AFSecurityPolicy这个类是针对HTTPS连接时做的证书认证,这里我们假设你已经对HTTPS连接有了一定的了解。
也是比较简单的一个类啊,看源码吧
typedef NS_ENUM(NSUInteger, AFSSLPinningMode) {
AFSSLPinningModeNone,
AFSSLPinningModePublicKey,
AFSSLPinningModeCertificate,
};
一个枚举类型,定义了HTTPS的三种验证模式:
AFSSLPinningModeNone这个模式本地没有保存证书,只验证服务器证书是不是系统受信任证书列表里的证书签发的。
AFSSLPinningModePublicKey这个模式表示本地存有证书,验证证书的有效期等信息,也就是将本地证书设置为锚点证书,然后验证证书有效性,再判断本地证书和服务器证书是否一致。
AFSSLPinningModeCertificate这个模式同样是本地存有证书,只是验证时只验证证书里的公钥,不验证证书的有效期等信息。
/**
只读属性,证书验证模式,只能在初始化的时候设置
*/
@property (readonly, nonatomic, assign) AFSSLPinningMode SSLPinningMode;
/**
本地证书的集合
*/
@property (nonatomic, strong, nullable) NSSet <NSData *> *pinnedCertificates;
/**
是否允许无效的证书,默认是NO
*/
@property (nonatomic, assign) BOOL allowInvalidCertificates;
/**
是否验证域名,默认是YES
*/
@property (nonatomic, assign) BOOL validatesDomainName;
AFSecurityPolicy的一些基本属性,都很简单。
/**
返回指定目录下的证书
*/
+ (NSSet <NSData *> *)certificatesInBundle:(NSBundle *)bundle;
/**
默认验证策略的初始化
*/
+ (instancetype)defaultPolicy;
/**
根据制定的验证模式初始化
*/
+ (instancetype)policyWithPinningMode:(AFSSLPinningMode)pinningMode;
/**
根据指定的验证模式和本地证书初始化
*/
+ (instancetype)policyWithPinningMode:(AFSSLPinningMode)pinningMode withPinnedCertificates:(NSSet <NSData *> *)pinnedCertificates;
/**
返回服务器证书是否能够被信任,在NSUrlSessionDelegate的`URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler`方法中被调用
serverTrust 服务器证书验证对象
domain 域名
*/
- (BOOL)evaluateServerTrust:(SecTrustRef)serverTrust
forDomain:(nullable NSString *)domain;
如果不制定验证模式,就是在默认的AFSSLPinningModeNone验证模式下验证,所以不需要本地证书,但是如果要自己设置验证模式,就可能需要本地证书,所以需要指定证书或者获取工程下的所有证书。
#if !TARGET_OS_IOS && !TARGET_OS_WATCH && !TARGET_OS_TV
static NSData * AFSecKeyGetData(SecKeyRef key) {
CFDataRef data = NULL;
__Require_noErr_Quiet(SecItemExport(key, kSecFormatUnknown, kSecItemPemArmour, NULL, &data), _out);
return (__bridge_transfer NSData *)data;
_out:
if (data) {
CFRelease(data);
}
return nil;
}
#endif
OSStatus SecItemExport(CFTypeRef secItemOrArray, SecExternalFormat outputFormat, SecItemImportExportFlags flags, const SecItemImportExportKeyParameters *keyParams, CFDataRef _Nullable *exportedData);这个函数是把secItemOrArray导出到exportedData。
__Require_noErr_Quiet(errorCode, exceptionLabel)就是当errocode不为0时 goto到exceptionLabel执行。
static BOOL AFSecKeyIsEqualToKey(SecKeyRef key1, SecKeyRef key2) {
#if TARGET_OS_IOS || TARGET_OS_WATCH || TARGET_OS_TV
return [(__bridge id)key1 isEqual:(__bridge id)key2];
#else
return [AFSecKeyGetData(key1) isEqual:AFSecKeyGetData(key2)];
#endif
}
这个很简单,比较两个key是否相等,用于AFSSLPinningModePublicKey模式下比较公钥。
static id AFPublicKeyForCertificate(NSData *certificate) {
id allowedPublicKey = nil;
SecCertificateRef allowedCertificate;
SecCertificateRef allowedCertificates[1];
CFArrayRef tempCertificates = nil;
SecPolicyRef policy = nil;
SecTrustRef allowedTrust = nil;
SecTrustResultType result;
/**
certificate转换为SecCertificateRef类型的证书
certificate 通过(__bridge CFDataRef)转换成 CFDataRef
allocator CFAllocator分配证书。
data DER编码的X.509证书。
*/
allowedCertificate = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certificate);
//allowedCertificate如果是空跳转到_out
__Require_Quiet(allowedCertificate != NULL, _out);
// 给allowedCertificates赋值
allowedCertificates[0] = allowedCertificate;
// 新建CF数组 tempCertificates
tempCertificates = CFArrayCreate(NULL, (const void **)allowedCertificates, 1, NULL);
// 新建policy为X.509
policy = SecPolicyCreateBasicX509();
// 根据证书、验证策略、创建SecTrustRef对象赋值给allowedTrust,如果出错就跳到_out标记处
__Require_noErr_Quiet(SecTrustCreateWithCertificates(tempCertificates, policy, &allowedTrust), _out);
// 校验证书,出错跳转到_out。
__Require_noErr_Quiet(SecTrustEvaluate(allowedTrust, &result), _out);
//copy出allowedTrust的公钥
allowedPublicKey = (__bridge_transfer id)SecTrustCopyPublicKey(allowedTrust);
_out:
...
