Implementation of the intermediate certificate pinning feature. Added…

MASFoundation/Classes/_private_/models/MASSecurityConfiguration+MASPrivate.h

@@ -18,7 +18,6 @@
 - (NSArray *)convertCertificatesToData;
 
 
-
 /**
  Converts MASSecurityConfiguration's array of certificate array into array of SecCertificateRef
 

MASFoundation/Classes/_private_/models/MASSecurityConfiguration+MASPrivate.m

@@ -47,6 +47,7 @@ - (NSArray *)convertCertificatesToData
 }
 
 
+
 - (NSArray *)convertCertificatesToSecCertificateRef
 {
     NSMutableArray *certAsData = [[self convertCertificatesToData] mutableCopy];

MASFoundation/Classes/_private_/services/network/internal/MASSecurityPolicy.m

@@ -77,7 +77,7 @@ - (BOOL)evaluateSecurityConfigurationsForServerTrust:(SecTrustRef)serverTrust fo
     //
     //  If trustPublicPKI is set to NO, and there is no pinning information defined, reject connection
     //
-    else if (!securityConfiguration.trustPublicPKI && ((([securityConfiguration.certificates isKindOfClass:[NSArray class]] && [securityConfiguration.certificates count] == 0) || securityConfiguration.certificates == nil) && (([securityConfiguration.publicKeyHashes isKindOfClass:[NSArray class]] && [securityConfiguration.publicKeyHashes count] == 0) || securityConfiguration.publicKeyHashes == nil)))
+    else if (!securityConfiguration.trustPublicPKI && (((([securityConfiguration.certificates isKindOfClass:[NSArray class]] && [securityConfiguration.certificates count] == 0)  || securityConfiguration.certificates == nil) && (([securityConfiguration.publicKeyHashes isKindOfClass:[NSArray class]] && [securityConfiguration.publicKeyHashes count] == 0) || securityConfiguration.publicKeyHashes == nil))))
     {
         return NO;
     }
@@ -88,30 +88,43 @@ - (BOOL)evaluateSecurityConfigurationsForServerTrust:(SecTrustRef)serverTrust fo
     BOOL isPinningVerified = YES;
     NSArray *certificateChain = [self extractCertificateDataFromServerTrust:serverTrust];
 
+    switch (securityConfiguration.pinningMode) {
+        case MASSecuritySSLPinningModeCertificate:
+        {
+            isPinningVerified = [self validateCertPinning:serverTrust configuration:securityConfiguration certChain:certificateChain];
+        }
+            break;
+        case MASSecuritySSLPinningModeIntermediateCertifcate:
+        {
+            isPinningVerified = [self validateIntermediateCertPinning:serverTrust configuration:securityConfiguration certChain:certificateChain];
+        }
+            break;
+        case MASSecuritySSLPinningModePublicKeyHash:
+        {
+            isPinningVerified = [self validatePublicKeyHash:serverTrust configuration:securityConfiguration];
+        }
+            break;
+
+    }
+
+    return isPinningVerified;
+}
+
+
+- (BOOL)validateCertPinning:(SecTrustRef)serverTrust configuration:(MASSecurityConfiguration *)securityConfiguration certChain:(NSArray *)certificateChain
+{
     //
     //  pinning with certificates
     //
     if (securityConfiguration.certificates != nil && [securityConfiguration.certificates isKindOfClass:[NSArray class]] && [securityConfiguration.certificates count] > 0)
     {
-        //
-        //  Set anchor cert with pinned certificates
-        //
-        NSMutableArray *pinnedCertificates = [NSMutableArray array];
         NSMutableArray *pinnedCertificatesData = [[securityConfiguration convertCertificatesToData] mutableCopy];
-        for (NSData *certificateData in pinnedCertificatesData)
-        {
-            [pinnedCertificates addObject:(__bridge_transfer id)SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certificateData)];
-        }
-        SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)pinnedCertificates);
-
-        //
-        //  Stop proceeding if validation of server trust against anchor (pinned) certificates
-        //
-        if (![self validateServerTrust:serverTrust])
+        if(![self validateAnchorTrust:serverTrust pinnedCerts:pinnedCertificatesData])
         {
             return NO;
         }
 
+
         //
         //  As of this point, if the configuration forces to validate the entire chain, validate entire chain of certificates
         //
@@ -137,6 +150,67 @@ - (BOOL)evaluateSecurityConfigurationsForServerTrust:(SecTrustRef)serverTrust fo
         }
     }
 
+    return YES;
+}
+
+
+//Validate the intermediate certificate pinning
+
+- (BOOL)validateIntermediateCertPinning:(SecTrustRef)serverTrust configuration:(MASSecurityConfiguration *)securityConfiguration certChain:(NSArray *)certificateChain
+{
+    if (securityConfiguration.certificates != nil && [securityConfiguration.certificates isKindOfClass:[NSArray class]] && [securityConfiguration.certificates count] > 0)
+    {
+        NSMutableArray *pinnedCertificatesData = [[securityConfiguration convertCertificatesToData] mutableCopy];
+        if(![self validateAnchorTrust:serverTrust pinnedCerts:pinnedCertificatesData])
+        {
+            return NO;
+        }
+
+        //
+        // Since this part is only pinning intermediate certificates no need to validate the entire chain. Only make sure if the intermediate certs are part of the CertificateChain that server presented
+        //
+        for (NSData *pinnedCertData in pinnedCertificatesData)
+        {
+            if (![certificateChain containsObject:pinnedCertData])
+            {
+                return NO;
+            }
+        }
+
+    }
+
+    return YES;
+}
+
+
+//Validate server anchor trust based on the certificates that are pinned
+- (BOOL)validateAnchorTrust:(SecTrustRef)serverTrust pinnedCerts:(NSArray *)pinnedCertificatesData
+{
+    //
+    //  Set anchor cert with pinned certificates
+    //
+    NSMutableArray *pinnedCertificates = [NSMutableArray array];
+
+    for (NSData *certificateData in pinnedCertificatesData)
+    {
+        [pinnedCertificates addObject:(__bridge_transfer id)SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certificateData)];
+    }
+    SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)pinnedCertificates);
+
+    //
+    //  Stop proceeding if validation of server trust against anchor (pinned) certificates
+    //
+    if (![self validateServerTrust:serverTrust])
+    {
+        return NO;
+    }
+
+    return YES;
+}
+
+//Pinning based on public key hash
+- (BOOL)validatePublicKeyHash:(SecTrustRef)serverTrust configuration:(MASSecurityConfiguration *)securityConfiguration
+{
     //
     //  pinning with public key hashes
     //
@@ -201,8 +275,10 @@ - (BOOL)evaluateSecurityConfigurationsForServerTrust:(SecTrustRef)serverTrust fo
         }
     }
 
-    return isPinningVerified;
+    return YES;
 }
+
+
 
 
 - (BOOL)validateServerTrust:(SecTrustRef)serverTrust

MASFoundation/Classes/models/MASSecurityConfiguration.h

@@ -21,6 +21,27 @@
 @interface MASSecurityConfiguration : MASObject
 
 
+/**
+ * Different SSL pinning modes that can be opted.
+ */
+typedef NS_ENUM(NSUInteger, MASSecuritySSLPinningMode) {
+    /**
+     * SSL pinning based on Public Key Hash.
+     */
+    MASSecuritySSLPinningModePublicKeyHash,
+
+    /**
+     * SSL pinning based on Leaf Certificate.
+     */
+    MASSecuritySSLPinningModeCertificate,
+
+    /**
+     * SSL pinning based on Intermediate Certificate.
+     */
+    MASSecuritySSLPinningModeIntermediateCertifcate,
+};
+
+
 ///--------------------------------------
 /// @name Properties
 ///--------------------------------------
@@ -45,6 +66,12 @@
  */
 @property (assign) BOOL trustPublicPKI;
 
+/**
+ enum value that determines the SSL pinning mode. The Certifcates array needs to be set accordingly with the certificates that needs to be pinned. If MASSecuritySSLPinningModeIntermediateCertifcate is chosen, then the certificates array should contain intermediate certificate.
+ @see certificates
+ */
+@property (assign) MASSecuritySSLPinningMode pinningMode;
+
 
 /**
  NSArray value of pinned certificates.  Certificates must be in PEM encoded CRT; each line should be an item of the certificate array.

MASFoundation/Classes/models/MASSecurityConfiguration.m

@@ -40,6 +40,7 @@ - (instancetype)initWithURL:(NSURL *)url
         self.trustPublicPKI = NO;
         self.validateCertificateChain = NO;
         self.validateDomainName = YES;
+        self.pinningMode = MASSecuritySSLPinningModeCertificate;
     }
 
     return self;
@@ -99,6 +100,11 @@ - (void)setValuesWithConfiguration:(NSDictionary *)configuration
         self.trustPublicPKI = [[configuration objectForKey:@"trustPublicPKI"] boolValue];
     }
 
+    if ([configuration.allKeys containsObject:@"pinningMode"])
+    {
+        self.pinningMode = [MASSecurityConfiguration praseStringToPinningMode:[configuration objectForKey:@"pinningMode"]];
+    }
+
     if ([configuration.allKeys containsObject:@"certificates"] && [[configuration objectForKey:@"certificates"] isKindOfClass:[NSArray class]])
     {
         self.certificates = [configuration objectForKey:@"certificates"];
@@ -111,6 +117,27 @@ - (void)setValuesWithConfiguration:(NSDictionary *)configuration
 }
 
 
++ (MASSecuritySSLPinningMode)praseStringToPinningMode:(NSString *)pinningMode
+{
+    MASSecuritySSLPinningMode pinningModeValue = MASSecuritySSLPinningModeCertificate;
+
+    if ([pinningMode isEqualToString:MASSecurityConfigurationPinningModeCertificate])
+    {
+        pinningModeValue = MASSecuritySSLPinningModeCertificate;
+    }
+//    else if ([pinningMode isEqualToString:MASSecurityConfigurationPinningModePublicKey])
+//    {
+//        pinningModeValue = MASSecuritySSLPinningModePublicKey;
+//    }
+    else if ([pinningMode isEqualToString:MASSecurityConfigurationPinningModePublicKeyHash])
+    {
+        pinningModeValue = MASSecuritySSLPinningModePublicKeyHash;
+    }
+
+    return pinningModeValue;
+}
+
+
 - (NSString *)debugDescription
 {
     return [NSString stringWithFormat:@"(%@) for %@\n\nisPublic: %@\nvalidateDomainName: %@\ntrustPublicPKI: %@\ncertificates: %@\npublicKeyHashes: %@\n", [self class], [[self host] absoluteString], self.isPublic ? @"YES":@"NO", self.validateDomainName ? @"YES":@"NO", self.trustPublicPKI ? @"YES":@"NO", self.certificates, self.publicKeyHashes];