Dynamic certificate pinning

Question

I have an iOS application that will be distributed to multiple customers, each using their own network infrastructure. I would like to add some certificate pinning capabilities, but I need to do it in a dynamic fashion since I cannot ship the app with the cert/pubkey bundled, as doing so would require a different build for each customer.

My idea is to query the per-client configured HTTPS server on app startup, get the certificate, potentially extract the public key and then pin it.

Is it possible to do this in Swift or Objective-C? I have not been able to find relevant code samples or documentation.

Answer

Operationally, it will be a lot easier to manage and recover from misconfigurations if you embed the certificates or keys in the App. If you just pin whatever certificate the server sent to the App the first time, you have no mechanism to support a new certificate once the current one expires or gets rotated. If that's still what you would like to do, I would recommend looking at the HPKP specification, which implements the same mechanism but for browsers: https://tools.ietf.org/html/rfc7469

Also, if the App servers are not directly under your control, there is a high chance that pinning will end up bricking the App if the server's certificate unexpectedly changes. Will the team building the App be informed about infrastructure/certificate changes on the App/customer servers, so they can release an update just in time? If not, you should not do it.
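The rotation problem the answer raises is normally handled the HPKP way: pin a set of SPKI hashes that includes a backup pin for the next key, instead of whatever certificate the server happened to send first. The Swift below is an added illustration, not code from the question or the answer; it assumes the pins are loaded from the per-customer configuration, that the leaf keys are RSA-2048, and iOS 15 or later (for SecTrustCopyCertificateChain).

```swift
import Foundation
import Security
import CryptoKit

/// Pins loaded from per-customer configuration at startup (values are constructed placeholders).
/// Shipping a backup pin for a key that is not yet deployed lets the server key rotate without bricking the app.
struct PinSet {
    let primary: String   // base64 SHA-256 of the SPKI of the currently deployed leaf key
    let backup: String    // base64 SHA-256 of the SPKI of the next key, kept offline
    var allowed: Set<String> { [primary, backup] }
}

// DER SubjectPublicKeyInfo header for RSA-2048 (assumption: customers use RSA-2048 leaf keys).
// SecKeyCopyExternalRepresentation returns the bare PKCS#1 key, so the header is prepended to get the SPKI.
private let rsa2048SPKIHeader: [UInt8] = [
    0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
    0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00]

/// URLSession delegate: normal chain validation first, then the leaf SPKI hash must be in the pin set.
final class PinningDelegate: NSObject, URLSessionDelegate {
    private let pins: PinSet
    init(pins: PinSet) { self.pins = pins }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust,
              SecTrustEvaluateWithError(trust, nil),
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first,
              let key = SecCertificateCopyKey(leaf),
              let attrs = SecKeyCopyAttributes(key) as? [String: Any],
              attrs[kSecAttrKeyType as String] as? String == kSecAttrKeyTypeRSA as String,
              attrs[kSecAttrKeySizeInBits as String] as? Int == 2048,
              let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
            completionHandler(.cancelAuthenticationChallenge, nil)   // fail closed
            return
        }
        let spki = Data(rsa2048SPKIHeader) + keyData
        let pin = Data(SHA256.hash(data: spki)).base64EncodedString()
        if pins.allowed.contains(pin) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Pin mismatch: reject and log it so the team hears about an unannounced change early.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

The pin for a customer's certificate can be computed offline with `openssl x509 -in leaf.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`, the same form the HPKP RFC uses.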
