CRL and OCSP behavior of iOS / Security.Framework?

一世执手 提交于 2019-11-29 07:48:40

问题


I'm trying to figure out what iOS' policy is when verifying certificates using Security.Framework regarding revocation of certificates. I cannot find information about this in the docs for iOS. In the context of an iPad project I'm working on at the moment, there is reason to demand checking revocation status for some certs. Anyone ideas on how to force CRL / OCSP checking during cert verification using Security.Framework? Or do I need to "fall back" to OpenSSL to accomplish this?

It seems that also on Mac OS X 10.6 CRL / OCSP checks are done optionally and have to be turned on manually through Keychain Access.

Martijn


回答1:


I have an answer to this question by Apple guys, I posted the full answer here:

Details on SSL/TLS certificate revocation mechanisms on iOS

To sum it up, there are several things to keep in mind for OCSP implementation on iOS:

  • OCSP policy cannot be configured at this moment
  • it works for the EV certificates only
  • high-level stuff, such as NSURLConnection or UIWebView use TLS security policy, which uses OCSP
  • SecTrustEvaluate is a blocking network operation
  • it works the "best attempt" - if OCSP server cannot be contacted, the trust evaluation will not fail



回答2:


I just did this on iOS in GCDAsyncSocket.

For a given SecTrustRef trust; do this

SecPolicyRef policy = SecPolicyCreateRevocation(kSecRevocationOCSPMethod)
SecTrustSetPolicies(trust, policy);
SecTrustResultType trustResultType = kSecTrustResultInvalid;
OSStatus status = SecTrustEvaluate(trust, &trustResultType);
if (status == errSecSuccess && trustResultType == kSecTrustResultProceed)
{
   //good!
}
else
{
   //not good
}

//edit to check the trustResultType




回答3:


I was able to enable CRL checking for a SecTrustRef object on iOS 10:

SecTrustRef trust = ...; // from TLS challenge
CFArrayRef oldPolicies;
SecTrustCopyPolicies(trust, &oldPolicies);
SecPolicyRef revocationPolicy = SecPolicyCreateRevocation(kSecRevocationCRLMethod);
NSArray *newPolicies = [(__bridge NSArray *)oldPolicies arrayByAddingObject(__bridge id)revocationPolicy];
CFRelease(oldPolicies);
SecTrustSetPolicies(trust, (__bridge CFArrayRef)newPolicies);
SecTrustSetNetworkFetchAllowed(trust, true);

// Check the trust object
SecTrustResult result = kSecTrustResultInvalid;
SecTrustEvaluate(trust, &result);
// cert revoked -> kSecTrustResultRecoverableTrustFailure

Calling SecTrustSetNetworkFetchAllowed was key. Without that call, SecTrustEvaluate returned kSecTrustResultUnspecified instead.



来源:https://stackoverflow.com/questions/5625642/crl-and-ocsp-behavior-of-ios-security-framework

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!