From 0141f65e7be21b067957a8e8cb3474ab46e12b48 Mon Sep 17 00:00:00 2001
From: Randall Lee <randall.lee@mapbox.com>
Date: Mon, 7 May 2018 17:57:42 -0400
Subject: [iOS] - Update telemetry certificate pinning (#11845)

* Update telemetry certificate pinning

* Load both CN certificates

* [ios] Use China events endpoint with China API endpoint

* Update CHANGELOG.md
---
 platform/darwin/src/MGLNetworkConfiguration.h         |   6 ++++++
 platform/darwin/src/MGLNetworkConfiguration.m         |   3 +++
 platform/ios/CHANGELOG.md                             |   4 ++++
 platform/ios/ios.xcodeproj/project.pbxproj            |  12 ++++++++++++
 .../ios/resources/api_mapbox_cn-digicert_2018.der     | Bin 0 -> 1704 bytes
 .../ios/resources/api_mapbox_cn-geotrust_2018.der     | Bin 0 -> 1578 bytes
 platform/ios/src/MGLAPIClient.m                       |  18 +++++++++++++++++-
 7 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 platform/ios/resources/api_mapbox_cn-digicert_2018.der
 create mode 100644 platform/ios/resources/api_mapbox_cn-geotrust_2018.der

diff --git a/platform/darwin/src/MGLNetworkConfiguration.h b/platform/darwin/src/MGLNetworkConfiguration.h
index 644291ee13..f1fe7bab2c 100644
--- a/platform/darwin/src/MGLNetworkConfiguration.h
+++ b/platform/darwin/src/MGLNetworkConfiguration.h
@@ -2,6 +2,12 @@
 
 NS_ASSUME_NONNULL_BEGIN
 
+/// The default base URL for Mapbox APIs other than the telemetry API.
+extern NSString * const MGLDefaultMapboxAPIBaseURL;
+
+/// The PRC base URL for Mapbox APIs other than the telemetry API.
+extern NSString * const MGLChinaMapboxAPIBaseURL;
+
 /**
  The MGLNetworkConfiguration object provides a global way to set a base API URL for
  retrieval of map data, styles, and other resources.
diff --git a/platform/darwin/src/MGLNetworkConfiguration.m b/platform/darwin/src/MGLNetworkConfiguration.m
index 82d333dc99..d0ee01c5a2 100644
--- a/platform/darwin/src/MGLNetworkConfiguration.m
+++ b/platform/darwin/src/MGLNetworkConfiguration.m
@@ -1,5 +1,8 @@
 #import "MGLNetworkConfiguration.h"
 
+NSString * const MGLDefaultMapboxAPIBaseURL = @"https://api.mapbox.com";
+NSString * const MGLChinaMapboxAPIBaseURL = @"https://api.mapbox.cn";
+
 @implementation MGLNetworkConfiguration
 
 + (void)load {
diff --git a/platform/ios/CHANGELOG.md b/platform/ios/CHANGELOG.md
index 392df1d1ea..1b0806b689 100644
--- a/platform/ios/CHANGELOG.md
+++ b/platform/ios/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 Mapbox welcomes participation and contributions from everyone. Please read [CONTRIBUTING.md](../../CONTRIBUTING.md) to get started.
 
+## 3.7.8 - May 7, 2018
+
+* Improved compatibility with Mapbox China APIs. ([#11845](https://github.com/mapbox/mapbox-gl-native/pull/11845))
+
 ## 3.7.7 - May 3, 2018
 
