#####
推荐使用Pod导入,方便库管理
pod 'AFNetworking'
推荐使用继承自AFHTTPSessionManager创建单例方法
// // NHAFEngine.h // NHCerSecurityPro // // Created by hu jiaju on 15/7/30. // Copyright (c) 2015年 hu jiaju. All rights reserved. // #import <AFNetworking/AFNetworking.h> @interface NHAFEngine : AFHTTPSessionManager /** * @brief network engine singleton * * @return instance */ + (NHAFEngine *)share;
3.0之前版本:
/** * @brief cancel a request * * @param path the request's path */ - (void)cancelRequestForpath:(NSString *)path { NSArray *operations = [[self operationQueue] operations]; NSUInteger count = [operations count]; if (operations && count) { for (NSOperation *operator in operations) { AFHTTPRequestOperation *requestOperation = (AFHTTPRequestOperation *)operator; NSURLRequest *request = [requestOperation request]; NSURL *url = [request URL]; NSString *urlString = [url absoluteString]; NSString *urlPath = [url path]; if ([urlPath isEqualToString:path] || [urlString rangeOfString:path].location != NSNotFound) { [requestOperation cancel]; NSLog(@"request path :%@ canceld!",url.path); } } } }
3.0之后版本(目前3.x版本弃用了NSURLConnection类等,详见官方)
/** * @brief cancel a request * * @param path the request's path */ - (void)cancelRequestForpath:(NSString *)path { NSArray *dataTasks = self.dataTasks; for (NSURLSessionDataTask *task in dataTasks) { NSURLRequest *request = task.originalRequest; NSURL *url = [request URL]; NSString *urlString = [url absoluteString]; NSString *urlPath = [url path]; if ([urlPath isEqualToString:path] || [urlString rangeOfString:path].location != NSNotFound) { [task cancel]; NSLog(@"request path :%@ canceld!",url.path); } } }
其他用法方法详见例子
#####
工具包在PROJECT_DIR->同名文件夹->Security,实现加密方法:1.AES随机秘钥生成
2.AES加解密
3.RSA加解密
4.RSA签名、验签
由于我们CA购买时仅支持单向认证,所以不再介绍单向认证,这里以自签名(self-signed)Certificate为例说明(原理不再介绍 网上很多)
1.生成CA私钥和自签名证书
->step 1>准备
> cd/etc/pki/CA
> touch serial
> touchindex.txt
> echo"00" > serial
->step 2>生成CA私钥
> cd/etc/pki/CA/private
> openssl genrsa -out cakey.pem 2048
->step 3>生成CA自签名证书,再生成一个DER格式的证书为iOS做准备
> cd/etc/pki/CA
> openssl req -new –x509 –key private/cakey.pem –out cacert.pem –days 3650
> openssl x509 -in cacert.pem -outform DER -out ca.cer
2.生成服务器私钥和证书
->step 1>找到一个合适存放私钥的目录文件夹
> cd/home/ssl/server
->step 2>生成服务器私钥
> openssl genrsa -out server-key.pem 2048
->step 3>生成服务器证书请求
> openssl req -new -key server-key.pem -out server-req.csr -days 3650
->step 4>生成服务器证书(由本地CA签发),再生成一个DER格式的证书为iOS做准备
> openssl ca -in server-req.csr -out server-cert.pem -days 3650
> openssl x509 -in server-cert.pem -outform DER -out server.cer
3.生成客户端私钥和证书
->step 1>找到一个合适存放客户端私钥的目录文件夹
> cd/home/ssl/client
->step 2>生成客户端私钥
> openssl genrsa -out client-key.pem 2048
->step 3>生成客户端证书请求
> openssl req -new -key client-key.pem -out client-req.csr -days 3650
->step 4>生成客户端证书(由本地CA签发)
> openssl ca -in client-req.csr -out client -cert.pem -days 3650
->step 5>将证书转换为DER和p12格式(p12文件用来安全分发客户端证书,一般需要密码保护,此密码会在客户端使用)
> openssl x509 -in client-cert.pem -outform DER -out client.cer
> openssl pkcs12 -export -clcerts -in client-cert.pem -inkey client-key.pem -out client.p12
打开/etc/nginx/nginx.conf,在Server配置中增加以下内容:
listen 443;
ssl on;
ssl_certificate /home/ssl/server/server-cert.pem;
ssl_certificate_key /home/ssl/server/server-key.pem;
ssl_client_certificate /etc/pki/CA/cacert.pem;
ssl_session_timeout 5m;
ssl_verify_client on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
1.工程配置及资源
->step 1>info.pist配置(iOS9.x+)
因为是自签名证书。所以需要设置ATS(APP Transition Security),相关设置自行解决
->step 2>资源配置
将在服务器上生成的服务器证书server.cer和客户端P12文件client.p12拷贝到本地,加入到工程的Bundle Resource里
->step 3>代码实现
代码较长,详见示例
1.设置完ATS后,在设置AFSecurityPolicy时要将ValidatesDomainName属性设置为false,否则验证失败
1.iOS7及之前:
可以子类化NSURLProtocol,在这里处理证书认证问题
2.iOS8.0+及之后
iOS8.0之后UIWebView不再自动捕获Protocol,所以可以通过NSURLSession或NSURLConnection进行手动处理(依各人喜好),详见示例
nanhujiaju@gmail.com