这两天一直在研究如何用UIWebView访问HTTPS站点,试过很多方法,但都有这样那样的缺陷,下面简单分享一下,希望各位提点意见:
1。调用私有API
最简单,也最危险的方法,调用 setAllowsAnyHTTPSCertificate:forHost ,后果怎么样就不用我说了吧。
2. libCurl
这是一个开源项目,用C语言写的URL转换库,是基于于openssl的,可以支持目前大部分的URL,包括DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET 和 TFTP,而且用这个不会使用苹果禁止的私有API,所以可以顺利通过App Store的审核。 但是有一个问题,就是要自己编译libcurl和openssl
的两个静态库,其中的配置比较麻烦,不熟悉在unix环境下编译静态库的朋友们可能就会皱眉头了。这有两个链接,可以参考 :
http://www.therareair.com/2009/01/01/tutorial-how-to-compile-openssl-for-the-iphone/
http://www.yifeiyang.net/iphone-web-development-skills-of-the-article-5-https-server-using-libcurl-to-connect/
编译成功后,将libcurl引入工程,再加上下面这些代码,就可以顺利访问HTTPS站点了
/*************** 调用libcurl 访问HTTPS站点 ****************
const char *urlstring=[homeUrl cStringUsingEncoding:NSUTF8StringEncoding];
CURL *curl;
CURLcode res;
char* buffer;
int buflen=1024;
size_t* n;
curl = curl_easy_init();
if (curl) {
curl_easy_setopt(curl, CURLOPT_URL, "https://10.20.7.236/login.aspx?ReturnUrl=%2f");
//curl_easy_setopt(curl, CURLOPT_URL, urlstring);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
res = curl_easy_perform(curl);
if (0 != res) {
fprintf(stderr, "curl error: %d\n", res);
}
//res=curl_easy_recv(curl, buffer, buflen, n);
//printf("%s",buffer);
curl_easy_cleanup(curl);
}
*****************************************************/
通过联机调试在我的ipod上成功的访问到了HTTPS站点,在控制台中可以看到网页的内容,剩下的就是如何把这些内容存到一个字符数组里面,再通过调用UIwebView的loadHTMLString方法,就可以显示内容了, 不过最后这一步我还没有找到方法,希望有兴趣的朋友可以帮我解决这个问题。
3。ASIHTTPRequest
这个开源项目也是流行很久了, 但是一般都是用来替代NSURLConnection,其实里面的功能还是挺强大的,只是对于HTTPS访问这一块我有点不太满意,
里面有一个方法,是可以直接忽略证书验证的,
disabling secure certificate validation
You may wish to use this for testing purposes if you have a self-signed secure certificate. I recommend purchasing a certificate from a trusted certificate authority and leaving certificate validation turned on for production applications.
[request setValidatesSecureCertificate:NO];
但是这样做有一点危险,如果是放在企业环境里部署的话,那外面的人都可以访问内部的网站了,SSL这一层就形同虚设。所以我又找了一下,发现他还有另一个方法,可以设置客户端的证书:
Client certificates support
If your server requires the use of client certificates, as of v1.8 it is now possible to send them with your request.
// Will send the certificate attached to the identity (identity is a SecIdentityRef)
[request setClientCertificateIdentity:identity];
// Add an additional certificate (where cert is a SecCertificateRef)
[request setClientCertificates:[NSArray arrayWithObject:(id)cert]];
There is a helper function in 'ClientCertificateTests.m' in the iPhone / iPad sample app that can create a SecIdentityRef from PKCS12 data (this function only works on iOS).
这个方法需要把p12文件放进工程里面,然后调用[ClientCertificateTest extractIdentity:&identity andTrust:&trust fromPKCS12Data:PKCS12Data]; 来获取identity
,这个方法是这样的
+ (BOOL)extractIdentity:(SecIdentityRef *)outIdentity andTrust:(SecTrustRef*)outTrust fromPKCS12Data:(NSData *)inPKCS12Data
{
OSStatus securityError = errSecSuccess;
NSDictionary *optionsDictionary = [NSDictionary dictionaryWithObject:@"" forKey:(id)kSecImportExportPassphrase];
CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
securityError = SecPKCS12Import((CFDataRef)inPKCS12Data,(CFDictionaryRef)optionsDictionary,&items);
if (securityError == 0) {
CFDictionaryRef myIdentityAndTrust = CFArrayGetValueAtIndex (items, 0);
const void *tempIdentity = NULL;
tempIdentity = CFDictionaryGetValue (myIdentityAndTrust, kSecImportItemIdentity);
*outIdentity = (SecIdentityRef)tempIdentity;
const void *tempTrust = NULL;
tempTrust = CFDictionaryGetValue (myIdentityAndTrust, kSecImportItemTrust);
*outTrust = (SecTrustRef)tempTrust;
} else {
NSLog(@"Failed with error code %d",(int)securityError);
return NO;
}
return YES;
}
这个方法需要引用到Security.framework这个框架(我第一次没有引用,结果报错,我想官方的东西怎么还有错呢,郁闷了好久才发现是这个框架没有引用,晕死)。之后应该就是通过[ASIHTTPRequest startSynchronous] 可以访问HTTPS网站了。 为什么说是应该呢? 因为我也没有试出来,呵呵 ```可能是证书的问题,我在extractIdentity:&identity andTrust:&trust fromPKCS12Data:PKCS12Data 这个方法里获取到的securityError
为-26275 ,在网上找了半天也没找出个结果来,所以也只能暂时搁置了。
-(void) viewHomePage{
NSURL *url=[NSURL URLWithString:homeUrl];
NSBundle *bundle = [NSBundle mainBundle]; //取得mainBundle
NSString *plistPath = [bundle pathForResource:@"Root" ofType:@"plist"]; //取得文件路径
// 或可以写成
// NSString *plistPath = [[NSBundle mainBundle] pathForResource:@"文件名" ofType:@"plist"];
//读取到一个NSDictionary
NSArray *array=[[NSArray alloc]initWithContentsOfFile:plistPath];
NSDictionary *dictionary = [array objectAtIndex:1];
NSUserDefaults *defaults=[NSUserDefaults standardUserDefaults];
[defaults registerDefaults:dictionary];
BOOL needAuthentication=[defaults boolForKey:@"needAuth"];
SecIdentityRef identity = NULL;
SecTrustRef trust = NULL;
NSData *PKCS12Data = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"ioa.bingosoft.net" ofType:@"pfx"]];
[SenchaShellViewController extractIdentity:&identity andTrust:&trust fromPKCS12Data:PKCS12Data];
//****************** 调用 ASIHTTPRequest 访问HTTPS站点 ****************
ASIHTTPRequest *request = [ASIHTTPRequest requestWithURL:url];
[request setClientCertificateIdentity:identity];
//[request setValidatesSecureCertificate:NO];
//[request startSynchronous];
[request setValidatesSecureCertificate:needAuthentication];
[request startSynchronous];
NSError *error = [request error];
if (!error) {
[self.viewer loadHTMLString:[request responseString] baseURL: [request url]];
}
else {
NSLog(@"Error: %@", error );
}
}
4。 官方API
最后一个是官方的API, 按理说这个应该放到最前面,因为是官方的嘛,但是实际上我一次都没有试成功过,所以有点怀疑他的真实性,不过也许有人成功了,所以也拿上来讨论一下。
简单来说通过NSurlconnection的这两个委托方法来忽略认证,关于Certificate Authentication是有官方文档的,但是官方文档太长了,我没有心思看完,所以还没有深入研究下去。
- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust])
//if ([trustedHosts containsObject:challenge.protectionSpace.host])
[challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
forAuthenticationChallenge:challenge];
[challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
} |
|
