datatheorem / TrustKit

Easy SSL pinning validation and reporting for iOS, macOS, tvOS and watchOS.
MIT License

[Bug] No longer working #321

Open quaos opened 6 months ago

quaos commented 6 months ago

Hi,

About 1-2 months ago, I used this library through react-native-ssl-public-key-pinning to enforce SSL pinning in my company's app on a PoC branch, which worked as expected.

And just yesterday, I tried to install and apply the library again in a new branch, but now it does not block any request to the pinned domain when using invalid keys.

I'm not sure if this is an issue with react-native-ssl-public-key-pinning or with TrustKit, but the configuration used to initialize TrustKit supposedly looks correct. (I also opened an issue there.)

Logs

(iOS to macOS Console log)

=== TrustKit: Successfully initialized with configuration {
    TSKPinnedDomains =     {
        "some-service.tech" =         {
            TSKDisableDefaultReportUri = 1;
            TSKEnforcePinning = 1;
            TSKIncludeSubdomains = 1;
            TSKPublicKeyHashes = "{(\n    {length = 32, bytes = 0x00000000 00000000 00000000 00000000 ... 00000000 00000000 },\n    {length = 32, bytes = 0x04104104 10410410 41041041 04104104 ... 04104104 10410410 }\n)}";
            kSKExcludeSubdomainFromParentPolicy = 0;
        };
    };
    TSKSwizzleNetworkDelegates = 0;
}

Versions

TrustKit: 3.0.3
CocoaPods: 1.14.3
iOS: 16.2 (iPhone Simulator)

Thanks!

quaos commented 5 months ago

UPDATE

I've created a test repo in an attempt to reproduce the issue, but still can't: test-expo-ssl-pinning-1

My latest investigation revealed that the execution does not enter TrustKit's [TSKPinningValidator handleChallenge:completionHandler:] at all, while in the test repo it reaches the endpoint and triggers TrustKit's evaluation.

Is there anything I might have missed here? Thanks!


Test Repo (entering TrustKit methods ✅)

Xcode debug stack trace

Thread 47 Queue : com.facebook.react.NetworkingQueue (serial)
#0  0x0000000104953d00 in -[RCTHTTPRequestHandler sendRequest:withDelegate:] at /Users/chakrit/Projects/test-expo-ssl-pinning-1/node_modules/react-native/Libraries/Network/RCTHTTPRequestHandler.mm:71
#1  0x0000000104960d7c in -[RCTNetworkTask start] at /Users/chakrit/Projects/test-expo-ssl-pinning-1/node_modules/react-native/Libraries/Network/RCTNetworkTask.mm:75
...

Thread 48 Queue : com.facebook.react.NetworkingQueue (serial)
#0  0x0000000104c8d9e0 in verifyPublicKeyPin at /Users/chakrit/Projects/test-expo-ssl-pinning-1/ios/Pods/TrustKit/TrustKit/Pinning/ssl_pin_verifier.m:24
#1  0x0000000104c94290 in -[TSKPinningValidator evaluateTrust:forHostname:] at /Users/chakrit/Projects/test-expo-ssl-pinning-1/ios/Pods/TrustKit/TrustKit/TSKPinningValidator.m:126
#2  0x0000000104c94774 in -[TSKPinningValidator handleChallenge:completionHandler:] at /Users/chakrit/Projects/test-expo-ssl-pinning-1/ios/Pods/TrustKit/TrustKit/TSKPinningValidator.m:202
#3  0x0000000104d5dc38 in -[RCTHTTPRequestHandler(SslPublicKeyPinning) URLSession:task:didReceiveChallenge:completionHandler:] at /Users/chakrit/Projects/test-expo-ssl-pinning-1/node_modules/react-native-ssl-public-key-pinning/ios/SslPublicKeyPinning.mm:108
#4  0x0000000183e10bcc in ___lldb_unnamed_symbol2730 ()
#5  0x0000000180b9a8e8 in __NSBLOCKOPERATION_IS_CALLING_OUT_TO_A_BLOCK__ ()
# ...
Enqueued from com.apple.NSURLSession-work (Thread 48) Queue : com.apple.NSURLSession-work (serial)

iOS -> macOS console log

(hard to capture, it flows non-stop and won't pause)

default 15:02:39.277090+0700    testexposslpinning1 === TrustKit: Loaded 6 SPKI cache entries from the filesystem
default 15:31:35.878371+0700    testexposslpinning1 === TrustKit: Successfully initialized with configuration {
    TSKPinnedDomains =     {
        "firebaseremoteconfig.googleapis.com" =         {
          // ...
        };
        "google.com" =         {
          // ...
        };
        "quaos-portfolio.netlify.app" =         {
            TSKDisableDefaultReportUri = 1;
            TSKEnforcePinning = 1;
            TSKIncludeSubdomains = 1;
            TSKPublicKeyHashes = "{(\n    {length = 32, bytes = 0xaff98890 6dde1295 5d9bebbf 928fdcc3 ... 1c8941ca 26e20391 },\n    {length = 32, bytes = 0x59e738e6 74221702 af1edb87 c5200c1a ... 265124c6 1bd83c79 }\n)}";
            kSKExcludeSubdomainFromParentPolicy = 0;
        };
    };
    TSKSwizzleNetworkDelegates = 0;
}

default 15:44:34.968784+0700    testexposslpinning1 boringssl_context_evaluate_trust_async(1635) [C37.1.1.3:2][0x1503151b0] Performing external trust evaluation
default 15:44:34.969041+0700    testexposslpinning1 boringssl_context_evaluate_trust_async_external(1620) [C37.1.1.3:2][0x1503151b0] Asyncing for external verify block
default 15:45:08.189121+0700    testexposslpinning1 === TrustKit: Testing SSL Pin {length = 32, bytes = 0x59e738e6 74221702 af1edb87 c5200c1a ... 265124c6 1bd83c79 }
default 15:45:08.189281+0700    testexposslpinning1 === TrustKit: SSL Pin found for quaos-portfolio.netlify.app
default 15:45:08.189379+0700    testexposslpinning1 === TrustKit: Pin validation succeeded for quaos-portfolio.netlify.app
default 15:45:08.204597+0700    testexposslpinning1 boringssl_context_evaluate_trust_async_external_block_invoke(1608) [0x0] Cancelled during verify block

Original Repo (not entering TrustKit methods ❌)

Xcode debug stack trace

Thread 91 Queue : com.facebook.react.NetworkingQueue (serial)
#0  0x0000000103718d64 in -[RCTHTTPRequestHandler sendRequest:withDelegate:] at /Users/chakrit/Projects/myapp/node_modules/react-native/Libraries/Network/RCTHTTPRequestHandler.mm:71
#1  0x0000000103725de0 in -[RCTNetworkTask start] at /Users/chakrit/Projects/myapp/node_modules/react-native/Libraries/Network/RCTNetworkTask.mm:75
...

iOS -> macOS console log

(hard to capture, it flows non-stop and won't pause)

default 16:08:30.082662+0700    myapp   === TrustKit: Loaded 0 SPKI cache entries from the filesystem
default 16:08:57.250258+0700    myapp   === TrustKit: Successfully initialized with configuration {
    TSKPinnedDomains =     {
        "some-service.tech" =         {
            TSKDisableDefaultReportUri = 1;
            TSKEnforcePinning = 1;
            TSKIncludeSubdomains = 1;
            TSKPublicKeyHashes = "{(\n    {length = 32, bytes = 0x00000000 00000000 00000000 00000000 ... 00000000 00000000 },\n    {length = 32, bytes = 0x04104104 10410410 41041041 04104104 ... 04104104 10410410 }\n)}";
            kSKExcludeSubdomainFromParentPolicy = 0;
        };
    };
    TSKSwizzleNetworkDelegates = 0;
}

default 16:17:39.503190+0700    myapp   boringssl_context_evaluate_trust_async(1635) [C255.1.2.1:2][0x15b241600] Performing external trust evaluation
default 16:17:39.503268+0700    myapp   boringssl_context_evaluate_trust_async_external(1620) [C255.1.2.1:2][0x15b241600] Asyncing for external verify block
default 16:17:39.520363+0700    myapp   boringssl_context_evaluate_trust_async_external_block_invoke_3(1576) [C255.1.2.1:2][0x15b241600] Returning from external verify block with result: true
default 16:17:39.520441+0700    myapp   boringssl_context_certificate_verify_callback(1797) [C255.1.2.1:2][0x15b241600] Certificate verification result: OK
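
Added example, not part of the original thread or of TrustKit: a triage script for console captures like the two above that flags trust evaluations the OS accepted with no TrustKit log line in between, which is what the failing capture shows. The function names and the condensed sample lines are constructed here, and attributing TrustKit lines to an evaluation by log order within one process is an assumption that breaks down with concurrent handshakes.

```python
import re

# Constructed sample, condensed from the two console excerpts in the post above.
SAMPLE = """\
default 15:44:34.968784+0700    testexposslpinning1 boringssl_context_evaluate_trust_async(1635) [C37.1.1.3:2][0x1503151b0] Performing external trust evaluation
default 15:45:08.189281+0700    testexposslpinning1 === TrustKit: SSL Pin found for quaos-portfolio.netlify.app
default 15:45:08.189379+0700    testexposslpinning1 === TrustKit: Pin validation succeeded for quaos-portfolio.netlify.app
default 15:45:08.204597+0700    testexposslpinning1 boringssl_context_evaluate_trust_async_external_block_invoke(1608) [0x0] Cancelled during verify block
default 16:17:39.503190+0700    myapp   boringssl_context_evaluate_trust_async(1635) [C255.1.2.1:2][0x15b241600] Performing external trust evaluation
default 16:17:39.520363+0700    myapp   boringssl_context_evaluate_trust_async_external_block_invoke_3(1576) [C255.1.2.1:2][0x15b241600] Returning from external verify block with result: true
"""

# level, timestamp, process name, message (the layout shown in the captures)
LINE = re.compile(r"^\S+\s+(?P<time>\S+)\s+(?P<proc>\S+)\s+(?P<msg>.*)$")
START = "Performing external trust evaluation"
END = re.compile(r"Returning from external verify block with result: (\w+)"
                 r"|Cancelled during verify block")
CONN = re.compile(r"\[(C[\d.:]+)\]")
TSK = "=== TrustKit:"


def audit(log_text):
    """Return one record per external trust evaluation, in log order."""
    open_evals, records = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # indented continuation lines of the config dump
        proc, msg = m["proc"], m["msg"]
        if START in msg:
            conn = CONN.search(msg)
            open_evals[proc] = {"process": proc, "started": m["time"],
                                "conn": conn.group(1) if conn else None,
                                "trustkit": []}
        elif msg.startswith(TSK) and proc in open_evals:
            # Any TrustKit line inside the window means the validator ran.
            open_evals[proc]["trustkit"].append(msg[len(TSK):].strip())
        elif (end := END.search(msg)) and proc in open_evals:
            rec = open_evals.pop(proc)
            rec["result"] = end.group(1) or "cancelled"
            rec["pin_checked"] = bool(rec["trustkit"])
            records.append(rec)
    return records


def unpinned(records):
    """Evaluations accepted by the OS with no TrustKit activity in between."""
    return [r for r in records if r["result"] == "true" and not r["pin_checked"]]
```
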