3

I have been trying to implement a way to do public key pinning in my iOS 8+ app using NSURLSession.

What I do is just implement the delegate method didReceiveChallenge and get the challenge.protectionSpace.authenticationMethod and check if it is equal to NSURLAuthenticationMethodServerTrust.

If it is equal to NSURLAuthenticationMethodServerTrust i check the certificate and compare it with my local copy.

This works fine on iOS 8 but on iOS 9 I don't receive an authentication method equal to NSURLAuthenticationMethodServerTrust. I receive NSURLAuthenticationMethodClientCertificate so I can not access the challenge.protectionSpace.serverTrust property.

Any ideas? 

public func URLSession(session: NSURLSession, didReceiveChallenge challenge: NSURLAuthenticationChallenge, completionHandler: (NSURLSessionAuthChallengeDisposition, NSURLCredential!) -> Void)
{


      if(challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust)
        {
            // Verify the identity of the server
                    println("Trusted")
                    return challenge.sender.performDefaultHandlingForAuthenticationChallenge!(challenge)

        }
        println("Not trusted")
        return challenge.sender.cancelAuthenticationChallenge(challenge)
    }
}
VíctorVarLed
  • 148
  • 1
  • 8
  • Check http://stackoverflow.com/questions/33542003/client-certificate-authentication-in-swift2/34014653#34014653 link. It might be helpful. – Karlos Dec 01 '15 at 07:22
  • Hi Karlos, It's not work to me. :-( I have the same problem that Victor. – lûr Dec 03 '15 at 10:17

1 Answers1

3

Your callback can be called multiple times for different protection spaces. What's happening here is that the order of those calls has changed, and the server trust protection space call is apparently not happening first for some reason in iOS 9.

The problem is that you are canceling the first challenge, which effectively terminates the connection. Don't do that. Instead, use "perform default handling".

You also presumably don't want to perform default handling for the server trust case, because that's equivalent to not writing the custom handler at all. Instead, check the key, and perform the default handling only if it is the key you want, else cancel the authentication challenge.

Or maybe I'm misreading your code. It looks like there is some code missing. It may be that you aren't handling the non-server-trust case at all, in which case that's the problem. If you don't call something for every challenge, the connection will simply sit there forever, waiting for you to do so.

dgatwood
  • 10,129
  • 1
  • 28
  • 49
  • 1
    Thanks @dgatwood. You saved my day :) Apparently is iOS 9 the ClientCertificateChallenge is called first so I just added: ... else if (challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate) { completionHandler(NSURLSessionAuthChallengeDisposition.PerformDefaultHandling, nil); } – VíctorVarLed Dec 09 '15 at 07:50
  • FYI, what I said was actually subtly wrong. Default handling for server trust is fine. It's telling it to use the cert without checking it that would be bad. :-) – dgatwood Sep 17 '16 at 05:52