AFNetworking 3.0 and SSL authentication with setSessionDidReceiveAuthenticationChallengeBlock

Question

I'm attempting to migrating from AFNetworking 2.0 to 3.0.

In the previous version I would create an AFHTTPRequestOperation and handle client SSL authentication in another block with setWillSendRequestForAuthenticationChallengeBlock.

For example:

[operation setWillSendRequestForAuthenticationChallengeBlock:^(NSURLConnection *connection, NSURLAuthenticationChallenge *challenge) {
    if ([challenge previousFailureCount] > 0) {
        //this will cause an authentication failure
        [[challenge sender] cancelAuthenticationChallenge:challenge];
        return;
    }

    //this is checking the server certificate
    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {

        SecTrustResultType result;
        //This takes the serverTrust object and checkes it against your keychain
        SecTrustEvaluate(challenge.protectionSpace.serverTrust, &result);

Could someone show me an example of how to do this with AFHTTPSessionManager?

Do I need to make requests using AFURLSessionManager instead? I do see a block method there:

(void)setSessionDidReceiveAuthenticationChallengeBlock:(nullable NSURLSessionAuthChallengeDisposition (^)(NSURLSession *session, NSURLAuthenticationChallenge *challenge, NSURLCredential * _Nullable __autoreleasing * _Nullable credential))block

Answer 1

I'm working on the same problem, all I found is currently this issue on AFNetworking with some help.

Basically set the block - (void)setTaskDidReceiveAuthenticationChallengeBlock:([long block variable type here])block; in your AFURLSessionManager

The certificate is saved in p12 format. You need to change the filename of your cert and the passphrase in these two lines:

NSData *p12Data = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"cert" ofType:@"p12"]];

CFStringRef password = CFSTR("YOURPASSPHRASE");

The whole code to set this block looks something like this:

    AFHTTPRequestSerializer *reqSerializer = [AFHTTPRequestSerializer serializer];
    NSMutableURLRequest *request;
    request = [reqSerializer requestWithMethod:method URLString:[actionURL absoluteString] parameters:nil error:nil];

    AFSecurityPolicy *securityPolicy = [[AFSecurityPolicy alloc] init];
    [securityPolicy setAllowInvalidCertificates:kAllowsInvalidSSLCertificate];

    AFHTTPRequestOperation *operation = [[AFHTTPRequestOperation alloc] initWithRequest:request];
    operation.responseSerializer = [AFHTTPResponseSerializer serializer];

    [operation setSecurityPolicy:securityPolicy];

    [operation setWillSendRequestForAuthenticationChallengeBlock:^(NSURLConnection *connection, NSURLAuthenticationChallenge *challenge) {
        if ([challenge previousFailureCount] > 0) {
            //this will cause an authentication failure
            [[challenge sender] cancelAuthenticationChallenge:challenge];
            NSLog(@"Bad Username Or Password");
            return;
        }

        //this is checking the server certificate
        if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
            SecTrustResultType result;
            //This takes the serverTrust object and checkes it against your keychain
            SecTrustEvaluate(challenge.protectionSpace.serverTrust, &result);

            //if we want to ignore invalid server for certificates, we just accept the server
            if (kAllowsInvalidSSLCertificate) {
                [challenge.sender useCredential:[NSURLCredential credentialForTrust: challenge.protectionSpace.serverTrust] forAuthenticationChallenge: challenge];
                return;
            } else if(result == kSecTrustResultProceed || result == kSecTrustResultUnspecified) {
                //When testing this against a trusted server I got kSecTrustResultUnspecified every time. But the other two match the description of a trusted server
                [challenge.sender useCredential:[NSURLCredential credentialForTrust: challenge.protectionSpace.serverTrust] forAuthenticationChallenge: challenge];
                return;
            }
        } else if ([[challenge protectionSpace] authenticationMethod] == NSURLAuthenticationMethodClientCertificate) {
            //this handles authenticating the client certificate

            /*
             What we need to do here is get the certificate and an an identity so we can do this:
             NSURLCredential *credential = [NSURLCredential credentialWithIdentity:identity certificates:myCerts persistence:NSURLCredentialPersistencePermanent];
             [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];

             It's easy to load the certificate using the code in -installCertificate
             It's more difficult to get the identity.
             We can get it from a .p12 file, but you need a passphrase:
             */

            NSData *p12Data = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"cert" ofType:@"p12"]];

            CFStringRef password = CFSTR("YOURPASSPHRASE");
            const void *keys[] = { kSecImportExportPassphrase };
            const void *values[] = { password };
            CFDictionaryRef optionsDictionary = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
            CFArrayRef p12Items;

            OSStatus result = SecPKCS12Import((__bridge CFDataRef)p12Data, optionsDictionary, &p12Items);

            if(result == noErr) {
                CFDictionaryRef identityDict = CFArrayGetValueAtIndex(p12Items, 0);
                SecIdentityRef identityApp =(SecIdentityRef)CFDictionaryGetValue(identityDict,kSecImportItemIdentity);

                SecCertificateRef certRef;
                SecIdentityCopyCertificate(identityApp, &certRef);

                SecCertificateRef certArray[1] = { certRef };
                CFArrayRef myCerts = CFArrayCreate(NULL, (void *)certArray, 1, NULL);
                CFRelease(certRef);

                NSURLCredential *credential = [NSURLCredential credentialWithIdentity:identityApp certificates:(__bridge NSArray *)myCerts persistence:NSURLCredentialPersistencePermanent];
                CFRelease(myCerts);

                [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
            } else {
                [[challenge sender] cancelAuthenticationChallenge:challenge];
            }
        } else if ([[challenge protectionSpace] authenticationMethod] == NSURLAuthenticationMethodDefault || [[challenge protectionSpace] authenticationMethod] == NSURLAuthenticationMethodNTLM) {

            // For normal authentication based on username and password. This could be NTLM or Default.
            /*
             DAVCredentials *cred = _parentSession.credentials;
             NSURLCredential *credential = [NSURLCredential credentialWithUser:cred.username password:cred.password persistence:NSURLCredentialPersistenceForSession];
             [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
             */

            NSLog(@"BASIC AUTHENTICATION");

        } else {
            //If everything fails, we cancel the challenge.
            [[challenge sender] cancelAuthenticationChallenge:challenge];
        }
    }];

    [operation setCompletionBlockWithSuccess:^(AFHTTPRequestOperation *operation, id responseObject) {

        NSLog(@"Success");

    } failure:^(AFHTTPRequestOperation *operation, NSError *error) {

        NSLog(@"Failure");

    }];

    [[NSOperationQueue mainQueue] addOperation:operation];

See this link: https://github.com/AFNetworking/AFNetworking/issues/2316#issuecomment-115181437

I'm trying this right now.