From be1c7e50e1e8809ea56f2c9d472eccd8ffd73a97 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 04:57:58 +0200 Subject: Adding upstream version 1.44.3. 
Signed-off-by: Daniel Baumann --- .../project.pbxproj | 456 +++++++++++++++++++++ .../SSLCertificatePinning/ISPCertificatePinning.h | 62 +++ .../SSLCertificatePinning/ISPCertificatePinning.m | 112 +++++ .../ISPPinnedNSURLConnectionDelegate.h | 23 ++ .../ISPPinnedNSURLConnectionDelegate.m | 49 +++ .../ISPPinnedNSURLSessionDelegate.h | 23 ++ .../ISPPinnedNSURLSessionDelegate.m | 47 +++ .../SSLCertificatePinning-Prefix.pch | 9 + .../NSURLConnectionTests.m | 154 +++++++ .../SSLCertificatePinningTests/NSURLSessionTests.m | 145 +++++++ .../SSLCertificatePinningTests-Info.plist | 22 + .../SSLPinsTestUtility.h | 15 + .../SSLPinsTestUtility.m | 57 +++ ...lass3PublicPrimaryCertificationAuthority-G5.der | Bin 0 -> 1239 bytes .../en.lproj/InfoPlist.strings | 2 + .../www.isecpartners.com.der | Bin 0 -> 1876 bytes 16 files changed, 1176 insertions(+) create mode 100644 web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning.xcodeproj/project.pbxproj create mode 100644 web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPCertificatePinning.h create mode 100644 web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPCertificatePinning.m create mode 100644 web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPPinnedNSURLConnectionDelegate.h create mode 100644 web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPPinnedNSURLConnectionDelegate.m create mode 100644 web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPPinnedNSURLSessionDelegate.h create mode 100644 web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPPinnedNSURLSessionDelegate.m create mode 100644 web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/SSLCertificatePinning-Prefix.pch create mode 100644 
web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLConnectionTests.m create mode 100644 web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLSessionTests.m create mode 100644 web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLCertificatePinningTests-Info.plist create mode 100644 web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.h create mode 100644 web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.m create mode 100644 web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/VeriSignClass3PublicPrimaryCertificationAuthority-G5.der create mode 100644 web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/en.lproj/InfoPlist.strings create mode 100644 web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/www.isecpartners.com.der (limited to 'web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning') diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning.xcodeproj/project.pbxproj b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning.xcodeproj/project.pbxproj new file mode 100644 index 00000000..84ee1521 --- /dev/null +++ b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning.xcodeproj/project.pbxproj 
@@ -0,0 +1,456 @@ +// !$*UTF8*$! +{ + archiveVersion = 1; + classes = { + }; + objectVersion = 46; + objects = { + +/* Begin PBXBuildFile section */ + 8C40DA3C188600A600A231CD /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 8C40DA3B188600A600A231CD /* Foundation.framework */; }; + 8C40DA41188600A600A231CD /* ISPCertificatePinning.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 8C40DA40188600A600A231CD /* ISPCertificatePinning.h */; }; + 8C40DA43188600A600A231CD /* ISPCertificatePinning.m in Sources */ = {isa = PBXBuildFile; fileRef = 8C40DA42188600A600A231CD /* ISPCertificatePinning.m */; }; + 8C40DA4A188600A600A231CD /* XCTest.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 8C40DA49188600A600A231CD /* XCTest.framework */; }; + 8C40DA4B188600A600A231CD /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 8C40DA3B188600A600A231CD /* Foundation.framework */; }; + 8C40DA4D188600A600A231CD /* UIKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 8C40DA4C188600A600A231CD /* UIKit.framework */; }; + 8C40DA50188600A600A231CD /* libSSLCertificatePinning.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 8C40DA38188600A600A231CD /* libSSLCertificatePinning.a */; }; + 8C40DA56188600A600A231CD /* InfoPlist.strings in Resources */ = {isa = PBXBuildFile; fileRef = 8C40DA54188600A600A231CD /* InfoPlist.strings */; }; + 8C40DA631886017400A231CD /* ISPPinnedNSURLConnectionDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = 8C40DA621886017400A231CD /* ISPPinnedNSURLConnectionDelegate.m */; }; + 8C40DA661886045C00A231CD /* ISPPinnedNSURLSessionDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = 8C40DA651886045C00A231CD /* ISPPinnedNSURLSessionDelegate.m */; }; + 8C40DA681886071000A231CD /* NSURLConnectionTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 8C40DA671886071000A231CD /* NSURLConnectionTests.m */; }; + 8C40DA6A1886071C00A231CD /* NSURLSessionTests.m in Sources */ = {isa = 
PBXBuildFile; fileRef = 8C40DA691886071C00A231CD /* NSURLSessionTests.m */; }; + 8C40DA6D1886080800A231CD /* VeriSignClass3PublicPrimaryCertificationAuthority-G5.der in Resources */ = {isa = PBXBuildFile; fileRef = 8C40DA6C1886080800A231CD /* VeriSignClass3PublicPrimaryCertificationAuthority-G5.der */; }; + 8C40DA6F1886142800A231CD /* www.isecpartners.com.der in Resources */ = {isa = PBXBuildFile; fileRef = 8C40DA6E1886142800A231CD /* www.isecpartners.com.der */; }; + 8CC9C1F9189EF097000525D6 /* SSLPinsTestUtility.m in Sources */ = {isa = PBXBuildFile; fileRef = 8CC9C1F8189EF097000525D6 /* SSLPinsTestUtility.m */; }; +/* End PBXBuildFile section */ + +/* Begin PBXContainerItemProxy section */ + 8C40DA4E188600A600A231CD /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 8C40DA30188600A600A231CD /* Project object */; + proxyType = 1; + remoteGlobalIDString = 8C40DA37188600A600A231CD; + remoteInfo = SSLCertificatePinning; + }; +/* End PBXContainerItemProxy section */ + +/* Begin PBXCopyFilesBuildPhase section */ + 8C40DA36188600A600A231CD /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = "include/$(PRODUCT_NAME)"; + dstSubfolderSpec = 16; + files = ( + 8C40DA41188600A600A231CD /* ISPCertificatePinning.h in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; +/* End PBXCopyFilesBuildPhase section */ + +/* Begin PBXFileReference section */ + 8C40DA38188600A600A231CD /* libSSLCertificatePinning.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libSSLCertificatePinning.a; sourceTree = BUILT_PRODUCTS_DIR; }; + 8C40DA3B188600A600A231CD /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = System/Library/Frameworks/Foundation.framework; sourceTree = SDKROOT; }; + 8C40DA3F188600A600A231CD /* SSLCertificatePinning-Prefix.pch */ = {isa = PBXFileReference; lastKnownFileType = 
sourcecode.c.h; path = "SSLCertificatePinning-Prefix.pch"; sourceTree = ""; }; + 8C40DA40188600A600A231CD /* ISPCertificatePinning.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ISPCertificatePinning.h; sourceTree = ""; }; + 8C40DA42188600A600A231CD /* ISPCertificatePinning.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = ISPCertificatePinning.m; sourceTree = ""; }; + 8C40DA48188600A600A231CD /* SSLCertificatePinningTests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = SSLCertificatePinningTests.xctest; sourceTree = BUILT_PRODUCTS_DIR; }; + 8C40DA49188600A600A231CD /* XCTest.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = XCTest.framework; path = Library/Frameworks/XCTest.framework; sourceTree = DEVELOPER_DIR; }; + 8C40DA4C188600A600A231CD /* UIKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = UIKit.framework; path = Library/Frameworks/UIKit.framework; sourceTree = DEVELOPER_DIR; }; + 8C40DA53188600A600A231CD /* SSLCertificatePinningTests-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "SSLCertificatePinningTests-Info.plist"; sourceTree = ""; }; + 8C40DA55188600A600A231CD /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/InfoPlist.strings; sourceTree = ""; }; + 8C40DA611886017400A231CD /* ISPPinnedNSURLConnectionDelegate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ISPPinnedNSURLConnectionDelegate.h; sourceTree = ""; }; + 8C40DA621886017400A231CD /* ISPPinnedNSURLConnectionDelegate.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = ISPPinnedNSURLConnectionDelegate.m; sourceTree = ""; }; + 8C40DA641886045C00A231CD /* ISPPinnedNSURLSessionDelegate.h */ = {isa = PBXFileReference; fileEncoding = 4; 
lastKnownFileType = sourcecode.c.h; path = ISPPinnedNSURLSessionDelegate.h; sourceTree = ""; }; + 8C40DA651886045C00A231CD /* ISPPinnedNSURLSessionDelegate.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = ISPPinnedNSURLSessionDelegate.m; sourceTree = ""; }; + 8C40DA671886071000A231CD /* NSURLConnectionTests.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = NSURLConnectionTests.m; sourceTree = ""; }; + 8C40DA691886071C00A231CD /* NSURLSessionTests.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = NSURLSessionTests.m; sourceTree = ""; }; + 8C40DA6C1886080800A231CD /* VeriSignClass3PublicPrimaryCertificationAuthority-G5.der */ = {isa = PBXFileReference; lastKnownFileType = file; path = "VeriSignClass3PublicPrimaryCertificationAuthority-G5.der"; sourceTree = ""; }; + 8C40DA6E1886142800A231CD /* www.isecpartners.com.der */ = {isa = PBXFileReference; lastKnownFileType = file; path = www.isecpartners.com.der; sourceTree = ""; }; + 8CC9C1F7189EF097000525D6 /* SSLPinsTestUtility.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SSLPinsTestUtility.h; sourceTree = ""; }; + 8CC9C1F8189EF097000525D6 /* SSLPinsTestUtility.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SSLPinsTestUtility.m; sourceTree = ""; }; +/* End PBXFileReference section */ + +/* Begin PBXFrameworksBuildPhase section */ + 8C40DA35188600A600A231CD /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 8C40DA3C188600A600A231CD /* Foundation.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 8C40DA45188600A600A231CD /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 8C40DA50188600A600A231CD /* libSSLCertificatePinning.a in Frameworks */, + 
8C40DA4A188600A600A231CD /* XCTest.framework in Frameworks */, + 8C40DA4D188600A600A231CD /* UIKit.framework in Frameworks */, + 8C40DA4B188600A600A231CD /* Foundation.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; +/* End PBXFrameworksBuildPhase section */ + +/* Begin PBXGroup section */ + 8C40DA2F188600A600A231CD = { + isa = PBXGroup; + children = ( + 8C40DA3D188600A600A231CD /* SSLCertificatePinning */, + 8C40DA51188600A600A231CD /* SSLCertificatePinningTests */, + 8C40DA3A188600A600A231CD /* Frameworks */, + 8C40DA39188600A600A231CD /* Products */, + ); + sourceTree = ""; + }; + 8C40DA39188600A600A231CD /* Products */ = { + isa = PBXGroup; + children = ( + 8C40DA38188600A600A231CD /* libSSLCertificatePinning.a */, + 8C40DA48188600A600A231CD /* SSLCertificatePinningTests.xctest */, + ); + name = Products; + sourceTree = ""; + }; + 8C40DA3A188600A600A231CD /* Frameworks */ = { + isa = PBXGroup; + children = ( + 8C40DA3B188600A600A231CD /* Foundation.framework */, + 8C40DA49188600A600A231CD /* XCTest.framework */, + 8C40DA4C188600A600A231CD /* UIKit.framework */, + ); + name = Frameworks; + sourceTree = ""; + }; + 8C40DA3D188600A600A231CD /* SSLCertificatePinning */ = { + isa = PBXGroup; + children = ( + 8C40DA40188600A600A231CD /* ISPCertificatePinning.h */, + 8C40DA42188600A600A231CD /* ISPCertificatePinning.m */, + 8C40DA3E188600A600A231CD /* Supporting Files */, + 8C40DA611886017400A231CD /* ISPPinnedNSURLConnectionDelegate.h */, + 8C40DA641886045C00A231CD /* ISPPinnedNSURLSessionDelegate.h */, + 8C40DA651886045C00A231CD /* ISPPinnedNSURLSessionDelegate.m */, + 8C40DA621886017400A231CD /* ISPPinnedNSURLConnectionDelegate.m */, + ); + path = SSLCertificatePinning; + sourceTree = ""; + }; + 8C40DA3E188600A600A231CD /* Supporting Files */ = { + isa = PBXGroup; + children = ( + 8C40DA3F188600A600A231CD /* SSLCertificatePinning-Prefix.pch */, + ); + name = "Supporting Files"; + sourceTree = ""; + }; + 8C40DA51188600A600A231CD /* 
SSLCertificatePinningTests */ = { + isa = PBXGroup; + children = ( + 8C40DA6E1886142800A231CD /* www.isecpartners.com.der */, + 8C40DA6C1886080800A231CD /* VeriSignClass3PublicPrimaryCertificationAuthority-G5.der */, + 8C40DA671886071000A231CD /* NSURLConnectionTests.m */, + 8C40DA691886071C00A231CD /* NSURLSessionTests.m */, + 8CC9C1F7189EF097000525D6 /* SSLPinsTestUtility.h */, + 8CC9C1F8189EF097000525D6 /* SSLPinsTestUtility.m */, + 8C40DA52188600A600A231CD /* Supporting Files */, + ); + path = SSLCertificatePinningTests; + sourceTree = ""; + }; + 8C40DA52188600A600A231CD /* Supporting Files */ = { + isa = PBXGroup; + children = ( + 8C40DA53188600A600A231CD /* SSLCertificatePinningTests-Info.plist */, + 8C40DA54188600A600A231CD /* InfoPlist.strings */, + ); + name = "Supporting Files"; + sourceTree = ""; + }; +/* End PBXGroup section */ + +/* Begin PBXNativeTarget section */ + 8C40DA37188600A600A231CD /* SSLCertificatePinning */ = { + isa = PBXNativeTarget; + buildConfigurationList = 8C40DA5B188600A600A231CD /* Build configuration list for PBXNativeTarget "SSLCertificatePinning" */; + buildPhases = ( + 8C40DA34188600A600A231CD /* Sources */, + 8C40DA35188600A600A231CD /* Frameworks */, + 8C40DA36188600A600A231CD /* CopyFiles */, + ); + buildRules = ( + ); + dependencies = ( + ); + name = SSLCertificatePinning; + productName = SSLCertificatePinning; + productReference = 8C40DA38188600A600A231CD /* libSSLCertificatePinning.a */; + productType = "com.apple.product-type.library.static"; + }; + 8C40DA47188600A600A231CD /* SSLCertificatePinningTests */ = { + isa = PBXNativeTarget; + buildConfigurationList = 8C40DA5E188600A600A231CD /* Build configuration list for PBXNativeTarget "SSLCertificatePinningTests" */; + buildPhases = ( + 8C40DA44188600A600A231CD /* Sources */, + 8C40DA45188600A600A231CD /* Frameworks */, + 8C40DA46188600A600A231CD /* Resources */, + ); + buildRules = ( + ); + dependencies = ( + 8C40DA4F188600A600A231CD /* PBXTargetDependency */, + ); + name 
= SSLCertificatePinningTests; + productName = SSLCertificatePinningTests; + productReference = 8C40DA48188600A600A231CD /* SSLCertificatePinningTests.xctest */; + productType = "com.apple.product-type.bundle.unit-test"; + }; +/* End PBXNativeTarget section */ + +/* Begin PBXProject section */ + 8C40DA30188600A600A231CD /* Project object */ = { + isa = PBXProject; + attributes = { + LastUpgradeCheck = 0500; + ORGANIZATIONNAME = "iSEC Partners"; + }; + buildConfigurationList = 8C40DA33188600A600A231CD /* Build configuration list for PBXProject "SSLCertificatePinning" */; + compatibilityVersion = "Xcode 3.2"; + developmentRegion = English; + hasScannedForEncodings = 0; + knownRegions = ( + en, + ); + mainGroup = 8C40DA2F188600A600A231CD; + productRefGroup = 8C40DA39188600A600A231CD /* Products */; + projectDirPath = ""; + projectRoot = ""; + targets = ( + 8C40DA37188600A600A231CD /* SSLCertificatePinning */, + 8C40DA47188600A600A231CD /* SSLCertificatePinningTests */, + ); + }; +/* End PBXProject section */ + +/* Begin PBXResourcesBuildPhase section */ + 8C40DA46188600A600A231CD /* Resources */ = { + isa = PBXResourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 8C40DA6D1886080800A231CD /* VeriSignClass3PublicPrimaryCertificationAuthority-G5.der in Resources */, + 8C40DA6F1886142800A231CD /* www.isecpartners.com.der in Resources */, + 8C40DA56188600A600A231CD /* InfoPlist.strings in Resources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; +/* End PBXResourcesBuildPhase section */ + +/* Begin PBXSourcesBuildPhase section */ + 8C40DA34188600A600A231CD /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 8C40DA43188600A600A231CD /* ISPCertificatePinning.m in Sources */, + 8C40DA631886017400A231CD /* ISPPinnedNSURLConnectionDelegate.m in Sources */, + 8C40DA661886045C00A231CD /* ISPPinnedNSURLSessionDelegate.m in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 8C40DA44188600A600A231CD /* 
Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 8C40DA681886071000A231CD /* NSURLConnectionTests.m in Sources */, + 8C40DA6A1886071C00A231CD /* NSURLSessionTests.m in Sources */, + 8CC9C1F9189EF097000525D6 /* SSLPinsTestUtility.m in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; +/* End PBXSourcesBuildPhase section */ + +/* Begin PBXTargetDependency section */ + 8C40DA4F188600A600A231CD /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 8C40DA37188600A600A231CD /* SSLCertificatePinning */; + targetProxy = 8C40DA4E188600A600A231CD /* PBXContainerItemProxy */; + }; +/* End PBXTargetDependency section */ + +/* Begin PBXVariantGroup section */ + 8C40DA54188600A600A231CD /* InfoPlist.strings */ = { + isa = PBXVariantGroup; + children = ( + 8C40DA55188600A600A231CD /* en */, + ); + name = InfoPlist.strings; + sourceTree = ""; + }; +/* End PBXVariantGroup section */ + +/* Begin XCBuildConfiguration section */ + 8C40DA59188600A600A231CD /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + ARCHS = "$(ARCHS_STANDARD_INCLUDING_64_BIT)"; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_MODULES = YES; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + COPY_PHASE_STRIP = NO; + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_DYNAMIC_NO_PIC = NO; + GCC_OPTIMIZATION_LEVEL = 0; + GCC_PREPROCESSOR_DEFINITIONS = ( + "DEBUG=1", + "$(inherited)", + ); + GCC_SYMBOLS_PRIVATE_EXTERN = NO; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; 
+ GCC_WARN_UNUSED_FUNCTION = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + IPHONEOS_DEPLOYMENT_TARGET = 7.0; + ONLY_ACTIVE_ARCH = YES; + SDKROOT = iphoneos; + }; + name = Debug; + }; + 8C40DA5A188600A600A231CD /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + ARCHS = "$(ARCHS_STANDARD_INCLUDING_64_BIT)"; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_MODULES = YES; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + COPY_PHASE_STRIP = YES; + ENABLE_NS_ASSERTIONS = NO; + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + IPHONEOS_DEPLOYMENT_TARGET = 7.0; + SDKROOT = iphoneos; + VALIDATE_PRODUCT = YES; + }; + name = Release; + }; + 8C40DA5C188600A600A231CD /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + DSTROOT = /tmp/SSLCertificatePinning.dst; + GCC_PRECOMPILE_PREFIX_HEADER = YES; + GCC_PREFIX_HEADER = "SSLCertificatePinning/SSLCertificatePinning-Prefix.pch"; + OTHER_LDFLAGS = "-ObjC"; + PRODUCT_NAME = "$(TARGET_NAME)"; + SKIP_INSTALL = YES; + }; + name = Debug; + }; + 8C40DA5D188600A600A231CD /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + DSTROOT = /tmp/SSLCertificatePinning.dst; + GCC_PRECOMPILE_PREFIX_HEADER = YES; + GCC_PREFIX_HEADER = "SSLCertificatePinning/SSLCertificatePinning-Prefix.pch"; + OTHER_LDFLAGS = "-ObjC"; + PRODUCT_NAME = "$(TARGET_NAME)"; + SKIP_INSTALL = YES; + }; + name = Release; + }; + 8C40DA5F188600A600A231CD /* 
Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + ARCHS = "$(ARCHS_STANDARD_INCLUDING_64_BIT)"; + FRAMEWORK_SEARCH_PATHS = ( + "$(SDKROOT)/Developer/Library/Frameworks", + "$(inherited)", + "$(DEVELOPER_FRAMEWORKS_DIR)", + ); + GCC_PRECOMPILE_PREFIX_HEADER = YES; + GCC_PREFIX_HEADER = "SSLCertificatePinning/SSLCertificatePinning-Prefix.pch"; + GCC_PREPROCESSOR_DEFINITIONS = ( + "DEBUG=1", + "$(inherited)", + ); + INFOPLIST_FILE = "SSLCertificatePinningTests/SSLCertificatePinningTests-Info.plist"; + PRODUCT_NAME = "$(TARGET_NAME)"; + WRAPPER_EXTENSION = xctest; + }; + name = Debug; + }; + 8C40DA60188600A600A231CD /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + ARCHS = "$(ARCHS_STANDARD_INCLUDING_64_BIT)"; + FRAMEWORK_SEARCH_PATHS = ( + "$(SDKROOT)/Developer/Library/Frameworks", + "$(inherited)", + "$(DEVELOPER_FRAMEWORKS_DIR)", + ); + GCC_PRECOMPILE_PREFIX_HEADER = YES; + GCC_PREFIX_HEADER = "SSLCertificatePinning/SSLCertificatePinning-Prefix.pch"; + INFOPLIST_FILE = "SSLCertificatePinningTests/SSLCertificatePinningTests-Info.plist"; + PRODUCT_NAME = "$(TARGET_NAME)"; + WRAPPER_EXTENSION = xctest; + }; + name = Release; + }; +/* End XCBuildConfiguration section */ + +/* Begin XCConfigurationList section */ + 8C40DA33188600A600A231CD /* Build configuration list for PBXProject "SSLCertificatePinning" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 8C40DA59188600A600A231CD /* Debug */, + 8C40DA5A188600A600A231CD /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 8C40DA5B188600A600A231CD /* Build configuration list for PBXNativeTarget "SSLCertificatePinning" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 8C40DA5C188600A600A231CD /* Debug */, + 8C40DA5D188600A600A231CD /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 8C40DA5E188600A600A231CD /* Build configuration list for PBXNativeTarget 
"SSLCertificatePinningTests" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 8C40DA5F188600A600A231CD /* Debug */, + 8C40DA60188600A600A231CD /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; +/* End XCConfigurationList section */ + }; + rootObject = 8C40DA30188600A600A231CD /* Project object */; +} diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPCertificatePinning.h b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPCertificatePinning.h new file mode 100644 index 00000000..fddc504e --- /dev/null +++ b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPCertificatePinning.h 
@@ -0,0 +1,62 @@
+//
+// ISPCertificatePinning.h
+// SSLCertificatePinning v3
+//
+// Created by Alban Diquet on 1/14/14.
+// Copyright (c) 2014 iSEC Partners. All rights reserved.
+//
+
+
+/** This class implements certificate pinning utility functions.
+
+ First, the certificates and domains to pin should be loaded using
+ setupSSLPinsUsingDictionnary:. This method will store them in
+ "~/Library/SSLPins.plist".
+
+ Then, the verifyPinnedCertificateForTrust:andDomain: method can be
+ used to validate that at least one the certificates pinned to a
+ specific domain is in the server's certificate chain when connecting to
+ it. This method should be used for example in the
+ connection:willSendRequestForAuthenticationChallenge: method of the
+ NSURLConnectionDelegate object that is used to perform the connection.
+
+ Alternatively, the ISPPinnedNSURLSessionDelegate or
+ ISPPinnedNSURLConnectionDelegate classes can be directly used
+ to create a delegate class performing certificate pinning.
+
+ */
+@interface ISPCertificatePinning : NSObject
+
+
+/**
+ Certificate pinning loading method
+
+ This method takes a dictionary with domain names as keys and arrays of DER-
+ encoded certificates as values, and stores them in a pre-defined location on
+ the filesystem. The ability to specify multiple certificates for a single
+ domain is useful when transitioning from an expiring certificate to a new one.
+
+ @param certificates a dictionnary with domain names as keys and arrays of DER-encoded certificates as values
+ @return BOOL successfully loaded the public keys and domains
+
+ */
++ (BOOL)setupSSLPinsUsingDictionnary:(NSDictionary*)domainsAndCertificates;
+
+
+/**
+ Certificate pinning validation method
+
+ This method accesses the certificates previously loaded using the
+ setupSSLPinsUsingDictionnary: method and inspects the trust object's
+ certificate chain in order to find at least one certificate pinned to the
+ given domain. SecTrustEvaluate() should always be called before this method to
+ ensure that the certificate chain is valid.
+
+ @param trust the trust object whose certificate chain must contain the certificate previously pinned to the given domain
+ @param domain the domain we're trying to connect to
+ @return BOOL found the domain's pinned certificate in the trust object's certificate chain
+
+ */
++ (BOOL)verifyPinnedCertificateForTrust:(SecTrustRef)trust andDomain:(NSString*)domain;
+
+@end
diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPCertificatePinning.m b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPCertificatePinning.m
new file mode 100644
index 00000000..584b974f
--- /dev/null
+++ b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPCertificatePinning.m
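Review bot: The `@param certificates` tag on setupSSLPinsUsingDictionnary: in ISPCertificatePinning.h does not match the declared parameter name `domainsAndCertificates`, so documentation checks may flag it; it should read `@param domainsAndCertificates a dictionary with domain names as keys and arrays of DER-encoded certificates as values`. The comment on verifyPinnedCertificateForTrust:andDomain: says SecTrustEvaluate() should be called first but leaves the security contract implicit: it would help to state that this method does not validate the chain itself, that the caller must also check the evaluation result, and that it returns NO when no pins are stored for the domain (the implementation in ISPCertificatePinning.m does return NO in that case). Because the class comment names "~/Library/SSLPins.plist" as the store and the implementation reads that file back on every verification, a sentence saying that the pin set is only as trustworthy as that file would also be useful.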
@@ -0,0 +1,112 @@ +// +// ISPCertificatePinning.m +// SSLCertificatePinning +// +// Created by Alban Diquet on 1/14/14. +// Copyright (c) 2014 iSEC Partners. All rights reserved. +// + +#import "ISPCertificatePinning.h" + + +// All the pinned certificate are stored in this plist on the filesystem +#define PINNED_KEYS_FILE_PATH "~/Library/SSLPins.plist" + + +@implementation ISPCertificatePinning + + + ++ (BOOL)setupSSLPinsUsingDictionnary:(NSDictionary*)domainsAndCertificates { + if (domainsAndCertificates == nil) { + return NO; + } + + // Serialize the dictionary to a plist + NSError *error; + NSData *plistData = [NSPropertyListSerialization dataWithPropertyList:domainsAndCertificates + format:NSPropertyListXMLFormat_v1_0 + options:0 + error:&error]; + if (plistData == nil) { + NSLog(@"Error serializing plist: %@", error); + return NO; + } + + // Write the plist to a pre-defined location on the filesystem + NSError *writeError; + if ([plistData writeToFile:[@PINNED_KEYS_FILE_PATH stringByExpandingTildeInPath] + options:NSDataWritingAtomic + error:&writeError] == NO) { + NSLog(@"Error saving plist to the filesystem: %@", writeError); + return NO; + } + + return YES; +} + + ++ (BOOL)verifyPinnedCertificateForTrust:(SecTrustRef)trust andDomain:(NSString*)domain { + if ((trust == NULL) || (domain == nil)) { + return NO; + } + + // Deserialize the plist that contains our SSL pins + NSDictionary *SSLPinsDict = [NSDictionary dictionaryWithContentsOfFile:[@PINNED_KEYS_FILE_PATH stringByExpandingTildeInPath]]; + if (SSLPinsDict == nil) { + NSLog(@"Error accessing the SSL Pins plist at %@", @PINNED_KEYS_FILE_PATH); + return NO; + } + + // Do we have certificates pinned for this domain ? 
+ NSArray *trustedCertificates = [SSLPinsDict objectForKey:domain]; + if ((trustedCertificates == nil) || ([trustedCertificates count] < 1)) { + return NO; + } + + // For each pinned certificate, check if it is part of the server's cert trust chain + // We only need one of the pinned certificates to be in the server's trust chain + for (NSData *pinnedCertificate in trustedCertificates) { + + // Check each certificate in the server's trust chain (the trust object) + // Unfortunately the anchor/CA certificate cannot be accessed this way + CFIndex certsNb = SecTrustGetCertificateCount(trust); + for(int i=0;i + +#import "ISPPinnedNSURLSessionDelegate.h" +#import "ISPCertificatePinning.h" + + +@implementation ISPPinnedNSURLSessionDelegate + +- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler { + + if([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) { + + SecTrustRef serverTrust = [[challenge protectionSpace] serverTrust]; + NSString *domain = [[challenge protectionSpace] host]; + SecTrustResultType trustResult; + + // Validate the certificate chain with the device's trust store anyway + // This *might* give use revocation checking + SecTrustEvaluate(serverTrust, &trustResult); + if (trustResult == kSecTrustResultUnspecified) { + + // Look for a pinned certificate in the server's certificate chain + if ([ISPCertificatePinning verifyPinnedCertificateForTrust:serverTrust andDomain:domain]) { + + // Found the certificate; continue connecting + completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]); + } + else { + // The certificate wasn't found in the certificate chain; cancel the connection + completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, 
[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]); + } + } + else { + // Certificate chain validation failed; cancel the connection + completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]); + } + } +} + +@end diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/SSLCertificatePinning-Prefix.pch b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/SSLCertificatePinning-Prefix.pch new file mode 100644 index 00000000..eb2007ec --- /dev/null +++ b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/SSLCertificatePinning-Prefix.pch @@ -0,0 +1,9 @@ +// +// Prefix header +// +// The contents of this file are implicitly included at the beginning of every source file. +// + +#ifdef __OBJC__ + #import +#endif diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLConnectionTests.m b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLConnectionTests.m new file mode 100644 index 00000000..53d86078 --- /dev/null +++ b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLConnectionTests.m 
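Review bot: `URLSession:didReceiveChallenge:completionHandler:` in ISPPinnedNSURLSessionDelegate.m never calls `completionHandler` when the authentication method is not NSURLAuthenticationMethodServerTrust, so any other challenge type leaves the request waiting; an `else` branch with `completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);` would close that path. `trustResult` is declared uninitialized and the OSStatus returned by `SecTrustEvaluate` is discarded, so if the evaluation call itself fails the comparison with `kSecTrustResultUnspecified` reads an indeterminate value; declare it as `SecTrustResultType trustResult = kSecTrustResultInvalid;` and require `errSecSuccess` from the call before using the result. Both cancel paths pass a credential built from the server trust together with `NSURLSessionAuthChallengeCancelAuthenticationChallenge`; passing `nil` there would state the intent more clearly. The top of this file (its diff header, hunk header and first lines) is not visible on this page.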
@@ -0,0 +1,154 @@ +// +// NSURLConnectionTests.m +// SSLCertificatePinning +// +// Created by Alban Diquet on 1/14/14. +// Copyright (c) 2014 iSEC Partners. All rights reserved. +// + +#import + +#import "ISPPinnedNSURLConnectionDelegate.h" +#import "ISPCertificatePinning.h" +#import "SSLPinsTestUtility.h" + + +// Delegate we'll use for our tests +@interface NSURLConnectionDelegateTest : ISPPinnedNSURLConnectionDelegate + @property BOOL connectionFinished; + @property BOOL connectionSucceeded; +@end + + + +@interface NSURLConnectionTests : XCTestCase + +@end + + +@implementation NSURLConnectionTests + + +- (void)setUp +{ + [super setUp]; +} + +- (void)tearDown +{ + [super tearDown]; +} + +#pragma mark SSL pinning test + + +// This is sample code to demonstrate how to implement certificate pinning with NSURLConnection +- (void)testNSURLConnectionSSLPinning +{ + + // Create our SSL pins dictionnary for Twitter, iSEC and NCC + NSDictionary *domainsToPin = [SSLPinsTestUtility setupTestSSLPinsDictionnary]; + if (domainsToPin == nil) { + NSLog(@"Failed to pin a certificate"); + } + + + // Save the SSL pins so that our connection delegates automatically use them + if ([ISPCertificatePinning setupSSLPinsUsingDictionnary:domainsToPin] != YES) { + NSLog(@"Failed to pin the certificates"); + } + + // Connect to Twitter + NSURLRequest *request = [NSURLRequest requestWithURL:[NSURL URLWithString:@"https://twitter.com/"]]; + NSURLConnectionDelegateTest *connectionDelegate = [[NSURLConnectionDelegateTest alloc] init]; + NSURLConnection *connection=[[NSURLConnection alloc] initWithRequest:request delegate:connectionDelegate]; + [connection start]; + + // Connect to iSEC + NSURLRequest *request2 = [NSURLRequest requestWithURL:[NSURL URLWithString:@"https://www.isecpartners.com/"]]; + NSURLConnectionDelegateTest *connectionDelegate2 = [[NSURLConnectionDelegateTest alloc] init]; + NSURLConnection *connection2 = [[NSURLConnection alloc] initWithRequest:request2 
delegate:connectionDelegate2]; + [connection2 start]; + + // Connect to NCC Group => will fail because we pinned a wrong certificate + NSURLRequest *request3 = [NSURLRequest requestWithURL:[NSURL URLWithString:@"https://www.nccgroup.com/"]]; + NSURLConnectionDelegateTest *connectionDelegate3 = [[NSURLConnectionDelegateTest alloc] init]; + NSURLConnection *connection3 = [[NSURLConnection alloc] initWithRequest:request3 delegate:connectionDelegate3]; + [connection3 start]; + + + // Do some polling to wait for the connections to complete +#define POLL_INTERVAL 0.2 // 200ms +#define N_SEC_TO_POLL 3.0 // poll for 3s +#define MAX_POLL_COUNT N_SEC_TO_POLL / POLL_INTERVAL + + NSUInteger pollCount = 0; + while (!(connectionDelegate.connectionFinished && connectionDelegate2.connectionFinished && connectionDelegate3.connectionFinished) && (pollCount < MAX_POLL_COUNT)) { + NSDate* untilDate = [NSDate dateWithTimeIntervalSinceNow:POLL_INTERVAL]; + [[NSRunLoop currentRunLoop] runUntilDate:untilDate]; + pollCount++; + } + + if (pollCount == MAX_POLL_COUNT) { + XCTFail(@"Could not connect in time"); + } + + + // The first two connections should succeed + XCTAssertTrue(connectionDelegate.connectionSucceeded, @"Connection to Twitter failed"); + XCTAssertTrue(connectionDelegate2.connectionSucceeded, @"Connection to iSEC Partners failed"); + + // The last connection should fail + XCTAssertFalse(connectionDelegate3.connectionSucceeded, @"Connection to NCC succeeded"); +} + + +@end + + +#pragma mark Delegate class + +@implementation NSURLConnectionDelegateTest + +@synthesize connectionSucceeded; +@synthesize connectionFinished; + +-(instancetype) init { + if (self = [super init]) + { + self.connectionSucceeded = NO; + self.connectionFinished = NO; + } + return self; +} + + +- (void)connectionDidFinishLoading:(NSURLConnection *)connection { + self.connectionSucceeded = YES; + self.connectionFinished = YES; +} + +- (void)connection:(NSURLConnection *)connection didFailWithError:(NSError 
*)error { + self.connectionSucceeded = NO; + self.connectionFinished = YES; +} + +- (void)connection:(NSURLConnection *)connection didReceiveData:(NSData *)data { + self.connectionSucceeded = YES; + self.connectionFinished = YES; +} + +- (NSCachedURLResponse *)connection:(NSURLConnection *)connection willCacheResponse:(NSCachedURLResponse *)cachedResponse { + return cachedResponse; +} + +- (void)connection:(NSURLConnection *)connection didReceiveResponse:(NSURLResponse *)response { + self.connectionSucceeded = YES; + self.connectionFinished = YES; +} + +- (NSURLRequest *)connection:(NSURLConnection *)connection willSendRequest:(NSURLRequest *)request redirectResponse:(NSURLResponse *)redirectResponse { + return request; +} + +@end \ No newline at end of file diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLSessionTests.m b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLSessionTests.m new file mode 100644 index 00000000..5f1da51b --- /dev/null +++ b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLSessionTests.m 
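Review bot: In `testNSURLConnectionSSLPinning`, the negative case `XCTAssertFalse(connectionDelegate3.connectionSucceeded, ...)` passes for any failed connection, so it does not show that the pin check is what rejected www.nccgroup.com; a DNS or network error satisfies it just as well. The two setup checks above it only `NSLog` when the pins cannot be loaded or stored and then carry on, so the remaining assertions run without the pins the test assumes. I would fail fast with `XCTAssertNotNil(domainsToPin, @"Failed to load the test pins");` and `XCTAssertTrue([ISPCertificatePinning setupSSLPinsUsingDictionnary:domainsToPin], @"Failed to store the pins");`, and have `connection:didFailWithError:` keep the `NSError` so the test can assert that the failure came from the cancelled authentication challenge. The same pattern appears in `testNSURLSessionSSLPinning` in NSURLSessionTests.m.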
@@ -0,0 +1,145 @@ +// +// NSURLSessionTests.m +// SSLCertificatePinning +// +// Created by Alban Diquet on 1/14/14. +// Copyright (c) 2014 iSEC Partners. All rights reserved. +// + +#import + +#import "ISPPinnedNSURLSessionDelegate.h" +#import "ISPCertificatePinning.h" +#import "SSLPinsTestUtility.h" + + +// Delegate we'll use for our tests +@interface NSURLSessionTaskDelegateTest : ISPPinnedNSURLSessionDelegate +@property BOOL connectionFinished; +@property BOOL connectionSucceeded; +@end + + +@interface NSURLSessionTests : XCTestCase + +@end + +@implementation NSURLSessionTests + +- (void)setUp +{ + [super setUp]; +} + +- (void)tearDown +{ + [super tearDown]; +} + + +#pragma mark SSL pinning test +- (void)testNSURLSessionSSLPinning +{ + + // Create our SSL pins dictionnary for Twitter, iSEC and NCC + NSDictionary *domainsToPin = [SSLPinsTestUtility setupTestSSLPinsDictionnary]; + if (domainsToPin == nil) { + NSLog(@"Failed to pin a certificate"); + } + + // Save the SSL pins so that our session delegates automatically use them + if ([ISPCertificatePinning setupSSLPinsUsingDictionnary:domainsToPin] != YES) { + NSLog(@"Failed to pin the certificates"); + } + + + // Connect to Twitter + NSURLSessionTaskDelegateTest *sessionDelegate1 = [[NSURLSessionTaskDelegateTest alloc] init]; + NSURLSession *session1 = [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration ephemeralSessionConfiguration] delegate:sessionDelegate1 delegateQueue:nil]; + + NSURLSessionDataTask *dataTask1 = [session1 dataTaskWithURL:[NSURL URLWithString:@"https://twitter.com/"] completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { + + sessionDelegate1.connectionFinished = YES; + if (!error) { + sessionDelegate1.connectionSucceeded = YES; + } + }]; + [dataTask1 resume]; + + + // Connect to iSEC + NSURLSessionTaskDelegateTest *sessionDelegate2 = [[NSURLSessionTaskDelegateTest alloc] init]; + NSURLSession *session2 = [NSURLSession 
sessionWithConfiguration:[NSURLSessionConfiguration ephemeralSessionConfiguration] delegate:sessionDelegate2 delegateQueue:nil]; + + NSURLSessionDataTask *dataTask2 = [session2 dataTaskWithURL:[NSURL URLWithString:@"https://www.isecpartners.com/"] completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { + + sessionDelegate2.connectionFinished = YES; + if (!error) { + sessionDelegate2.connectionSucceeded = YES; + } + }]; + [dataTask2 resume]; + + + // Connect to NCC Group => will fail because we pinned a wrong certificate + NSURLSessionTaskDelegateTest *sessionDelegate3 = [[NSURLSessionTaskDelegateTest alloc] init]; + NSURLSession *session3 = [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration ephemeralSessionConfiguration] delegate:sessionDelegate3 delegateQueue:nil]; + + NSURLSessionDataTask *dataTask3 = [session3 dataTaskWithURL:[NSURL URLWithString:@"https://www.nccgroup.com/"] completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { + + sessionDelegate3.connectionFinished = YES; + if (!error) { + sessionDelegate3.connectionSucceeded = YES; + } + }]; + [dataTask3 resume]; + + + // Do some polling to wait for the connections to complete +#define POLL_INTERVAL 0.2 // 200ms +#define N_SEC_TO_POLL 3.0 // poll for 3s +#define MAX_POLL_COUNT N_SEC_TO_POLL / POLL_INTERVAL + + NSUInteger pollCount = 0; + while (!(sessionDelegate1.connectionFinished && sessionDelegate2.connectionFinished && sessionDelegate3.connectionFinished) && (pollCount < MAX_POLL_COUNT)) { + NSDate* untilDate = [NSDate dateWithTimeIntervalSinceNow:POLL_INTERVAL]; + [[NSRunLoop currentRunLoop] runUntilDate:untilDate]; + pollCount++; + } + + if (pollCount == MAX_POLL_COUNT) { + XCTFail(@"Could not connect in time"); + } + + + // The first two connections should succeed + XCTAssertTrue(sessionDelegate1.connectionSucceeded, @"Connection to Twitter failed"); + XCTAssertTrue(sessionDelegate2.connectionSucceeded, @"Connection to iSEC Partners failed"); 
+ + // The last connection should fail + XCTAssertFalse(sessionDelegate3.connectionSucceeded, @"Connection to NCC succeeded"); +} + + +@end + + + + +#pragma mark Delegate class + +@implementation NSURLSessionTaskDelegateTest + + @synthesize connectionSucceeded; + @synthesize connectionFinished; + + -(instancetype) init { + if (self = [super init]) + { + self.connectionSucceeded = NO; + self.connectionFinished = NO; + } + return self; + } + +@end diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLCertificatePinningTests-Info.plist b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLCertificatePinningTests-Info.plist new file mode 100644 index 00000000..ccba61f8 --- /dev/null +++ b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLCertificatePinningTests-Info.plist @@ -0,0 +1,22 @@ + + + + + CFBundleDevelopmentRegion + en + CFBundleExecutable + ${EXECUTABLE_NAME} + CFBundleIdentifier + com.isecpartners.${PRODUCT_NAME:rfc1034identifier} + CFBundleInfoDictionaryVersion + 6.0 + CFBundlePackageType + BNDL + CFBundleShortVersionString + 1.0 + CFBundleSignature + ???? + CFBundleVersion + 1 + + diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.h b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.h new file mode 100644 index 00000000..56dde1ac --- /dev/null +++ b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.h @@ -0,0 +1,15 @@ +// +// SSLPinsTestUtility.h +// SSLCertificatePinning +// +// Created by Alban Diquet on 2/2/14. +// Copyright (c) 2014 iSEC Partners. All rights reserved. +// + +#import + +@interface SSLPinsTestUtility : NSObject + ++ (NSDictionary*) setupTestSSLPinsDictionnary; + +@end 
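Review bot: None of the three `NSURLSession` objects created in `testNSURLSessionSSLPinning` is ever invalidated, and a session keeps a strong reference to its delegate until it is invalidated, so each `NSURLSessionTaskDelegateTest` and its session outlive the test. Adding `[session1 finishTasksAndInvalidate];` after `[dataTask1 resume];`, and likewise for `session2` and `session3`, releases them once the task completes. Separately, the timeout check `if (pollCount == MAX_POLL_COUNT)` also fires when all three connections finish during the final poll interval; testing the three `connectionFinished` flags instead of the counter avoids that false failure, and the same check is in NSURLConnectionTests.m.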
diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.m b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.m
new file mode 100644
index 00000000..7a5eb22c
--- /dev/null
+++ b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.m
@@ -0,0 +1,57 @@ +// +// SSLPinsTestUtility.m +// SSLCertificatePinning +// +// Created by Alban Diquet on 2/2/14. +// Copyright (c) 2014 iSEC Partners. All rights reserved. +// + +#import "SSLPinsTestUtility.h" +#import "ISPCertificatePinning.h" + +@implementation SSLPinsTestUtility + + ++ (NSData*)loadCertificateFromFile:(NSString*)fileName { + NSString *certPath = [[NSBundle bundleForClass:[self class]] pathForResource:fileName ofType:@"der"]; + NSData *certData = [[NSData alloc] initWithContentsOfFile:certPath]; + return certData; +} + + ++ (NSDictionary*) setupTestSSLPinsDictionnary { + // Build our dictionnary of domain => certificates + NSMutableDictionary *domainsToPin = [[NSMutableDictionary alloc] init]; + + + // For Twitter, we pin the anchor/CA certificate + NSData *twitterCertData = [SSLPinsTestUtility loadCertificateFromFile:@"VeriSignClass3PublicPrimaryCertificationAuthority-G5"]; + if (twitterCertData == nil) { + NSLog(@"Failed to load a certificate"); + return nil; + } + NSArray *twitterTrustedCerts = [NSArray arrayWithObject:twitterCertData]; + [domainsToPin setObject:twitterTrustedCerts forKey:@"twitter.com"]; + + + // For iSEC, we pin the server/leaf certificate + NSData *isecCertData = [SSLPinsTestUtility loadCertificateFromFile:@"www.isecpartners.com"]; + if (isecCertData == nil) { + NSLog(@"Failed to load a certificate"); + return nil; + } + // We also pin Twitter's CA cert just to show that you can pin multiple certs to a single domain + // This is useful when transitioning between two certificates on the server + // The connection will be succesful if at least one of the pinned certs is found in the server's certificate trust chain + NSArray *iSECTrustedCerts = [NSArray arrayWithObjects:isecCertData, twitterCertData, nil]; + [domainsToPin setObject:iSECTrustedCerts forKey:@"www.isecpartners.com"]; + + + // For NCC group, we pin an invalid certificate (Twitter's) + NSArray *NCCTrustedCerts = [NSArray arrayWithObject:twitterCertData]; + 
[domainsToPin setObject:NCCTrustedCerts forKey:@"www.nccgroup.com"]; + + return domainsToPin; +} + +@end diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/VeriSignClass3PublicPrimaryCertificationAuthority-G5.der b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/VeriSignClass3PublicPrimaryCertificationAuthority-G5.der new file mode 100644 index 00000000..9818d19d Binary files /dev/null and b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/VeriSignClass3PublicPrimaryCertificationAuthority-G5.der differ diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/en.lproj/InfoPlist.strings b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/en.lproj/InfoPlist.strings new file mode 100644 index 00000000..477b28ff --- /dev/null +++ b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/en.lproj/InfoPlist.strings @@ -0,0 +1,2 @@ +/* Localized versions of Info.plist keys */ + diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/www.isecpartners.com.der b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/www.isecpartners.com.der new file mode 100644 index 00000000..886cf483 Binary files /dev/null and b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/www.isecpartners.com.der differ -- cgit v1.2.3
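Review bot: The deliberately wrong pin for www.nccgroup.com in `setupTestSSLPinsDictionnary` is the same VeriSign G5 CA certificate used for twitter.com, so the negative test only holds while that site's chain does not contain that CA, which the test does not control. A certificate generated for the test and shipped as its own `.der` resource, one that no public chain can contain, would make the rejection deterministic, e.g. `NSData *bogusCertData = [SSLPinsTestUtility loadCertificateFromFile:@"<test-only-cert>"];` with the same nil check as the other two loads. The comment above `NCCTrustedCerts` could also state that this pin is expected never to match.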