Closed yonicsurny closed 3 years ago

Hello, shouldn't the result of the call to SecTrustEvaluate be validated?
https://github.com/datatheorem/TrustKit/blob/3c953558d61fdd9b136d981764e3242bd92b2648/TrustKit/Pinning/TSKSPKIHashCache.m#L264
My team uses a code analyser tool which is reporting that this piece of code "fails to check the result of the evaluation".
Suggested remediation is as follows:
What do you think?

Hello and thanks for the report.
The code you pointed out does not use the result of the validation at all: SecTrustEvaluate() is only called to initialize the trust object so we can call SecTrustCopyPublicKey() on it.
We do use SecTrustEvaluate() to "check the result of the evaluation" in https://github.com/datatheorem/TrustKit/blob/3c953558d61fdd9b136d981764e3242bd92b2648/TrustKit/Pinning/ssl_pin_verifier.m#L50 , which follows a similar flow as the suggested remediation.
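For readers following the thread, here is the general pattern the analyser is asking for: evaluate the trust object, test the `SecTrustResultType` it produces, and only then extract the leaf public key. This is an added illustration written for this page, not TrustKit's code and not the remediation the reporter had in mind; the function names `TrustChainIsTrusted` and `CopyVerifiedLeafPublicKey`, the `derChain`/`hostname` parameters and the logging are all assumptions. Only `kSecTrustResultUnspecified` and `kSecTrustResultProceed` mean the chain is trusted; any other result, or a non-zero `OSStatus`, is a failure. Note that the reply above also explains why a call to `SecTrustEvaluate()` whose result is ignored is not by itself a bug: the Security framework requires the trust object to be evaluated before `SecTrustCopyPublicKey()` returns a key, so a caller that separately verifies the chain elsewhere (as the linked `ssl_pin_verifier.m` does) may legitimately discard the result at the key-extraction site.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Evaluate a trust object and report whether the chain is trusted.
// Assumption: caller owns `trust`. Only kSecTrustResultUnspecified and
// kSecTrustResultProceed are success values; everything else is a rejection.
static BOOL TrustChainIsTrusted(SecTrustRef trust, SecTrustResultType *outResult)
{
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    if (outResult != NULL) {
        *outResult = result;
    }
    if (status != errSecSuccess) {
        // The evaluation itself failed (malformed input, missing policy, ...).
        return NO;
    }
    return (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
}

// Build a trust object from DER-encoded certificates (leaf first) under an
// SSL server policy for `hostname`, check the evaluation result, and only on
// success return the leaf public key (caller releases it). Returns NULL on
// any failure so a rejected chain can never be turned into a pinnable key.
static SecKeyRef CopyVerifiedLeafPublicKey(NSArray<NSData *> *derChain, NSString *hostname)
{
    NSMutableArray *certs = [NSMutableArray arrayWithCapacity:derChain.count];
    for (NSData *der in derChain) {
        SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der);
        if (cert == NULL) {
            return NULL; // not valid DER
        }
        [certs addObject:(__bridge_transfer id)cert];
    }

    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)hostname);
    SecTrustRef trust = NULL;
    OSStatus status = SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust);
    CFRelease(policy);
    if (status != errSecSuccess || trust == NULL) {
        return NULL;
    }

    SecTrustResultType result = kSecTrustResultInvalid;
    if (!TrustChainIsTrusted(trust, &result)) {
        // Surface the concrete result for logging/detection instead of silently proceeding.
        NSLog(@"Certificate chain for %@ rejected, SecTrustResultType=%u", hostname, (unsigned)result);
        CFRelease(trust);
        return NULL;
    }

    // SecTrustEvaluate has run and succeeded, so the public key is now available.
    SecKeyRef leafKey = SecTrustCopyPublicKey(trust);
    CFRelease(trust);
    return leafKey;
}
```

`SecTrustEvaluate()` and `SecTrustCopyPublicKey()` are the APIs discussed in the thread; on current Apple SDKs both are deprecated in favour of `SecTrustEvaluateWithError()` (which returns a `bool` plus a `CFErrorRef`, so the result check cannot be forgotten) and `SecTrustCopyKey()`. The structure above carries over unchanged: the key is only read after the evaluation has been checked.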