CRL and OCSP behavior of iOS / Security.Framework?

一个人的身影 2020-12-30 07:49

I'm trying to figure out what iOS' policy is when verifying certificates using Security.Framework regarding revocation of certificates. I cannot find information about thi

3 answers
  • 2020-12-30 08:10

    I was able to enable CRL checking for a SecTrustRef object on iOS 10:

    SecTrustRef trust = ...; // from TLS challenge
    CFArrayRef oldPolicies = NULL;
    SecTrustCopyPolicies(trust, &oldPolicies); // keep the existing SSL policy
    SecPolicyRef revocationPolicy = SecPolicyCreateRevocation(kSecRevocationCRLMethod);
    NSArray *newPolicies = [(__bridge NSArray *)oldPolicies arrayByAddingObject:(__bridge id)revocationPolicy];
    CFRelease(oldPolicies);
    CFRelease(revocationPolicy); // newPolicies holds its own reference
    SecTrustSetPolicies(trust, (__bridge CFArrayRef)newPolicies);
    SecTrustSetNetworkFetchAllowed(trust, true); // allow the CRL to be downloaded

    // Check the trust object (blocks while the CRL is fetched)
    SecTrustResultType result = kSecTrustResultInvalid;
    SecTrustEvaluate(trust, &result);
    // cert revoked -> kSecTrustResultRecoverableTrustFailure
    

    Calling SecTrustSetNetworkFetchAllowed was key. Without that call, SecTrustEvaluate returned kSecTrustResultUnspecified instead.

  • 2020-12-30 08:17

    I just did this on iOS in GCDAsyncSocket.

    For a given SecTrustRef trust; do this

    SecPolicyRef policy = SecPolicyCreateRevocation(kSecRevocationOCSPMethod);
    // Note: this replaces the trust object's existing policies (including the SSL
    // policy) with the revocation policy alone; put both in an array to keep them.
    SecTrustSetPolicies(trust, policy);
    CFRelease(policy); // the trust object retains its own reference
    SecTrustResultType trustResultType = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &trustResultType);
    // kSecTrustResultUnspecified is the normal "valid" result; kSecTrustResultProceed
    // only appears when the user has explicitly trusted the certificate.
    if (status == errSecSuccess &&
        (trustResultType == kSecTrustResultUnspecified || trustResultType == kSecTrustResultProceed))
    {
       //good!
    }
    else
    {
       //not good
    }
    

    //edit to check the trustResultType

  • 2020-12-30 08:18

    I have an answer to this question by Apple guys, I posted the full answer here:

    Details on SSL/TLS certificate revocation mechanisms on iOS

    To sum it up, there are several things to keep in mind for OCSP implementation on iOS:

    • OCSP policy cannot be configured at this moment
    • it works for the EV certificates only
    • high-level stuff, such as NSURLConnection or UIWebView use TLS security policy, which uses OCSP
    • SecTrustEvaluate is a blocking network operation
    • it works the "best attempt" - if OCSP server cannot be contacted, the trust evaluation will not fail
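The following is an added example, not code from any of the answers above and not Apple sample code. It combines the three answers: it keeps the trust object's existing SSL policy (rather than replacing it), appends a revocation policy that allows OCSP and CRL, enables network fetching, and optionally uses `kSecRevocationRequirePositiveResponse` so that the "best attempt" behaviour described in the third answer becomes fail-closed when no revocation answer is obtained. It assumes iOS 12 or later for `SecTrustEvaluateWithError`; the helper `EvaluateTrustWithRevocation`, the `RevocationVerdict` enum and the `RevocationCheckingDelegate` class are hypothetical names introduced here, while the Security.framework and Foundation calls are real APIs.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

typedef NS_ENUM(NSInteger, RevocationVerdict) {
    RevocationVerdictTrusted,    // chain valid and no revocation found
    RevocationVerdictUntrusted,  // revoked, or evaluation failed for another reason
    RevocationVerdictError       // evaluation could not be set up
};

// Hypothetical helper (not a Security.framework API): append a revocation policy to the
// policies already on `trust`, then evaluate. `hostname` is only needed when the trust
// object carries no policy yet. Run it off the main thread: evaluation blocks on the network.
static RevocationVerdict EvaluateTrustWithRevocation(SecTrustRef trust,
                                                     NSString *hostname,
                                                     BOOL requirePositiveResponse,
                                                     NSError * __autoreleasing *errorOut)
{
    if (trust == NULL) {
        return RevocationVerdictError;
    }

    // 1. Keep the policies already attached (normally the SSL policy from the TLS challenge),
    //    rather than replacing them, so hostname and chain checks still apply.
    NSMutableArray *policies = [NSMutableArray array];
    CFArrayRef existing = NULL;
    if (SecTrustCopyPolicies(trust, &existing) == errSecSuccess && existing != NULL) {
        [policies addObjectsFromArray:(__bridge NSArray *)existing];
        CFRelease(existing);
    }
    if (policies.count == 0) {
        SecPolicyRef ssl = SecPolicyCreateSSL(true, (__bridge CFStringRef)hostname);
        [policies addObject:(__bridge_transfer id)ssl];
    }

    // 2. Add the revocation policy. Allowing both methods lets the framework use whichever
    //    the certificate advertises (OCSP responder URL or CRL distribution point).
    //    kSecRevocationRequirePositiveResponse makes the evaluation fail closed when no
    //    revocation answer can be obtained, instead of the default "best attempt" behaviour.
    CFOptionFlags flags = kSecRevocationOCSPMethod | kSecRevocationCRLMethod;
    if (requirePositiveResponse) {
        flags |= kSecRevocationRequirePositiveResponse;
    }
    SecPolicyRef revocation = SecPolicyCreateRevocation(flags);
    if (revocation == NULL) {
        return RevocationVerdictError;
    }
    [policies addObject:(__bridge_transfer id)revocation];

    if (SecTrustSetPolicies(trust, (__bridge CFArrayRef)policies) != errSecSuccess) {
        return RevocationVerdictError;
    }
    // Without this the evaluator only consults cached revocation data and fetches nothing.
    SecTrustSetNetworkFetchAllowed(trust, true);

    // 3. Evaluate. SecTrustEvaluateWithError (iOS 12+) returns true only for
    //    kSecTrustResultUnspecified or kSecTrustResultProceed; a revoked certificate
    //    yields false with a descriptive CFError.
    CFErrorRef cfError = NULL;
    bool trusted = SecTrustEvaluateWithError(trust, &cfError);
    if (!trusted) {
        if (errorOut != NULL) {
            *errorOut = (__bridge_transfer NSError *)cfError;
        } else if (cfError != NULL) {
            CFRelease(cfError);
        }
        return RevocationVerdictUntrusted;
    }
    return RevocationVerdictTrusted;
}

// Hypothetical session delegate showing where the helper fits: the challenge is answered
// from a background queue so the blocking fetch never stalls the main thread.
@interface RevocationCheckingDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation RevocationCheckingDelegate
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler
{
    if (![challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = (SecTrustRef)CFRetain(challenge.protectionSpace.serverTrust);
    NSString *host = challenge.protectionSpace.host;
    dispatch_async(dispatch_get_global_queue(QOS_CLASS_UTILITY, 0), ^{
        NSError *error = nil;
        RevocationVerdict verdict = EvaluateTrustWithRevocation(trust, host, YES, &error);
        if (verdict == RevocationVerdictTrusted) {
            completionHandler(NSURLSessionAuthChallengeUseCredential,
                              [NSURLCredential credentialForTrust:trust]);
        } else {
            NSLog(@"Rejecting server trust for %@: %@", host, error);
            completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        }
        CFRelease(trust);
    });
}
@end
```

Passing `YES` for `requirePositiveResponse` is the strict setting: a responder outage or a blocked CRL download then fails the connection rather than silently passing, which is the trade-off the third answer's "best attempt" point is about. Whether that is acceptable depends on how reliable the CA's revocation infrastructure is for the certificates the app pins or expects.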