Swift 3 How to validate server certificate using SSL Pinning and Alamofire?
I solved it pretty simply leveraging an online blog, Alamofire and openssl.
I used Alamofire for the networking on iOS.
I used an article about SSL pinning on iOS to get pointed in the right direction.
I used openssl to convert my cert to DER format.
DER conversion through openssl.

```sh
openssl x509 -in cert.crt -out cert.der -outform DER
```
You will need to add the DER-formatted cert to your app bundle.
Swift 3 implementation
```swift
import Alamofire

// Your hostname and endpoint
let hostname = "YOUR_HOST_NAME"
let endpoint = "YOUR_ENDPOINT"
let cert = "YOUR_CERT" // e.g. for cert.der, this should just be "cert"

// Set up certificates
let pathToCert = Bundle.main.path(forResource: cert, ofType: "der")
let localCertificate = NSData(contentsOfFile: pathToCert!)
let certificates = [SecCertificateCreateWithData(nil, localCertificate!)!]

// Configure the trust policy manager
let serverTrustPolicy = ServerTrustPolicy.pinCertificates(
    certificates: certificates,
    validateCertificateChain: true,
    validateHost: true
)
let serverTrustPolicies = [hostname: serverTrustPolicy]
let serverTrustPolicyManager = ServerTrustPolicyManager(policies: serverTrustPolicies)

// Configure session manager with trust policy.
// Keep afManager in a stored property: a SessionManager that is
// deallocated cancels its in-flight requests.
var afManager: SessionManager!
afManager = SessionManager(
    configuration: URLSessionConfiguration.default,
    serverTrustPolicyManager: serverTrustPolicyManager
)
afManager.request(endpoint, method: .get).responseJSON { response in
    debugPrint("All Response Info: \(response)")
}
```
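The same pinning check written directly against the Security framework with a plain `URLSession` delegate, as an added example (not code from the original answer or from Alamofire). `PinnedSessionDelegate` and `makePinnedSession` are hypothetical names; the example assumes iOS 12 or later for `SecTrustEvaluateWithError` and a `cert.der` bundled as described above.

```swift
import Foundation
import Security

// Added example: PinnedSessionDelegate / makePinnedSession are hypothetical names.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedHost: String
    private let pinnedCerts: [SecCertificate]

    /// `resource` is the bundled file name without ".der", e.g. "cert".
    init?(host: String, resource: String, bundle: Bundle = .main) {
        guard let url = bundle.url(forResource: resource, withExtension: "der"),
              let der = try? Data(contentsOf: url),
              let cert = SecCertificateCreateWithData(nil, der as CFData)
        else { return nil } // missing or malformed certificate: no session at all
        pinnedHost = host
        pinnedCerts = [cert]
        super.init()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              space.host == pinnedHost else {
            completionHandler(.performDefaultHandling, nil) // not the pinned host
            return
        }
        guard let trust = space.serverTrust, isTrusted(trust) else {
            completionHandler(.cancelAuthenticationChallenge, nil) // fail closed
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }

    private func isTrusted(_ trust: SecTrust) -> Bool {
        // Hostname check plus chain validation anchored only on the pinned certificates.
        SecTrustSetPolicies(trust, SecPolicyCreateSSL(true, pinnedHost as CFString))
        SecTrustSetAnchorCertificates(trust, pinnedCerts as CFArray)
        SecTrustSetAnchorCertificatesOnly(trust, true)
        var error: CFError?
        return SecTrustEvaluateWithError(trust, &error) // iOS 12+ (assumption)
    }
}

func makePinnedSession(host: String, resource: String) -> URLSession? {
    guard let delegate = PinnedSessionDelegate(host: host, resource: resource) else { return nil }
    return URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
}
```

Anchoring on a CA certificate accepts any certificate that CA issues for the host, while anchoring on the leaf means a new `cert.der` has to ship before the server certificate is replaced.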
Author: willpnw
I like developing UIs for embedded systems, networking, scripting, and all things Linux
Updated on June 05, 2022
Comments
-
willpnw about 2 years
I'm writing an app in Swift 3 that needs to talk to my server. I have the full certificate chain in DER and CRT format, which I am the CA for (not to be confused with self-signed). How do I use this in my app to validate my server? Below is my REST call and response.
REST call:

```swift
import Foundation

var request = URLRequest(url: URL(string: "https://myserver/login")!)
// addValue takes the header value first, then the header field name
request.addValue("application/json", forHTTPHeaderField: "Content-Type")
request.httpMethod = "GET"
let session = URLSession.shared
session.dataTask(with: request) { data, response, err in
    print("=========================DATA===============================")
    if data != nil {
        print(data!)
    }
    print("=========================RESPONSE===============================")
    if response != nil {
        print(response!)
    }
    print("=========================ERR===============================")
    if err != nil {
        print(err!)
    }
}.resume()
```
Output:
```
=========================DATA===============================
=========================RESPONSE===============================
=========================ERR===============================
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x60800011f020>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
    "<cert(0x7fae4803d200) s: myserver i: MySubCA>",
    "<cert(0x7fae48047000) s: MySubCA i: MyRootCA>",
    "<cert(0x7fae48044600) s: MyRootCA i: MyRootCA>"
), NSUnderlyingError=0x60800005a040 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x60800011f020>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x7fae4803d200) s: myserver i: MySubCA>",
    "<cert(0x7fae48047000) s: MySubCA i: MyRootCA>",
    "<cert(0x7fae48044600) s: MyRootCA i: MyRootCA>"
)}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://myserver/login, NSErrorFailingURLStringKey=https://myserver/login, NSErrorClientCertificateStateKey=0}
```
-
Anurag Sharma almost 7 years
Nicely explained. Loved it!
-
Shahrukh almost 7 years
How to get the .der certificate's "not valid after" date in Swift?
-
nyxee almost 7 years
I like the links also. Nice sharing. All info is available. I hope to expand on this in the spirit of sharing.
-
Gangireddy Rami Reddy almost 7 years
Is it possible to add the .pem certificate in the same place?
-
nyxee almost 7 years
@GRamiReddy, if you use `cert.pem` in place of `cert.crt` in the command to get `DER` format, it still works. That is, `openssl x509 -in cert.pem -out cert.der -outform DER`