diff options
Diffstat (limited to 'web/server/h2o/libh2o/deps/ssl-conservatory/ios')
17 files changed, 0 insertions, 1265 deletions
diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/README.md b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/README.md deleted file mode 100644 index 34bf4eda8..000000000 --- a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/README.md +++ /dev/null @@ -1,89 +0,0 @@ -The SSL Conservatory: iOS Certificate Pinning -============================================= - - -When an iOS application only needs to communicate to a well-defined set of -servers over SSL or HTTPS, the security of the app's network communications can -be improved through SSL pinning. By requiring a specific certificate to be part -of the server's certificate chain, the threat of a rogue CA or a CA compromise -is significantly reduced. - - -### The ISPCertificatePinning class - -#### Description - -This class allows developers to whitelist a list of certificates for a given -domain in order to require at least one these "pinned" certificates to be part -of the server's certificate chain received when connecting to the domain over -SSL or HTTPS. - -This gives developers the flexibility to pin the CA/anchor certificate, the -server/leaf certificate, or any intermediate certificate for a given domain. -Each option has different advantages and limitations; for example, pinning the -server/leaf certificate provides the best security but this certificate is going -to change more often than the CA/anchor certificate. - -A change in the certificate presented by the server (for example because the -previous certificate expired) will result in the application being unable to -connect to the server until its pinned certificate has been updated as well. -To address this scenario, multiple certificates can be pinned to a single -domain. This gives developers the ability to transition from an expiring -certificate to a new one by releasing a new version of their application that -pins both certificates to the server's domain. - - -#### API - -The ISPCertificatePinning class exposes two methods: - -##### +(BOOL)setupSSLPinsUsingDictionnary:(NSDictionary*)domainsAndCertificates -This method takes a dictionary with domain names as keys and arrays of -DER-encoded certificates as values, and stores them in a pre-defined location on -the filesystem. The ability to specify multiple certificates for a single -domain is useful when transitioning from an expiring certificate to a new one - -##### +(BOOL)verifyPinnedCertificateForTrust:(SecTrustRef)trust andDomain:(NSString*)domain -This method accesses the certificates previously loaded using the -setupSSLPinsUsingDictionnary: method and inspects the trust object's -certificate chain in order to find at least one certificate pinned to the -given domain. SecTrustEvaluate() should always be called before this method to -ensure that the certificate chain is valid. - - -### Convenience delegate classes for NSURLConnection and NSURLSession - -This library also provides convenience classes for connections relying on -NSURLConnection and NSURLSession. The ISPPinnedNSURLConnectionDelegate and -ISPPinnedNSURLSessionDelegate implement the connection authentication methods -within respectively the NSURLConnectionDelegate and NSURLSessionDelegate -protocols, in order to automatically validate the server's certificate based on -SSL pins loaded using the setupSSLPinsUsingDictionnary: method. - -To implement certificate pinning in their Apps, developers should simply extend -these classes when creating their own connection delegates. - - -### Sample code - -The Xcode unit tests within SSLCertificatePinningTests contain sample code -demonstrating how to implement certificate pinning when using NSURLConnection -and NSURLSession. - - -### Changelog - -* v3: Turned the Xcode project into a static library. - Added certificate pinning delegate class for NSURLSession connections. -* v2: Added the ability to pin multiple certificates to a single domain. -* v1: Initial release. - - -### License - -See ../LICENSE. - - -### Author - -Alban Diquet - https://github.com/nabla-c0d3 diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning.xcodeproj/project.pbxproj b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning.xcodeproj/project.pbxproj deleted file mode 100644 index 84ee1521b..000000000 --- a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning.xcodeproj/project.pbxproj +++ /dev/null @@ -1,456 +0,0 @@ -// !$*UTF8*$! -{ - archiveVersion = 1; - classes = { - }; - objectVersion = 46; - objects = { - -/* Begin PBXBuildFile section */ - 8C40DA3C188600A600A231CD /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 8C40DA3B188600A600A231CD /* Foundation.framework */; }; - 8C40DA41188600A600A231CD /* ISPCertificatePinning.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 8C40DA40188600A600A231CD /* ISPCertificatePinning.h */; }; - 8C40DA43188600A600A231CD /* ISPCertificatePinning.m in Sources */ = {isa = PBXBuildFile; fileRef = 8C40DA42188600A600A231CD /* ISPCertificatePinning.m */; }; - 8C40DA4A188600A600A231CD /* XCTest.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 8C40DA49188600A600A231CD /* XCTest.framework */; }; - 8C40DA4B188600A600A231CD /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 8C40DA3B188600A600A231CD /* Foundation.framework */; }; - 8C40DA4D188600A600A231CD /* UIKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 8C40DA4C188600A600A231CD /* UIKit.framework */; }; - 8C40DA50188600A600A231CD /* libSSLCertificatePinning.