Merge branch 'ios9'

datatheorem · Oct 21, 2015 · bb1a981 · bb1a981
2 parents dc04b24 + d57dfb9
commit bb1a981
Show file tree

Hide file tree

Showing 69 changed files with 4,092 additions and 1,678 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -1,10 +1,10 @@
 language: objective-c
+osx_image: xcode7
 env:
   matrix: 
-    - TEST_SDK=macosx10.9
-    - TEST_SDK=macosx10.10
-    - TEST_SDK=iphonesimulator8.1
-    - TEST_SDK=iphonesimulator7.0
+    - TEST_SDK=macosx10.11 TEST_SCHEME="TrustKit OS X"
+    - TEST_SDK=iphonesimulator9.0 TEST_SCHEME=TrustKit
+    - TEST_SDK=iphonesimulator9.0 TEST_SCHEME=TrustKit_Static
 script:
-  - xcodebuild clean -project TrustKit.xcodeproj -scheme TrustKit -configuration Release CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO -sdk $TEST_SDK
-  - xcodebuild build test -project TrustKit.xcodeproj -scheme TrustKit -configuration Release CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO -sdk $TEST_SDK
+  - xcodebuild clean -project TrustKit.xcodeproj -scheme "$TEST_SCHEME" -configuration Release CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO -sdk $TEST_SDK
+  - xcodebuild build test -project TrustKit.xcodeproj -scheme "$TEST_SCHEME" -configuration Release CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO -sdk $TEST_SDK
diff --git a/ATTRIBUTIONS b/ATTRIBUTIONS
@@ -1,30 +1,3 @@
-fishhook - https://github.com/facebook/fishhook
------------------------------------------------
-
-// Copyright (c) 2013, Facebook, Inc.
-// All rights reserved.
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//   * Redistributions of source code must retain the above copyright notice,
-//     this list of conditions and the following disclaimer.
-//   * Redistributions in binary form must reproduce the above copyright notice,
-//     this list of conditions and the following disclaimer in the documentation
-//     and/or other materials provided with the distribution.
-//   * Neither the name Facebook nor the names of its contributors may be used to
-//     endorse or promote products derived from this software without specific
-//     prior written permission.
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-
 domain-registry-provider - https://code.google.com/p/domain-registry-provider/
 ------------------------------------------------------------------------------
 
@@ -41,3 +14,27 @@ domain-registry-provider - https://code.google.com/p/domain-registry-provider/
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+
+
+RSSwizzle - https://github.com/rabovik/RSSwizzle
+------------------------------------------------
+
+Copyright (c) 2013 Yan Rabovik
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is furnished
+to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/README.md b/README.md
@@ -1,71 +1,30 @@
 TrustKit
 ========
 
-[![Build Status](https://travis-ci.org/datatheorem/TrustKit.svg)](https://travis-ci.org/datatheorem/TrustKit) [![Version Status](https://img.shields.io/cocoapods/v/TrustKit.svg?style=flat)](https://cocoapods.org/pods/TrustKit) [![Platform](http://img.shields.io/cocoapods/p/TrustKit.svg?style=flat)](https://cocoapods.org/pods/TrustKit) [![License MIT](https://img.shields.io/github/license/datatheorem/trustkit.svg?style=flat)](https://en.wikipedia.org/wiki/MIT_License)
+[![Build Status](https://travis-ci.org/datatheorem/TrustKit.svg)](https://travis-ci.org/datatheorem/TrustKit) [![Version Status](https://img.shields.io/cocoapods/v/TrustKit.svg?style=flat)](https://cocoapods.org/pods/TrustKit) [![Platform](https://img.shields.io/cocoapods/p/TrustKit.svg?style=flat)](https://cocoapods.org/pods/TrustKit) [![License MIT](https://img.shields.io/cocoapods/l/TrustKit.svg?style=flat)](https://en.wikipedia.org/wiki/MIT_License)
 
-**TrustKit** is an open source framework that makes it easy to deploy SSL public key
-pinning in any iOS or OS X App.
-
-
-iOS 9 FAQ
----------
-
-### Does **TrustKit** work on iOS 9?
-
-* Explicit pinning validation using the `TSKPinningValidator` class in your
-authentication handlers will work fine.
-* Implicit pinning validation, where **TrustKit** automatically "hooks" and 
-validates the App's 'outgoing SSL connections does not work with the current
-version (1.1.3) on iOS 9, on some devices (including the iPhone 6). This 
-means that the App will still work fine but the pinning validation will not 
-be performed automatically.
-
-
-### What should I do?
-
-For pinning to work right now on iOS 9 devices, you can use the 
-`TSKPinningValidator` class to manually check the server's certificate chain 
-against your App's pinning policy.
-
-Apple has made changes in how function calls happen within and across Apple 
-frameworks, which break the technique we used in **TrustKit** to intercept outgoing
-SSL connections. The next release of **TrustKit** (1.2.0) will address this as much 
-as technically possible, and a blog post with technical details on what has changed 
-will be available shortly.
+**TrustKit** is an open source framework that makes it easy to deploy SSL public key pinning in any iOS or OS X App; it supports both Swift and Objective-C Apps.
 
