Alamofire without evaluation and with sending client certificate

心已入冬 提交于 2021-01-28 06:20:22

问题


Hello i am currently going crazy with alamofire :). What I'm trying to do is to disable evaluation because server has no valid SSL certificate but I have to connect by https and I have to send a x509 certificate made on IOS device by OpenSSL I am currently using alamofire 4 and I was trying to do:

open class CertTrustPolicyManager: ServerTrustPolicyManager {

    open override func serverTrustPolicy(forHost host: String) -> ServerTrustPolicy? {
    let policy = ServerTrustPolicy.disableEvaluation;

 //   let policy = ServerTrustPolicy.pinCertificates(certificates: [certificateToPin], validateCertificateChain: true, validateHost: false);

  //  var policy  = ServerTrustPolicy.pinCertificates(certificates: [certificateToPin], validateCertificateChain: false, validateHost: false);

return policy
}
    let trustPolicies = CertTrustPolicyManager(policies: [:])

    let alamofireManager:SessionManager = Alamofire.SessionManager(configuration: configuration, delegate: SessionDelegate(), serverTrustPolicyManager: trustPolicies)

also trying

var serverTrustPolicy:[String: ServerTrustPolicy] = [
    Router.baseURLString : .pinCertificates(
        certificates: [certificateToPin],
        validateCertificateChain: false,
        validateHost: false)

]


let alamofireManager:SessionManager = Alamofire.SessionManager(configuration: configuration, delegate: SessionDelegate(), serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicy))

First approach with let policy = ServerTrustPolicy.disableEvaluation; gave me successful connection but then I'm unable to pin certificate ( or I don't know how)

second approach produces and god knows whats next :)

2017-05-10 08:37:13.801894+0200 App[10117:1120893] [] nw_coretls_callback_handshake_message_block_invoke_3 tls_handshake_continue: [-9812]
2017-05-10 08:37:13.802 App[10117:1120907] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)

I don't even know if I'm sending it correctly.

any tips?

EDIT this made my connection good but I'm not sending certificate

 alamofireManager.delegate.sessionDidReceiveChallenge = { session, challenge in
            var disposition: URLSession.AuthChallengeDisposition = .performDefaultHandling
            var credential: URLCredential?

            if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust {
                disposition = URLSession.AuthChallengeDisposition.useCredential
                credential = URLCredential(trust: challenge.protectionSpace.serverTrust!)
            } else {
                if challenge.previousFailureCount > 0 {
                    disposition = .cancelAuthenticationChallenge
                } else {
                    credential = alamofireManager.session.configuration.urlCredentialStorage?.defaultCredential(for: challenge.protectionSpace)

                    if credential != nil {
                        disposition = .useCredential
                    }
                }
            }

            return (disposition, credential)
        }

Cheers


回答1:


Problem self solved.

now the answer for SENDING CLIENT SIDE CERTIFICATE maybe someone will need it :)

We need PKCS12 to send certificate so

import Foundation

public class PKCS12 {
    let label:String?
    let keyID:NSData?
    let trust:SecTrust?
    let certChain:[SecTrust]?
    let identity:SecIdentity?

    public init(PKCS12Data:NSData,password:String)
    {
        let importPasswordOption:NSDictionary = [kSecImportExportPassphrase as NSString:password]
        var items : CFArray?
        let secError:OSStatus = SecPKCS12Import(PKCS12Data, importPasswordOption, &items)

        guard secError == errSecSuccess else {
            if secError == errSecAuthFailed {
                NSLog("ERROR: SecPKCS12Import returned errSecAuthFailed. Incorrect password?")
            }
            fatalError("SecPKCS12Import returned an error trying to import PKCS12 data")
        }

        guard let theItemsCFArray = items else { fatalError()  }
        let theItemsNSArray:NSArray = theItemsCFArray as NSArray
        guard let dictArray = theItemsNSArray as? [[String:AnyObject]] else { fatalError() }

