如何在Swift中将证书固定添加到NSURLSession?
OWASP website仅包含Objective-C和NSURLConnection的示例.
Swift 3更新:
只需为NSURLSessionDelegate定义一个委托类并实现didReceiveChallenge函数(此代码改编自objective-c OWASP示例):
- class NSURLSessionPinningDelegate: NSObject,URLSessionDelegate {
- func urlSession(_ session: URLSession,didReceive challenge: URLAuthenticationChallenge,completionHandler: @escaping (URLSession.AuthChallengeDisposition,URLCredential?) -> Swift.Void) {
- // Adapted from OWASP https://www.owasp.org/index.PHP/Certificate_and_Public_Key_Pinning#iOS
- if (challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust) {
- if let serverTrust = challenge.protectionSpace.serverTrust {
- var secresult = SecTrustResultType.invalid
- let status = SecTrustEvaluate(serverTrust,&secresult)
- if(errSecSuccess == status) {
- if let serverCertificate = SecTrustGetCertificateAtIndex(serverTrust,0) {
- let serverCertificateData = SecCertificateCopyData(serverCertificate)
- let data = CFDataGetBytePtr(serverCertificateData);
- let size = CFDataGetLength(serverCertificateData);
- let cert1 = NSData(bytes: data,length: size)
- let file_der = Bundle.main.path(forResource: "certificateFile",ofType: "der")
- if let file = file_der {
- if let cert2 = NSData(contentsOfFile: file) {
- if cert1.isEqual(to: cert2 as Data) {
- completionHandler(URLSession.AuthChallengeDisposition.useCredential,URLCredential(trust:serverTrust))
- return
- }
- }
- }
- }
- }
- }
- }
- // Pinning Failed
- completionHandler(URLSession.AuthChallengeDisposition.cancelAuthenticationChallenge,nil)
- }
- }
(你可以找到一个Gist for Swift 2 here – from the initial answer)
然后使用openssl为您的网站创建.der文件
- openssl s_client -connect my-https-website.com:443 -showcerts < /dev/null | openssl x509 -outform DER > my-https-website.der
并将其添加到xcode项目中.仔细检查它是否存在于“复制包资源”列表中的“构建阶段”选项卡中.否则将其拖放到此列表中.
最后在您的代码中使用它来发出URL请求:
- if let url = NSURL(string: "https://my-https-website.com") {
- let session = URLSession(
- configuration: URLSessionConfiguration.ephemeral,delegate: NSURLSessionPinningDelegate(),delegateQueue: nil)
- let task = session.dataTask(with: url as URL,completionHandler: { (data,response,error) -> Void in
- if error != nil {
- print("error: \(error!.localizedDescription): \(error!)")
- } else if data != nil {
- if let str = NSString(data: data!,encoding: String.Encoding.utf8.rawValue) {
- print("Received data:\n\(str)")
- } else {
- print("Unable to convert data to text")
- }
- }
- })
- task.resume()
- } else {
- print("Unable to create NSURL")
- }
