美文网首页
[转]Android 根证书管理与证书验证 (1)

[转]Android 根证书管理与证书验证 (1)

作者: 原野大神 | 来源:发表于2020-10-27 20:21 被阅读0次

    转自https://sq.163yun.com/blog/article/188781576532541440

    PKI 体系依赖证书执行极为关键的身份验证,以此确认服务端的可信任性。证书验证在 SSL/TLS 握手过程中完成,验证过程通常包含三个步骤:

    1. 验证证书的合法性:这一步主要是验证证书是由合法有效的 CA 签发的。在客户端预先保存一个可靠的 CA 的根证书库,比如 FiexFox、Chrome、Android、Microsoft 等都有维护自己的根证书库,并据此验证服务端证书链的合法性。PKI 体系借助于可靠的中心化身份验证系统,即 CA,为服务端的身份合法性背书。根证书库的安全是 PKI 系统正常工作非常关键的部分。

    2. 验证证书域名的匹配性:服务端的证书都是为特定域名签发的,证书就像是网站的身份证一样。通过验证域名匹配性,可以有效的防止身份的仿冒,比如经营着 A 网站的经营者,拦截用户请求,并冒充 B 网站的身份,盗取信息。如果客户端不对域名的匹配性做检查,则将造成极大的攻击面,拿到任何一个域名的合法证书的人都将可以仿冒目标服务器。

    3. 证书钉扎验证:这是 PKI 体系中比较新的一种增强安全性的机制。目前的证书签发机构 CA 非常多,总数大概有几百个上千个,每个 CA 都可以为任何域名签发合法有效的证书,因而众多的 CA 就造成了非常大的攻击面。比如某个 CA 被攻破,或者犯了其它什么错误,为攻击者签发了 www.google.com 等域名的证书,则攻击者将可以仿冒这些网站。证书钉扎机制正是为了解决这一问题而产生——证书钉扎机制中,在客户端将特定域名的证书与特定的签发者绑定,即客户端只承认特定签发者签发的某个域名的证书,而不承认其它 CA 为该域名签发的证书。通过这种方式,来解除大量 CA 这个攻击面的威胁。

    在 Android 系统的 Java 应用程序中,证书验证通常由不同层面的多个组件完成。第一步的证书合法性验证,主要由 Java 标准库的 javax.net.ssl.SSLSocketstartHandshake() 方法中完成,后面两个步骤由更上层的组件完成,比如 HTTPS 库 OkHttp 等。

    本文主要讨论 Android 中根证书库的管理和证书的合法性验证。(本文分析说明主要依据 android-7.1.1/android-7.1.2 系统的行为,可以通过 Google 的 <u>OpenGrok 服务器</u> 阅读 Android 系统的源码。)

    Android 的根证书管理

    在 AOSP 源码库中,CA 根证书主要存放在 system/ca-certificates 目录下,而在 Android 系统中,则存放在 /system/etc/security/ 目录下,以 Android 7.1.1 系统的 Pixel 设备为例:

    sailfish:/ # ls -l  /system/etc/security/
    total 40
    drwxr-xr-x 2 root root 4096 2017-07-18 16:37 cacerts
    drwxr-xr-x 2 root root 4096 2017-07-18 16:36 cacerts_google
    -rw-r--r-- 1 root root 4995 2017-07-18 16:03 mac_permissions.xml
    -rw-r--r-- 1 root root 1073 2017-07-18 16:59 otacerts.zip
    
    

    其中 cacerts_google 目录下的根证书,主要用于 system/update_engineexternal/libbrillosystem/core/crash_reporter 等模块,cacerts 目录下的根证书则用于所有的应用。cacerts 目录下的根证书,即 Android 系统的根证书库,像下面这样:

    sailfish:/ # ls -l /system/etc/security/cacerts
    total 2408
    -rw-r--r-- 1 root root 4767 2017-07-18 16:37 00673b5b.0
    -rw-r--r-- 1 root root 7195 2017-07-18 16:37 02756ea4.0
    -rw-r--r-- 1 root root 4919 2017-07-18 16:37 02b73561.0
    -rw-r--r-- 1 root root 7142 2017-07-18 16:37 03f2b8cf.0
    -rw-r--r-- 1 root root 2877 2017-07-18 16:37 04f60c28.0
    -rw-r--r-- 1 root root 4836 2017-07-18 16:37 052e396b.0
    -rw-r--r-- 1 root root 5322 2017-07-18 16:37 08aef7bb.0
    -rw-r--r-- 1 root root 4922 2017-07-18 16:37 0d5a4e1c.0
    -rw-r--r-- 1 root root 2308 2017-07-18 16:37 0d69c7e1.0
    -rw-r--r-- 1 root root 4614 2017-07-18 16:37 10531352.0
    -rw-r--r-- 1 root root 4716 2017-07-18 16:37 111e6273.0
    -rw-r--r-- 1 root root 5375 2017-07-18 16:37 119afc2e.0
    -rw-r--r-- 1 root root 4927 2017-07-18 16:37 124bbd54.0
    . . . . . .
    