 * Fixed a crash when removing an `MGLOfflinePack`. ([#11821](https://github.com/mapbox/mapbox-gl-native/issues/11821))
diff --git a/platform/ios/ios.xcodeproj/project.pbxproj b/platform/ios/ios.xcodeproj/project.pbxproj
index bbd4067534..2bc216ff1c 100644
--- a/platform/ios/ios.xcodeproj/project.pbxproj
+++ b/platform/ios/ios.xcodeproj/project.pbxproj
@@ -247,6 +247,10 @@
 		968F36B51E4D128D003A5522 /* MGLDistanceFormatter.h in Headers */ = {isa = PBXBuildFile; fileRef = 3557F7AE1E1D27D300CCA5E6 /* MGLDistanceFormatter.h */; settings = {ATTRIBUTES = (Public, ); }; };
 		96E027231E57C76E004B8E66 /* Localizable.strings in Resources */ = {isa = PBXBuildFile; fileRef = 96E027251E57C76E004B8E66 /* Localizable.strings */; };
 		96F3F73C1F57124B003E2D2C /* MGLUserLocationHeadingIndicator.h in Headers */ = {isa = PBXBuildFile; fileRef = 96F3F73B1F5711F1003E2D2C /* MGLUserLocationHeadingIndicator.h */; };
+		AC0C15F3209D0E6900B65675 /* api_mapbox_cn-geotrust_2018.der in Resources */ = {isa = PBXBuildFile; fileRef = AC0C15F1209D0E3600B65675 /* api_mapbox_cn-geotrust_2018.der */; };
+		AC0C15F4209D0E7000B65675 /* api_mapbox_cn-geotrust_2018.der in Resources */ = {isa = PBXBuildFile; fileRef = AC0C15F1209D0E3600B65675 /* api_mapbox_cn-geotrust_2018.der */; };
+		AC0C15F5209D0E7200B65675 /* api_mapbox_cn-digicert_2018.der in Resources */ = {isa = PBXBuildFile; fileRef = AC0C15F2209D0E6000B65675 /* api_mapbox_cn-digicert_2018.der */; };
+		AC0C15F6209D0E7300B65675 /* api_mapbox_cn-digicert_2018.der in Resources */ = {isa = PBXBuildFile; fileRef = AC0C15F2209D0E6000B65675 /* api_mapbox_cn-digicert_2018.der */; };
 		AC518DFF201BB55A00EBC820 /* MGLTelemetryConfig.h in Headers */ = {isa = PBXBuildFile; fileRef = AC518DFD201BB55A00EBC820 /* MGLTelemetryConfig.h */; };
 		AC518E00201BB55A00EBC820 /* MGLTelemetryConfig.h in Headers */ = {isa = PBXBuildFile; fileRef = AC518DFD201BB55A00EBC820 /* MGLTelemetryConfig.h */; };
 		AC518E03201BB56000EBC820 /* MGLTelemetryConfig.m in Sources */ = {isa = PBXBuildFile; fileRef = AC518DFE201BB55A00EBC820 /* MGLTelemetryConfig.m */; };
@@ -756,6 +760,8 @@
 		96E0272D1E57C7E6004B8E66 /* vi */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = vi; path = vi.lproj/Localizable.strings; sourceTree = "<group>"; };
 		96E0272E1E57C7E7004B8E66 /* pt-BR */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = "pt-BR"; path = "pt-BR.lproj/Localizable.strings"; sourceTree = "<group>"; };
 		96F3F73B1F5711F1003E2D2C /* MGLUserLocationHeadingIndicator.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MGLUserLocationHeadingIndicator.h; sourceTree = "<group>"; };
+		AC0C15F1209D0E3600B65675 /* api_mapbox_cn-geotrust_2018.der */ = {isa = PBXFileReference; lastKnownFileType = file; path = "api_mapbox_cn-geotrust_2018.der"; sourceTree = "<group>"; };
+		AC0C15F2209D0E6000B65675 /* api_mapbox_cn-digicert_2018.der */ = {isa = PBXFileReference; lastKnownFileType = file; path = "api_mapbox_cn-digicert_2018.der"; sourceTree = "<group>"; };
 		AC518DFD201BB55A00EBC820 /* MGLTelemetryConfig.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MGLTelemetryConfig.h; sourceTree = "<group>"; };
 		AC518DFE201BB55A00EBC820 /* MGLTelemetryConfig.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MGLTelemetryConfig.m; sourceTree = "<group>"; };
