Pluggable, more flexible, security policies.
Extract @FredericJacobs' CertificateVerifier concept with @nlutsenko's
SRSecurityOptions into a pluggable SRSecurityPolicy protocol

This retains the existing SSL configuration code paths while allowing users
more flexibility to specify their own security policy. The intent is
that you can subclass an `AFSecurityPolicy` that conforms to the
`<SRSecurityPolicy>` protocol, sharing one policy between websocket and
conventional requests.

Inspired by original "Require TLS 1.2 & enable pinning" pull request by
Frederic Jacobs (@FredericJacobs) at:

https://github.com/facebook/SocketRocket/pull/274/files
michaelkirk committed Jun 29, 2016
1 parent fcd4828 commit 1af96bf
Showing 9 changed files with 379 additions and 222 deletions.
50 changes: 30 additions & 20 deletions SocketRocket.xcodeproj/project.pbxproj
Expand Up @@ -17,6 +17,18 @@
3345DC871C52ACD70083CCB8 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = F6A12CD3145122FC00C1D980 /* Security.framework */; };
3345DC881C52ACD70083CCB8 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = F6B208301450F597009315AF /* Foundation.framework */; };
3345DC8A1C52ACD70083CCB8 /* SRWebSocket.h in Headers */ = {isa = PBXBuildFile; fileRef = F6A12CCF145119B700C1D980 /* SRWebSocket.h */; settings = {ATTRIBUTES = (Public, ); }; };
454A02D51D0FAD010060DFB2 /* SRSecurityPolicy.h in Headers */ = {isa = PBXBuildFile; fileRef = 454A02D41D0FAD010060DFB2 /* SRSecurityPolicy.h */; settings = {ATTRIBUTES = (Public, ); }; };
454A02D61D0FAD010060DFB2 /* SRSecurityPolicy.h in Headers */ = {isa = PBXBuildFile; fileRef = 454A02D41D0FAD010060DFB2 /* SRSecurityPolicy.h */; };
454A02D71D0FAD010060DFB2 /* SRSecurityPolicy.h in Headers */ = {isa = PBXBuildFile; fileRef = 454A02D41D0FAD010060DFB2 /* SRSecurityPolicy.h */; };
454A02D81D0FAD010060DFB2 /* SRSecurityPolicy.h in Headers */ = {isa = PBXBuildFile; fileRef = 454A02D41D0FAD010060DFB2 /* SRSecurityPolicy.h */; };
45A5E7AF1D234B4C00C4EE5B /* SRSecurityPolicyBuilder.h in Headers */ = {isa = PBXBuildFile; fileRef = 45A5E7AD1D234B4C00C4EE5B /* SRSecurityPolicyBuilder.h */; };
45A5E7B01D234B4C00C4EE5B /* SRSecurityPolicyBuilder.m in Sources */ = {isa = PBXBuildFile; fileRef = 45A5E7AE1D234B4C00C4EE5B /* SRSecurityPolicyBuilder.m */; };
45A5E7B11D234B5800C4EE5B /* SRSecurityPolicyBuilder.h in Headers */ = {isa = PBXBuildFile; fileRef = 45A5E7AD1D234B4C00C4EE5B /* SRSecurityPolicyBuilder.h */; };
45A5E7B21D234B5800C4EE5B /* SRSecurityPolicyBuilder.m in Sources */ = {isa = PBXBuildFile; fileRef = 45A5E7AE1D234B4C00C4EE5B /* SRSecurityPolicyBuilder.m */; };
45A5E7B31D234B5900C4EE5B /* SRSecurityPolicyBuilder.h in Headers */ = {isa = PBXBuildFile; fileRef = 45A5E7AD1D234B4C00C4EE5B /* SRSecurityPolicyBuilder.h */; };
45A5E7B41D234B5900C4EE5B /* SRSecurityPolicyBuilder.m in Sources */ = {isa = PBXBuildFile; fileRef = 45A5E7AE1D234B4C00C4EE5B /* SRSecurityPolicyBuilder.m */; };
