From 8d2e81ddde33572f969dd60caaca125bf1f722d2 Mon Sep 17 00:00:00 2001
From: Niels Andriesse
Date: Thu, 1 Apr 2021 15:51:14 +1100
Subject: [PATCH] Trust only self-signed seed node certificates
---
SessionUtilitiesKit/Networking/HTTP.swift | 27 ++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/SessionUtilitiesKit/Networking/HTTP.swift b/SessionUtilitiesKit/Networking/HTTP.swift
index 6c4d74205..ddabe8f9d 100644
--- a/SessionUtilitiesKit/Networking/HTTP.swift
+++ b/SessionUtilitiesKit/Networking/HTTP.swift
@@ -7,6 +7,22 @@ public enum HTTP {
 private static let snodeURLSession = URLSession(configuration: .ephemeral, delegate: snodeURLSessionDelegate, delegateQueue: nil)
 private static let snodeURLSessionDelegate = SnodeURLSessionDelegateImplementation()
+ // MARK: Certificates
+ private static let storageSeed1Cert: Data = {
+ let path = Bundle.main.path(forResource: "storage-seed-1", ofType: "crt")!
+ return try! Data(contentsOf: URL(string: path)!)
+ }()
+
+ private static let storageSeed3Cert: Data = {
+ let path = Bundle.main.path(forResource: "storage-seed-3", ofType: "crt")!
+ return try! Data(contentsOf: URL(string: path)!)
+ }()
+
+ private static let publicLokiFoundationCert: Data = {
+ let path = Bundle.main.path(forResource: "public-loki-foundation", ofType: "crt")!
+ return try! Data(contentsOf: URL(string: path)!)
+ }()
+
 // MARK: Settings
 public static let timeout: TimeInterval = 10
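Review bot: The three certificate loaders build the file location with `URL(string: path)`, which yields a scheme-less URL rather than a file URL, so `Data(contentsOf:)` may refuse to read the bundled file and the `try!` would then crash at first access; `Bundle.main.url(forResource:withExtension:)` returns a proper file URL directly. The delegate in the second hunk compares this data byte-for-byte with the DER bytes of the presented leaf certificate, so the bundled `.crt` files must be DER-encoded — a PEM-encoded file would silently cause every seed-node connection to be rejected; parsing the bytes with `SecCertificateCreateWithData` at load time turns that into a loud packaging failure instead. This file lives in SessionUtilitiesKit, so `Bundle.main` presumably relies on the host app, not the framework, shipping the certificates — worth a comment if that is intended. The three identical closures also reduce to one helper.
```swift
// MARK: Certificates
/// Loads a DER-encoded certificate from the host app bundle; a missing or non-DER file is a packaging error and aborts at first use.
private static func loadCertificate(named name: String) -> Data {
    let url = Bundle.main.url(forResource: name, withExtension: "crt")!
    let data = try! Data(contentsOf: url)
    precondition(SecCertificateCreateWithData(nil, data as CFData) != nil, "\(name).crt is not a DER-encoded certificate")
    return data
}

private static let storageSeed1Cert = loadCertificate(named: "storage-seed-1")
private static let storageSeed3Cert = loadCertificate(named: "storage-seed-3")
private static let publicLokiFoundationCert = loadCertificate(named: "public-loki-foundation")
// … unchanged: Settings …
```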
@@ -14,11 +30,12 @@ public enum HTTP {
 private final class SeedNodeURLSessionDelegateImplementation : NSObject, URLSessionDelegate {
 func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
-
- // TODO: Implement
-
- // Snode to snode communication uses self-signed certificates but clients can safely ignore this
- completionHandler(.useCredential, URLCredential(trust: challenge.protectionSpace.serverTrust!))
+ guard let trust = challenge.protectionSpace.serverTrust, let certificate = SecTrustGetCertificateAtIndex(trust, 0) else { return completionHandler(.cancelAuthenticationChallenge, nil) }
+ let data = SecCertificateCopyData(certificate) as Data
+ if storageSeed1Cert == data { return completionHandler(.useCredential, URLCredential(trust: trust)) }
+ if storageSeed3Cert == data { return completionHandler(.useCredential, URLCredential(trust: trust)) }
+ if publicLokiFoundationCert == data { return completionHandler(.useCredential, URLCredential(trust: trust)) }
+ return completionHandler(.cancelAuthenticationChallenge, nil)
 }
 }
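Review bot: The new handler cancels every challenge whose `serverTrust` is nil, which also covers non-TLS challenges such as proxy authentication that should fall back to the system; a leading `guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust else { return completionHandler(.performDefaultHandling, nil) }` keeps those on their default path while the pinning logic stays as written. The byte-equality match against the leaf certificate intentionally bypasses system trust evaluation, so expiry and hostname are never checked and a rotated seed-node certificate is refused until an app update ships the new file; that trade-off deserves a comment, e.g. `// Exact leaf-certificate pinning: trust is decided by byte equality with a bundled cert, not by SecTrustEvaluate`. The three identical `if` branches collapse to `let isTrusted = [storageSeed1Cert, storageSeed3Cert, publicLokiFoundationCert].contains(data)` followed by `completionHandler(isTrusted ? .useCredential : .cancelAuthenticationChallenge, isTrusted ? URLCredential(trust: trust) : nil)`.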