Refactored `allowInvalidCertificates` to `validateCertificateChain` for public key pinning.

3ba55168 · Christian Noon · 5a0c11b3 · 3ba55168 · 3ba55168 · 3ba55168
Showing with 53 addition and 54 deletion

Source/ServerTrustPolicy.swift Source/ServerTrustPolicy.swift +4 -5

Tests/ServerTrustPolicyTests.swift Tests/ServerTrustPolicyTests.swift +41 -41

Tests/TLSEvaluationTests.swift Tests/TLSEvaluationTests.swift +8 -8

未找到文件。
--- a/Source/ServerTrustPolicy.swift
+++ b/Source/ServerTrustPolicy.swift
@@ -31,8 +31,7 @@ public class ServerTrustPolicyManager {
        self.policies = policies
    }

-    // TODO: DocStrings
-    public func serverTrustPolicyForHost(host: String) -> ServerTrustPolicy? {
+    func serverTrustPolicyForHost(host: String) -> ServerTrustPolicy? {
        return self.policies[host]
    }
 }
@@ -60,7 +59,7 @@ extension NSURLSession {
 public enum ServerTrustPolicy {
    case PerformDefaultEvaluation(validateHost: Bool)
    case PinCertificates(certificates: [SecCertificate], validateHost: Bool)
-    case PinPublicKeys(publicKeys: [SecKey], validateHost: Bool, allowInvalidCertificates: Bool)
+    case PinPublicKeys(publicKeys: [SecKey], validateCertificateChain: Bool, validateHost: Bool)
    case DisableEvaluation
    case CustomEvaluation((serverTrust: SecTrust, host: String) -> Bool)

@@ -115,10 +114,10 @@ public enum ServerTrustPolicy {
            SecTrustSetAnchorCertificatesOnly(serverTrust, 1)

            serverTrustIsValid = trustIsValid(serverTrust)
-        case let .PinPublicKeys(pinnedPublicKeys, validateHost, allowInvalidCertificates):
+        case let .PinPublicKeys(pinnedPublicKeys, validateCertificateChain, validateHost):
            var certificateChainEvaluationPassed = true

-            if !allowInvalidCertificates {
+            if validateCertificateChain {
                let policy = validateHost ? SecPolicyCreateSSL(1, host as CFString) : SecPolicyCreateBasicX509()
                SecTrustSetPolicies(serverTrust, [policy.takeRetainedValue()])


--- a/Tests/ServerTrustPolicyTests.swift
+++ b/Tests/ServerTrustPolicyTests.swift
@@ -780,7 +780,7 @@ class ServerTrustPolicyPinCertificatesTestCase: ServerTrustPolicyTestCase {

 class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {

-    // MARK: Require Valid Certificate Chain Without Host Validation
+    // MARK: Validate Certificate Chain Without Validating Host

    func testThatPinningLeafKeyPassesEvaluationWithoutHostValidation() {
        // Given
@@ -789,8 +789,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
        let publicKeys = [TestPublicKeys.LeafValidDNSName]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: false
        )

        // When
@@ -808,8 +808,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
        let publicKeys = [TestPublicKeys.IntermediateCA2]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: false
        )

        // When
@@ -827,8 +827,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
        let publicKeys = [TestPublicKeys.RootCA]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: false
        )

        // When
@@ -846,8 +846,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
        let publicKeys = [TestPublicKeys.LeafSignedByCA2]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: false
        )

        // When
@@ -865,8 +865,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
        let publicKeys = [TestPublicKeys.LeafSignedByCA1, TestPublicKeys.IntermediateCA1, TestPublicKeys.LeafValidDNSName]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: false
        )

        // When
@@ -877,7 +877,7 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

-    // MARK: Require Valid Certificate Chain With Host Validation
+    // MARK: Validate Certificate Chain and Host

    func testThatPinningLeafKeyPassesEvaluationWithHostValidation() {
        // Given
@@ -886,8 +886,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
        let publicKeys = [TestPublicKeys.LeafValidDNSName]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
-            validateHost: true,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: true
        )

        // When
@@ -905,8 +905,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
        let publicKeys = [TestPublicKeys.IntermediateCA2]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
-            validateHost: true,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: true
        )

        // When
@@ -924,8 +924,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
        let publicKeys = [TestPublicKeys.RootCA]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
-            validateHost: true,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: true
        )

        // When
@@ -943,8 +943,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
        let publicKeys = [TestPublicKeys.LeafSignedByCA2]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
-            validateHost: true,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: true
        )

        // When
@@ -962,8 +962,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
        let publicKeys = [TestPublicKeys.LeafSignedByCA1, TestPublicKeys.IntermediateCA1, TestPublicKeys.LeafValidDNSName]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
-            validateHost: true,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: true
        )

        // When
@@ -974,17 +974,17 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

-    // MARK: Allow Invalid Certificate Chain
+    // MARK: Do NOT Validate Certificate Chain or Host

-    func testThatPinningLeafKeyWhileAllowingInvalidCertificatesPassesEvaluationWithMissingIntermediateCertificate() {
+    func testThatPinningLeafKeyWithoutCertificateChainValidationPassesEvaluationWithMissingIntermediateCertificate() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSNameMissingIntermediate.trust
        let publicKeys = [TestPublicKeys.LeafValidDNSName]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: true
+            validateCertificateChain: false,
+            validateHost: false
        )

