登录注册
最新博客
最新资源下载
Android 根证书管理与证书验证(1)
达芬奇密码2018-08-17 13:40PKI 体系依赖证书执行极为关键的身份验证,以此确认服务端的可信任性。证书验证在 SSL/TLS 握手过程中完成,验证过程通常包含三个步骤:
验证证书的合法性:这一步主要是验证证书是由合法有效的 CA 签发的。在客户端预先保存一个可靠的 CA 的根证书库,比如 FiexFox、Chrome、Android、Microsoft 等都有维护自己的根证书库,并据此验证服务端证书链的合法性。PKI 体系借助于可靠的中心化身份验证系统,即 CA,为服务端的身份合法性背书。根证书库的安全是 PKI 系统正常工作非常关键的部分。
验证证书域名的匹配性:服务端的证书都是为特定域名签发的,证书就像是网站的身份证一样。通过验证域名匹配性,可以有效的防止身份的仿冒,比如经营着 A 网站的经营者,拦截用户请求,并冒充 B 网站的身份,盗取信息。如果客户端不对域名的匹配性做检查,则将造成极大的攻击面,拿到任何一个域名的合法证书的人都将可以仿冒目标服务器。
证书钉扎验证:这是 PKI 体系中比较新的一种增强安全性的机制。目前的证书签发机构 CA 非常多,总数大概有几百个上千个,每个 CA 都可以为任何域名签发合法有效的证书,因而众多的 CA 就造成了非常大的攻击面。比如某个 CA 被攻破,或者犯了其它什么错误,为攻击者签发了 www.google.com 等域名的证书,则攻击者将可以仿冒这些网站。证书钉扎机制正是为了解决这一问题而产生——证书钉扎机制中,在客户端将特定域名的证书与特定的签发者绑定,即客户端只承认特定签发者签发的某个域名的证书,而不承认其它 CA 为该域名签发的证书。通过这种方式,来解除大量 CA 这个攻击面的威胁。
在 Android 系统的 Java 应用程序中,证书验证通常由不同层面的多个组件完成。第一步的证书合法性验证,主要由 Java 标准库的 javax.net.ssl.SSLSocket 在 startHandshake() 方法中完成,后面两个步骤由更上层的组件完成,比如 HTTPS 库 OkHttp 等。
本文主要讨论 Android 中根证书库的管理和证书的合法性验证。(本文分析说明主要依据 android-7.1.1/android-7.1.2 系统的行为,可以通过 Google 的 OpenGrok 服务器 阅读 Android 系统的源码。)
Android 的根证书管理
在 AOSP 源码库中,CA 根证书主要存放在 system/ca-certificates 目录下,而在 Android 系统中,则存放在 /system/etc/security/ 目录下,以 Android 7.1.1 系统的 Pixel 设备为例:
sailfish:/ # ls -l /system/etc/security/
total 40
drwxr-xr-x 2 root root 4096 2017-07-18 16:37 cacerts
drwxr-xr-x 2 root root 4096 2017-07-18 16:36 cacerts_google
-rw-r--r-- 1 root root 4995 2017-07-18 16:03 mac_permissions.xml
-rw-r--r-- 1 root root 1073 2017-07-18 16:59 otacerts.zip
其中 cacerts_google 目录下的根证书,主要用于 system/update_engine、external/libbrillo 和 system/core/crash_reporter 等模块,cacerts 目录下的根证书则用于所有的应用。cacerts 目录下的根证书,即 Android 系统的根证书库,像下面这样:
sailfish:/ # ls -l /system/etc/security/cacerts
total 2408
-rw-r--r-- 1 root root 4767 2017-07-18 16:37 00673b5b.0
-rw-r--r-- 1 root root 7195 2017-07-18 16:37 02756ea4.0
-rw-r--r-- 1 root root 4919 2017-07-18 16:37 02b73561.0
-rw-r--r-- 1 root root 7142 2017-07-18 16:37 03f2b8cf.0
-rw-r--r-- 1 root root 2877 2017-07-18 16:37 04f60c28.0
-rw-r--r-- 1 root root 4836 2017-07-18 16:37 052e396b.0
-rw-r--r-- 1 root root 5322 2017-07-18 16:37 08aef7bb.0
-rw-r--r-- 1 root root 4922 2017-07-18 16:37 0d5a4e1c.0
-rw-r--r-- 1 root root 2308 2017-07-18 16:37 0d69c7e1.0
-rw-r--r-- 1 root root 4614 2017-07-18 16:37 10531352.0
-rw-r--r-- 1 root root 4716 2017-07-18 16:37 111e6273.0
-rw-r--r-- 1 root root 5375 2017-07-18 16:37 119afc2e.0
-rw-r--r-- 1 root root 4927 2017-07-18 16:37 124bbd54.0
. . . . . .
