123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342 |
- // AFSecurityPolicy.m
- // Copyright (c) 2011–2016 Alamofire Software Foundation ( http://alamofire.org/ )
- //
- // Permission is hereby granted, free of charge, to any person obtaining a copy
- // of this software and associated documentation files (the "Software"), to deal
- // in the Software without restriction, including without limitation the rights
- // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- // copies of the Software, and to permit persons to whom the Software is
- // furnished to do so, subject to the following conditions:
- //
- // The above copyright notice and this permission notice shall be included in
- // all copies or substantial portions of the Software.
- //
- // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- // THE SOFTWARE.
- #import "AFSecurityPolicy.h"
- #import <AssertMacros.h>
- #if !TARGET_OS_IOS && !TARGET_OS_WATCH && !TARGET_OS_TV
- static NSData * AFSecKeyGetData(SecKeyRef key) {
- CFDataRef data = NULL;
- __Require_noErr_Quiet(SecItemExport(key, kSecFormatUnknown, kSecItemPemArmour, NULL, &data), _out);
- return (__bridge_transfer NSData *)data;
- _out:
- if (data) {
- CFRelease(data);
- }
- return nil;
- }
- #endif
- static BOOL AFSecKeyIsEqualToKey(SecKeyRef key1, SecKeyRef key2) {
- #if TARGET_OS_IOS || TARGET_OS_WATCH || TARGET_OS_TV
- return [(__bridge id)key1 isEqual:(__bridge id)key2];
- #else
- return [AFSecKeyGetData(key1) isEqual:AFSecKeyGetData(key2)];
- #endif
- }
- static id AFPublicKeyForCertificate(NSData *certificate) {
- id allowedPublicKey = nil;
- SecCertificateRef allowedCertificate;
- SecPolicyRef policy = nil;
- SecTrustRef allowedTrust = nil;
- SecTrustResultType result;
- allowedCertificate = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certificate);
- __Require_Quiet(allowedCertificate != NULL, _out);
- policy = SecPolicyCreateBasicX509();
- __Require_noErr_Quiet(SecTrustCreateWithCertificates(allowedCertificate, policy, &allowedTrust), _out);
- #pragma clang diagnostic push
- #pragma clang diagnostic ignored "-Wdeprecated-declarations"
- __Require_noErr_Quiet(SecTrustEvaluate(allowedTrust, &result), _out);
- #pragma clang diagnostic pop
- allowedPublicKey = (__bridge_transfer id)SecTrustCopyPublicKey(allowedTrust);
- _out:
- if (allowedTrust) {
- CFRelease(allowedTrust);
- }
- if (policy) {
- CFRelease(policy);
- }
- if (allowedCertificate) {
- CFRelease(allowedCertificate);
- }
- return allowedPublicKey;
- }
- static BOOL AFServerTrustIsValid(SecTrustRef serverTrust) {
- BOOL isValid = NO;
- SecTrustResultType result;
- #pragma clang diagnostic push
- #pragma clang diagnostic ignored "-Wdeprecated-declarations"
- __Require_noErr_Quiet(SecTrustEvaluate(serverTrust, &result), _out);
- #pragma clang diagnostic pop
- isValid = (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
- _out:
- return isValid;
- }
- static NSArray * AFCertificateTrustChainForServerTrust(SecTrustRef serverTrust) {
- CFIndex certificateCount = SecTrustGetCertificateCount(serverTrust);
- NSMutableArray *trustChain = [NSMutableArray arrayWithCapacity:(NSUInteger)certificateCount];
- for (CFIndex i = 0; i < certificateCount; i++) {
- SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, i);
- [trustChain addObject:(__bridge_transfer NSData *)SecCertificateCopyData(certificate)];
- }
- return [NSArray arrayWithArray:trustChain];
- }
- static NSArray * AFPublicKeyTrustChainForServerTrust(SecTrustRef serverTrust) {
- SecPolicyRef policy = SecPolicyCreateBasicX509();
- CFIndex certificateCount = SecTrustGetCertificateCount(serverTrust);
- NSMutableArray *trustChain = [NSMutableArray arrayWithCapacity:(NSUInteger)certificateCount];
- for (CFIndex i = 0; i < certificateCount; i++) {
- SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, i);
- SecCertificateRef someCertificates[] = {certificate};
- CFArrayRef certificates = CFArrayCreate(NULL, (const void **)someCertificates, 1, NULL);
- SecTrustRef trust;
- __Require_noErr_Quiet(SecTrustCreateWithCertificates(certificates, policy, &trust), _out);
- SecTrustResultType result;
- #pragma clang diagnostic push
- #pragma clang diagnostic ignored "-Wdeprecated-declarations"
- __Require_noErr_Quiet(SecTrustEvaluate(trust, &result), _out);
- #pragma clang diagnostic pop
- [trustChain addObject:(__bridge_transfer id)SecTrustCopyPublicKey(trust)];
- _out:
- if (trust) {
- CFRelease(trust);
- }
- if (certificates) {
- CFRelease(certificates);
- }
- continue;
- }
- CFRelease(policy);
- return [NSArray arrayWithArray:trustChain];
- }
- #pragma mark -
- @interface AFSecurityPolicy()
- @property (readwrite, nonatomic, assign) AFSSLPinningMode SSLPinningMode;
- @property (readwrite, nonatomic, strong) NSSet *pinnedPublicKeys;
- @end
- @implementation AFSecurityPolicy
- + (NSSet *)certificatesInBundle:(NSBundle *)bundle {
- NSArray *paths = [bundle pathsForResourcesOfType:@"cer" inDirectory:@"."];
- NSMutableSet *certificates = [NSMutableSet setWithCapacity:[paths count]];
- for (NSString *path in paths) {
- NSData *certificateData = [NSData dataWithContentsOfFile:path];
- [certificates addObject:certificateData];
- }
- return [NSSet setWithSet:certificates];
- }
- + (instancetype)defaultPolicy {
- AFSecurityPolicy *securityPolicy = [[self alloc] init];
- securityPolicy.SSLPinningMode = AFSSLPinningModeNone;
- return securityPolicy;
- }
- + (instancetype)policyWithPinningMode:(AFSSLPinningMode)pinningMode {
- NSSet <NSData *> *defaultPinnedCertificates = [self certificatesInBundle:[NSBundle mainBundle]];
- return [self policyWithPinningMode:pinningMode withPinnedCertificates:defaultPinnedCertificates];
- }
- + (instancetype)policyWithPinningMode:(AFSSLPinningMode)pinningMode withPinnedCertificates:(NSSet *)pinnedCertificates {
- AFSecurityPolicy *securityPolicy = [[self alloc] init];
- securityPolicy.SSLPinningMode = pinningMode;
- [securityPolicy setPinnedCertificates:pinnedCertificates];
- return securityPolicy;
- }
- - (instancetype)init {
- self = [super init];
- if (!self) {
- return nil;
- }
- self.validatesDomainName = YES;
- return self;
- }
- - (void)setPinnedCertificates:(NSSet *)pinnedCertificates {
- _pinnedCertificates = pinnedCertificates;
- if (self.pinnedCertificates) {
- NSMutableSet *mutablePinnedPublicKeys = [NSMutableSet setWithCapacity:[self.pinnedCertificates count]];
- for (NSData *certificate in self.pinnedCertificates) {
- id publicKey = AFPublicKeyForCertificate(certificate);
- if (!publicKey) {
- continue;
- }
- [mutablePinnedPublicKeys addObject:publicKey];
- }
- self.pinnedPublicKeys = [NSSet setWithSet:mutablePinnedPublicKeys];
- } else {
- self.pinnedPublicKeys = nil;
- }
- }
- #pragma mark -
- - (BOOL)evaluateServerTrust:(SecTrustRef)serverTrust
- forDomain:(NSString *)domain
- {
- if (domain && self.allowInvalidCertificates && self.validatesDomainName && (self.SSLPinningMode == AFSSLPinningModeNone || [self.pinnedCertificates count] == 0)) {
- // https://developer.apple.com/library/mac/documentation/NetworkingInternet/Conceptual/NetworkingTopics/Articles/OverridingSSLChainValidationCorrectly.html
- // According to the docs, you should only trust your provided certs for evaluation.
- // Pinned certificates are added to the trust. Without pinned certificates,
- // there is nothing to evaluate against.
- //
- // From Apple Docs:
- // "Do not implicitly trust self-signed certificates as anchors (kSecTrustOptionImplicitAnchors).
- // Instead, add your own (self-signed) CA certificate to the list of trusted anchors."