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 8C40DA38188600A600A231CD /* libSSLCertificatePinning.a */; }; - 8C40DA56188600A600A231CD /* InfoPlist.strings in Resources */ = {isa = PBXBuildFile; fileRef = 8C40DA54188600A600A231CD /* InfoPlist.strings */; }; - 8C40DA631886017400A231CD /* ISPPinnedNSURLConnectionDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = 8C40DA621886017400A231CD /* ISPPinnedNSURLConnectionDelegate.m */; }; - 8C40DA661886045C00A231CD /* ISPPinnedNSURLSessionDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = 8C40DA651886045C00A231CD /* ISPPinnedNSURLSessionDelegate.m */; }; - 8C40DA681886071000A231CD /* NSURLConnectionTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 8C40DA671886071000A231CD /* NSURLConnectionTests.m */; }; - 8C40DA6A1886071C00A231CD /* NSURLSessionTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 8C40DA691886071C00A231CD /* NSURLSessionTests.m */; }; - 8C40DA6D1886080800A231CD /* VeriSignClass3PublicPrimaryCertificationAuthority-G5.der in Resources */ = {isa = PBXBuildFile; fileRef = 8C40DA6C1886080800A231CD /* VeriSignClass3PublicPrimaryCertificationAuthority-G5.der */; }; - 8C40DA6F1886142800A231CD /* www.isecpartners.com.der in Resources */ = {isa = PBXBuildFile; fileRef = 8C40DA6E1886142800A231CD /* www.isecpartners.com.der */; }; - 8CC9C1F9189EF097000525D6 /* SSLPinsTestUtility.m in Sources */ = {isa = PBXBuildFile; fileRef = 8CC9C1F8189EF097000525D6 /* SSLPinsTestUtility.m */; }; -/* End PBXBuildFile section */ - -/* Begin PBXContainerItemProxy section */ - 8C40DA4E188600A600A231CD /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 8C40DA30188600A600A231CD /* Project object */; - proxyType = 1; - remoteGlobalIDString = 8C40DA37188600A600A231CD; - remoteInfo = SSLCertificatePinning; - }; -/* End PBXContainerItemProxy section */ - -/* Begin PBXCopyFilesBuildPhase section */ - 8C40DA36188600A600A231CD /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = "include/$(PRODUCT_NAME)"; - dstSubfolderSpec = 16; - files = ( - 8C40DA41188600A600A231CD /* ISPCertificatePinning.h in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; -/* End PBXCopyFilesBuildPhase section */ - -/* Begin PBXFileReference section */ - 8C40DA38188600A600A231CD /* libSSLCertificatePinning.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libSSLCertificatePinning.a; sourceTree = BUILT_PRODUCTS_DIR; }; - 8C40DA3B188600A600A231CD /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = System/Library/Frameworks/Foundation.framework; sourceTree = SDKROOT; }; - 8C40DA3F188600A600A231CD /* SSLCertificatePinning-Prefix.pch */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "SSLCertificatePinning-Prefix.pch"; sourceTree = "<group>"; }; - 8C40DA40188600A600A231CD /* ISPCertificatePinning.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ISPCertificatePinning.h; sourceTree = "<group>"; }; - 8C40DA42188600A600A231CD /* ISPCertificatePinning.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = ISPCertificatePinning.m; sourceTree = "<group>"; }; - 8C40DA48188600A600A231CD /* SSLCertificatePinningTests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = SSLCertificatePinningTests.xctest; sourceTree = BUILT_PRODUCTS_DIR; }; - 8C40DA49188600A600A231CD /* XCTest.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = XCTest.framework; path = Library/Frameworks/XCTest.framework; sourceTree = DEVELOPER_DIR; }; - 8C40DA4C188600A600A231CD /* UIKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = UIKit.framework; path = Library/Frameworks/UIKit.framework; sourceTree = DEVELOPER_DIR; }; - 8C40DA53188600A600A231CD /* SSLCertificatePinningTests-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "SSLCertificatePinningTests-Info.plist"; sourceTree = "<group>"; }; - 8C40DA55188600A600A231CD /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/InfoPlist.strings; sourceTree = "<group>"; }; - 8C40DA611886017400A231CD /* ISPPinnedNSURLConnectionDelegate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ISPPinnedNSURLConnectionDelegate.h; sourceTree = "<group>"; }; - 8C40DA621886017400A231CD /* ISPPinnedNSURLConnectionDelegate.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = ISPPinnedNSURLConnectionDelegate.m; sourceTree = "<group>"; }; - 8C40DA641886045C00A231CD /* ISPPinnedNSURLSessionDelegate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ISPPinnedNSURLSessionDelegate.h; sourceTree = "<group>"; }; - 8C40DA651886045C00A231CD /* ISPPinnedNSURLSessionDelegate.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = ISPPinnedNSURLSessionDelegate.m; sourceTree = "<group>"; }; - 8C40DA671886071000A231CD /* NSURLConnectionTests.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = NSURLConnectionTests.m; sourceTree = "<group>"; }; - 8C40DA691886071C00A231CD /* NSURLSessionTests.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = NSURLSessionTests.m; sourceTree = "<group>"; }; - 8C40DA6C1886080800A231CD /* VeriSignClass3PublicPrimaryCertificationAuthority-G5.der */ = {isa = PBXFileReference; lastKnownFileType = file; path = "VeriSignClass3PublicPrimaryCertificationAuthority-G5.der"; sourceTree = "<group>"; }; - 8C40DA6E1886142800A231CD /* www.isecpartners.com.der */ = {isa = PBXFileReference; lastKnownFileType = file; path = www.isecpartners.com.der; sourceTree = "<group>"; }; - 8CC9C1F7189EF097000525D6 /* SSLPinsTestUtility.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SSLPinsTestUtility.h; sourceTree = "<group>"; }; - 8CC9C1F8189EF097000525D6 /* SSLPinsTestUtility.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SSLPinsTestUtility.m; sourceTree = "<group>"; }; -/* End PBXFileReference section */ - -/* Begin PBXFrameworksBuildPhase section */ - 8C40DA35188600A600A231CD /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - 8C40DA3C188600A600A231CD /* Foundation.framework in Frameworks */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - 8C40DA45188600A600A231CD /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - 8C40DA50188600A600A231CD /* libSSLCertificatePinning.a in Frameworks */, - 8C40DA4A188600A600A231CD /* XCTest.framework in Frameworks */, - 8C40DA4D188600A600A231CD /* UIKit.framework in Frameworks */, - 8C40DA4B188600A600A231CD /* Foundation.framework in Frameworks */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; -/* End PBXFrameworksBuildPhase section */ - -/* Begin PBXGroup section */ - 8C40DA2F188600A600A231CD = { - isa = PBXGroup; - children = ( - 8C40DA3D188600A600A231CD /* SSLCertificatePinning */, - 8C40DA51188600A600A231CD /* SSLCertificatePinningTests */, - 8C40DA3A188600A600A231CD /* Frameworks */, - 8C40DA39188600A600A231CD /* Products */, - ); - sourceTree = "<group>"; - }; - 8C40DA39188600A600A231CD /* Products */ = { - isa = PBXGroup; - children = ( - 8C40DA38188600A600A231CD /* libSSLCertificatePinning.a */, - 8C40DA48188600A600A231CD /* SSLCertificatePinningTests.xctest */, - ); - name = Products; - sourceTree = "<group>"; - }; - 8C40DA3A188600A600A231CD /* Frameworks */ = { - isa = PBXGroup; - children = ( - 8C40DA3B188600A600A231CD /* Foundation.framework */, - 8C40DA49188600A600A231CD /* XCTest.framework */, - 8C40DA4C188600A600A231CD /* UIKit.framework */, - ); - name = Frameworks; - sourceTree = "<group>"; - }; - 8C40DA3D188600A600A231CD /* SSLCertificatePinning */ = { - isa = PBXGroup; - children = ( - 8C40DA40188600A600A231CD /* ISPCertificatePinning.h */, - 8C40DA42188600A600A231CD /* ISPCertificatePinning.m */, - 8C40DA3E188600A600A231CD /* Supporting Files */, - 8C40DA611886017400A231CD /* ISPPinnedNSURLConnectionDelegate.h */, - 8C40DA641886045C00A231CD /* ISPPinnedNSURLSessionDelegate.h */, - 8C40DA651886045C00A231CD /* ISPPinnedNSURLSessionDelegate.m */, - 8C40DA621886017400A231CD /* ISPPinnedNSURLConnectionDelegate.m */, - ); - path = SSLCertificatePinning; - sourceTree = "<group>"; - }; - 8C40DA3E188600A600A231CD /* Supporting Files */ = { - isa = PBXGroup; - children = ( - 8C40DA3F188600A600A231CD /* SSLCertificatePinning-Prefix.pch */, - ); - name = "Supporting Files"; - sourceTree = "<group>"; - }; - 8C40DA51188600A600A231CD /* SSLCertificatePinningTests */ = { - isa = PBXGroup; - children = ( - 8C40DA6E1886142800A231CD /* www.isecpartners.com.der */, - 8C40DA6C1886080800A231CD /* VeriSignClass3PublicPrimaryCertificationAuthority-G5.der */, - 8C40DA671886071000A231CD /* NSURLConnectionTests.m */, - 8C40DA691886071C00A231CD /* NSURLSessionTests.m */, - 8CC9C1F7189EF097000525D6 /* SSLPinsTestUtility.h */, - 8CC9C1F8189EF097000525D6 /* SSLPinsTestUtility.m */, - 8C40DA52188600A600A231CD /* Supporting Files */, - ); - path = SSLCertificatePinningTests; - sourceTree = "<group>"; - }; - 8C40DA52188600A600A231CD /* Supporting Files */ = { - isa = PBXGroup; - children = ( - 8C40DA53188600A600A231CD /* SSLCertificatePinningTests-Info.plist */, - 8C40DA54188600A600A231CD /* InfoPlist.strings */, - ); - name = "Supporting Files"; - sourceTree = "<group>"; - }; -/* End PBXGroup section */ - -/* Begin PBXNativeTarget section */ - 8C40DA37188600A600A231CD /* SSLCertificatePinning */ = { - isa = PBXNativeTarget; - buildConfigurationList = 8C40DA5B188600A600A231CD /* Build configuration list for PBXNativeTarget "SSLCertificatePinning" */; - buildPhases = ( - 8C40DA34188600A600A231CD /* Sources */, - 8C40DA35188600A600A231CD /* Frameworks */, - 8C40DA36188600A600A231CD /* CopyFiles */, - ); - buildRules = ( - ); - dependencies = ( - ); - name = SSLCertificatePinning; - productName = SSLCertificatePinning; - productReference = 8C40DA38188600A600A231CD /* libSSLCertificatePinning.a */; - productType = "com.apple.product-type.library.static"; - }; - 8C40DA47188600A600A231CD /* SSLCertificatePinningTests */ = { - isa = PBXNativeTarget; - buildConfigurationList = 8C40DA5E188600A600A231CD /* Build configuration list for PBXNativeTarget "SSLCertificatePinningTests" */; - buildPhases = ( - 8C40DA44188600A600A231CD /* Sources */, - 8C40DA45188600A600A231CD /* Frameworks */, - 8C40DA46188600A600A231CD /* Resources */, - ); - buildRules = ( - ); - dependencies = ( - 8C40DA4F188600A600A231CD /* PBXTargetDependency */, - ); - name = SSLCertificatePinningTests; - productName = SSLCertificatePinningTests; - productReference = 8C40DA48188600A600A231CD /* SSLCertificatePinningTests.xctest */; - productType = "com.apple.product-type.bundle.unit-test"; - }; -/* End PBXNativeTarget section */ - -/* Begin PBXProject section */ - 8C40DA30188600A600A231CD /* Project object */ = { - isa = PBXProject; - attributes = { - LastUpgradeCheck = 0500; - ORGANIZATIONNAME = "iSEC Partners"; - }; - buildConfigurationList = 8C40DA33188600A600A231CD /* Build configuration list for PBXProject "SSLCertificatePinning" */; - compatibilityVersion = "Xcode 3.2"; - developmentRegion = English; - hasScannedForEncodings = 0; - knownRegions = ( - en, - ); - mainGroup = 8C40DA2F188600A600A231CD; - productRefGroup = 8C40DA39188600A600A231CD /* Products */; - projectDirPath = ""; - projectRoot = ""; - targets = ( - 8C40DA37188600A600A231CD /* SSLCertificatePinning */, - 8C40DA47188600A600A231CD /* SSLCertificatePinningTests */, - ); - }; -/* End PBXProject section */ - -/* Begin PBXResourcesBuildPhase section */ - 8C40DA46188600A600A231CD /* Resources */ = { - isa = PBXResourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - 8C40DA6D1886080800A231CD /* VeriSignClass3PublicPrimaryCertificationAuthority-G5.der in Resources */, - 8C40DA6F1886142800A231CD /* www.isecpartners.com.der in Resources */, - 8C40DA56188600A600A231CD /* InfoPlist.strings in Resources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; -/* End PBXResourcesBuildPhase section */ - -/* Begin PBXSourcesBuildPhase section */ - 8C40DA34188600A600A231CD /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - 8C40DA43188600A600A231CD /* ISPCertificatePinning.m in Sources */, - 8C40DA631886017400A231CD /* ISPPinnedNSURLConnectionDelegate.m in Sources */, - 8C40DA661886045C00A231CD /* ISPPinnedNSURLSessionDelegate.m in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - 8C40DA44188600A600A231CD /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - 8C40DA681886071000A231CD /* NSURLConnectionTests.m in Sources */, - 8C40DA6A1886071C00A231CD /* NSURLSessionTests.m in Sources */, - 8CC9C1F9189EF097000525D6 /* SSLPinsTestUtility.m in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; -/* End PBXSourcesBuildPhase section */ - -/* Begin PBXTargetDependency section */ - 8C40DA4F188600A600A231CD /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 8C40DA37188600A600A231CD /* SSLCertificatePinning */; - targetProxy = 8C40DA4E188600A600A231CD /* PBXContainerItemProxy */; - }; -/* End PBXTargetDependency section */ - -/* Begin PBXVariantGroup section */ - 8C40DA54188600A600A231CD /* InfoPlist.strings */ = { - isa = PBXVariantGroup; - children = ( - 8C40DA55188600A600A231CD /* en */, - ); - name = InfoPlist.strings; - sourceTree = "<group>"; - }; -/* End PBXVariantGroup section */ - -/* Begin XCBuildConfiguration section */ - 8C40DA59188600A600A231CD /* Debug */ = { - isa = XCBuildConfiguration; - buildSettings = { - ALWAYS_SEARCH_USER_PATHS = NO; - ARCHS = "$(ARCHS_STANDARD_INCLUDING_64_BIT)"; - CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; - CLANG_CXX_LIBRARY = "libc++"; - CLANG_ENABLE_MODULES = YES; - CLANG_ENABLE_OBJC_ARC = YES; - CLANG_WARN_BOOL_CONVERSION = YES; - CLANG_WARN_CONSTANT_CONVERSION = YES; - CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; - CLANG_WARN_EMPTY_BODY = YES; - CLANG_WARN_ENUM_CONVERSION = YES; - CLANG_WARN_INT_CONVERSION = YES; - CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; - CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; - COPY_PHASE_STRIP = NO; - GCC_C_LANGUAGE_STANDARD = gnu99; - GCC_DYNAMIC_NO_PIC = NO; - GCC_OPTIMIZATION_LEVEL = 0; - GCC_PREPROCESSOR_DEFINITIONS = ( - "DEBUG=1", - "$(inherited)", - ); - GCC_SYMBOLS_PRIVATE_EXTERN = NO; - GCC_WARN_64_TO_32_BIT_CONVERSION = YES; - GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; - GCC_WARN_UNDECLARED_SELECTOR = YES; - GCC_WARN_UNINITIALIZED_AUTOS = YES; - GCC_WARN_UNUSED_FUNCTION = YES; - GCC_WARN_UNUSED_VARIABLE = YES; - IPHONEOS_DEPLOYMENT_TARGET = 7.0; - ONLY_ACTIVE_ARCH = YES; - SDKROOT = iphoneos; - }; - name = Debug; - }; - 8C40DA5A188600A600A231CD /* Release */ = { - isa = XCBuildConfiguration; - buildSettings = { - ALWAYS_SEARCH_USER_PATHS = NO; - ARCHS = "$(ARCHS_STANDARD_INCLUDING_64_BIT)"; - CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; - CLANG_CXX_LIBRARY = "libc++"; - CLANG_ENABLE_MODULES = YES; - CLANG_ENABLE_OBJC_ARC = YES; - CLANG_WARN_BOOL_CONVERSION = YES; - CLANG_WARN_CONSTANT_CONVERSION = YES; - CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; - CLANG_WARN_EMPTY_BODY = YES; - CLANG_WARN_ENUM_CONVERSION = YES; - CLANG_WARN_INT_CONVERSION = YES; - CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; - CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; - COPY_PHASE_STRIP = YES; - ENABLE_NS_ASSERTIONS = NO; - GCC_C_LANGUAGE_STANDARD = gnu99; - GCC_WARN_64_TO_32_BIT_CONVERSION = YES; - GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; - GCC_WARN_UNDECLARED_SELECTOR = YES; - GCC_WARN_UNINITIALIZED_AUTOS = YES; - GCC_WARN_UNUSED_FUNCTION = YES; - GCC_WARN_UNUSED_VARIABLE = YES; - IPHONEOS_DEPLOYMENT_TARGET = 7.0; - SDKROOT = iphoneos; - VALIDATE_PRODUCT = YES; - }; - name = Release; - }; - 8C40DA5C188600A600A231CD /* Debug */ = { - isa = XCBuildConfiguration; - buildSettings = { - DSTROOT = /tmp/SSLCertificatePinning.dst; - GCC_PRECOMPILE_PREFIX_HEADER = YES; - GCC_PREFIX_HEADER = "SSLCertificatePinning/SSLCertificatePinning-Prefix.pch"; - OTHER_LDFLAGS = "-ObjC"; - PRODUCT_NAME = "$(TARGET_NAME)"; - SKIP_INSTALL = YES; - }; - name = Debug; - }; - 8C40DA5D188600A600A231CD /* Release */ = { - isa = XCBuildConfiguration; - buildSettings = { - DSTROOT = /tmp/SSLCertificatePinning.dst; - GCC_PRECOMPILE_PREFIX_HEADER = YES; - GCC_PREFIX_HEADER = "SSLCertificatePinning/SSLCertificatePinning-Prefix.pch"; - OTHER_LDFLAGS = "-ObjC"; - PRODUCT_NAME = "$(TARGET_NAME)"; - SKIP_INSTALL = YES; - }; - name = Release; - }; - 8C40DA5F188600A600A231CD /* Debug */ = { - isa = XCBuildConfiguration; - buildSettings = { - ARCHS = "$(ARCHS_STANDARD_INCLUDING_64_BIT)"; - FRAMEWORK_SEARCH_PATHS = ( - "$(SDKROOT)/Developer/Library/Frameworks", - "$(inherited)", - "$(DEVELOPER_FRAMEWORKS_DIR)", - ); - GCC_PRECOMPILE_PREFIX_HEADER = YES; - GCC_PREFIX_HEADER = "SSLCertificatePinning/SSLCertificatePinning-Prefix.pch"; - GCC_PREPROCESSOR_DEFINITIONS = ( - "DEBUG=1", - "$(inherited)", - ); - INFOPLIST_FILE = "SSLCertificatePinningTests/SSLCertificatePinningTests-Info.plist"; - PRODUCT_NAME = "$(TARGET_NAME)"; - WRAPPER_EXTENSION = xctest; - }; - name = Debug; - }; - 8C40DA60188600A600A231CD /* Release */ = { - isa = XCBuildConfiguration; - buildSettings = { - ARCHS = "$(ARCHS_STANDARD_INCLUDING_64_BIT)"; - FRAMEWORK_SEARCH_PATHS = ( - "$(SDKROOT)/Developer/Library/Frameworks", - "$(inherited)", - "$(DEVELOPER_FRAMEWORKS_DIR)", - ); - GCC_PRECOMPILE_PREFIX_HEADER = YES; - GCC_PREFIX_HEADER = "SSLCertificatePinning/SSLCertificatePinning-Prefix.pch"; - INFOPLIST_FILE = "SSLCertificatePinningTests/SSLCertificatePinningTests-Info.plist"; - PRODUCT_NAME = "$(TARGET_NAME)"; - WRAPPER_EXTENSION = xctest; - }; - name = Release; - }; -/* End XCBuildConfiguration section */ - -/* Begin XCConfigurationList section */ - 8C40DA33188600A600A231CD /* Build configuration list for PBXProject "SSLCertificatePinning" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 8C40DA59188600A600A231CD /* Debug */, - 8C40DA5A188600A600A231CD /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; - 8C40DA5B188600A600A231CD /* Build configuration list for PBXNativeTarget "SSLCertificatePinning" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 8C40DA5C188600A600A231CD /* Debug */, - 8C40DA5D188600A600A231CD /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; - 8C40DA5E188600A600A231CD /* Build configuration list for PBXNativeTarget "SSLCertificatePinningTests" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 8C40DA5F188600A600A231CD /* Debug */, - 8C40DA60188600A600A231CD /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; -/* End XCConfigurationList section */ - }; - rootObject = 8C40DA30188600A600A231CD /* Project object */; -} diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPCertificatePinning.h b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPCertificatePinning.h deleted file mode 100644 index fddc504e2..000000000 --- a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPCertificatePinning.h +++ /dev/null @@ -1,62 +0,0 @@ -// -// ISPCertificatePinning.h -// SSLCertificatePinning v3 -// -// Created by Alban Diquet on 1/14/14. -// Copyright (c) 2014 iSEC Partners. All rights reserved. -// - - -/** This class implements certificate pinning utility functions. - - First, the certificates and domains to pin should be loaded using - setupSSLPinsUsingDictionnary:. This method will store them in - "~/Library/SSLPins.plist". - - Then, the verifyPinnedCertificateForTrust:andDomain: method can be - used to validate that at least one the certificates pinned to a - specific domain is in the server's certificate chain when connecting to - it. This method should be used for example in the - connection:willSendRequestForAuthenticationChallenge: method of the - NSURLConnectionDelegate object that is used to perform the connection. - - Alternatively, the ISPPinnedNSURLSessionDelegate or - ISPPinnedNSURLConnectionDelegate classes can be directly used - to create a delegate class performing certificate pinning. - - */ -@interface ISPCertificatePinning : NSObject - - -/** - Certificate pinning loading method - - This method takes a dictionary with domain names as keys and arrays of DER- - encoded certificates as values, and stores them in a pre-defined location on - the filesystem. The ability to specify multiple certificates for a single - domain is useful when transitioning from an expiring certificate to a new one. - - @param certificates a dictionnary with domain names as keys and arrays of DER-encoded certificates as values - @return BOOL successfully loaded the public keys and domains - - */ -+ (BOOL)setupSSLPinsUsingDictionnary:(NSDictionary*)domainsAndCertificates; - - -/** - Certificate pinning validation method - - This method accesses the certificates previously loaded using the - setupSSLPinsUsingDictionnary: method and inspects the trust object's - certificate chain in order to find at least one certificate pinned to the - given domain. SecTrustEvaluate() should always be called before this method to - ensure that the certificate chain is valid. - - @param trust the trust object whose certificate chain must contain the certificate previously pinned to the given domain - @param domain the domain we're trying to connect to - @return BOOL found the domain's pinned certificate in the trust object's certificate chain - - */ -+ (BOOL)verifyPinnedCertificateForTrust:(SecTrustRef)trust andDomain:(NSString*)domain; - -@end diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPCertificatePinning.m b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPCertificatePinning.m deleted file mode 100644 index 584b974ff..000000000 --- a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPCertificatePinning.m +++ /dev/null @@ -1,112 +0,0 @@ -// -// ISPCertificatePinning.m -// SSLCertificatePinning -// -// Created by Alban Diquet on 1/14/14. -// Copyright (c) 2014 iSEC Partners. All rights reserved. -// - -#import "ISPCertificatePinning.h" - - -// All the pinned certificate are stored in this plist on the filesystem -#define PINNED_KEYS_FILE_PATH "~/Library/SSLPins.plist" - - -@implementation ISPCertificatePinning - - - -+ (BOOL)setupSSLPinsUsingDictionnary:(NSDictionary*)domainsAndCertificates { - if (domainsAndCertificates == nil) { - return NO; - } - - // Serialize the dictionary to a plist - NSError *error; - NSData *plistData = [NSPropertyListSerialization dataWithPropertyList:domainsAndCertificates - format:NSPropertyListXMLFormat_v1_0 - options:0 - error:&error]; - if (plistData == nil) { - NSLog(@"Error serializing plist: %@", error); - return NO; - } - - // Write the plist to a pre-defined location on the filesystem - NSError *writeError; - if ([plistData writeToFile:[@PINNED_KEYS_FILE_PATH stringByExpandingTildeInPath] - options:NSDataWritingAtomic - error:&writeError] == NO) { - NSLog(@"Error saving plist to the filesystem: %@", writeError); - return NO; - } - - return YES; -} - - -+ (BOOL)verifyPinnedCertificateForTrust:(SecTrustRef)trust andDomain:(NSString*)domain { - if ((trust == NULL) || (domain == nil)) { - return NO; - } - - // Deserialize the plist that contains our SSL pins - NSDictionary *SSLPinsDict = [NSDictionary dictionaryWithContentsOfFile:[@PINNED_KEYS_FILE_PATH stringByExpandingTildeInPath]]; - if (SSLPinsDict == nil) { - NSLog(@"Error accessing the SSL Pins plist at %@", @PINNED_KEYS_FILE_PATH); - return NO; - } - - // Do we have certificates pinned for this domain ? - NSArray *trustedCertificates = [SSLPinsDict objectForKey:domain]; - if ((trustedCertificates == nil) || ([trustedCertificates count] < 1)) { - return NO; - } - - // For each pinned certificate, check if it is part of the server's cert trust chain - // We only need one of the pinned certificates to be in the server's trust chain - for (NSData *pinnedCertificate in trustedCertificates) { - - // Check each certificate in the server's trust chain (the trust object) - // Unfortunately the anchor/CA certificate cannot be accessed this way - CFIndex certsNb = SecTrustGetCertificateCount(trust); - for(int i=0;i<certsNb;i++) { - - // Extract the certificate - SecCertificateRef certificate = SecTrustGetCertificateAtIndex(trust, i); - NSData* DERCertificate = (__bridge NSData*) SecCertificateCopyData(certificate); - - // Compare the two certificates - if ([pinnedCertificate isEqualToData:DERCertificate]) { - return YES; - } - } - - // Check the anchor/CA certificate separately - SecCertificateRef anchorCertificate = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)(pinnedCertificate)); - if (anchorCertificate == NULL) { - break; - } - - NSArray *anchorArray = [NSArray arrayWithObject:(__bridge id)(anchorCertificate)]; - if (SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)(anchorArray)) != 0) { - CFRelease(anchorCertificate); - break; - } - - SecTrustResultType trustResult; - SecTrustEvaluate(trust, &trustResult); - if (trustResult == kSecTrustResultUnspecified) { - // The anchor certificate was pinned - CFRelease(anchorCertificate); - return YES; - } - CFRelease(anchorCertificate); - } - - // If we get here, we didn't find any matching certificate in the chain - return NO; -} - -@end diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPPinnedNSURLConnectionDelegate.h b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPPinnedNSURLConnectionDelegate.h deleted file mode 100644 index 13537455c..000000000 --- a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPPinnedNSURLConnectionDelegate.h +++ /dev/null @@ -1,23 +0,0 @@ -// -// ISPPinnedNSURLConnectionDelegate.h -// SSLCertificatePinning -// -// Created by Alban Diquet on 1/14/14. -// Copyright (c) 2014 iSEC Partners. All rights reserved. -// - - -/** Convenience class to automatically perform certificate pinning for NSURLConnection. - - ISPPinnedNSURLConnectionDelegate is designed to be subclassed in order to - implement an NSURLConnectionDelegate class. The - connection:willSendRequestForAuthenticationChallenge: method it implements - will automatically validate that at least one the certificates pinned to the domain the - connection is accessing is part of the server's certificate chain. - - */ -@interface ISPPinnedNSURLConnectionDelegate : NSObject - -- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge; - -@end diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPPinnedNSURLConnectionDelegate.m b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPPinnedNSURLConnectionDelegate.m deleted file mode 100644 index c67a8d0c6..000000000 --- a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPPinnedNSURLConnectionDelegate.m +++ /dev/null @@ -1,49 +0,0 @@ -// -// ISPPinnedNSURLConnectionDelegate.m -// SSLCertificatePinning -// -// Created by Alban Diquet on 1/14/14. -// Copyright (c) 2014 iSEC Partners. All rights reserved. -// - -#import "ISPPinnedNSURLConnectionDelegate.h" -#import "ISPCertificatePinning.h" - - -@implementation ISPPinnedNSURLConnectionDelegate - - -- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge { - - if([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) { - - SecTrustRef