我当前正在通过使用didReceiveChallenge回调将证书传递给服务器来移植用于执行客户端ssl身份验证的代码。
源实现使用Windows winhttp框架,当由于ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED而导致请求失败时,我只是根据服务器使用WinHttpQueryOption(request,
WINHTTP_OPTION_CLIENT_CERT_ISSUER_LIST, &IssuerList,&BuffSize))请求的颁发者列表在本地计算机中查找证书。
然后,我使用WinHttpSetOption(request, WINHTTP_OPTION_CLIENT_CERT_CONTEXT, certificate, sizeof(certificate))将此证书添加到服务器请求中,然后重新发送。
现在,我正在尝试使用AFNetworking框架在macOS中执行相同的功能。
因此,我遇到了带有挑战的回调didReceiveChallenge,它相当于Windows案例request。挑战在于携带正确的证书。
但是,我目前不知道如何根据挑战查找此证书。如何从“挑战”中获得发行人名单(相当于WINHTTP_OPTION_CLIENT_CERT_ISSUER_LIST)?
这是我当前在ObjectiveC中的实现:
-(void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential * _Nullable))completionHandler
{
// check if client side certificate is required by server.
if ([challenge.protectionSpace.authenticationMethod
isEqualToString:NSURLAuthenticationMethodClientCertificate]) {
NSData *p12data = [NSData dataWithContentsOfFile:@"/tmp/client.p12"];
CFDataRef inP12data = (__bridge CFDataRef)p12data;
// here I get the trust and identity from the p12 file
SecIdentityRef myIdentity;
SecTrustRef myTrust;
extractIdentityAndTrust(inP12data, &myIdentity, &myTrust);
//now I need to find the right certificate according to what server is asking for ...
}
}