PublicKeyPinner.swift

final class PublicKeyPinner {
    /// Stored public key hashes
    private let hashes: [String]

    public init(hashes: [String]) {
        self.hashes = hashes
    }

    /// ASN1 header for our public key to re-create the subject public key info
    private let rsa2048Asn1Header: [UInt8] = [
        0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
        0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00
    ]

    /// Validates an object used to evaluate trust's certificate by comparing their's public key hashes to the known, trused key hashes stored in the app
    /// Configuration.
    /// - Parameter serverTrust: The object used to evaluate trust.
    public func validate(serverTrust: SecTrust, domain: String?) -> Bool {
        // Set SSL policies for domain name check, if needed
        if let domain = domain {
            let policies = NSMutableArray()
            policies.add(SecPolicyCreateSSL(true, domain as CFString))
            SecTrustSetPolicies(serverTrust, policies)
        }

        // Check if the trust is valid
        var secresult = SecTrustResultType.invalid
        let status = SecTrustEvaluate(serverTrust, &secresult)

        guard status == errSecSuccess else { return false }

        // For each certificate in the valid trust:
        for index in 0..<SecTrustGetCertificateCount(serverTrust) {
            // Get the public key data for the certificate at the current index of the loop.
            guard let certificate = SecTrustGetCertificateAtIndex(serverTrust, index),
                let publicKey = SecCertificateCopyPublicKey(certificate),
                let publicKeyData = SecKeyCopyExternalRepresentation(publicKey, nil) else {
                    return false
            }

            // Hash the key, and check it's validity.
            let keyHash = hash(data: (publicKeyData as NSData) as Data)
            if hashes.contains(keyHash) {
                // Success! This is our server!
                return true
            }
        }

        // If none of the calculated hashes match any of our stored hashes, the connection we tried to establish is untrusted.
        return false
    }

    /// Creates a hash from the received data using the `sha256` algorithm.
    /// `Returns` the `base64` encoded representation of the hash.
    ///
    /// To replicate the output of the `openssl dgst -sha256` command, an array of specific bytes need to be appended to
    /// the beginning of the data to be hashed.
    /// - Parameter data: The data to be hashed.
    private func hash(data: Data) -> String {
        // Add the missing ASN1 header for public keys to re-create the subject public key info
        var keyWithHeader = Data(rsa2048Asn1Header)
        keyWithHeader.append(data)

        // Using CryptoKit
        if #available(iOS 13, *) {
            return SHA256.hash(data: keyWithHeader).description
        } else {
            // Using CommonCrypto's CC_SHA256 method
//            var hash = [UInt8](repeating: 0,  count: Int(CC_SHA256_DIGEST_LENGTH))
//            _ = keyWithHeader.withUnsafeBytes {
//                CC_SHA256($0.baseAddress!, CC_LONG(keyWithHeader.count), &hash)
//            }
//            return Data(hash).base64EncodedString()

            // Using CryptoSwift's Data.sha256() method
            return keyWithHeader.sha256().base64EncodedString()
        }
    }
}

line 66 must be return Data(SHA256.hash(data: keyWithHeader)).base64EncodedString() as mentioned in the article, if you use it as is ( return SHA256.hash(data: keyWithHeader).description ) it won't match with a public key generated using openssl in terminal like the following command:

openssl s_client -servername www.google.com -connect www.google.com:443 | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

How to call the validate? Here is my code:

func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Swift.Void) {
    
    var success: Bool = false
    if let serverTrust = challenge.protectionSpace.serverTrust {
      
      if self.pinner.validate(serverTrust: serverTrust, domain: self.domain) {
        success = true
        completionHandler(.useCredential, URLCredential(trust:serverTrust))
      }

It's working if I validate through Info.plist. But it failed when I use your publicKey validate method. Don't know why?

I managed to solve the issue. My implementation is here.

@zhouhao27 The implementation is it working solution?. Even i struggling to find optimum solution.Kindly let me know if its working solution?

My solution is working for me. You can have a try t3chnogod ***@***.***>于2023年11月22日 周三下午1:21写道：

…

***@***.**** commented on this gist. ------------------------------ @zhouhao27 <https://github.com/zhouhao27> The implementation is it working solution. Even i struggling to find optimum solution.Kindly let me know if its working solution? — Reply to this email directly, view it on GitHub <https://gist.github.com/davidmtamas/00206ef0bcf746a6911d72e5bb93d3ed#gistcomment-4768948> or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB5ZPE46R4PLY7TBJUBDTPLYFWDT7BFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVEYTAMRRGM3TAMZRU52HE2LHM5SXFJTDOJSWC5DF> . You are receiving this email because you were mentioned. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .