7 Replies
      Latest reply on Nov 20, 2017 8:51 AM by iThinker
      Docomo Level 1 (0 points)

        I want to know how to implement evaluation of certificates revocation(CRL/OCSP) to my iOS apps.

        Does iOS support CRL/OCSP?

        If yes, which Swift/Objective-C API support them?

         

        Thanks.

        • Re: Evaluation of certificates revocation (CRL/OCSP)
          eskimo Apple Staff (10,425 points)

          Does iOS support CRL/OCSP?

          Yes (although, by default, it’s only done under very limited circumstances).

          If yes, which Swift/Objective-C API support them?

          There’s API for this in <Security/SecPolicy.h>.  If you search the header for revocation, you’ll find the relevant bits.

          IMPORTANT The last time I checked (in the iOS 8 timeframe) there was no way to ‘fail secure’, that is, do a revocation check that fails if the revocation server can’t be contacted (that is, kSecRevocationRequirePositiveResponse did not work) (r. 12925208).  I don’t know if that was fixed in iOS 9.

          Share and Enjoy

          Quinn "The Eskimo!"
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Evaluation of certificates revocation (CRL/OCSP)
              eskimo Apple Staff (10,425 points)

              The last time I checked (in the iOS 8 timeframe) there was no way to ‘fail secure’, that is, do a revocation check that fails if the revocation server can’t be contacted (that is, kSecRevocationRequirePositiveResponse did not work) (r. 12925208).  I don’t know if that was fixed in iOS 9.

              I took a look at this bug and it seems we worked on it in iOS 9 / OS X 10.11.  I can’t be sure whether it’ll meet your needs—I haven’t had a chance to play with this myself—but it’s definitely worth a detailed look.

              Share and Enjoy

              Quinn "The Eskimo!"
              Apple Developer Relations, Developer Technical Support, Core OS/Hardware
              let myEmail = "eskimo" + "1" + "@apple.com"

                • Re: Evaluation of certificates revocation (CRL/OCSP)
                  buzzy Level 1 (0 points)

                  I need to check the server certificate revocation state in every call to NSURLSessionDelegate didReceiveChallenge on the protection space NSURLAuthenticationMethodServerTrust.

                  So I took a look at <Security/SecPolicy.h> and extended the SecTrustRef serverTrust with the additional policy like:

                  SecPolicyRef revocationPolicy = SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod | kSecRevocationRequirePositiveResponse);

                  But after the execution of SecTrustEvaluate I always get the negative result kSecTrustResultRecoverableTrustFailure when the kSecRevocationRequirePositiveResponse option is set on the revocation policy.

                  So does this revocation check enforcement work in iOS 9.2?

                  Are there any other restrictions like EV certificate qualification on the serverTrust leaf certificate needed?

                  Which X509 attributes must be present in the server certificate to get the CRL / OCSP evaluation to work properly?

                    • Re: Evaluation of certificates revocation (CRL/OCSP)
                      josephm Level 1 (0 points)

                      Hey,

                      It's been a long time since this question was posted. We are facing the same questions with our app and could not find proper documentation that answers them.

                      Did anyone get any insights or answers regarding these questions?

                      Are CRLs checked for all types of certificates or only EV certificates?

                      And what attributes are required in the certificate to make it work?

                      Where can we find resources and documentation to better understand the restrictions of CRL on iOS?

                      Thanks

                        • Re: Evaluation of certificates revocation (CRL/OCSP)
                          eskimo Apple Staff (10,425 points)

                          The details of the default revocation checking policy are deliberately not documented because they are subject to change.  If you want guaranteed revocation checks, you’ll have to use an explicit revocation policy (SecPolicyCreateRevocation).  Alternatively — and this is the direction I recommend you go because revocation checking is fundamentally broken IMO — opt in to certificate transparency via NSRequiresCertificateTransparency.

                          Share and Enjoy

                          Quinn “The Eskimo!”
                          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                          let myEmail = "eskimo" + "1" + "@apple.com"

                          WWDC runs Mon, 5 Jun through to Fri, 9 Jun.  During that time all of DTS will be at the conference, helping folks out face-to-face. http://developer.apple.com/wwdc/

                    • Re: Evaluation of certificates revocation (CRL/OCSP)
                      iThinker Level 1 (0 points)

                      It does not seem to be working on iOS 10.3.

                      I have certificates with a CRL behind HTTPS. I set the policy

                      SecPolicyRef crlPolicy = SecPolicyCreateRevocation(kSecRevocationCRLMethod | kSecRevocationRequirePositiveResponse);

                      and allow network requests explicitly, but I get a recoverable failure for all certificates, no matter if they are valid or revoked.

                      If I don't set `kSecRevocationRequirePositiveResponse` then I get unspecified result for all certificates, both valid and revoked.

                      There is no way to check certificate validity properly using Foundation.
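The flow buzzy and iThinker describe above (intercepting the server-trust challenge, replacing the trust's policies with an SSL policy plus an explicit SecPolicyCreateRevocation policy, allowing network fetches, then calling SecTrustEvaluate), written out as an added Swift example. This is not code from the thread or from Apple; the API calls (SecPolicyCreateRevocation, SecPolicyCreateSSL, SecTrustSetPolicies, SecTrustSetNetworkFetchAllowed, SecTrustEvaluate) are the ones in <Security/SecPolicy.h> and <Security/SecTrust.h>, while the names RevocationOutcome, evaluateRevocation and RevocationCheckingDelegate and the example.com host are my own. It does not resolve the behaviour iThinker reports; it shows where the fail-secure requirement (kSecRevocationRequirePositiveResponse) surfaces as .recoverableTrustFailure so the connection can be cancelled rather than silently accepted, and it maps .unspecified, which is the normal pass value for a chain that validates without a user override, to success.

```swift
import Foundation
import Security

/// Outcome of a server-trust evaluation that includes an explicit revocation policy.
/// (Added example type, not part of the thread.)
enum RevocationOutcome {
    case trusted                    // chain valid and, if failSecure, revocation status positively confirmed
    case untrusted                  // chain invalid, certificate revoked, or (failSecure) status unknown
    case evaluationError(OSStatus)  // a Security framework call itself failed
}

/// Re-evaluates `trust` for `host` with an SSL policy plus an explicit revocation policy.
/// `failSecure` adds kSecRevocationRequirePositiveResponse, which turns "responder unreachable"
/// into kSecTrustResultRecoverableTrustFailure instead of letting the check pass silently.
func evaluateRevocation(trust: SecTrust, host: String, failSecure: Bool) -> RevocationOutcome {
    var flags = kSecRevocationUseAnyAvailableMethod       // OCSP or CRL, whichever the cert advertises
    if failSecure {
        flags |= kSecRevocationRequirePositiveResponse    // an unknown status counts as a failure
    }
    guard let revocationPolicy = SecPolicyCreateRevocation(CFOptionFlags(flags)) else {
        return .evaluationError(errSecParam)
    }
    // The SSL policy keeps hostname and EKU checks in place; we are adding to them, not replacing them.
    let sslPolicy = SecPolicyCreateSSL(true, host as CFString)

    var status = SecTrustSetPolicies(trust, [sslPolicy, revocationPolicy] as CFArray)
    guard status == errSecSuccess else { return .evaluationError(status) }

    // Revocation checking needs the network; allow the fetch explicitly as iThinker did.
    status = SecTrustSetNetworkFetchAllowed(trust, true)
    guard status == errSecSuccess else { return .evaluationError(status) }

    // SecTrustEvaluate is the call the thread discusses; since iOS 12 Apple prefers SecTrustEvaluateWithError.
    var result = SecTrustResultType.invalid
    status = SecTrustEvaluate(trust, &result)
    guard status == errSecSuccess else { return .evaluationError(status) }

    switch result {
    case .unspecified, .proceed:
        // .unspecified: the chain is valid and no user override is involved (the usual pass value).
        // .proceed: the user explicitly trusted this chain.
        return .trusted
    default:
        // Includes .recoverableTrustFailure, the value reported in the thread when the
        // revocation server cannot be reached under RequirePositiveResponse. Treat it as a hard failure.
        return .untrusted
    }
}

/// URLSession delegate that applies the check to every server-trust challenge,
/// as buzzy's post describes for NSURLAuthenticationMethodServerTrust.
final class RevocationCheckingDelegate: NSObject, URLSessionDelegate {
    let failSecure: Bool
    init(failSecure: Bool) { self.failSecure = failSecure }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)   // not a TLS server-trust challenge
            return
        }
        // Evaluation may block on OCSP/CRL fetches, so keep it off the delegate's calling thread.
        DispatchQueue.global(qos: .userInitiated).async {
            let outcome = evaluateRevocation(trust: trust,
                                             host: challenge.protectionSpace.host,
                                             failSecure: self.failSecure)
            switch outcome {
            case .trusted:
                completionHandler(.useCredential, URLCredential(trust: trust))
            case .untrusted, .evaluationError:
                // Fail closed: a revoked certificate or an unverifiable status never gets a connection.
                completionHandler(.cancelAuthenticationChallenge, nil)
            }
        }
    }
}

// Usage (example.com is a placeholder host, not one from the thread):
// let session = URLSession(configuration: .default,
//                          delegate: RevocationCheckingDelegate(failSecure: true),
//                          delegateQueue: nil)
// session.dataTask(with: URL(string: "https://example.com/")!).resume()
```

With failSecure set to false the example behaves like iThinker's second experiment: a chain whose status cannot be fetched still evaluates to .unspecified, so it is accepted. Whether a given iOS release honours kSecRevocationRequirePositiveResponse is exactly what the thread leaves open, so logging the SecTrustResultType you get per host during testing is the practical way to find out what your target OS does.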