 		CA55CD3E202C16AA00CE7095 /* MGLCameraChangeReason.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MGLCameraChangeReason.h; sourceTree = "<group>"; };
@@ -1479,6 +1485,8 @@
 				DAC49C5F1CD02BC9009E1AA3 /* Localizable.stringsdict */,
 				DA8933EF1CCD387900E68420 /* strip-frameworks.sh */,
 				40599F001DEE1B2400182B5D /* api_mapbox_staging.der */,
+				AC0C15F2209D0E6000B65675 /* api_mapbox_cn-digicert_2018.der */,
+				AC0C15F1209D0E3600B65675 /* api_mapbox_cn-geotrust_2018.der */,
 				40599F011DEE1B2400182B5D /* api_mapbox_com-digicert_2016.der */,
 				40599F021DEE1B2400182B5D /* api_mapbox_com-geotrust_2016.der */,
 				40EA6BBD1EF4598900FCCDA2 /* api_mapbox_com-digicert_2017.der */,
@@ -2225,12 +2233,14 @@
 			files = (
 				DA8933BC1CCD2CA100E68420 /* Foundation.strings in Resources */,
 				DA8933A31CCC95B000E68420 /* Localizable.strings in Resources */,
+				AC0C15F5209D0E7200B65675 /* api_mapbox_cn-digicert_2018.der in Resources */,
 				960D0C361ECF5AAF008E151F /* Images.xcassets in Resources */,
 				DA8933F01CCD387900E68420 /* strip-frameworks.sh in Resources */,
 				DAC49C5C1CD02BC9009E1AA3 /* Localizable.stringsdict in Resources */,
 				DA8933BF1CCD2CAD00E68420 /* Foundation.stringsdict in Resources */,
 				40EA6BC11EF4599600FCCDA2 /* api_mapbox_com-digicert_2017.der in Resources */,
 				408982E91DEE208200754016 /* api_mapbox_staging.der in Resources */,
+				AC0C15F3209D0E6900B65675 /* api_mapbox_cn-geotrust_2018.der in Resources */,
 				408982EA1DEE208B00754016 /* api_mapbox_com-digicert_2016.der in Resources */,
 				40EA6BC31EF4599D00FCCDA2 /* api_mapbox_com-geotrust_2017.der in Resources */,
 				408982EB1DEE209100754016 /* api_mapbox_com-geotrust_2016.der in Resources */,
@@ -2241,6 +2251,7 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				AC0C15F4209D0E7000B65675 /* api_mapbox_cn-geotrust_2018.der in Resources */,
 				DA8933E01CCD31DF00E68420 /* Localizable.strings in Resources */,
 				DA8933DB1CCD31D400E68420 /* Foundation.strings in Resources */,
 				960D0C371ECF5AAF008E151F /* Images.xcassets in Resources */,
@@ -2250,6 +2261,7 @@
 				40599F0C1DEE1B7600182B5D /* api_mapbox_staging.der in Resources */,
 				40599F0D1DEE1B7A00182B5D /* api_mapbox_com-digicert_2016.der in Resources */,
 				40599F0E1DEE1B7E00182B5D /* api_mapbox_com-geotrust_2016.der in Resources */,
+				AC0C15F6209D0E7300B65675 /* api_mapbox_cn-digicert_2018.der in Resources */,
 				40EA6BC21EF4599700FCCDA2 /* api_mapbox_com-digicert_2017.der in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
diff --git a/platform/ios/resources/api_mapbox_cn-digicert_2018.der b/platform/ios/resources/api_mapbox_cn-digicert_2018.der
new file mode 100644
index 0000000000..e458713337
Binary files /dev/null and b/platform/ios/resources/api_mapbox_cn-digicert_2018.der differ
diff --git a/platform/ios/resources/api_mapbox_cn-geotrust_2018.der b/platform/ios/resources/api_mapbox_cn-geotrust_2018.der
new file mode 100644
index 0000000000..e3d4b222ae
Binary files /dev/null and b/platform/ios/resources/api_mapbox_cn-geotrust_2018.der differ
diff --git a/platform/ios/src/MGLAPIClient.m b/platform/ios/src/MGLAPIClient.m
index 8a987d76d8..68e78835c3 100644
--- a/platform/ios/src/MGLAPIClient.m
+++ b/platform/ios/src/MGLAPIClient.m
@@ -2,9 +2,11 @@
 #import "NSBundle+MGLAdditions.h"
 #import "NSData+MGLAdditions.h"
 #import "MGLAccountManager.h"
+#import "MGLNetworkConfiguration.h"
 