它们都是 PEM 格式的 X.509 证书。Android 系统通过 SystemCertificateSource、DirectoryCertificateSource 和 CertificateSource 等类管理系统根证书库。CertificateSource定义(位于frameworks/base/core/java/android/security/net/config/CertificateSource.java)了可以对根证书库执行的操作,主要是对根证书的获取和查找:
package android.security.net.config;
import java.security.cert.X509Certificate;
import java.util.Set;
/** @hide */
public interface CertificateSource {
Set<X509Certificate> getCertificates();
X509Certificate findBySubjectAndPublicKey(X509Certificate cert);
X509Certificate findByIssuerAndSignature(X509Certificate cert);
Set<X509Certificate> findAllByIssuerAndSignature(X509Certificate cert);
void handleTrustStorageUpdate();
}
DirectoryCertificateSource 类则基于文件系统上分开存放的根证书文件的形式保存的根证书库,提供证书的创建、获取和查找操作,这个类的定义(位于frameworks/base/core/java/android/security/net/config/DirectoryCertificateSource.java)如下:
package android.security.net.config; import android.os.Environment; import android.os.UserHandle; import android.util.ArraySet; import android.util.Log; import android.util.Pair; import java.io.BufferedInputStream; import java.io.File; import java.io.FileInputStream; import java.io.InputStream; import java.io.IOException; import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.util.Collections; import java.util.Set; import libcore.io.IoUtils; import com.android.org.conscrypt.Hex; import com.android.org.conscrypt.NativeCrypto; import javax.security.auth.x500.X500Principal; /** * {@link CertificateSource} based on a directory where certificates are stored as individual files * named after a hash of their SubjectName for more efficient lookups. * @hide */ abstract class DirectoryCertificateSource implements CertificateSource { private static final String LOG_TAG = "DirectoryCertificateSrc"; private final File mDir; private final Object mLock = new Object(); private final CertificateFactory mCertFactory; private Set<X509Certificate> mCertificates; protected DirectoryCertificateSource(File caDir) { mDir = caDir; try { mCertFactory = CertificateFactory.getInstance("X.509"); } catch (CertificateException e) { throw new RuntimeException("Failed to obtain X.509 CertificateFactory", e); } } protected abstract boolean isCertMarkedAsRemoved(String caFile); @Override public Set<X509Certificate> getCertificates() { // TODO: loading all of these is wasteful, we should instead use a keystore style API. synchronized (mLock) { if (mCertificates != null) { return mCertificates; } Set<X509Certificate> certs = new ArraySet<X509Certificate>(); if (mDir.isDirectory()) { for (String caFile : mDir.list()) { if (isCertMarkedAsRemoved(caFile)) { continue; } X509Certificate cert = readCertificate(caFile); if (cert != null) { certs.add(cert); } } } mCertificates = certs; return mCertificates; } } @Override public X509Certificate findBySubjectAndPublicKey(final X509Certificate cert) { return findCert(cert.getSubjectX500Principal(), new CertSelector() { @Override public boolean match(X509Certificate ca) { return ca.getPublicKey().equals(cert.getPublicKey()); } }); }@Override public X509Certificate findByIssuerAndSignature(final X509Certificate cert) { return findCert(cert.getIssuerX500Principal(), new CertSelector() { @Override public boolean match(X509Certificate ca) { try { cert.verify(ca.getPublicKey()); return true; } catch (Exception e) { return false; } } }); } @Override public Set<X509Certificate> findAllByIssuerAndSignature(final X509Certificate cert) { return findCerts(cert.getIssuerX500Principal(), new CertSelector() { @Override public boolean match(X509Certificate ca) { try { cert.verify(ca.getPublicKey()); return