BottleRocketStudios / iOS-Hyperspace

An extremely lightweight wrapper around URLSession to make working with APIs a breeze.
Apache License 2.0

SSL certificate pinning #84

Closed wmcginty closed 5 years ago

wmcginty commented 5 years ago

Looking to solicit feedback as I continue to build this feature out.

wmcginty commented 5 years ago

This is moving right along. I think everything but the new TrustValidatingNetworkService has been tested and I updated the example as well. @tylermilner @rmirabelli let me know your thoughts!

codecov-io commented 5 years ago

Codecov Report

Merging #84 into master will decrease coverage by 1.11%. The diff coverage is 91.31%.


@@            Coverage Diff             @@
##           master      #84      +/-   ##
==========================================
- Coverage   95.73%   94.61%   -1.12%     
==========================================
  Files          38       46       +8     
  Lines        1055     1412     +357     
==========================================
+ Hits         1010     1336     +326     
- Misses         45       76      +31
Impacted Files Coverage Δ
Tests/NetworkServiceTests.swift 100% <ø> (ø) ↑
...ficate Pinning/TrustValidatingNetworkService.swift 0% <0%> (ø)
...urces/Certificate Pinning/TrustConfiguration.swift 100% <100%> (ø)
.../Certificate Pinning/AuthenticationChallenge.swift 100% <100%> (ø)
...ources/Certificate Pinning/CertificateHasher.swift 100% <100%> (ø)
Tests/Helper/Trusts.swift 100% <100%> (ø)
Tests/CertificateHashTests.swift 96.15% <96.15%> (ø)
Sources/Certificate Pinning/TrustValidator.swift 96.87% <96.87%> (ø)
Tests/PinningTests.swift 97.23% <97.23%> (ø)
... and 7 more


wmcginty commented 5 years ago

We should be good to go @tylermilner. We were not evaluating there in some tests (we still need to create pinning hashes for untrusted/expired certificates). The explicit call to validation is made in TrustValidator.evaluate(_:forHost:date:), line 73 to ensure that any SecTrust objects as part of authentication challenges are trusted by the OS, but this does not affect our ability to test.
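As an added illustration of the order of checks described in this comment (the OS evaluates the SecTrust first, and only then are the pins compared), here is a hypothetical URLSession delegate; it is not Hyperspace's own TrustValidator or TrustValidatingNetworkService, and the host names and pin digests it is configured with are assumed placeholders.

```swift
import Foundation
import Security
import CryptoKit   // SHA256 (iOS 13 / macOS 10.15 and later)

/// Hypothetical pinning delegate, not Hyperspace's code.
/// Pins are base64 SHA-256 digests of the leaf certificate's public key bytes
/// as returned by SecKeyCopyExternalRepresentation (raw key, not SPKI DER).
final class PinningSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedKeyHashes: [String: Set<String>]  // host -> accepted digests

    init(pinnedKeyHashes: [String: Set<String>]) {
        self.pinnedKeyHashes = pinnedKeyHashes
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)   // not a server-trust challenge
            return
        }
        // Step 1: the OS must accept the chain (chain building, expiry, hostname).
        // Pinning never replaces this check; it only narrows what the OS already trusts.
        let policy = SecPolicyCreateSSL(true, space.host as CFString)
        var error: CFError?
        guard SecTrustSetPolicies(trust, policy) == errSecSuccess,
              SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 2: compare the leaf public key digest against the pins for this host.
        // An unknown host has no pins, so the connection is rejected rather than allowed.
        guard let expected = pinnedKeyHashes[space.host],
              let leaf = SecTrustGetCertificateAtIndex(trust, 0),
              let key = SecCertificateCopyKey(leaf),
              let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let digest = Data(SHA256.hash(data: keyData)).base64EncodedString()
        if expected.contains(digest) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)   // pin mismatch
        }
    }
}
```

Because the pin is computed over the leaf's public key rather than the whole certificate, a renewed certificate that keeps the same key pair still matches; rotating the key requires shipping a new pin, which is why a backup pin per host is usually kept in the set.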

wmcginty commented 5 years ago

@earlgaspard Let me know if you still want to take a look and I'll hold off merging.

earlgaspard commented 5 years ago

@wmcginty I still want to give it a look.

wmcginty commented 5 years ago

@earlgaspard Changes have been made.