serverTrust = [[challenge protectionSpace] serverTrust]; - NSString *domain = [[challenge protectionSpace] host]; - SecTrustResultType trustResult; - - // Validate the certificate chain with the device's trust store anyway - // This *might* give use revocation checking - SecTrustEvaluate(serverTrust, &trustResult); - if (trustResult == kSecTrustResultUnspecified) { - - // Look for a pinned certificate in the server's certificate chain - if ([ISPCertificatePinning verifyPinnedCertificateForTrust:serverTrust andDomain:domain]) { - - // Found the certificate; continue connecting - [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] - forAuthenticationChallenge:challenge]; - } - else { - // The certificate wasn't found in the certificate chain; cancel the connection - [[challenge sender] cancelAuthenticationChallenge: challenge]; - } - } - else { - // Certificate chain validation failed; cancel the connection - [[challenge sender] cancelAuthenticationChallenge: challenge]; - } - } -} - - -@end diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPPinnedNSURLSessionDelegate.h b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPPinnedNSURLSessionDelegate.h deleted file mode 100644 index 1fb3a292d..000000000 --- a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPPinnedNSURLSessionDelegate.h +++ /dev/null @@ -1,23 +0,0 @@ -// -// ISPPinnedNSURLSessionDelegate.h -// SSLCertificatePinning -// -// Created by Alban Diquet on 1/14/14. -// Copyright (c) 2014 iSEC Partners. All rights reserved. -// - - -/** Convenience class to automatically perform certificate pinning for NSURLSession. - - ISPPinnedNSURLSessionDelegate is designed to be subclassed in order to - implement an NSURLSession class. The - URLSession:didReceiveChallenge:completionHandler: method it implements - will automatically validate that at least one the certificates pinned to the domain the - connection is accessing is part of the server's certificate chain. - - */ -@interface ISPPinnedNSURLSessionDelegate : NSObject - -- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler; - -@end diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPPinnedNSURLSessionDelegate.m b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPPinnedNSURLSessionDelegate.m deleted file mode 100644 index 601af6abd..000000000 --- a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/ISPPinnedNSURLSessionDelegate.m +++ /dev/null @@ -1,47 +0,0 @@ -// -// ISPPinnedNSURLSessionDelegate.m -// SSLCertificatePinning -// -// Created by Alban Diquet on 1/14/14. -// Copyright (c) 2014 iSEC Partners. All rights reserved. -// -#import <Foundation/NSURLSession.h> - -#import "ISPPinnedNSURLSessionDelegate.h" -#import "ISPCertificatePinning.h" - - -@implementation ISPPinnedNSURLSessionDelegate - -- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler { - - if([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) { - - SecTrustRef serverTrust = [[challenge protectionSpace] serverTrust]; - NSString *domain = [[challenge protectionSpace] host]; - SecTrustResultType trustResult; - - // Validate the certificate chain with the device's trust store anyway - // This *might* give use revocation checking - SecTrustEvaluate(serverTrust, &trustResult); - if (trustResult == kSecTrustResultUnspecified) { - - // Look for a pinned certificate in the server's certificate chain - if ([ISPCertificatePinning verifyPinnedCertificateForTrust:serverTrust andDomain:domain]) { - - // Found the certificate; continue connecting - completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]); - } - else { - // The certificate wasn't found in the certificate chain; cancel the connection - completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]); - } - } - else { - // Certificate chain validation failed; cancel the connection - completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]); - } - } -} - -@end diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/SSLCertificatePinning-Prefix.pch b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/SSLCertificatePinning-Prefix.pch deleted file mode 100644 index eb2007ecd..000000000 --- a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinning/SSLCertificatePinning-Prefix.pch +++ /dev/null @@ -1,9 +0,0 @@ -// -// Prefix header -// -// The contents of this file are implicitly included at the beginning of every source file. -// - -#ifdef __OBJC__ - #import <Foundation/Foundation.h> -#endif diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLConnectionTests.m b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLConnectionTests.m deleted file mode 100644 index 53d860785..000000000 --- a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLConnectionTests.m +++ /dev/null @@ -1,154 +0,0 @@ -// -// NSURLConnectionTests.m -// SSLCertificatePinning -// -// Created by Alban Diquet on 1/14/14. -// Copyright (c) 2014 iSEC Partners. All rights reserved. -// - -#import <XCTest/XCTest.h> - -#import "ISPPinnedNSURLConnectionDelegate.h" -#import "ISPCertificatePinning.h" -#import "SSLPinsTestUtility.h" - - -// Delegate we'll use for our tests -@interface NSURLConnectionDelegateTest : ISPPinnedNSURLConnectionDelegate <NSURLConnectionDelegate> - @property BOOL connectionFinished; - @property BOOL connectionSucceeded; -@end - - - -@interface NSURLConnectionTests : XCTestCase - -@end - - -@implementation NSURLConnectionTests - - -- (void)setUp -{ - [super setUp]; -} - -- (void)tearDown -{ - [super tearDown]; -} - -#pragma mark SSL pinning test - - -// This is sample code to demonstrate how to implement certificate pinning with NSURLConnection -- (void)testNSURLConnectionSSLPinning -{ - - // Create our SSL pins dictionnary for Twitter, iSEC and NCC - NSDictionary *domainsToPin = [SSLPinsTestUtility setupTestSSLPinsDictionnary]; - if (domainsToPin == nil) { - NSLog(@"Failed to pin a certificate"); - } - - - // Save the SSL pins so that our connection delegates automatically use them - if ([ISPCertificatePinning setupSSLPinsUsingDictionnary:domainsToPin] != YES) { - NSLog(@"Failed to pin the certificates"); - } - - // Connect to Twitter - NSURLRequest *request = [NSURLRequest requestWithURL:[NSURL URLWithString:@"https://twitter.com/"]]; - NSURLConnectionDelegateTest *connectionDelegate = [[NSURLConnectionDelegateTest alloc] init]; - NSURLConnection *connection=[[NSURLConnection alloc] initWithRequest:request delegate:connectionDelegate]; - [connection