use*_*040 2 truststore ios socketrocket
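I am currently using SocketRocket as the WebSocket implementation for my iOS application and would like to pin my server's CA as a trusted certificate with the SR_SSLPinnedCertificates property. I am looking for a good example of loading one or more certificates to pass into SocketRocket. I have the following code working, but I'm not sure whether it is correct or whether there is a more straightforward approach.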
CFArrayRef keyref = NULL;
NSString *path = [[NSBundle mainBundle] pathForResource:@"certificate" ofType:@"p12"];
NSData *data = [[NSData alloc] initWithContentsOfFile:path];
// Import the PKCS#12 bundle; on success keyref holds an array of imported items.
OSStatus status = SecPKCS12Import((__bridge CFDataRef)data, (__bridge CFDictionaryRef)[NSDictionary dictionaryWithObject:@"eftl_key_pass" forKey:(__bridge id)kSecImportExportPassphrase], &keyref);
if (status == noErr) {
    // The first item's dictionary carries the identity (certificate plus private key).
    CFDictionaryRef identityDict = CFArrayGetValueAtIndex(keyref, 0);
    SecIdentityRef identityRef = (SecIdentityRef)CFDictionaryGetValue(identityDict, kSecImportItemIdentity);
    SecCertificateRef certRef = NULL;
    // Copy the certificate out of the identity; the copy must be released by its owner.
    SecIdentityCopyCertificate(identityRef, &certRef);
}
So, to do certificate pinning with SocketRocket:
First, we need to initialize SocketRocket from an NSURLRequest, rather than from an NSURL.
NSURL *url = [[NSURL alloc] initWithString:@"wss://path-to-socket:1234"];
NSMutableURLRequest *request = [[NSMutableURLRequest alloc] initWithURL:url];
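Then, let's set up the certificate. Your certificate must be in binary DER format, not base64-encoded PEM. The certificate file should be in your main bundle.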
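NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"myOwnCertificate" ofType:@"cer"];
NSData *certData = [[NSData alloc] initWithContentsOfFile:cerPath];
CFDataRef certDataRef = (__bridge CFDataRef)certData;
// Returns NULL if the data is not a DER-encoded X.509 certificate (for example, a PEM file).
SecCertificateRef certRef = SecCertificateCreateWithData(NULL, certDataRef);
// Hand ownership of the created reference to ARC so it is not leaked.
id certificate = (__bridge_transfer id)certRef;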
Then we set the request's pinned certificates to an array containing only the one we set up earlier.
[request setSR_SSLPinnedCertificates:@[certificate]];
Now we can finalize the socket.
SRWebSocket *socket = [[SRWebSocket alloc] initWithURLRequest:request];
[socket open];
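
An added example, not part of the original answer or of SocketRocket: a helper that loads one or more bundled certificates for SR_SSLPinnedCertificates. It goes beyond the DER-only case above by also accepting PEM files (decoding them to DER first), and it returns nil if any certificate is missing or fails to parse. The function name PinnedCertificatesNamed is hypothetical.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper, not part of SocketRocket. Loads <name>.cer resources from
// the main bundle and returns an array for SR_SSLPinnedCertificates, or nil if
// any file is missing or unparsable, so a partial pin set is never used.
static NSArray *PinnedCertificatesNamed(NSArray<NSString *> *names) {
    NSData *begin = [@"-----BEGIN CERTIFICATE-----" dataUsingEncoding:NSASCIIStringEncoding];
    NSData *end = [@"-----END CERTIFICATE-----" dataUsingEncoding:NSASCIIStringEncoding];
    NSMutableArray *pinned = [NSMutableArray array];

    for (NSString *name in names) {
        NSString *path = [[NSBundle mainBundle] pathForResource:name ofType:@"cer"];
        NSData *der = path ? [NSData dataWithContentsOfFile:path] : nil;
        if (der == nil) {
            NSLog(@"Pinned certificate %@.cer is not in the main bundle", name);
            return nil;
        }

        // A PEM file is base64 DER between BEGIN/END markers; decode it to DER.
        NSRange head = [der rangeOfData:begin options:0 range:NSMakeRange(0, der.length)];
        if (head.location != NSNotFound) {
            NSUInteger start = NSMaxRange(head);
            NSRange tail = [der rangeOfData:end options:0
                                      range:NSMakeRange(start, der.length - start)];
            if (tail.location == NSNotFound) return nil;  // truncated PEM
            NSData *b64 = [der subdataWithRange:NSMakeRange(start, tail.location - start)];
            der = [[NSData alloc] initWithBase64EncodedData:b64
                        options:NSDataBase64DecodingIgnoreUnknownCharacters];
        }

        // SecCertificateCreateWithData returns NULL unless given DER-encoded X.509.
        SecCertificateRef cert =
            der ? SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der) : NULL;
        if (cert == NULL) {
            NSLog(@"%@.cer is not a valid X.509 certificate", name);
            return nil;
        }
        [pinned addObject:(__bridge_transfer id)cert];  // ARC now owns the reference
    }
    return pinned.count > 0 ? [pinned copy] : nil;
}

// Usage with the request built above (do not open the socket when pins is nil):
//   NSArray *pins = PinnedCertificatesNamed(@[@"myOwnCertificate"]);
//   if (pins != nil) { [request setSR_SSLPinnedCertificates:pins]; }
```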