        func f<T>(key:CFString) -> T? {
            for d in dictArray {
                if let v = d[key as String] as? T {
                    return v
                }
            }
            return nil
        }

        self.label = f(key: kSecImportItemLabel)
        self.keyID = f(key: kSecImportItemKeyID)
        self.trust = f(key: kSecImportItemTrust)
        self.certChain = f(key: kSecImportItemCertChain)
        self.identity =  f(key: kSecImportItemIdentity)
    }
}

extension URLCredential {
    public convenience init?(PKCS12 thePKCS12:PKCS12) {
        if let identity = thePKCS12.identity {
            self.init(
                identity: identity,
                certificates: thePKCS12.certChain,
                persistence: URLCredential.Persistence.forSession)
        }
        else { return nil }
    }
}

we need x509 also to do PKCS12 I was in need of generating certificates dynamically so theres the code bridged from C

-(void) createX509{
    OPENSSL_init();

    NSString *docPath = [NSHomeDirectory() stringByAppendingPathComponent:@"Documents/cert"];
    NSString *docPathKey = [NSHomeDirectory() stringByAppendingPathComponent:@"Documents/key"];
    NSString *docPathp12 = [NSHomeDirectory() stringByAppendingPathComponent:@"Documents/p12"];


    NSString *dataFile = [NSString stringWithContentsOfFile:docPath
                                                   encoding:NSUTF8StringEncoding
                                                      error:NULL];

    FILE *fp = fopen(docPath.UTF8String, "r");

    if(fp == NULL){
        fp = fopen(docPath.UTF8String, "w+");
        FILE *fpKey = fopen(docPathKey.UTF8String, "w+");

    EVP_PKEY * pkey;
    pkey = EVP_PKEY_new();

    RSA * rsa;
    rsa = RSA_generate_key(
                           2048,   /* number of bits for the key - 2048 is a sensible value */
                           RSA_F4, /* exponent - RSA_F4 is defined as 0x10001L */
                           NULL,   /* callback - can be NULL if we aren't displaying progress */
                           NULL    /* callback argument - not needed in this case */
                           );

    EVP_PKEY_assign_RSA(pkey, rsa);

    X509 * x509;
    x509 = X509_new();

    ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);

    X509_gmtime_adj(X509_get_notBefore(x509), 0);
    X509_gmtime_adj(X509_get_notAfter(x509), 31536000000L);

    X509_set_pubkey(x509, pkey);

    X509_NAME * name;
    name = X509_get_subject_name(x509);

    X509_NAME_add_entry_by_txt(name, "C",  MBSTRING_ASC,
                               (unsigned char *)"CA", -1, -1, 0);
    X509_NAME_add_entry_by_txt(name, "O",  MBSTRING_ASC,
                               (unsigned char *)"company", -1, -1, 0);
    X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
                               (unsigned char *)"localhost", -1, -1, 0);

    X509_set_issuer_name(x509, name);

    X509_sign(x509, pkey, EVP_sha1());

        [@"" writeToFile:docPath
                   atomically:YES
                     encoding:NSUTF8StringEncoding
                        error:NULL];
        fp = fopen(docPath.UTF8String, "a+");
        PEM_write_X509(
                       fp,   /* write the certificate to the file we've opened */
                       x509 /* our certificate */);
        PEM_write_PrivateKey(fpKey, pkey, NULL, NULL, 0, NULL, NULL);
        fflush(fpKey);
        fclose(fpKey);
        fflush(fp);
        fclose(fp);
        dataFile = [NSString stringWithContentsOfFile:docPath
                                             encoding:NSUTF8StringEncoding
                                                error:NULL];

        OpenSSL_add_all_algorithms();
        OpenSSL_add_all_ciphers();
        OpenSSL_add_all_digests();

        PKCS12* p12;
        p12 = PKCS12_create("password", "login", pkey, x509, NULL, 0,0,0,0,0);

        if(!p12) {
            fprintf(stderr, "Error creating PKCS#12 structure\n");
            ERR_print_errors_fp(stderr);
            exit(1);
        }
        fp = fopen(docPathp12.UTF8String, "w+");

        if (!(fp = fopen(docPathp12.UTF8String, "wb"))) {
            ERR_print_errors_fp(stderr);
            exit(1);
        }
        i2d_PKCS12_fp(fp, p12);
        PKCS12_free(p12);
        fflush(fp);
        fclose(fp);


