Server certificate invalidation detection based on iOS, Android
Last Update: 2016-01-06
Source: Internet
Author: User
<span id="Label3">
<p>1. Preface</p>
<p>On current iOS and Android phones, when an app communicates over SSL, the device side by default does not check whether the server certificate has been revoked.</p>
<p>On iOS, the system periodically fetches certificate information for the servers that are accessed and stores it locally.</p>
<p>On Android, the system performs no revocation checking of server certificates at all.</p>
<p>2. Impact</p>
<p>If an app performs no certificate validity check when it communicates with the server, this can lead to security problems such as the disclosure of user information.</p>
<p>3. Workaround</p>
<p>There are two methods of detecting server certificate validity: CRL checking and OCSP checking.</p>
<p>The main benefit of OCSP checking is timeliness and efficiency. This article mainly introduces the implementation from the OCSP angle.</p>
<p>3.1 iOS side</p>
<p>On iOS, the server validity check is implemented differently for different communication methods. WKWebView, NSURLSession, NSURLConnection, etc. can all be handled by one common method.</p>
<p>The core code is as follows:</p>
<pre>
// Shared NSURLSession / NSURLConnection delegate callbacks. UtilCRLOCSP is the
// article's own helper class: it evaluates the server trust of the challenge
// together with the CRL/OCSP revocation check and answers YES only when the
// trust result is Proceed or Unspecified.
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential * _Nullable))completionHandler
{
    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        if ([[[UtilCRLOCSP alloc] init] isServerTrustProceedOrUnspecifiedWithAuthenticationChallenge:challenge]) {
            completionHandler(NSURLSessionAuthChallengeUseCredential,
                              [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
        } else {
            // Revoked, untrusted or unverifiable certificate: abort the connection.
            completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        }
    } else {
        // Not a server-trust challenge (e.g. HTTP authentication). The handler must
        // still be called, otherwise the task never proceeds.
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
    }
}

- (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task didCompleteWithError:(NSError *)error
{
    [self updateTextViewMessage:error.description];
}

- (void)URLSession:(NSURLSession *)session dataTask:(NSURLSessionDataTask *)dataTask
didReceiveResponse:(NSURLResponse *)response
 completionHandler:(void (^)(NSURLSessionResponseDisposition))completionHandler
{
    [self updateTextViewMessage:response.description];
    // The disposition must be delivered, or the data task stalls after the headers.
    completionHandler(NSURLSessionResponseAllow);
}

- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        if ([[[UtilCRLOCSP alloc] init] isServerTrustProceedOrUnspecifiedWithAuthenticationChallenge:challenge]) {
            [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
                 forAuthenticationChallenge:challenge];
        } else {
            [challenge.sender cancelAuthenticationChallenge:challenge];
        }
    } else {
        // Let the system handle challenges that are not about the server certificate.
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
    }
}
</pre>
<p>For communication methods such as WebView and CFNetwork, some other methods need to be implemented. Refer to the Apple website for details.</p>
<p>3.2 Android-side implementation</p>
<p>On Android, the CRL-related APIs can quickly check certificate validity.</p>
<p>However, there is no OCSP support in the platform, so it has to be developed from scratch.</p>
<p>Development can draw on the relevant parts of BouncyCastle; this article mainly introduces the OCSP implementation process.</p>
<pre>
import java.security.cert.X509Certificate;
import java.util.Arrays;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;

// Evaluates a BasicOCSPResp already received for `request`. rootCert is the
// certificate whose public key is expected to have signed the response.
boolean checkOcspResponse(OCSPReq request, BasicOCSPResp basicResponse, X509Certificate rootCert) throws Exception {
    // The responder signature must really be checked; never short-circuit this
    // condition with a debugging `true ||`, or any forged answer is accepted.
    if (basicResponse.isSignatureValid(
            new JcaContentVerifierProviderBuilder().setProvider("BC").build(rootCert.getPublicKey()))) {
        SingleResp[] responses = basicResponse.getResponses();

        byte[] reqNonce = getNonce(request.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce));
        byte[] resNonce = getNonce(basicResponse.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce));

        // Validate the nonce if it is present on both sides
        if (reqNonce == null || resNonce == null || Arrays.equals(reqNonce, resNonce)) {
            // Assumes the first SingleResp is the one for the certificate that was requested.
            for (int i = 0; i != responses.length; i++) {
                putLog("OCSP certificate serial number " + responses[i].getCertID().getSerialNumber());
                if (responses[i].getCertStatus() == CertificateStatus.GOOD) {   // GOOD is null in BouncyCastle
                    putLog("---OCSP status good");
                    return true;
                } else if (responses[i].getCertStatus() instanceof RevokedStatus) {
                    putLog("---OCSP status revoked");
                    return false;
                } else {
                    putLog("---OCSP status " + responses[i].getCertStatus());   // UnknownStatus
                    return false;
                }
            }
        }
    }
    return false;
}

// Raw octets of a nonce extension, or null when the extension is absent.
byte[] getNonce(Extension ext) {
    return ext == null ? null : ext.getExtnValue().getOctets();
}

// The article's logging helper; any logger will do.
void putLog(String message) {
    System.out.println(message);
}
</pre>
<p>4. Summary</p>
<p>This article gives only a brief introduction to OCSP-based certificate validity checking; how to apply it in a real project requires the developer's own thinking.</p>
</span>
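<p>The Android snippet in section 3.2 walks the SingleResp statuses but leaves out the surrounding checks that make an OCSP answer worth trusting: the outer response status, who is allowed to sign the response, the CertificateID match, the nonce, and freshness. The following Java class is an added example written for this page; it is neither the article's code nor part of BouncyCastle, although it uses only the public bcpkix/bcprov API. The class name, the clock-skew and maximum-age constants, and the policy of rejecting a response that drops the nonce we sent are choices made for this example.</p>

```java
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

// Hypothetical class name for this example; assumes bcprov and bcpkix are on the classpath.
public final class OcspRevocationCheck {
    static { Security.addProvider(new BouncyCastleProvider()); }

    // Freshness policy chosen for this example (RFC 6960 leaves the limits to the client).
    private static final long MAX_SKEW_MS = 5 * 60 * 1000L;
    private static final long MAX_AGE_WITHOUT_NEXT_UPDATE_MS = 24 * 3600 * 1000L;

    // Build a request for `subject` (issuer-name hash, issuer-key hash, serial) carrying a nonce.
    public static OCSPReq buildRequest(X509Certificate issuer, X509Certificate subject, byte[] nonce)
            throws Exception {
        DigestCalculatorProvider digests = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build();
        CertificateID id = new CertificateID(digests.get(CertificateID.HASH_SHA1),
                new JcaX509CertificateHolder(issuer), subject.getSerialNumber());
        Extension nonceExt = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false,
                new DEROctetString(nonce));
        return new OCSPReqBuilder().addRequest(id).setRequestExtensions(new Extensions(nonceExt)).build();
    }

    // True only for a successful, authentically signed, fresh answer of GOOD for the certificate
    // named in `request`. Revoked, unknown, stale, unsigned or mismatched answers yield false, and
    // the caller must treat any exception the same way (fail closed).
    public static boolean isStatusGood(OCSPReq request, byte[] responseDer, X509Certificate issuer, Date now)
            throws Exception {
        OCSPResp wrapper = new OCSPResp(responseDer);
        if (wrapper.getStatus() != OCSPResp.SUCCESSFUL) return false;   // tryLater, unauthorized, ...
        BasicOCSPResp resp = (BasicOCSPResp) wrapper.getResponseObject();
        if (!isSignedByAuthorizedResponder(resp, new JcaX509CertificateHolder(issuer), now)) return false;

        // Replay protection: if we sent a nonce, the responder must echo exactly those bytes.
        byte[] reqNonce = nonceOf(request.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce));
        byte[] resNonce = nonceOf(resp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce));
        if (reqNonce != null && !Arrays.equals(reqNonce, resNonce)) return false;

        // Only the SingleResp whose CertID matches the (single) certificate we asked about counts.
        CertificateID wanted = request.getRequestList()[0].getCertID();
        for (SingleResp single : resp.getResponses()) {
            if (!wanted.equals(single.getCertID())) continue;
            // CertificateStatus.GOOD is null in BouncyCastle; RevokedStatus/UnknownStatus are objects.
            return isFresh(single, now) && single.getCertStatus() == CertificateStatus.GOOD;
        }
        return false;   // the responder did not answer for our certificate
    }

    // RFC 6960 section 4.2.2.2: the signer is the issuing CA itself, or a responder certificate
    // issued by that CA which carries the id-kp-OCSPSigning extended key usage.
    private static boolean isSignedByAuthorizedResponder(BasicOCSPResp resp, X509CertificateHolder issuer,
            Date now) throws Exception {
        ContentVerifierProvider byIssuer = new JcaContentVerifierProviderBuilder().setProvider("BC").build(issuer);
        if (resp.isSignatureValid(byIssuer)) return true;
        X509CertificateHolder[] certs = resp.getCerts();
        if (certs == null) return false;
        for (X509CertificateHolder c : certs) {
            if (c.getExtensions() == null || !c.isValidOn(now)
                    || !c.getIssuer().equals(issuer.getSubject()) || !c.isSignatureValid(byIssuer)) continue;
            ExtendedKeyUsage eku = ExtendedKeyUsage.fromExtensions(c.getExtensions());
            if (eku == null || !eku.hasKeyPurposeId(KeyPurposeId.id_kp_OCSPSigning)) continue;
            if (resp.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(c))) {
                return true;
            }
        }
        return false;
    }

    // thisUpdate must not lie in the future; nextUpdate (or a maximum age when the responder
    // omits it) must not have passed.
    private static boolean isFresh(SingleResp single, Date now) {
        long t = now.getTime();
        long thisUpdate = single.getThisUpdate().getTime();
        if (thisUpdate > t + MAX_SKEW_MS) return false;
        Date next = single.getNextUpdate();
        long expires = next != null ? next.getTime() : thisUpdate + MAX_AGE_WITHOUT_NEXT_UPDATE_MS;
        return expires + MAX_SKEW_MS >= t;
    }

    private static byte[] nonceOf(Extension ext) {
        return ext == null ? null : ext.getExtnValue().getOctets();
    }
}
```

<p>To use it, POST the bytes of <code>buildRequest(...).getEncoded()</code> with Content-Type <code>application/ocsp-request</code> to the responder URL taken from the leaf certificate's Authority Information Access extension, then pass the raw response body to <code>isStatusGood</code> together with the issuing CA certificate. Note that the issuer, the certificate directly above the leaf in the chain, is what RFC 6960 authorizes to sign (or delegate) the response; verifying against a root key, as the section 3.2 snippet does, will reject legitimate responses from intermediates and delegated responders. Treat any exception as a failed check, and decide explicitly what the app does when the responder cannot be reached, since "soft fail" silently gives up the revocation protection this article sets out to add.</p>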