    

    它们都是 PEM 格式的 X.509 证书。Android 系统通过 SystemCertificateSourceDirectoryCertificateSourceCertificateSource 等类管理系统根证书库。CertificateSource定义(位于frameworks/base/core/java/android/security/net/config/CertificateSource.java)了可以对根证书库执行的操作,主要是对根证书的获取和查找:

    package android.security.net.config;
    
    import java.security.cert.X509Certificate;
    import java.util.Set;
    
    /** @hide */
    public interface CertificateSource {
        Set<X509Certificate> getCertificates();
        X509Certificate findBySubjectAndPublicKey(X509Certificate cert);
        X509Certificate findByIssuerAndSignature(X509Certificate cert);
        Set<X509Certificate> findAllByIssuerAndSignature(X509Certificate cert);
        void handleTrustStorageUpdate();
    }
    
    

    DirectoryCertificateSource 类则基于文件系统上分开存放的根证书文件的形式保存的根证书库,提供证书的创建、获取和查找操作,这个类的定义(位于frameworks/base/core/java/android/security/net/config/DirectoryCertificateSource.java)如下:

    package android.security.net.config;
    
    import android.os.Environment;
    import android.os.UserHandle;
    import android.util.ArraySet;
    import android.util.Log;
    import android.util.Pair;
    import java.io.BufferedInputStream;
    import java.io.File;
    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.io.IOException;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateException;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import java.util.Collections;
    import java.util.Set;
    import libcore.io.IoUtils;
    
    import com.android.org.conscrypt.Hex;
    import com.android.org.conscrypt.NativeCrypto;
    
    import javax.security.auth.x500.X500Principal;
    
    /**
     * {@link CertificateSource} based on a directory where certificates are stored as individual files
     * named after a hash of their SubjectName for more efficient lookups.
     * @hide
     */
    abstract class DirectoryCertificateSource implements CertificateSource {
        private static final String LOG_TAG = "DirectoryCertificateSrc";
        private final File mDir;
        private final Object mLock = new Object();
        private final CertificateFactory mCertFactory;
    
        private Set<X509Certificate> mCertificates;
    
        protected DirectoryCertificateSource(File caDir) {
            mDir = caDir;
            try {
                mCertFactory = CertificateFactory.getInstance("X.509");
            } catch (CertificateException e) {
                throw new RuntimeException("Failed to obtain X.509 CertificateFactory", e);
            }
        }
    
        protected abstract boolean isCertMarkedAsRemoved(String caFile);
    
        @Override
        public Set<X509Certificate> getCertificates() {
            // TODO: loading all of these is wasteful, we should instead use a keystore style API.
            synchronized (mLock) {
                if (mCertificates != null) {
                    return mCertificates;
                }
    
                Set<X509Certificate> certs = new ArraySet<X509Certificate>();
                if (mDir.isDirectory()) {
                    for (String caFile : mDir.list()) {
                        if (isCertMarkedAsRemoved(caFile)) {
                            continue;
                        }
                        X509Certificate cert = readCertificate(caFile);
                        if (cert != null) {
                            certs.add(cert);
                        }
                    }
                }
                mCertificates = certs;
                return mCertificates;
            }
        }
    
        @Override
        public X509Certificate findBySubjectAndPublicKey(final X509Certificate cert) {
            return findCert(cert.getSubjectX500Principal(), new CertSelector() {
                @Override
                public boolean match(X509Certificate ca) {
                    return ca.getPublicKey().equals(cert.getPublicKey());
                }
            });
        }
    
    

    获取根证书库的 getCertificates() 操作在第一次被调用时,遍历文件系统,并加载系统所有的根证书文件,并缓存起来,以备后面访问。根证书的查找操作,主要依据证书文件的文件名进行,证书文件被要求以 [SubjectName 的哈希值].[Index] 的形式命名。

    SystemCertificateSource 类主要定义(位于frameworks/base/core/java/android/security/net/config/SystemCertificateSource.java)了系统根证书库的路径,以及无效一个根证书的机制:

    package android.security.net.config;
    
    import android.os.Environment;
    import android.os.UserHandle;
    import java.io.File;
    
