I'm working with the OWASP sample for Certificate and Public Key Pinning. The sample uses random.org, and random.org recently got a new certificate. That means connection:didReceiveAuthenticationChallenge: is failing. That is expected and good :)

However, the failure is displayed as "NSURLErrorDomain", with a code of -1012. That's not very helpful, and a user will not be able to do anything meaningful with it:

It would be much better to supply a message with text similar to "Warning: the public key identifying the website has changed...".

Another little nit: in connection:didFailWithError:, I cannot tell if the -1012 is due to the pinning failure or another network error. So I would like to supply the message only for the certificate failure, and not other -1012 errors.

How does one supply "rich error information" to the call of `[[challenge sender] cancelAuthenticationChallenge: challenge]` (which is called when `connection:didReceiveAuthenticationChallenge:` fails)? NSURLConnectionDelegate Protocol Reference and NSURLAuthenticationChallengeSender Protocol Reference do not mention how to do so.

jww
  • Very good question, some time ago I had exactly the same problem but wasn't really able to retrieve more info than -1012. I settled for the generic message telling user that the certificate didn't match. – lawicko Feb 26 '13 at 16:47
  • Hi lawicko. I was thinking about trying to throw an exception with the rich error information. As I understand it, Objective C exceptions are not like other language exceptions. Have you tried an Objective C exception in this case? – jww Apr 27 '13 at 04:47
  • To my understanding, the problem here is how to get additional information about the error, not how to process it afterwards. So, you only get the cursed -1012 without really knowing what the underlying cause is; based on that you cannot really tell if it was due to the certificate failure or some other problem, or at least I was not able to retrieve that info. I don't exactly understand how throwing an exception at that point would help with the original issue? – lawicko Apr 29 '13 at 11:51
  • Jeff, did you ever find a way to differentiate `cancelAuthenticateChallenge` errors from other types of -1012 NSURLErrorDomain errors in `connection:didFailWithError`? I'm at a loss here. – Nate Cook Jun 23 '13 at 16:25
  • Nate - no, I have not tried yet (busy with other things). Let me put it on the TODO list. – jww Jun 24 '13 at 21:55
  • In Cocoa, it is very strongly recommended that you throw exceptions only for programmer errors. This here is not a programming error; you couldn't change your code to avoid the error. Exceptions are usually not caught except by the run loop, where they are logged and the application is terminated. When you get an exception, you fix the code. – gnasher729 Mar 18 '14 at 13:21

1 Answer

Try to use

```objc
NSString * alertMessage = [challenge.error localizedFailureReason];
```

to get human readable error information.

See documentation for NSError and NSURLAuthenticationChallenge.

IvanRublev
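One way to tell a pinning failure apart from other -1012 errors, as an added example that is not part of the original question, answer, or the OWASP sample: the delegate records why it cancelled the challenge, and `connection:didFailWithError:` wraps the -1012 in its own error only when that flag is set. The class name, error domain, message text, and the whole-certificate DER comparison are assumptions made for illustration; it uses the NSURLConnection-era APIs the question is written against.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical names for this example; the DER comparison is an assumed pin check.
static NSString * const ExamplePinningErrorDomain = @"ExamplePinningErrorDomain";

@interface PinnedDelegate : NSObject <NSURLConnectionDelegate>
@property (nonatomic, strong) NSData *pinnedCertificate; // DER bytes bundled with the app
@property (nonatomic, assign) BOOL pinningFailed;        // one delegate per connection
@end

@implementation PinnedDelegate

- (BOOL)connection:(NSURLConnection *)c canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)space {
    return [space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (void)connection:(NSURLConnection *)c didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    SecTrustResultType result;
    // Normal chain validation first; pinning is an additional check, not a replacement.
    BOOL chainOK = trust && SecTrustEvaluate(trust, &result) == errSecSuccess &&
        (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    if (chainOK && SecTrustGetCertificateCount(trust) > 0) {
        NSData *der = CFBridgingRelease(SecCertificateCopyData(SecTrustGetCertificateAtIndex(trust, 0)));
        if ([der isEqualToData:self.pinnedCertificate]) {
            [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
                 forAuthenticationChallenge:challenge];
            return;
        }
        self.pinningFailed = YES; // record the reason before cancelling
    }
    [challenge.sender cancelAuthenticationChallenge:challenge];
}

- (void)connection:(NSURLConnection *)c didFailWithError:(NSError *)error {
    // NSURLErrorUserCancelledAuthentication is the -1012 the cancel produces.
    if (self.pinningFailed && [error.domain isEqualToString:NSURLErrorDomain] &&
        error.code == NSURLErrorUserCancelledAuthentication) {
        error = [NSError errorWithDomain:ExamplePinningErrorDomain code:1 userInfo:@{
            NSLocalizedDescriptionKey: @"Warning: the certificate identifying the website has changed.",
            NSUnderlyingErrorKey: error }];
    }
    NSLog(@"%@", error.localizedDescription); // present this instead of the bare -1012
}

@end
```

A chain-validation failure also cancels the challenge here but leaves the flag unset, so it surfaces as the ordinary -1012 rather than as a pin mismatch.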