How does SSL Hostname matching work on JWS?

Submitted by 心不动则不痛 on 2021-02-17 03:07:56

Question


When using Google SafetyNet for Android, the documentation suggests that you

Validate the SSL certificate chain and use SSL Hostname matching to ensure the leaf certificate was issued to attest.android.com

Now how does this work? I would have assumed that I get the JWS message, inspect the certs and signature etc., but would validate against a cert grabbed from attest.android.com, but attest.android.com is not a live host.

Does SSL signing cater for validation without previously knowing the public key of the domain? I.e., can I validate everything from the incoming JWS message? I don't see how this is possible, is it?


Answer 1:


Unfortunately, the documentation is not very descriptive as to what you have to do.

The JWS data includes three sections: the header, the payload and the signature. Simplifying things, the header contains the public key certificates used to sign the payload, and the signature is included at the end.

To validate a SafetyNet JWS, you first need to extract the certificates embedded in the header. These certificates have trust chains that can be validated to a public root certificate, so you should verify that these are indeed valid certificates, and that they are issued to attest.android.com.

Then you take out the signature, and verify it against the embedded certificates.

If you check this, then you can trust the payload. But before looking at basicIntegrity and ctsProfileMatch, please ensure that apkPackageName, apkDigestSha256 and apkCertificateDigestSha256 match those of your app, so you know that the response actually comes from your unmodified app.

Optimally, your programming language should include a JWS library and an SSL library that can do this for you, so you don't have to write this yourself. The public sample includes a Java sample for you to peruse.
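
The steps in this answer, as an added Go example that is not part of the original post and is not Google's sample. It assumes the token is signed with RS256 and that the caller supplies the trusted roots; `VerifyAttestation` and its parameters are names chosen here.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// VerifyAttestation returns the payload only if the x5c chain validates to roots (nil
// means the system store), the leaf matches hostname, and the RS256 signature verifies.
func VerifyAttestation(jws, hostname string, roots *x509.CertPool) ([]byte, error) {
	parts := strings.Split(jws, ".")
	var hdr struct {
		Alg string   `json:"alg"`
		X5c []string `json:"x5c"`
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" || len(hdr.X5c) == 0 {
		return nil, errors.New("need a three-part JWS with alg RS256 (assumed) and an x5c chain")
	}
	certs := make([]*x509.Certificate, len(hdr.X5c))
	inter := x509.NewCertPool()
	for i, b64 := range hdr.X5c { // x5c entries are standard base64 DER, leaf first
		der, err := base64.StdEncoding.DecodeString(b64)
		if err == nil {
			certs[i], err = x509.ParseCertificate(der)
		}
		if err != nil {
			return nil, err
		} else if i > 0 {
			inter.AddCert(certs[i])
		}
	}
	// One call validates the chain and matches hostname against the leaf's SANs.
	if _, err := certs[0].Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots, Intermediates: inter}); err != nil {
		return nil, err
	}
	pub, ok := certs[0].PublicKey.(*rsa.PublicKey)
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ok || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify under the leaf key")
	}
	return base64.RawURLEncoding.DecodeString(parts[1])
}
```

No connection to attest.android.com is made: the hostname is only compared with the names inside the leaf certificate, and trust comes from the root store. Once the function returns a payload, compare apkPackageName and the digests in it with your app's values as described above.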



Source: https://stackoverflow.com/questions/44262107/how-does-ssl-hostname-matching-work-on-jws