 
 Overview
 --------
 
-At a high level, **TrustKit** intercepts all outgoing SSL connections initiated by
-SecureTransport in order to perform additional validation against the server's
-certificate chain, based on an App-wide SSL pinning policy. This novel approach
-to SSL pinning gives us the following benefits:
-
-* Easy to use: **TrustKit** can be deployed in minutes in any App. For iOS8+ and OS
-X Apps, **TrustKit** can be used without even modifying the App's source code.
-* API-independent pinning by directly hooking Apple's SecureTransport: **TrustKit**
-works on `NSURLSession`, `UIWebView`, `NSStream`, etc. all the way down to BSD
-sockets.
-
-Additionally, **TrustKit** provides the following features:
+**TrustKit** provides the following features:
 
-* Subject Public Key Info pinning, [as opposed to certificate pinning or pinning
-the public key bits](https://www.imperialviolet.org/2011/05/04/pinning.html).
-* Mechanism to report pinning failures, which allows Apps to send reports
-when an unexpected certificate chain is detected, similarly to the _report-uri_
-directive described in the [HTTP Public Key Pinning
-specification](https://tools.ietf.org/html/rfc7469).
+* Simple API to configure an SSL pinning policy and enforce it within an App. The policy settings are heavily based on the [HTTP Public Key Pinning specification](https://tools.ietf.org/html/rfc7469).
+* Auto-pinning functionality by swizzling the App's _NSURLConnection_ and _NSURLSession_ delegates in order to automatically add pinning validation to the App's HTTPS connections; this allows deploying **TrustKit** without even modifying the App's source code.
+* Sane implementation by pinning the certificate's Subject Public Key Info, [as opposed to the certificate itself or the public key bits](https://www.imperialviolet.org/2011/05/04/pinning.html).
+* Reporting mechanism to notify a server about pinning validation failures happening within the App, when an unexpected certificate chain is detected. This is similar to the _report-uri_ directive described in the HPKP specification.
 
 **TrustKit** was open-sourced at [Black Hat 2015 USA][bh2015-conf].
 
 
 Getting Started
 ---------------
 
-* Have a look at the Black Hat USA 2015 [presentation][bh2015-pdf].
 * Read the [Getting Started][getting-started] guide.
 * Check out the [API documentation][api-doc].
+* Have a look at the [Black Hat USA 2015 presentation][bh2015-pdf] and the [significant changes][ios9-post] that subsequently happened with iOS 9.
 
 
 Sample Usage
@@ -83,7 +42,7 @@ Then run:
 $ pod install
 ```
 
-Then, enabling SSL pinning globally in the App only requires initializing **TrustKit** 
+Then, the deploying SSL pinning in the App requires initializing **TrustKit** 
 with a pinning policy (domains, Subject Public Key Info hashes, and additional settings).
 
 The policy can be configured within the App's `Info.plist`:
@@ -93,43 +52,58 @@ The policy can be configured within the App's `Info.plist`:
 Alternatively, the pinning policy can be set programmatically:
 
 ```objc
-NSDictionary *trustKitConfig;
-trustKitConfig = @{
-                   @"www.datatheorem.com" : @{
-                           kTSKPublicKeyAlgorithms : @[kTSKAlgorithmRsa2048],
-                           kTSKPublicKeyHashes : @[
-                                   @"HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY=",
-                                   @"0SDf3cRToyZJaMsoS17oF72VMavLxj/N7WBNasNuiR8="
-                                   ],
-                           kTSKEnforcePinning : @NO,
-                           kTSKReportUris : @[@"http://report.datatheorem.com/log_report"],
-                           },
-                   @"yahoo.com" : @{
-                           kTSKPublicKeyAlgorithms : @[kTSKAlgorithmRsa4096],
-                           kTSKPublicKeyHashes : @[
-                                   @"TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
-                                   @"rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE=",
-                                   ],
-                           kTSKIncludeSubdomains : @YES
-                           }
-                   };
+NSDictionary *trustKitConfig =
+@{
+  kTSKSwizzleNetworkDelegates: @YES,
+  kTSKPinnedDomains : @{
+          @"www.datatheorem.com" : @{
+                  kTSKPublicKeyAlgorithms : @[kTSKAlgorithmRsa2048],
+                  kTSKPublicKeyHashes : @[
+                          @"HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY=",
+                          @"0SDf3cRToyZJaMsoS17oF72VMavLxj/N7WBNasNuiR8="
+                          ],
+                  kTSKEnforcePinning : @NO,
+                  kTSKReportUris : @[@"http://report.datatheorem.com/log_report"],
+                  },
+          @"yahoo.com" : @{
+                  kTSKPublicKeyAlgorithms : @[kTSKAlgorithmRsa4096],
+                  kTSKPublicKeyHashes : @[
+                          @"TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
+                          @"rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE=",
+                          ],
+                  kTSKIncludeSubdomains : @YES
+                  }
+          }};
 