true; } catch (Exception e) { return false; } } }); } @Override public void handleTrustStorageUpdate() { synchronized (mLock) { mCertificates = null; } } private static interface CertSelector { boolean match(X509Certificate cert); } private Set<X509Certificate> findCerts(X500Principal subj, CertSelector selector) { String hash = getHash(subj); Set<X509Certificate> certs = null; for (int index = 0; index >= 0; index++) { String fileName = hash + "." + index; if (!new File(mDir, fileName).exists()) { break; } if (isCertMarkedAsRemoved(fileName)) { continue; } X509Certificate cert = readCertificate(fileName); if (cert == null) { continue; } if (!subj.equals(cert.getSubjectX500Principal())) { continue; } if (selector.match(cert)) { if (certs == null) { certs = new ArraySet<X509Certificate>(); } certs.add(cert); } } return certs != null ? certs : Collections.<X509Certificate>emptySet(); } private X509Certificate findCert(X500Principal subj, CertSelector selector) { String hash = getHash(subj); for (int index = 0; index >= 0; index++) { String fileName = hash + "." + index; if (!new File(mDir, fileName).exists()) { break; } if (isCertMarkedAsRemoved(fileName)) { continue; } X509Certificate cert = readCertificate(fileName); if (cert == null) { continue; } if (!subj.equals(cert.getSubjectX500Principal())) { continue; } if (selector.match(cert)) { return cert; } } return null; } private String getHash(X500Principal name) { int hash = NativeCrypto.X509_NAME_hash_old(name); return Hex.intToHexString(hash, 8); } private X509Certificate readCertificate(String file) { InputStream is = null; try { is = new BufferedInputStream(new FileInputStream(new File(mDir, file))); return (X509Certificate) mCertFactory.generateCertificate(is); } catch (CertificateException | IOException e) { Log.e(LOG_TAG, "Failed to read certificate from " + file, e); return null; } finally { IoUtils.closeQuietly(is); } } }
获取根证书库的 getCertificates() 操作在第一次被调用时,遍历文件系统,并加载系统所有的根证书文件,并缓存起来,以备后面访问。根证书的查找操作,主要依据证书文件的文件名进行,证书文件被要求以 [SubjectName 的哈希值].[Index] 的形式命名。
SystemCertificateSource 类主要定义(位于frameworks/base/core/java/android/security/net/config/SystemCertificateSource.java)了系统根证书库的路径,以及无效一个根证书的机制:
package android.security.net.config;
import android.os.Environment;
import android.os.UserHandle;
import java.io.File;
/**
* {@link CertificateSource} based on the system trusted CA store.
* @hide
*/
public final class SystemCertificateSource extends DirectoryCertificateSource {
private static class NoPreloadHolder {
private static final SystemCertificateSource INSTANCE = new SystemCertificateSource();
}
private final File mUserRemovedCaDir;
private SystemCertificateSource() {
super(new File(System.getenv("ANDROID_ROOT") + "/etc/security/cacerts"));
File configDir = Environment.getUserConfigDirectory(UserHandle.myUserId());
mUserRemovedCaDir = new File(configDir, "cacerts-removed");
}
public static SystemCertificateSource getInstance() {
return NoPreloadHolder.INSTANCE;
}
@Override
protected boolean isCertMarkedAsRemoved(String caFile) {
return new File(mUserRemovedCaDir, caFile).exists();
}
}
Android 系统的根证书位于 /system/etc/security/cacerts/ 目录下。用户可以通过将特定根证书复制到用户配置目录的 cacerts-removed 目录下来无效一个根证书。
Android framework 还提供了另外一个用于加载并访问用户根证书库的组件 UserCertificateSource,这个类的定义(位于 frameworks/base/core/java/android/security/net/config/UserCertificateSource.java)如下:
package android.security.net.config;
import android.os.Environment;
import android.os.UserHandle;
import java.io.File;
/**
* {@link CertificateSource} based on the user-installed trusted CA store.
