How do I use an X509 client certificate in iOS?

Posted: 2014-04-05 09:26:58

Tags: ios x509 client-certificates x509certificate2

I have code for the Merchantlink Payment Gateway in Asp.net. Now I want to do the same thing in iOS.

In this Asp.net code they use some kind of X509 certificate: it is first installed on the local user's machine, and then passed to the HttpWebRequest. Below is the code snippet used in Asp.net. Note: the cert object is an object of type X509Certificate2.

Then

// cert is the X509Certificate2 loaded from the local user's machine
webRequest = (HttpWebRequest)WebRequest.Create("Some URI");
webRequest.ProtocolVersion = HttpVersion.Version10;
webRequest.Method = "POST";
webRequest.UserAgent = "AGENT NAME";
webRequest.ContentType = "text/xml";
webRequest.ContentLength = requestBytes.Length;
webRequest.KeepAlive = false;
webRequest.ClientCertificates.Add(cert);   // presented to the server during the TLS handshake

// Server certificate callback: returns true for every certificate, whatever sslPolicyErrors says
System.Net.ServicePointManager.ServerCertificateValidationCallback =
    delegate(Object sender2, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    { return true; };

using (Stream requestStream = webRequest.GetRequestStream())
{
    requestStream.Write(requestBytes, 0, requestBytes.Length);
    using (HttpWebResponse webResponse = (HttpWebResponse)webRequest.GetResponse())
    {
        Stream dataStream = webResponse.GetResponseStream();
        StreamReader reader = new StreamReader(dataStream);
        string responseFromServer = reader.ReadToEnd();
        txtResponse.Text = responseFromServer;
    }
}

I don't know how to do this in Objective C for iOS. Can anyone please guide me on how we add the client certificate, and how to load the certificate in iOS and send it using NSURLRequest.

1 answer:

Answer 0 (score: 0)

...Below is the code snippet used in Asp.net

The code you provided shows that you are NOT doing any server validation. You accept everything, even a certificate forged by a bad guy (the attacker thanks you):

System.Net.ServicePointManager.ServerCertificateValidationCallback =
    delegate(Object sender2, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    { return true; };

I don't know how to do this in Objective C for iOS...

You need to use an NSURLConnectionDelegate and provide an implementation of -connection:didReceiveAuthenticationChallenge:.


OWASP has some sample code that performs public key pinning. The OWASP code is the opposite of your code: it ensures you always talk to the expected host, rather than any host that happens to answer with a certificate, which is what code like yours allows. See Certificate and Public Key Pinning.

At a minimum, the OWASP code shows you some of the moving parts in certificate validation.


Here is some C# code that loads a single CA and then validates the chain using that single CA: How to verify chain in RemoteCertificateValidationCallback?. That is probably how you should be doing ServerCertificateValidationCallback in ASP.net. It does not require you to install the CA in any store, and it avoids the CA Zoo (hundreds of CAs, any of which is allowed to certify the server).

You need to get Merchantlink's CA and use it. Anyone trying to claim they are Merchantlink or Merchantlink's CA will cause a failure. That is a good thing, because it will be a bad guy.


To discover the CA and use it for validation:

$ openssl s_client -connect www.merchantlink.com:443
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. -
    For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
...

From the above, you need Verisign's Class 3 CA. So go to Use of Root Certificates and download Root 3, VeriSign Class 3 Primary CA - G5.

With the proper root, you get no verify errors from OpenSSL (note the use of -CAfile PCA-3G5.pem):

$ openssl s_client -connect www.merchantlink.com:443 -CAfile PCA-3G5.pem 
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL SGC CA
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 2578637, C = US, postalCode = 10017, ST = New York, L = New York, street = 270 Park Avenue, O = "Chase Paymentech Solutions, LLC.", OU = Enterprise Web Architecture, CN = www.merchantlink.com
verify return:1
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2578637/C=US/postalCode=10017/ST=New York/L=New York/street=270 Park Avenue/O=Chase Paymentech Solutions, LLC./OU=Enterprise Web Architecture/CN=www.merchantlink.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
...
Start Time: 1397396657
Timeout   : 300 (sec)
Verify return code: 0 (ok)
...
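Putting the answer's two pieces of advice together as one worked example (added here; it is not code from the question, the answer, OWASP or Merchantlink): an NSURLConnection delegate that answers the server-trust challenge by evaluating the chain against only the single CA root shipped with the app (the VeriSign G5 root found with openssl above, assumed to be in the app bundle as PCA-3G5.der), and answers the client-certificate challenge with an identity loaded from a PKCS#12 file (assumed to be client.p12 in the bundle, passphrase supplied by the caller). The class name MerchantClient, the file names, the header values and the URL are assumptions. It implements -connection:willSendRequestForAuthenticationChallenge:, the iOS 5 successor of the delegate method the answer names.

```objc
// Added example, not code from the question, the answer or Merchantlink. Assumes the app
// bundle carries client.p12 (the client identity) and PCA-3G5.der (the VeriSign G5 root
// found with openssl above); the P12 passphrase is supplied by the caller, never hard-coded.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface MerchantClient : NSObject <NSURLConnectionDelegate, NSURLConnectionDataDelegate>
@property (nonatomic, copy) NSString *p12Passphrase;
@property (nonatomic, strong) NSMutableData *responseData;
@end

@implementation MerchantClient
// Private key + certificate from a PKCS#12 blob; NULL if the file is missing or the passphrase is wrong.
- (SecIdentityRef)copyIdentityFromP12:(NSData *)p12 passphrase:(NSString *)passphrase {
    if (!p12) return NULL;
    NSDictionary *options = @{ (__bridge id)kSecImportExportPassphrase : passphrase ?: @"" };
    CFArrayRef items = NULL;
    OSStatus status = SecPKCS12Import((__bridge CFDataRef)p12, (__bridge CFDictionaryRef)options, &items);
    if (status != errSecSuccess || items == NULL || CFArrayGetCount(items) == 0) {
        NSLog(@"SecPKCS12Import failed: %d", (int)status);
        if (items) CFRelease(items);
        return NULL;
    }
    CFDictionaryRef first = CFArrayGetValueAtIndex(items, 0);
    SecIdentityRef identity = (SecIdentityRef)CFDictionaryGetValue(first, kSecImportItemIdentity);
    if (identity) CFRetain(identity);   // caller owns the returned reference
    CFRelease(items);
    return identity;
}

// Evaluate the server chain against ONLY the CA we ship, not the device's CA zoo.
// The SecTrustRef from the challenge already carries the SSL policy for the host name.
- (BOOL)serverTrustIsAcceptable:(SecTrustRef)trust {
    NSString *caPath = [[NSBundle mainBundle] pathForResource:@"PCA-3G5" ofType:@"der"];
    NSData *caData = [NSData dataWithContentsOfFile:caPath];
    SecCertificateRef anchor = caData ? SecCertificateCreateWithData(NULL, (__bridge CFDataRef)caData) : NULL;
    if (!anchor) return NO;
    SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)@[ (__bridge id)anchor ]);
    SecTrustSetAnchorCertificatesOnly(trust, true);   // system roots do not count
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    CFRelease(anchor);
    // Unspecified = valid chain to our anchor with no user override; Proceed = explicitly trusted.
    return status == errSecSuccess &&
           (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
}
- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSString *method = challenge.protectionSpace.authenticationMethod;
    if ([method isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        SecTrustRef trust = challenge.protectionSpace.serverTrust;
        if ([self serverTrustIsAcceptable:trust]) {
            [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
                forAuthenticationChallenge:challenge];
        } else {
            [challenge.sender cancelAuthenticationChallenge:challenge];   // fail closed
        }
    } else if ([method isEqualToString:NSURLAuthenticationMethodClientCertificate]) {
        NSString *p12Path = [[NSBundle mainBundle] pathForResource:@"client" ofType:@"p12"];
        SecIdentityRef identity = [self copyIdentityFromP12:[NSData dataWithContentsOfFile:p12Path]
                                                 passphrase:self.p12Passphrase];
        if (!identity) {
            [challenge.sender cancelAuthenticationChallenge:challenge];
            return;
        }
        SecCertificateRef cert = NULL;
        SecIdentityCopyCertificate(identity, &cert);
        NSURLCredential *credential =
            [NSURLCredential credentialWithIdentity:identity
                                       certificates:(cert ? @[ (__bridge id)cert ] : nil)
                                        persistence:NSURLCredentialPersistenceForSession];
        if (cert) CFRelease(cert);
        CFRelease(identity);
        [challenge.sender useCredential:credential forAuthenticationChallenge:challenge];
    } else {
        // Basic, Digest, NTLM, ...: not expected from this gateway; let the system decide.
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
    }
}

// The POST from the question, restated for NSURLConnection.
- (void)postXML:(NSData *)requestBytes toURL:(NSURL *)url {
    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url];
    request.HTTPMethod = @"POST";
    [request setValue:@"AGENT NAME" forHTTPHeaderField:@"User-Agent"];
    [request setValue:@"text/xml" forHTTPHeaderField:@"Content-Type"];
    request.HTTPBody = requestBytes;   // Content-Length is derived from the body
    self.responseData = [NSMutableData data];
    (void)[[NSURLConnection alloc] initWithRequest:request delegate:self];   // starts loading
}
- (void)connection:(NSURLConnection *)connection didReceiveData:(NSData *)data {
    [self.responseData appendData:data];
}
- (void)connectionDidFinishLoading:(NSURLConnection *)connection {
    NSLog(@"gateway response: %@",
          [[NSString alloc] initWithData:self.responseData encoding:NSUTF8StringEncoding]);
}
@end
```

Two caveats worth keeping in mind with this design. Anchoring on one root means the app must ship a new anchor when the gateway moves to a different CA, so build an update path before pinning. And a PKCS#12 file inside the app bundle is readable by anyone who unpacks the IPA; the passphrase should not be stored next to it, and on a real device the identity is better imported once into the keychain and looked up with SecItemCopyMatching than re-read from the bundle on every challenge.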