return allowedPublicKey;
}
这个函数就是获取证书文件的公钥,需要了解的知识点都写在注释里了,看一下就可以了。
static BOOL AFServerTrustIsValid(SecTrustRef serverTrust) {
BOOL isValid = NO;
SecTrustResultType result;
__Require_noErr_Quiet(SecTrustEvaluate(serverTrust, &result), _out);
isValid = (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
_out:
return isValid;
}
这个函数就是判断SecTrustRef对象是否是有效的,SecTrustEvaluate(serverTrust, &result)这句就是验证serverTrust,然后把验证结果赋值给result。
kSecTrustResultUnspecified表示系统里有该证书的根证书,而且校验通过。
kSecTrustResultProceed用户设置了锚点证书,验证通过。
static NSArray * AFCertificateTrustChainForServerTrust(SecTrustRef serverTrust) {
CFIndex certificateCount = SecTrustGetCertificateCount(serverTrust);
NSMutableArray *trustChain = [NSMutableArray arrayWithCapacity:(NSUInteger)certificateCount];
for (CFIndex i = 0; i < certificateCount; i++) {
SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, i);
[trustChain addObject:(__bridge_transfer NSData *)SecCertificateCopyData(certificate)];
}
return [NSArray arrayWithArray:trustChain];
}
这个函数是用来获取服务器提供需要验证的证书链。
SecTrustGetCertificateCount获取SecTrustRef对象中的证书数量。
SecTrustGetCertificateAtIndex获取SecTrustRef对象中的第index个证书。
static NSArray * AFPublicKeyTrustChainForServerTrust(SecTrustRef serverTrust) {
SecPolicyRef policy = SecPolicyCreateBasicX509();
CFIndex certificateCount = SecTrustGetCertificateCount(serverTrust);
NSMutableArray *trustChain = [NSMutableArray arrayWithCapacity:(NSUInteger)certificateCount];
for (CFIndex i = 0; i < certificateCount; i++) {
SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, i);
SecCertificateRef someCertificates[] = {certificate};
CFArrayRef certificates = CFArrayCreate(NULL, (const void **)someCertificates, 1, NULL);
SecTrustRef trust;
__Require_noErr_Quiet(SecTrustCreateWithCertificates(certificates, policy, &trust), _out);
SecTrustResultType result;
__Require_noErr_Quiet(SecTrustEvaluate(trust, &result), _out);
[trustChain addObject:(__bridge_transfer id)SecTrustCopyPublicKey(trust)];
_out:
...
continue;
}
CFRelease(policy);
return [NSArray arrayWithArray:trustChain];
}
前面和获取服务器验证证书链的方法都一样,就不说了。
CFArrayCreate(NULL, (const void **)someCertificates, 1, NULL);从someCertificates数组中copy 1个元素用于新创建的C数组中。
SecTrustCreateWithCertificates(certificates, policy, &trust)根据证书certificates和验证策略policy创建一个SecTrustRef对象。
SecTrustCopyPublicKey (trust)获取SecTrustRef对象中的publickey。
中间一些初始化、获取本地证书的方法就不说了,直接看重点
- (BOOL)evaluateServerTrust:(SecTrustRef)serverTrust
forDomain:(NSString *)domain
{
//log里已经说得很清楚了,如果你要验证自签名证书的域名,那么就不能用AFSSLPinningModeNone模式,
//而且必须copy服务器证书到本地
if (domain && self.allowInvalidCertificates && self.validatesDomainName && (self.SSLPinningMode == AFSSLPinningModeNone || [self.pinnedCertificates count] == 0)) {
// https://developer.apple.com/library/mac/documentation/NetworkingInternet/Conceptual/NetworkingTopics/Articles/OverridingSSLChainValidationCorrectly.html
// According to the docs, you should only trust your provided certs for evaluation.
