在企业iOS应用中使用来自.mobileconfig的客户端SSL证书。

问题描述 投票:12回答:2

我们正在尝试在企业iOS应用中使用客户端SSL证书进行用户认证。

  • 我们可以在服务器上生成客户端SSL证书。
  • 用户可以通过.mobileconfig进行安装。
  • 在Safari中使用安装的证书对Web服务器进行认证。
  • 从iOS应用内部发出http请求会失败(未使用证书)。

我们如何让它工作?谢谢!我们正在尝试使用客户端SSL。

ios authentication ssl ssl-certificate enterprise
2个回答
8
投票

概述。

你已经在设备钥匙链上安装了客户端SSL证书。

Safari.app和Mail.app可以访问这个钥匙链,而iOS应用却不能。

原因是我们开发的应用都是沙盒的,在非越狱设备中没有任何访问权限。

由于safari有访问权,所以它在连接和认证时没有遇到任何问题,以应对服务器的挑战。

解决方法:在导出的P12文件中加入

将导出的P12文件与App捆绑在一起,并参考它来找到服务器正在寻找的正确的客户端证书,这实际上是一个变通方法。硬编码是抓取P12文件的可靠方法。

实现方式。

问题方法是 willSendRequestForAuthenticationChallengeNSURLConenction delegate. 你需要考虑到 NSURLAuthenticationMethodClientCertificate 挑战类型,以便处理服务器挑战。这就是我们实现从嵌入的P12文件中提取正确的证书身份的神奇之处。代码如下

- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    if ([challenge previousFailureCount] > 0) {
       //this will cause an authentication failure
       [[challenge sender] cancelAuthenticationChallenge:challenge];
       NSLog(@"Bad Username Or Password");        
       return;
    }



     //this is checking the server certificate
        if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
            SecTrustResultType result;
            //This takes the serverTrust object and checkes it against your keychain
            SecTrustEvaluate(challenge.protectionSpace.serverTrust, &result);

            //if we want to ignore invalid server for certificates, we just accept the server
            if (kSPAllowInvalidServerCertificates) {
                [challenge.sender useCredential:[NSURLCredential credentialForTrust: challenge.protectionSpace.serverTrust] forAuthenticationChallenge: challenge];
                return;
            } else if(result == kSecTrustResultProceed || result == kSecTrustResultConfirm ||  result == kSecTrustResultUnspecified) {
                //When testing this against a trusted server I got kSecTrustResultUnspecified every time. But the other two match the description of a trusted server
                [challenge.sender useCredential:[NSURLCredential credentialForTrust: challenge.protectionSpace.serverTrust] forAuthenticationChallenge: challenge];
                return;
            }
        } else if ([[challenge protectionSpace] authenticationMethod] == NSURLAuthenticationMethodClientCertificate) {
        //this handles authenticating the client certificate

       /* 
 What we need to do here is get the certificate and an an identity so we can do this:
   NSURLCredential *credential = [NSURLCredential credentialWithIdentity:identity certificates:myCerts persistence:NSURLCredentialPersistencePermanent];
   [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];

   It's easy to load the certificate using the code in -installCertificate
   It's more difficult to get the identity.
   We can get it from a .p12 file, but you need a passphrase:
   */

   NSString *p12Path = [[BundleManager bundleForCurrentSkin] pathForResource:kP12FileName ofType:@"p12"];
   NSData *p12Data = [[NSData alloc] initWithContentsOfFile:p12Path];

   CFStringRef password = CFSTR("PASSWORD");
   const void *keys[] = { kSecImportExportPassphrase };
   const void *values[] = { password };
   CFDictionaryRef optionsDictionary = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
   CFArrayRef p12Items;

   OSStatus result = SecPKCS12Import((CFDataRef)p12Data, optionsDictionary, &p12Items);

   if(result == noErr) {
             CFDictionaryRef identityDict = CFArrayGetValueAtIndex(p12Items, 0);
             SecIdentityRef identityApp =(SecIdentityRef)CFDictionaryGetValue(identityDict,kSecImportItemIdentity);

             SecCertificateRef certRef;
             SecIdentityCopyCertificate(identityApp, &certRef);

             SecCertificateRef certArray[1] = { certRef };
             CFArrayRef myCerts = CFArrayCreate(NULL, (void *)certArray, 1, NULL);
             CFRelease(certRef);

             NSURLCredential *credential = [NSURLCredential credentialWithIdentity:identityApp certificates:(NSArray *)myCerts persistence:NSURLCredentialPersistencePermanent];
             CFRelease(myCerts);

             [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
         }
    } else if ([[challenge protectionSpace] authenticationMethod] == NSURLAuthenticationMethodDefault || [[challenge protectionSpace] authenticationMethod] == NSURLAuthenticationMethodNTLM) {
   // For normal authentication based on username and password. This could be NTLM or Default.

        DAVCredentials *cred = _parentSession.credentials;
        NSURLCredential *credential = [NSURLCredential credentialWithUser:cred.username password:cred.password persistence:NSURLCredentialPersistenceForSession];
    [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
    } else {
        //If everything fails, we cancel the challenge.
        [[challenge sender] cancelAuthenticationChallenge:challenge];
    }
}

参考文献。参考文献1, 参考文献2, 参考文献3

希望能帮到你

0
投票

我创建了一个包来与TLS socketsiOSObj-C一起工作。我把它连接到一个节点服务器上,但它可能与其他服务器一起工作。更重要的是,我有关于正确创建证书的重要资源的链接,鉴于最近的iOS 13 TLS限制。我希望它能有一定的帮助。

https:/github.comeamonwhiter73IOSObjCWebSocketstreemaster。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.