Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] No longer working #321

Open
quaos opened this issue Jan 4, 2024 · 1 comment
Open

[Bug] No longer working #321

quaos opened this issue Jan 4, 2024 · 1 comment

Comments

@quaos
Copy link

quaos commented Jan 4, 2024
edited
Loading

Hi,

About 1-2 months ago, I had used this library through react-native-ssl-public-key-pinning to enforce SSL pinning in my company's app on a PoC branch, which worked as expected.

And just yesterday, I tried to install and apply the library again in a new branch, but now it does not block any request to pinned domain when using invalid keys.

I'm not sure if this was the issue with react-native-ssl-public-key-pinning or with the TrustKit, but the configuration used to initialize TrustKit looks supposedly correct. (I also opened an issue there)

Logs

(iOS to MacOS Console log)

=== TrustKit: Successfully initialized with configuration {
    TSKPinnedDomains =     {
        "some-service.tech" =         {
            TSKDisableDefaultReportUri = 1;
            TSKEnforcePinning = 1;
            TSKIncludeSubdomains = 1;
            TSKPublicKeyHashes = "{(\n    {length = 32, bytes = 0x00000000 00000000 00000000 00000000 ... 00000000 00000000 },\n    {length = 32, bytes = 0x04104104 10410410 41041041 04104104 ... 04104104 10410410 }\n)}";
            kSKExcludeSubdomainFromParentPolicy = 0;
        };
    };
    TSKSwizzleNetworkDelegates = 0;
}

Versions

TrustKit: 3.0.3
CocoaPods: 1.14.3
iOS: 16.2 (iPhone Simulator)

Thanks!
@quaos quaos mentioned this issue Jan 4, 2024
Open
@quaos
Copy link
Author

quaos commented Jan 26, 2024

UPDATE

I've created a test repo in attempt to reproduce the issue, but still can't:
test-expo-ssl-pinning-1

My latest investigation revealed that the execution does not enter TrustKit's [TSKPinningValidator handleChallenge:completionHandler:] at all, while in the test repo it reaches the endpoint and trigger TrustKit's evaluation.

Is there anything I might have missed here?
Thanks!

Test Repo (entering TrustKit methods ✅)

XCode Debug stack trace

Thread 47 Queue : com.facebook.react.NetworkingQueue (serial)
#0	0x0000000104953d00 in -[RCTHTTPRequestHandler sendRequest:withDelegate:] at /Users/chakrit/Projects/test-expo-ssl-pinning-1/node_modules/react-native/Libraries/Network/RCTHTTPRequestHandler.mm:71
#1	0x0000000104960d7c in -[RCTNetworkTask start] at /Users/chakrit/Projects/test-expo-ssl-pinning-1/node_modules/react-native/Libraries/Network/RCTNetworkTask.mm:75
...

Thread 48 Queue : com.facebook.react.NetworkingQueue (serial)
#0	0x0000000104c8d9e0 in verifyPublicKeyPin at /Users/chakrit/Projects/test-expo-ssl-pinning-1/ios/Pods/TrustKit/TrustKit/Pinning/ssl_pin_verifier.m:24
#1	0x0000000104c94290 in -[TSKPinningValidator evaluateTrust:forHostname:] at /Users/chakrit/Projects/test-expo-ssl-pinning-1/ios/Pods/TrustKit/TrustKit/TSKPinningValidator.m:126
#2	0x0000000104c94774 in -[TSKPinningValidator handleChallenge:completionHandler:] at /Users/chakrit/Projects/test-expo-ssl-pinning-1/ios/Pods/TrustKit/TrustKit/TSKPinningValidator.m:202
#3	0x0000000104d5dc38 in -[RCTHTTPRequestHandler(SslPublicKeyPinning) URLSession:task:didReceiveChallenge:completionHandler:] at /Users/chakrit/Projects/test-expo-ssl-pinning-1/node_modules/react-native-ssl-public-key-pinning/ios/SslPublicKeyPinning.mm:108
#4	0x0000000183e10bcc in ___lldb_unnamed_symbol2730 ()
#5	0x0000000180b9a8e8 in __NSBLOCKOPERATION_IS_CALLING_OUT_TO_A_BLOCK__ ()
# ...
Enqueued from com.apple.NSURLSession-work (Thread 48) Queue : com.apple.NSURLSession-work (serial)

iOS -> MacOS console log

(hard to capture, it flows non-stop and won't pause)

