Since the advent of https, clients have placed increasing demands on network security, and since iOS 9 Apple has required apps to support https requests.
What is https, and how does it keep data secure?
Simply put, https is http + TLS/SSL: an additional layer on top of http that encrypts the information being exchanged. Traffic between the server and the client is encrypted by TLS, so the data in transit is encrypted and anyone who does not hold the private key cannot recover the real content of what is transmitted.
The https one-way verification process can be summarized as follows:
- The client initiates a request; the server responds by returning its certificate, which contains some basic information and the public key.
- The client verifies whether the certificate is valid; if it is not, the request is terminated.
- The client generates a random number to serve as the symmetric encryption key, encrypts it with the public key returned by the server, and sends it back to the server.
- The server receives the encrypted random number, decrypts it with its private key, and uses the decrypted random number (the symmetric key) to encrypt the data it needs to return. Once encrypted, the data is sent to the client.
- Finally, the client receives the encrypted data and decrypts it with the random number (symmetric key) generated at the start. The whole process is complete.
Of course, this is only one-way authentication. https also supports two-way authentication, which is only slightly more involved than one-way: it adds a step in which the server verifies the client.
So in AFNetworking we need to configure the self-signed certificate as follows:
// Path to the self-signed certificate in the bundle
NSString *certFilePath = [[NSBundle mainBundle] pathForResource:@"service" ofType:@"cer"];
// Load the self-signed certificate as binary data
NSData *certData = [NSData dataWithContentsOfFile:certFilePath];
// Put the binary data into an NSSet
NSSet *certSet = [NSSet setWithObject:certData];
/* AFSecurityPolicy instantiation method in AFNetworking
   First parameter:
     AFSSLPinningModeNone,        // no verification
     AFSSLPinningModePublicKey,   // verify only the public key
     AFSSLPinningModeCertificate, // verify the whole certificate
   Second parameter: the NSSet holding the binary certificate data */
AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate withPinnedCertificates:certSet];
// shareManager is an instance of a class inheriting from AFHTTPSessionManager
shareManager.securityPolicy = policy;
In this way, when a request is made and the self-signed server certificate has to be verified, the following method of the AFSecurityPolicy class is called:
- (BOOL)evaluateServerTrust:(SecTrustRef)serverTrust forDomain:(NSString *)domain
AFNetworking performs one-way verification in this method. If you need two-way verification, you also need to override this method to implement it. (Two-way verification is used more often in banking and similar apps.)
One problem that can occur when using a self-signed certificate in this method is at the line
[pinnedCertificates addObject:(__bridge_transfer id)SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certificateData)];
This line can add nil to the array, meaning the self-signed certificate could not be obtained: SecCertificateCreateWithData returns NULL when it cannot parse the data it is given.
Solution:
- Take the .crt certificate provided by the backend, change its suffix to .cer, and import it into the keychain.
- Then export the certificate from the keychain and drag it into the project, where it can be used directly.
The underlying cause is that the backend's self-signed certificate is base64-encoded and must be decoded to binary before it can be used.
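As an added example (not code from the original post or from AFNetworking itself), the following helper performs the base64-to-binary conversion described above in code and checks the result with the same SecCertificateCreateWithData call that AFSecurityPolicy uses, so a base64 (PEM) certificate never reaches the pinned set as nil; it also covers the pinning configuration shown earlier in the post. The names DERCertificateDataNamed and PinnedPolicyOrNil and the AFNetworking import path are assumptions.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <AFNetworking/AFNetworking.h> // assumed import path; adjust to how AFNetworking is integrated

// Hypothetical helper: load a pinned certificate from the bundle and return it as DER bytes.
// If the file is PEM text ("-----BEGIN CERTIFICATE-----" + base64), decode it to DER first.
// Returns nil if the data cannot be parsed, instead of letting nil reach the pinned set.
static NSData *DERCertificateDataNamed(NSString *name, NSBundle *bundle) {
    NSString *path = [bundle pathForResource:name ofType:@"cer"];
    NSData *raw = (path != nil) ? [NSData dataWithContentsOfFile:path] : nil;
    if (raw == nil) { return nil; }

    NSData *der = raw;
    // Binary DER will not decode as ASCII, so text stays nil and the PEM branch is skipped.
    NSString *text = [[NSString alloc] initWithData:raw encoding:NSASCIIStringEncoding];
    NSString *beginMarker = @"-----BEGIN CERTIFICATE-----";
    NSString *endMarker = @"-----END CERTIFICATE-----";
    if (text != nil && [text containsString:beginMarker]) {
        NSRange begin = [text rangeOfString:beginMarker];
        NSRange end = [text rangeOfString:endMarker];
        if (end.location == NSNotFound || end.location < NSMaxRange(begin)) { return nil; }
        NSRange bodyRange = NSMakeRange(NSMaxRange(begin), end.location - NSMaxRange(begin));
        NSString *body = [text substringWithRange:bodyRange];
        // Base64 body -> binary DER; the option makes the decoder skip the line breaks in the body.
        der = [[NSData alloc] initWithBase64EncodedString:body
                                                  options:NSDataBase64DecodingIgnoreUnknownCharacters];
        if (der == nil) { return nil; }
    }

    // Same call AFSecurityPolicy makes internally; NULL means the bytes are not a DER certificate.
    SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der);
    if (cert == NULL) { return nil; }
    CFRelease(cert);
    return der;
}

// Hypothetical helper: build the pinning policy only when the certificate parsed successfully.
// Callers should treat nil as a configuration error, not silently fall back to no pinning.
static AFSecurityPolicy *PinnedPolicyOrNil(NSString *certName) {
    NSData *der = DERCertificateDataNamed(certName, [NSBundle mainBundle]);
    if (der == nil) {
        NSLog(@"Pinned certificate '%@' is missing or not in DER form; pinning not configured", certName);
        return nil;
    }
    return [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate
                            withPinnedCertificates:[NSSet setWithObject:der]];
}

// Usage (shareManager as in the post):
// AFSecurityPolicy *policy = PinnedPolicyOrNil(@"service");
// if (policy != nil) { shareManager.securityPolicy = policy; }
```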
Summary:
Through this investigation of self-signed certificates we have gained a deeper understanding of https, and along the way read and understood the source code of AFSecurityPolicy in AFNetworking.
That is all for this article. I hope it is helpful to everyone's study, and I hope you will continue to support me.