From a30533e7b593a6a7c8a3e9e0d0f4e5ce888590c3 Mon Sep 17 00:00:00 2001
From: Michael Kirk
Date: Fri, 3 Nov 2017 09:52:04 -0400
Subject: [PATCH] Add GTSGIAG3 to censorship circumvention trust store

openssl x509 -outform der -in GIAG3.pem -out GIAG3.crt

// FREEBIE
---
 Podfile.lock | 2 +-
 Signal.xcodeproj/project.pbxproj | 1 +
 SignalServiceKit.podspec | 3 +-
 .../src/Network/OWSSignalService.m | 67 +++++++++++++-----
 .../Security/PinningCertificate/GTSGIAG3.crt | Bin 0 -> 1120 bytes
 5 files changed, 52 insertions(+), 21 deletions(-)
 create mode 100644 SignalServiceKit/src/Security/PinningCertificate/GTSGIAG3.crt

diff --git a/Podfile.lock b/Podfile.lock
index 3ae641b9b..05cec605f 100644
--- a/Podfile.lock
+++ b/Podfile.lock
@@ -168,7 +168,7 @@ SPEC CHECKSUMS:
 PureLayout: 4d550abe49a94f24c2808b9b95db9131685fe4cd
 Reachability: 33e18b67625424e47b6cde6d202dce689ad7af96
 SAMKeychain: 483e1c9f32984d50ca961e26818a534283b4cd5c
- SignalServiceKit: bfac5572f3a1ff8a853ead9b5413274a075f3cb4
+ SignalServiceKit: 1594ae26a08129175c6ca91690602aa47898f24c
 SocketRocket: dbb1554b8fc288ef8ef370d6285aeca7361be31e
 SQLCipher: 43d12c0eb9c57fb438749618fc3ce0065509a559
 TwistedOakCollapsingFutures: f359b90f203e9ab13dfb92c9ff41842a7fe1cd0c
diff --git a/Signal.xcodeproj/project.pbxproj b/Signal.xcodeproj/project.pbxproj
index 324703f87..5a1e56b02 100644
--- a/Signal.xcodeproj/project.pbxproj
+++ b/Signal.xcodeproj/project.pbxproj
@@ -2090,6 +2090,7 @@
 "${PODS_ROOT}/SAMKeychain/Support/SAMKeychain.bundle",
 "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/textsecure.cer",
 "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt",
+ "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSGIAG3.crt",
 );
 name = "[CP] Copy Pods Resources";
 outputPaths = (
diff --git a/SignalServiceKit.podspec b/SignalServiceKit.podspec
index b71357df1..5c2cf8eae 100644
--- a/SignalServiceKit.podspec
+++ b/SignalServiceKit.podspec
@@ -28,7 +28,8 @@ An Objective-C library for communicating with the Signal messaging service.
 s.source_files = 'SignalServiceKit/src/**/*.{h,m,mm}'
 s.resources = ['SignalServiceKit/src/Security/PinningCertificate/textsecure.cer',
- 'SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt']
+ 'SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt',
+ 'SignalServiceKit/src/Security/PinningCertificate/GTSGIAG3.crt']
 s.prefix_header_file = 'SignalServiceKit/src/TSPrefix.h'
 s.xcconfig = { 'OTHER_CFLAGS' => '$(inherited) -DSQLITE_HAS_CODEC' }
diff --git a/SignalServiceKit/src/Network/OWSSignalService.m b/SignalServiceKit/src/Network/OWSSignalService.m
index 037ab126c..90fee8fb0 100644
--- a/SignalServiceKit/src/Network/OWSSignalService.m
+++ b/SignalServiceKit/src/Network/OWSSignalService.m
@@ -5,6 +5,7 @@
 #import "OWSSignalService.h"
 #import "NSNotificationCenter+OWS.h"
 #import "OWSCensorshipConfiguration.h"
+#import "OWSError.h"
 #import "OWSHTTPSecurityPolicy.h"
 #import "TSAccountManager.h"
 #import "TSConstants.h"
@@ -259,35 +260,63 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange =
 #pragma mark - Google Pinning Policy
++ (nullable NSData *)certificateDataWithName:(NSString *)name error:(NSError **)error
+{
+ if (!name.length) {
+ OWSFail(@"%@ expected name with length > 0", self.tag);
+ *error = OWSErrorMakeAssertionError();
+ return nil;
+ }
+
+ NSString *path = [NSBundle.mainBundle pathForResource:name ofType:@"crt"];
+ if (![[NSFileManager defaultManager] fileExistsAtPath:path]) {
+ OWSFail(@"%@ Missing certificate for name: %@", self.tag, name);
+ *error = OWSErrorMakeAssertionError();
+ return nil;
+ }
+
+ NSData *_Nullable certData = [NSData dataWithContentsOfFile:path options:0 error:error];
+
+ if (*error != nil) {
+ OWSFail(@"%@ Failed to read cert file with path: %@", self.tag, path);
+ return nil;
+ }
+
+ if (certData.length == 0) {
+ OWSFail(@"%@ empty certData for name: %@", self.tag, name);
+ return nil;
+ }
+
+ DDLogVerbose(@"%@ read cert data with name: %@ length: %lu", self.tag, name, (unsigned long)certData.length);
+ return certData;
+}
+
 /**
 * We use the Google Pinning Policy when connecting to our censorship circumventing reflector,
 * which is hosted on Google.
 */
-+ (AFSecurityPolicy *)googlePinningPolicy {
++ (AFSecurityPolicy *)googlePinningPolicy
+{
 static AFSecurityPolicy *securityPolicy = nil;
 static dispatch_once_t onceToken;
 dispatch_once(&onceToken, ^{
 NSError *error;
- NSString *path = [NSBundle.mainBundle pathForResource:@"GIAG2" ofType:@"crt"];
-
- if (![[NSFileManager defaultManager] fileExistsAtPath:path]) {
- @throw [NSException
- exceptionWithName:@"Missing server certificate"
- reason:[NSString stringWithFormat:@"Missing signing certificate for service googlePinningPolicy"]
- userInfo:nil];
+ NSData *GIAG2CertData = [self certificateDataWithName:@"GIAG2" error:&error];
+ if (error) {
+ DDLogError(@"%@ Failed to get GIAG2 certificate data with error: %@", self.tag, error);
+ @throw [NSException exceptionWithName:@"OWSSignalService_UnableToReadCertificate"
+ reason:error.description
+ userInfo:nil];
 }
-
- NSData *googleCertData = [NSData dataWithContentsOfFile:path options:0 error:&error];
- if (!googleCertData) {
- if (error) {
- @throw [NSException exceptionWithName:@"OWSSignalServiceHTTPSecurityPolicy" reason:@"Couln't read google pinning cert" userInfo:nil];
- } else {
- NSString *reason = [NSString stringWithFormat:@"Reading google pinning cert faile with error: %@", error];
- @throw [NSException exceptionWithName:@"OWSSignalServiceHTTPSecurityPolicy" reason:reason userInfo:nil];
- }
+ NSData *GTSGIAG3CertData = [self certificateDataWithName:@"GTSGIAG3" error:&error];
+ if (error) {
+ DDLogError(@"%@ Failed to get GIAG3 certificate data with error: %@", self.tag, error);
+ @throw [NSException exceptionWithName:@"OWSSignalService_UnableToReadCertificate"
+ reason:error.description
+ userInfo:nil];
 }
-
- NSSet *certificates = [NSSet setWithObject:googleCertData];
+
+ NSSet *certificates = [NSSet setWithArray:@[ GIAG2CertData, GTSGIAG3CertData ]];
 securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate withPinnedCertificates:certificates];
 });
 return securityPolicy;
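Review bot: In `certificateDataWithName:error:` the `certData.length == 0` branch returns nil without writing `*error`, so the `if (error)` checks in `googlePinningPolicy` never fire for that case and the nil value reaches `@[ GIAG2CertData, GTSGIAG3CertData ]`, which throws `NSInvalidArgumentException` rather than the intended `OWSSignalService_UnableToReadCertificate`. The helper also dereferences `error` unconditionally (`*error = OWSErrorMakeAssertionError();` in two places and `if (*error != nil)`), which crashes if a caller passes NULL for the out-param, and the `if (*error != nil)` test depends on `-dataWithContentsOfFile:options:error:` leaving the out-param untouched on success instead of on its return value. Since this data becomes the pinned trust set for the censorship-circumvention reflector, every failure path should surface as a reported error: guard each `*error` write with `if (error)`, report the empty-data case through the out-param, and have the two call sites branch on the result (`if (!GIAG2CertData) {` and `if (!GTSGIAG3CertData) {`) rather than on `error`. The closing brace of `googlePinningPolicy` is not within the visible hunk.
```objc
    // … name and bundle-path checks as in the hunk, each *error write wrapped in if (error) …
    NSData *_Nullable certData = [NSData dataWithContentsOfFile:path options:0 error:error];
    if (!certData) {
        // Branch on the result; Foundation fills *error on failure and tolerates a NULL out-param.
        OWSFail(@"%@ Failed to read cert file with path: %@", self.tag, path);
        return nil;
    }

    if (certData.length == 0) {
        OWSFail(@"%@ empty certData for name: %@", self.tag, name);
        if (error) {
            *error = OWSErrorMakeAssertionError();
        }
        return nil;
    }
    // … unchanged: verbose log and return certData …
```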
diff --git a/SignalServiceKit/src/Security/PinningCertificate/GTSGIAG3.crt b/SignalServiceKit/src/Security/PinningCertificate/GTSGIAG3.crt new file mode 100644 index 0000000000000000000000000000000000000000..ffb1a0ff9ae57f1cd25324a04d5bf82fe7937c23 GIT binary patch literal 1120 zcmXqLVu>+mVs=@;%*4pV#LM`2rGd6II z*qB3ExP`^tbMliCbAmI|^Av*e^Gg(*9TjvHf{YA>4Fo|dxP-Y7Dqw=l$btrP;=G3D z24;q)20&n96eZ4UWN2sv=Ng0fHT%r)1 zT2z*qoLX$CYM=~~XBL)$%6sOOq!#6+mMA!umSp4?WtLPbxEmWZF)AT@i;n7 zny>veMLHU|`z_=evLtF`_fEI2sCD%;^LISE=s{VyO@?7*%E`RzfpTew7p3S_9(bO5 zIIJZ&$~pJ+EGC6Z@1-&?ZkSuV=z&&3YJlPS-<$RK3wAi@ZS@r3=gPY?{nvh-`K*@Q z5h3f@roA}Y$0)XEg_N)3(a94R$t~>u^zUGYisxc?@1w$ucbA6?WhQCA{-^Lh^S9N~ z4|SUF-cA$yzEOU`lL@L1jG34j85kEgF@i!$-+&Joq_X^sjQ?3!fa#;nKo-PTWf3zF zVdKzdV`ODzXJ&-6m<)tK(!wC+90qJaiiwc{qJ@t|j76mU(2jsv>1Aabbq}>&XkJja ztZtXLfjmfyGK++PScAyyN9^J0GI9s9*zQGcnWcOGj%1sjfho*y+K(8P>Q!gEuH1yMpi;N76K<3J`Xd3|aEKpsb+@=Usn_QHGsuZkV z4=8M457MK+VqsurV8X_h-pB*Y5e8ZY8ZaA~7{z2jrW6CMgxgk>T999yS(0B=sgInn zfcXWOuoxL+ws%f@68v`eo7*dl80YIOKAXGNNvM4Dj%O#CgAx>~!_|)oZnaP6ov9NY zbxMir?!4Xd-X8Y-Ot#&MEv~Y;U;nSk=scV9=-Rb7heLf@-`|T|He2Fg@YP6EbW+*x zx_QB`4we0}T-)(4ZIaqcnIjfwJ%2g3e~7&n=G%C^{^Oy$8+`vA*2=4ypBM8s$!X@p z?`H2rdUO;XyG@TOXFjmtm{-SN2c`C+D2Z2dmL8Ad=y}4rq;_YEX?&+y7@vc!(2L!s zMQ_)0g!ygQt+#Uali#v-+{q_qdrx#p3qK&TW!i^3I^p&~ENiE(s`b6_iD&*ChZomE Vi+9=FpKzKXT2V0l&|4$9djL9mhAIF6 literal 0 HcmV?d00001