iOS 证书固定错误:扩展密钥用法与证书用法不匹配
我使用“keytool -keyalg RSA -keysize 2048 -storetype PKCS12”命令生成 p12 格式的证书,然后将其安装在 Mac 上并导出 cer 证书。
但是当我请求服务器时发生了一个错误。
iOS:11.4,Swift:5,Alamofire:5.2
标签:ios,swift,ssl,certificate
错误:扩展密钥用法与证书用法不匹配
serverTrustEvaluationFailed(reason: Alamofire.AFError.ServerTrustFailureReason.trustEvaluationFailed(error: Optional(Error Domain=NSOSStatusErrorDomain Code=-67609 "“***” certificate is not permitted for this usage" UserInfo={NSLocalizedDescription=“***” certificate is not permitted for this usage, NSUnderlyingError=0x6000006233c0 {Error Domain=NSOSStatusErrorDomain Code=-67609 "Certificate 0 “***” has errors: Extended key usage does not match certificate usage;" UserInfo={NSLocalizedDescription=Certificate 0 “***” has errors: Extended key usage does not match certificate usage;}}})))
error:Certificate Pinning Error
服务器配置:
# Embedded-server settings as posted (the key names match Spring Boot's `server.*` properties).
# The nesting under `server:` was flattened when the page was extracted.
server:
port: ***
servlet:
context-path: /fik
ssl:
# PKCS#12 keystore loaded from the classpath. Presumably the certificate the iOS client pins was
# exported from it (the Swift code bundles a .cer with the same "fik-server-730" base name) — confirm.
key-store: classpath:ssl/fik-server-730.p12
# NOTE(review): redacted in the post. This password protects the server's private key, so supply the
# real value from the environment or a secret store rather than committing it with the config.
key-store-password: ****
key-store-type: PKCS12
# Alias of the keystore entry the server is configured to use.
key-alias: fik-cer
Swift代码:
/// Singleton wrapper around an Alamofire `Session` whose server trust is decided by a
/// certificate-pinning evaluator for the API host.
final class AlamofireClient {
    // Host -> trust evaluator. The key is matched against the host of the request URL, so it has to
    // be that exact host string; "47.*.*.*" looks like a redacted IP address rather than a
    // pattern — confirm.
    // `acceptSelfSignedCertificates: true` lets the pinned certificate serve as its own trust anchor.
    // The evaluator's other options are left at their defaults, so the certificate still has to be
    // acceptable for TLS server use; the "Extended key usage does not match certificate usage"
    // failure reported with this code is raised by that evaluation.
    let evaluators = ["47.*.*.*": PinnedCertificatesTrustEvaluator(certificates: [Certificates.stackExchange], acceptSelfSignedCertificates: true)]

    /// Session whose connections are checked by `evaluators`.
    let session: Session

    private init() {
        let trustManager = ServerTrustManager(evaluators: evaluators)
        session = Session(serverTrustManager: trustManager)
    }

    private static let shared = AlamofireClient()

    /// Starts a JSON POST to `CHConstants.ApiGateway + api` carrying signature headers.
    ///
    /// The signature is computed over `parameters` plus a millisecond `timestamp` entry. The same
    /// timestamp is sent in the `time` header, while the request body carries `parameters`
    /// unchanged. The outcome is only printed from the completion handler.
    ///
    /// - Parameters:
    ///   - api: Path appended to `CHConstants.ApiGateway`.
    ///   - parameters: Fields encoded as the JSON request body.
    /// - Returns: Always `"ok"`, returned as soon as the request has been started; it does not
    ///   reflect whether the request or the certificate check succeeded.
    static func doPost(api: String, parameters: [String: String]) -> String {
        let millis = Int64(Date().timeIntervalSince1970 * 1000)

        // Copy of the parameters extended with the timestamp; used only as input to the signature.
        var signedFields = parameters
        signedFields["timestamp"] = String(millis)
        let signature = getSign(dict: signedFields)

        let endpoint = CHConstants.ApiGateway + api
        let headers: HTTPHeaders = [
            HTTPHeader(name: "Content-Type", value: "application/json"),
            HTTPHeader(name: "signature", value: signature),
            HTTPHeader(name: "time", value: String(millis))
        ]

        let request = shared.session.request(
            endpoint,
            method: .post,
            parameters: parameters,
            encoder: JSONParameterEncoder.default,
            headers: headers
        )
        request.responseJSON { response in
            switch response.result {
            case .success:
                print("value:\(response.value)")
                print("data:\(response.data)")
            case .failure(let error):
                // Report a trust failure under a fixed label so a pinning problem is not mistaken
                // for an ordinary network error; the full error is printed as well.
                let isTrustFailure = error.asAFError?.isServerTrustEvaluationError ?? false
                let message = isTrustFailure ? "Certificate Pinning Error" : error.localizedDescription
                print(error)
                print("error:\(message)")
            }
        }
        return "ok"
    }

    /// Produces the value sent in the `signature` header. The body is elided in the original post.
    private static func getSign(dict: [String: String]) -> String {
        ...
        return sign
    }
}
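/// Certificates bundled with the app for use as pinning references.
struct Certificates {
    /// Certificate loaded from `fik-server-730.cer` in the main bundle and pinned by `AlamofireClient`.
    /// Pinning compares the server's certificate with this bundled copy, so the file has to be
    /// replaced whenever the server certificate is reissued.
    static let stackExchange = Certificates.certificate(filename: "fik-server-730", type: "cer")

    /// Loads a certificate file from the main bundle.
    ///
    /// A missing or unreadable pinned certificate is a packaging error, so each failure stops the
    /// app with a message naming the cause instead of an anonymous force-unwrap crash.
    ///
    /// - Parameters:
    ///   - filename: Resource name without extension.
    ///   - type: Resource file extension.
    /// - Returns: The parsed certificate.
    private static func certificate(filename: String, type: String) -> SecCertificate {
        guard let fileURL = Bundle.main.url(forResource: filename, withExtension: type) else {
            fatalError("Pinned certificate \(filename).\(type) is missing from the app bundle")
        }

        let data: Data
        do {
            data = try Data(contentsOf: fileURL)
        } catch {
            fatalError("Pinned certificate \(filename).\(type) could not be read: \(error)")
        }

        // SecCertificateCreateWithData returns nil unless the bytes are a DER-encoded X.509
        // certificate, so a PEM export has to be converted to DER before it is bundled.
        guard let certificate = SecCertificateCreateWithData(nil, data as CFData) else {
            fatalError("Pinned certificate \(filename).\(type) is not a DER-encoded X.509 certificate")
        }
        return certificate
    }
}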
生成证书时,需要将 ExtendedKeyUsage(扩展密钥用法)扩展设置为 serverAuth,因为 iOS 是按 TLS 服务器用途来评估这张证书的:
keytool -keyalg RSA -keysize 2048 -storetype PKCS12 -ext EKU=serverAuth
重新生成证书后,还需要重新导出 cer 文件并替换应用包中用于固定的那份证书,否则固定校验仍会失败。
是的,问题解决了。你帮了我,非常感谢。哈哈