• 设为首页
  • 点击收藏
  • 手机版
    手机扫一扫访问
    迪恩网络手机版
  • 关注官方公众号
    微信扫一扫关注
    迪恩网络公众号

ios - 使用客户端证书和 secp512r1 的 TLS 1.2 连接失败

[复制链接]
菜鸟教程小白 发表于 2022-12-11 18:53:51 | 显示全部楼层 |阅读模式 打印 上一主题 下一主题

我正在尝试实现双向 TLS 连接。这是流程:

  • 我生成 csr 请求(使用椭圆曲线 key ,secp512r1)
  • 向服务器发送签名请求并接收公钥证书作为响应
  • 我使用在步骤 2 中收到的公钥证书和我的 ECC secp512r1 私钥制作 p12 证书。我将它保存为 Documents 中的“ca.p12”文件
  • 当我收到 NSURLAuthenticationMethodClientCertificate 挑战时,我会使用此证书中的凭据解决它
  • Get Error Domain=NSURLErrorDomain Code=-1200 "发生 SSL 错误,无法与服务器建立安全连接。"

在检查服务器和客户端之间的流量时,它似乎是客户端问题。

问题:

  1. iOS 9/10 是否支持 TLS 握手中的椭圆曲线键 secp512r1?
  2. 我错过了什么重要的事情吗?

任何想法,建议都非常感谢。谢谢。

public func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Swift.Void) {

//server trust works fine
if (challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust) {
    if (self.shouldTrustProtectionSpace(space: challenge.protectionSpace)) {
        completionHandler(.useCredential, URLCredential(trust: challenge.protectionSpace.serverTrust!))
    }
}
//This one causes the issue
else if (challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate) {
    let identityAndTrust: IdentityAndTrust = self.extractIdentity()

    let urlCredential: URLCredential = URLCredential(
        identity: identityAndTrust.identityRef,
        certificates: identityAndTrust.certArray as? [AnyObject],
        persistence: URLCredential.Persistence.forSession)
        completionHandler(.useCredential, urlCredential)
    }
}

struct IdentityAndTrust {
    var identityRef: SecIdentity
    var trust: SecTrust
    var certArray: AnyObject
}

func extractIdentity() -> IdentityAndTrust {
    var identityAndTrust: IdentityAndTrust!
    var securityError: OSStatus = errSecSuccess

    var path = NSSearchPathForDirectoriesInDomains(.documentDirectory, .userDomainMask, true)[0] as String
    path = path + "/ca.p12"
    //let path: String = NSBundle.mainBundle().pathForResource("client", ofType: "p12")!
    let PKCS12Data = NSData(contentsOfFile:path)!
    let key: NSString = kSecImportExportPassphrase as NSString
    let options: NSDictionary = [key : "123"]
    //create variable for holding security information
    //var privateKeyRef: SecKeyRef? = nil

    var items: CFArray?

    securityError = SecPKCS12Import(PKCS12Data, options, &items)

    if securityError == errSecSuccess {
        let certItems: CFArray = items as CFArray!
        let certItemsArray: Array = certItems as Array
        let dict: AnyObject? = certItemsArray.first
        if let certEntry: Dictionary = dict as? Dictionary<String, AnyObject> {

            // grab the identity
            let identityPointer: AnyObject? = certEntry["identity"]
            let secIdentityRef: SecIdentity = identityPointer as! SecIdentity!
            print("\(identityPointer)  :::: \(secIdentityRef)")
            // grab the trust
            let trustPointer: AnyObject? = certEntry["trust"]
            let trustRef: SecTrust = trustPointer as! SecTrust
            print("\(trustPointer)  :::: \(trustRef)")

            // grab the certificate chain
            var certRef: SecCertificate?
            SecIdentityCopyCertificate(secIdentityRef, &certRef)
            let certArray: NSMutableArray = NSMutableArray()

            let reader = DmailReader.sharedReader
            let caCertString = reader.getCACert()
            let cerData = X509Utility.der(fromData: caCertString)

            let convertedData = cerData as! CFData
            let caCert = SecCertificateCreateWithData(nil, convertedData)
            certArray.add(certRef as SecCertificate!)
            certArray.add(caCert!)

            identityAndTrust = IdentityAndTrust(identityRef: secIdentityRef, trust: trustRef, certArray:  certArray)
        }
    }
    return identityAndTrust
}



Best Answer-推荐答案


服务器似乎使用证书链响应了我的 csr 请求:一个客户端证书和一个中间证书。我只解析了第一个,显然跳过了中间。

 /*identity only contains client cert. Certificates is the array of intermediate certificates (in my case its 1, can be more)*/
 NSURLCredential *credential = [[NSURLCredential alloc]initWithIdentity:identity
                                                           certificates:certificates
                                                            persistence:NSURLCredentialPersistencePermanent];

然后传入 urlSession:didReceiveChallenge:completionHandler:

completionHandler(.useCredential, urlCredential)

关于ios - 使用客户端证书和 secp512r1 的 TLS 1.2 连接失败,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/42141722/

回复

使用道具 举报

懒得打字嘛,点击右侧快捷回复 【右侧内容,后台自定义】
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

关注0

粉丝2

帖子830918

发布主题
阅读排行 更多
广告位

扫描微信二维码

查看手机版网站

随时了解更新最新资讯

139-2527-9053

在线客服(服务时间 9:00~18:00)

在线QQ客服
地址:深圳市南山区西丽大学城创智工业园
电邮:jeky_zhao#qq.com
移动电话:139-2527-9053

Powered by 互联科技 X3.4© 2001-2213 极客世界.|Sitemap