summaryrefslogtreecommitdiff
path: root/platform/ios/src/MGLAPIClient.m
diff options
context:
space:
mode:
Diffstat (limited to 'platform/ios/src/MGLAPIClient.m')
-rw-r--r--platform/ios/src/MGLAPIClient.m114
1 files changed, 49 insertions, 65 deletions
diff --git a/platform/ios/src/MGLAPIClient.m b/platform/ios/src/MGLAPIClient.m
index 124d436197..8a987d76d8 100644
--- a/platform/ios/src/MGLAPIClient.m
+++ b/platform/ios/src/MGLAPIClient.m
@@ -17,8 +17,10 @@ static NSString * const MGLAPIClientHTTPMethodPost = @"POST";
@property (nonatomic, copy) NSURLSession *session;
@property (nonatomic, copy) NSURL *baseURL;
-@property (nonatomic, copy) NSData *digicertCert;
-@property (nonatomic, copy) NSData *geoTrustCert;
+@property (nonatomic, copy) NSData *digicertCert_2016;
+@property (nonatomic, copy) NSData *geoTrustCert_2016;
+@property (nonatomic, copy) NSData *digicertCert_2017;
+@property (nonatomic, copy) NSData *geoTrustCert_2017;
@property (nonatomic, copy) NSData *testServerCert;
@property (nonatomic, copy) NSString *userAgent;
@property (nonatomic) BOOL usesTestServer;
@@ -107,10 +109,14 @@ static NSString * const MGLAPIClientHTTPMethodPost = @"POST";
- (void)loadCertificates {
NSData *certificate;
- [self loadCertificate:&certificate withResource:@"api_mapbox_com-geotrust"];
- self.geoTrustCert = certificate;
- [self loadCertificate:&certificate withResource:@"api_mapbox_com-digicert"];
- self.digicertCert = certificate;
+ [self loadCertificate:&certificate withResource:@"api_mapbox_com-geotrust_2016"];
+ self.geoTrustCert_2016 = certificate;
+ [self loadCertificate:&certificate withResource:@"api_mapbox_com-digicert_2016"];
+ self.digicertCert_2016 = certificate;
+ [self loadCertificate:&certificate withResource:@"api_mapbox_com-geotrust_2017"];
+ self.geoTrustCert_2017 = certificate;
+ [self loadCertificate:&certificate withResource:@"api_mapbox_com-digicert_2017"];
+ self.digicertCert_2017 = certificate;
[self loadCertificate:&certificate withResource:@"api_mapbox_staging"];
self.testServerCert = certificate;
}
@@ -141,75 +147,53 @@ static NSString * const MGLAPIClientHTTPMethodPost = @"POST";
#pragma mark NSURLSessionDelegate
+- (BOOL)evaluateCertificateWithCertificateData:(NSData *)certificateData keyCount:(CFIndex)keyCount serverTrust:(SecTrustRef)serverTrust challenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^) (NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler {
+ for (int lc = 0; lc < keyCount; lc++) {
+ SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, lc);
+ NSData *remoteCertificateData = CFBridgingRelease(SecCertificateCopyData(certificate));
+ if ([remoteCertificateData isEqualToData:certificateData]) {
+ completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
+ return YES;
+ }
+ }
+ return NO;
+}
+
- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^) (NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler {
+
if([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
-
SecTrustRef serverTrust = [[challenge protectionSpace] serverTrust];
SecTrustResultType trustResult;
-
- // Validate the certificate chain with the device's trust store anyway
- // This *might* give use revocation checking
+
+ // Validate the certificate chain with the device's trust store anyway this *might* use revocation checking
SecTrustEvaluate(serverTrust, &trustResult);
- if (trustResult == kSecTrustResultUnspecified)
- {
+
+ BOOL found = NO; // For clarity; we start in a state where the challange has not been completed and no certificate has been found
+
+ if (trustResult == kSecTrustResultUnspecified) {
// Look for a pinned certificate in the server's certificate chain
- long numKeys = SecTrustGetCertificateCount(serverTrust);
-
- BOOL found = NO;
- // Try GeoTrust Cert First
- for (int lc = 0; lc < numKeys; lc++) {
- SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, lc);
- NSData *remoteCertificateData = CFBridgingRelease(SecCertificateCopyData(certificate));
-
- // Compare Remote Key With Local Version
- if ([remoteCertificateData isEqualToData:_geoTrustCert]) {
- // Found the certificate; continue connecting
- completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
- found = YES;
- break;
- }
+ CFIndex numKeys = SecTrustGetCertificateCount(serverTrust);
+
+ // Check certs in the following order: digicert 2016, digicert 2017, geotrust 2016, geotrust 2017
+ found = [self evaluateCertificateWithCertificateData:self.digicertCert_2016 keyCount:numKeys serverTrust:serverTrust challenge:challenge completionHandler:completionHandler];
+ if (!found) {
+ found = [self evaluateCertificateWithCertificateData:self.digicertCert_2017 keyCount:numKeys serverTrust:serverTrust challenge:challenge completionHandler:completionHandler];
}
-
if (!found) {
- // Fallback to Digicert Cert
- for (int lc = 0; lc < numKeys; lc++) {
- SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, lc);
- NSData *remoteCertificateData = CFBridgingRelease(SecCertificateCopyData(certificate));
-
- // Compare Remote Key With Local Version
- if ([remoteCertificateData isEqualToData:_digicertCert]) {
- // Found the certificate; continue connecting
- completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
- found = YES;
- break;
- }
- }
-
- if (!found && _usesTestServer) {
- // See if this is test server
- for (int lc = 0; lc < numKeys; lc++) {
- SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, lc);
- NSData *remoteCertificateData = CFBridgingRelease(SecCertificateCopyData(certificate));
-
- // Compare Remote Key With Local Version
- if ([remoteCertificateData isEqualToData:_testServerCert]) {
- // Found the certificate; continue connecting
- completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
- found = YES;
- break;
- }
- }
- }
-
- if (!found) {
- // The certificate wasn't found in GeoTrust nor Digicert. Cancel the connection.
- completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
- }
+ found = [self evaluateCertificateWithCertificateData:self.geoTrustCert_2016 keyCount:numKeys serverTrust:serverTrust challenge:challenge completionHandler:completionHandler];
+ }
+ if (!found) {
+ found = [self evaluateCertificateWithCertificateData:self.geoTrustCert_2017 keyCount:numKeys serverTrust:serverTrust challenge:challenge completionHandler:completionHandler];
+ }
+
+ // If challenge can't be completed with any of the above certs, then try the test server if the app is configured to use the test server
+ if (!found && _usesTestServer) {
+ found = [self evaluateCertificateWithCertificateData:self.testServerCert keyCount:numKeys serverTrust:serverTrust challenge:challenge completionHandler:completionHandler];
}
}
- else
- {
- // Certificate chain validation failed; cancel the connection
+
+ if (!found) {
+ // No certificate was found so cancel the connection.
completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
}
}
View Lorry Controller Status