Add support for for SSL client certificate authentication.

Philipp Schmid
Commit 550c5ea911751b7a9271203c2266e145d29010c8 550c5ea9 1 parent e2301e7f
Showing 2 changed files with 58 additions and 4 deletions
Classes/ASIHTTPRequest.h
Classes/ASIHTTPRequest.m
--- a/Classes/ASIHTTPRequest.h
View file @550c5ea
+++ b/Classes/ASIHTTPRequest.h
View file @550c5ea
@@ -325,6 +325,9 @@ extern unsigned long const ASIWWANBandwidthThrottleAmount;
 	
 	// When NO, requests will not check the secure certificate is valid (use for self-signed certificates during development, DO NOT USE IN PRODUCTION) Default is YES
 	BOOL validatesSecureCertificate;
+     
+     // If not nil and the URL scheme is https, CFNetwork configured to supply a client certificate
+     SecIdentityRef clientCertificateIdentity;
 	
 	// Details on the proxy to use - you could set these yourself, but it's probably best to let ASIHTTPRequest detect the system proxy settings
 	NSString *proxyHost;
@@ -593,6 +596,10 @@ extern unsigned long const ASIWWANBandwidthThrottleAmount;
 + (NSTimeInterval)defaultTimeOutSeconds;
 + (void)setDefaultTimeOutSeconds:(NSTimeInterval)newTimeOutSeconds;
 
+ #pragma mark client certificate
+ 
+ - (void)setClientCertificateIdentity:(SecIdentityRef)anIdentity;
+ 
 #pragma mark session credentials
 
 + (NSMutableArray *)sessionProxyCredentialsStore;
--- a/Classes/ASIHTTPRequest.m
View file @550c5ea
+++ b/Classes/ASIHTTPRequest.m
View file @550c5ea
@@ -354,6 +354,11 @@ static NSOperationQueue *sharedQueue = nil;
 	[responseStatusMessage release];
 	[connectionInfo release];
 	[requestID release];
+     
+     if (clientCertificateIdentity) {
+ 		CFRelease(clientCertificateIdentity);
+ 	}
+     
 	[super dealloc];
 }
 
@@ -910,10 +915,36 @@ static NSOperationQueue *sharedQueue = nil;
         return;
     }
 
- 	// Tell CFNetwork not to validate SSL certificates
- 	if (![self validatesSecureCertificate] && [[[[self url] scheme] lowercaseString] isEqualToString:@"https"]) {
- 		CFReadStreamSetProperty((CFReadStreamRef)[self readStream], kCFStreamPropertySSLSettings, [NSMutableDictionary dictionaryWithObject:(NSString *)kCFBooleanFalse forKey:(NSString *)kCFStreamSSLValidatesCertificateChain]); 
- 	}
+ 
+     
+     
+     //
+     // Handle SSL certificate settings
+     //
+     if([[[[self url] scheme] lowercaseString] isEqualToString:@"https"]) {
+         NSMutableDictionary *sslProperties = [[NSMutableDictionary alloc] initWithCapacity:1];
+         
+         // Tell CFNetwork not to validate SSL certificates
+         if (![self validatesSecureCertificate]) {
+             [sslProperties setObject:(NSString *)kCFBooleanFalse forKey:(NSString *)kCFStreamSSLValidatesCertificateChain];
+         }
+         
+         // Tell CFNetwork to use a client certificate
+         if (clientCertificateIdentity) {
+             CFArrayRef ca = CFArrayCreate(NULL, (const void **)&clientCertificateIdentity, 1, NULL);
+             
+             [sslProperties setObject:(NSArray *)ca forKey:(NSString *)kCFStreamSSLCertificates];
+             
+             CFRelease(ca);
+         }
+         
+         CFReadStreamSetProperty((CFReadStreamRef)[self readStream], kCFStreamPropertySSLSettings, sslProperties);
+         
+         [sslProperties release];
+     }
+     
+     
+     
 	
 	//
 	// Handle proxy settings
@@ -1349,6 +1380,7 @@ static NSOperationQueue *sharedQueue = nil;
 	[headRequest setTimeOutSeconds:[self timeOutSeconds]];
 	[headRequest setUseHTTPVersionOne:[self useHTTPVersionOne]];
 	[headRequest setValidatesSecureCertificate:[self validatesSecureCertificate]];
+     [headRequest setClientCertificateIdentity:clientCertificateIdentity];
 	[headRequest setPACurl:[self PACurl]];
 	[headRequest setShouldPresentCredentialsBeforeChallenge:[self shouldPresentCredentialsBeforeChallenge]];
 	[headRequest setNumberOfTimesToRetryOnTimeout:[self numberOfTimesToRetryOnTimeout]];
@@ -3078,6 +3110,7 @@ static NSOperationQueue *sharedQueue = nil;
 	[newRequest setUseHTTPVersionOne:[self useHTTPVersionOne]];
 	[newRequest setShouldRedirect:[self shouldRedirect]];
 	[newRequest setValidatesSecureCertificate:[self validatesSecureCertificate]];
+     [newRequest setClientCertificateIdentity:clientCertificateIdentity];
 	[newRequest setPACurl:[self PACurl]];
 	[newRequest setShouldPresentCredentialsBeforeChallenge:[self shouldPresentCredentialsBeforeChallenge]];
 	[newRequest setNumberOfTimesToRetryOnTimeout:[self numberOfTimesToRetryOnTimeout]];
@@ -3099,6 +3132,20 @@ static NSOperationQueue *sharedQueue = nil;
 	defaultTimeOutSeconds = newTimeOutSeconds;
 }
 
+ 
+ #pragma mark client certificate
+ 
+ - (void)setClientCertificateIdentity:(SecIdentityRef)anIdentity {
+     if(clientCertificateIdentity) {
+         CFRelease(clientCertificateIdentity);
+     }
+     
+     clientCertificateIdentity = anIdentity;
+     
+     CFRetain(clientCertificateIdentity);
+ }
+ 
+ 
 #pragma mark session credentials
 
 + (NSMutableArray *)sessionProxyCredentialsStore