* @hide
*/
public final class UserCertificateSource extends DirectoryCertificateSource {
private static class NoPreloadHolder {
private static final UserCertificateSource INSTANCE = new UserCertificateSource();
}
private UserCertificateSource() {
super(new File(
Environment.getUserConfigDirectory(UserHandle.myUserId()), "cacerts-added"));
}
public static UserCertificateSource getInstance() {
return NoPreloadHolder.INSTANCE;
}
@Override
protected boolean isCertMarkedAsRemoved(String caFile) {
return false;
}
}
这个组件与 SystemCertificateSource 类似,只是它定义了用户根证书库的路径。
相关的几个组件结构如下图:
证书链合法性验证
有了根证书库之后,根证书库又是如何被用于 SSL/TLS 握手的证书验证过程的呢?
证书的合法性由 Java 标准库的 javax.net.ssl.SSLSocket 在 startHandshake() 方法中完成。对于 Android 系统而言,SSLSocket 基于 OpenSSL 库实现,这一实现由 external/conscrypt 模块提供,SSLSocket 的实现为 OpenSSLSocketImpl 类(位于external/conscrypt/src/main/java/org/conscrypt/OpenSSLSocketImpl.java)。
OpenSSLSocketImpl.startHandshake() 中的 SSL/TLS 握手是一个极为精巧的过程,我们略过详细的握手过程,主要关注证书验证的部分。
OpenSSLSocketImpl.startHandshake() 通过 NativeCrypto 类(位于external/conscrypt/src/main/java/org/conscrypt/NativeCrypto.java)中的静态本地层方法 SSL_do_handshake() 方法执行握手操作:
/**
* Returns the sslSessionNativePointer of the negotiated session. If this is
* a server negotiation, supplying the {@code alpnProtocols} will enable
* ALPN negotiation.
*/
public static native long SSL_do_handshake(long sslNativePointer,
FileDescriptor fd,
SSLHandshakeCallbacks shc,
int timeoutMillis,
boolean client_mode,
byte[] npnProtocols,
byte[] alpnProtocols)
throws SSLException, SocketTimeoutException, CertificateException;
NativeCrypto 类内部定义了一组将会在本地层由与 SSL 握手相关的 OpenSSL C/C++ 代码调用的回调 SSLHandshakeCallbacks,在上面的 SSL_do_handshake() 方法中,这组回调作为参数传入本地层。
SSLHandshakeCallbacks 定义如下:
/**
* A collection of callbacks from the native OpenSSL code that are
* related to the SSL handshake initiated by SSL_do_handshake.
*/
public interface SSLHandshakeCallbacks {
/**
* Verify that we trust the certificate chain is trusted.
*
* @param sslSessionNativePtr pointer to a reference of the SSL_SESSION
* @param certificateChainRefs chain of X.509 certificate references
* @param authMethod auth algorithm name
*
* @throws CertificateException if the certificate is untrusted
*/
public void verifyCertificateChain(long sslSessionNativePtr, long[] certificateChainRefs,
String authMethod) throws CertificateException;
/**
* Called on an SSL client when the server requests (or
* requires a certificate). The client can respond by using
* SSL_use_certificate and SSL_use_PrivateKey to set a
* certificate if has an appropriate one available, similar to
* how the server provides its certificate.