    }

The pkcs12 and x05 is now made so we continue in swift

 public let alamofireManager: SessionManager = {
        let obj = OpenSSL();
        obj.createX509()

        var path  = NSSearchPathForDirectoriesInDomains(.documentDirectory, .userDomainMask, true).first;
        var certPEM:String!;
        var keyPEM:String!;
        var certificateToPin:SecCertificate!;
        var pkcs12:PKCS12?;
        do{
            try certPEM = String(contentsOfFile: path! + "/cert").replacingOccurrences(of: "\n", with: "")
            try keyPEM = String(contentsOfFile: path! + "/key").replacingOccurrences(of: "\n", with: "")
            let p12 = NSData(contentsOfFile: path! + "/p12");
             pkcs12 = PKCS12.init(PKCS12Data: p12!, password: "password")

            let docsurl = try! FileManager.default.url(for:.documentDirectory, in: .userDomainMask, appropriateFor: nil, create: false)

            let urlAp = docsurl.appendingPathComponent("cert");
            var cert64 = certPEM.replacingOccurrences(of: "-----BEGIN CERTIFICATE-----", with: "")
            cert64 = cert64.replacingOccurrences(of: "-----END CERTIFICATE-----", with: "")
            let certificateData = NSData(base64Encoded: cert64, options: .ignoreUnknownCharacters)
            certificateToPin = SecCertificateCreateWithData(kCFAllocatorMalloc, certificateData!)

            var trust: SecTrust?

            let policy = SecPolicyCreateBasicX509()
            let status = SecTrustCreateWithCertificates(certificateToPin!, policy, &trust)
            let publicKey:SecKey?;
            if status == errSecSuccess {
                publicKey = SecTrustCopyPublicKey(trust!)!;
            }

            let dictionary = SecPolicyCopyProperties(policy)

        }catch{
            print("err")
        }


        let configuration = URLSessionConfiguration.default
        configuration.timeoutIntervalForResource = Request.settings.timeout


        let trustPolicies = CertTrustPolicyManager(policies: [:])


        var serverTrustPolicy:[String: ServerTrustPolicy] = [
            Router.baseURLString : .pinCertificates(
                certificates: [certificateToPin],
                validateCertificateChain: false,
                validateHost: false)
        ]


        var alamofireManager:SessionManager = Alamofire.SessionManager(configuration: configuration, delegate: SessionDelegate(), serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicy))

        alamofireManager.delegate.sessionDidReceiveChallenge = { session, challenge in
            var disposition: URLSession.AuthChallengeDisposition = .useCredential
            var credential: URLCredential?

            if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust {
                disposition = URLSession.AuthChallengeDisposition.useCredential
                credential = URLCredential(trust: challenge.protectionSpace.serverTrust!)

            } else {
                if challenge.previousFailureCount > 0 {
                    disposition = .cancelAuthenticationChallenge
                } else {
                    credential = alamofireManager.session.configuration.urlCredentialStorage?.defaultCredential(for: challenge.protectionSpace)

                    if credential != nil {
                        disposition = .useCredential
                    }
                }
            }

            let certs = [certificateToPin]
            let persist = URLCredential.Persistence.forSession;

            return (disposition, URLCredential.init(PKCS12: pkcs12!))
        }


        return alamofireManager
    }()

There I was in need to get certificates, probably some of code is useless or badly wrote but its working ( I'm new to IOS :) ), I was also converting PEM certificates to DER there but after these operations I was finally able to do insecure connection with sending client side and created certificate with Alamofire.

The code above is gathered from everywhere!

Cheers



来源:https://stackoverflow.com/questions/43885199/alamofire-without-evaluation-and-with-sending-client-certificate

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!