45A5E7B51D234B5A00C4EE5B /* SRSecurityPolicyBuilder.h in Headers */ = {isa = PBXBuildFile; fileRef = 45A5E7AD1D234B4C00C4EE5B /* SRSecurityPolicyBuilder.h */; };
45A5E7B61D234B5A00C4EE5B /* SRSecurityPolicyBuilder.m in Sources */ = {isa = PBXBuildFile; fileRef = 45A5E7AE1D234B4C00C4EE5B /* SRSecurityPolicyBuilder.m */; };
4861E7751D022211002FAB1D /* SRProxyConnect.h in Headers */ = {isa = PBXBuildFile; fileRef = 4861E7731D022211002FAB1D /* SRProxyConnect.h */; };
4861E7761D022211002FAB1D /* SRProxyConnect.m in Sources */ = {isa = PBXBuildFile; fileRef = 4861E7741D022211002FAB1D /* SRProxyConnect.m */; };
555E0EB41C51E57A00E6BB92 /* SocketRocket.h in Headers */ = {isa = PBXBuildFile; fileRef = 555E0EB11C51E56D00E6BB92 /* SocketRocket.h */; settings = {ATTRIBUTES = (Public, ); }; };
Expand Down Expand Up @@ -50,14 +62,6 @@
8179958C1CE139700084DA37 /* SRDelegateController.m in Sources */ = {isa = PBXBuildFile; fileRef = 817995851CE139700084DA37 /* SRDelegateController.m */; };
8179958D1CE139700084DA37 /* SRDelegateController.m in Sources */ = {isa = PBXBuildFile; fileRef = 817995851CE139700084DA37 /* SRDelegateController.m */; };
817996801CE184F40084DA37 /* SRAutobahnUtilities.m in Sources */ = {isa = PBXBuildFile; fileRef = 8179967F1CE184F40084DA37 /* SRAutobahnUtilities.m */; };
8186892F1D08EF3C004F94C8 /* SRSecurityOptions.h in Headers */ = {isa = PBXBuildFile; fileRef = 8186892D1D08EF3C004F94C8 /* SRSecurityOptions.h */; };
818689301D08EF3C004F94C8 /* SRSecurityOptions.h in Headers */ = {isa = PBXBuildFile; fileRef = 8186892D1D08EF3C004F94C8 /* SRSecurityOptions.h */; };
818689311D08EF3C004F94C8 /* SRSecurityOptions.h in Headers */ = {isa = PBXBuildFile; fileRef = 8186892D1D08EF3C004F94C8 /* SRSecurityOptions.h */; };
818689321D08EF3C004F94C8 /* SRSecurityOptions.h in Headers */ = {isa = PBXBuildFile; fileRef = 8186892D1D08EF3C004F94C8 /* SRSecurityOptions.h */; };
818689331D08EF3C004F94C8 /* SRSecurityOptions.m in Sources */ = {isa = PBXBuildFile; fileRef = 8186892E1D08EF3C004F94C8 /* SRSecurityOptions.m */; };
818689341D08EF3C004F94C8 /* SRSecurityOptions.m in Sources */ = {isa = PBXBuildFile; fileRef = 8186892E1D08EF3C004F94C8 /* SRSecurityOptions.m */; };
818689351D08EF3C004F94C8 /* SRSecurityOptions.m in Sources */ = {isa = PBXBuildFile; fileRef = 8186892E1D08EF3C004F94C8 /* SRSecurityOptions.m */; };
818689361D08EF3C004F94C8 /* SRSecurityOptions.m in Sources */ = {isa = PBXBuildFile; fileRef = 8186892E1D08EF3C004F94C8 /* SRSecurityOptions.m */; };
81900A4C1D18C9CC0015A290 /* SRLog.h in Headers */ = {isa = PBXBuildFile; fileRef = 81900A4A1D18C9CC0015A290 /* SRLog.h */; };
81900A4D1D18C9CC0015A290 /* SRLog.h in Headers */ = {isa = PBXBuildFile; fileRef = 81900A4A1D18C9CC0015A290 /* SRLog.h */; };
81900A4E1D18C9CC0015A290 /* SRLog.h in Headers */ = {isa = PBXBuildFile; fileRef = 81900A4A1D18C9CC0015A290 /* SRLog.h */; };
Expand Down Expand Up @@ -190,6 +194,9 @@
