Assert that no impossible pinning configuration exists
If you use certificate pinning you MUST provide at least one certificate/key file within the application bundle. If you don't, you will not be able to preform any successfull network requests. I have been bitten several times by not correctly including a Certificate/Key in the bundle and spend far too much time debugging this. This two assertations catch this programming error. Not including a Certificate/Key in the bundle while demanding pinning is obviously a programming error and not a runtime issue. Hope this helps a tiny bit to get more widespread adoption of certificate pinning.
This commit is contained in:
Maximillian Dornseif
parent
9fd6fea066
commit
4f5245a7ce
1 changed files with 3 additions and 1 deletions
|
|
@ -623,7 +623,8 @@ willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challe
|
|||
switch (self.SSLPinningMode) {
|
||||
case AFSSLPinningModePublicKey: {
|
||||
NSArray *pinnedPublicKeys = [self.class pinnedPublicKeys];
|
||||
|
||||
NSAssert([pinnedPublicKeys count] > 0, @"AFSSLPinningModePublicKey needs at least one key file in the application bundle");
|
||||
|
||||
for (id publicKey in trustChain) {
|
||||
for (id pinnedPublicKey in pinnedPublicKeys) {
|
||||
if (AFSecKeyIsEqualToKey((__bridge SecKeyRef)publicKey, (__bridge SecKeyRef)pinnedPublicKey)) {
|
||||
|
|
@ -638,6 +639,7 @@ willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challe
|
|||
break;
|
||||
}
|
||||
case AFSSLPinningModeCertificate: {
|
||||
NSAssert([[self.class pinnedCertificates] count] > 0, @"AFSSLPinningModeCertificate needs at least one certificate file in the application bundle");
|
||||
for (id serverCertificateData in trustChain) {
|
||||
if ([[self.class pinnedCertificates] containsObject:serverCertificateData]) {
|
||||
NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue