From 6a2a8f79b53df9a9f4ef87deceec814e5a367c07 Mon Sep 17 00:00:00 2001
From: Mahendra Nimishakavi
Date: Thu, 25 Jul 2019 12:46:29 +0530
Subject: [PATCH 1/2] added backward compatibility support for public key hash pinning
---
 .../services/network/internal/MASSecurityPolicy.m | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/MASFoundation/Classes/_private_/services/network/internal/MASSecurityPolicy.m b/MASFoundation/Classes/_private_/services/network/internal/MASSecurityPolicy.m
index 0318cd0f..6b1ac2f0 100644
--- a/MASFoundation/Classes/_private_/services/network/internal/MASSecurityPolicy.m
+++ b/MASFoundation/Classes/_private_/services/network/internal/MASSecurityPolicy.m
@@ -91,7 +91,18 @@ - (BOOL)evaluateSecurityConfigurationsForServerTrust:(SecTrustRef)serverTrust fo
 switch (securityConfiguration.pinningMode) {
 case MASSecuritySSLPinningModeCertificate:
 {
- isPinningVerified = [self validateCertPinning:serverTrust configuration:securityConfiguration certChain:certificateChain];
+ BOOL isPublicKeyHashVerified = NO;
+
+ if (securityConfiguration.publicKeyHashes != nil && [securityConfiguration.publicKeyHashes isKindOfClass:[NSArray class]] && [securityConfiguration.publicKeyHashes count] > 0)
+ {
+ isPublicKeyHashVerified = [self validatePublicKeyHash:serverTrust configuration:securityConfiguration];
+ }
+ else
+ {
+ isPublicKeyHashVerified = YES;
+ }
+
+ isPinningVerified = ([self validateCertPinning:serverTrust configuration:securityConfiguration certChain:certificateChain]) && isPublicKeyHashVerified;
 }
 break;
 case MASSecuritySSLPinningModeIntermediateCertifcate:
From a62ab4dd1ce393132c6849c6770dfe0c5481a2a7 Mon Sep 17 00:00:00 2001
From: Mahendra Nimishakavi
Date: Thu, 25 Jul 2019 15:02:54 +0530
Subject: [PATCH 2/2] some more changes related to backwards compatibility
---
 .../services/network/internal/MASSecurityPolicy.m | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
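Review bot: The `publicKeyHashes != nil` test in the new `if` is redundant — messaging nil with `isKindOfClass:` already returns NO — and the three-part condition reads as a type guard rather than as the policy decision it is, which is why the `else` branch's `isPublicKeyHashVerified = YES;` looks surprising on first read. That default is only safe because the last added line ANDs it with `validateCertPinning:`; should the combinator ever change (the follow-up patch on this page does exactly that), an absent hash list would silently satisfy pinning. I would hoist the condition into `BOOL hasPublicKeyHashes = [securityConfiguration.publicKeyHashes isKindOfClass:[NSArray class]] && [securityConfiguration.publicKeyHashes count] > 0;` and annotate the else branch with `// No hashes configured: certificate pinning alone decides, so this default must stay ANDed below.` The enclosing method body continues outside the hunk.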
diff --git a/MASFoundation/Classes/_private_/services/network/internal/MASSecurityPolicy.m b/MASFoundation/Classes/_private_/services/network/internal/MASSecurityPolicy.m
index 6b1ac2f0..4a7abe4f 100644
--- a/MASFoundation/Classes/_private_/services/network/internal/MASSecurityPolicy.m
+++ b/MASFoundation/Classes/_private_/services/network/internal/MASSecurityPolicy.m
@@ -102,9 +102,10 @@ - (BOOL)evaluateSecurityConfigurationsForServerTrust:(SecTrustRef)serverTrust fo
 isPublicKeyHashVerified = YES;
 }
- isPinningVerified = ([self validateCertPinning:serverTrust configuration:securityConfiguration certChain:certificateChain]) && isPublicKeyHashVerified;
+ isPinningVerified = ([self validateCertPinning:serverTrust configuration:securityConfiguration certChain:certificateChain]) || isPublicKeyHashVerified;
 }
 break;
+
 case MASSecuritySSLPinningModeIntermediateCertifcate:
 {
 isPinningVerified = [self validateIntermediateCertPinning:serverTrust configuration:securityConfiguration certChain:certificateChain];
@@ -162,7 +163,7 @@ - (BOOL)validateCertPinning:(SecTrustRef)serverTrust configuration:(MASSecurityC
 }
 }
- return YES;
+ return NO;
 }
@@ -191,7 +192,7 @@ - (BOOL)validateIntermediateCertPinning:(SecTrustRef)serverTrust configuration:(
 }
- return YES;
+ return NO;
 }
@@ -287,7 +288,7 @@ - (BOOL)validatePublicKeyHash:(SecTrustRef)serverTrust configuration:(MASSecurit
 }
 }
- return YES;
+ return NO;
 }
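Review bot: Changing `&&` to `||` on the replaced line turns the `isPublicKeyHashVerified = YES;` in the hunk's leading context into a pinning bypass: whenever `publicKeyHashes` is nil or empty — the legacy configuration this commit is meant to keep working — `isPinningVerified` becomes YES regardless of what `validateCertPinning:` returns, so in certificate-pinning mode any server certificate is accepted. With an OR the flag must default to the neutral value for OR, i.e. `isPublicKeyHashVerified = NO;` in that else branch, so that configurations without hashes still depend entirely on the certificate match. Even with that fix the new semantics accept a chain that fails certificate pinning as long as a pinned public-key hash matches; if that is the intended backward-compatibility contract, record it above the assignment, e.g. `// Backward compatibility: accept either a pinned certificate match or a pinned public key hash match.` The enclosing `evaluateSecurityConfigurationsForServerTrust:` body starts and ends outside the hunk.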
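Review bot: The new `return NO;` at the end of `validateCertPinning:` is the right fail-closed default but carries no explanation, and the loop preceding it lies outside the hunk, so a reader cannot tell whether it means "no pinned certificate matched" or "nothing was configured to compare against". A one-line comment would pin the contract: `// Fail closed: no certificate in the server chain matched a pinned certificate.` If an empty pinned-certificate list previously fell through to `return YES`, that configuration now fails in this mode — worth confirming against the configuration loader and stating in the commit message, since the subject line only mentions backwards compatibility. The same comment belongs on the identical `return NO;` changes in `validateIntermediateCertPinning:` and `validatePublicKeyHash:` in the following hunks.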