I'm currently using SocketRocket as the WebSocket implementation for my iOS applications and would like to pin my server's CA as a trusted certificate with the SR_SSLPinnedCertificates property. I'm looking for a good example of loading one or more certificates to pass into SocketRocket. I've got the following code to work but I'm not sure it's correct or if there is a more straight-forward approach.
CFArrayRef keyref = NULL;
NSString *path = [[NSBundle mainBundle] pathForResource:@"certificate" ofType:@"p12"];
NSData *data = [[NSData alloc] initWithContentsOfFile:path];
OSStatus status = SecPKCS12Import((__bridge CFDataRef)data, (__bridge CFDictionaryRef)[NSDictionary dictionaryWithObject:@"eftl_key_pass" forKey:(__bridge id)kSecImportExportPassphrase], &keyref);
if (status == noErr) {
CFDictionaryRef identityDict = CFArrayGetValueAtIndex(keyref, 0);
SecIdentityRef identityRef = (SecIdentityRef)CFDictionaryGetValue(identityDict, kSecImportItemIdentity);
SecCertificateRef certRef = NULL;
SecIdentityCopyCertificate(identityRef, &certRef);
}
Certificate pinning with SocketRocket is done thus:
First, we need to initialize SocketRocket from an NSURLRequest, rather than from an NSURL.
NSURL *url = [[NSURL alloc] initWithString:@"wss://path-to-socket:1234"];
NSMutableURLRequest *request = [[NSMutableURLRequest alloc] initWithURL:url];
Then, let's set up the certificate. It's crucial that your certificate be in the binary DER format, rather than the base64-encoded PEM. The certificate file should be in your main bundle.
NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"myOwnCertificate" ofType:@"cer"];
NSData *certData = [[NSData alloc] initWithContentsOfFile:cerPath];
CFDataRef certDataRef = (__bridge CFDataRef)certData;
SecCertificateRef certRef = SecCertificateCreateWithData(NULL, certDataRef);
id certificate = (__bridge id)certRef;
We then set the request's pinned certificates to an array containing just the one we set up previously.
[request setSR_SSLPinnedCertificates:@[certificate]];
And now we can finalize the socket.
SRWebSocket *socket = [[SRWebSocket alloc] initWithURLRequest:request];
[socket open];
For the code in Swift:
if let pinnedCertificatePath = NSBundle.mainBundle().pathForResource("subdomain.yourwebsite.com", ofType: "der"),
let pinnedCertificateData = NSData(contentsOfFile: pinnedCertificatePath),
let cert = SecCertificateCreateWithData(nil, pinnedCertificateData) {
request.SR_SSLPinnedCertificates = [cert]
// make the websocket call!
let ws = SRWebSocket(URLRequest: request)
// configure the websocket
ws.open()
} else {
NSLog("Failed to open websocket, could not find pinned certificate!")
}
![Prime Path[POJ3126] [SPFA/BFS]](https://oscimg.oschina.net/oscnet/e1200f32e838bf1d387d671dc8e6894c37d.jpg "Prime Path[POJ3126] [SPFA/BFS]")
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 神经病院院长 的文章《SocketRocket and iOS certificate pinning》','https://www.manongdao.com/article-709400.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}