无法使用iPhone中的客户端证书进行身份验证
问题描述:
我使用基于.net的REST服务配置了双向SSL。在我的iphone端,我已经在设备配置文件中安装了服务器证书,并且客户端证书被捆绑为应用程序资源。服务器证书验证工作正常,但客户端证书验证失败。以下是我的代码片段
- (void)connection:(NSURLConnection *) connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
NSLog(@"Authentication challenge with host: %@", challenge.protectionSpace.host);
if([challenge previousFailureCount] == 0) {
NSURLProtectionSpace *protectionSpace = [challenge protectionSpace];
NSString *authMethod = [protectionSpace authenticationMethod];
if(authMethod == NSURLAuthenticationMethodServerTrust) {
NSLog(@"Verifying The Trust");
[[challenge sender] useCredential:[NSURLCredential credentialForTrust:[protectionSpace serverTrust]] forAuthenticationChallenge:challenge];
}
else if(authMethod == NSURLAuthenticationMethodClientCertificate) {
NSLog(@"Trying Certificate");
// load cert
NSString *thePath = [[NSBundle mainBundle]
pathForResource:@"Myclientcertificate" ofType:@"pfx"];
NSData *PKCS12Data = [[NSData alloc] initWithContentsOfFile:thePath];
CFDataRef inPKCS12Data = (CFDataRef)PKCS12Data;
OSStatus status = noErr;
SecIdentityRef myIdentity;
SecTrustRef myTrust;
status = extractIdentityAndTrust(
inPKCS12Data,
&myIdentity,
&myTrust);
SecTrustResultType trustResult;
if (status == noErr) {
status = SecTrustEvaluate(myTrust, &trustResult);
}
SecCertificateRef myCertificate;
SecIdentityCopyCertificate(myIdentity, &myCertificate);
const void *certs[] = { myCertificate };
CFArrayRef certsArray = CFArrayCreate(NULL, certs, 1, NULL);
NSURLCredential *credential = [NSURLCredential credentialWithIdentity:myIdentity certificates:(NSArray*)certsArray persistence:NSURLCredentialPersistencePermanent];
[[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
}
}
}
- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
{
BOOL result;
NSLog(@"canAuthenticateAgainstProtectionSpace: %@", protectionSpace.authenticationMethod);
if ([protectionSpace authenticationMethod] == NSURLAuthenticationMethodServerTrust) {
result= YES;
} else if([protectionSpace authenticationMethod] == NSURLAuthenticationMethodClientCertificate) {
result = YES;
}
return result;
}
OSStatus extractIdentityAndTrust(CFDataRef inPKCS12Data, SecIdentityRef *identity, SecTrustRef *trust){
OSStatus securityError = errSecSuccess;
CFStringRef password = CFSTR("1234");
const void *keys[] = { kSecImportExportPassphrase };
const void *values[] = { password };
CFDictionaryRef optionsDictionary = CFDictionaryCreate(
NULL, keys,
values, 1,
NULL, NULL);
CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
securityError = SecPKCS12Import(inPKCS12Data,
optionsDictionary,
&items);
if (securityError == 0) {
CFDictionaryRef myIdentityAndTrust = CFArrayGetValueAtIndex (items, 0);
const void *tempIdentity = NULL;
tempIdentity = CFDictionaryGetValue (myIdentityAndTrust,
kSecImportItemIdentity);
*identity = (SecIdentityRef)tempIdentity;
const void *tempTrust = NULL;
tempTrust = CFDictionaryGetValue (myIdentityAndTrust, kSecImportItemTrust);
*trust = (SecTrustRef)tempTrust;
}
if (optionsDictionary) {
CFRelease(optionsDictionary);
}
return securityError;
}
我的连接失败,出现下面提到的错误。
{
NSErrorFailingURLKey = "https://myIpdaddress/Service1.svc/test/random";
NSErrorFailingURLStringKey = "https://myIpdaddress/Service1.svc/test/random";
NSLocalizedDescription = "The server \U201cmyIpdaddress\U201d requires a client certificate.";
NSUnderlyingError = "Error Domain=kCFErrorDomainCFNetwork Code=-1206 \"The server \U201cmyIpdaddress\U201d requires a client certificate.\" UserInfo=0x4b240b0 {NSErrorFailingURLKey=https://myIpdaddress/Service1.svc/test/random, NSErrorFailingURLStringKey=https://myIpdaddress/Service1.svc/test/random, NSLocalizedDescription=The server \U201cmyIpdaddress\U201d requires a client certificate.}";
}
请帮助我如何reslove这一点。
答
我遇到了这个完全相同的问题。
解决方法是纠正'主机'HTTP标头。
我正在使用的包括端口和路径的一部分。一旦我纠正这个头只包括网址的主机部分,事情开始工作。
我认为服务器拒绝我的身份时,我有错误的主机头,我认为“需要客户端证书”消息是一般性的回应,也可能意味着服务器不接受证书提交。