Swift-Swift中带有流的证书固定
尝试使用流(无https)将证书固定到我的连接。我必须将证书和密码密钥发送到服务器(nginx)。当我使用postman或RESTAPI时,一切都很好。但是,我无法通过套接字配置它 我试着遵循这个模式 但是,我也必须把钥匙送到那里。因此,我根据给定的证书和密钥生成了一个.p12证书,但仍然无法正确连接 这是我的SocketConnectManager:Swift-Swift中带有流的证书固定,swift,sockets,certificate-pinning,Swift,Sockets,Certificate Pinning,尝试使用流(无https)将证书固定到我的连接。我必须将证书和密码密钥发送到服务器(nginx)。当我使用postman或RESTAPI时,一切都很好。但是,我无法通过套接字配置它 我试着遵循这个模式 但是,我也必须把钥匙送到那里。因此,我根据给定的证书和密钥生成了一个.p12证书,但仍然无法正确连接 这是我的SocketConnectManager: class SocketConnectionManager: NSObject, StreamDelegate { var input
class SocketConnectionManager: NSObject, StreamDelegate {
var inputStream: InputStream!
var outputStream: OutputStream!
func addAnchorToTrust(trust: SecTrust, certificates: NSMutableArray) -> SecTrust {
SecTrustSetAnchorCertificates(trust, certificates)
return trust
}
public func createStreams(host: CFString, port: UInt32) {
if let inputStream = inputStream, inputStream.streamStatus == .open {
inputStream.close()
}
if let outputStream = outputStream, outputStream.streamStatus == .open {
outputStream.close()
}
inputStream = nil
outputStream = nil
var readStream: Unmanaged<CFReadStream>?
var writeStream: Unmanaged<CFWriteStream>?
CFStreamCreatePairWithSocketToHost(nil, host, port, &readStream, &writeStream)
inputStream = readStream!.takeRetainedValue()
outputStream = writeStream!.takeRetainedValue()
inputStream.setProperty(StreamSocketSecurityLevel.negotiatedSSL, forKey: .socketSecurityLevelKey)
outputStream.setProperty(StreamSocketSecurityLevel.negotiatedSSL, forKey: .socketSecurityLevelKey)
inputStream.setProperty(StreamNetworkServiceTypeValue.voice, forKey: Stream.PropertyKey.networkServiceType)
outputStream.setProperty(StreamNetworkServiceTypeValue.voIP, forKey: Stream.PropertyKey.networkServiceType)
let sslSettings : [NSString: Any] = [
NSString(format: kCFStreamSSLValidatesCertificateChain): kCFBooleanFalse,
NSString(format: kCFStreamSSLPeerName): kCFNull,
NSString(format: kCFStreamSSLIsServer): kCFBooleanFalse
]
// Set the SSL/TLS settingson the streams
inputStream!.setProperty(sslSettings, forKey: kCFStreamPropertySSLSettings as Stream.PropertyKey)
outputStream!.setProperty(sslSettings, forKey: kCFStreamPropertySSLSettings as Stream.PropertyKey)
}
// This is where we get all our events (haven't finished writing this class)
func stream(_ aStream: Stream, handle eventCode: Stream.Event) {
switch eventCode {
case Stream.Event.endEncountered:
print("End Encountered")
break
case Stream.Event.openCompleted:
print("Open Completed")
break
case Stream.Event.hasSpaceAvailable:
print("Has Space Available")
// If you try and obtain the trust object (aka kCFStreamPropertySSLPeerTrust) before the stream is available for writing I found that the oject is always nil!
var sslTrustInput: SecTrust? = inputStream!.property(forKey:kCFStreamPropertySSLPeerTrust as Stream.PropertyKey) as! SecTrust?
var sslTrustOutput: SecTrust? = outputStream!.property(forKey:kCFStreamPropertySSLPeerTrust as Stream.PropertyKey) as! SecTrust?
if (sslTrustInput == nil) {
print("INPUT TRUST NIL")
}
else {
print("INPUT TRUST NOT NIL")
}
if (sslTrustOutput == nil) {
print("OUTPUT TRUST NIL")
}
else {
print("OUTPUT TRUST NOT NIL")
}
// Get our certificate reference. Make sure to add your root certificate file into your project.
let certP = PKCS12.init(mainBundleResource: "Certificates", resourceType: "p12", password: "1234");
let array: NSMutableArray = NSMutableArray()
array.add(certP.identity!)
array.add(certP.certChain!)
sslTrustInput = addAnchorToTrust(trust: sslTrustInput!, certificates: array)
sslTrustOutput = addAnchorToTrust(trust: sslTrustOutput!, certificates: array)
var result: SecTrustResultType = SecTrustResultType.unspecified
// This is it! Evaulate the trust.
let error: OSStatus = SecTrustEvaluate(sslTrustInput!, &result)
// An error occured evaluating the trust check the OSStatus codes for Apple at osstatus.com
if (error != noErr) {
print("Evaluation Failed")
}
if (result != SecTrustResultType.proceed && result != SecTrustResultType.unspecified) {
// Trust failed. This will happen if you faile to add the trusted anchor as mentioned above
print("Peer is not trusted :(")
}
else {
// Peer certificate is trusted. Now we can send data. Woohoo!
print("Peer is trusted :)")
}
break
case Stream.Event.hasBytesAvailable:
print("Has Bytes Available")
break
case Stream.Event.errorOccurred:
print("Error Occured")
break
default:
print("Default")
break
}
}
}
server {
listen 444 ssl;
proxy_ssl on;
proxy_pass backend;
ssl_certificate /etc/ssl/domain.com/domain.com.cert;
ssl_certificate_key /etc/ssl/domain.com/domain.com.key;
ssl_client_certificate /etc/nginx/certs/ca.crt;
ssl_verify_client on;
ssl_verify_depth 2;
access_log /var/log/nginx/stream-access.log basic;
error_log /var/log/nginx/stream-error.log debug;
}