Certificate pinning for server trust verification

Pinning the following URLs against the bundled certificates

- cdn.optimizely.com
- logx.optimizely.com
- api.optimizely.com

Author: EliHini

OptimizelySDKCore/OptimizelySDKCore.xcodeproj/project.pbxproj

@@ -211,6 +211,9 @@
 		5E4C07F41DFF645C0042B1F8 /* UnsupportedVersionDatafile.json in Resources */ = {isa = PBXBuildFile; fileRef = 5E4C07F21DFF645C0042B1F8 /* UnsupportedVersionDatafile.json */; };
 		5E4C07FB1DFF66B00042B1F8 /* OPTLYNetworkServiceTest.m in Sources */ = {isa = PBXBuildFile; fileRef = 5E4C07FA1DFF66B00042B1F8 /* OPTLYNetworkServiceTest.m */; };
 		5E4C07FC1DFF66B00042B1F8 /* OPTLYNetworkServiceTest.m in Sources */ = {isa = PBXBuildFile; fileRef = 5E4C07FA1DFF66B00042B1F8 /* OPTLYNetworkServiceTest.m */; };
+		5E92F23522CDA35C00F12C87 /* cdnDump.cer in Resources */ = {isa = PBXBuildFile; fileRef = 5E92F23222CDA35B00F12C87 /* cdnDump.cer */; };
+		5E92F23622CDA35C00F12C87 /* apiDump.cer in Resources */ = {isa = PBXBuildFile; fileRef = 5E92F23322CDA35B00F12C87 /* apiDump.cer */; };
+		5E92F23722CDA35C00F12C87 /* logxDump.cer in Resources */ = {isa = PBXBuildFile; fileRef = 5E92F23422CDA35C00F12C87 /* logxDump.cer */; };
 		9084F7812150D4F700ACBA99 /* OPTLYEventTagUtil.h in Headers */ = {isa = PBXBuildFile; fileRef = 9084F77F2150D4F700ACBA99 /* OPTLYEventTagUtil.h */; };
 		9084F7822150D4F800ACBA99 /* OPTLYEventTagUtil.h in Headers */ = {isa = PBXBuildFile; fileRef = 9084F77F2150D4F700ACBA99 /* OPTLYEventTagUtil.h */; };
 		9084F7832150D4F800ACBA99 /* OPTLYEventTagUtil.m in Sources */ = {isa = PBXBuildFile; fileRef = 9084F7802150D4F700ACBA99 /* OPTLYEventTagUtil.m */; };
@@ -619,6 +622,9 @@
 		59B9E1E020E35C9E002F732E /* OPTLYProjectConfigSwiftTest.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = OPTLYProjectConfigSwiftTest.swift; sourceTree = "<group>"; };
 		5E4C07F21DFF645C0042B1F8 /* UnsupportedVersionDatafile.json */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.json; path = UnsupportedVersionDatafile.json; sourceTree = "<group>"; };
 		5E4C07FA1DFF66B00042B1F8 /* OPTLYNetworkServiceTest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = OPTLYNetworkServiceTest.m; sourceTree = "<group>"; };
+		5E92F23222CDA35B00F12C87 /* cdnDump.cer */ = {isa = PBXFileReference; lastKnownFileType = file; path = cdnDump.cer; sourceTree = "<group>"; };
+		5E92F23322CDA35B00F12C87 /* apiDump.cer */ = {isa = PBXFileReference; lastKnownFileType = file; path = apiDump.cer; sourceTree = "<group>"; };
+		5E92F23422CDA35C00F12C87 /* logxDump.cer */ = {isa = PBXFileReference; lastKnownFileType = file; path = logxDump.cer; sourceTree = "<group>"; };
 		8766E217ECD3BEA353B080F5 /* Pods_OptimizelySDKCoreiOSTests.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Pods_OptimizelySDKCoreiOSTests.framework; sourceTree = BUILT_PRODUCTS_DIR; };
 		8B04E0101E180FAD8C9CA7A6 /* Pods_OptimizelySDKCoreiOS.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Pods_OptimizelySDKCoreiOS.framework; sourceTree = BUILT_PRODUCTS_DIR; };
 		9084F77F2150D4F700ACBA99 /* OPTLYEventTagUtil.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = OPTLYEventTagUtil.h; sourceTree = "<group>"; };
@@ -997,6 +1003,16 @@
 			name = Notification;
 			sourceTree = "<group>";
 		};
+		5E92F23E22CDA41100F12C87 /* Resources */ = {
+			isa = PBXGroup;
+			children = (
+				5E92F23422CDA35C00F12C87 /* logxDump.cer */,
+				5E92F23322CDA35B00F12C87 /* apiDump.cer */,
+				5E92F23222CDA35B00F12C87 /* cdnDump.cer */,
+			);
+			path = Resources;
+			sourceTree = "<group>";
+		};
 		93BE4E5119FD429B5D9A3435 /* Pods */ = {
 			isa = PBXGroup;
 			children = (
@@ -1201,6 +1217,7 @@
 		EA3C67FB1DC1E66C00C578CA = {
 			isa = PBXGroup;
 			children = (
+				5E92F23E22CDA41100F12C87 /* Resources */,
 				3E858C5C1F42275700D53856 /* OPTLYJSONModel */,
 				3EA27B081F47AB0D00C0208F /* OPTLYJSONModelTests */,
 				EA3C68071DC1E66C00C578CA /* OptimizelySDKCore */,
@@ -1611,6 +1628,7 @@
 			developmentRegion = English;
 			hasScannedForEncodings = 0;
 			knownRegions = (
+				English,
 				en,
 			);
 			mainGroup = EA3C67FB1DC1E66C00C578CA;
@@ -1678,6 +1696,9 @@
 			buildActionMask = 2147483647;
 			files = (
 				3E858C601F42277B00D53856 /* LICENSE in Resources */,
+				5E92F23522CDA35C00F12C87 /* cdnDump.cer in Resources */,
+				5E92F23622CDA35C00F12C87 /* apiDump.cer in Resources */,
+				5E92F23722CDA35C00F12C87 /* logxDump.cer in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};