*
* @param keyTypes key types supported by the server,
* convertible to strings with #keyType
* @param asn1DerEncodedX500Principals CAs known to the server
*/
public void clientCertificateRequested(byte[] keyTypes,
byte[][] asn1DerEncodedX500Principals)
throws CertificateEncodingException, SSLException;
/**
* Gets the key to be used in client mode for this connection in Pre-Shared Key (PSK) key
* exchange.
*
* @param identityHint PSK identity hint provided by the server or {@code null} if no hint
* provided.
* @param identity buffer to be populated with PSK identity (NULL-terminated modified UTF-8)
* by this method. This identity will be provided to the server.
* @param key buffer to be populated with key material by this method.
*
* @return number of bytes this method stored in the {@code key} buffer or {@code 0} if an
* error occurred in which case the handshake will be aborted.
*/
public int clientPSKKeyRequested(String identityHint, byte[] identity, byte[] key);
/**
* Gets the key to be used in server mode for this connection in Pre-Shared Key (PSK) key
* exchange.
*
* @param identityHint PSK identity hint provided by this server to the client or
* {@code null} if no hint was provided.
* @param identity PSK identity provided by the client.
* @param key buffer to be populated with key material by this method.
*
* @return number of bytes this method stored in the {@code key} buffer or {@code 0} if an
* error occurred in which case the handshake will be aborted.
*/
public int serverPSKKeyRequested(String identityHint, String identity, byte[] key);
/**
* Called when SSL state changes. This could be handshake completion.
*/
public void onSSLStateChange(long sslSessionNativePtr, int type, int val);
}
其中 verifyCertificateChain() 回调用于服务端证书的验证。Android 系统通过这一回调,将根证书库的管理模块和底层 OpenSSL 的 SSL/TLS 握手及身份验证连接起来。
的实现如下:
@SuppressWarnings("unused") // used by NativeCrypto.SSLHandshakeCallbacks
@Override
public void verifyCertificateChain(long sslSessionNativePtr, long[] certRefs, String authMethod)
throws CertificateException {
try {
X509TrustManager x509tm = sslParameters.getX509TrustManager();
if (x509tm == null) {
throw new CertificateException("No X.509 TrustManager");
}
if (certRefs == null || certRefs.length == 0) {
throw new SSLException("Peer sent no certificate");
}
OpenSSLX509Certificate[] peerCertChain = new OpenSSLX509Certificate[certRefs.length];
for (int i = 0; i < certRefs.length; i++) {
peerCertChain[i] = new OpenSSLX509Certificate(certRefs[i]);
}
// Used for verifyCertificateChain callback
handshakeSession = new OpenSSLSessionImpl(sslSessionNativePtr, null, peerCertChain,
getHostnameOrIP(), getPort(), null);
boolean client = sslParameters.getUseClientMode();
if (client) {
Platform.checkServerTrusted(x509tm, peerCertChain, authMethod, this);
if (sslParameters.isCTVerificationEnabled(getHostname())) {
byte[] tlsData = NativeCrypto.SSL_get_signed_cert_timestamp_list(
sslNativePointer);
byte[] ocspData = NativeCrypto.SSL_get_ocsp_response(sslNativePointer);
CTVerifier ctVerifier = sslParameters.getCTVerifier();
CTVerificationResult result =
ctVerifier.verifySignedCertificateTimestamps(peerCertChain, tlsData, ocspData);
if (result.getValidSCTs().size() == 0) {
throw new CertificateException("No valid SCT found");
}
}
} else {
String authType = peerCertChain[0].getPublicKey().getAlgorithm();
Platform.checkClientTrusted(x509tm, peerCertChain, authType, this);
}
} catch (CertificateException e) {
throw e;
} catch (Exception e) {
throw new CertificateException(e);
} finally {
// Clear this before notifying handshake completed listeners
handshakeSession = null;
}
}
相关阅读:
本文来自网易实践者社区,经作者韩鹏飞授权发布。
分享至:
