【问题标题】:How to use X509 client Certificate in IOS? [duplicate]如何在 IOS 中使用 X509 客户端证书? [复制]
【发布时间】:2014-05-17 17:24:06
【问题描述】:

我在 Asp.net 中有 Merchantlink Payment Gateway 的代码。现在我想在 IOS 中实现同样的目标。

在这个 Asp.net 代码中,他们使用某种 X509 证书并首先将其安装在本地用户机器上,然后在 HttpWebRequest 方法中传递此证书。下面是Asp.net中使用的代码sn-p。注意:证书ObjectObjectX509Certificate2

webRequest = (HttpWebRequest)WebRequest.Create("Some URI");
webRequest.ProtocolVersion = HttpVersion.Version10;
webRequest.Method = "POST";
webRequest.UserAgent = "AGENT NAME";
webRequest.ContentType = "text/xml";
webRequest.ContentLength = requestBytes.Length;
webRequest.KeepAlive = false;
webRequest.ClientCertificates.Add(cert);

然后

System.Net.ServicePointManager.ServerCertificateValidationCallback =
    delegate(Object sender2, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    { return true; };

    using (Stream requestStream = webRequest.GetRequestStream())
    {
        requestStream.Write(requestBytes, 0, requestBytes.Length);
        using (HttpWebResponse webResponse = (HttpWebResponse)webRequest.GetResponse())
        {
            Stream dataStream = webResponse.GetResponseStream();
            StreamReader reader = new StreamReader(dataStream);
            string responseFromServer = reader.ReadToEnd();
            txtResponse.Text = responseFromServer;
        }
    }

我不知道如何在 iOS 的 Objective C 中实现这一点,任何人都可以让我指导一下,我们如何使用 NSURLRequest 添加客户端证书以及如何在 IOS 中加载证书并使用 @987654329 发送@。

【问题讨论】:

    标签: ios x509 client-certificates x509certificate2


    【解决方案1】:

    ...下面是Asp.net中使用的代码sn-p

    您提供的代码表明您执行任何服务器验证。你接受了一切,甚至是来自坏人的伪造证书(攻击者感谢你):

    System.Net.ServicePointManager.ServerCertificateValidationCallback =
        delegate(Object sender2, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        { return true; };
    

    我不知道如何在 Objective C for IOS 中实现这一点......

    您需要使用NSURLConnectionDelegate 并提供-connection:didReceiveAuthenticationChallenge: 的实现。


    OWASP 有一些示例代码来执行公钥固定。 OWASP 代码与您的代码相反。 OWASP 代码可确保您始终与预期的主机对话(而不是与您的代码一样使用证书回答的任何主机)。见Certificate and Public Key Pinning

    至少,OWASP 代码会向您展示证书验证中的一些活动部分。


    这里有一些 C# 代码加载单个 CA,然后使用单个 CA 验证链:How to verify chain in RemoteCertificateValidationCallback?。这可能是您应该如何在 ASP.net 中执行 ServerCertificateValidationCallback 的方式。它要求您在任何商店中安装 CA。而且它避免了 CA Zoo(数百个 CA,任何人都可以认证服务器)。

    您需要获得 CA 才能使用 Merchantlink。任何试图声称自己是 Merchantlink 或 Merchanlink 的 CA 的人都会导致失败。这是一件好事,因为它会成为一个坏人。


    发现 CA 并将其用于验证:

    $ openssl s_client -connect www.merchantlink.com:443
    CONNECTED(00000003)
    depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. -
        For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ...
    

    从上面,您需要使用 Verisign 的 Class 3 CA。所以去Use of Root Certificates,下载Root 3, VeriSign Class 3 Primary CA - G5

    使用正确的 root,您将不会从 OpenSSL 收到验证错误(注意使用 -CAfile PCA-3G5.pem):

    $ openssl s_client -connect www.merchantlink.com:443 -CAfile PCA-3G5.pem 
    CONNECTED(00000003)
    depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
    verify return:1
    depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
    verify return:1
    depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL SGC CA
    verify return:1
    depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 2578637, C = US, postalCode = 10017, ST = New York, L = New York, street = 270 Park Avenue, O = "Chase Paymentech Solutions, LLC.", OU = Enterprise Web Architecture, CN = www.merchantlink.com
    verify return:1
    ---
    Certificate chain
     0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2578637/C=US/postalCode=10017/ST=New York/L=New York/street=270 Park Avenue/O=Chase Paymentech Solutions, LLC./OU=Enterprise Web Architecture/CN=www.merchantlink.com
       i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
     1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
       i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
     2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
       i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    ---
    ...
    Start Time: 1397396657
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
    ...
    

    【讨论】:

      猜你喜欢
      • 2023-03-03
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2011-03-25
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      相关资源
      最近更新 更多