From e035f675c4cad93d22180bb95db4ad88669e4fd5 Mon Sep 17 00:00:00 2001
From: Jesse Bounds
Date: Fri, 16 Jun 2017 09:11:32 -1000
Subject: [PATCH 1/2] [ios] Update telemetry cert pinning
---
platform/ios/ios.xcodeproj/project.pbxproj | 36 ++++--
...t.der => api_mapbox_com-digicert_2016.der} | Bin
.../api_mapbox_com-digicert_2017.der | Bin 0 -> 2030 bytes
...t.der => api_mapbox_com-geotrust_2016.der} | Bin
.../api_mapbox_com-geotrust_2017.der | Bin 0 -> 1758 bytes
platform/ios/src/MGLAPIClient.m | 114 ++++++++----------
6 files changed, 73 insertions(+), 77 deletions(-)
rename platform/ios/resources/{api_mapbox_com-digicert.der => api_mapbox_com-digicert_2016.der} (100%)
create mode 100644 platform/ios/resources/api_mapbox_com-digicert_2017.der
rename platform/ios/resources/{api_mapbox_com-geotrust.der => api_mapbox_com-geotrust_2016.der} (100%)
create mode 100644 platform/ios/resources/api_mapbox_com-geotrust_2017.der
diff --git a/platform/ios/ios.xcodeproj/project.pbxproj b/platform/ios/ios.xcodeproj/project.pbxproj
index b6d422d0fc0..5120d63f20a 100644
--- a/platform/ios/ios.xcodeproj/project.pbxproj
+++ b/platform/ios/ios.xcodeproj/project.pbxproj
@@ -163,12 +163,12 @@ 404C26E71D89C55D000AA13D /* MGLTileSource_Private.h in Headers */ = {isa = PBXBuildFile; fileRef = 404C26E61D89C515000AA13D /* MGLTileSource_Private.h */; }; 404C26E81D89C55D000AA13D /* MGLTileSource_Private.h in Headers */ = {isa = PBXBuildFile; fileRef = 404C26E61D89C515000AA13D /* MGLTileSource_Private.h */; }; 40599F0C1DEE1B7600182B5D /* api_mapbox_staging.der in Resources */ = {isa = PBXBuildFile; fileRef = 40599F001DEE1B2400182B5D /* api_mapbox_staging.der */; }; - 40599F0D1DEE1B7A00182B5D /* api_mapbox_com-digicert.der in Resources */ = {isa = PBXBuildFile; fileRef = 40599F011DEE1B2400182B5D /* api_mapbox_com-digicert.der */; }; - 40599F0E1DEE1B7E00182B5D /* api_mapbox_com-geotrust.der in Resources */ = {isa = PBXBuildFile; fileRef = 40599F021DEE1B2400182B5D /* api_mapbox_com-geotrust.der */; }; + 40599F0D1DEE1B7A00182B5D /* api_mapbox_com-digicert_2016.der in Resources */ = {isa = PBXBuildFile; fileRef = 40599F011DEE1B2400182B5D /* api_mapbox_com-digicert_2016.der */; }; + 40599F0E1DEE1B7E00182B5D /* api_mapbox_com-geotrust_2016.der in Resources */ = {isa = PBXBuildFile; fileRef = 40599F021DEE1B2400182B5D /* api_mapbox_com-geotrust_2016.der */; }; 4085AF091D933DEA00F11B22 /* MGLTileSetTests.mm in Sources */ = {isa = PBXBuildFile; fileRef = 4085AF081D933DEA00F11B22 /* MGLTileSetTests.mm */; }; 408982E91DEE208200754016 /* api_mapbox_staging.der in Resources */ = {isa = PBXBuildFile; fileRef = 40599F001DEE1B2400182B5D /* api_mapbox_staging.der */; }; - 408982EA1DEE208B00754016 /* api_mapbox_com-digicert.der in Resources */ = {isa = PBXBuildFile; fileRef = 40599F011DEE1B2400182B5D /* api_mapbox_com-digicert.der */; }; - 408982EB1DEE209100754016 /* api_mapbox_com-geotrust.der in Resources */ = {isa = PBXBuildFile; fileRef = 40599F021DEE1B2400182B5D /* api_mapbox_com-geotrust.der */; }; + 408982EA1DEE208B00754016 /* api_mapbox_com-digicert_2016.der in Resources */ = {isa = PBXBuildFile; fileRef = 40599F011DEE1B2400182B5D /* 
api_mapbox_com-digicert_2016.der */; }; + 408982EB1DEE209100754016 /* api_mapbox_com-geotrust_2016.der in Resources */ = {isa = PBXBuildFile; fileRef = 40599F021DEE1B2400182B5D /* api_mapbox_com-geotrust_2016.der */; }; 408AA8571DAEDA1700022900 /* NSDictionary+MGLAdditions.h in Headers */ = {isa = PBXBuildFile; fileRef = 408AA8551DAEDA0800022900 /* NSDictionary+MGLAdditions.h */; }; 408AA8581DAEDA1E00022900 /* NSDictionary+MGLAdditions.mm in Sources */ = {isa = PBXBuildFile; fileRef = 408AA8561DAEDA0800022900 /* NSDictionary+MGLAdditions.mm */; }; 408AA8591DAEDA1E00022900 /* NSDictionary+MGLAdditions.mm in Sources */ = {isa = PBXBuildFile; fileRef = 408AA8561DAEDA0800022900 /* NSDictionary+MGLAdditions.mm */; }; 
@@ -176,6 +176,10 @@ 409F43FD1E9E781C0048729D /* MGLMapViewDelegateIntegrationTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 409F43FC1E9E781C0048729D /* MGLMapViewDelegateIntegrationTests.swift */; }; 40CF6DBB1DAC3C6600A4D18B /* MGLShape_Private.h in Headers */ = {isa = PBXBuildFile; fileRef = 40CF6DBA1DAC3C1800A4D18B /* MGLShape_Private.h */; }; 40CFA6511D7875BB008103BD /* MGLShapeSourceTests.mm in Sources */ = {isa = PBXBuildFile; fileRef = 40CFA6501D787579008103BD /* MGLShapeSourceTests.mm */; }; + 40EA6BC11EF4599600FCCDA2 /* api_mapbox_com-digicert_2017.der in Resources */ = {isa = PBXBuildFile; fileRef = 40EA6BBD1EF4598900FCCDA2 /* api_mapbox_com-digicert_2017.der */; }; + 40EA6BC21EF4599700FCCDA2 /* api_mapbox_com-digicert_2017.der in Resources */ = {isa = PBXBuildFile; fileRef = 40EA6BBD1EF4598900FCCDA2 /* api_mapbox_com-digicert_2017.der */; }; + 40EA6BC31EF4599D00FCCDA2 /* api_mapbox_com-geotrust_2017.der in Resources */ = {isa = PBXBuildFile; fileRef = 40EA6BBE1EF4598900FCCDA2 /* api_mapbox_com-geotrust_2017.der */; }; + 40EA6BC41EF4599D00FCCDA2 /* api_mapbox_com-geotrust_2017.der in Resources */ = {isa = PBXBuildFile; fileRef = 40EA6BBE1EF4598900FCCDA2 /* api_mapbox_com-geotrust_2017.der */; }; 40EDA1C01CFE0E0200D9EA68 /* MGLAnnotationContainerView.h in Headers */ = {isa = PBXBuildFile; fileRef = 40EDA1BD1CFE0D4A00D9EA68 /* MGLAnnotationContainerView.h */; }; 40EDA1C11CFE0E0500D9EA68 /* MGLAnnotationContainerView.m in Sources */ = {isa = PBXBuildFile; fileRef = 40EDA1BE1CFE0D4A00D9EA68 /* MGLAnnotationContainerView.m */; }; 40EDA1C21CFE0E0500D9EA68 /* MGLAnnotationContainerView.m in Sources */ = {isa = PBXBuildFile; fileRef = 40EDA1BE1CFE0D4A00D9EA68 /* MGLAnnotationContainerView.m */; }; 
@@ -635,8 +639,8 @@ 404C26E11D89B877000AA13D /* MGLTileSource.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = MGLTileSource.mm; sourceTree = ""; }; 404C26E61D89C515000AA13D /* MGLTileSource_Private.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MGLTileSource_Private.h; sourceTree = ""; }; 40599F001DEE1B2400182B5D /* api_mapbox_staging.der */ = {isa = PBXFileReference; lastKnownFileType = file; path = api_mapbox_staging.der; sourceTree = ""; }; - 40599F011DEE1B2400182B5D /* api_mapbox_com-digicert.der */ = {isa = PBXFileReference; lastKnownFileType = file; path = "api_mapbox_com-digicert.der"; sourceTree = ""; }; - 40599F021DEE1B2400182B5D /* api_mapbox_com-geotrust.der */ = {isa = PBXFileReference; lastKnownFileType = file; path = "api_mapbox_com-geotrust.der"; sourceTree = ""; }; + 40599F011DEE1B2400182B5D /* api_mapbox_com-digicert_2016.der */ = {isa = PBXFileReference; lastKnownFileType = file; path = "api_mapbox_com-digicert_2016.der"; sourceTree = ""; }; + 40599F021DEE1B2400182B5D /* api_mapbox_com-geotrust_2016.der */ = {isa = PBXFileReference; lastKnownFileType = file; path = "api_mapbox_com-geotrust_2016.der"; sourceTree = ""; }; 4085AF081D933DEA00F11B22 /* MGLTileSetTests.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; name = MGLTileSetTests.mm; path = ../../darwin/test/MGLTileSetTests.mm; sourceTree = ""; }; 408AA8551DAEDA0800022900 /* NSDictionary+MGLAdditions.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "NSDictionary+MGLAdditions.h"; sourceTree = ""; }; 408AA8561DAEDA0800022900 /* NSDictionary+MGLAdditions.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = "NSDictionary+MGLAdditions.mm"; sourceTree = ""; }; 
@@ -644,6 +648,8 @@ 409F43FC1E9E781C0048729D /* MGLMapViewDelegateIntegrationTests.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = MGLMapViewDelegateIntegrationTests.swift; sourceTree = ""; }; 40CF6DBA1DAC3C1800A4D18B /* MGLShape_Private.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MGLShape_Private.h; sourceTree = ""; }; 40CFA6501D787579008103BD /* MGLShapeSourceTests.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; name = MGLShapeSourceTests.mm; path = ../../darwin/test/MGLShapeSourceTests.mm; sourceTree = ""; }; + 40EA6BBD1EF4598900FCCDA2 /* api_mapbox_com-digicert_2017.der */ = {isa = PBXFileReference; lastKnownFileType = file; path = "api_mapbox_com-digicert_2017.der"; sourceTree = ""; }; + 40EA6BBE1EF4598900FCCDA2 /* api_mapbox_com-geotrust_2017.der */ = {isa = PBXFileReference; lastKnownFileType = file; path = "api_mapbox_com-geotrust_2017.der"; sourceTree = ""; }; 40EDA1BD1CFE0D4A00D9EA68 /* MGLAnnotationContainerView.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MGLAnnotationContainerView.h; sourceTree = ""; }; 40EDA1BE1CFE0D4A00D9EA68 /* MGLAnnotationContainerView.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = MGLAnnotationContainerView.m; sourceTree = ""; }; 40F8876F1D7A1DB8008ECB67 /* MGLShapeSource_Private.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MGLShapeSource_Private.h; sourceTree = ""; }; 
@@ -1347,8 +1353,10 @@ DAC49C5F1CD02BC9009E1AA3 /* Localizable.stringsdict */, DA8933EF1CCD387900E68420 /* strip-frameworks.sh */, 40599F001DEE1B2400182B5D /* api_mapbox_staging.der */, - 40599F011DEE1B2400182B5D /* api_mapbox_com-digicert.der */, - 40599F021DEE1B2400182B5D /* api_mapbox_com-geotrust.der */, + 40599F011DEE1B2400182B5D /* api_mapbox_com-digicert_2016.der */, + 40599F021DEE1B2400182B5D /* api_mapbox_com-geotrust_2016.der */, + 40EA6BBD1EF4598900FCCDA2 /* api_mapbox_com-digicert_2017.der */, + 40EA6BBE1EF4598900FCCDA2 /* api_mapbox_com-geotrust_2017.der */, ); name = "Kit Resources"; path = resources; @@ -2069,9 +2077,11 @@ DA8933F01CCD387900E68420 /* strip-frameworks.sh in Resources */, DAC49C5C1CD02BC9009E1AA3 /* Localizable.stringsdict in Resources */, DA8933BF1CCD2CAD00E68420 /* Foundation.stringsdict in Resources */, + 40EA6BC11EF4599600FCCDA2 /* api_mapbox_com-digicert_2017.der in Resources */, 408982E91DEE208200754016 /* api_mapbox_staging.der in Resources */, - 408982EA1DEE208B00754016 /* api_mapbox_com-digicert.der in Resources */, - 408982EB1DEE209100754016 /* api_mapbox_com-geotrust.der in Resources */, + 408982EA1DEE208B00754016 /* api_mapbox_com-digicert_2016.der in Resources */, + 40EA6BC31EF4599D00FCCDA2 /* api_mapbox_com-geotrust_2017.der in Resources */, + 408982EB1DEE209100754016 /* api_mapbox_com-geotrust_2016.der in Resources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -2083,10 +2093,12 @@ DA8933DB1CCD31D400E68420 /* Foundation.strings in Resources */, 960D0C371ECF5AAF008E151F /* Images.xcassets in Resources */, DA8933DC1CCD31D400E68420 /* Foundation.stringsdict in Resources */, + 40EA6BC41EF4599D00FCCDA2 /* api_mapbox_com-geotrust_2017.der in Resources */, DAC49C5D1CD02BC9009E1AA3 /* Localizable.stringsdict in Resources */, 40599F0C1DEE1B7600182B5D /* api_mapbox_staging.der in Resources */, - 40599F0D1DEE1B7A00182B5D /* api_mapbox_com-digicert.der in Resources */, - 40599F0E1DEE1B7E00182B5D /* api_mapbox_com-geotrust.der in Resources */, + 40599F0D1DEE1B7A00182B5D /* api_mapbox_com-digicert_2016.der in Resources */, + 40599F0E1DEE1B7E00182B5D /* api_mapbox_com-geotrust_2016.der in Resources */, + 40EA6BC21EF4599700FCCDA2 /* api_mapbox_com-digicert_2017.der in Resources */, ); runOnlyForDeploymentPostprocessing = 0; }; diff --git a/platform/ios/resources/api_mapbox_com-digicert.der b/platform/ios/resources/api_mapbox_com-digicert_2016.der similarity index 100% rename from platform/ios/resources/api_mapbox_com-digicert.der rename to platform/ios/resources/api_mapbox_com-digicert_2016.der 
diff --git a/platform/ios/resources/api_mapbox_com-digicert_2017.der b/platform/ios/resources/api_mapbox_com-digicert_2017.der new file mode 100644 index 0000000000000000000000000000000000000000..4a190085abc17a1755a03953327b27ba9398e3eb GIT binary patch literal 2030 zcma)7dsGu=7N5xrNJv5$!~h}ze6+YE-|(hBR^F&UBSBzoP(v6)DkPYM1VN<+jD=dB z1?}#kV%uuEB4(sNuypjvkZ#ns*YW9OVXXYTX&`|fw| z9iX>(1oX5)Bbfw~NH(;(j+1qTYlUOZdqC-*%hv)X&C0_NX?V(nVFncfnJ5ET(a5_f zG=#KEgsuPxAG&zQNs62JQe`^o1H1?m8QJhU zLKGR~#S6>QV2Tthg%>YLlcz{Da;1VN!cWz94 z@@{bKSJW9e5sBH>c0!e0E74%Q_f;~9LY}>p3q=5j#@IlEDX`vu6A30S(IHl>B(}*5-&W~0-+~J)TwfXOrunwcEFZMNJkja zl8j_!7Ex3_>Ik@mmW*&PEvC?@`RPkWqO3pyS` z^lNtXedpAXxX*327eFnx1R<6P@lceeEy%P z9Rw_o5(1$rTzkpjgxOlg|0ya8kFtC{J%#Q9AXA zwZ)QAT)#EuX~97f4=z)NxtRy^rQNj9h&ka=U1@XaqrvGaQFo{9ILrDlq=Vw^XulWS z>-@*vC*y6Q7q{F9*IsM=oFne|`Lolzh70a|{}Q*OdI>iYgyXn1#v{5*PJ7CKFwI`< zAB_KUWwlA%I->1elM5&PaouA-+~raCEH7&&;wK-t(<6$$t#ZLUlbC2BpAIUV434kR zd*Z<69c@=LZ|!Rt50<+$jeoKKEc@u*3#$8hP*+YtcK!3dm%yF3-T*F4lLhMP-z%Rw z%&b}|2s-o0)Ls?_fTy*s2+&cpY_ZIkATGk=+ z>wn|m8(WT7+Vt&%R+qwqm&-qMKh;>46A_S5L2rtkaxAG#@he(AaQxMYD_&Qcm#AMn zUO7AuoeT2g)+Sa+zwaMy66N21Sj{i!8M-Ilh2xsPKC`xZW@CofNfqGw@E7j5F4w*F zD--tszuse^Rf)a15Ak0Yz7Jt2ftghuojKNto*b>~bN$qPQn<4?N;17E+JEB76|GO8 z*#@^dx$~F1UxJe%%6K2|{dZoT4!>}P90-h{GFq44Wh!UvC z#sHQ%Fx44ED%n#Y*&vIRD=_bv2nGuSb9H_k)neMedJ`59uoiQ3#g<^6-+;LmWY$vP z#Nq(`6Qnhrbtc=9E>7G{~ z)k7;YjDKBtFPnXE6(Ya%w#}yei0PA@#v5BJ?P|K!Y4^gK^BvdN$^MNhEisu$vrCLTR6jB!^Qy9&V?~aZL z*IkCrh>(ea>a;EzLsca}bsVU&2s8ClH)0DDfNCH3mSCW@@%R}CZ0@Lok!x|3N+m-m zkSKIBug8)J? z`|&4{%h*3{gp18G zjF$FwWzv&wnTq>z|FU%-N)QY5iagdkxAfcmOG( z(x#c2b+pZ}THcWgm-YU&yiOun z)p+7u!NVs0gui{!+HS81B1803W1Ti+YB=Ao$GP`@q)S(4zq|kW+y$>ZqCYV2<_})~ zpkciBgkqs#pGys~9ow2UJdt&!=J<}2#z|qdvhEb9FanK6X2gRZ!2Ev|mj;&(J-tEjYj z{_Ec3a6naf=?R$B6%*R9H^*1OU2JyV^(eb$L%zReo}W*u7p+q|SoMDMxHKvyVGHGb z^~7VRgPGfo*?B9@_^eGS>tGpdamw_v4L=mj7e@^|RNh{a%xlIDhsNi1uvN}DT3lAP X`ziZzd_%ivn5ZGFE)pcbVYYt*fl7FM literal 0 HcmV?d00001 
diff --git a/platform/ios/src/MGLAPIClient.m b/platform/ios/src/MGLAPIClient.m
index 124d4361975..63f038e5e3b 100644
--- a/platform/ios/src/MGLAPIClient.m
+++ b/platform/ios/src/MGLAPIClient.m
@@ -17,8 +17,10 @@ @interface MGLAPIClient ()
 @property (nonatomic, copy) NSURLSession *session;
 @property (nonatomic, copy) NSURL *baseURL;
-@property (nonatomic, copy) NSData *digicertCert;
-@property (nonatomic, copy) NSData *geoTrustCert;
+@property (nonatomic, copy) NSData *digicertCert_2016;
+@property (nonatomic, copy) NSData *geoTrustCert_2016;
+@property (nonatomic, copy) NSData *digicertCert_2017;
+@property (nonatomic, copy) NSData *geoTrustCert_2017;
 @property (nonatomic, copy) NSData *testServerCert;
 @property (nonatomic, copy) NSString *userAgent;
 @property (nonatomic) BOOL usesTestServer;
@@ -107,10 +109,14 @@ - (void)setupBaseURL {
 - (void)loadCertificates {
 NSData *certificate;
- [self loadCertificate:&certificate withResource:@"api_mapbox_com-geotrust"];
- self.geoTrustCert = certificate;
- [self loadCertificate:&certificate withResource:@"api_mapbox_com-digicert"];
- self.digicertCert = certificate;
+ [self loadCertificate:&certificate withResource:@"api_mapbox_com-geotrust_2016"];
+ self.geoTrustCert_2016 = certificate;
+ [self loadCertificate:&certificate withResource:@"api_mapbox_com-digicert_2016"];
+ self.digicertCert_2016 = certificate;
+ [self loadCertificate:&certificate withResource:@"api_mapbox_com-geotrust_2017"];
+ self.geoTrustCert_2017 = certificate;
+ [self loadCertificate:&certificate withResource:@"api_mapbox_com-digicert_2017"];
+ self.digicertCert_2017 = certificate;
 [self loadCertificate:&certificate withResource:@"api_mapbox_staging"];
 self.testServerCert = certificate;
 }
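Review bot: The new property names `digicertCert_2016`, `geoTrustCert_2016`, `digicertCert_2017` and `geoTrustCert_2017` put an underscore inside lowerCamelCase, which is out of step with the neighbouring `testServerCert` and `userAgent` and with Cocoa naming, and auto-synthesis will give them the awkward ivars `_digicertCert_2016` and so on. `digicertCert2016`, `geoTrustCert2016`, `digicertCert2017`, `geoTrustCert2017` read the same and keep the convention. The same identifiers recur in the `loadCertificates` hunk below and in the `URLSession:didReceiveChallenge:completionHandler:` hunk, so the rename would apply in all three places.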
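Review bot: All five loads in `loadCertificates` reuse the single local `certificate` as the out-parameter, so if `loadCertificate:withResource:` (defined outside this hunk) leaves the pointer untouched when a resource is missing from the bundle, the next property silently inherits the previous certificate's bytes instead of being nil, and a packaging slip with one of the new `_2017` .der files would go unnoticed while pinning kept working on a duplicated pin. Resetting the local before each call, `certificate = nil;`, and asserting the result, e.g. `NSAssert(certificate, @"Missing pinned certificate api_mapbox_com-digicert_2017");`, would surface a missing resource at startup in debug builds. A one-line comment saying why both the 2016 and 2017 certificates are loaded would also help whoever eventually removes the older pair.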
@@ -141,75 +147,53 @@ - (NSData *)serializedDataForEvents:(NS_ARRAY_OF(MGLMapboxEventAttributes *) *)e
 #pragma mark NSURLSessionDelegate
+- (BOOL)evaluateCertificateWithCertificateData:(NSData *)certificateData keyCount:(CFIndex)keyCount serverTrust:(SecTrustRef)serverTrust challenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^) (NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler {
+ for (int lc = 0; lc < keyCount; lc++) {
+ SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, lc);
+ NSData *remoteCertificateData = CFBridgingRelease(SecCertificateCopyData(certificate));
+ if ([remoteCertificateData isEqualToData:certificateData]) {
+ completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
+ return YES;
+ }
+ }
+ return NO;
+}
+
 - (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^) (NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler {
+ if([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
- SecTrustRef serverTrust = [[challenge protectionSpace] serverTrust];
 SecTrustResultType trustResult;
-
- // Validate the certificate chain with the device's trust store anyway
- // This *might* give use revocation checking
+
+ // Validate the certificate chain with the device's trust store anyway this *might* give use revocation checking
 SecTrustEvaluate(serverTrust, &trustResult);
- if (trustResult == kSecTrustResultUnspecified)
- {
+
+ BOOL found = NO; // For clarity; we start in a state where the challange has not been completed and no certificate has been found
+
+ if (trustResult == kSecTrustResultUnspecified) {
 // Look for a pinned certificate in the server's certificate chain
- long numKeys = 
SecTrustGetCertificateCount(serverTrust);
-
- BOOL found = NO;
- // Try GeoTrust Cert First
- for (int lc = 0; lc < numKeys; lc++) {
- SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, lc);
- NSData *remoteCertificateData = CFBridgingRelease(SecCertificateCopyData(certificate));
-
- // Compare Remote Key With Local Version
- if ([remoteCertificateData isEqualToData:_geoTrustCert]) {
- // Found the certificate; continue connecting
- completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
- found = YES;
- break;
- }
+ CFIndex numKeys = SecTrustGetCertificateCount(serverTrust);
+
+ // Check certs in the following order: digicert 2016, digicert 2017, geotrust 2016, geotrust 2017
+ found = [self evaluateCertificateWithCertificateData:self.digicertCert_2016 keyCount:numKeys serverTrust:serverTrust challenge:challenge completionHandler:completionHandler];
+ if (!found) {
+ found = [self evaluateCertificateWithCertificateData:self.digicertCert_2017 keyCount:numKeys serverTrust:serverTrust challenge:challenge completionHandler:completionHandler];
 }
- if (!found) {
- // Fallback to Digicert Cert
- for (int lc = 0; lc < numKeys; lc++) {
- SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, lc);
- NSData *remoteCertificateData = CFBridgingRelease(SecCertificateCopyData(certificate));
-
- // Compare Remote Key With Local Version
- if ([remoteCertificateData isEqualToData:_digicertCert]) {
- // Found the certificate; continue connecting
- completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
- found = YES;
- break;
- }
- }
-
- if (!found && _usesTestServer) {
- // See if this is test server
- for (int lc = 0; lc < numKeys; lc++) {
- SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, lc);
- NSData *remoteCertificateData = 
CFBridgingRelease(SecCertificateCopyData(certificate));
-
- // Compare Remote Key With Local Version
- if ([remoteCertificateData isEqualToData:_testServerCert]) {
- // Found the certificate; continue connecting
- completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
- found = YES;
- break;
- }
- }
- }
-
- if (!found) {
- // The certificate wasn't found in GeoTrust nor Digicert. Cancel the connection.
- completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
- }
+ found = [self evaluateCertificateWithCertificateData:self.geoTrustCert_2016 keyCount:numKeys serverTrust:serverTrust challenge:challenge completionHandler:completionHandler];
+ }
+ if (!found) {
+ found = [self evaluateCertificateWithCertificateData:self.geoTrustCert_2017 keyCount:numKeys serverTrust:serverTrust challenge:challenge completionHandler:completionHandler];
+ }
+
+ // If challenge can't be completed with any of the above certs, then try the test server if the app is configured to use the test server
+ if (!found && _usesTestServer) {
+ found = [self evaluateCertificateWithCertificateData:self.testServerCert keyCount:numKeys serverTrust:serverTrust challenge:challenge completionHandler:completionHandler];
 }
 }
- else
- {
- // Certificate chain validation failed; cancel the connection
+
+ if (!found) {
+ // No certificate was found so cancel the connection.
 completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
 }
 }
From 428b131b7f364ac2a968ce824fa43c00fc96206d Mon Sep 17 00:00:00 2001
From: Jesse Bounds
Date: Mon, 19 Jun 2017 07:38:58 -1000
Subject: [PATCH 2/2] Fix typo
---
platform/ios/src/MGLAPIClient.m | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
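Review bot: In `URLSession:didReceiveChallenge:completionHandler:` the new guard `if([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust])` has no else branch as far as the hunk shows, so a challenge of any other kind now returns without `completionHandler` ever being invoked and the task stalls, whereas the old body always answered through one of its two paths. An else of `} else { completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil); }` restores that. The hunk as rendered here also looks short of at least one `if (!found) {` opener before the `geoTrustCert_2016` call and one closing brace at the end, so brace placement should be confirmed against the file rather than this excerpt. Minor: `evaluateCertificateWithCertificateData:keyCount:serverTrust:challenge:completionHandler:` loops with `int lc` against a `CFIndex keyCount` and re-reads `challenge.protectionSpace.serverTrust` although `serverTrust` is passed in; `for (CFIndex lc = 0; lc < keyCount; lc++)` and `credentialForTrust:serverTrust` are tidier.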
diff --git a/platform/ios/src/MGLAPIClient.m b/platform/ios/src/MGLAPIClient.m
index 63f038e5e3b..8a987d76d88 100644
--- a/platform/ios/src/MGLAPIClient.m
+++ b/platform/ios/src/MGLAPIClient.m
@@ -165,7 +165,7 @@ - (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticat
 SecTrustRef serverTrust = [[challenge protectionSpace] serverTrust];
 SecTrustResultType trustResult;
- // Validate the certificate chain with the device's trust store anyway this *might* give use revocation checking
+ // Validate the certificate chain with the device's trust store anyway this *might* use revocation checking
 SecTrustEvaluate(serverTrust, &trustResult);
 BOOL found = NO; // For clarity; we start in a state where the challange has not been completed and no certificate has been found