diff --git a/AFNetworking/AFSecurityPolicy.h b/AFNetworking/AFSecurityPolicy.h index 80df91d553..164fd48d0c 100644 --- a/AFNetworking/AFSecurityPolicy.h +++ b/AFNetworking/AFSecurityPolicy.h @@ -48,9 +48,9 @@ NS_ASSUME_NONNULL_BEGIN By default, this property is set to any (`.cer`) certificates included in the target compiling AFNetworking. Note that if you are using AFNetworking as embedded framework, no certificates will be pinned by default. Use `certificatesInBundle` to load certificates from your target, and then create a new policy by calling `policyWithPinningMode:withPinnedCertificates`. - Note that if you create an array with duplicate certificates, the duplicate certificates will be removed. Note that if pinning is enabled, `evaluateServerTrust:forDomain:` will return true if any pinned certificate matches. + Note that if pinning is enabled, `evaluateServerTrust:forDomain:` will return true if any pinned certificate matches. */ -@property (nonatomic, strong, nullable) NSArray *pinnedCertificates; +@property (nonatomic, strong, nullable) NSSet *pinnedCertificates; /** Whether or not to trust servers with an invalid or expired SSL certificates. Defaults to `NO`. @@ -71,7 +71,7 @@ NS_ASSUME_NONNULL_BEGIN @return The default security policy. */ -+ (NSArray *)certificatesInBundle:(NSBundle *)bundle; ++ (NSSet *)certificatesInBundle:(NSBundle *)bundle; ///----------------------------------------- /// @name Getting Specific Security Policies @@ -105,7 +105,7 @@ NS_ASSUME_NONNULL_BEGIN @return A new security policy. */ -+ (instancetype)policyWithPinningMode:(AFSSLPinningMode)pinningMode withPinnedCertificates:(NSArray *)pinnedCertificates; ++ (instancetype)policyWithPinningMode:(AFSSLPinningMode)pinningMode withPinnedCertificates:(NSSet *)pinnedCertificates; ///------------------------------ /// @name Evaluating Server Trust diff --git a/AFNetworking/AFSecurityPolicy.m b/AFNetworking/AFSecurityPolicy.m index d613220e18..ca15dbaff0 100644 
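Review bot: The new `pinnedCertificates` declaration keeps `strong` for a collection type, so a caller can pass an `NSMutableSet` and mutate the pins after the policy has derived `pinnedPublicKeys` from them; for a trust anchor this should be `copy` with a typed element, `@property (nonatomic, copy, nullable) NSSet<NSData *> *pinnedCertificates;`, and the same `NSSet<NSData *>` on `certificatesInBundle:` and `policyWithPinningMode:withPinnedCertificates:`. Because the class has a custom setter, the attribute alone does not perform the copy; the setter in the `.m` has to honor it. The rewritten doc comment could also state why the duplicate note was dropped, e.g. `Certificates are compared by their DER bytes (NSData equality), so identical certificates collapse to a single entry.` Unrelated to this change but visible in the `@@ -71` hunk, `certificatesInBundle:` is documented as `@return The default security policy.` although it returns the certificate data found in the bundle.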
--- a/AFNetworking/AFSecurityPolicy.m +++ b/AFNetworking/AFSecurityPolicy.m @@ -150,25 +150,25 @@ static BOOL AFServerTrustIsValid(SecTrustRef serverTrust) { @interface AFSecurityPolicy() @property (readwrite, nonatomic, assign) AFSSLPinningMode SSLPinningMode; -@property (readwrite, nonatomic, strong) NSArray *pinnedPublicKeys; +@property (readwrite, nonatomic, strong) NSSet *pinnedPublicKeys; @end @implementation AFSecurityPolicy -+ (NSArray *)certificatesInBundle:(NSBundle *)bundle { ++ (NSSet *)certificatesInBundle:(NSBundle *)bundle { NSArray *paths = [bundle pathsForResourcesOfType:@"cer" inDirectory:@"."]; - NSMutableArray *certificates = [NSMutableArray arrayWithCapacity:[paths count]]; + NSMutableSet *certificates = [NSMutableSet setWithCapacity:[paths count]]; for (NSString *path in paths) { NSData *certificateData = [NSData dataWithContentsOfFile:path]; [certificates addObject:certificateData]; } - return [[NSArray alloc] initWithArray:certificates]; + return [NSSet setWithSet:certificates]; } -+ (NSArray *)defaultPinnedCertificates { - static NSArray *_defaultPinnedCertificates = nil; ++ (NSSet *)defaultPinnedCertificates { + static NSSet *_defaultPinnedCertificates = nil; static dispatch_once_t onceToken; dispatch_once(&onceToken, ^{ NSBundle *bundle = [NSBundle bundleForClass:[self class]]; @@ -189,7 +189,7 @@ + (instancetype)policyWithPinningMode:(AFSSLPinningMode)pinningMode { return [self policyWithPinningMode:pinningMode withPinnedCertificates:[self defaultPinnedCertificates]]; } -+ (instancetype)policyWithPinningMode:(AFSSLPinningMode)pinningMode withPinnedCertificates:(NSArray *)pinnedCertificates { ++ (instancetype)policyWithPinningMode:(AFSSLPinningMode)pinningMode withPinnedCertificates:(NSSet *)pinnedCertificates { AFSecurityPolicy *securityPolicy = [[self alloc] init]; securityPolicy.SSLPinningMode = pinningMode; 
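Review bot: `certificatesInBundle:` still calls `[certificates addObject:certificateData]` without checking the result of `dataWithContentsOfFile:`, which returns nil for an unreadable `.cer` resource; `NSMutableSet` then throws `NSInvalidArgumentException`, so one bad file aborts policy construction, typically at launch. Guard it, `if (certificateData) { [certificates addObject:certificateData]; }`, ideally with a log line so a silently missing pin is noticed. This predates the commit, but the switch to a set is the natural moment to fix it. The `defaultPinnedCertificates` and `policyWithPinningMode:withPinnedCertificates:` bodies continue outside the hunks.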
@@ -209,11 +209,11 @@ - (instancetype)init { return self; } -- (void)setPinnedCertificates:(NSArray *)pinnedCertificates { - _pinnedCertificates = [[NSOrderedSet orderedSetWithArray:pinnedCertificates] array]; +- (void)setPinnedCertificates:(NSSet *)pinnedCertificates { + _pinnedCertificates = pinnedCertificates; if (self.pinnedCertificates) { - NSMutableArray *mutablePinnedPublicKeys = [NSMutableArray arrayWithCapacity:[self.pinnedCertificates count]]; + NSMutableSet *mutablePinnedPublicKeys = [NSMutableSet setWithCapacity:[self.pinnedCertificates count]]; for (NSData *certificate in self.pinnedCertificates) { id publicKey = AFPublicKeyForCertificate(certificate); if (!publicKey) { @@ -221,7 +221,7 @@ - (void)setPinnedCertificates:(NSArray *)pinnedCertificates { } [mutablePinnedPublicKeys addObject:publicKey]; } - self.pinnedPublicKeys = [NSArray arrayWithArray:mutablePinnedPublicKeys]; + self.pinnedPublicKeys = [NSSet setWithSet:mutablePinnedPublicKeys]; } else { self.pinnedPublicKeys = nil; } diff --git a/Tests/Tests/AFSecurityPolicyTests.m b/Tests/Tests/AFSecurityPolicyTests.m index 9590a34e7d..872927ea2b 100644 --- a/Tests/Tests/AFSecurityPolicyTests.m +++ b/Tests/Tests/AFSecurityPolicyTests.m @@ -223,11 +223,11 @@ - (void)testPolicyWithPublicKeyPinningModeHasHTTPBinOrgPinnedCertificate { SecCertificateRef cert = AFUTHTTPBinOrgCertificate(); NSData *certData = (__bridge NSData *)(SecCertificateCopyData(cert)); CFRelease(cert); - NSInteger index = [policy.pinnedCertificates indexOfObjectPassingTest:^BOOL(NSData *data, NSUInteger idx, BOOL *stop) { + NSSet *set = [policy.pinnedCertificates objectsPassingTest:^BOOL(NSData *data, BOOL *stop) { return [data isEqualToData:certData]; }]; - XCTAssertTrue(index!=NSNotFound, @"HTTPBin.org certificate not found in the default certificates"); + XCTAssertEqual(set.count, 1, @"HTTPBin.org certificate not found in the default certificates"); } #pragma mark Positive Server Trust Evaluation Tests 
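Review bot: `setPinnedCertificates:` now stores the caller's object directly (`_pinnedCertificates = pinnedCertificates;`), whereas the removed `NSOrderedSet` round-trip always produced a fresh immutable array. If the argument is an `NSMutableSet`, the caller can add or remove pins after `pinnedPublicKeys` has been computed, and any evaluation code outside this diff that reads `self.pinnedCertificates` would follow the mutation while the public-key set stays stale. Store a copy instead, `_pinnedCertificates = [pinnedCertificates copy];`, which is a no-op for an already immutable `NSSet`. The `if (!publicKey)` branch continues outside the hunk; it appears to drop certificates that yield no public key without any diagnostic, which deserves at least a log.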
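Review bot: `XCTAssertEqual(set.count, 1, …)` compares an `NSUInteger` with an `int`; on XCTest versions that check the `@encode` of both operands this reports a type mismatch rather than the intended result. Since `NSSet` membership already uses `NSData` equality, the filtered set is unnecessary: `XCTAssertTrue([policy.pinnedCertificates containsObject:certData], @"HTTPBin.org certificate not found in the default certificates");`. Also visible in the context, `(__bridge NSData *)(SecCertificateCopyData(cert))` takes a +1 `CFDataRef` without transferring ownership, so the test leaks it; `__bridge_transfer` matches the other tests in this file.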
@@ -235,7 +235,7 @@ - (void)testPolicyWithPublicKeyPinningAllowsHTTPBinOrgServerTrustWithHTTPBinOrgL AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey]; SecCertificateRef certificate = AFUTHTTPBinOrgCertificate(); - policy.pinnedCertificates = @[ (__bridge_transfer id)SecCertificateCopyData(certificate)]; + policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)]; XCTAssertTrue([policy evaluateServerTrust:AFUTHTTPBinOrgServerTrust() forDomain:nil], @"Policy should allow server trust"); } @@ -243,7 +243,7 @@ - (void)testPolicyWithPublicKeyPinningAllowsHTTPBinOrgServerTrustWithHTTPBinOrgI AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey]; SecCertificateRef certificate = AFUTCOMODORSADomainValidationSecureServerCertificate(); - policy.pinnedCertificates = @[ (__bridge_transfer id)SecCertificateCopyData(certificate)]; + policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)]; XCTAssertTrue([policy evaluateServerTrust:AFUTHTTPBinOrgServerTrust() forDomain:nil], @"Policy should allow server trust"); } @@ -251,7 +251,7 @@ - (void)testPolicyWithPublicKeyPinningAllowsHTTPBinOrgServerTrustWithHTTPBinOrgI AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey]; SecCertificateRef certificate = AFUTCOMODORSACertificate(); - policy.pinnedCertificates = @[ (__bridge_transfer id)SecCertificateCopyData(certificate)]; + policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)]; XCTAssertTrue([policy evaluateServerTrust:AFUTHTTPBinOrgServerTrust() forDomain:nil], @"Policy should allow server trust"); } 
@@ -259,7 +259,7 @@ - (void)testPolicyWithPublicKeyPinningAllowsHTTPBinOrgServerTrustWithHTTPBinOrgR AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey]; SecCertificateRef certificate = AFUTAddTrustExternalRootCertificate(); - policy.pinnedCertificates = @[ (__bridge_transfer id)SecCertificateCopyData(certificate)]; + policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)]; XCTAssertTrue([policy evaluateServerTrust:AFUTHTTPBinOrgServerTrust() forDomain:nil], @"Policy should allow server trust"); } @@ -270,10 +270,10 @@ - (void)testPolicyWithPublicKeyPinningAllowsHTTPBinOrgServerTrustWithEntireCerti SecCertificateRef intermedaite1Certificate = AFUTCOMODORSADomainValidationSecureServerCertificate(); SecCertificateRef intermedaite2Certificate = AFUTCOMODORSACertificate(); SecCertificateRef rootCertificate = AFUTAddTrustExternalRootCertificate(); - [policy setPinnedCertificates:@[(__bridge_transfer NSData *)SecCertificateCopyData(httpBinCertificate), - (__bridge_transfer NSData *)SecCertificateCopyData(intermedaite1Certificate), - (__bridge_transfer NSData *)SecCertificateCopyData(intermedaite2Certificate), - (__bridge_transfer NSData *)SecCertificateCopyData(rootCertificate)]]; + [policy setPinnedCertificates:[NSSet setWithObjects:(__bridge_transfer NSData *)SecCertificateCopyData(httpBinCertificate), + (__bridge_transfer NSData *)SecCertificateCopyData(intermedaite1Certificate), + (__bridge_transfer NSData *)SecCertificateCopyData(intermedaite2Certificate), + (__bridge_transfer NSData *)SecCertificateCopyData(rootCertificate), nil]]; XCTAssertTrue([policy evaluateServerTrust:AFUTHTTPBinOrgServerTrust() forDomain:nil], @"Policy should allow HTTPBinOrg server trust because at least one of the pinned certificates is valid"); } 
@@ -283,8 +283,8 @@ - (void)testPolicyWithPublicKeyPinningAllowsHTTPBirnOrgServerTrustWithHTTPbinOrg SecCertificateRef httpBinCertificate = AFUTHTTPBinOrgCertificate(); SecCertificateRef selfSignedCertificate = AFUTSelfSignedCertificateWithCommonNameDomain(); - [policy setPinnedCertificates:@[(__bridge_transfer NSData *)SecCertificateCopyData(httpBinCertificate), - (__bridge_transfer NSData *)SecCertificateCopyData(selfSignedCertificate)]]; + [policy setPinnedCertificates:[NSSet setWithObjects:(__bridge_transfer NSData *)SecCertificateCopyData(httpBinCertificate), + (__bridge_transfer NSData *)SecCertificateCopyData(selfSignedCertificate), nil]]; XCTAssertTrue([policy evaluateServerTrust:AFUTHTTPBinOrgServerTrust() forDomain:nil], @"Policy should allow HTTPBinOrg server trust because at least one of the pinned certificates is valid"); } @@ -292,7 +292,7 @@ - (void)testPolicyWithPublicKeyPinningAllowsHTTPBinOrgServerTrustWithHTTPBinOrgL AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey]; SecCertificateRef certificate = AFUTHTTPBinOrgCertificate(); - policy.pinnedCertificates = @[ (__bridge_transfer id)SecCertificateCopyData(certificate)]; + policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)]; XCTAssertTrue([policy evaluateServerTrust:AFUTHTTPBinOrgServerTrust() forDomain:@"httpbin.org"], @"Policy should allow server trust"); } 
@@ -300,7 +300,7 @@ - (void)testPolicyWithPublicKeyPinningAllowsHTTPBinOrgServerTrustWithHTTPBinOrgL - (void)testPolicyWithPublicKeyPinningAndNoPinnedCertificatesDoesNotAllowHTTPBinOrgServerTrust { AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey]; - policy.pinnedCertificates = @[]; + policy.pinnedCertificates = [NSSet set]; XCTAssertFalse([policy evaluateServerTrust:AFUTHTTPBinOrgServerTrust() forDomain:nil], @"Policy should not allow server trust because the policy is set to public key pinning and it does not contain any pinned certificates."); } @@ -308,7 +308,7 @@ - (void)testPolicyWithPublicKeyPinningDoesNotAllowADNServerTrustWithHTTPBinOrgPi AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey]; SecCertificateRef certificate = AFUTHTTPBinOrgCertificate(); - policy.pinnedCertificates = @[ (__bridge_transfer id)SecCertificateCopyData(certificate)]; + policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)]; XCTAssertFalse([policy evaluateServerTrust:AFUTADNNetServerTrust() forDomain:nil], @"Policy should not allow ADN server trust for pinned HTTPBin.org certificate"); } @@ -316,7 +316,7 @@ - (void)testPolicyWithPublicKeyPinningDoesNotAllowHTTPBinOrgServerTrustWithHTTPB AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey]; SecCertificateRef certificate = AFUTHTTPBinOrgCertificate(); - policy.pinnedCertificates = @[ (__bridge_transfer id)SecCertificateCopyData(certificate)]; + policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)]; XCTAssertFalse([policy evaluateServerTrust:AFUTHTTPBinOrgServerTrust() forDomain:@"invaliddomainname.com"], @"Policy should not allow server trust"); } 
@@ -325,8 +325,8 @@ - (void)testPolicyWithPublicKeyPinningDoesNotAllowADNServerTrustWithMultipleInva SecCertificateRef httpBinCertificate = AFUTHTTPBinOrgCertificate(); SecCertificateRef selfSignedCertificate = AFUTSelfSignedCertificateWithCommonNameDomain(); - [policy setPinnedCertificates:@[(__bridge_transfer NSData *)SecCertificateCopyData(httpBinCertificate), - (__bridge_transfer NSData *)SecCertificateCopyData(selfSignedCertificate)]]; + [policy setPinnedCertificates:[NSSet setWithObjects:(__bridge_transfer NSData *)SecCertificateCopyData(httpBinCertificate), + (__bridge_transfer NSData *)SecCertificateCopyData(selfSignedCertificate), nil]]; XCTAssertFalse([policy evaluateServerTrust:AFUTADNNetServerTrust() forDomain:nil], @"Policy should not allow ADN server trust because there are no matching pinned certificates"); } @@ -345,11 +345,11 @@ - (void)testPolicyWithCertificatePinningModeHasHTTPBinOrgPinnedCertificate { SecCertificateRef cert = AFUTHTTPBinOrgCertificate(); NSData *certData = (__bridge NSData *)(SecCertificateCopyData(cert)); CFRelease(cert); - NSInteger index = [policy.pinnedCertificates indexOfObjectPassingTest:^BOOL(NSData *data, NSUInteger idx, BOOL *stop) { + NSSet *set = [policy.pinnedCertificates objectsPassingTest:^BOOL(NSData *data, BOOL *stop) { return [data isEqualToData:certData]; }]; - XCTAssertTrue(index!=NSNotFound, @"HTTPBin.org certificate not found in the default certificates"); + XCTAssertEqual(set.count, 1, @"HTTPBin.org certificate not found in the default certificates"); } #pragma mark Positive Server Trust Evaluation Tests 
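Review bot: In the `@@ -345` hunk, `XCTAssertEqual(set.count, 1, …)` mixes `NSUInteger` and `int` operands, which some XCTest versions report as a type mismatch instead of comparing values. `NSSet` already answers the question directly: `XCTAssertTrue([policy.pinnedCertificates containsObject:certData], @"HTTPBin.org certificate not found in the default certificates");`. The `certData` bridge in the context, `(__bridge NSData *)(SecCertificateCopyData(cert))`, also leaks the +1 `CFDataRef`; `__bridge_transfer` is what the rest of the file uses.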
@@ -357,7 +357,7 @@ - (void)testPolicyWithCertificatePinningAllowsHTTPBinOrgServerTrustWithHTTPBinOr AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate]; SecCertificateRef certificate = AFUTHTTPBinOrgCertificate(); - policy.pinnedCertificates = @[ (__bridge_transfer id)SecCertificateCopyData(certificate)]; + policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)]; XCTAssertTrue([policy evaluateServerTrust:AFUTHTTPBinOrgServerTrust() forDomain:nil], @"Policy should allow server trust"); } @@ -365,7 +365,7 @@ - (void)testPolicyWithCertificatePinningAllowsHTTPBinOrgServerTrustWithHTTPBinOr AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate]; SecCertificateRef certificate = AFUTCOMODORSADomainValidationSecureServerCertificate(); - policy.pinnedCertificates = @[ (__bridge_transfer id)SecCertificateCopyData(certificate)]; + policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)]; XCTAssertTrue([policy evaluateServerTrust:AFUTHTTPBinOrgServerTrust() forDomain:nil], @"Policy should allow server trust"); } @@ -373,7 +373,7 @@ - (void)testPolicyWithCertificatePinningAllowsHTTPBinOrgServerTrustWithHTTPBinOr AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate]; SecCertificateRef certificate = AFUTCOMODORSACertificate(); - policy.pinnedCertificates = @[ (__bridge_transfer id)SecCertificateCopyData(certificate)]; + policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)]; XCTAssertTrue([policy evaluateServerTrust:AFUTHTTPBinOrgServerTrust() forDomain:nil], @"Policy should allow server trust"); } 
@@ -381,7 +381,7 @@ - (void)testPolicyWithCertificatePinningAllowsHTTPBinOrgServerTrustWithHTTPBinOr AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate]; SecCertificateRef certificate = AFUTAddTrustExternalRootCertificate(); - policy.pinnedCertificates = @[ (__bridge_transfer id)SecCertificateCopyData(certificate)]; + policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)]; XCTAssertTrue([policy evaluateServerTrust:AFUTHTTPBinOrgServerTrust() forDomain:nil], @"Policy should allow server trust"); } @@ -392,10 +392,10 @@ - (void)testPolicyWithCertificatePinningAllowsHTTPBinOrgServerTrustWithEntireCer SecCertificateRef intermedaite1Certificate = AFUTCOMODORSADomainValidationSecureServerCertificate(); SecCertificateRef intermedaite2Certificate = AFUTCOMODORSACertificate(); SecCertificateRef rootCertificate = AFUTAddTrustExternalRootCertificate(); - [policy setPinnedCertificates:@[(__bridge_transfer NSData *)SecCertificateCopyData(httpBinCertificate), - (__bridge_transfer NSData *)SecCertificateCopyData(intermedaite1Certificate), - (__bridge_transfer NSData *)SecCertificateCopyData(intermedaite2Certificate), - (__bridge_transfer NSData *)SecCertificateCopyData(rootCertificate)]]; + [policy setPinnedCertificates:[NSSet setWithObjects:(__bridge_transfer NSData *)SecCertificateCopyData(httpBinCertificate), + (__bridge_transfer NSData *)SecCertificateCopyData(intermedaite1Certificate), + (__bridge_transfer NSData *)SecCertificateCopyData(intermedaite2Certificate), + (__bridge_transfer NSData *)SecCertificateCopyData(rootCertificate), nil]]; XCTAssertTrue([policy evaluateServerTrust:AFUTHTTPBinOrgServerTrust() forDomain:nil], @"Policy should allow HTTPBinOrg server trust because at least one of the pinned certificates is valid"); } 
@@ -405,8 +405,8 @@ - (void)testPolicyWithCertificatePinningAllowsHTTPBirnOrgServerTrustWithHTTPbinO SecCertificateRef httpBinCertificate = AFUTHTTPBinOrgCertificate(); SecCertificateRef selfSignedCertificate = AFUTSelfSignedCertificateWithCommonNameDomain(); - [policy setPinnedCertificates:@[(__bridge_transfer NSData *)SecCertificateCopyData(httpBinCertificate), - (__bridge_transfer NSData *)SecCertificateCopyData(selfSignedCertificate)]]; + [policy setPinnedCertificates:[NSSet setWithObjects:(__bridge_transfer NSData *)SecCertificateCopyData(httpBinCertificate), + (__bridge_transfer NSData *)SecCertificateCopyData(selfSignedCertificate), nil]]; XCTAssertTrue([policy evaluateServerTrust:AFUTHTTPBinOrgServerTrust() forDomain:nil], @"Policy should allow HTTPBinOrg server trust because at least one of the pinned certificates is valid"); } @@ -414,7 +414,7 @@ - (void)testPolicyWithCertificatePinningAllowsHTTPBinOrgServerTrustWithHTTPBinOr AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate]; SecCertificateRef certificate = AFUTHTTPBinOrgCertificate(); - policy.pinnedCertificates = @[ (__bridge_transfer id)SecCertificateCopyData(certificate)]; + policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)]; XCTAssertTrue([policy evaluateServerTrust:AFUTHTTPBinOrgServerTrust() forDomain:@"httpbin.org"], @"Policy should allow server trust"); } 
@@ -437,13 +437,13 @@ - (void)testPolicyWithCertificatePinningAllowsGoogleComServerTrustIncompleteChai // certification path 1 SecCertificateRef certificate = AFUTGoogleComGeoTrustGlobalCARootCertificate(); - policy.pinnedCertificates = @[ (__bridge_transfer id)SecCertificateCopyData(certificate)]; + policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)]; XCTAssertTrue([policy evaluateServerTrust:AFUTGoogleComServerTrustPath1() forDomain:@"google.com"], @"Policy should allow server trust"); // certification path 2 certificate = AFUTGoogleComEquifaxSecureCARootCertificate(); - policy.pinnedCertificates = @[ (__bridge_transfer id)SecCertificateCopyData(certificate)]; + policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)]; XCTAssertTrue([policy evaluateServerTrust:AFUTGoogleComServerTrustPath2() forDomain:@"google.com"], @"Policy should allow server trust"); } @@ -452,7 +452,7 @@ - (void)testPolicyWithCertificatePinningAllowsGoogleComServerTrustIncompleteChai - (void)testPolicyWithCertificatePinningAndNoPinnedCertificatesDoesNotAllowHTTPBinOrgServerTrust { AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate]; - policy.pinnedCertificates = @[]; + policy.pinnedCertificates = [NSSet set]; XCTAssertFalse([policy evaluateServerTrust:AFUTHTTPBinOrgServerTrust() forDomain:nil], @"Policy should not allow server trust because the policy does not contain any pinned certificates."); } 
@@ -460,7 +460,7 @@ - (void)testPolicyWithCertificatePinningDoesNotAllowADNServerTrustWithHTTPBinOrg AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate]; SecCertificateRef certificate = AFUTHTTPBinOrgCertificate(); - policy.pinnedCertificates = @[ (__bridge_transfer id)SecCertificateCopyData(certificate)]; + policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)]; XCTAssertFalse([policy evaluateServerTrust:AFUTADNNetServerTrust() forDomain:nil], @"Policy should not allow ADN server trust for pinned HTTPBin.org certificate"); } @@ -468,7 +468,7 @@ - (void)testPolicyWithCertificatePinningDoesNotAllowHTTPBinOrgServerTrustWithHTT AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate]; SecCertificateRef certificate = AFUTHTTPBinOrgCertificate(); - policy.pinnedCertificates = @[ (__bridge_transfer id)SecCertificateCopyData(certificate)]; + policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)]; XCTAssertFalse([policy evaluateServerTrust:AFUTHTTPBinOrgServerTrust() forDomain:@"invaliddomainname.com"], @"Policy should not allow server trust"); } 
@@ -477,8 +477,8 @@ - (void)testPolicyWithCertificatePinningDoesNotAllowADNServerTrustWithMultipleIn SecCertificateRef httpBinCertificate = AFUTHTTPBinOrgCertificate(); SecCertificateRef selfSignedCertificate = AFUTSelfSignedCertificateWithCommonNameDomain(); - [policy setPinnedCertificates:@[(__bridge_transfer NSData *)SecCertificateCopyData(httpBinCertificate), - (__bridge_transfer NSData *)SecCertificateCopyData(selfSignedCertificate)]]; + [policy setPinnedCertificates:[NSSet setWithObjects:(__bridge_transfer NSData *)SecCertificateCopyData(httpBinCertificate), + (__bridge_transfer NSData *)SecCertificateCopyData(selfSignedCertificate), nil]]; XCTAssertFalse([policy evaluateServerTrust:AFUTADNNetServerTrust() forDomain:nil], @"Policy should not allow ADN server trust because there are no matching pinned certificates"); } @@ -501,7 +501,7 @@ - (void)testThatPolicyWithDomainNameValidationAndSelfSignedCommonNameCertificate SecCertificateRef certificate = AFUTSelfSignedCertificateWithCommonNameDomain(); SecTrustRef trust = AFUTTrustWithCertificate(certificate); - [policy setPinnedCertificates:@[(__bridge_transfer NSData *)SecCertificateCopyData(certificate)]]; + [policy setPinnedCertificates:[NSSet setWithObject:(__bridge_transfer NSData *)SecCertificateCopyData(certificate)]]; [policy setAllowInvalidCertificates:YES]; XCTAssertTrue([policy evaluateServerTrust:trust forDomain:@"foobar.com"], @"Policy should allow server trust"); 
@@ -512,7 +512,7 @@ - (void)testThatPolicyWithDomainNameValidationAndSelfSignedDNSCertificateAllowsS SecCertificateRef certificate = AFUTSelfSignedCertificateWithDNSNameDomain(); SecTrustRef trust = AFUTTrustWithCertificate(certificate); - [policy setPinnedCertificates:@[(__bridge_transfer NSData *)SecCertificateCopyData(certificate)]]; + [policy setPinnedCertificates:[NSSet setWithObject:(__bridge_transfer NSData *)SecCertificateCopyData(certificate)]]; [policy setAllowInvalidCertificates:YES]; XCTAssertTrue([policy evaluateServerTrust:trust forDomain:@"foobar.com"], @"Policy should allow server trust"); @@ -530,7 +530,7 @@ - (void)testThatPolicyWithDomainNameValidationAndSelfSignedNoDomainCertificateDo SecCertificateRef certificate = AFUTSelfSignedCertificateWithoutDomain(); SecTrustRef trust = AFUTTrustWithCertificate(certificate); - [policy setPinnedCertificates:@[(__bridge_transfer NSData *)SecCertificateCopyData(certificate)]]; + [policy setPinnedCertificates:[NSSet setWithObject:(__bridge_transfer NSData *)SecCertificateCopyData(certificate)]]; [policy setAllowInvalidCertificates:YES]; XCTAssertFalse([policy evaluateServerTrust:trust forDomain:@"foobar.com"], @"Policy should not allow server trust"); @@ -554,7 +554,7 @@ - (void)testThatPolicyWithInvalidCertificatesAllowedAndValidPinnedCertificatesDo [policy setAllowInvalidCertificates:YES]; SecCertificateRef certificate = AFUTSelfSignedCertificateWithDNSNameDomain(); SecTrustRef trust = AFUTTrustWithCertificate(certificate); - [policy setPinnedCertificates:@[(__bridge_transfer NSData *)SecCertificateCopyData(certificate)]]; + [policy setPinnedCertificates:[NSSet setWithObject:(__bridge_transfer NSData *)SecCertificateCopyData(certificate)]]; XCTAssertTrue([policy evaluateServerTrust:trust forDomain:@"foobar.com"], @"Policy should allow server trust because invalid certificates are allowed"); } 
@@ -584,7 +584,7 @@ - (void)testThatPolicyWithInvalidCertificatesDisabledDoesNotAllowSelfSignedServe - (void)testThatPolicyWithInvalidCertificatesAllowedAndNoPinnedCertificatesAndPublicKeyPinningModeDoesNotAllowSelfSignedServerTrustForValidDomainName { AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey]; [policy setAllowInvalidCertificates:YES]; - [policy setPinnedCertificates:@[]]; + [policy setPinnedCertificates:[NSSet set]]; SecCertificateRef certificate = AFUTSelfSignedCertificateWithDNSNameDomain(); SecTrustRef trust = AFUTTrustWithCertificate(certificate); @@ -596,7 +596,7 @@ - (void)testThatPolicyWithInvalidCertificatesAllowedAndValidPinnedCertificatesAn [policy setAllowInvalidCertificates:YES]; SecCertificateRef certificate = AFUTSelfSignedCertificateWithDNSNameDomain(); SecTrustRef trust = AFUTTrustWithCertificate(certificate); - [policy setPinnedCertificates:@[(__bridge_transfer NSData *)SecCertificateCopyData(certificate)]]; + [policy setPinnedCertificates:[NSSet setWithObject:(__bridge_transfer NSData *)SecCertificateCopyData(certificate)]]; XCTAssertFalse([policy evaluateServerTrust:trust forDomain:@"foobar.com"], @"Policy should not allow server trust because invalid certificates are allowed but there are no pinned certificates"); } @@ -604,7 +604,7 @@ - (void)testThatPolicyWithInvalidCertificatesAllowedAndValidPinnedCertificatesAn - (void)testThatPolicyWithInvalidCertificatesAllowedAndNoValidPinnedCertificatesAndNoPinningModeAndDomainValidationDoesNotAllowSelfSignedServerTrustForValidDomainName { AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone]; [policy setAllowInvalidCertificates:YES]; - [policy setPinnedCertificates:@[]]; + [policy setPinnedCertificates:[NSSet set]]; SecCertificateRef certificate = AFUTSelfSignedCertificateWithDNSNameDomain(); SecTrustRef trust = AFUTTrustWithCertificate(certificate); 
@@ -617,20 +617,21 @@ - (void)testThatPolicyCanBeCopied { AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate]; policy.allowInvalidCertificates = YES; policy.validatesDomainName = NO; + policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(AFUTHTTPBinOrgCertificate())]; AFSecurityPolicy *copiedPolicy = [policy copy]; XCTAssertNotEqual(copiedPolicy, policy); XCTAssertEqual(copiedPolicy.allowInvalidCertificates, policy.allowInvalidCertificates); XCTAssertEqual(copiedPolicy.validatesDomainName, policy.validatesDomainName); XCTAssertEqual(copiedPolicy.SSLPinningMode, policy.SSLPinningMode); - XCTAssertNotEqual(copiedPolicy.pinnedCertificates, policy.pinnedCertificates); - XCTAssertTrue([copiedPolicy.pinnedCertificates isEqualToArray:policy.pinnedCertificates]); + XCTAssertTrue([copiedPolicy.pinnedCertificates isEqualToSet:policy.pinnedCertificates]); } - (void)testThatPolicyCanBeEncodedAndDecoded { AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate]; policy.allowInvalidCertificates = YES; policy.validatesDomainName = NO; + policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(AFUTHTTPBinOrgCertificate())]; NSMutableData *archiveData = [NSMutableData new]; NSKeyedArchiver *archiver = [[NSKeyedArchiver alloc] initForWritingWithMutableData:archiveData]; 
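Review bot: Dropping `XCTAssertNotEqual(copiedPolicy.pinnedCertificates, policy.pinnedCertificates)` leaves `testThatPolicyCanBeCopied` asserting only set equality, which an aliased mutable set satisfies just as well; pointer identity was the wrong check (an immutable `NSSet` returns itself from `copy`), but the property it guarded, that a policy cannot be altered through a collection the caller still holds, is now untested. A mutation test states that contract directly and will hold once the setter copies its argument. The new setup line also leaks the `SecCertificateRef` returned by `AFUTHTTPBinOrgCertificate()`, which is never released; `testPolicyWithPublicKeyPinningModeHasHTTPBinOrgPinnedCertificate` keeps the ref in a local and calls `CFRelease`. `testThatPolicyCanBeEncodedAndDecoded` continues outside the hunk.
```objc
// … new test method, e.g. testThatPinnedCertificatesDoNotAliasTheCallersSet …
AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
SecCertificateRef certificate = AFUTHTTPBinOrgCertificate();
NSMutableSet *pins = [NSMutableSet setWithObject:(__bridge_transfer NSData *)SecCertificateCopyData(certificate)];
CFRelease(certificate);
policy.pinnedCertificates = pins;
[pins removeAllObjects];
XCTAssertEqual(policy.pinnedCertificates.count, (NSUInteger)1, @"Pinned certificates must not alias the caller's mutable set");
```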
@@ -644,8 +645,7 @@ - (void)testThatPolicyCanBeEncodedAndDecoded { XCTAssertEqual(unarchivedPolicy.allowInvalidCertificates, policy.allowInvalidCertificates); XCTAssertEqual(unarchivedPolicy.validatesDomainName, policy.validatesDomainName); XCTAssertEqual(unarchivedPolicy.SSLPinningMode, policy.SSLPinningMode); - XCTAssertNotEqual(unarchivedPolicy.pinnedCertificates, policy.pinnedCertificates); - XCTAssertTrue([unarchivedPolicy.pinnedCertificates isEqualToArray:policy.pinnedCertificates]); + XCTAssertTrue([unarchivedPolicy.pinnedCertificates isEqualToSet:policy.pinnedCertificates]); } @end
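Review bot: Changing the archived type from `NSArray` to `NSSet` affects `initWithCoder:`, which is outside this diff: if it decodes with `decodeObjectOfClass:[NSArray class] forKey:…` it must become `[NSSet class]` or secure decoding rejects the new archives, and archives written by earlier versions still contain an `NSArray`, which would land in an `NSSet`-typed property and fail on the first set message. Accepting both on decode and converting keeps old archives readable, e.g. `id pins = [decoder decodeObjectOfClasses:[NSSet setWithObjects:[NSSet class], [NSArray class], [NSData class], nil] forKey:…]; self.pinnedCertificates = [pins isKindOfClass:[NSArray class]] ? [NSSet setWithArray:pins] : pins;`. The round-trip test here only covers the new format; a fixture archived by the previous version would catch the regression.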