0

私はいくつかのコントローラが独自の接続と完全に動作するデータを管理しています。私は単に、コードの重複を避けるために、canAuthenticateAgainstProtectionSpaceとdidReceiveAuthenticationChallengeを一元化したいと考えています。NSURLConnection認証集中コントローラ

私はクラスを無効にしようとしましたが、成功しませんでした。

クラスとプロトコル:

#import <Foundation/Foundation.h> 

@protocol SSLPiningDelegate; 

@interface SSLPiningDelegate : NSURLConnection <NSURLConnectionDelegate> 
{ 
    id<SSLPiningDelegate> delegate; 
} 

@property (nonatomic,assign) id<SSLPiningDelegate> delegate; 

@end 



@protocol SSLPiningDelegate <NSURLConnectionDelegate> 
@optional 
-(id)initWithDelegate:(id)delegate; 
- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace; 
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge; 

@end 

コード:

#import "SSLPiningDelegate.h" 


@interface SSLPiningDelegate() 
{ 
    CFArrayRef caChainArrayRef; 
    BOOL checkHostname; 

} 


@end 

@implementation SSLPiningDelegate 

-(id)initWithDelegate:(id)delegate { 
    //CGRect rect = [[UIScreen mainScreen] bounds]; 
    if ((self = [super init])) { 
     _delegate = delegate; 
    } 
    return self; 
} 

- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace { 

    return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]; 
} 

- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge { 

    // TODO manage this correctly 
    checkHostname = YES; 

    NSString * derCaPath; 
    NSMutableArray * chain = [NSMutableArray array]; 

    for(int i=0; i<= 3; i++) 
    { 
     if (i==0) 
      derCaPath = [[NSBundle mainBundle] pathForResource:@"xxx" ofType:@"cer"]; 
     else if (i==1) 
      derCaPath = [[NSBundle mainBundle] pathForResource:@"comodorsacertificationauthority" ofType:@"cer"]; 
     else if (i==2) 
      derCaPath = [[NSBundle mainBundle] pathForResource:@"xxx" ofType:@"cer"]; 
     else 
      derCaPath = [[NSBundle mainBundle] pathForResource:@"xxx" ofType:@"cer"]; 

     NSData *derCA = [NSData dataWithContentsOfFile:derCaPath]; 

     SecCertificateRef caRef = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)derCA); 

     [chain addObject:(__bridge id)(caRef)]; 
    } 


    caChainArrayRef = CFBridgingRetain(chain); 
    NSLog(@"Loading::didReceiveAuthenticationChallenge --- chain of trust length %lu", (unsigned long)[chain count]); 

    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) 
    { 
     SecTrustRef trust = nil; 
     SecTrustResultType result = kSecTrustResultInvalid; 
     OSStatus err = errSecSuccess; 

     { 
      NSLog(@"Chain received from the server (working 'up'):"); 
      CFIndex certificateCount = SecTrustGetCertificateCount(challenge.protectionSpace.serverTrust); 
      for(int i = 0; i < certificateCount; i++) { 
       SecCertificateRef certRef = SecTrustGetCertificateAtIndex(challenge.protectionSpace.serverTrust, i); 
       CFStringRef str = SecCertificateCopySubjectSummary(certRef); 
       NSLog(@" %02i: %@", 1+i, str); 
       CFRelease(str); 
      } 

      NSLog(@"Local Roots we trust:"); 
      for(int i = 0; i < CFArrayGetCount(caChainArrayRef); i++) { 
       SecCertificateRef certRef = (SecCertificateRef) CFArrayGetValueAtIndex(caChainArrayRef, i); 
       CFStringRef str = SecCertificateCopySubjectSummary(certRef); 
       NSLog(@" %02i: %@", 1+i, str); 
       CFRelease(str); 
      } 
     } 

     if (checkHostname) { 
      // We use the standard Policy of SSL - which also checks hostnames. 
      // -- see SecPolicyCreateSSL() for details. 
      // 
      trust = challenge.protectionSpace.serverTrust; 
      // 
#if DEBUG 
      NSLog(@"The certificate is expected to match '%@' as the hostname", 
        challenge.protectionSpace.host); 
#endif 
     } 
     else { 
      // Create a new Policy - which goes easy on the hostname. 
      // 

