{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 狗以群分 的问题《Subclassing URLProtectionSpace》','https://www.manongdao.com/q-742805.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Aim:
Test SSL pinning by using URLProtocol.
Problem:
Cannot subclass URLProtectionSpace in the expected manner. The server trust property is never called and the alamofire auth callback only receives a URLProtectionSpace class type instead of my class even though the initializer of my custom class gets called.
Configuration: [using Alamofire]
let sessionConfiguration: URLSessionConfiguration = .default
sessionConfiguration.protocolClasses?.insert(BaseURLProtocol.self, at: 0)
let sessionManager = AlamofireSessionBuilderImpl(configuration: sessionConfiguration).default
// overriding the auth challenge in Alamofire in order to test what is being called
sessionManager.delegate.sessionDidReceiveChallengeWithCompletion = { session, challenge, completionHandler in
let protectionSpace = challenge.protectionSpace
guard protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
protectionSpace.host.contains("myDummyURL.com") else {
// otherwise it means a different challenge is encountered and we are only interested in certificate validation
completionHandler(.performDefaultHandling, nil)
return
}
guard let serverTrust = protectionSpace.serverTrust else {
completionHandler(.performDefaultHandling, nil)
return
}
guard let serverCertificate = SecTrustGetCertificateAtIndex(serverTrust, 0) else {
return completionHandler(.cancelAuthenticationChallenge, nil)
}
let serverCertificateData = SecCertificateCopyData(serverCertificate) as Data
// cannot find the local certificate
guard let localCertPath = Bundle.main.path(forResource: "cert", ofType: "der"),
let localCertificateData = NSData(contentsOfFile: localCertPath) else {
return completionHandler(.cancelAuthenticationChallenge, nil)
}
guard localCertificateData.isEqual(to: serverCertificateData) else {
// the certificate received from the server is invalid
completionHandler(.cancelAuthenticationChallenge, nil)
return
}
let credential = URLCredential(trust: serverTrust)
completionHandler(.useCredential, credential)
}
BaseURLProtocol definition:
class BaseURLProtocol: URLProtocol {
override class func canInit(with request: URLRequest) -> Bool {
return true
}
override class func canonicalRequest(for request: URLRequest) -> URLRequest {
return request
}
override func startLoading() {
debugPrint("--- request loading \(request)")
guard request.url?.host?.contains("myDummyURL.com") ?? false else {
debugPrint("--- caught untargetted request --- skipping ---host is \(request.url?.host)")
return
}
let protectionSpace = CertificatePinningMockURLProtectionSpace(host: "https://myDummyURL.com", port: 443, protocol: nil, realm: nil, authenticationMethod: NSURLAuthenticationMethodServerTrust)
let challenge = URLAuthenticationChallenge(protectionSpace: protectionSpace, proposedCredential: nil, previousFailureCount: 0, failureResponse: nil, error: nil, sender: self)
client?.urlProtocol(self, didReceive: challenge)
}
}
CertificatePinningMockURLProtectionSpace: [using Alamofire ServerTrustPolicy for getting the certs]
-- The serverTrust property never gets called. I've also overridden all other properties of URLProtectionSpace and nothing except for the init gets called.
class CertificatePinningMockURLProtectionSpace: URLProtectionSpace {
private static let expectedHost = "myDummyURL.com"
override init(host: String, port: Int, protocol: String?, realm: String?, authenticationMethod: String?) {
debugPrint("--- super init will be called")
super.init(host: host, port: port, protocol: `protocol`, realm: realm, authenticationMethod: authenticationMethod)
}
override var serverTrust: SecTrust? {
guard let certificate = ServerTrustPolicy.certificates(in: .main).first else {
return nil
}
let policy: SecPolicy = SecPolicyCreateSSL(true, CertificatePinningMockURLProtectionSpace.expectedHost as CFString)
var serverTrust: SecTrust?
SecTrustCreateWithCertificates(certificate, policy, &serverTrust)
return serverTrust
}
}
Test statement:
sessionManager.request("https://myDummyURL.com").responseString(completionHandler: { response in
debugPrint("--- response is \(response)")
done()
})
Can the URLProtectionSpace successfully be overridden and provided as a mock to the URLProtocolClient inside the URLProtocol?