如何为要在iOS应用程序包中使用的AFNetworking创建.cer文件 [英] How to create .cer file for AFNetworking to be used in iOS app bundle

问题描述

我一直在网上看到.cer文件是什么以及如何生成文件的脱节帐户，以便应用程序可以通过https与服务器正确通信。

I keep seeing disjointed accounts all over the web of what the .cer file is and how to generate it so that the app can properly communicate with the server via https.

引用此源，一个人说：

1）现在，您需要在软件包中包含.cer文件，以获取链中所有证书。因此，至少必须存在两个证书文件（您的证书和根CA）。在我们的情况下，我们还需要一个中间产品。

1) You now need .cer files in your bundle for all certificates in the chain. So, at least, two certificate files must be present (your certificate and the root CA). In our case, we needed an intermediate as well.

2）这些证书必须按特定顺序排列。具体来说，用于固定与您通信的主机的证书必须首先在固定证书/密钥列表中。其余的顺序看起来并不重要。这是因为AFSecurityPolicy使用数组中的第一个对象来验证主机名。

2) These certificates must be in a particular order. Specifically, the certificate that certifies the host that you are communicating with must be first in the list of pinned certificates/keys. It doesn't look like the order of the rest of them matter. This is because AFSecurityPolicy uses the first object in the array to validate the host name.

3）如果您正在与根域进行通信，则主机验证将对通配符证书失败。例如，考虑指向* .foo.com的证书。如果您正在与foo.com通信，则主机检查将失败，因为主机组件计数将不匹配。我知道需要进行这种早期优化，但是在达到专门处理通配符域的逻辑之前，它就失败了。

3) The host validation fails for wildcard certificates if you are communicating with the root domain. For example, consider a certificate pointed at *.foo.com. If you are communicating with foo.com, the host check will fail because the host component counts will not match. I understand the need for this early optimization, but it fails before it even reaches the logic that specifically handles wildcard domains.

官方文档支持在此处。

我想为了生成此文件，必须按特定顺序将其整个证书链的内容放入一个.cer文件中。我记得在某处看到过此消息，但似乎找不到它。

I suppose that in order to generate this, one must cat the contents of their whole cert chain into a .cer file in a specific order. I remember seeing this posted somewhere, but can't seem to find it.

问题是，为AFNetworking创建.cer文件的可靠方法是什么？

The question is, what is the undebatable method of creating a .cer file for AFNetworking?

更新：

经过更多研究，在我看来，您只是简单地使用.crt文件并对它执行此操作：

After more research, it seems to me that you simply take the .crt file and perform this on it:

openssl x509 -in www.mydomain.com.crt -out www.mydomain.com.cer -outform der

但是，即使执行了此操作并将.cer附加到我的应用程序捆绑包中，我仍然在这里出现错误：

However, even after doing this and attaching the .cer to my app bundle, I get an error here:

+ (NSArray *)pinnedPublicKeys {
    static NSArray *_pinnedPublicKeys = nil;
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        NSArray *pinnedCertificates = [self pinnedCertificates];
        NSMutableArray *publicKeys = [NSMutableArray arrayWithCapacity:[pinnedCertificates count]];

    for (NSData *data in pinnedCertificates) {
        SecCertificateRef allowedCertificate = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)data);
        NSParameterAssert(allowedCertificate);

错误出现在最后一行，我想在上一行尝试分配 allowedCertificate ， SecCertificateCreateWithData 具有以下描述：

The error comes in at the last line. I suppose that in the preceding line where it attempts to assign an allowedCertificate, SecCertificateCreateWithData has the following description:

/*!
    @function SecCertificateCreateWithData
    @abstract Create a certificate given it's DER representation as a CFData.
    @param allocator CFAllocator to allocate the certificate with.
    @param certificate DER encoded X.509 certificate.
    @result Return NULL if the passed-in data is not a valid DER-encoded
    X.509 certificate, return a SecCertificateRef otherwise.
*/

很明显，它返回NULL，但我不知道为什么。我的特定证书格式正确。但是，我确实注意到在 pinnedCertificates 数组中还有其他证书，但是我不知道从何处获取它们。我似乎也找不到或打印出来。据我所知，我在应用程序捆绑包中只有一个，但似乎显示的更多。

Clearly it is returning a NULL, but I don't know why. My specific certificate is in the correct format. However, I did notice that there were other 'certificates' in the pinnedCertificates array, but I have no idea where it is getting them. Nor can I seem to find them or print them out. As far as I know, I only have the one in the app bundle, but it seems to show more than that.

最后一行中的assert产生的错误是：

The error generated from the assert on the last line is:

***由于未捕获的异常'NSInternalInconsistencyException'而终止应用程序，原因：'无效的参数不令人满意：allowedCertificate'

推荐答案

假设您正在使用AFNetworking 2.5，请执行以下步骤：

Assuming you are using AFNetworking 2.5 the steps described below:

• 在服务器上安装有效证书



• 创建.cer文件 openssl x509 -in www_yourdomain_com.crt -out www_yourdomain_com.cer -outform der

将.cer文件添加到应用项目。重要提示：切勿在项目中添加私钥！！！

Add .cer file to app project. IMPORTANT: Never add private key to your project!!!

设置AFNetworking安全策略

Setup AFNetworking secure policy

- (AFSecurityPolicy *)securityPolicy {
   AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
   [securityPolicy setAllowInvalidCertificates:NO];
   [securityPolicy setValidatesDomainName:YES];
   return securityPolicy;
}

在拨打网络电话时在网络管理器上设置策略

Set policy on network manager when making network call

 AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
 [manager setSecurityPolicy:[self securityPolicy]];

无需手动加载.cer文件，如果您使用 policyWithPinningMode：pinningMode 方法创建安全策略AFNetworking会自动将其固定。

There's no need to manually load .cer file, if you're using policyWithPinningMode:pinningMode method to create security policy AFNetworking automatically pins them.

这篇关于如何为要在iOS应用程序包中使用的AFNetworking创建.cer文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！