 [TrustKit initializeWithConfiguration:trustKitConfig];
 ```
 
-Once **TrustKit** has been initialized, all SSL connections initiated by Apple
-frameworks within the App will verify the server' certificate chains against the
-supplied pinning policy. If report URIs have been configured, the App will also
-send reports to the specified URIs whenever a pin validation failure occurred.
+The policy can also be set programmatically in Swift Apps:
+ 
+```swift
+let trustKitConfig = [
+   kTSKPinnedDomains: [
+       "yahoo.com": [
+           kTSKPublicKeyAlgorithms: [kTSKAlgorithmRsa2048],
+           kTSKPublicKeyHashes: [
+               "JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg=",
+               "WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="
+             ],]]]
+  
+TrustKit.initializeWithConfiguration(config)
+```
+
+Once **TrustKit** has been initialized, it will by default swizzle the App's _NSURLSession_ and _NSURLConnection_ delegates to verify the server's certificate against the configured pinning policy, whenever an HTTPS connection is initiated. If report URIs have been configured, the App will also send reports to the specified URIs whenever a pin validation failure occurred.
+
+The swizzling behavior can be disabled via the `kTSKSwizzleNetworkDelegates` setting, and a server's certificate chain can easily be checked against the App's SSL pinning policy using the `TSKPinningValidator` class, for example to implement an authentication handler.
 
 For more information, see the [Getting Started][getting-started] guide.
 
 
 Credits
 -------
 
-**TrustKit** is a joint-effort between the security teams at Data Theorem and Yahoo.
-See `AUTHORS` for details.
+**TrustKit** is a joint-effort between the security teams at Data Theorem and Yahoo. See `AUTHORS` for details.
 
 
 License
@@ -141,3 +115,4 @@ License
 [bh2015-pdf]: https://datatheorem.github.io/TrustKit/files/TrustKit-BH2015.pdf
 [bh2015-conf]: https://www.blackhat.com/us-15/briefings.html#trustkit-code-injection-on-ios-8-for-the-greater-good
 [api-doc]: https://datatheorem.github.io/TrustKit/documentation
+[ios9-post]: https://datatheorem.github.io/ios/2015/10/17/trustkit-ios-9-shared-cache/
diff --git a/TrustKit.podspec b/TrustKit.podspec
@@ -1,6 +1,6 @@
 Pod::Spec.new do |s|
   s.name         = "TrustKit"
-  s.version      = "1.1.3"
+  s.version      = "1.2.0"
   s.summary      = 'TrustKit is an open source framework that makes it easy to deploy SSL pinning in any iOS or OS X App.'
   s.homepage     = "https://datatheorem.github.io/TrustKit"
   s.documentation_url = 'https://datatheorem.github.io/TrustKit/documentation/'
@@ -9,9 +9,10 @@ Pod::Spec.new do |s|
   s.source       = { :git => "https://github.com/datatheorem/TrustKit.git", :tag => "#{s.version}" }
   s.ios.deployment_target = '7.0'
   s.osx.deployment_target = '10.9'
-  s.source_files = 'TrustKit', 'TrustKit/**/*.{h,m}', 'TrustKit/Dependencies/fishhook/*.{h,c}'
+  s.source_files = 'TrustKit', 'TrustKit/**/*.{h,m}'
   s.public_header_files = 'TrustKit/TrustKit.h', 'TrustKit/Pinning/TSKPinningValidator.h'
   s.frameworks = 'Foundation', 'Security'
-  s.vendored_libraries = 'TrustKit/Dependencies/domain_registry/*.a'
+  s.ios.vendored_libraries = 'TrustKit/Dependencies/domain_registry/ios/*.a'
+  s.osx.vendored_libraries = 'TrustKit/Dependencies/domain_registry/osx/*.a'
   s.requires_arc = true
 end