 static NSString * const MGLAPIClientUserAgentBase = @"MapboxEventsiOS";
 static NSString * const MGLAPIClientBaseURL = @"https://events.mapbox.com";
+static NSString * const MGLAPIClientChinaBaseURL = @"https://events.mapbox.cn";
 static NSString * const MGLAPIClientEventsPath = @"events/v2";
 
 static NSString * const MGLAPIClientHeaderFieldUserAgentKey = @"User-Agent";
@@ -21,6 +23,8 @@ static NSString * const MGLAPIClientHTTPMethodPost = @"POST";
 @property (nonatomic, copy) NSData *geoTrustCert_2016;
 @property (nonatomic, copy) NSData *digicertCert_2017;
 @property (nonatomic, copy) NSData *geoTrustCert_2017;
+@property (nonatomic, copy) NSData *digicertCert_cn_2018;
+@property (nonatomic, copy) NSData *geoTrustCert_cn_2018;
 @property (nonatomic, copy) NSData *testServerCert;
 @property (nonatomic, copy) NSString *userAgent;
 @property (nonatomic) BOOL usesTestServer;
@@ -102,6 +106,8 @@ static NSString * const MGLAPIClientHTTPMethodPost = @"POST";
     if (testServerURL && [testServerURL.scheme isEqualToString:@"https"]) {
         self.baseURL = testServerURL;
         self.usesTestServer = YES;
+    } else if ([[[NSBundle mainBundle] objectForInfoDictionaryKey:@"MGLMapboxAPIBaseURL"] isEqualToString:MGLChinaMapboxAPIBaseURL]) {
+        self.baseURL = [NSURL URLWithString:MGLAPIClientChinaBaseURL];
     } else {
         self.baseURL = [NSURL URLWithString:MGLAPIClientBaseURL];
     }
@@ -117,6 +123,10 @@ static NSString * const MGLAPIClientHTTPMethodPost = @"POST";
     self.geoTrustCert_2017 = certificate;
     [self loadCertificate:&certificate withResource:@"api_mapbox_com-digicert_2017"];
     self.digicertCert_2017 = certificate;
+    [self loadCertificate:&certificate withResource:@"api_mapbox_cn-geotrust_2018"];
+    self.geoTrustCert_cn_2018 = certificate;
+    [self loadCertificate:&certificate withResource:@"api_mapbox_cn-digicert_2018"];
+    self.digicertCert_cn_2018 = certificate;
     [self loadCertificate:&certificate withResource:@"api_mapbox_staging"];
     self.testServerCert = certificate;
 }
@@ -174,17 +184,23 @@ static NSString * const MGLAPIClientHTTPMethodPost = @"POST";
             // Look for a pinned certificate in the server's certificate chain
             CFIndex numKeys = SecTrustGetCertificateCount(serverTrust);
             
-            // Check certs in the following order: digicert 2016, digicert 2017, geotrust 2016, geotrust 2017
+            // Check certs in the following order: digicert 2016, digicert 2017, digicert CN 2018, geotrust 2016, geotrust 2017, geotrust CN 2018
             found = [self evaluateCertificateWithCertificateData:self.digicertCert_2016 keyCount:numKeys serverTrust:serverTrust challenge:challenge completionHandler:completionHandler];
             if (!found) {
                 found = [self evaluateCertificateWithCertificateData:self.digicertCert_2017 keyCount:numKeys serverTrust:serverTrust challenge:challenge completionHandler:completionHandler];
             }
+            if (!found) {
+                found = [self evaluateCertificateWithCertificateData:self.digicertCert_cn_2018 keyCount:numKeys serverTrust:serverTrust challenge:challenge completionHandler:completionHandler];
+            }
             if (!found) {
                 found = [self evaluateCertificateWithCertificateData:self.geoTrustCert_2016 keyCount:numKeys serverTrust:serverTrust challenge:challenge completionHandler:completionHandler];
             }
             if (!found) {
                 found = [self evaluateCertificateWithCertificateData:self.geoTrustCert_2017 keyCount:numKeys serverTrust:serverTrust challenge:challenge completionHandler:completionHandler];
             }
+            if (!found) {
+                found = [self evaluateCertificateWithCertificateData:self.geoTrustCert_cn_2018 keyCount:numKeys serverTrust:serverTrust challenge:challenge completionHandler:completionHandler];
+            }
             
             // If challenge can't be completed with any of the above certs, then try the test server if the app is configured to use the test server
             if (!found && _usesTestServer) {
-- 
cgit v1.2.1