      // Extract the chain of certificates provided by the server. 
      // 
      CFIndex certificateCount = SecTrustGetCertificateCount(challenge.protectionSpace.serverTrust); 
      NSMutableArray * chain = [NSMutableArray array]; 

      for(int i = 0; i < certificateCount; i++) { 
       SecCertificateRef certRef = SecTrustGetCertificateAtIndex(challenge.protectionSpace.serverTrust, i); 
       [chain addObject:(__bridge id)(certRef)]; 
      } 

      for(int i = 0; i < CFArrayGetCount(caChainArrayRef); i++) { 
       SecCertificateRef certRef = (SecCertificateRef) CFArrayGetValueAtIndex(caChainArrayRef, i); 
       [chain addObject:(__bridge id)(certRef)]; 
      } 


      // And create a bland policy which only checks signature paths. 
      // 
      if (err == errSecSuccess) 
       err = SecTrustCreateWithCertificates((__bridge CFArrayRef)(chain), 
                SecPolicyCreateBasicX509(), &trust); 
#if DEBUG 
      NSLog(@"The certificate is NOT expected to match the hostname '%@' ", 
        challenge.protectionSpace.host); 
#endif 
     } 

     // Explicity specify the list of certificates we actually trust (i.e. those I have hardcoded 
     // in the app - rather than those provided by some randon server on the internet). 
     // 
     if (err == errSecSuccess) 
      err = SecTrustSetAnchorCertificates(trust,caChainArrayRef); 

     // And only use above - i.e. do not check the system its global keychain or something 
     // else the user may have fiddled with. 
     // 
     if (err == errSecSuccess) 
      err = SecTrustSetAnchorCertificatesOnly(trust, YES); 

     if (err == errSecSuccess) 
      err = SecTrustEvaluate(trust, &result); 

     if (err == errSecSuccess) { 
      switch (result) { 
       case kSecTrustResultProceed: 
        // User gave explicit permission to trust this specific 
        // root at some point (in the past). 
        // 
        NSLog(@"GOOD. kSecTrustResultProceed - the user explicitly trusts this CA"); 
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust] 
         forAuthenticationChallenge:challenge]; 
        goto done; 
        break; 
       case kSecTrustResultUnspecified: 
        // The chain is technically valid and matches up to the root 
        // we provided. The user has not had any say in this though, 
        // hence it is not a kSecTrustResultProceed. 
        // 
        NSLog(@"GOOD. kSecTrustResultUnspecified - So things are technically trusted. But the user was not involved."); 
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust] 
         forAuthenticationChallenge:challenge]; 
        goto done; 
        break; 
       case kSecTrustResultInvalid: 
        NSLog(@"FAIL. kSecTrustResultInvalid"); 
        break; 
       case kSecTrustResultDeny: 
        NSLog(@"FAIL. kSecTrustResultDeny (i.e. user said no explicitly)"); 
        break; 
       case kSecTrustResultFatalTrustFailure: 
        NSLog(@"FAIL. kSecTrustResultFatalTrustFailure"); 
        break; 
       case kSecTrustResultOtherError: 
        NSLog(@"FAIL. kSecTrustResultOtherError"); 
        break; 
       case kSecTrustResultRecoverableTrustFailure: 
        NSLog(@"FAIL. kSecTrustResultRecoverableTrustFailure (i.e. user could say OK, but has not been asked this)"); 
        break; 
       default: 
        NSAssert(NO,@"Unexpected result: %d", result); 
        break; 
      } 
      // Reject. 
      [challenge.sender cancelAuthenticationChallenge:challenge]; 
      goto done; 
     }; 

     //CFStringRef str =SecCopyErrorMessageString(err,NULL); 
     //NSLog(@"Internal failure to validate: result %@", str); 
     //CFRelease(str); 

     [[challenge sender] cancelAuthenticationChallenge:challenge]; 

    done: 
     if (!checkHostname) 
      CFRelease(trust); 
     return; 
    } 
    // In this example we can cancel at this point - as we only do 
    // canAuthenticateAgainstProtectionSpace against ServerTrust. 
    // 
    // But in other situations a more gentle continue may be appropriate. 
    // 
    // [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge]; 

    NSLog(@"Not something we can handle - so we're canceling it."); 
    [challenge.sender cancelAuthenticationChallenge:challenge]; 
} 


@end 

私は、コントローラに

#import <UIKit/UIKit.h> 
#import "TagUIViewControllerLoading.h" 
#import <Foundation/Foundation.h> 
#import "SSLPiningDelegate.h" 

@interface Loading : TagUIViewControllerLoading <SSLPiningDelegate> 

を宣言しかし、デリゲートが呼び出されることはありません。

何か助けが歓迎されるでしょう。

答えて

0

実際、私は3番目のレベル(デリゲートを持つコントローラのビルドを呼び出すコントローラ)でデリゲートしようとしていました。 2番目のコントローラレベルで囲まれたコードは完全に動作しています。