        // When
@@ -995,15 +995,15 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

-    func testThatPinningRootKeyWhileAllowingInvalidCertificatesFailsEvaluationWithMissingIntermediateCertificate() {
+    func testThatPinningRootKeyWithoutCertificateChainValidationFailsEvaluationWithMissingIntermediateCertificate() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSNameMissingIntermediate.trust
        let publicKeys = [TestPublicKeys.RootCA]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: true
+            validateCertificateChain: false,
+            validateHost: false
        )

        // When
@@ -1014,15 +1014,15 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }

-    func testThatPinningLeafKeyWhileAllowingInvalidCertificatesPassesEvaluationWithIncorrectIntermediateCertificate() {
+    func testThatPinningLeafKeyWithoutCertificateChainValidationPassesEvaluationWithIncorrectIntermediateCertificate() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSNameWithIncorrectIntermediate.trust
        let publicKeys = [TestPublicKeys.LeafValidDNSName]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: true
+            validateCertificateChain: false,
+            validateHost: false
        )

        // When
@@ -1033,15 +1033,15 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

-    func testThatPinningLeafKeyWhileAllowingInvalidCertificatesPassesEvaluationWithExpiredLeafCertificate() {
+    func testThatPinningLeafKeyWithoutCertificateChainValidationPassesEvaluationWithExpiredLeafCertificate() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafExpired.trust
        let publicKeys = [TestPublicKeys.LeafExpired]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: true
+            validateCertificateChain: false,
+            validateHost: false
        )

        // When
@@ -1052,15 +1052,15 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

-    func testThatPinningIntermediateKeyWhileAllowingInvalidCertificatesPassesEvaluationWithExpiredLeafCertificate() {
+    func testThatPinningIntermediateKeyWithoutCertificateChainValidationPassesEvaluationWithExpiredLeafCertificate() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafExpired.trust
        let publicKeys = [TestPublicKeys.IntermediateCA2]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: true
+            validateCertificateChain: false,
+            validateHost: false
        )

        // When
@@ -1071,15 +1071,15 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

-    func testThatPinningRootKeyWhileAllowingInvalidCertificatesPassesEvaluationWithExpiredLeafCertificate() {
+    func testThatPinningRootKeyWithoutCertificateChainValidationPassesEvaluationWithExpiredLeafCertificate() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafExpired.trust
        let publicKeys = [TestPublicKeys.RootCA]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: true
+            validateCertificateChain: false,
+            validateHost: false
        )

        // When

--- a/Tests/TLSEvaluationTests.swift
+++ b/Tests/TLSEvaluationTests.swift
@@ -177,11 +177,11 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {

    // MARK: Server Trust Policy - Public Key Pinning Tests

-    func testThatExpiredCertificateRequestFailsWhenPinningLeafPublicKeyWhileNotAllowingInvalidCertificates() {
+    func testThatExpiredCertificateRequestFailsWhenPinningLeafPublicKeyWithCertificateChainValidation() {
        // Given
        let publicKeys = [TestPublicKeys.Leaf]
        let policies: [String: ServerTrustPolicy] = [
-            self.host: .PinPublicKeys(publicKeys: publicKeys, validateHost: true, allowInvalidCertificates: false)
+            self.host: .PinPublicKeys(publicKeys: publicKeys, validateCertificateChain: true, validateHost: true)
        ]

        let manager = Manager(
@@ -206,11 +206,11 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
        XCTAssertEqual(error?.code ?? -1, NSURLErrorCancelled, "error should be NSURLErrorCancelled")
    }

-    func testThatExpiredCertificateRequestSucceedsWhenPinningLeafPublicKeyAndAllowingInvalidCertificates() {
+    func testThatExpiredCertificateRequestSucceedsWhenPinningLeafPublicKeyWithoutCertificateChainValidation() {
        // Given
        let publicKeys = [TestPublicKeys.Leaf]
        let policies: [String: ServerTrustPolicy] = [
-            self.host: .PinPublicKeys(publicKeys: publicKeys, validateHost: true, allowInvalidCertificates: true)
+            self.host: .PinPublicKeys(publicKeys: publicKeys, validateCertificateChain: false, validateHost: true)
        ]

        let manager = Manager(
@@ -234,11 +234,11 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
        XCTAssertNil(error, "error should be nil")
    }

-    func testThatExpiredCertificateRequestSucceedsWhenPinningIntermediateCAPublicKeyAndAllowingInvalidCertificates() {
+    func testThatExpiredCertificateRequestSucceedsWhenPinningIntermediateCAPublicKeyWithoutCertificateChainValidation() {
        // Given
        let publicKeys = [TestPublicKeys.IntermediateCA]
        let policies: [String: ServerTrustPolicy] = [
-            self.host: .PinPublicKeys(publicKeys: publicKeys, validateHost: true, allowInvalidCertificates: true)
+            self.host: .PinPublicKeys(publicKeys: publicKeys, validateCertificateChain: false, validateHost: true)
        ]

        let manager = Manager(
@@ -262,11 +262,11 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
        XCTAssertNil(error, "error should be nil")
    }

-    func testThatExpiredCertificateRequestSucceedsWhenPinningRootCAPublicKeyAndAllowingInvalidCertificates() {
+    func testThatExpiredCertificateRequestSucceedsWhenPinningRootCAPublicKeyWithoutCertificateChainValidation() {
        // Given
        let publicKeys = [TestPublicKeys.RootCA]
        let policies: [String: ServerTrustPolicy] = [
-            self.host: .PinPublicKeys(publicKeys: publicKeys, validateHost: true, allowInvalidCertificates: true)
+            self.host: .PinPublicKeys(publicKeys: publicKeys, validateCertificateChain: false, validateHost: true)
        ]

        let manager = Manager(