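Client verification of the server certificate:

The HTTP request URL must be configured with a domain name.

1. First import the server certificate sever.cer into the project.

2. Then configure AFSecurityPolicy: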

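    self.manager = [AFHTTPRequestOperationManager manager];
    self.manager.responseSerializer = [[AFHTTPResponseSerializer alloc] init];
    [self.manager.requestSerializer setValue:@"iphone" forHTTPHeaderField:@"header-platform"];

    // Pin the server's public key against the .cer files bundled with the app
    self.manager.securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];
    // Accept a server certificate that does not chain to a system-trusted root (for example, self-signed)
    self.manager.securityPolicy.allowInvalidCertificates = YES;
    // Do not check the certificate's host name against the request domain
    self.manager.securityPolicy.validatesDomainName = NO;
    // Do not require every certificate in the server's chain to match a pinned one
    self.manager.securityPolicy.validatesCertificateChain = NO;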

The client iterates over the certificates bundled in the project and matches them against the server's certificate.
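What that public-key match amounts to, as an added example (not AFNetworking's code and not from the original post): the function and helper names are hypothetical, the pinned data is assumed to be the DER contents of sever.cer, and the code assumes iOS with ARC, where SecKeyRef values can be compared with isEqual:. It uses the Security calls of the NSURLConnection era, which later SDKs deprecate.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper: copy the public key out of a certificate.
// Returns NULL on failure; the caller releases the returned key.
static SecKeyRef CopyPublicKey(SecCertificateRef cert) {
    SecKeyRef key = NULL;
    SecTrustRef trust = NULL;
    SecPolicyRef policy = SecPolicyCreateBasicX509();
    if (SecTrustCreateWithCertificates(cert, policy, &trust) == errSecSuccess) {
        SecTrustResultType result;
        SecTrustEvaluate(trust, &result);   // evaluate first, then the key can be copied
        key = SecTrustCopyPublicKey(trust);
    }
    if (trust) CFRelease(trust);
    CFRelease(policy);
    return key;
}

// YES when a certificate in the chain the server presented carries the same
// public key as one of the pinned (bundled) certificates.
static BOOL ServerTrustMatchesPinnedKeys(SecTrustRef serverTrust, NSArray *pinnedDERs) {
    NSMutableArray *pinnedKeys = [NSMutableArray array];
    for (NSData *der in pinnedDERs) {
        SecCertificateRef pinned = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der);
        if (pinned == NULL) continue;       // not a DER-encoded certificate
        SecKeyRef key = CopyPublicKey(pinned);
        CFRelease(pinned);
        if (key) [pinnedKeys addObject:(__bridge_transfer id)key];
    }

    CFIndex count = SecTrustGetCertificateCount(serverTrust);
    for (CFIndex i = 0; i < count; i++) {
        // Get rule: the certificate is owned by serverTrust, so it is not released here
        SecCertificateRef cert = SecTrustGetCertificateAtIndex(serverTrust, i);
        SecKeyRef serverKey = CopyPublicKey(cert);
        if (serverKey == NULL) continue;
        BOOL match = [pinnedKeys containsObject:(__bridge id)serverKey];
        CFRelease(serverKey);
        if (match) return YES;
    }
    return NO;                              // no pinned key found: reject the server
}
```

A key match says nothing about the host name or the validity dates of the certificate; those are checked only when the trust is evaluated with an SSL policy for the requested host.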

Server verification of the client certificate: first import the certificate client.p12 into the server's keystore.

Then add the following method to AFURLConnectionOperation.m:

    - (OSStatus)extractIdentity:(CFDataRef)inP12Data :(SecIdentityRef *)identity {
        OSStatus securityError = errSecSuccess;

        // Replace the string with the password of your certificate
        CFStringRef password = CFSTR("你的证书密码");
        const void *keys[] = { kSecImportExportPassphrase };
        const void *values[] = { password };
        CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);

        // SecPKCS12Import allocates the result array itself
        CFArrayRef items = NULL;
        securityError = SecPKCS12Import(inP12Data, options, &items);

        if (securityError == errSecSuccess && items != NULL && CFArrayGetCount(items) > 0) {
            CFDictionaryRef ident = CFArrayGetValueAtIndex(items, 0);
            const void *tempIdentity = CFDictionaryGetValue(ident, kSecImportItemIdentity);
            if (tempIdentity != NULL) {
                // Retain so the identity outlives items; the caller releases it
                *identity = (SecIdentityRef)CFRetain(tempIdentity);
            }
        }

        if (items) {
            CFRelease(items);
        }
        if (options) {
            CFRelease(options);
        }
        return securityError;
    }

In AFURLConnectionOperation.m, replace the method

    - (void)connection:(NSURLConnection *)connection
    willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge

with

    - (void)connection:(NSURLConnection *)connection
    willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
    {
        NSString *method = challenge.protectionSpace.authenticationMethod;

        // Server trust challenge: keep evaluating the server with the AFSecurityPolicy configured in step 2
        if ([method isEqualToString:NSURLAuthenticationMethodServerTrust]) {
            SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
            if ([self.securityPolicy evaluateServerTrust:serverTrust forDomain:challenge.protectionSpace.host]) {
                [challenge.sender useCredential:[NSURLCredential credentialForTrust:serverTrust] forAuthenticationChallenge:challenge];
            } else {
                [challenge.sender cancelAuthenticationChallenge:challenge];
            }
            return;
        }
        // Only a client-certificate request is answered with the identity
        if (![method isEqualToString:NSURLAuthenticationMethodClientCertificate]) {
            [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
            return;
        }

        NSString *thePath = [[NSBundle mainBundle] pathForResource:@"client" ofType:@"p12"];
        NSLog(@"thePath===========%@", thePath);
        NSData *PKCS12Data = [[NSData alloc] initWithContentsOfFile:thePath];

        SecIdentityRef identity = NULL;
        // Extract the identity from the certificate
        if (PKCS12Data == nil ||
            [self extractIdentity:(__bridge CFDataRef)PKCS12Data :&identity] != errSecSuccess ||
            identity == NULL) {
            [challenge.sender cancelAuthenticationChallenge:challenge];
            return;
        }

        // Create a credential from the identity, then reply to the challenge with the credential
        NSURLCredential *credential = [NSURLCredential credentialWithIdentity:identity certificates:nil persistence:NSURLCredentialPersistencePermanent];
        CFRelease(identity);   // the credential keeps its own reference
        [challenge.sender useCredential:credential forAuthenticationChallenge:challenge];
    }

Two-way (mutual) authentication then works.