/* Begin PBXFileReference section */
2D4227621BB4358C000C1A6C /* SocketRocket.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = SocketRocket.framework; sourceTree = BUILT_PRODUCTS_DIR; };
3345DC901C52ACD70083CCB8 /* SocketRocket.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = SocketRocket.framework; sourceTree = BUILT_PRODUCTS_DIR; };
454A02D41D0FAD010060DFB2 /* SRSecurityPolicy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SRSecurityPolicy.h; path = SocketRocket/SRSecurityPolicy.h; sourceTree = SOURCE_ROOT; };
45A5E7AD1D234B4C00C4EE5B /* SRSecurityPolicyBuilder.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SRSecurityPolicyBuilder.h; sourceTree = "<group>"; };
45A5E7AE1D234B4C00C4EE5B /* SRSecurityPolicyBuilder.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SRSecurityPolicyBuilder.m; sourceTree = "<group>"; };
4861E7731D022211002FAB1D /* SRProxyConnect.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SRProxyConnect.h; sourceTree = "<group>"; };
4861E7741D022211002FAB1D /* SRProxyConnect.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SRProxyConnect.m; sourceTree = "<group>"; };
555E0EB11C51E56D00E6BB92 /* SocketRocket.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SocketRocket.h; sourceTree = "<group>"; };
Expand All @@ -207,8 +214,6 @@
817995851CE139700084DA37 /* SRDelegateController.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SRDelegateController.m; sourceTree = "<group>"; };
8179967E1CE184F40084DA37 /* SRAutobahnUtilities.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SRAutobahnUtilities.h; sourceTree = "<group>"; };
8179967F1CE184F40084DA37 /* SRAutobahnUtilities.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SRAutobahnUtilities.m; sourceTree = "<group>"; };
8186892D1D08EF3C004F94C8 /* SRSecurityOptions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SRSecurityOptions.h; sourceTree = "<group>"; };
8186892E1D08EF3C004F94C8 /* SRSecurityOptions.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SRSecurityOptions.m; sourceTree = "<group>"; };
81900A4A1D18C9CC0015A290 /* SRLog.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SRLog.h; sourceTree = "<group>"; };
81900A4B1D18C9CC0015A290 /* SRLog.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SRLog.m; sourceTree = "<group>"; };
81B22EC31CE42D7E0073C636 /* SRError.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SRError.h; sourceTree = "<group>"; };
Expand Down Expand Up @@ -401,8 +406,8 @@
8186892C1D08EF3C004F94C8 /* Security */ = {
isa = PBXGroup;
children = (
8186892D1D08EF3C004F94C8 /* SRSecurityOptions.h */,
8186892E1D08EF3C004F94C8 /* SRSecurityOptions.m */,
45A5E7AD1D234B4C00C4EE5B /* SRSecurityPolicyBuilder.h */,
45A5E7AE1D234B4C00C4EE5B /* SRSecurityPolicyBuilder.m */,
);
path = Security;
sourceTree = "<group>";
Expand Down Expand Up @@ -554,6 +559,7 @@
children = (
81B31C0D1CDC404100D86D43 /* Internal */,
555E0EB11C51E56D00E6BB92 /* SocketRocket.h */,
