Merged upstream/master back to resolve conflicts

AFNetworking/AFURLConnectionOperation.m

@@ -218,7 +218,12 @@ static inline BOOL AFStateTransitionIsValid(AFOperationState fromState, AFOperat
             OSStatus status = SecTrustCreateWithCertificates(certificates, policy, &allowedTrust);
             NSAssert(status == noErr, @"SecTrustCreateWithCertificates error: %ld", (long int)status);
             
+            SecTrustResultType result = 0;
+            status = SecTrustEvaluate(allowedTrust, &result);
+            NSAssert(status == noErr, @"SecTrustEvaluate error: %ld", (long int)status);
+            
             SecKeyRef allowedPublicKey = SecTrustCopyPublicKey(allowedTrust);            
+            NSCParameterAssert(allowedPublicKey);
             [publicKeys addObject:(__bridge_transfer id)allowedPublicKey];
 
             CFRelease(allowedTrust);
@@ -548,58 +553,50 @@ willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challe
 {
     if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
         SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
-        SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, 0);
+        switch (self.SSLPinningMode) {
-        NSData *certificateData = (__bridge_transfer NSData *)SecCertificateCopyData(certificate);
+            case AFSSLPinningModePublicKey: {
+                id publicKey = (__bridge_transfer id)SecTrustCopyPublicKey(serverTrust);
                 
-        if ([[[self class] pinnedCertificates] containsObject:certificateData]) {
+                if ([[self.class pinnedPublicKeys] containsObject:publicKey]) {
-            NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
+                    NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
-            [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
+                    [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
-        } else {
+                } else {
-            switch (self.SSLPinningMode) {
+                    [[challenge sender] cancelAuthenticationChallenge:challenge];
-                case AFSSLPinningModePublicKey: {
+                }
-                    id publicKey = (__bridge_transfer id)SecTrustCopyPublicKey(serverTrust);
                 
-                    if ([[self.class pinnedPublicKeys] containsObject:publicKey]) {
+                break;
+            }
+            case AFSSLPinningModeCertificate: {
+                SecCertificateRef serverCertificate = SecTrustGetCertificateAtIndex(serverTrust, 0);
+                NSData *serverCertificateData = (__bridge_transfer NSData *)SecCertificateCopyData(serverCertificate);
+                
+                if ([[[self class] pinnedCertificates] containsObject:serverCertificateData]) {
+                    NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
+                    [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
+                } else {
+                    [[challenge sender] cancelAuthenticationChallenge:challenge];
+                }
+                
+                break;
+            }
+            case AFSSLPinningModeNone: {
+                if(self.allowInvalidSSLCertificate == YES){
+                    NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
+                    [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
+                }
+                else {
+                    SecTrustResultType result = 0;
+                    OSStatus status = SecTrustEvaluate(serverTrust, &result);
+                    NSAssert(status == noErr, @"SecTrustEvaluate error: %ld", (long int)status);
+                    
+                    if (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed) {
                         NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
                         [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
                     } else {
                         [[challenge sender] cancelAuthenticationChallenge:challenge];
                     }
-
-                    break;
-                }
-                case AFSSLPinningModeCertificate: {
-                    SecCertificateRef serverCertificate = SecTrustGetCertificateAtIndex(serverTrust, 0);
-                    NSData *serverCertificateData = (__bridge_transfer NSData *)SecCertificateCopyData(serverCertificate);
-
-                    if ([[[self class] pinnedCertificates] containsObject:serverCertificateData]) {
-                        NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
-                        [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
-                    } else {
-                        [[challenge sender] cancelAuthenticationChallenge:challenge];
-                    }
-                    
-                    break;
-                }
-                case AFSSLPinningModeNone: {
-                    if(self.allowInvalidSSLCertificate == YES){
-                        NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
-                        [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
-                    }
-                    else {
-                        SecTrustResultType result = 0;
-                        OSStatus status = SecTrustEvaluate(serverTrust, &result);
-                        NSAssert(status == noErr, @"SecTrustEvaluate error: %ld", (long int)status);
-                        
-                        if (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed) {
-                            NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
-                            [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
-                        } else {
-                            [[challenge sender] cancelAuthenticationChallenge:challenge];
-                        }
-                    }
-                    break;
                 }
+                break;
             }
         }
     }
@@ -610,7 +607,7 @@ willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challe
 - (BOOL)connection:(NSURLConnection *)connection
 canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
 {
-    if(self.allowInvalidSSLCertificate &&
+    if(self.allowInvalidSSLCertificate == YES &&
        [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
             return YES;
     }
@@ -628,7 +625,7 @@ canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
 didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
 {
 
-    if(self.allowInvalidSSLCertificate
+    if(self.allowInvalidSSLCertificate == YES
        && [challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
         [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
         return;

Example/AFNetworking iOS Example.xcodeproj/project.pbxproj

@@ -7,6 +7,7 @@
 	objects = {
 
 /* Begin PBXBuildFile section */
+		2982AD3217107C0000FFF048 /* adn.cer in Resources */ = {isa = PBXBuildFile; fileRef = 2982AD3117107C0000FFF048 /* adn.cer */; };
 		F8129C7415910C37009BFE23 /* AppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = F8129C7215910C37009BFE23 /* AppDelegate.m */; };
 		F818101615E6A0C600EF93C2 /* MobileCoreServices.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 50ABD6EC159FC2CE001BE42C /* MobileCoreServices.framework */; };
 		F88812F016C533D6003C8B8C /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = F8E469E013957DF100DB05C8 /* Security.framework */; };
@@ -40,6 +41,7 @@
 /* End PBXBuildFile section */
 
 /* Begin PBXFileReference section */
+		2982AD3117107C0000FFF048 /* adn.cer */ = {isa = PBXFileReference; lastKnownFileType = file; path = adn.cer; sourceTree = SOURCE_ROOT; };
 		50ABD6EC159FC2CE001BE42C /* MobileCoreServices.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = MobileCoreServices.framework; path = System/Library/Frameworks/MobileCoreServices.framework; sourceTree = SDKROOT; };
 		F8129C3815910830009BFE23 /* Prefix.pch */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = Prefix.pch; sourceTree = SOURCE_ROOT; };
 		F8129C7215910C37009BFE23 /* AppDelegate.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = AppDelegate.m; sourceTree = SOURCE_ROOT; };
@@ -198,6 +200,7 @@
 		F8E4696B1395739D00DB05C8 /* Supporting Files */ = {
 			isa = PBXGroup;
 			children = (
+				2982AD3117107C0000FFF048 /* adn.cer */,
 				F8DA09E31396AC040057D0CC /* main.m */,
 				F8129C3815910830009BFE23 /* Prefix.pch */,
 				F8E4696C1395739D00DB05C8 /* iOS-Info.plist */,
@@ -319,6 +322,7 @@
 				F8A847C1161F51A300940F39 /* Default-568h@2x.png in Resources */,
 				F8A847C3161F523E00940F39 /* Default.png in Resources */,
 				F8A847C5161F524200940F39 /* Default@2x.png in Resources */,
+				2982AD3217107C0000FFF048 /* adn.cer in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};

Example/Classes/AFAppDotNetAPIClient.m

@@ -49,6 +49,8 @@ static NSString * const kAFAppDotNetAPIBaseURLString = @"https://alpha-api.app.n
     // Accept HTTP Header; see http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.1
 	[self setDefaultHeader:@"Accept" value:@"application/json"];
     
+    [self setDefaultSSLPinningMode:AFSSLPinningModePublicKey];
+    
     return self;
 }