Added revoked evaluation server trust policy to check for revoked cer…

…tificates.
Alamofire · Jan 16, 2017 · 52fc15e · 52fc15e
1 parent 22fec47
commit 52fc15e
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/Source/ServerTrustPolicy.swift b/Source/ServerTrustPolicy.swift
@@ -88,6 +88,13 @@ extension URLSession {
 ///                             validate the host in production environments to guarantee the validity of the server's
 ///                             certificate chain.
 ///
+/// - performRevokedEvaluation: Uses the default and revoked server trust evaluations allowing you to control whether to
+///                             validate the host provided by the challenge as well as specify the revocation flags for
+///                             testing for revoked certificates. Apple platforms did not start testing for revoked
+///                             certificates automatically until iOS 10.1, macOS 10.12 and tvOS 10.1 which is 
+///                             demonstrated in our TLS tests. Applications are encouraged to always validate the host 
+///                             in production environments to guarantee the validity of the server's certificate chain.
+///
 /// - pinCertificates:          Uses the pinned certificates to validate the server trust. The server trust is
 ///                             considered valid if one of the pinned certificates match one of the server certificates.
 ///                             By validating both the certificate chain and host, certificate pinning provides a very
@@ -107,6 +114,7 @@ extension URLSession {
 /// - customEvaluation:         Uses the associated closure to evaluate the validity of the server trust.
 public enum ServerTrustPolicy {
     case performDefaultEvaluation(validateHost: Bool)
+    case performRevokedEvaluation(validateHost: Bool, revocationFlags: CFOptionFlags)
     case pinCertificates(certificates: [SecCertificate], validateCertificateChain: Bool, validateHost: Bool)
     case pinPublicKeys(publicKeys: [SecKey], validateCertificateChain: Bool, validateHost: Bool)
     case disableEvaluation
@@ -171,6 +179,12 @@ public enum ServerTrustPolicy {
             let policy = SecPolicyCreateSSL(true, validateHost ? host as CFString : nil)
             SecTrustSetPolicies(serverTrust, policy)
 
+            serverTrustIsValid = trustIsValid(serverTrust)
+        case let .performRevokedEvaluation(validateHost, revocationFlags):
+            let defaultPolicy = SecPolicyCreateSSL(true, validateHost ? host as CFString : nil)
+            let revokedPolicy = SecPolicyCreateRevocation(revocationFlags)
+            SecTrustSetPolicies(serverTrust, [defaultPolicy, revokedPolicy] as CFTypeRef)
+
             serverTrustIsValid = trustIsValid(serverTrust)
         case let .pinCertificates(pinnedCertificates, validateCertificateChain, validateHost):
             if validateCertificateChain {