From 4f5245a7cec5ab6e0cbef58780ebce4f6e5d8104 Mon Sep 17 00:00:00 2001 From: Maximillian Dornseif Date: Sat, 5 Oct 2013 10:02:08 +0200 Subject: [PATCH] Assert that no impossible pinning configuration exists If you use certificate pinning you MUST provide at least one certificate/key file within the application bundle. If you don't, you will not be able to preform any successfull network requests. I have been bitten several times by not correctly including a Certificate/Key in the bundle and spend far too much time debugging this. This two assertations catch this programming error. Not including a Certificate/Key in the bundle while demanding pinning is obviously a programming error and not a runtime issue. Hope this helps a tiny bit to get more widespread adoption of certificate pinning. --- AFNetworking/AFURLConnectionOperation.m | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/AFNetworking/AFURLConnectionOperation.m b/AFNetworking/AFURLConnectionOperation.m index 595ea86..dbc1d27 100644 --- a/AFNetworking/AFURLConnectionOperation.m +++ b/AFNetworking/AFURLConnectionOperation.m @@ -623,7 +623,8 @@ willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challe switch (self.SSLPinningMode) { case AFSSLPinningModePublicKey: { NSArray *pinnedPublicKeys = [self.class pinnedPublicKeys]; - + NSAssert([pinnedPublicKeys count] > 0, @"AFSSLPinningModePublicKey needs at least one key file in the application bundle"); + for (id publicKey in trustChain) { for (id pinnedPublicKey in pinnedPublicKeys) { if (AFSecKeyIsEqualToKey((__bridge SecKeyRef)publicKey, (__bridge SecKeyRef)pinnedPublicKey)) { @@ -638,6 +639,7 @@ willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challe break; } case AFSSLPinningModeCertificate: { + NSAssert([[self.class pinnedCertificates] count] > 0, @"AFSSLPinningModeCertificate needs at least one certificate file in the application bundle"); for (id serverCertificateData in trustChain) { if ([[self.class pinnedCertificates] containsObject:serverCertificateData]) { NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];