// ssl bidirectional authentication双向验证

- (void)bidirectionalAuthentication {

AFHTTPRequestSerializer*reqSerializer = [AFHTTPRequestSerializerserializer];

NSMutableURLRequest*request;

request = [reqSerializerrequestWithMethod:@"GET"URLString:WFHTTPURLparameters:nilerror:nil];

AFSecurityPolicy*securityPolicy = [[AFSecurityPolicyalloc]init];

[securityPolicysetAllowInvalidCertificates:kAllowsInvalidSSLCertificate];

AFHTTPRequestOperation*operation = [[AFHTTPRequestOperationalloc]initWithRequest:request];

operation.responseSerializer= [AFHTTPResponseSerializerserializer];

[operationsetSecurityPolicy:securityPolicy];

[operationsetWillSendRequestForAuthenticationChallengeBlock:^(NSURLConnection*connection,NSURLAuthenticationChallenge*challenge) {

if([challengepreviousFailureCount] >0) {

//this will cause an authentication failure

[[challengesender]cancelAuthenticationChallenge:challenge];

NSLog(@"Bad Username Or Password");

return;

}

//this is checking the server certificate

if([challenge.protectionSpace.authenticationMethodisEqualToString:NSURLAuthenticationMethodServerTrust]) {

SecTrustResultTyperesult;

//This takes the serverTrust object and checkes it against your keychain

SecTrustEvaluate(challenge.protectionSpace.serverTrust, &result);

//if we want to ignore invalid server for certificates, we just accept the server

if(kAllowsInvalidSSLCertificate) {

[challenge.senderuseCredential:[NSURLCredentialcredentialForTrust: challenge.protectionSpace.serverTrust]forAuthenticationChallenge: challenge];

return;

}elseif(result ==kSecTrustResultProceed|| result ==kSecTrustResultUnspecified) {

//When testing this against a trusted server I got kSecTrustResultUnspecified every time. But the other two match the description of a trusted server

[challenge.senderuseCredential:[NSURLCredentialcredentialForTrust: challenge.protectionSpace.serverTrust]forAuthenticationChallenge: challenge];

return;

}

}elseif([[challengeprotectionSpace]authenticationMethod] ==NSURLAuthenticationMethodClientCertificate) {

//this handles authenticating the client certificate

/*

What we need to do here is get the certificate and an an identity so we can do this:

NSURLCredential *credential = [NSURLCredential credentialWithIdentity:identity certificates:myCerts persistence:NSURLCredentialPersistencePermanent];

[[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];

It's easy to load the certificate using the code in -installCertificate

It's more difficult to get the identity.

We can get it from a .p12 file, but you need a passphrase:

*/

NSData*p12Data = [NSDatadataWithContentsOfFile:[[NSBundlemainBundle]pathForResource:@"ios"ofType:@"pfx"]];

// your p12 password

CFStringRefpassword =CFSTR("p12 PASSPHRASE");

constvoid*keys[] = {kSecImportExportPassphrase};

constvoid*values[] = { password };

CFDictionaryRefoptionsDictionary =CFDictionaryCreate(NULL, keys, values,1,NULL,NULL);

CFArrayRefp12Items;

OSStatusresult =SecPKCS12Import((__bridgeCFDataRef)p12Data, optionsDictionary, &p12Items);

if(result ==noErr) {

CFDictionaryRefidentityDict =CFArrayGetValueAtIndex(p12Items,0);

SecIdentityRefidentityApp =(SecIdentityRef)CFDictionaryGetValue(identityDict,kSecImportItemIdentity);

SecCertificateRefcertRef;

SecIdentityCopyCertificate(identityApp, &certRef);

SecCertificateRefcertArray[1] = { certRef };

CFArrayRefmyCerts =CFArrayCreate(NULL, (void*)certArray,1,NULL);

CFRelease(certRef);

NSURLCredential*credential = [NSURLCredentialcredentialWithIdentity:identityAppcertificates:(__bridgeNSArray*)myCertspersistence:NSURLCredentialPersistencePermanent];

CFRelease(myCerts);

[[challengesender]useCredential:credentialforAuthenticationChallenge:challenge];

}else{

[[challengesender]cancelAuthenticationChallenge:challenge];

}

}elseif([[challengeprotectionSpace]authenticationMethod] ==NSURLAuthenticationMethodDefault|| [[challengeprotectionSpace]authenticationMethod] ==NSURLAuthenticationMethodNTLM) {

// For normal authentication based on username and password. This could be NTLM or Default.

/*

DAVCredentials *cred = _parentSession.credentials;

NSURLCredential *credential = [NSURLCredential credentialWithUser:cred.username password:cred.password persistence:NSURLCredentialPersistenceForSession];

[[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];

*/

NSLog(@"BASIC AUTHENTICATION");

}else{

//If everything fails, we cancel the challenge.

[[challengesender]cancelAuthenticationChallenge:challenge];

}

}];

[operationsetCompletionBlockWithSuccess:^(AFHTTPRequestOperation*operation,idresponseObject) {

//对AFHTTPRequestOperation返回的responseObject获取字符串形式的数据，在转成json

NSString*html = operation.responseString;

NSData* data = [htmldataUsingEncoding:NSUTF8StringEncoding];

iddict = [NSJSONSerializationJSONObjectWithData:dataoptions:0error:nil];

NSLog(@"获取到的数据为：%@",dict);

}failure:^(AFHTTPRequestOperation*operation,NSError*error) {

NSLog(@"error:%@",error);

}];

[[NSOperationQueuemainQueue]addOperation:operation];

}