我在Asp.net中有Merchantlink Payment Gateway的代码。现在我想在IOS中实现同样的目标。
在这个Asp.net代码中,他们使用某种X509证书并首先在localuser机器上安装它,然后在HttpWebRequest方法中传递此证书。以下是Asp.net中使用的代码片段。注意:证书Object是Object的{{1}}。
X509Certificate2然后
webRequest = (HttpWebRequest)WebRequest.Create("Some URI");
webRequest.ProtocolVersion = HttpVersion.Version10;
webRequest.Method = "POST";
webRequest.UserAgent = "AGENT NAME";
webRequest.ContentType = "text/xml";
webRequest.ContentLength = requestBytes.Length;
webRequest.KeepAlive = false;
webRequest.ClientCertificates.Add(cert);
我不知道如何在目标C中为IOS实现此目标任何人都可以请我指导为此我们如何添加System.Net.ServicePointManager.ServerCertificateValidationCallback =
delegate(Object sender2, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{ return true; };
using (Stream requestStream = webRequest.GetRequestStream())
{
requestStream.Write(requestBytes, 0, requestBytes.Length);
using (HttpWebResponse webResponse = (HttpWebResponse)webRequest.GetResponse())
{
Stream dataStream = webResponse.GetResponseStream();
StreamReader reader = new StreamReader(dataStream);
string responseFromServer = reader.ReadToEnd();
txtResponse.Text = responseFromServer;
}
}
客户端证书以及如何在IOS中加载证书和使用NSURLRequest发送。
答案 0 :(得分:0)
...以下是Asp.net中使用的代码片段
您提供的代码表明您 NOT 正在执行任何服务器验证。你接受了一切,甚至是一个坏人伪造的证书(攻击者也谢谢你):
System.Net.ServicePointManager.ServerCertificateValidationCallback =
delegate(Object sender2, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{ return true; };
我不知道如何在IOS的Objective C中实现这一目标......
您需要使用NSURLConnectionDelegate并为-connection:didReceiveAuthenticationChallenge:提供实施。
OWASP有一些示例代码来执行公钥锁定。 OWASP代码与您的代码相反。 OWASP代码确保您始终与预期的主机(而不是任何使用类似代码的证书进行回答的主机)进行通信。请参阅Certificate and Public Key Pinning。
至少,OWASP代码会向您显示证书验证中的一些移动部分。
以下是一些C#代码,它们加载单个CA,然后使用单个CA验证链:How to verify chain in RemoteCertificateValidationCallback?。它可能是你应该如何在ASP.net中进行ServerCertificateValidationCallback。它不要求您在任何商店中安装CA.它避免了CA Zoo(数百个CA,允许任何人认证服务器)。
您需要让CA for Merchantlink使用它。任何试图声称他们是Merchantlink或Merchanlink的CA的人都会导致失败。这是一件好事,因为它会成为一个坏人。
要发现CA并将其用于验证:
$ openssl s_client -connect www.merchantlink.com:443
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. -
For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
...
从上面,您需要使用Verisign的Class 3 CA.所以转到Use of Root Certificates,然后下载 Root 3,VeriSign Class 3主CA-G5 。
使用正确的root,您将不从OpenSSL获取验证错误(请注意使用-CAfile PCA-3G5.pem):
$ openssl s_client -connect www.merchantlink.com:443 -CAfile PCA-3G5.pem
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL SGC CA
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 2578637, C = US, postalCode = 10017, ST = New York, L = New York, street = 270 Park Avenue, O = "Chase Paymentech Solutions, LLC.", OU = Enterprise Web Architecture, CN = www.merchantlink.com
verify return:1
---
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2578637/C=US/postalCode=10017/ST=New York/L=New York/street=270 Park Avenue/O=Chase Paymentech Solutions, LLC./OU=Enterprise Web Architecture/CN=www.merchantlink.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
...
Start Time: 1397396657
Timeout : 300 (sec)
Verify return code: 0 (ok)
...