Certificate pinning in Alamofire


Question

I am creating an iPad app that accesses HTTPS web services. I want to implement pinning, but am having issues.

This class creates the Alamofire Manager (mostly taken from documentation):

import Alamofire

class NetworkManager {

    var manager: Manager?

    init() {
        let serverTrustPolicies: [String: ServerTrustPolicy] = [
            "www.google.co.uk": .PinCertificates(
                certificates: ServerTrustPolicy.certificatesInBundle(),
                validateCertificateChain: true,
                validateHost: true
            ),
            "insecure.expired-apis.com": .DisableEvaluation
        ]

        manager = Alamofire.Manager(
            configuration: NSURLSessionConfiguration.defaultSessionConfiguration(),
            serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
        )
    }
}

This function makes the call:

static let networkManager = NetworkManager()

public static func testPinning() {
    networkManager.manager!.request(.GET, "https://www.google.co.uk").response { response in
        if response.1 != nil {
            print("Success")
            print(response.1)
            print(response.1?.statusCode)
        } else {
            print("Error")
            print(response.3)
        }
    }
}

The certificate is saved in the project and shows under 'Targets > Build Phases > Copy Bundle Resources'.

I am currently receiving the following error every time I make the request (from the else block in testPinning()):

Optional(Error Domain=NSURLErrorDomain Code=-999 "cancelled" UserInfo={NSErrorFailingURLKey=https://www.google.co.uk/, NSLocalizedDescription=cancelled, NSErrorFailingURLStringKey=https://www.google.co.uk/})


Recommended answer

So, the issue was that the certificate was saved in the wrong format.

ServerTrustPolicy.certificatesInBundle() finds all certificates in the bundle based on a list of extensions, then tries to load them using SecCertificateCreateWithData. Per its documentation, this function:

Returns NULL if the data passed in the data parameter is not a valid DER-encoded X.509 certificate

When you export a certificate in Firefox, you have a "format" pop-up at the bottom of the file browser. Select "X.509 Certificate (DER)", and you should get a certificate in the right format for this purpose.
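
A way to check the format of a certificate file before it is added to the bundle, as an added example that is not part of the original answer: it tells PEM from DER and converts PEM to DER. The function names are hypothetical, the sample bytes are constructed, and the DER check covers only the outer SEQUENCE framing, not full X.509 validity.

```python
import ssl
import sys

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def der_outer_length(data):
    """Total size declared by the outer DER SEQUENCE header, or None."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                          # short-form length
        return 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:  # indefinite length or truncated
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify(data):
    """Return 'pem', 'der' or 'unknown' for the raw bytes of a certificate file."""
    if data.lstrip().startswith(PEM_HEADER):
        return "pem"
    if der_outer_length(data) == len(data):
        return "der"
    return "unknown"

def to_der(data):
    """Return DER bytes for a PEM or DER input; raise ValueError otherwise."""
    kind = classify(data)
    if kind == "der":
        return data
    if kind == "pem":
        der = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
        if der_outer_length(der) != len(der):
            raise ValueError("PEM body is not a single DER object")
        return der
    raise ValueError("neither PEM nor DER")

# Constructed sample: a SEQUENCE header declaring 256 content bytes plus filler.
# It has DER framing only and is not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify(fh.read()))
```

Run as a script, it prints the detected format of each file path given on the command line.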
