|
| 1 | +// |
| 2 | +// CertificatePinningDelegate.swift |
| 3 | +// NativeAppTemplate |
| 4 | +// |
| 5 | +// Created by Daisuke Adachi. |
| 6 | +// |
| 7 | + |
| 8 | +import CommonCrypto |
| 9 | +import Foundation |
| 10 | + |
| 11 | +final class CertificatePinningDelegate: NSObject, URLSessionDelegate { |
| 12 | + // SPKI SHA-256 hashes (base64-encoded) for api.nativeapptemplate.com |
| 13 | + // The server uses Google Trust Services certificates (Render hosting). |
| 14 | + // Pin the leaf public key and Google Trust Services intermediate CAs as backup. |
| 15 | + static let pinnedHashes: Set<String> = [ |
| 16 | + // Leaf certificate public key (api.nativeapptemplate.com) |
| 17 | + "54Il7gpV4QvX8fAyEKV+6fp8VGjgHqIAAqF5bLCfYNQ=", |
| 18 | + // Google Trust Services WE1 intermediate CA |
| 19 | + "kIdp6NNEd8wsugYyyIYFsi1ylMCED3hZbSR8ZFsa/A4=" |
| 20 | + ] |
| 21 | + |
| 22 | + static let pinnedDomain = String.domain |
| 23 | + |
| 24 | + // ASN.1 header for EC 256-bit public key (SPKI prefix) |
| 25 | + private static let ecDsaSecp256r1Asn1Header: [UInt8] = [ |
| 26 | + 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, |
| 27 | + 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, |
| 28 | + 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, |
| 29 | + 0x42, 0x00 |
| 30 | + ] |
| 31 | + |
| 32 | + // ASN.1 header for RSA 2048-bit public key (SPKI prefix) |
| 33 | + private static let rsa2048Asn1Header: [UInt8] = [ |
| 34 | + 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, |
| 35 | + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, |
| 36 | + 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00 |
| 37 | + ] |
| 38 | + |
| 39 | + func urlSession( |
| 40 | + _ session: URLSession, |
| 41 | + didReceive challenge: URLAuthenticationChallenge, |
| 42 | + completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void |
| 43 | + ) { |
| 44 | + guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust, |
| 45 | + challenge.protectionSpace.host == Self.pinnedDomain, |
| 46 | + let serverTrust = challenge.protectionSpace.serverTrust |
| 47 | + else { |
| 48 | + completionHandler(.performDefaultHandling, nil) |
| 49 | + return |
| 50 | + } |
| 51 | + |
| 52 | + let certificateCount = SecTrustGetCertificateCount(serverTrust) |
| 53 | + var pinMatched = false |
| 54 | + |
| 55 | + for index in 0..<certificateCount { |
| 56 | + guard let certificate = SecTrustCopyCertificateChain(serverTrust) |
| 57 | + .map({ unsafeBitCast(CFArrayGetValueAtIndex($0, index), to: SecCertificate.self) }) |
| 58 | + else { continue } |
| 59 | + |
| 60 | + guard let publicKey = SecCertificateCopyKey(certificate) else { continue } |
| 61 | + |
| 62 | + var error: Unmanaged<CFError>? |
| 63 | + guard let publicKeyData = SecKeyCopyExternalRepresentation(publicKey, &error) as Data? else { continue } |
| 64 | + |
| 65 | + let spkiHash = Self.sha256WithAsn1Header(for: publicKeyData) |
| 66 | + |
| 67 | + if Self.pinnedHashes.contains(spkiHash) { |
| 68 | + pinMatched = true |
| 69 | + break |
| 70 | + } |
| 71 | + } |
| 72 | + |
| 73 | + if pinMatched { |
| 74 | + completionHandler(.useCredential, URLCredential(trust: serverTrust)) |
| 75 | + } else { |
| 76 | + Failure.certificatePinning( |
| 77 | + from: Self.self, |
| 78 | + reason: "Pin mismatch for \(challenge.protectionSpace.host)" |
| 79 | + ).log() |
| 80 | + completionHandler(.cancelAuthenticationChallenge, nil) |
| 81 | + } |
| 82 | + } |
| 83 | + |
| 84 | + private static func sha256WithAsn1Header(for publicKeyData: Data) -> String { |
| 85 | + let header: [UInt8] = if publicKeyData.count == 65 { |
| 86 | + ecDsaSecp256r1Asn1Header |
| 87 | + } else { |
| 88 | + rsa2048Asn1Header |
| 89 | + } |
| 90 | + |
| 91 | + var spkiData = Data(header) |
| 92 | + spkiData.append(publicKeyData) |
| 93 | + |
| 94 | + var hash = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH)) |
| 95 | + spkiData.withUnsafeBytes { buffer in |
| 96 | + _ = CC_SHA256(buffer.baseAddress, CC_LONG(spkiData.count), &hash) |
| 97 | + } |
| 98 | + |
| 99 | + return Data(hash).base64EncodedString() |
| 100 | + } |
| 101 | +} |
| 102 | + |
| 103 | +extension URLSession { |
| 104 | + private static let pinningDelegate = CertificatePinningDelegate() |
| 105 | + |
| 106 | + static let pinned: URLSession = { |
| 107 | + let configuration = URLSessionConfiguration.default |
| 108 | + return URLSession( |
| 109 | + configuration: configuration, |
| 110 | + delegate: pinningDelegate, |
| 111 | + delegateQueue: nil |
| 112 | + ) |
| 113 | + }() |
| 114 | +} |
0 commit comments