OptimizelySDKCore/OptimizelySDKCore/OPTLYHTTPRequestManager.m

@@ -24,7 +24,7 @@
 static NSString * const kHTTPHeaderFieldContentType = @"Content-Type";
 static NSString * const kHTTPHeaderFieldValueApplicationJSON = @"application/json";
 
-@interface OPTLYHTTPRequestManager()
+@interface OPTLYHTTPRequestManager() <NSURLSessionDelegate>
 
 - (NSURLSession *)session;
 
@@ -41,7 +41,7 @@ - (NSURLSession *)session {
     NSURLSession *ephemeralSession = nil;
 
     @try {
-        ephemeralSession = [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration ephemeralSessionConfiguration]];
+        ephemeralSession = [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration ephemeralSessionConfiguration] delegate:self delegateQueue:nil];
         ephemeralSession.configuration.TLSMinimumSupportedProtocol = kTLSProtocol12;
 
     }
@@ -453,3 +453,97 @@ - (NSURL *)buildQueryURL:(NSURL *)url
 }
 
 @end
+
+typedef enum : NSUInteger {
+    kOPTLY_Unknown,
+    kOPTLY_CDN,
+    kOPTLY_LOGX,
+    kOPTLY_API,
+} OPTLYEndpointHostType;
+
+NSString * const OPTLYDefaultEndpointHost = @"cdn.optimizely.com";
+NSString * const OPTLYLogEventEndpointHost = @"logx.optimizely.com";
+NSString * const OPTLYAPIEndpointHost = @"api.optimizely.com";
+
+@implementation OPTLYHTTPRequestManager (NSURLSessionDelegate)
+- (OPTLYEndpointHostType)hostTypeForChallenge:(NSURLAuthenticationChallenge*)challenge {
+    NSString *host = challenge.protectionSpace.host;
+    OPTLYEndpointHostType hostType = kOPTLY_Unknown;
+    if ([host isEqualToString:OPTLYDefaultEndpointHost]) {
+        hostType = kOPTLY_CDN;
+    } else if ([host isEqualToString:OPTLYLogEventEndpointHost]) {
+        hostType = kOPTLY_LOGX;
+    } else if ([host isEqualToString:OPTLYAPIEndpointHost]) {
+        hostType = kOPTLY_API;
+    }
+    return hostType;
+}
+
+- (NSString*)certificateFileNameForHostType:(OPTLYEndpointHostType)hostType {
+    NSString *fileName = nil;
+    switch (hostType) {
+        case kOPTLY_CDN:
+            fileName =  @"cdnDump";
+            break;
+        case kOPTLY_LOGX:
+            fileName = @"logxDump";
+            break;
+        case kOPTLY_API:
+            fileName = @"apiDump";
+            break;
+        default:
+            break;
+    }
+    return fileName;
+}
+
+- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
+ completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential * _Nullable credential))completionHandler {
+    BOOL allowConnection = NO;
+    SecTrustRef serverTrust = NULL;
+    
+    if (challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust) {
+        OPTLYEndpointHostType hostType = [self hostTypeForChallenge:challenge];
+        NSString *bundleCertFileName = [self certificateFileNameForHostType:hostType];
+        if (bundleCertFileName != nil) {
+            serverTrust = challenge.protectionSpace.serverTrust;
+            SecTrustResultType sectTrustResult = kSecTrustResultInvalid;
+            if (serverTrust != nil && SecTrustEvaluate(serverTrust, &sectTrustResult) == errSecSuccess) {
+                NSString *bundledCertFilePath = [[NSBundle bundleForClass:[self class]] pathForResource:bundleCertFileName ofType:@"cer"];
+                if (bundledCertFilePath != nil) {
+                    CFIndex certCount = SecTrustGetCertificateCount(serverTrust);
+                    CFIndex certIndex;
+                    NSMutableArray* certificates = [NSMutableArray array];
+                    for (certIndex = 0; certIndex < certCount; certIndex++) {
+                        SecCertificateRef aServerCertificate = SecTrustGetCertificateAtIndex(serverTrust, certIndex);
+                        [certificates addObject:(__bridge id)aServerCertificate];
+                    }
+                    
+                    SecTrustRef newTrust = NULL;
+                    SecTrustResultType  newTrustResult;
+                    OSStatus err = SecTrustCreateWithCertificates((__bridge CFArrayRef) certificates, NULL, &newTrust);
+                    if (err == noErr) {
+                        err = SecTrustEvaluate(newTrust, &newTrustResult);
+                    }
+                    
+                    allowConnection = NO;
+                    
+                    if (err == noErr) {
+                        allowConnection = (newTrustResult == kSecTrustResultProceed) || (newTrustResult == kSecTrustResultUnspecified);
+                    }
+                    
+                    if (newTrust != NULL) {
+                        CFRelease(newTrust);
+                    }
+                }
+            }
+        }
+    }
+    
+    if (allowConnection) {
+        completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:serverTrust]);
+    } else {
+        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
+    }
+}
+@end