454A02D41D0FAD010060DFB2 /* SRSecurityPolicy.h */,
F6A12CCF145119B700C1D980 /* SRWebSocket.h */,
F6A12CD0145119B700C1D980 /* SRWebSocket.m */,
81CD05D51CEEC47300497F47 /* NSURLRequest+SRWebSocket.h */,
Expand All @@ -575,11 +581,12 @@
81B22EE51CE43ECC0073C636 /* SRURLUtilities.h in Headers */,
81B31C151CDC404100D86D43 /* SRIOConsumer.h in Headers */,
81CD05FE1CEEC65D00497F47 /* NSRunLoop+SRWebSocket.h in Headers */,
454A02D61D0FAD010060DFB2 /* SRSecurityPolicy.h in Headers */,
81CD05D81CEEC47300497F47 /* NSURLRequest+SRWebSocket.h in Headers */,
81900A4D1D18C9CC0015A290 /* SRLog.h in Headers */,
81B31C1D1CDC404100D86D43 /* SRIOConsumerPool.h in Headers */,
813364001D091E170062E28D /* SRProxyConnect.h in Headers */,
818689301D08EF3C004F94C8 /* SRSecurityOptions.h in Headers */,
45A5E7B11D234B5800C4EE5B /* SRSecurityPolicyBuilder.h in Headers */,
2D42277F1BB4365C000C1A6C /* SRWebSocket.h in Headers */,
81B31C2E1CDC406B00D86D43 /* SRHash.h in Headers */,
811934BE1CDAF725003AB243 /* SocketRocket.h in Headers */,
Expand All @@ -599,11 +606,12 @@
81B22EE71CE43ECC0073C636 /* SRURLUtilities.h in Headers */,
81B31C171CDC404100D86D43 /* SRIOConsumer.h in Headers */,
81CD06001CEEC65D00497F47 /* NSRunLoop+SRWebSocket.h in Headers */,
454A02D81D0FAD010060DFB2 /* SRSecurityPolicy.h in Headers */,
81CD05DA1CEEC47300497F47 /* NSURLRequest+SRWebSocket.h in Headers */,
81900A4F1D18C9CC0015A290 /* SRLog.h in Headers */,
81B31C1F1CDC404100D86D43 /* SRIOConsumerPool.h in Headers */,
813364081D091E180062E28D /* SRProxyConnect.h in Headers */,
818689321D08EF3C004F94C8 /* SRSecurityOptions.h in Headers */,
45A5E7B51D234B5A00C4EE5B /* SRSecurityPolicyBuilder.h in Headers */,
3345DC8A1C52ACD70083CCB8 /* SRWebSocket.h in Headers */,
81B31C301CDC406B00D86D43 /* SRHash.h in Headers */,
811934C01CDAF726003AB243 /* SocketRocket.h in Headers */,
Expand All @@ -623,11 +631,12 @@
81B22EE61CE43ECC0073C636 /* SRURLUtilities.h in Headers */,
81B31C161CDC404100D86D43 /* SRIOConsumer.h in Headers */,
81CD05FF1CEEC65D00497F47 /* NSRunLoop+SRWebSocket.h in Headers */,
454A02D71D0FAD010060DFB2 /* SRSecurityPolicy.h in Headers */,
81CD05D91CEEC47300497F47 /* NSURLRequest+SRWebSocket.h in Headers */,
81900A4E1D18C9CC0015A290 /* SRLog.h in Headers */,
81B31C1E1CDC404100D86D43 /* SRIOConsumerPool.h in Headers */,
813364041D091E170062E28D /* SRProxyConnect.h in Headers */,
818689311D08EF3C004F94C8 /* SRSecurityOptions.h in Headers */,
45A5E7B31D234B5900C4EE5B /* SRSecurityPolicyBuilder.h in Headers */,
F668C8AA153E92F90044DBAC /* SRWebSocket.h in Headers */,
81B31C2F1CDC406B00D86D43 /* SRHash.h in Headers */,
811934BC1CDAF725003AB243 /* SocketRocket.h in Headers */,
Expand All @@ -646,11 +655,12 @@
files = (
81B22EE41CE43ECC0073C636 /* SRURLUtilities.h in Headers */,
81B31C141CDC404100D86D43 /* SRIOConsumer.h in Headers */,
454A02D51D0FAD010060DFB2 /* SRSecurityPolicy.h in Headers */,
81CD05FD1CEEC65D00497F47 /* NSRunLoop+SRWebSocket.h in Headers */,
