Home Explore Help
Sign In
mirror
/
Alamofire
mirror of https://github.com/Alamofire/Alamofire.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Added revoked evaluation server trust policy to check for revoked certificates.

WataruSuzuki 9 years ago
parent
22fec47388
commit
52fc15e1c9
1 changed files with 14 additions and 0 deletions
Split View Show Diff Stats
  1. 14 0
      Source/ServerTrustPolicy.swift

+ 14 - 0
Source/ServerTrustPolicy.swift
View File 

@@ -88,6 +88,13 @@ extension URLSession {
 
 ///                             validate the host in production environments to guarantee the validity of the server's
 
 ///                             certificate chain.
 
 ///
 
+/// - performRevokedEvaluation: Uses the default and revoked server trust evaluations allowing you to control whether to
 
+///                             validate the host provided by the challenge as well as specify the revocation flags for
 
+///                             testing for revoked certificates. Apple platforms did not start testing for revoked
 
+///                             certificates automatically until iOS 10.1, macOS 10.12 and tvOS 10.1 which is 
+///                             demonstrated in our TLS tests. Applications are encouraged to always validate the host 
+///                             in production environments to guarantee the validity of the server's certificate chain.
 
+///
 
 /// - pinCertificates:          Uses the pinned certificates to validate the server trust. The server trust is
 
 ///                             considered valid if one of the pinned certificates match one of the server certificates.
 
 ///                             By validating both the certificate chain and host, certificate pinning provides a very
 
@@ -107,6 +114,7 @@ extension URLSession {
 
 /// - customEvaluation:         Uses the associated closure to evaluate the validity of the server trust.
 
 public enum ServerTrustPolicy {
 
     case performDefaultEvaluation(validateHost: Bool)
 
+    case performRevokedEvaluation(validateHost: Bool, revocationFlags: CFOptionFlags)
 
     case pinCertificates(certificates: [SecCertificate], validateCertificateChain: Bool, validateHost: Bool)
 
     case pinPublicKeys(publicKeys: [SecKey], validateCertificateChain: Bool, validateHost: Bool)
 
     case disableEvaluation
 
@@ -171,6 +179,12 @@ public enum ServerTrustPolicy {
 
             let policy = SecPolicyCreateSSL(true, validateHost ? host as CFString : nil)
 
             SecTrustSetPolicies(serverTrust, policy)
 
 
+            serverTrustIsValid = trustIsValid(serverTrust)
 
+        case let .performRevokedEvaluation(validateHost, revocationFlags):
 
+            let defaultPolicy = SecPolicyCreateSSL(true, validateHost ? host as CFString : nil)
 
+            let revokedPolicy = SecPolicyCreateRevocation(revocationFlags)
 
+            SecTrustSetPolicies(serverTrust, [defaultPolicy, revokedPolicy] as CFTypeRef)
 
+
 
             serverTrustIsValid = trustIsValid(serverTrust)
 
         case let .pinCertificates(pinnedCertificates, validateCertificateChain, validateHost):
 
             if validateCertificateChain {