start]; - - // Connect to iSEC - NSURLRequest *request2 = [NSURLRequest requestWithURL:[NSURL URLWithString:@"https://www.isecpartners.com/"]]; - NSURLConnectionDelegateTest *connectionDelegate2 = [[NSURLConnectionDelegateTest alloc] init]; - NSURLConnection *connection2 = [[NSURLConnection alloc] initWithRequest:request2 delegate:connectionDelegate2]; - [connection2 start]; - - // Connect to NCC Group => will fail because we pinned a wrong certificate - NSURLRequest *request3 = [NSURLRequest requestWithURL:[NSURL URLWithString:@"https://www.nccgroup.com/"]]; - NSURLConnectionDelegateTest *connectionDelegate3 = [[NSURLConnectionDelegateTest alloc] init]; - NSURLConnection *connection3 = [[NSURLConnection alloc] initWithRequest:request3 delegate:connectionDelegate3]; - [connection3 start]; - - - // Do some polling to wait for the connections to complete -#define POLL_INTERVAL 0.2 // 200ms -#define N_SEC_TO_POLL 3.0 // poll for 3s -#define MAX_POLL_COUNT N_SEC_TO_POLL / POLL_INTERVAL - - NSUInteger pollCount = 0; - while (!(connectionDelegate.connectionFinished && connectionDelegate2.connectionFinished && connectionDelegate3.connectionFinished) && (pollCount < MAX_POLL_COUNT)) { - NSDate* untilDate = [NSDate dateWithTimeIntervalSinceNow:POLL_INTERVAL]; - [[NSRunLoop currentRunLoop] runUntilDate:untilDate]; - pollCount++; - } - - if (pollCount == MAX_POLL_COUNT) { - XCTFail(@"Could not connect in time"); - } - - - // The first two connections should succeed - XCTAssertTrue(connectionDelegate.connectionSucceeded, @"Connection to Twitter failed"); - XCTAssertTrue(connectionDelegate2.connectionSucceeded, @"Connection to iSEC Partners failed"); - - // The last connection should fail - XCTAssertFalse(connectionDelegate3.connectionSucceeded, @"Connection to NCC succeeded"); -} - - -@end - - -#pragma mark Delegate class - -@implementation NSURLConnectionDelegateTest - -@synthesize connectionSucceeded; -@synthesize connectionFinished; - --(instancetype) init { - if (self = [super init]) - { - self.connectionSucceeded = NO; - self.connectionFinished = NO; - } - return self; -} - - -- (void)connectionDidFinishLoading:(NSURLConnection *)connection { - self.connectionSucceeded = YES; - self.connectionFinished = YES; -} - -- (void)connection:(NSURLConnection *)connection didFailWithError:(NSError *)error { - self.connectionSucceeded = NO; - self.connectionFinished = YES; -} - -- (void)connection:(NSURLConnection *)connection didReceiveData:(NSData *)data { - self.connectionSucceeded = YES; - self.connectionFinished = YES; -} - -- (NSCachedURLResponse *)connection:(NSURLConnection *)connection willCacheResponse:(NSCachedURLResponse *)cachedResponse { - return cachedResponse; -} - -- (void)connection:(NSURLConnection *)connection didReceiveResponse:(NSURLResponse *)response { - self.connectionSucceeded = YES; - self.connectionFinished = YES; -} - -- (NSURLRequest *)connection:(NSURLConnection *)connection willSendRequest:(NSURLRequest *)request redirectResponse:(NSURLResponse *)redirectResponse { - return request; -} - -@end
\ No newline at end of file diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLSessionTests.m b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLSessionTests.m deleted file mode 100644 index 5f1da51ba..000000000 --- a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/NSURLSessionTests.m +++ /dev/null @@ -1,145 +0,0 @@ -// -// NSURLSessionTests.m -// SSLCertificatePinning -// -// Created by Alban Diquet on 1/14/14. -// Copyright (c) 2014 iSEC Partners. All rights reserved. -// - -#import <XCTest/XCTest.h> - -#import "ISPPinnedNSURLSessionDelegate.h" -#import "ISPCertificatePinning.h" -#import "SSLPinsTestUtility.h" - - -// Delegate we'll use for our tests -@interface NSURLSessionTaskDelegateTest : ISPPinnedNSURLSessionDelegate <NSURLSessionTaskDelegate, NSURLSessionDataDelegate> -@property BOOL connectionFinished; -@property BOOL connectionSucceeded; -@end - - -@interface NSURLSessionTests : XCTestCase - -@end - -@implementation NSURLSessionTests - -- (void)setUp -{ - [super setUp]; -} - -- (void)tearDown -{ - [super tearDown]; -} - - -#pragma mark SSL pinning test -- (void)testNSURLSessionSSLPinning -{ - - // Create our SSL pins dictionnary for Twitter, iSEC and NCC - NSDictionary *domainsToPin = [SSLPinsTestUtility setupTestSSLPinsDictionnary]; - if (domainsToPin == nil) { - NSLog(@"Failed to pin a certificate"); - } - - // Save the SSL pins so that our session delegates automatically use them - if ([ISPCertificatePinning setupSSLPinsUsingDictionnary:domainsToPin] != YES) { - NSLog(@"Failed to pin the certificates"); - } - - - // Connect to Twitter - NSURLSessionTaskDelegateTest *sessionDelegate1 = [[NSURLSessionTaskDelegateTest alloc] init]; - NSURLSession *session1 = [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration ephemeralSessionConfiguration] delegate:sessionDelegate1 delegateQueue:nil]; - - NSURLSessionDataTask *dataTask1 = [session1 dataTaskWithURL:[NSURL URLWithString:@"https://twitter.com/"] completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { - - sessionDelegate1.connectionFinished = YES; - if (!error) { - sessionDelegate1.connectionSucceeded = YES; - } - }]; - [dataTask1 resume]; - - - // Connect to iSEC - NSURLSessionTaskDelegateTest *sessionDelegate2 = [[NSURLSessionTaskDelegateTest alloc] init]; - NSURLSession *session2 = [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration ephemeralSessionConfiguration] delegate:sessionDelegate2 delegateQueue:nil]; - - NSURLSessionDataTask *dataTask2 = [session2 dataTaskWithURL:[NSURL URLWithString:@"https://www.isecpartners.com/"] completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { - - sessionDelegate2.connectionFinished = YES; - if (!error) { - sessionDelegate2.connectionSucceeded = YES; - } - }]; - [dataTask2 resume]; - - - // Connect to NCC Group => will fail because we pinned a wrong certificate - NSURLSessionTaskDelegateTest *sessionDelegate3 = [[NSURLSessionTaskDelegateTest alloc] init]; - NSURLSession *session3 = [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration ephemeralSessionConfiguration] delegate:sessionDelegate3 delegateQueue:nil]; - - NSURLSessionDataTask *dataTask3 = [session3 dataTaskWithURL:[NSURL URLWithString:@"https://www.nccgroup.com/"] completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { - - sessionDelegate3.connectionFinished = YES; - if (!error) { - sessionDelegate3.connectionSucceeded = YES; - } - }]; - [dataTask3 resume]; - - - // Do some polling to wait for the connections to complete -#define POLL_INTERVAL 0.2 // 200ms -#define N_SEC_TO_POLL 3.0 // poll for 3s -#define MAX_POLL_COUNT N_SEC_TO_POLL / POLL_INTERVAL - - NSUInteger pollCount = 0; - while (!