Evaluation of certificates revocation (CRL/OCSP)

I want to know how to implement evaluation of certificate revocation (CRL/OCSP) in my iOS apps.

Does iOS support CRL/OCSP?

If yes, which Swift/Objective-C API support them?


Thanks.

Replies

Does iOS support CRL/OCSP?

Yes (although, by default, it’s only done under very limited circumstances).

If yes, which Swift/Objective-C API support them?

There’s API for this in `<Security/SecPolicy.h>`. If you search the header for revocation, you’ll find the relevant bits.

IMPORTANT The last time I checked (in the iOS 8 timeframe) there was no way to ‘fail secure’, that is, do a revocation check that fails if the revocation server can’t be contacted (that is, `kSecRevocationRequirePositiveResponse` did not work) (r. 12925208). I don’t know if that was fixed in iOS 9.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

The last time I checked (in the iOS 8 timeframe) there was no way to ‘fail secure’, that is, do a revocation check that fails if the revocation server can’t be contacted (that is, kSecRevocationRequirePositiveResponse did not work) (r. 12925208). I don’t know if that was fixed in iOS 9.

I took a look at this bug and it seems we worked on it in iOS 9 / OS X 10.11. I can’t be sure whether it’ll meet your needs—I haven’t had a chance to play with this myself—but it’s definitely worth a detailed look.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I need to check the server certificate revocation state in every call to NSURLSessionDelegate didReceiveChallenge on the protection space NSURLAuthenticationMethodServerTrust.

So I took a look at `<Security/SecPolicy.h>` and extended the SecTrustRef serverTrust with the additional policy like:

SecPolicyRef revocationPolicy = SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod | kSecRevocationRequirePositiveResponse);

But after the execution of SecTrustEvaluate I always get the negative result kSecTrustResultRecoverableTrustFailure when the kSecRevocationRequirePositiveResponse option is set on the revocation policy.

So does this revocation check enforcement work in iOS 9.2?

Are there any other restrictions like EV certificate qualification on the serverTrust leaf certificate needed?

Which X509 attributes must be present in the server certificate to get the CRL / OCSP evaluation to work properly?

Hey,

It's been a long time since this question was posted. We are facing the same questions with our app and could not find proper documentation that answers them.

Did anyone get any insights or answers regarding these questions?

Are CRLs checked for all types of certificates or only EV certificates?

And what attributes are required in the certificate to make it work?

Where can we find resources and documentation to better understand the restrictions of CRL checking on iOS?

Thanks

The details of the default revocation checking policy are deliberately not documented because they are subject to change. If you want guaranteed revocation checks, you’ll have to use an explicit revocation policy (`SecPolicyCreateRevocation`). Alternatively — and this is the direction I recommend you go because revocation checking is fundamentally broken IMO — opt in to certificate transparency via `NSRequiresCertificateTransparency`.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

WWDC runs Mon, 5 Jun through to Fri, 9 Jun. During that time all of DTS will be at the conference, helping folks out face-to-face. http://developer.apple.com/wwdc/
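To show how the explicit revocation policy recommended above fits into the didReceiveChallenge handler from the earlier question, here is an added example (not code from the thread or from Apple). The delegate class name is hypothetical, and it assumes iOS 12 or later for SecTrustEvaluateWithError; SecTrustCopyResult is used to tell "checked and revoked" apart from "could not check", which is the ambiguity the posts above ran into.

```swift
import Foundation
import Security

// Added example, not code from the thread. Appends an explicit revocation policy
// to the server trust from didReceiveChallenge and fails closed. Assumes iOS 12+
// for SecTrustEvaluateWithError; the class name is hypothetical.
final class RevocationCheckingDelegate: NSObject, URLSessionDelegate {
    // requirePositiveResponse == true is the "fail secure" mode discussed above: an
    // unreachable OCSP/CRL server counts as a failure rather than as "unknown".
    // Returns whether the chain is trusted and whether a revocation check actually ran.
    static func evaluate(_ trust: SecTrust,
                         requirePositiveResponse: Bool = true) -> (trusted: Bool, revocationChecked: Bool) {
        // Keep the default SSL policy (hostname check etc.); only add to it.
        var existing: CFArray?
        guard SecTrustCopyPolicies(trust, &existing) == errSecSuccess,
              var policies = existing as? [SecPolicy] else { return (false, false) }
        var flags = CFOptionFlags(kSecRevocationUseAnyAvailableMethod)
        if requirePositiveResponse { flags |= CFOptionFlags(kSecRevocationRequirePositiveResponse) }
        guard let revocation = SecPolicyCreateRevocation(flags) else { return (false, false) }
        policies.append(revocation)
        SecTrustSetPolicies(trust, policies as CFArray)
        // Fetching an OCSP response or CRL needs the network and may block, so do
        // not call this from the main thread.
        SecTrustSetNetworkFetchAllowed(trust, true)
        var error: CFError?
        let ok = SecTrustEvaluateWithError(trust, &error)
        // kSecTrustRevocationChecked distinguishes "revocation verified" from
        // "evaluation failed before/without a revocation check".
        let info = SecTrustCopyResult(trust) as? [String: Any]
        let checked = info?[kSecTrustRevocationChecked as String] as? Bool ?? false
        if !ok, let err = error {
            print("trust evaluation failed: \(CFErrorCopyDescription(err) as String) (revocationChecked=\(checked))")
        }
        return (ok, checked)
    }

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            return completionHandler(.performDefaultHandling, nil)
        }
        if RevocationCheckingDelegate.evaluate(trust).trusted {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

Because SecTrustSetPolicies replaces the trust's policy list, the existing SSL policy is copied first and the revocation policy appended, otherwise the hostname check would be lost.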

Session 701 from WWDC this year went into a lot of detail about OCSP and OCSP stapling - is it worth spending any time worrying about OCSP stapling, or just use `NSRequiresCertificateTransparency` and forget about it?

It does not seem to be working on iOS 10.3.

I have certificates with a CRL behind HTTPS. I set the policy

SecPolicyRef crlPolicy = SecPolicyCreateRevocation(kSecRevocationCRLMethod | kSecRevocationRequirePositiveResponse);

and allow network requests explicitly, but I get recoverable failure for all certificates, no matter if they are valid or revoked.

If I don't set `kSecRevocationRequirePositiveResponse` then I get unspecified result for all certificates, both valid and revoked.

There is no way to check certificate validity properly using Foundation.