- NSLog(@"In order to validate a domain name for self signed certificates, you MUST use pinning.");
- return NO;
- }
- NSMutableArray *policies = [NSMutableArray array];
- if (self.validatesDomainName) {
- [policies addObject:(__bridge_transfer id)SecPolicyCreateSSL(true, (__bridge CFStringRef)domain)];
- } else {
- [policies addObject:(__bridge_transfer id)SecPolicyCreateBasicX509()];
- }
- SecTrustSetPolicies(serverTrust, (__bridge CFArrayRef)policies);
- if (self.SSLPinningMode == AFSSLPinningModeNone) {
- return self.allowInvalidCertificates || AFServerTrustIsValid(serverTrust);
- } else if (!self.allowInvalidCertificates && !AFServerTrustIsValid(serverTrust)) {
- return NO;
- }
- switch (self.SSLPinningMode) {
- case AFSSLPinningModeCertificate: {
- NSMutableArray *pinnedCertificates = [NSMutableArray array];
- for (NSData *certificateData in self.pinnedCertificates) {
- [pinnedCertificates addObject:(__bridge_transfer id)SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certificateData)];
- }
- SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)pinnedCertificates);
- if (!AFServerTrustIsValid(serverTrust)) {
- return NO;
- }
- // obtain the chain after being validated, which *should* contain the pinned certificate in the last position (if it's the Root CA)
- NSArray *serverCertificates = AFCertificateTrustChainForServerTrust(serverTrust);
-
- for (NSData *trustChainCertificate in [serverCertificates reverseObjectEnumerator]) {
- if ([self.pinnedCertificates containsObject:trustChainCertificate]) {
- return YES;
- }
- }
-
- return NO;
- }
- case AFSSLPinningModePublicKey: {
- NSUInteger trustedPublicKeyCount = 0;
- NSArray *publicKeys = AFPublicKeyTrustChainForServerTrust(serverTrust);
- for (id trustChainPublicKey in publicKeys) {
- for (id pinnedPublicKey in self.pinnedPublicKeys) {
- if (AFSecKeyIsEqualToKey((__bridge SecKeyRef)trustChainPublicKey, (__bridge SecKeyRef)pinnedPublicKey)) {
- trustedPublicKeyCount += 1;
- }
- }
- }
- return trustedPublicKeyCount > 0;
- }
-
- default:
- return NO;
- }
-
- return NO;
- }
- #pragma mark - NSKeyValueObserving
- + (NSSet *)keyPathsForValuesAffectingPinnedPublicKeys {
- return [NSSet setWithObject:@"pinnedCertificates"];
- }
- #pragma mark - NSSecureCoding
- + (BOOL)supportsSecureCoding {
- return YES;
- }
- - (instancetype)initWithCoder:(NSCoder *)decoder {
- self = [self init];
- if (!self) {
- return nil;
- }
- self.SSLPinningMode = [[decoder decodeObjectOfClass:[NSNumber class] forKey:NSStringFromSelector(@selector(SSLPinningMode))] unsignedIntegerValue];
- self.allowInvalidCertificates = [decoder decodeBoolForKey:NSStringFromSelector(@selector(allowInvalidCertificates))];
- self.validatesDomainName = [decoder decodeBoolForKey:NSStringFromSelector(@selector(validatesDomainName))];
- self.pinnedCertificates = [decoder decodeObjectOfClass:[NSSet class] forKey:NSStringFromSelector(@selector(pinnedCertificates))];
- return self;
- }
- - (void)encodeWithCoder:(NSCoder *)coder {
- [coder encodeObject:[NSNumber numberWithUnsignedInteger:self.SSLPinningMode] forKey:NSStringFromSelector(@selector(SSLPinningMode))];
- [coder encodeBool:self.allowInvalidCertificates forKey:NSStringFromSelector(@selector(allowInvalidCertificates))];
- [coder encodeBool:self.validatesDomainName forKey:NSStringFromSelector(@selector(validatesDomainName))];
- [coder encodeObject:self.pinnedCertificates forKey:NSStringFromSelector(@selector(pinnedCertificates))];
- }
- #pragma mark - NSCopying
- - (instancetype)copyWithZone:(NSZone *)zone {
- AFSecurityPolicy *securityPolicy = [[[self class] allocWithZone:zone] init];
- securityPolicy.SSLPinningMode = self.SSLPinningMode;
- securityPolicy.allowInvalidCertificates = self.allowInvalidCertificates;
- securityPolicy.validatesDomainName = self.validatesDomainName;
- securityPolicy.pinnedCertificates = [self.pinnedCertificates copyWithZone:zone];
- return securityPolicy;
-
- }
- @end
|