Dynamic certificate pinning

Published 2020-05-26 03:37

Question:

I have an iOS application that will be distributed to multiple customers, each using their own network infrastructure. I would like to add some certificate pinning capabilities, but I need to do it in a dynamic fashion since I cannot ship the app with the cert/pubkey bundled, as doing so would require a different build for each customer.

My idea is to query the per-client configured HTTPS server on app startup, get the certificate, potentially extract the public key and then pin it.

Is it possible to do this in Swift or Objective-C? I have not been able to find relevant code samples or documentation.

Answer 1:

Operationally, it will be a lot easier to manage and recover from misconfigurations if you embed the certificates or keys in the App. If you just pin whatever certificate the server sent to the App the first time, you have no mechanism to support a new certificate once the current one expires or gets rotated. If that's still what you would like to do, I would recommend looking at the HPKP specification, which implements the same mechanism but for browsers: https://tools.ietf.org/html/rfc7469

Also, if the App servers are not directly under your control, there is a high chance that pinning will end up bricking the App if the server's certificate unexpectedly changes. Will the team building the App be informed about infrastructure/certificate changes on the App/customer servers, so they can release an update just in time? If not, you should not do it.



Answer 2:

It's possible. I haven't tried it myself, but I think you are looking for something like this.

https://github.com/wultra/ssl-pinning-ios
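As an added example (not code from the question, the answers, or the linked library), here is a URLSessionDelegate that pins SHA-256 hashes of the server's DER certificates, loaded from a per-customer configuration rather than from the first certificate the server happens to present, and that carries a backup pin so a rotated certificate does not brick the app, as Answer 1 recommends. The PinConfig type, the per-host lookup and the source of the configuration are assumptions; standard chain validation still runs first and pinning only adds to it.

```swift
import Foundation
import Security
import CryptoKit

// Assumed: pin sets arrive per customer from a config source outside the binary
// (for example a signed config file or managed app defaults), never from the
// first TLS handshake. Each host keeps a primary and a backup pin.
struct PinConfig {
    let host: String
    // base64(SHA-256(DER certificate)); at least two entries so rotation still matches.
    let certSHA256: Set<String>
}

final class PinningSessionDelegate: NSObject, URLSessionDelegate {
    private let pinsByHost: [String: PinConfig]

    init(configs: [PinConfig]) {
        pinsByHost = Dictionary(uniqueKeysWithValues: configs.map { ($0.host, $0) })
    }

    // Pure check over the presented chain, kept separate so it can be unit-tested.
    static func chainMatches(_ trust: SecTrust, pins: Set<String>) -> Bool {
        for index in 0..<SecTrustGetCertificateCount(trust) {
            guard let cert = SecTrustGetCertificateAtIndex(trust, index) else { continue }
            let der = SecCertificateCopyData(cert) as Data
            let digest = Data(SHA256.hash(data: der)).base64EncodedString()
            if pins.contains(digest) { return true }
        }
        return false
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Only server-trust challenges for a pinned host are handled here; everything
        // else gets the system's default validation.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust,
              let config = pinsByHost[space.host] else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Normal chain validation (trusted root, hostname, expiry) must pass first;
        // the pin check then rejects a valid chain that matches none of the pins.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error),
              Self.chainMatches(trust, pins: config.certSHA256) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}
```

Pass the delegate to `URLSession(configuration:delegate:delegateQueue:)`; when a customer rotates a certificate, the new hash must already be present as the backup pin in their configuration, otherwise the connection is cancelled.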