Home Explore Help
Sign In
Steven
/
Kulexiu
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 82099eff35
Branches Tags
Kulexiu
/
KulexiuForStudent
/
Pods
/
SocketRocket
/
SocketRocket
/
SRSecurityPolicy.m

SRSecurityPolicy.m 2.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475 
  1. //
    2. 

  2. // Copyright (c) 2016-present, Facebook, Inc.
    3. 

  3. // All rights reserved.
    4. 

  4. //
    5. 

  5. // This source code is licensed under the BSD-style license found in the
    6. 

  6. // LICENSE file in the root directory of this source tree. An additional grant
    7. 

  7. // of patent rights can be found in the PATENTS file in the same directory.
    8. 

  8. //
    9. 

  9. 

  10. #import "SRSecurityPolicy.h"
    11. 

  11. #import "SRPinningSecurityPolicy.h"
    12. 

  12. 

  13. NS_ASSUME_NONNULL_BEGIN
    14. 

  14. 

  15. @interface SRSecurityPolicy ()
    16. 

  16. 

  17. @property (nonatomic, assign, readonly) BOOL certificateChainValidationEnabled;
    18. 

  18. 

  19. @end
    20. 

  20. 

  21. @implementation SRSecurityPolicy
    22. 

  22. 

  23. + (instancetype)defaultPolicy
    24. 

  24. {
    25. 

  25.     return [self new];
    26. 

  26. }
    27. 

  27. 

  28. + (instancetype)pinnningPolicyWithCertificates:(NSArray *)pinnedCertificates
    29. 

  29. {
    30. 

  30.     [NSException raise:NSInvalidArgumentException
    31. 

  31.                 format:@"Using pinned certificates is neither secure nor supported in SocketRocket, "
    32. 

  32.                         "and leads to security issues. Please use a proper, trust chain validated certificate."];
    33. 

  33. 

  34.     return nil;
    35. 

  35. }
    36. 

  36. 

  37. - (instancetype)initWithCertificateChainValidationEnabled:(BOOL)enabled
    38. 

  38. {
    39. 

  39.     self = [super init];
    40. 

  40.     if (!self) { return self; }
    41. 

  41. 

  42.     _certificateChainValidationEnabled = enabled;
    43. 

  43. 

  44.     return self;
    45. 

  45. }
    46. 

  46. 

  47. - (instancetype)init
    48. 

  48. {
    49. 

  49. #pragma clang diagnostic push
    50. 

  50. #pragma clang diagnostic ignored "-Wdeprecated"
    51. 

  51. 

  52.     return [self initWithCertificateChainValidationEnabled:YES];
    53. 

  53. 

  54. #pragma clang diagnostic pop
    55. 

  55. }
    56. 

  56. 

  57. - (void)updateSecurityOptionsInStream:(NSStream *)stream
    58. 

  58. {
    59. 

  59.     // Enforce TLS 1.2
    60. 

  60.     [stream setProperty:(__bridge id)CFSTR("kCFStreamSocketSecurityLevelTLSv1_2") forKey:(__bridge id)kCFStreamPropertySocketSecurityLevel];
    61. 

  61. 

  62.     // Validate certificate chain for this stream if enabled.
    63. 

  63.     NSDictionary<NSString *, id> *sslOptions = @{ (__bridge NSString *)kCFStreamSSLValidatesCertificateChain : @(self.certificateChainValidationEnabled) };
    64. 

  64.     [stream setProperty:sslOptions forKey:(__bridge NSString *)kCFStreamPropertySSLSettings];
    65. 

  65. }
    66. 

  66. 

  67. - (BOOL)evaluateServerTrust:(SecTrustRef)serverTrust forDomain:(NSString *)domain
    68. 

  68. {
    69. 

  69.     // No further evaluation happens in the default policy.
    70. 

  70.     return YES;
    71. 

  71. }
    72. 

  72. 

  73. @end
    74. 

  74. 

  75. NS_ASSUME_NONNULL_END
    76.