diff --git a/AFNetworking/AFURLConnectionOperation.m b/AFNetworking/AFURLConnectionOperation.m
index eafddba..96a4cdb 100644
--- a/AFNetworking/AFURLConnectionOperation.m
+++ b/AFNetworking/AFURLConnectionOperation.m
@@ -218,7 +218,12 @@ static inline BOOL AFStateTransitionIsValid(AFOperationState fromState, AFOperat
 OSStatus status = SecTrustCreateWithCertificates(certificates, policy, &allowedTrust);
 NSAssert(status == noErr, @"SecTrustCreateWithCertificates error: %ld", (long int)status);
- SecKeyRef allowedPublicKey = SecTrustCopyPublicKey(allowedTrust);
+ SecTrustResultType result = 0;
+ status = SecTrustEvaluate(allowedTrust, &result);
+ NSAssert(status == noErr, @"SecTrustEvaluate error: %ld", (long int)status);
+
+ SecKeyRef allowedPublicKey = SecTrustCopyPublicKey(allowedTrust);
+ NSCParameterAssert(allowedPublicKey);
 [publicKeys addObject:(__bridge_transfer id)allowedPublicKey];
 CFRelease(allowedTrust);
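Review bot: The evaluation result written to `result` is never inspected, and the NULL check on `allowedPublicKey` is an `NSCParameterAssert`, which is compiled out in release builds; there a NULL key reaches `[publicKeys addObject:nil]` on the next line and raises `NSInvalidArgumentException` instead of stopping at the assert. Presumably `SecTrustEvaluate` is called here only because `SecTrustCopyPublicKey` may return NULL for a trust that has not been evaluated — worth stating: `// Evaluate first: SecTrustCopyPublicKey can return NULL on an unevaluated trust; the evaluation result itself is not consulted here.` Consider guarding the insertion explicitly with `if (allowedPublicKey) { [publicKeys addObject:(__bridge_transfer id)allowedPublicKey]; }` so a certificate whose key cannot be extracted is skipped rather than crashing the process. The enclosing method starts and ends outside the hunk.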
@@ -548,58 +553,50 @@ willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challe
 {
 if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
 SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
- SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, 0);
- NSData *certificateData = (__bridge_transfer NSData *)SecCertificateCopyData(certificate);
-
- if ([[[self class] pinnedCertificates] containsObject:certificateData]) {
- NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
- [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
- } else {
- switch (self.SSLPinningMode) {
- case AFSSLPinningModePublicKey: {
- id publicKey = (__bridge_transfer id)SecTrustCopyPublicKey(serverTrust);
-
- if ([[self.class pinnedPublicKeys] containsObject:publicKey]) {
- NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
- [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
- } else {
- [[challenge sender] cancelAuthenticationChallenge:challenge];
- }
-
- break;
+ switch (self.SSLPinningMode) {
+ case AFSSLPinningModePublicKey: {
+ id publicKey = (__bridge_transfer id)SecTrustCopyPublicKey(serverTrust);
+
+ if ([[self.class pinnedPublicKeys] containsObject:publicKey]) {
+ NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
+ [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
+ } else {
+ [[challenge sender] cancelAuthenticationChallenge:challenge];
 }
- case AFSSLPinningModeCertificate: {
- SecCertificateRef serverCertificate = SecTrustGetCertificateAtIndex(serverTrust, 0);
- NSData *serverCertificateData = (__bridge_transfer NSData *)SecCertificateCopyData(serverCertificate);
-
- if ([[[self class] pinnedCertificates] containsObject:serverCertificateData]) {
- NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
- [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
- } else {
- [[challenge sender] cancelAuthenticationChallenge:challenge];
- }
+
+ break;
+ }
+ case AFSSLPinningModeCertificate: {
+ SecCertificateRef serverCertificate = SecTrustGetCertificateAtIndex(serverTrust, 0);
+ NSData *serverCertificateData = (__bridge_transfer NSData *)SecCertificateCopyData(serverCertificate);
+
+ if ([[[self class] pinnedCertificates] containsObject:serverCertificateData]) {
+ NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
+ [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
+ } else {
+ [[challenge sender] cancelAuthenticationChallenge:challenge];
+ }
+
+ break;
+ }
+ case AFSSLPinningModeNone: {
+ if(self.allowInvalidSSLCertificate == YES){
+ NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
+ [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
+ }
+ else {
+ SecTrustResultType result = 0;
+ OSStatus status = SecTrustEvaluate(serverTrust, &result);
+ NSAssert(status == noErr, @"SecTrustEvaluate error: %ld", (long int)status);
- break;
- }
- case AFSSLPinningModeNone: {
- if(self.allowInvalidSSLCertificate == YES){
+ if (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed) {
 NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
 [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
+ } else {
+ [[challenge sender] cancelAuthenticationChallenge:challenge];
 }
- else {
- SecTrustResultType result = 0;
- OSStatus status = SecTrustEvaluate(serverTrust, &result);
- NSAssert(status == noErr, @"SecTrustEvaluate error: %ld", (long int)status);
-
- if (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed) {
- NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
- [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
- } else {
- [[challenge sender] cancelAuthenticationChallenge:challenge];
- }
- }
- break;
 }
+ break;
 }
 }
 }
@@ -610,7 +607,7 @@ willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challe
 - (BOOL)connection:(NSURLConnection *)connection
 canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
 {
- if(self.allowInvalidSSLCertificate &&
+ if(self.allowInvalidSSLCertificate == YES &&
 [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
 return YES;
 }
@@ -628,7 +625,7 @@ canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
 didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
 {
- if(self.allowInvalidSSLCertificate
+ if(self.allowInvalidSSLCertificate == YES
 && [challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
 [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
 return;
diff --git a/Example/AFNetworking iOS Example.xcodeproj/project.pbxproj b/Example/AFNetworking iOS Example.xcodeproj/project.pbxproj
index d89b181..f3e7dd8 100644
--- a/Example/AFNetworking iOS Example.xcodeproj/project.pbxproj
+++ b/Example/AFNetworking iOS Example.xcodeproj/project.pbxproj
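Review bot: In the `AFSSLPinningModePublicKey` case, `SecTrustCopyPublicKey(serverTrust)` is called on a trust that this method never evaluates, while the `@@ -218` hunk of the same commit now evaluates a trust before copying its key; if the copy returns NULL here, `publicKey` is nil, `containsObject:` answers NO and the challenge is cancelled, so it fails closed but with no diagnostic of why. The two pinning cases also decide on the leaf alone (index 0) and never run `SecTrustEvaluate`, which a reader may not expect; a comment above the `switch` such as `// Pinning modes grant trust solely on the leaf certificate/key matching a pinned value; chain evaluation happens only in AFSSLPinningModeNone.` would make that explicit. The `SecTrustGetCertificateAtIndex(serverTrust, 0)` call in the certificate case would benefit from a `SecTrustGetCertificateCount(serverTrust) > 0` guard before the index is used, since `SecCertificateCopyData` is then called on whatever it returns. The enclosing method starts outside the hunk.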
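Review bot: The `@@ -610` and `@@ -628` hunks rewrite the guard as `self.allowInvalidSSLCertificate == YES`, which is a comparison to flag in Objective-C: `BOOL` is a `signed char` on some targets, so any nonzero value other than 1 is truthy yet compares unequal to `YES`. The property is presumably only ever set from a literal, so it behaves today, but the form the `@@ -610` hunk removes, `if(self.allowInvalidSSLCertificate &&`, is the safe idiom; the same applies to `if(self.allowInvalidSSLCertificate == YES){` in the `AFSSLPinningModeNone` case of the `@@ -548` hunk. Both enclosing methods are cut at the hunk boundaries.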
@@ -7,6 +7,7 @@
 objects = {
 /* Begin PBXBuildFile section */
+ 2982AD3217107C0000FFF048 /* adn.cer in Resources */ = {isa = PBXBuildFile; fileRef = 2982AD3117107C0000FFF048 /* adn.cer */; };
 F8129C7415910C37009BFE23 /* AppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = F8129C7215910C37009BFE23 /* AppDelegate.m */; };
 F818101615E6A0C600EF93C2 /* MobileCoreServices.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 50ABD6EC159FC2CE001BE42C /* MobileCoreServices.framework */; };
 F88812F016C533D6003C8B8C /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = F8E469E013957DF100DB05C8 /* Security.framework */; };
@@ -40,6 +41,7 @@
 /* End PBXBuildFile section */
 /* Begin PBXFileReference section */
+ 2982AD3117107C0000FFF048 /* adn.cer */ = {isa = PBXFileReference; lastKnownFileType = file; path = adn.cer; sourceTree = SOURCE_ROOT; };
 50ABD6EC159FC2CE001BE42C /* MobileCoreServices.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = MobileCoreServices.framework; path = System/Library/Frameworks/MobileCoreServices.framework; sourceTree = SDKROOT; };
 F8129C3815910830009BFE23 /* Prefix.pch */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = Prefix.pch; sourceTree = SOURCE_ROOT; };
 F8129C7215910C37009BFE23 /* AppDelegate.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = AppDelegate.m; sourceTree = SOURCE_ROOT; };
@@ -198,6 +200,7 @@
 F8E4696B1395739D00DB05C8 /* Supporting Files */ = {
 isa = PBXGroup;
 children = (
+ 2982AD3117107C0000FFF048 /* adn.cer */,
 F8DA09E31396AC040057D0CC /* main.m */,
 F8129C3815910830009BFE23 /* Prefix.pch */,
 F8E4696C1395739D00DB05C8 /* iOS-Info.plist */,
@@ -319,6 +322,7 @@
 F8A847C1161F51A300940F39 /* Default-568h@2x.png in Resources */,
 F8A847C3161F523E00940F39 /* Default.png in Resources */,
 F8A847C5161F524200940F39 /* Default@2x.png in Resources */,
+ 2982AD3217107C0000FFF048 /* adn.cer in Resources */,
 );
 runOnlyForDeploymentPostprocessing = 0;
 };
diff --git a/Example/Classes/AFAppDotNetAPIClient.m b/Example/Classes/AFAppDotNetAPIClient.m
index f0bc2f1..7859d90 100644
--- a/Example/Classes/AFAppDotNetAPIClient.m
+++ b/Example/Classes/AFAppDotNetAPIClient.m
@@ -49,6 +49,8 @@ static NSString * const kAFAppDotNetAPIBaseURLString = @"https://alpha-api.app.n
 // Accept HTTP Header; see http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.1
 [self setDefaultHeader:@"Accept" value:@"application/json"];
+ [self setDefaultSSLPinningMode:AFSSLPinningModePublicKey];
+
 return self;
 }
diff --git a/Example/adn.cer b/Example/adn.cer
new file mode 100644
index 0000000..614e784
Binary files /dev/null and b/Example/adn.cer differ
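Review bot: `[self setDefaultSSLPinningMode:AFSSLPinningModePublicKey]` is enabled with nothing in this file saying where the pinned keys come from or what happens when they are absent; from the `AFURLConnectionOperation.m` hunks in this commit, public-key mode cancels every server-trust challenge whose leaf key is not in the pinned set, so a missing or stale `adn.cer` (the resource this commit adds to the example target) turns into a blanket connection failure with no error surfaced here. A comment on the new line would make the coupling visible: `// Pin to the public key of Example/adn.cer (bundled as a resource); if no pinned keys load, or the server's key is rotated, every TLS connection is cancelled.` The enclosing initializer starts outside the hunk.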