I'm using GCD AsyncSocket to create client application to connect to server java create by SSLServer Socket with self-sign certificate. With one way authentication, I can init SSL socket and communication well. But with two way authentication, I don't know how to implement it. At iOS client, I will have a client's certificate and server will trust client base on this certificate. I can read certificate from .p12 file well too. Many thanks to any advice.
Asked
Active
Viewed 1,233 times
1 Answers
0
After many lucky process. It was resolved. With server andoird and client android follow in this tutorial : http://www.herongyang.com/JDK/SSL-Client-Authentication.html With 2 way authentication. Server will require client's certificate. You can call this at didConnectToHost delegate. NSMutableDictionary *sslSettings = [[NSMutableDictionary alloc] init];
SecIdentityRef identityout; // You can get SecIdentityRef object from *.p12 keystore file. SSL Socket Server will authentication client base on this certificate. At server side, we will add client's certificate to trust manager.
[sslSettings setObject:@0 forKey:GCDAsyncSocketSSLProtocolVersionMax];
[sslSettings setObject:@YES forKey:GCDAsyncSocketManuallyEvaluateTrust]; // This will call a delegate method socket:(GCDAsyncSocket *)sock didReceiveTrust: ...
[sslSettings setObject:[[NSArray alloc] initWithObjects:(__bridge id)(identityout), nil] forKey:GCDAsyncSocketSSLCertificates];
[self.asyncSocket startTLS:sslSettings];
At didReceiveTrust:(SecTrustRef)trust completionHandler:(void (^)(BOOL))completionHandler. Client will authenticate Server's certificate manual.
You can get server's certificate with this code: SecCertificateRef serverCertificate = SecTrustGetCertificateAtIndex(trust, 0);
With self-sign certificate, you must add Server's certificate to keychain and check the Server's certificate with SecTrustEvaluate method. Or you can Compare server certificate and saved in this way:
SecCertificateRef serverCertificate = SecTrustGetCertificateAtIndex(trust, 0); SecCertificateRef savedCertificate = SecTrustGetCertificateAtIndex(self.saveServerTrust, 0);
NSLog(@"Server's certificate subject: %@",summaryString);
NSLog(@"Saved certificate subject: %@",summaryString1);
if(nil == serverCertificate || nil == savedCertificate)
NSLog(@"Faile");
CFDataRef serverCertificateData = SecCertificateCopyData(serverCertificate);
CFDataRef saveCertificateData = SecCertificateCopyData(savedCertificate);
const UInt8* const serverData = CFDataGetBytePtr(serverCertificateData);
const CFIndex serverDataSize = CFDataGetLength(serverCertificateData);
NSData* cert1 = [NSData dataWithBytes:serverData length:(NSUInteger)serverDataSize];
const UInt8* const SaveCertificateData = CFDataGetBytePtr(saveCertificateData);
const CFIndex SaveCertificateDataSize = CFDataGetLength(serverCertificateData);
NSData* cert2= [NSData dataWithBytes:SaveCertificateData length:(NSUInteger)SaveCertificateDataSize];
if (cert1 == nil || cert2 == nil) {
NSLog(@"Certificate NULL");
completionHandler(NO);
return;
}
const BOOL equal = [cert1 isEqualToData:cert2];
if (equal) {
NSLog(@"Certificate match");
completionHandler(YES);
}
else{
NSLog(@"Certificate not match");
completionHandler(NO);
}`
duong dang
- 11
- 5
-
Hi, could you take a look at this thread? http://stackoverflow.com/questions/42773518/gcdasyncsocket-with-client-authentication – LoveMeSomeFood Mar 13 '17 at 21:15