第28月第4天 __bridge_transfer

1.

/* NSObject.h

Copyright (c) 1994-2018, Apple Inc. All rights reserved.

*/

#if __has_feature(objc_arc)

// After using a CFBridgingRetain on an NSObject, the caller must take responsibility for calling CFRelease at an appropriate time.

NS_INLINE CF_RETURNS_RETAINED CFTypeRef _Nullable CFBridgingRetain(id _Nullable X) {

return (__bridge_retained CFTypeRef)X;

}

NS_INLINE id _Nullable CFBridgingRelease(CFTypeRef CF_CONSUMED _Nullable X) {

return (__bridge_transfer id)X;

}

https://www.jianshu.com/p/5c98ac2dab58

2.

SecIdentityRef

https://github.com/xd520/TianjintouNew/blob/79bbeb3915a469d88becce954682d3709c2aedb2/Https.m

https://cloud.tencent.com/developer/ask/109329

3.

https://github.com/search?l=Objective-C&p=2&q=publicKeyIdentifier&type=Code

4.

- (BOOL)evaluateServerTrust:(SecTrustRef)serverTrust
                  forDomain:(NSString *)domain
{
    if (domain && self.allowInvalidCertificates && self.validatesDomainName && (self.SSLPinningMode == AFSSLPinningModeNone || [self.pinnedCertificates count] == )) {
        // https://developer.apple.com/library/mac/documentation/NetworkingInternet/Conceptual/NetworkingTopics/Articles/OverridingSSLChainValidationCorrectly.html
        //  According to the docs, you should only trust your provided certs for evaluation.
        //  Pinned certificates are added to the trust. Without pinned certificates,
        //  there is nothing to evaluate against.
        //
        //  From Apple Docs:
        //          "Do not implicitly trust self-signed certificates as anchors (kSecTrustOptionImplicitAnchors).
        //           Instead, add your own (self-signed) CA certificate to the list of trusted anchors."
        NSLog(@"In order to validate a domain name for self signed certificates, you MUST use pinning.");
        return NO;
    }

    NSMutableArray *policies = [NSMutableArray array];
    if (self.validatesDomainName) {
    //如果要验证域名，就通过域名来生成Policy
        [policies addObject:(__bridge_transfer id)SecPolicyCreateSSL(true, (__bridge CFStringRef)domain)];
    } else {
    //不验证域名，就默认基于X.509
        [policies addObject:(__bridge_transfer id)SecPolicyCreateBasicX509()];
    }

    //设置policies
    SecTrustSetPolicies(serverTrust, (__bridge CFArrayRef)policies);

    if (self.SSLPinningMode == AFSSLPinningModeNone) {
    //不校验证书，只要允许过期无效证书或者serverTrust验证通过，即可信任
        return self.allowInvalidCertificates || AFServerTrustIsValid(serverTrust);
    } else if (!AFServerTrustIsValid(serverTrust) && !self.allowInvalidCertificates) {
    //否则，就不可信任
        return NO;
    }

//到了这里就说明：
//1.通过了证书的验证
//2.allowInvalidCertificates = YES

    switch (self.SSLPinningMode) {
        case AFSSLPinningModeNone:
        default:
            return NO;
        case AFSSLPinningModeCertificate: {
            //验证全部证书
            NSMutableArray *pinnedCertificates = [NSMutableArray array];
            for (NSData *certificateData in self.pinnedCertificates) {
                [pinnedCertificates addObject:(__bridge_transfer id)SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certificateData)];
            }
            SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)pinnedCertificates);

            //验证证书是否可信任
            if (!AFServerTrustIsValid(serverTrust)) {
                return NO;
            }

            // obtain the chain after being validated, which *should* contain the pinned certificate in the last position (if it's the Root CA)
            NSArray *serverCertificates = AFCertificateTrustChainForServerTrust(serverTrust);

            //整个证书链都跟本地的证书匹配才通过验证
            for (NSData *trustChainCertificate in [serverCertificates reverseObjectEnumerator]) {
                if ([self.pinnedCertificates containsObject:trustChainCertificate]) {
                    return YES;
                }
            }

            return NO;
        }
        case AFSSLPinningModePublicKey: {
            NSUInteger trustedPublicKeyCount = ;
            NSArray *publicKeys = AFPublicKeyTrustChainForServerTrust(serverTrust);

            //只要有公钥相匹配就通过
            for (id trustChainPublicKey in publicKeys) {
                for (id pinnedPublicKey in self.pinnedPublicKeys) {
                    if (AFSecKeyIsEqualToKey((__bridge SecKeyRef)trustChainPublicKey, (__bridge SecKeyRef)pinnedPublicKey)) {
                        trustedPublicKeyCount += ;
                    }
                }
            }
            return trustedPublicKeyCount > ;
        }
    }

    return NO;
}

https://www.jianshu.com/p/f522d041cd91

NSMutableArray *policies = [NSMutableArray array];

// BasicX509 不验证域名是否相同
SecPolicyRef policy = SecPolicyCreateBasicX509();
[policies addObject:(__bridge_transfer id)policy];
SecTrustSetPolicies(trust, (__bridge CFArrayRef)policies);

https://www.cnblogs.com/oc-bowen/p/5896041.html

5.

    NSArray *serverCertificates = @[@"a",@"b",@"c",@"d",@"e",@"f"];

    for (NSString *trustChainCertificate in serverCertificates) {
        NSLog(@"str:%@",trustChainCertificate);
    }
    NSLog(@"---------------");
    NSSet *set = [[NSSet alloc] initWithArray:serverCertificates];

    for (NSString *trustChainCertificate in [set objectEnumerator]) {
        NSLog(@"str:%@",trustChainCertificate);
    }

当枚举一个NSArray的时候：

• 使用 for (id object in array) 如果是顺序枚举

• 使用 for (id object in [array reverseObjectEnumerator]) 如果是倒序枚举

• 使用 for (NSInteger i = 0; i < count; i++) 如果你需要知道它的索引值，或者需要改变数组

• 尝试 [array enumerateObjectsWithOptions:usingBlock:] 如果你的代码受益于并行执行

当枚举一个NSSet的时候：

• 使用  for (id object in set) 大多数时候

• 使用 for (id object in [set copy]) 如果你需要修改集合(但是会很慢)

• 尝试 [array enumerateObjectsWithOptions:usingBlock:] 如果你的代码受益于并行执行

当枚举一个NSDictionary的时候：

• 使用  for (id object in set) 大多数时候

• 使用 for (id object in [set copy]) 如果你需要修改词典

• 尝试 [array enumerateObjectsWithOptions:usingBlock:] 如果你的代码受益于并行执行

https://www.cnblogs.com/mafeng/p/5222295.html