diff options
Diffstat (limited to 'debian/vendor-h2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPCertificatePinning.m')
-rw-r--r-- | debian/vendor-h2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPCertificatePinning.m | 112 |
1 files changed, 0 insertions, 112 deletions
diff --git a/debian/vendor-h2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPCertificatePinning.m b/debian/vendor-h2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPCertificatePinning.m deleted file mode 100644 index 584b974..0000000 --- a/debian/vendor-h2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPCertificatePinning.m +++ /dev/null @@ -1,112 +0,0 @@ -// -// ISPCertificatePinning.m -// SSLCertificatePinning -// -// Created by Alban Diquet on 1/14/14. -// Copyright (c) 2014 iSEC Partners. All rights reserved. -// - -#import "ISPCertificatePinning.h" - - -// All the pinned certificate are stored in this plist on the filesystem -#define PINNED_KEYS_FILE_PATH "~/Library/SSLPins.plist" - - -@implementation ISPCertificatePinning - - - -+ (BOOL)setupSSLPinsUsingDictionnary:(NSDictionary*)domainsAndCertificates { - if (domainsAndCertificates == nil) { - return NO; - } - - // Serialize the dictionary to a plist - NSError *error; - NSData *plistData = [NSPropertyListSerialization dataWithPropertyList:domainsAndCertificates - format:NSPropertyListXMLFormat_v1_0 - options:0 - error:&error]; - if (plistData == nil) { - NSLog(@"Error serializing plist: %@", error); - return NO; - } - - // Write the plist to a pre-defined location on the filesystem - NSError *writeError; - if ([plistData writeToFile:[@PINNED_KEYS_FILE_PATH stringByExpandingTildeInPath] - options:NSDataWritingAtomic - error:&writeError] == NO) { - NSLog(@"Error saving plist to the filesystem: %@", writeError); - return NO; - } - - return YES; -} - - -+ (BOOL)verifyPinnedCertificateForTrust:(SecTrustRef)trust andDomain:(NSString*)domain { - if ((trust == NULL) || (domain == nil)) { - return NO; - } - - // Deserialize the plist that contains our SSL pins - NSDictionary *SSLPinsDict = [NSDictionary dictionaryWithContentsOfFile:[@PINNED_KEYS_FILE_PATH stringByExpandingTildeInPath]]; - if (SSLPinsDict == nil) { - NSLog(@"Error accessing the SSL Pins plist at %@", @PINNED_KEYS_FILE_PATH); - return NO; - } - - // Do we have certificates pinned for this domain ? - NSArray *trustedCertificates = [SSLPinsDict objectForKey:domain]; - if ((trustedCertificates == nil) || ([trustedCertificates count] < 1)) { - return NO; - } - - // For each pinned certificate, check if it is part of the server's cert trust chain - // We only need one of the pinned certificates to be in the server's trust chain - for (NSData *pinnedCertificate in trustedCertificates) { - - // Check each certificate in the server's trust chain (the trust object) - // Unfortunately the anchor/CA certificate cannot be accessed this way - CFIndex certsNb = SecTrustGetCertificateCount(trust); - for(int i=0;i<certsNb;i++) { - - // Extract the certificate - SecCertificateRef certificate = SecTrustGetCertificateAtIndex(trust, i); - NSData* DERCertificate = (__bridge NSData*) SecCertificateCopyData(certificate); - - // Compare the two certificates - if ([pinnedCertificate isEqualToData:DERCertificate]) { - return YES; - } - } - - // Check the anchor/CA certificate separately - SecCertificateRef anchorCertificate = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)(pinnedCertificate)); - if (anchorCertificate == NULL) { - break; - } - - NSArray *anchorArray = [NSArray arrayWithObject:(__bridge id)(anchorCertificate)]; - if (SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)(anchorArray)) != 0) { - CFRelease(anchorCertificate); - break; - } - - SecTrustResultType trustResult; - SecTrustEvaluate(trust, &trustResult); - if (trustResult == kSecTrustResultUnspecified) { - // The anchor certificate was pinned - CFRelease(anchorCertificate); - return YES; - } - CFRelease(anchorCertificate); - } - - // If we get here, we didn't find any matching certificate in the chain - return NO; -} - -@end |