离子 + 电容器的 SSL 固定问题

Posted 2023-02-19

【中文标题】离子 + 电容器的 SSL 固定问题

【英文标题】：SSL Pinning Issue with Ionic + Capacitor

【发布时间】：2019-11-13 09:47:39

【问题描述】：

正如官方文档 [1] 中所述，我一直在尝试使用 Cordova Advanced HTTP 插件 [2] 在 Ionic + Angular + Capacitor 项目中实现 SSL Pinning。

但是，每次我用 Xcode 打开 ios 应用程序时，它都会记录一个错误 [3] 说证书无效，我认为这是错误的。

2019-07-02 09:20:13.211085+0530 App[481:58424] TIC SSL Trust Error [1:0x280002100]: 3:0
2019-07-02 09:20:13.228677+0530 App[481:58424] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
2019-07-02 09:20:13.228721+0530 App[481:58424] Task <46E01436-B71E-421D-B8F0-584EBEBEDD56>.<1> HTTP load failed (error code: -1202 [3:-9813])
2019-07-02 09:20:13.228908+0530 App[481:58418] Task <46E01436-B71E-421D-B8F0-584EBEBEDD56>.<1> finished with error - code: -1202
2019-07-02 09:20:13.231665+0530 App[481:58415] Task <46E01436-B71E-421D-B8F0-584EBEBEDD56>.<1> load failed with error Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “reqres.in” which could put your confidential information at risk." UserInfo=NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x10408e200) s: sni96286.cloudflaressl.com i: COMODO ECC Domain Validation Secure Server CA 2>",
    "<cert(0x104067800) s: COMODO ECC Domain Validation Secure Server CA 2 i: COMODO ECC Certification Authority>",
    "<cert(0x10408ee00) s: COMODO ECC Certification Authority i: AddTrust External CA Root>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://reqres.in/api/users/2, NSErrorFailingURLStringKey=https://reqres.in/api/users/2, NSUnderlyingError=0x283b578d0 Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo=_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x28070d4d0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9813, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9813, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x10408e200) s: sni96286.cloudflaressl.com i: COMODO ECC Domain Validation Secure Server CA 2>",
    "<cert(0x104067800) s: COMODO ECC Domain Validation Secure Server CA 2 i: COMODO ECC Certification Authority>",
    "<cert(0x10408ee00) s: COMODO ECC Certification Authority i: AddTrust External CA Root>"
), _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <46E01436-B71E-421D-B8F0-584EBEBEDD56>.<1>"
), _kCFStreamErrorCodeKey=-9813, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <46E01436-B71E-421D-B8F0-584EBEBEDD56>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x28070d4d0>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “reqres.in” which could put your confidential information at risk. [-1202]
⚡️  [log] - -2   
⚡️  [log] - The certificate for this server is invalid. You might be connecting to a server that is pretending to be “reqres.in” which could put your confidential information at risk.   
⚡️  [log] - undefined

GitHub [4] 上提供了我的示例应用程序以及我所采取的步骤，我想知道如何将 SSL Pinning 正确集成到我的应用程序中。理想情况下，如果您可以分叉/克隆我的项目并在其中尝试解决方法，这对每个人都会很方便。

[1]https://ionicframework.com/docs/native/http

[2]https://github.com/silkimen/cordova-plugin-advanced-http

[3]https://github.com/ashenwgt/ionic-capacitor-ssl-pinning/blob/master/logs/xcode-log.backup

[4]https://github.com/ashenwgt/ionic-capacitor-ssl-pinning

任何帮助将不胜感激。

【问题讨论】：

你能解决这个问题吗？

@TIER0011 我们无法按照上述方法让它工作。但是我们可以设法用本地语言构建插件以与我们的 Ionic 应用程序集成并使 SSL 固定工作。无论如何，就我们的研究而言，我可以保证，除非您在内部从头开始构建所有东西，否则没有直接的方法可以实现这一目标。

【参考方案1】：

出现此问题是因为 ionic webpack 配置在构建操作开始时擦除了 IOS 的 www 文件夹。

为确保您的证书不会被删除，您必须使用 webpack 的自定义复制配置而不是 config.xml 资源文件来复制它。

我就是这样解决的：

1 - 在项目的根目录下创建一个文件夹 certificates/，其中包含您的 *.cer 文件

2 - 在项目的根目录下创建一个文件 copy.config.js，内容如下

// provide a name for an entry, it can be anything such as 'copyAssets' or 'copyFonts'
// then provide an object with a `src` array of globs and a `dest` string
module.exports = 
    copyAssets: 
        src: ['SRC/assets/**/*'],
        dest: 'WWW/assets'
    ,
    copyIndexContent: 
        src: ['SRC/index.html', 'SRC/manifest.json', 'SRC/service-worker.js'],
        dest: 'WWW'
    ,
    copyFonts: 
        src: ['ROOT/node_modules/ionicons/dist/fonts/**/*', 'ROOT/node_modules/ionic-angular/fonts/**/*'],
        dest: 'WWW/assets/fonts'
    ,
    copyPolyfills: 
        src: [`ROOT/node_modules/ionic-angular/polyfills/$process.env.IONIC_POLYFILL_FILE_NAME`],
        dest: 'BUILD'
    ,
    copySwToolbox: 
        src: ['ROOT/node_modules/sw-toolbox/sw-toolbox.js'],
        dest: 'BUILD'
    ,
    copyCertificates: 
        src: ['certificates/**/*'],
        dest: 'WWW/certificates'
    

3 - 在您的 package.json 文件中添加以下配置

"config": 
    "ionic_copy": "copy.config.js"

祝你好运！ ?

【讨论】：

非常感谢！这个解决方案在 Ionic 3 上对我有用。

不客气?