    /**
     * {@link CertificateSource} based on the system trusted CA store.
     * @hide
     */
    public final class SystemCertificateSource extends DirectoryCertificateSource {
        private static class NoPreloadHolder {
            private static final SystemCertificateSource INSTANCE = new SystemCertificateSource();
        }
    
        private final File mUserRemovedCaDir;
    
        private SystemCertificateSource() {
            super(new File(System.getenv("ANDROID_ROOT") + "/etc/security/cacerts"));
            File configDir = Environment.getUserConfigDirectory(UserHandle.myUserId());
            mUserRemovedCaDir = new File(configDir, "cacerts-removed");
        }
    
        public static SystemCertificateSource getInstance() {
            return NoPreloadHolder.INSTANCE;
        }
    
        @Override
        protected boolean isCertMarkedAsRemoved(String caFile) {
            return new File(mUserRemovedCaDir, caFile).exists();
        }
    }
    
    

    Android 系统的根证书位于 /system/etc/security/cacerts/ 目录下。用户可以通过将特定根证书复制到用户配置目录的 cacerts-removed 目录下来无效一个根证书。

    Android framework 还提供了另外一个用于加载并访问用户根证书库的组件 UserCertificateSource,这个类的定义(位于 frameworks/base/core/java/android/security/net/config/UserCertificateSource.java)如下:

    package android.security.net.config;
    
    import android.os.Environment;
    import android.os.UserHandle;
    import java.io.File;
    
    /**
     * {@link CertificateSource} based on the user-installed trusted CA store.
     * @hide
     */
    public final class UserCertificateSource extends DirectoryCertificateSource {
        private static class NoPreloadHolder {
            private static final UserCertificateSource INSTANCE = new UserCertificateSource();
        }
    
        private UserCertificateSource() {
            super(new File(
                    Environment.getUserConfigDirectory(UserHandle.myUserId()), "cacerts-added"));
        }
    
        public static UserCertificateSource getInstance() {
            return NoPreloadHolder.INSTANCE;
        }
    
        @Override
        protected boolean isCertMarkedAsRemoved(String caFile) {
            return false;
        }
    }
    
    

    这个组件与 SystemCertificateSource 类似,只是它定义了用户根证书库的路径。

    相关的几个组件结构如下图:

    image

    证书链合法性验证

    有了根证书库之后,根证书库又是如何被用于 SSL/TLS 握手的证书验证过程的呢?

    证书的合法性由 Java 标准库的 javax.net.ssl.SSLSocketstartHandshake() 方法中完成。对于 Android 系统而言,SSLSocket 基于 OpenSSL 库实现,这一实现由 external/conscrypt 模块提供,SSLSocket 的实现为 OpenSSLSocketImpl 类(位于external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java)。

    OpenSSLSocketImpl.startHandshake() 中的 SSL/TLS 握手是一个极为精巧的过程,我们略过详细的握手过程,主要关注证书验证的部分。

    OpenSSLSocketImpl.startHandshake() 通过 NativeCrypto 类(位于external/conscrypt/src/main/java/org/conscrypt/NativeCrypto.java)中的静态本地层方法 SSL_do_handshake() 方法执行握手操作:

        /**
         * Returns the sslSessionNativePointer of the negotiated session. If this is
         * a server negotiation, supplying the {@code alpnProtocols} will enable
         * ALPN negotiation.
         */
        public static native long SSL_do_handshake(long sslNativePointer,
                                                   FileDescriptor fd,
                                                   SSLHandshakeCallbacks shc,
                                                   int timeoutMillis,
                                                   boolean client_mode,
                                                   byte[] npnProtocols,
                                                   byte[] alpnProtocols)
            throws SSLException, SocketTimeoutException, CertificateException;
    
    

    NativeCrypto 类内部定义了一组将会在本地层由与 SSL 握手相关的 OpenSSL C/C++ 代码调用的回调 SSLHandshakeCallbacks,在上面的 SSL_do_handshake() 方法中,这组回调作为参数传入本地层。

    SSLHandshakeCallbacks 定义如下:

        /**
         * A collection of callbacks from the native OpenSSL code that are
         * related to the SSL handshake initiated by SSL_do_handshake.
         */
        public interface SSLHandshakeCallbacks {
            /**
             * Verify that we trust the certificate chain is trusted.
             *
             * @param sslSessionNativePtr pointer to a reference of the SSL_SESSION
             * @param certificateChainRefs chain of X.509 certificate references
             * @param authMethod auth algorithm name
             *
             * @throws CertificateException if the certificate is untrusted
             */
            public void verifyCertificateChain(long sslSessionNativePtr, long[] certificateChainRefs,
                    String authMethod) throws CertificateException;
    
            /**
             * Called on an SSL client when the server requests (or
             * requires a certificate). The client can respond by using
             * SSL_use_certificate and SSL_use_PrivateKey to set a
             * certificate if has an appropriate one available, similar to
             * how the server provides its certificate.
             *
             * @param keyTypes key types supported by the server,
             * convertible to strings with #keyType
             * @param asn1DerEncodedX500Principals CAs known to the server
             */
            public void clientCertificateRequested(byte[] keyTypes,
                                                   byte[][] asn1DerEncodedX500Principals)
                throws CertificateEncodingException, SSLException;
    
            /**
             * Gets the key to be used in client mode for this connection in Pre-Shared Key (PSK) key
             * exchange.
             *
             * @param identityHint PSK identity hint provided by the server or {@code null} if no hint
             *        provided.
             * @param identity buffer to be populated with PSK identity (NULL-terminated modified UTF-8)
             *        by this method. This identity will be provided to the server.
             * @param key buffer to be populated with key material by this method.
             *
             * @return number of bytes this method stored in the {@code key} buffer or {@code 0} if an
             *         error occurred in which case the handshake will be aborted.
             */
            public int clientPSKKeyRequested(String identityHint, byte[] identity, byte[] key);
    
            /**
             * Gets the key to be used in server mode for this connection in Pre-Shared Key (PSK) key
             * exchange.
             *
             * @param identityHint PSK identity hint provided by this server to the client or
             *        {@code null} if no hint was provided.
             * @param identity PSK identity provided by the client.
             * @param key buffer to be populated with key material by this method.
             *
             * @return number of bytes this method stored in the {@code key} buffer or {@code 0} if an
             *         error occurred in which case the handshake will be aborted.
             */
            public int serverPSKKeyRequested(String identityHint, String identity, byte[] key);
    
            /**
             * Called when SSL state changes. This could be handshake completion.
             */
            public void onSSLStateChange(long sslSessionNativePtr, int type, int val);
        }
    
    

    其中 verifyCertificateChain() 回调用于服务端证书的验证。Android 系统通过这一回调,将根证书库的管理模块和底层 OpenSSL 的 SSL/TLS 握手及身份验证连接起来。

    的实现如下:

        @SuppressWarnings("unused") // used by NativeCrypto.SSLHandshakeCallbacks
        @Override
        public void verifyCertificateChain(long sslSessionNativePtr, long[] certRefs, String authMethod)
                throws CertificateException {
            try {
                X509TrustManager x509tm = sslParameters.getX509TrustManager();
                if (x509tm == null) {
                    throw new CertificateException("No X.509 TrustManager");
                }
                if (certRefs == null || certRefs.length == 0) {
                    throw new SSLException("Peer sent no certificate");
                }
                OpenSSLX509Certificate[] peerCertChain = new OpenSSLX509Certificate[certRefs.length];
                for (int i = 0; i < certRefs.length; i++) {
                    peerCertChain[i] = new OpenSSLX509Certificate(certRefs[i]);
                }
    
                // Used for verifyCertificateChain callback
                handshakeSession = new OpenSSLSessionImpl(sslSessionNativePtr, null, peerCertChain,
                        getHostnameOrIP(), getPort(), null);
    
                boolean client = sslParameters.getUseClientMode();
                if (client) {
                    Platform.checkServerTrusted(x509tm, peerCertChain, authMethod, this);
                    if (sslParameters.isCTVerificationEnabled(getHostname())) {
                        byte[] tlsData = NativeCrypto.SSL_get_signed_cert_timestamp_list(
                                            sslNativePointer);
                        byte[] ocspData = NativeCrypto.SSL_get_ocsp_response(sslNativePointer);
    
                        CTVerifier ctVerifier = sslParameters.getCTVerifier();
                        CTVerificationResult result =
                            ctVerifier.verifySignedCertificateTimestamps(peerCertChain, tlsData, ocspData);
    
                        if (result.getValidSCTs().size() == 0) {
                            throw new CertificateException("No valid SCT found");
                        }
                    }
                } else {
                    String authType = peerCertChain[0].getPublicKey().getAlgorithm();
                    Platform.checkClientTrusted(x509tm, peerCertChain, authType, this);
                }
            } catch (CertificateException e) {
                throw e;
            } catch (Exception e) {
                throw new CertificateException(e);
            } finally {
                // Clear this before notifying handshake completed listeners
                handshakeSession = null;
            }
        }
    
    

    相关文章

      网友评论

          本文标题:[转]Android 根证书管理与证书验证 (1)

          本文链接:https://www.haomeiwen.com/subject/zyxfvktx.html