(sessionDelegate1.connectionFinished && sessionDelegate2.connectionFinished && sessionDelegate3.connectionFinished) && (pollCount < MAX_POLL_COUNT)) { - NSDate* untilDate = [NSDate dateWithTimeIntervalSinceNow:POLL_INTERVAL]; - [[NSRunLoop currentRunLoop] runUntilDate:untilDate]; - pollCount++; - } - - if (pollCount == MAX_POLL_COUNT) { - XCTFail(@"Could not connect in time"); - } - - - // The first two connections should succeed - XCTAssertTrue(sessionDelegate1.connectionSucceeded, @"Connection to Twitter failed"); - XCTAssertTrue(sessionDelegate2.connectionSucceeded, @"Connection to iSEC Partners failed"); - - // The last connection should fail - XCTAssertFalse(sessionDelegate3.connectionSucceeded, @"Connection to NCC succeeded"); -} - - -@end - - - - -#pragma mark Delegate class - -@implementation NSURLSessionTaskDelegateTest - - @synthesize connectionSucceeded; - @synthesize connectionFinished; - - -(instancetype) init { - if (self = [super init]) - { - self.connectionSucceeded = NO; - self.connectionFinished = NO; - } - return self; - } - -@end diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLCertificatePinningTests-Info.plist b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLCertificatePinningTests-Info.plist deleted file mode 100644 index ccba61f8e..000000000 --- a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLCertificatePinningTests-Info.plist +++ /dev/null @@ -1,22 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> -<plist version="1.0"> -<dict> - <key>CFBundleDevelopmentRegion</key> - <string>en</string> - <key>CFBundleExecutable</key> - <string>${EXECUTABLE_NAME}</string> - <key>CFBundleIdentifier</key> - <string>com.isecpartners.${PRODUCT_NAME:rfc1034identifier}</string> - <key>CFBundleInfoDictionaryVersion</key> - <string>6.0</string> - <key>CFBundlePackageType</key> - <string>BNDL</string> - <key>CFBundleShortVersionString</key> - <string>1.0</string> - <key>CFBundleSignature</key> - <string>????</string> - <key>CFBundleVersion</key> - <string>1</string> -</dict> -</plist> diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.h b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.h deleted file mode 100644 index 56dde1ac7..000000000 --- a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.h +++ /dev/null @@ -1,15 +0,0 @@ -// -// SSLPinsTestUtility.h -// SSLCertificatePinning -// -// Created by Alban Diquet on 2/2/14. -// Copyright (c) 2014 iSEC Partners. All rights reserved. -// - -#import <Foundation/Foundation.h> - -@interface SSLPinsTestUtility : NSObject - -+ (NSDictionary*) setupTestSSLPinsDictionnary; - -@end diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.m b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.m deleted file mode 100644 index 7a5eb22c5..000000000 --- a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/SSLPinsTestUtility.m +++ /dev/null @@ -1,57 +0,0 @@ -// -// SSLPinsTestUtility.m -// SSLCertificatePinning -// -// Created by Alban Diquet on 2/2/14. -// Copyright (c) 2014 iSEC Partners. All rights reserved. -// - -#import "SSLPinsTestUtility.h" -#import "ISPCertificatePinning.h" - -@implementation SSLPinsTestUtility - - -+ (NSData*)loadCertificateFromFile:(NSString*)fileName { - NSString *certPath = [[NSBundle bundleForClass:[self class]] pathForResource:fileName ofType:@"der"]; - NSData *certData = [[NSData alloc] initWithContentsOfFile:certPath]; - return certData; -} - - -+ (NSDictionary*) setupTestSSLPinsDictionnary { - // Build our dictionnary of domain => certificates - NSMutableDictionary *domainsToPin = [[NSMutableDictionary alloc] init]; - - - // For Twitter, we pin the anchor/CA certificate - NSData *twitterCertData = [SSLPinsTestUtility loadCertificateFromFile:@"VeriSignClass3PublicPrimaryCertificationAuthority-G5"]; - if (twitterCertData == nil) { - NSLog(@"Failed to load a certificate"); - return nil; - } - NSArray *twitterTrustedCerts = [NSArray arrayWithObject:twitterCertData]; - [domainsToPin setObject:twitterTrustedCerts forKey:@"twitter.com"]; - - - // For iSEC, we pin the server/leaf certificate - NSData *isecCertData = [SSLPinsTestUtility loadCertificateFromFile:@"www.isecpartners.com"]; - if (isecCertData == nil) { - NSLog(@"Failed to load a certificate"); - return nil; - } - // We also pin Twitter's CA cert just to show that you can pin multiple certs to a single domain - // This is useful when transitioning between two certificates on the server - // The connection will be succesful if at least one of the pinned certs is found in the server's certificate trust chain - NSArray *iSECTrustedCerts = [NSArray arrayWithObjects:isecCertData, twitterCertData, nil]; - [domainsToPin setObject:iSECTrustedCerts forKey:@"www.isecpartners.com"]; - - - // For NCC group, we pin an invalid certificate (Twitter's) - NSArray *NCCTrustedCerts = [NSArray arrayWithObject:twitterCertData]; - [domainsToPin setObject:NCCTrustedCerts forKey:@"www.nccgroup.com"]; - - return domainsToPin; -} - -@end diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/VeriSignClass3PublicPrimaryCertificationAuthority-G5.der b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/VeriSignClass3PublicPrimaryCertificationAuthority-G5.der Binary files differdeleted file mode 100644 index 9818d19d0..000000000 --- a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/VeriSignClass3PublicPrimaryCertificationAuthority-G5.der +++ /dev/null diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/en.lproj/InfoPlist.strings b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/en.lproj/InfoPlist.strings deleted file mode 100644 index 477b28ff8..000000000 --- a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/en.lproj/InfoPlist.strings +++ /dev/null @@ -1,2 +0,0 @@ -/* Localized versions of Info.plist keys */ - diff --git a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/www.isecpartners.com.der b/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/www.isecpartners.com.der Binary files differdeleted file mode 100644 index 886cf483e..000000000 --- a/web/server/h2o/libh2o/deps/ssl-conservatory/ios/SSLCertificatePinning/SSLCertificatePinningTests/www.isecpartners.com.der +++ /dev/null |