|
@@ -88,6 +88,13 @@ extension URLSession {
|
|
|
/// validate the host in production environments to guarantee the validity of the server's
|
|
/// validate the host in production environments to guarantee the validity of the server's
|
|
|
/// certificate chain.
|
|
/// certificate chain.
|
|
|
///
|
|
///
|
|
|
|
|
+/// - performRevokedEvaluation: Uses the default and revoked server trust evaluations allowing you to control whether to
|
|
|
|
|
+/// validate the host provided by the challenge as well as specify the revocation flags for
|
|
|
|
|
+/// testing for revoked certificates. Apple platforms did not start testing for revoked
|
|
|
|
|
+/// certificates automatically until iOS 10.1, macOS 10.12 and tvOS 10.1 which is
|
|
|
|
|
+/// demonstrated in our TLS tests. Applications are encouraged to always validate the host
|
|
|
|
|
+/// in production environments to guarantee the validity of the server's certificate chain.
|
|
|
|
|
+///
|
|
|
/// - pinCertificates: Uses the pinned certificates to validate the server trust. The server trust is
|
|
/// - pinCertificates: Uses the pinned certificates to validate the server trust. The server trust is
|
|
|
/// considered valid if one of the pinned certificates match one of the server certificates.
|
|
/// considered valid if one of the pinned certificates match one of the server certificates.
|
|
|
/// By validating both the certificate chain and host, certificate pinning provides a very
|
|
/// By validating both the certificate chain and host, certificate pinning provides a very
|
|
@@ -107,6 +114,7 @@ extension URLSession {
|
|
|
/// - customEvaluation: Uses the associated closure to evaluate the validity of the server trust.
|
|
/// - customEvaluation: Uses the associated closure to evaluate the validity of the server trust.
|
|
|
public enum ServerTrustPolicy {
|
|
public enum ServerTrustPolicy {
|
|
|
case performDefaultEvaluation(validateHost: Bool)
|
|
case performDefaultEvaluation(validateHost: Bool)
|
|
|
|
|
+ case performRevokedEvaluation(validateHost: Bool, revocationFlags: CFOptionFlags)
|
|
|
case pinCertificates(certificates: [SecCertificate], validateCertificateChain: Bool, validateHost: Bool)
|
|
case pinCertificates(certificates: [SecCertificate], validateCertificateChain: Bool, validateHost: Bool)
|
|
|
case pinPublicKeys(publicKeys: [SecKey], validateCertificateChain: Bool, validateHost: Bool)
|
|
case pinPublicKeys(publicKeys: [SecKey], validateCertificateChain: Bool, validateHost: Bool)
|
|
|
case disableEvaluation
|
|
case disableEvaluation
|
|
@@ -171,6 +179,12 @@ public enum ServerTrustPolicy {
|
|
|
let policy = SecPolicyCreateSSL(true, validateHost ? host as CFString : nil)
|
|
let policy = SecPolicyCreateSSL(true, validateHost ? host as CFString : nil)
|
|
|
SecTrustSetPolicies(serverTrust, policy)
|
|
SecTrustSetPolicies(serverTrust, policy)
|
|
|
|
|
|
|
|
|
|
+ serverTrustIsValid = trustIsValid(serverTrust)
|
|
|
|
|
+ case let .performRevokedEvaluation(validateHost, revocationFlags):
|
|
|
|
|
+ let defaultPolicy = SecPolicyCreateSSL(true, validateHost ? host as CFString : nil)
|
|
|
|
|
+ let revokedPolicy = SecPolicyCreateRevocation(revocationFlags)
|
|
|
|
|
+ SecTrustSetPolicies(serverTrust, [defaultPolicy, revokedPolicy] as CFTypeRef)
|
|
|
|
|
+
|
|
|
serverTrustIsValid = trustIsValid(serverTrust)
|
|
serverTrustIsValid = trustIsValid(serverTrust)
|
|
|
case let .pinCertificates(pinnedCertificates, validateCertificateChain, validateHost):
|
|
case let .pinCertificates(pinnedCertificates, validateCertificateChain, validateHost):
|
|
|
if validateCertificateChain {
|
|
if validateCertificateChain {
|
WataruSuzuki