datatheorem / TrustKit

Easy SSL pinning validation and reporting for iOS, macOS, tvOS and watchOS.
MIT License

Seems not working #253

Closed jonathanroze closed 3 years ago

jonathanroze commented 3 years ago

Hi,

I implemented TrustKit in my iOS application (using React Native, which uses the underlying NSURLSession).

When I check requests using Charles Proxy with SSL Proxying activated, I can see the requests' content.

Here is the code that I use.

AppDelegate.h

#import <React/RCTBridgeDelegate.h>
#import <UIKit/UIKit.h>

@interface AppDelegate : UIResponder <UIApplicationDelegate, RCTBridgeDelegate>

@property (nonatomic, strong) UIWindow *window;
@property (nonatomic, readonly) NSDictionary *trustKitConfig;

@end

And the code that I added in AppDelegate.m

#import <TrustKit/TrustKit.h>

- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions
{
    // Override TrustKit's logger method
    void (^loggerBlock)(NSString *) = ^void(NSString *message)
    {
        NSLog(@"TrustKit log: %@", message);
    };
    [TrustKit setLoggerBlock:loggerBlock];

    // Initialize TrustKit
    _trustKitConfig =
    @{
        // Auto-swizzle NSURLSession delegates (YES here, so the manual delegate method below is optional)
        kTSKSwizzleNetworkDelegates: @YES,

        kTSKPinnedDomains: @{
            @"api.domain.tld": @{
                kTSKEnforcePinning: @YES,
                kTSKIncludeSubdomains: @NO,
                // Placeholder SPKI hashes (TrustKit expects base64-encoded SHA-256 hashes of the SPKI)
                kTSKPublicKeyHashes: @[
                    @"key1",
                    @"key2",
                    @"key3",
                    @"key4",
                    @"key5",
                ],

                // Send reports for pinning failures
                // Email info@datatheorem.com if you need a free dashboard to see your App's reports
                kTSKReportUris: @[@"https://overmind.datatheorem.com/trustkit/report"]
            },
        }
    };

    [TrustKit initSharedInstanceWithConfiguration:_trustKitConfig];

    // Demonstrate how to receive pin validation notifications (only useful for performance/metrics)
    [TrustKit sharedInstance].pinningValidatorCallbackQueue = dispatch_get_main_queue();
    [TrustKit sharedInstance].pinningValidatorCallback = ^(TSKPinningValidatorResult *result, NSString *notedHostname, TKSDomainPinningPolicy *policy) {
        NSLog(@"Received pinning validation notification:\n\tDuration: %0.4f\n\tDecision: %ld\n\tResult: %ld\n\tHostname: %@",
              result.validationDuration,
              (long)result.finalTrustDecision,
              (long)result.evaluationResult,
              result.serverHostname);
    };

...

    return YES;
}

- (void)URLSession:(NSURLSession *)session
              task:(NSURLSessionTask *)task
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler
{
    TSKPinningValidator *pinningValidator = [[TrustKit sharedInstance] pinningValidator];
    // Pass the authentication challenge to the validator; if the validation fails, the connection will be blocked
    if (![pinningValidator handleChallenge:challenge completionHandler:completionHandler])
    {
        // TrustKit did not handle this challenge: perhaps it was not for server trust
        // or the domain was not pinned. Fall back to the default behavior
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
    }
}

My API is hosted on AWS (certificates generated by Certificate Manager); I don't know if it's useful.

Thanks

jonathanroze commented 3 years ago

OK, I figured out why it wasn't working.

I forgot to remove the configuration in Info.plist.

This library works pretty well! Thanks

anishtr4 commented 3 years ago

@jonathanroze Would you mind sharing your AppDelegate.m and AppDelegate.m over here? For me, even though TrustKit is validating the URLs, the connection is not getting blocked if we are using a URL which is not set in the config with a public key.

vegerot12 commented 1 year ago

@anishtr4 I too face the same issue; it is not blocking URLs that do not match the public key. Have you figured out the issue or solution? If so, please share.
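As an added illustration (not TrustKit's code and not posted by anyone in this thread), here is a simplified Python model of how a configuration like the one in the first post resolves a hostname to a pinning policy and decides whether a connection is blocked; the SPKI bytes, the example.org entry and the backup pin are constructed assumptions. It shows why a host absent from kTSKPinnedDomains takes the fallback path of the delegate above and is never blocked, which is what the last two comments ask about.

```python
import base64
import hashlib

def spki_hash(spki_der: bytes) -> str:
    """Pin format TrustKit expects in kTSKPublicKeyHashes: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed sample SPKI bytes standing in for the real server keys (hypothetical).
GOOD_SPKI = b"constructed-spki-for-api.domain.tld"
ORG_SPKI = b"constructed-spki-for-example.org"

# Constructed config mirroring the keys used in the AppDelegate.m above.
CONFIG = {
    "kTSKPinnedDomains": {
        "api.domain.tld": {
            "kTSKEnforcePinning": True,
            "kTSKIncludeSubdomains": False,
            "kTSKPublicKeyHashes": [spki_hash(GOOD_SPKI), "backup-pin-placeholder="],
        },
        "example.org": {
            "kTSKEnforcePinning": False,  # report-only: mismatches are reported, not blocked
            "kTSKIncludeSubdomains": True,
            "kTSKPublicKeyHashes": [spki_hash(ORG_SPKI)],
        },
    }
}

def policy_for_host(config: dict, hostname: str):
    """Exact domain match first; otherwise the longest parent domain that set
    kTSKIncludeSubdomains. None means no pinning policy applies to this host."""
    domains = config["kTSKPinnedDomains"]
    if hostname in domains:
        return domains[hostname]
    parents = [d for d in domains
               if domains[d]["kTSKIncludeSubdomains"] and hostname.endswith("." + d)]
    return domains[max(parents, key=len)] if parents else None

def decide(config: dict, hostname: str, chain_spkis: list) -> tuple:
    """Return (pinning_applied, connection_allowed) for a server certificate chain.
    pinning_applied=False is the fallback path from the delegate above: the challenge
    gets default handling (system trust only), so the connection is never blocked."""
    policy = policy_for_host(config, hostname)
    if policy is None:
        return (False, True)
    pinned = set(policy["kTSKPublicKeyHashes"])
    if any(spki_hash(spki) in pinned for spki in chain_spkis):
        return (True, True)
    # No pinned key anywhere in the chain: block only when kTSKEnforcePinning is YES.
    return (True, not policy["kTSKEnforcePinning"])
```

A proxy presenting its own certificate to a host that is not listed (or a subdomain of a host with kTSKIncludeSubdomains NO) is therefore only subject to the system's default trust evaluation.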