Post

Replies

Boosts

Views

Activity

Reply to SSL Pinning: Article "Identity Pinning: How to configure server certificates for your app"
Hi Matt, unless I am mistaken, that is not quite what I am looking at. I am intentionally using the wrong key to provoke an SSL error. r/333mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= does not match the RootCA public key hash for www.apple.com. Why does the request succeed? I even tried dGVzdAo= (Base64 for "test"). Same result: Requests fail for some subdomains (expected behaviour) but I get a valid response for www.apple.com – which is unexpected. Similar behaviour for some other domains (I don't want to post them here). Thanks, Lars
Topic: App & System Services SubTopic: Core OS Tags:
Mar ’21
Reply to SSL Pinning: Article "Identity Pinning: How to configure server certificates for your app"
@Matt: I was able to produce a failing connection (wrong SPKI-SHA256-BASE64) with a certificate error trying to load https://apple.com. But downloading https://www.apple.com still works – even though NSIncludesSubdomains is true. Testing more, I found that some subdomains are pinned correctly, some are not. This is also the case for the sub domains I was originally trying to pin in my project. Info.plist section: <key>NSAppTransportSecurity</key> <dict> <key>NSPinnedDomains</key> <dict> <key>apple.com</key> <dict> <key>NSIncludesSubdomains</key> <true/> <key>NSPinnedCAIdentities</key> <array> <dict> <key>SPKI-SHA256-BASE64</key> <string>r/333mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=</string> </dict> </array> </dict> </dict> </dict> Code: class ViewController: UIViewController { &#9;&#9; &#9;&#9;private lazy var urlSession: URLSession = &#9;&#9;{ &#9;&#9;&#9;&#9;URLSession(configuration: URLSessionConfiguration.default, delegate: nil, delegateQueue: .main) &#9;&#9;}() &#9;&#9; &#9;&#9;override func viewDidLoad() &#9;&#9;{ &#9;&#9;&#9;&#9;super.viewDidLoad() &#9;&#9;&#9;&#9; &#9;&#9;&#9;&#9;[ &#9;&#9;&#9;&#9;&#9;&#9;"apple.com", &#9;&#9;&#9;&#9;&#9;&#9;"www.apple.com", &#9;&#9;&#9;&#9;&#9;&#9;"images.apple.com", &#9;&#9;&#9;&#9;&#9;&#9;"store.apple.com", &#9;&#9;&#9;&#9;] &#9;&#9;&#9;&#9;.map { URL(string: "https://\($0)")! } /* intentional crash on failure */ &#9;&#9;&#9;&#9;.forEach &#9;&#9;&#9;&#9;{ url in &#9;&#9;&#9;&#9;&#9;&#9;var urlRequest = URLRequest(url: url) &#9;&#9;&#9;&#9;&#9;&#9;urlRequest.httpMethod = "GET" &#9;&#9;&#9;&#9;&#9;&#9;let task = self.urlSession.dataTask(with: urlRequest) &#9;&#9;&#9;&#9;&#9;&#9;{ (data, response, error) in &#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;var text: String? &#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;if let data = data &#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;{ &#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;text = String(data: data, encoding: .ascii)? &#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;.trimmingCharacters(in: .whitespacesAndNewlines) &#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;} &#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9; &#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;let result = "\(text ?? data?.debugDescription ?? error.debugDescription)".prefix(100) &#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9;print("URL: \(url): result: \(result)") &#9;&#9;&#9;&#9;&#9;&#9;} &#9;&#9;&#9;&#9;&#9;&#9; &#9;&#9;&#9;&#9;&#9;&#9;task.resume() &#9;&#9;&#9;&#9;} &#9;&#9;&#9;&#9;&#9;&#9;&#9;&#9; &#9;&#9;} &#9;&#9; } Output (filtered) URL: https://apple.com: result: Optional(Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You m URL: https://images.apple.com: result: Optional(Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You m URL: https://www.apple.com: result: <!DOCTYPE html> URL: https://store.apple.com: result: Optional(Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You m Thanks Lars
Topic: App & System Services SubTopic: Core OS Tags:
Apr ’21