Client-side verification of the server certificate:
The HTTP configuration needs a path, and a domain name is required.
1. First import the server certificate server.cer into the project.
2. Then configure AFSecurityPolicy:
    self.manager = [AFHTTPRequestOperationManager manager];
    self.manager.responseSerializer = [[AFHTTPResponseSerializer alloc] init];
    [self.manager.requestSerializer setValue:@"iphone" forHTTPHeaderField:@"header-platform"];
    self.manager.securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];
    self.manager.securityPolicy.allowInvalidCertificates = YES;
    self.manager.securityPolicy.validatesDomainName = NO;
    self.manager.securityPolicy.validatesCertificateChain = NO;
The client then compares the certificate bundled in the project with the certificate the server presents.
Server-side verification of the client certificate: first import the client certificate client.p12 into the server's keystore.
Then add the following method to AFURLConnectionOperation.m:
    - (OSStatus)extractIdentity:(CFDataRef)inP12Data :(SecIdentityRef *)identity {
        OSStatus securityError = errSecSuccess;
        // Passphrase of the bundled client.p12 (hard-coded in the original post).
        CFStringRef password = CFSTR("clic1234");
        const void *keys[] = { kSecImportExportPassphrase };
        const void *values[] = { password };
        CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1,
                                                     &kCFTypeDictionaryKeyCallBacks,
                                                     &kCFTypeDictionaryValueCallBacks);
        // SecPKCS12Import allocates the result array itself; starting from NULL
        // avoids leaking the empty array the original code created here.
        CFArrayRef items = NULL;
        securityError = SecPKCS12Import(inP12Data, options, &items);
        if (securityError == errSecSuccess && items != NULL && CFArrayGetCount(items) > 0) {
            CFDictionaryRef ident = CFArrayGetValueAtIndex(items, 0);
            const void *tempIdentity = CFDictionaryGetValue(ident, kSecImportItemIdentity);
            // The identity is owned by `items`; retain it so the caller keeps a valid
            // (+1) reference after the array is released below.
            if (tempIdentity) {
                *identity = (SecIdentityRef)CFRetain(tempIdentity);
            }
        }
        if (options) {
            CFRelease(options);
        }
        if (items) {
            CFRelease(items);
        }
        return securityError;
    }
Replace the following method in AFURLConnectionOperation.m:
    - (void)connection:(NSURLConnection *)connection
    willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
with:
    - (void)connection:(NSURLConnection *)connection
    willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
    {
        NSString *thePath = [[NSBundle mainBundle] pathForResource:@"client" ofType:@"p12"];
        NSLog(@"thePath===========%@", thePath);
        NSData *PKCS12Data = [[NSData alloc] initWithContentsOfFile:thePath];
        CFDataRef inPKCS12Data = (__bridge CFDataRef)PKCS12Data;
        SecIdentityRef identity = NULL;
        // extract the identity from the PKCS#12 bundle
        [self extractIdentity:inPKCS12Data :&identity];
        if (identity == NULL) {
            // nothing to present (missing file or wrong passphrase): let the server decide
            [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
            return;
        }
        // The leaf certificate is only needed if it is passed in the certificates: array;
        // with certificates:nil it is copied here for illustration and released again.
        SecCertificateRef certificate = NULL;
        SecIdentityCopyCertificate(identity, &certificate);
        // const void *certs[] = { certificate };
        // CFArrayRef certArray = CFArrayCreate(kCFAllocatorDefault, certs, 1, NULL);
        // create a credential from the identity, then reply to the challenge with the credential
        NSURLCredential *credential = [NSURLCredential credentialWithIdentity:identity
                                                                 certificates:nil
                                                                  persistence:NSURLCredentialPersistencePermanent];
        // credential = [NSURLCredential credentialWithIdentity:identity certificates:(__bridge NSArray *)certArray persistence:NSURLCredentialPersistencePermanent];
        [challenge.sender useCredential:credential forAuthenticationChallenge:challenge];
        // the credential retains the identity; drop our own references
        if (certificate) {
            CFRelease(certificate);
        }
        CFRelease(identity);
    }
After that, two-way (mutual) authentication can take place.
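As an added example, not code from the original post or from AFNetworking: the replacement handler above answers every challenge with the client identity and no longer consults the security policy, so the server-verification half of the setup is lost for that operation. The version below keeps both halves: server-trust challenges are evaluated with the operation's securityPolicy (pinned server.cer, host-name validation on), and only client-certificate challenges are answered with the identity from client.p12. It assumes AFNetworking 2.x (AFURLConnectionOperation exposes securityPolicy and AFSecurityPolicy has evaluateServerTrust:forDomain:), that server.cer matches the host being dialled, and the extractIdentity:: helper from this post.

```objc
// Manager setup, in place of the allowInvalidCertificates = YES / validatesDomainName = NO
// block: pin the bundled server.cer and keep host-name validation on.
self.manager.securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
self.manager.securityPolicy.allowInvalidCertificates = NO;  // reject untrusted/expired leaves
self.manager.securityPolicy.validatesDomainName = YES;      // CN/SAN must match the host dialled

// Challenge handler in AFURLConnectionOperation.m that keeps both halves of mutual TLS.
- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSString *method = challenge.protectionSpace.authenticationMethod;

    if ([method isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Client verifies server: evaluate the trust object against the pinned certificate.
        // On failure cancel; a server-trust challenge is never answered with the client identity.
        SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
        if ([self.securityPolicy evaluateServerTrust:serverTrust
                                           forDomain:challenge.protectionSpace.host]) {
            [challenge.sender useCredential:[NSURLCredential credentialForTrust:serverTrust]
                 forAuthenticationChallenge:challenge];
        } else {
            [challenge.sender cancelAuthenticationChallenge:challenge];
        }
        return;
    }

    if ([method isEqualToString:NSURLAuthenticationMethodClientCertificate] &&
        challenge.previousFailureCount == 0) {
        // Server verifies client: only now present the identity from client.p12.
        NSString *p12Path = [[NSBundle mainBundle] pathForResource:@"client" ofType:@"p12"];
        NSData *p12Data = [NSData dataWithContentsOfFile:p12Path];
        SecIdentityRef identity = NULL;
        // extractIdentity:: is the post's helper, assumed here to hand back a +1 reference.
        OSStatus status = [self extractIdentity:(__bridge CFDataRef)p12Data :&identity];
        if (status == errSecSuccess && identity != NULL) {
            NSURLCredential *credential =
                [NSURLCredential credentialWithIdentity:identity certificates:nil
                                            persistence:NSURLCredentialPersistenceForSession];
            [challenge.sender useCredential:credential forAuthenticationChallenge:challenge];
            CFRelease(identity);  // the credential holds its own reference
            return;
        }
    }

    // Anything else, or a rejected client certificate: let the server decide instead of
    // resending the same identity indefinitely.
    [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
}
```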