81CD05D71CEEC47300497F47 /* NSURLRequest+SRWebSocket.h in Headers */,
81900A4C1D18C9CC0015A290 /* SRLog.h in Headers */,
8186892F1D08EF3C004F94C8 /* SRSecurityOptions.h in Headers */,
81B31C1C1CDC404100D86D43 /* SRIOConsumerPool.h in Headers */,
45A5E7AF1D234B4C00C4EE5B /* SRSecurityPolicyBuilder.h in Headers */,
F6A12CD1145119B700C1D980 /* SRWebSocket.h in Headers */,
81B31C2D1CDC406B00D86D43 /* SRHash.h in Headers */,
4861E7751D022211002FAB1D /* SRProxyConnect.h in Headers */,
Expand Down Expand Up @@ -852,9 +862,9 @@
buildActionMask = 2147483647;
files = (
81CD05DC1CEEC47300497F47 /* NSURLRequest+SRWebSocket.m in Sources */,
45A5E7B21D234B5800C4EE5B /* SRSecurityPolicyBuilder.m in Sources */,
81B22ECA1CE42D7E0073C636 /* SRError.m in Sources */,
81B31C191CDC404100D86D43 /* SRIOConsumer.m in Sources */,
818689341D08EF3C004F94C8 /* SRSecurityOptions.m in Sources */,
81C22BC71D124168007BFDDF /* SRHTTPConnectMessage.m in Sources */,
81CD06021CEEC65D00497F47 /* NSRunLoop+SRWebSocket.m in Sources */,
2D4227851BB43734000C1A6C /* SRWebSocket.m in Sources */,
Expand All @@ -875,9 +885,9 @@
buildActionMask = 2147483647;
files = (
81CD05DE1CEEC47300497F47 /* NSURLRequest+SRWebSocket.m in Sources */,
45A5E7B61D234B5A00C4EE5B /* SRSecurityPolicyBuilder.m in Sources */,
81B22ECC1CE42D7E0073C636 /* SRError.m in Sources */,
81B31C1B1CDC404100D86D43 /* SRIOConsumer.m in Sources */,
818689361D08EF3C004F94C8 /* SRSecurityOptions.m in Sources */,
81C22BC91D124168007BFDDF /* SRHTTPConnectMessage.m in Sources */,
81CD06041CEEC65D00497F47 /* NSRunLoop+SRWebSocket.m in Sources */,
3345DC841C52ACD70083CCB8 /* SRWebSocket.m in Sources */,
Expand Down Expand Up @@ -909,9 +919,9 @@
buildActionMask = 2147483647;
files = (
81CD05DD1CEEC47300497F47 /* NSURLRequest+SRWebSocket.m in Sources */,
45A5E7B41D234B5900C4EE5B /* SRSecurityPolicyBuilder.m in Sources */,
81B22ECB1CE42D7E0073C636 /* SRError.m in Sources */,
81B31C1A1CDC404100D86D43 /* SRIOConsumer.m in Sources */,
818689351D08EF3C004F94C8 /* SRSecurityOptions.m in Sources */,
81C22BC81D124168007BFDDF /* SRHTTPConnectMessage.m in Sources */,
81CD06031CEEC65D00497F47 /* NSRunLoop+SRWebSocket.m in Sources */,
F6396B86153E67EC00345B5E /* SRWebSocket.m in Sources */,
Expand All @@ -932,7 +942,7 @@
buildActionMask = 2147483647;
files = (
4861E7761D022211002FAB1D /* SRProxyConnect.m in Sources */,
818689331D08EF3C004F94C8 /* SRSecurityOptions.m in Sources */,
45A5E7B01D234B4C00C4EE5B /* SRSecurityPolicyBuilder.m in Sources */,
81CD05DB1CEEC47300497F47 /* NSURLRequest+SRWebSocket.m in Sources */,
81B22EC91CE42D7E0073C636 /* SRError.m in Sources */,
81C22BC61D124168007BFDDF /* SRHTTPConnectMessage.m in Sources */,
Expand Down
74 changes: 0 additions & 74 deletions SocketRocket/Internal/Security/SRSecurityOptions.h

This file was deleted.

88 changes: 0 additions & 88 deletions SocketRocket/Internal/Security/SRSecurityOptions.m

This file was deleted.
