datatheorem / TrustKit

Easy SSL pinning validation and reporting for iOS, macOS, tvOS and watchOS.
MIT License

Pin validation not invoked #57

Closed. hexploitable closed this issue 8 years ago.

hexploitable commented 8 years ago

I have tried this on both the iOS 9.3 Simulator and a device running iOS 10. Installed via pods, latest version (i.e. pod 'TrustKit').

I also tried adding breakpoints in the TrustKit pin validation routines and they are never hit; as you'll see below, no logs either.

Just to see what happens, I left the default programmatic config in for my domain, with another domain's hashes (yahoo.com's hashes):

    NSDictionary *trustKitConfig =
    @{
        kTSKSwizzleNetworkDelegates : @YES,
        kTSKPinnedDomains : @{
            @"MYDOMAIN" : @{
                kTSKIncludeSubdomains : @YES,
                kTSKPublicKeyAlgorithms : @[kTSKAlgorithmRsa4096],
                kTSKPublicKeyHashes : @[
                    @"TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
                    @"rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE="
                ],
                kTSKEnforcePinning : @YES,
            }
        }
    };

    [TrustKit initializeWithConfiguration:trustKitConfig];

When I run the app, it actually connects to the domain anyway, despite pinning enforced, and the logs show this:

2016-07-06 20:37:23.451972 TK-Example[2792:869181] === TrustKit: Configuration passed via explicit call to initializeWithConfiguration:
2016-07-06 20:37:23.453288 TK-Example[2792:869181] *** -[NSKeyedUnarchiver initForReadingWithData:]: data is NULL
2016-07-06 20:37:23.453385 TK-Example[2792:869181] === TrustKit: Loaded 0 SPKI cache entries from the filesystem
2016-07-06 20:37:23.507451 TK-Example[2792:869181] === TrustKit: Successfully initialized with configuration {
    TSKPinnedDomains =     {
        "MYDOMAIN" =         {
            TSKDisableDefaultReportUri = 0;
            TSKEnforcePinning = 1;
            TSKIncludeSubdomains = 1;
            TSKPublicKeyAlgorithms =             (
                1
            );
            TSKPublicKeyHashes = "{(\n    <ac58dcdf 01bb9536 5ee37cde 613bcfab c938c5d0 c4bad0a6 22123976 7e2809e1>,\n    <4d012d74 c6e6c058 185227cc e0b0c5fb 1804b5dd 33ebd98f 1a6929d3 5e1de996>\n)}";
        };
    };
    TSKSwizzleNetworkDelegates = 1;
}
2016-07-06 20:37:23.968416 TK-Example[2792:869243] Response: <NSHTTPURLResponse: 0x17002e920> { URL: https://MYDOMAIN/ } { status code: 200, headers {
    "Cache-Control" = "public, max-age=0";
    Connection = "Keep-Alive";
    "Content-Encoding" = gzip;
    "Content-Type" = "text/html; charset=utf-8";
    Date = "Wed, 06 Jul 2016 19:37:23 GMT";
    Etag = "W/\"44a5-ScJW2rB+srCBlitpEpvKUA\"";
    "Keep-Alive" = "timeout=5, max=100";
    Server = "Apache/2.4.18 (Ubuntu)";
    "Strict-Transport-Security" = "max-age=63072000; includeSubDomains";
    "Transfer-Encoding" = Identity;
    Vary = "Accept-Encoding";
    Via = "1.1 MYDOMAIN";
    "X-Powered-By" = Express;
} }

Any ideas what I might be doing wrong? Will try the Info.plist config route when I get the chance to see if I observe the same behaviour.

nabla-c0d3 commented 8 years ago

Hi, thanks for the report. I can see that you are using kTSKSwizzleNetworkDelegates; how are you opening the connection (which API)? The best way to use TrustKit is to manually call into TSKPinningValidator instead of relying on kTSKSwizzleNetworkDelegates. Thanks,

hexploitable commented 8 years ago

Hey, not got the source on me right now, but I was using NSURLSession and just making a basic connection to a site via HTTPS.

Tonight I'll confirm if the behaviour is the same for the config approach, and also see if I have better luck using TSKPinningValidator.

nabla-c0d3 commented 8 years ago

I just tried myself on an iOS 10 device and didn't see any problems. Please re-open this issue if it's still an issue.

mina-kleid commented 7 years ago

@hexploitable any feedback on this? I have the same problem; also, no notification is posted (kTSKValidationCompletedNotification).

nabla-c0d3 commented 7 years ago

Are you using swizzling or not?

mina-kleid commented 7 years ago

@nabla-c0d3 Yes, I do. The problem was I gave the domain with the protocol, "https://mydomain.com", instead of "mydomain.com".
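An added example, not code from the TrustKit project or from this thread, showing why a pinned-domain key written as "https://mydomain.com" means no entry is ever selected for the connection (so validation is silently skipped, matching the symptom above), and a pre-ship lint that flags such a key. The key-matching function is a simplified assumption about how an entry is selected (exact hostname, or a parent domain with TSKIncludeSubdomains), not TrustKit's source.

```python
import base64
import re

# Constructed configs mirroring the shape of the issue's kTSKPinnedDomains
# dictionary (hypothetical, not TrustKit's own data structures).
BROKEN_CONFIG = {
    "https://mydomain.com": {  # scheme in the key: never equals a hostname
        "TSKIncludeSubdomains": True,
        "TSKEnforcePinning": True,
        "TSKPublicKeyHashes": [
            "TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
            "rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE=",
        ],
    }
}
FIXED_CONFIG = {"mydomain.com": BROKEN_CONFIG["https://mydomain.com"]}

HOSTNAME_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*")


def pinned_entry_for(config, hostname):
    """Simplified model (assumption) of entry selection for a connection:
    exact hostname match, else a parent domain that opted into subdomains.
    Returning None means no pin validation happens for this host."""
    hostname = hostname.lower().rstrip(".")
    if hostname in config:
        return config[hostname]
    for key, entry in config.items():
        if entry.get("TSKIncludeSubdomains") and hostname.endswith("." + key.lower()):
            return entry
    return None


def lint_config(config):
    """Report mistakes that make pinning silently not apply or be unsafe."""
    problems = []
    for key, entry in config.items():
        if not HOSTNAME_RE.fullmatch(key):
            problems.append(f"{key!r}: key must be a bare hostname, not a URL")
        hashes = entry.get("TSKPublicKeyHashes", [])
        if len(hashes) < 2:
            problems.append(f"{key!r}: fewer than two pins (no backup pin)")
        for h in hashes:
            try:
                digest = base64.b64decode(h, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                digest = b""
            if len(digest) != 32:  # SPKI pins are base64 SHA-256 digests
                problems.append(f"{key!r}: {h!r} is not a base64 SHA-256 digest")
    return problems
```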

brainiumSumita commented 7 years ago

@nabla-c0d3 How do I verify that pinning is working fine? I recently implemented TrustKit for iOS but am unable to understand if I need to store the SSL certificate in my app bundle or not. Please reply quickly; I have a delivery today. Another question: does TrustKit support API calling, or do I have to use AFNetworking to call the API?

saeedtkh commented 2 years ago

any updates?