客户端证书验证与证书固定相结合
Client certificate validation in combination with certificate pinning
在使用客户端证书进行身份验证后,是否需要执行证书锁定?有人可以给我解释一下吗?
if (challenge.ProtectionSpace.AuthenticationMethod == NSUrlProtectionSpace.AuthenticationMethodClientCertificate)
{
Console.WriteLine("Client Cert!");
var options = NSDictionary.FromObjectAndKey(NSObject.FromObject(This._passphrase), SecImportExport.Passphrase);
NSDictionary[] importResult;
if (This?._certificate == null) return;
if (This?._passphrase == null) return;
var x509Certificate = new X509Certificate(This._certificate, This._passphrase);
SecStatusCode statusCode = SecImportExport.ImportPkcs12(This._certificate, options, out importResult);
var identityHandle = importResult[0][SecImportExport.Identity];
var identity = new SecIdentity(identityHandle.Handle);
var certificate = new SecCertificate(x509Certificate.GetRawCertData());
SecCertificate[] certificates = { certificate };
NSUrlCredential credential = NSUrlCredential.FromIdentityCertificatesPersistance(identity, certificates, NSUrlCredentialPersistence.ForSession);
completionHandler(NSUrlSessionAuthChallengeDisposition.UseCredential, credential);
return;
}
*Logic for SSL Pinning*
由于在"clientcertificate request and client authentication"部分之后有一个return语句,证书固定的逻辑将永远不会执行,所以我问自己在与客户端进行身份验证后这部分是否过时了证书.
客户端证书用于根据服务器对客户端进行身份验证,仅此而已。服务器证书用于确保您与正确的服务器通信。
不能通过发送客户端证书来代替正确检查服务器证书。否则,中间人攻击者可以简单地向客户端索取客户端证书,希望客户端接受攻击者伪造的服务器证书作为交换。
在使用客户端证书进行身份验证后,是否需要执行证书锁定?有人可以给我解释一下吗?
if (challenge.ProtectionSpace.AuthenticationMethod == NSUrlProtectionSpace.AuthenticationMethodClientCertificate)
{
Console.WriteLine("Client Cert!");
var options = NSDictionary.FromObjectAndKey(NSObject.FromObject(This._passphrase), SecImportExport.Passphrase);
NSDictionary[] importResult;
if (This?._certificate == null) return;
if (This?._passphrase == null) return;
var x509Certificate = new X509Certificate(This._certificate, This._passphrase);
SecStatusCode statusCode = SecImportExport.ImportPkcs12(This._certificate, options, out importResult);
var identityHandle = importResult[0][SecImportExport.Identity];
var identity = new SecIdentity(identityHandle.Handle);
var certificate = new SecCertificate(x509Certificate.GetRawCertData());
SecCertificate[] certificates = { certificate };
NSUrlCredential credential = NSUrlCredential.FromIdentityCertificatesPersistance(identity, certificates, NSUrlCredentialPersistence.ForSession);
completionHandler(NSUrlSessionAuthChallengeDisposition.UseCredential, credential);
return;
}
*Logic for SSL Pinning*
由于在"clientcertificate request and client authentication"部分之后有一个return语句,证书固定的逻辑将永远不会执行,所以我问自己在与客户端进行身份验证后这部分是否过时了证书.
客户端证书用于根据服务器对客户端进行身份验证,仅此而已。服务器证书用于确保您与正确的服务器通信。
不能通过发送客户端证书来代替正确检查服务器证书。否则,中间人攻击者可以简单地向客户端索取客户端证书,希望客户端接受攻击者伪造的服务器证书作为交换。