default	15:02:39.277090+0700	testexposslpinning1	=== TrustKit: Loaded 6 SPKI cache entries from the filesystem
default	15:31:35.878371+0700	testexposslpinning1	=== TrustKit: Successfully initialized with configuration {
    TSKPinnedDomains =     {
        "firebaseremoteconfig.googleapis.com" =         {
          // ...
        };
        "google.com" =         {
          // ...
        };
        "quaos-portfolio.netlify.app" =         {
            TSKDisableDefaultReportUri = 1;
            TSKEnforcePinning = 1;
            TSKIncludeSubdomains = 1;
            TSKPublicKeyHashes = "{(\n    {length = 32, bytes = 0xaff98890 6dde1295 5d9bebbf 928fdcc3 ... 1c8941ca 26e20391 },\n    {length = 32, bytes = 0x59e738e6 74221702 af1edb87 c5200c1a ... 265124c6 1bd83c79 }\n)}";
            kSKExcludeSubdomainFromParentPolicy = 0;
        };
    };
    TSKSwizzleNetworkDelegates = 0;
}

default	15:44:34.968784+0700	testexposslpinning1	boringssl_context_evaluate_trust_async(1635) [C37.1.1.3:2][0x1503151b0] Performing external trust evaluation
default	15:44:34.969041+0700	testexposslpinning1	boringssl_context_evaluate_trust_async_external(1620) [C37.1.1.3:2][0x1503151b0] Asyncing for external verify block
default	15:45:08.189121+0700	testexposslpinning1	=== TrustKit: Testing SSL Pin {length = 32, bytes = 0x59e738e6 74221702 af1edb87 c5200c1a ... 265124c6 1bd83c79 }
default	15:45:08.189281+0700	testexposslpinning1	=== TrustKit: SSL Pin found for quaos-portfolio.netlify.app
default	15:45:08.189379+0700	testexposslpinning1	=== TrustKit: Pin validation succeeded for quaos-portfolio.netlify.app
default	15:45:08.204597+0700	testexposslpinning1	boringssl_context_evaluate_trust_async_external_block_invoke(1608) [0x0] Cancelled during verify block

Original Repo (not entering TrustKit methods ❌)

XCode Debug stack trace

Thread 91 Queue : com.facebook.react.NetworkingQueue (serial)
#0	0x0000000103718d64 in -[RCTHTTPRequestHandler sendRequest:withDelegate:] at /Users/chakrit/Projects/myapp/node_modules/react-native/Libraries/Network/RCTHTTPRequestHandler.mm:71
#1	0x0000000103725de0 in -[RCTNetworkTask start] at /Users/chakrit/Projects/myapp/node_modules/react-native/Libraries/Network/RCTNetworkTask.mm:75
...

iOS -> MacOS console log

(hard to capture, it flows non-stop and won't pause)

default	16:08:30.082662+0700	myapp	=== TrustKit: Loaded 0 SPKI cache entries from the filesystem
default	16:08:57.250258+0700	myapp	=== TrustKit: Successfully initialized with configuration {
    TSKPinnedDomains =     {
        "some-service.tech" =         {
            TSKDisableDefaultReportUri = 1;
            TSKEnforcePinning = 1;
            TSKIncludeSubdomains = 1;
            TSKPublicKeyHashes = "{(\n    {length = 32, bytes = 0x00000000 00000000 00000000 00000000 ... 00000000 00000000 },\n    {length = 32, bytes = 0x04104104 10410410 41041041 04104104 ... 04104104 10410410 }\n)}";
            kSKExcludeSubdomainFromParentPolicy = 0;
        };
    };
    TSKSwizzleNetworkDelegates = 0;
}


default	16:17:39.503190+0700	myapp	boringssl_context_evaluate_trust_async(1635) [C255.1.2.1:2][0x15b241600] Performing external trust evaluation
default	16:17:39.503268+0700	myapp	boringssl_context_evaluate_trust_async_external(1620) [C255.1.2.1:2][0x15b241600] Asyncing for external verify block
default	16:17:39.520363+0700	myapp	boringssl_context_evaluate_trust_async_external_block_invoke_3(1576) [C255.1.2.1:2][0x15b241600] Returning from external verify block with result: true
default	16:17:39.520441+0700	myapp	boringssl_context_certificate_verify_callback(1797) [C255.1.2.1:2][0x15b241600] Certificate verification result: OK

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@quaos