
Refactored `allowInvalidCertificates` to `validateCertificateChain` for public key pinning.

Christian Noon 10 years ago
parent
commit
3ba55168f1
3 changed files with 53 additions and 54 deletions
  1. 4 5
      Source/ServerTrustPolicy.swift
  2. 41 41
      Tests/ServerTrustPolicyTests.swift
  3. 8 8
      Tests/TLSEvaluationTests.swift

+ 4 - 5
Source/ServerTrustPolicy.swift

@@ -31,8 +31,7 @@ public class ServerTrustPolicyManager {
         self.policies = policies
     }
 
-    // TODO: DocStrings
-    public func serverTrustPolicyForHost(host: String) -> ServerTrustPolicy? {
+    func serverTrustPolicyForHost(host: String) -> ServerTrustPolicy? {
         return self.policies[host]
     }
 }
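Review bot: `serverTrustPolicyForHost` loses its `public` modifier here while `ServerTrustPolicyManager` stays public, and the `// TODO: DocStrings` marker is deleted without a doc comment taking its place. The visible body is an exact dictionary lookup, `self.policies[host]`, so a host that differs in case from a configured key, or is a subdomain of it, gets `nil`. What the caller does with `nil` is outside this hunk; if it falls back to default evaluation, the pin is silently not applied for that host. I would add `/// Returns the policy registered for exactly this host string (no wildcard matching or case folding), or nil when none is registered.` and mention the visibility change in the commit message, since it is an API change separate from the rename.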
@@ -60,7 +59,7 @@ extension NSURLSession {
 public enum ServerTrustPolicy {
     case PerformDefaultEvaluation(validateHost: Bool)
     case PinCertificates(certificates: [SecCertificate], validateHost: Bool)
-    case PinPublicKeys(publicKeys: [SecKey], validateHost: Bool, allowInvalidCertificates: Bool)
+    case PinPublicKeys(publicKeys: [SecKey], validateCertificateChain: Bool, validateHost: Bool)
     case DisableEvaluation
     case CustomEvaluation((serverTrust: SecTrust, host: String) -> Bool)
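Review bot: The new `PinPublicKeys` case both inverts the flag's polarity (`allowInvalidCertificates: false` becomes `validateCertificateChain: true`) and swaps the position of the two `Bool` associated values. Labelled construction sites will stop compiling, but a positional pattern such as `case let .PinPublicKeys(keys, validateHost, allowInvalid)` in downstream code still type-checks and now binds the values the wrong way round. That deserves a line in the changelog or migration notes. The case is also undocumented; a comment such as `/// With validateCertificateChain set to false, an expired or untrusted chain is accepted as long as one of its public keys matches a pinned key.` would make the weaker mode explicit. The enum body continues outside this hunk.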
 
@@ -115,10 +114,10 @@ public enum ServerTrustPolicy {
             SecTrustSetAnchorCertificatesOnly(serverTrust, 1)
 
             serverTrustIsValid = trustIsValid(serverTrust)
-        case let .PinPublicKeys(pinnedPublicKeys, validateHost, allowInvalidCertificates):
+        case let .PinPublicKeys(pinnedPublicKeys, validateCertificateChain, validateHost):
             var certificateChainEvaluationPassed = true
 
-            if !allowInvalidCertificates {
+            if validateCertificateChain {
                 let policy = validateHost ? SecPolicyCreateSSL(1, host as CFString) : SecPolicyCreateBasicX509()
                 SecTrustSetPolicies(serverTrust, [policy.takeRetainedValue()])
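Review bot: In the lines visible here the SSL policy carrying the host name is created only inside `if validateCertificateChain`, so `.PinPublicKeys(publicKeys:validateCertificateChain: false, validateHost: true)` appears to skip host validation without any signal to the caller. The rest of the branch is outside this hunk, so this is inferred from the visible lines. The updated `Tests/TLSEvaluationTests.swift` cases use exactly that combination. If it is intended, document on the enum case that `validateHost` only takes effect when `validateCertificateChain` is true. Otherwise apply the host policy independently of the chain flag, so a matching key presented under a different host name is rejected.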
 

+ 41 - 41
Tests/ServerTrustPolicyTests.swift

@@ -780,7 +780,7 @@ class ServerTrustPolicyPinCertificatesTestCase: ServerTrustPolicyTestCase {
 
 class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
 
-    // MARK: Require Valid Certificate Chain Without Host Validation
+    // MARK: Validate Certificate Chain Without Validating Host
 
     func testThatPinningLeafKeyPassesEvaluationWithoutHostValidation() {
         // Given
@@ -789,8 +789,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
         let publicKeys = [TestPublicKeys.LeafValidDNSName]
         let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
             publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: false
         )
 
         // When
@@ -808,8 +808,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
         let publicKeys = [TestPublicKeys.IntermediateCA2]
         let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
             publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: false
         )
 
         // When
@@ -827,8 +827,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
         let publicKeys = [TestPublicKeys.RootCA]
         let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
             publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: false
         )
 
         // When
@@ -846,8 +846,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
         let publicKeys = [TestPublicKeys.LeafSignedByCA2]
         let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
             publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: false
         )
 
         // When
@@ -865,8 +865,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
         let publicKeys = [TestPublicKeys.LeafSignedByCA1, TestPublicKeys.IntermediateCA1, TestPublicKeys.LeafValidDNSName]
         let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
             publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: false
         )
 
         // When
@@ -877,7 +877,7 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
         XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
     }
 
-    // MARK: Require Valid Certificate Chain With Host Validation
+    // MARK: Validate Certificate Chain and Host
 
     func testThatPinningLeafKeyPassesEvaluationWithHostValidation() {
         // Given
@@ -886,8 +886,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
         let publicKeys = [TestPublicKeys.LeafValidDNSName]
         let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
             publicKeys: publicKeys,
-            validateHost: true,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: true
         )
 
         // When
@@ -905,8 +905,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
         let publicKeys = [TestPublicKeys.IntermediateCA2]
         let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
             publicKeys: publicKeys,
-            validateHost: true,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: true
         )
 
         // When
@@ -924,8 +924,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
         let publicKeys = [TestPublicKeys.RootCA]
         let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
             publicKeys: publicKeys,
-            validateHost: true,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: true
         )
 
         // When
@@ -943,8 +943,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
         let publicKeys = [TestPublicKeys.LeafSignedByCA2]
         let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
             publicKeys: publicKeys,
-            validateHost: true,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: true
         )
 
         // When
@@ -962,8 +962,8 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
         let publicKeys = [TestPublicKeys.LeafSignedByCA1, TestPublicKeys.IntermediateCA1, TestPublicKeys.LeafValidDNSName]
         let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
             publicKeys: publicKeys,
-            validateHost: true,
-            allowInvalidCertificates: false
+            validateCertificateChain: true,
+            validateHost: true
         )
 
         // When
@@ -974,17 +974,17 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
         XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
     }
 
-    // MARK: Allow Invalid Certificate Chain
+    // MARK: Do NOT Validate Certificate Chain or Host
 
-    func testThatPinningLeafKeyWhileAllowingInvalidCertificatesPassesEvaluationWithMissingIntermediateCertificate() {
+    func testThatPinningLeafKeyWithoutCertificateChainValidationPassesEvaluationWithMissingIntermediateCertificate() {
         // Given
         let host = "test.alamofire.org"
         let serverTrust = TestTrusts.LeafValidDNSNameMissingIntermediate.trust
         let publicKeys = [TestPublicKeys.LeafValidDNSName]
         let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
             publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: true
+            validateCertificateChain: false,
+            validateHost: false
         )
 
         // When
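Review bot: Every case under the new `// MARK: Do NOT Validate Certificate Chain or Host` heading passes `validateHost: false`, so nothing here pins what happens with `validateCertificateChain: false` together with `validateHost: true`. The `Tests/TLSEvaluationTests.swift` hunks do use that pair, but only against the matching host and expecting success, which passes whether or not the host check runs. I would add a case in this group that evaluates a trust against a host name the leaf certificate does not cover, with `validateCertificateChain: false, validateHost: true`, and asserts the intended result. The test function continues outside this hunk.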
@@ -995,15 +995,15 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
         XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
     }
 
-    func testThatPinningRootKeyWhileAllowingInvalidCertificatesFailsEvaluationWithMissingIntermediateCertificate() {
+    func testThatPinningRootKeyWithoutCertificateChainValidationFailsEvaluationWithMissingIntermediateCertificate() {
         // Given
         let host = "test.alamofire.org"
         let serverTrust = TestTrusts.LeafValidDNSNameMissingIntermediate.trust
         let publicKeys = [TestPublicKeys.RootCA]
         let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
             publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: true
+            validateCertificateChain: false,
+            validateHost: false
         )
 
         // When
@@ -1014,15 +1014,15 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
         XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
     }
 
-    func testThatPinningLeafKeyWhileAllowingInvalidCertificatesPassesEvaluationWithIncorrectIntermediateCertificate() {
+    func testThatPinningLeafKeyWithoutCertificateChainValidationPassesEvaluationWithIncorrectIntermediateCertificate() {
         // Given
         let host = "test.alamofire.org"
         let serverTrust = TestTrusts.LeafValidDNSNameWithIncorrectIntermediate.trust
         let publicKeys = [TestPublicKeys.LeafValidDNSName]
         let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
             publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: true
+            validateCertificateChain: false,
+            validateHost: false
         )
 
         // When
@@ -1033,15 +1033,15 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
         XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
     }
 
-    func testThatPinningLeafKeyWhileAllowingInvalidCertificatesPassesEvaluationWithExpiredLeafCertificate() {
+    func testThatPinningLeafKeyWithoutCertificateChainValidationPassesEvaluationWithExpiredLeafCertificate() {
         // Given
         let host = "test.alamofire.org"
         let serverTrust = TestTrusts.LeafExpired.trust
         let publicKeys = [TestPublicKeys.LeafExpired]
         let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
             publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: true
+            validateCertificateChain: false,
+            validateHost: false
         )
 
         // When
@@ -1052,15 +1052,15 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
         XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
     }
 
-    func testThatPinningIntermediateKeyWhileAllowingInvalidCertificatesPassesEvaluationWithExpiredLeafCertificate() {
+    func testThatPinningIntermediateKeyWithoutCertificateChainValidationPassesEvaluationWithExpiredLeafCertificate() {
         // Given
         let host = "test.alamofire.org"
         let serverTrust = TestTrusts.LeafExpired.trust
         let publicKeys = [TestPublicKeys.IntermediateCA2]
         let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
             publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: true
+            validateCertificateChain: false,
+            validateHost: false
         )
 
         // When
@@ -1071,15 +1071,15 @@ class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {
         XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
     }
 
-    func testThatPinningRootKeyWhileAllowingInvalidCertificatesPassesEvaluationWithExpiredLeafCertificate() {
+    func testThatPinningRootKeyWithoutCertificateChainValidationPassesEvaluationWithExpiredLeafCertificate() {
         // Given
         let host = "test.alamofire.org"
         let serverTrust = TestTrusts.LeafExpired.trust
         let publicKeys = [TestPublicKeys.RootCA]
         let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
             publicKeys: publicKeys,
-            validateHost: false,
-            allowInvalidCertificates: true
+            validateCertificateChain: false,
+            validateHost: false
         )
 
         // When

+ 8 - 8
Tests/TLSEvaluationTests.swift

@@ -177,11 +177,11 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
 
     // MARK: Server Trust Policy - Public Key Pinning Tests
 
-    func testThatExpiredCertificateRequestFailsWhenPinningLeafPublicKeyWhileNotAllowingInvalidCertificates() {
+    func testThatExpiredCertificateRequestFailsWhenPinningLeafPublicKeyWithCertificateChainValidation() {
         // Given
         let publicKeys = [TestPublicKeys.Leaf]
         let policies: [String: ServerTrustPolicy] = [
-            self.host: .PinPublicKeys(publicKeys: publicKeys, validateHost: true, allowInvalidCertificates: false)
+            self.host: .PinPublicKeys(publicKeys: publicKeys, validateCertificateChain: true, validateHost: true)
         ]
 
         let manager = Manager(
@@ -206,11 +206,11 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
         XCTAssertEqual(error?.code ?? -1, NSURLErrorCancelled, "error should be NSURLErrorCancelled")
     }
 
-    func testThatExpiredCertificateRequestSucceedsWhenPinningLeafPublicKeyAndAllowingInvalidCertificates() {
+    func testThatExpiredCertificateRequestSucceedsWhenPinningLeafPublicKeyWithoutCertificateChainValidation() {
         // Given
         let publicKeys = [TestPublicKeys.Leaf]
         let policies: [String: ServerTrustPolicy] = [
-            self.host: .PinPublicKeys(publicKeys: publicKeys, validateHost: true, allowInvalidCertificates: true)
+            self.host: .PinPublicKeys(publicKeys: publicKeys, validateCertificateChain: false, validateHost: true)
         ]
 
         let manager = Manager(
@@ -234,11 +234,11 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
         XCTAssertNil(error, "error should be nil")
     }
 
-    func testThatExpiredCertificateRequestSucceedsWhenPinningIntermediateCAPublicKeyAndAllowingInvalidCertificates() {
+    func testThatExpiredCertificateRequestSucceedsWhenPinningIntermediateCAPublicKeyWithoutCertificateChainValidation() {
         // Given
         let publicKeys = [TestPublicKeys.IntermediateCA]
         let policies: [String: ServerTrustPolicy] = [
-            self.host: .PinPublicKeys(publicKeys: publicKeys, validateHost: true, allowInvalidCertificates: true)
+            self.host: .PinPublicKeys(publicKeys: publicKeys, validateCertificateChain: false, validateHost: true)
         ]
 
         let manager = Manager(
@@ -262,11 +262,11 @@ class TLSEvaluationExpiredLeafCertificateTestCase: BaseTestCase {
         XCTAssertNil(error, "error should be nil")
     }
 
-    func testThatExpiredCertificateRequestSucceedsWhenPinningRootCAPublicKeyAndAllowingInvalidCertificates() {
+    func testThatExpiredCertificateRequestSucceedsWhenPinningRootCAPublicKeyWithoutCertificateChainValidation() {
         // Given
         let publicKeys = [TestPublicKeys.RootCA]
         let policies: [String: ServerTrustPolicy] = [
-            self.host: .PinPublicKeys(publicKeys: publicKeys, validateHost: true, allowInvalidCertificates: true)
+            self.host: .PinPublicKeys(publicKeys: publicKeys, validateCertificateChain: false, validateHost: true)
         ]
 
         let manager = Manager(