1

我正在使用 GCD AsyncSocket 创建客户端应用程序以连接到由 SSLServer 套接字创建的带有自签名证书的服务器 java。通过单向身份验证,我可以很好地初始化 SSL 套接字和通信。但是通过双向身份验证,我不知道如何实现它。在 iOS 客户端,我将拥有一个客户端的证书,服务器将基于此证书信任客户端。我也可以很好地从 .p12 文件中读取证书。非常感谢任何建议。

4

1 回答 1

0

经过许多幸运的过程。解决了。在本教程中使用服务器 andoird 和客户端 android:http ://www.herongyang.com/JDK/SSL-Client-Authentication.html 使用 2 路身份验证。服务器将需要客户端的证书。您可以在 didConnectToHost 委托处调用它。NSMutableDictionary *sslSettings = [[NSMutableDictionary alloc] init];

    SecIdentityRef identityout; // You can get SecIdentityRef object from *.p12 keystore file. SSL Socket Server will authentication client base on this certificate. At server side, we will add client's certificate to trust manager.

    [sslSettings setObject:@0 forKey:GCDAsyncSocketSSLProtocolVersionMax];
    [sslSettings setObject:@YES forKey:GCDAsyncSocketManuallyEvaluateTrust]; // This will call a delegate method socket:(GCDAsyncSocket *)sock didReceiveTrust: ...
    [sslSettings setObject:[[NSArray alloc] initWithObjects:(__bridge id)(identityout), nil] forKey:GCDAsyncSocketSSLCertificates];        
    [self.asyncSocket startTLS:sslSettings];

在 didReceiveTrust:(SecTrustRef)trust completionHandler:(void (^)(BOOL))completionHandler。客户端将验证服务器的证书手册。您可以使用以下代码获取服务器的证书:SecCertificateRef serverCertificate = SecTrustGetCertificateAtIndex(trust, 0);

使用自签名证书,您必须将服务器的证书添加到钥匙串并使用 SecTrustEvaluate 方法检查服务器的证书。或者您可以比较服务器证书并以这种方式保存:

SecCertificateRef serverCertificate = SecTrustGetCertificateAtIndex(trust, 0); SecCertificateRef savedCertificate = SecTrustGetCertificateAtIndex(self.saveServerTrust, 0);
    NSLog(@"Server's certificate subject: %@",summaryString);
    NSLog(@"Saved certificate subject: %@",summaryString1);


    if(nil == serverCertificate || nil == savedCertificate)
        NSLog(@"Faile");

CFDataRef serverCertificateData = SecCertificateCopyData(serverCertificate);
CFDataRef saveCertificateData = SecCertificateCopyData(savedCertificate);

const UInt8* const serverData = CFDataGetBytePtr(serverCertificateData);
const CFIndex serverDataSize = CFDataGetLength(serverCertificateData);
NSData* cert1 = [NSData dataWithBytes:serverData length:(NSUInteger)serverDataSize];

const UInt8* const SaveCertificateData = CFDataGetBytePtr(saveCertificateData);
const CFIndex SaveCertificateDataSize = CFDataGetLength(serverCertificateData);
NSData* cert2= [NSData dataWithBytes:SaveCertificateData length:(NSUInteger)SaveCertificateDataSize];

if (cert1 == nil || cert2 == nil) {
    NSLog(@"Certificate NULL");
    completionHandler(NO);
    return;
}

const BOOL equal = [cert1 isEqualToData:cert2];

if (equal) {

    NSLog(@"Certificate match");
    completionHandler(YES);
}
else{
    NSLog(@"Certificate not match");
    completionHandler(NO);
}`
于 2014-11-19T03:41:13.673 回答