// Pinned certificates are added to the trust. Without pinned certificates,
// there is nothing to evaluate against.
//
// From Apple Docs:
// "Do not implicitly trust self-signed certificates as anchors (kSecTrustOptionImplicitAnchors).
// Instead, add your own (self-signed) CA certificate to the list of trusted anchors."
NSLog(@"In order to validate a domain name for self signed certificates, you MUST use pinning.");
return NO;
}
NSMutableArray *policies = [NSMutableArray array];
// 如果需要验证domain,那么就需要SecPolicyCreateSSL函数创建验证策略,
//server 参数为true表示验证整个SSL证书链
//hostname 传入domain,用于判断整个证书链上的domain是否和此处传入domain一致
if (self.validatesDomainName) {
[policies addObject:(__bridge_transfer id)SecPolicyCreateSSL(true, (__bridge CFStringRef)domain)];
} else {
// 如果不需要验证domain,就使用默认的BasicX509验证策略
[policies addObject:(__bridge_transfer id)SecPolicyCreateBasicX509()];
}
// 为serverTrust设置验证策略
SecTrustSetPolicies(serverTrust, (__bridge CFArrayRef)policies);
// 如果SSLPinningMode为 AFSSLPinningModeNone,表示你不使用SSL pinning
//使用AFServerTrustIsValid函数验证serverTrust是否可信任,如果信任返回YES
//判断用户是否信任自建证书,如果信任返回YES
if (self.SSLPinningMode == AFSSLPinningModeNone) {
return self.allowInvalidCertificates || AFServerTrustIsValid(serverTrust);
}
//如果不允许自建证书,serverTrust又不被信任,那么就表示验证不通过返回NO
else if (!AFServerTrustIsValid(serverTrust) && !self.allowInvalidCertificates) {
return NO;
}
switch (self.SSLPinningMode) {
case AFSSLPinningModeNone:
default:
return NO;
//使用SSL Pinning方式验证证书
//要验证整个证书一致才能通过
case AFSSLPinningModeCertificate: {
NSMutableArray *pinnedCertificates = [NSMutableArray array];
for (NSData *certificateData in self.pinnedCertificates) {
//SecCertificateCreateWithData函数把本地存储的服务器证书拷贝数据转换为DER编码的 X.509证书
//然后加入pinnedCertificates数组中
[pinnedCertificates addObject:(__bridge_transfer id)SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certificateData)];
}
// 将pinnedCertificates设置成需要参与验证的Anchor Certificate(锚点证书,通过SecTrustSetAnchorCertificates设置了参与校验锚点证书之后,假如验证的数字证书是这个锚点证书的子节点,即验证的数字证书是由锚点证书对应CA或子CA签发的,或是该证书本身,则信任该证书),具体就是调用SecTrustEvaluate来验证。
SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)pinnedCertificates);
//判断服务器证书是否是有效的(是否由上面设置的锚点证书或其子证书签发,有效期等信息)
if (!AFServerTrustIsValid(serverTrust)) {
return NO;
}
// 获取服务器需要验证的证书链
NSArray *serverCertificates = AFCertificateTrustChainForServerTrust(serverTrust);
//验证是否有本地证书与服务器返回的证书量一致的,如果有就返回YES
for (NSData *trustChainCertificate in [serverCertificates reverseObjectEnumerator]) {
if ([self.pinnedCertificates containsObject:trustChainCertificate]) {
return YES;
}
}
return NO;
}
//验证公钥(Publickey)一致就可以了
case AFSSLPinningModePublicKey: {
NSUInteger trustedPublicKeyCount = 0;
//获取服务器返回的证书的Publickey
NSArray *publicKeys = AFPublicKeyTrustChainForServerTrust(serverTrust);
// 依次遍历本地Publickey和服务器Publickey,如果有一致的,那么就给trustedPublicKeyCount +1
for (id trustChainPublicKey in publicKeys) {
for (id pinnedPublicKey in self.pinnedPublicKeys) {
//用AFSecKeyIsEqualToKey函数验证publickey
if (AFSecKeyIsEqualToKey((__bridge SecKeyRef)trustChainPublicKey, (__bridge SecKeyRef)pinnedPublicKey)) {
trustedPublicKeyCount += 1;
}
}
}
return trustedPublicKeyCount > 0;
}
}
return NO;
}
需要解释的都放在注释里了
如有错误,请不吝赐教,谢谢!
