https://218.244.131.231/ManicureShop/api/order/pay/%@"; NSDictionary *dic = @{@"request" : @{ @"orderNo" : @"1409282102222110030643", @"type" : @(2) } }; _signString = nil; NSData *postData = [NSJSONSerialization dataWithJSONObject:dic options:NSJSONWritingPrettyPrinted error:nil]; NSString *sign = [self signWithSignKey:@"test" params:dic]; NSMutableData *body = [postData mutableCopy]; NSLog(@"%@", [[NSString alloc] initWithData:body encoding:NSUTF8StringEncoding]); url = [NSString stringWithFormat:url, sign]; AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager]; manager.requestSerializer = [AFJSONRequestSerializer serializer]; manager.responseSerializer = [AFJSONResponseSerializer serializer]; [manager.requestSerializer setValue:@"application/json" forHTTPHeaderField:@"Accept"]; [manager.requestSerializer setValue:@"application/json" forHTTPHeaderField:@"Content-Type"]; manager.responseSerializer.acceptableContentTypes = [NSSet setWithArray:@[@"application/json", @"text/plain"]]; manager.securityPolicy = [self customSecurityPolicy]; [manager POST:url parameters:dic success:^(AFHTTPRequestOperation *operation, id responseObject) { NSLog(@"JSON: %@", responseObject); } failure:^(AFHTTPRequestOperation *operation, NSError *error) { NSLog(@"Error: %@", error); }]; } // 下面这段代码是处理SSL安全性问题的: /**** SSL Pinning ****/ - (AFSecurityPolicy*)customSecurityPolicy { NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"testClient" ofType:@"cer"]; NSData *certData = [NSData dataWithContentsOfFile:cerPath]; AFSecurityPolicy *securityPolicy = [AFSecurityPolicy defaultPolicy]; [securityPolicy setAllowInvalidCertificates:YES]; [securityPolicy setPinnedCertificates:@[certData]]; [securityPolicy setSSLPinningMode:AFSSLPinningModeCertificate]; /**** SSL Pinning ****/ return securityPolicy; }
为了实现访问https tls加密方式,我也费了不少时间来查,这里写下此文章,希望对大家有用!
下面是几个问题是笔者的CSDN博客上朋友们提出的部分问题,笔者在这里可以回答这几个问题。
请注意,这里的signWithSignKey
只是一个加密算法,关于加密的算法,通常是前端与后端要采用统一的加密规则来实现的,因此大家不要想着让我把这个加密算法扔给你们就可以的。
解决办法:找到你们的后端开发人员,协调加密算法,写出伪代码,然后苹果、安卓和后台三端按照伪代码实现出自己的加密算法。
后台给你的不是p12
证书就是cer
证书,直接放到工程里面就可以了,然后引进工程中。引入正确才能读取下内容。
不用担心安全的问题,因此这个证书只是我们前端为了检验而已,而服务端还会再验证的。
承接:ThinkPHP项目开发、网站项目开发、微信项目开发、微信小程序项目开发、App开发,欢迎联系标哥QQ632840804