renamed TrustedSSL constant to something more meaningful; added comments; also check the server URL against the expected one before trusting it
git-svn-id: https://svn.apache.org/repos/asf/chemistry/objectivecmis/trunk@1483738 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/ObjectiveCMIS/Common/CMISSessionParameters.h b/ObjectiveCMIS/Common/CMISSessionParameters.h
index 59a58bf..7df616f 100644
--- a/ObjectiveCMIS/Common/CMISSessionParameters.h
+++ b/ObjectiveCMIS/Common/CMISSessionParameters.h
@@ -41,8 +41,10 @@
// TODO: Temporary, must be extracted into separate project
extern NSString * const kCMISSessionParameterMode;
-
-extern NSString * const kCMISSessionTrustedSSLServerFlag;
+/**
+ This flag is used for SSL self certification and indicates, whether a server is trusted. Default value is NO.
+ */
+extern NSString * const kCMISSessionAllowUntrustedSSLCertificate;
@interface CMISSessionParameters : NSObject
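Review bot: The doc comment added above `kCMISSessionAllowUntrustedSSLCertificate` still describes the old meaning ("indicates, whether a server is trusted"), while the new name says the session will accept a certificate that normal validation would not. Judging from the CMISHttpRequest.m hunks in this commit, setting the flag lets server-trust challenges for the requested host reach the authentication provider instead of being rejected, and the comment should say that. Suggested wording: `/** When YES, server-trust challenges for the requested host are passed to the authentication provider, so a self-signed certificate can be accepted. Default is NO. */`. The key string in CMISSessionParameters.m remains `session_param_trusted_ssl_server_flag`, presumably for compatibility, and a one-line comment there saying so would stop a later cleanup from changing it.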
diff --git a/ObjectiveCMIS/Common/CMISSessionParameters.m b/ObjectiveCMIS/Common/CMISSessionParameters.m
index 5ebe46c..6abe5b1 100644
--- a/ObjectiveCMIS/Common/CMISSessionParameters.m
+++ b/ObjectiveCMIS/Common/CMISSessionParameters.m
@@ -26,7 +26,7 @@
NSString * const kCMISSessionParameterMode = @"session_param_mode";
-NSString * const kCMISSessionTrustedSSLServerFlag = @"session_param_trusted_ssl_server_flag";
+NSString * const kCMISSessionAllowUntrustedSSLCertificate = @"session_param_trusted_ssl_server_flag";
@interface CMISSessionParameters ()
@property (nonatomic, assign, readwrite) CMISBindingType bindingType;
diff --git a/ObjectiveCMIS/Common/CMISStandardAuthenticationProvider.m b/ObjectiveCMIS/Common/CMISStandardAuthenticationProvider.m
index ee4472e..1bbd4a9 100644
--- a/ObjectiveCMIS/Common/CMISStandardAuthenticationProvider.m
+++ b/ObjectiveCMIS/Common/CMISStandardAuthenticationProvider.m
@@ -63,7 +63,10 @@
}
}
-
+/**
+ This checks whether a request can be authenticated. It gets called from the CMISHttpRequest. For SSL servers we filter the call directly in HttpRequest.
+ So that when we reach this call, we know, the SSL server can be trusted.
+ */
- (BOOL)canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
{
// default implementation mimics default NSURLConnectionDelegate behavior
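Review bot: The comment added above `canAuthenticateAgainstProtectionSpace:` states as fact that the SSL server can be trusted by the time this method runs, but that holds only because CMISHttpRequest filters server-trust challenges first. Nothing visible in this hunk enforces it, and the method body continues outside the hunk. A custom network provider or any other caller of the authentication provider would inherit the claim without the filter. I would word it as a precondition instead: `/** Called by CMISHttpRequest, which rejects server-trust challenges unless the session opted in and the host matches. Callers other than CMISHttpRequest must apply that filter themselves. */`. The same applies to the comment on `didReceiveAuthenticationChallenge:` in the hunk at -86,7.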
@@ -86,7 +89,10 @@
// nothing to do in the default implementation
}
-
+/**
+ This gets called from CMISHttpRequest. CMISHttpRequest also filters out any unauthorised calls to SSL server. We only get called here, if the SSL server
+ is actually trusted.
+ */
- (void)didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
if (challenge.previousFailureCount == 0) {
diff --git a/ObjectiveCMIS/Utils/CMISDefaultNetworkProvider.m b/ObjectiveCMIS/Utils/CMISDefaultNetworkProvider.m
index ff7d7fd..df345b5 100644
--- a/ObjectiveCMIS/Utils/CMISDefaultNetworkProvider.m
+++ b/ObjectiveCMIS/Utils/CMISDefaultNetworkProvider.m
@@ -46,13 +46,13 @@
session:session];
if (!cmisRequest.isCancelled)
{
- BOOL isTrusted = [[session objectForKey:kCMISSessionTrustedSSLServerFlag defaultValue:[NSNumber numberWithBool:NO]] boolValue];
+ BOOL useTrustedSSLServer = [[session objectForKey:kCMISSessionAllowUntrustedSSLCertificate defaultValue:[NSNumber numberWithBool:NO]] boolValue];
CMISHttpRequest* request = [CMISHttpRequest startRequest:urlRequest
httpMethod:httpRequestMethod
requestBody:body
headers:additionalHeaders
authenticationProvider:session.authenticationProvider
- trustedSSLServer:isTrusted
+ useTrustedSSLServer:useTrustedSSLServer
completionBlock:completionBlock];
if (request)
{
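Review bot: The local `useTrustedSSLServer` now holds the value of `kCMISSessionAllowUntrustedSSLCertificate`, so the variable and the `useTrustedSSLServer:` selector label read as the opposite of what the flag means. YES here relaxes certificate checking; it does not require a trusted server. Naming the local after the constant keeps the call sites honest: `BOOL allowUntrustedSSLCertificate = [[session objectForKey:kCMISSessionAllowUntrustedSSLCertificate defaultValue:[NSNumber numberWithBool:NO]] boolValue];`. The same line is repeated in the hunks at -79,14, -116,14, -154,7 and -192,13, and the enclosing methods start and end outside these hunks.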
@@ -79,14 +79,14 @@
httpMethod:httpRequestMethod
session:session];
- BOOL isTrusted = [[session objectForKey:kCMISSessionTrustedSSLServerFlag defaultValue:[NSNumber numberWithBool:NO]] boolValue];
+ BOOL useTrustedSSLServer = [[session objectForKey:kCMISSessionAllowUntrustedSSLCertificate defaultValue:[NSNumber numberWithBool:NO]] boolValue];
CMISHttpUploadRequest* request = [CMISHttpUploadRequest startRequest:urlRequest
httpMethod:httpRequestMethod
inputStream:inputStream
headers:additionalHeaders
bytesExpected:0
authenticationProvider:session.authenticationProvider
- trustedSSLServer:isTrusted
+ useTrustedSSLServer:useTrustedSSLServer
completionBlock:completionBlock
progressBlock:nil];
if (request)
@@ -116,14 +116,14 @@
httpMethod:httpRequestMethod
session:session];
- BOOL isTrusted = [[session objectForKey:kCMISSessionTrustedSSLServerFlag defaultValue:[NSNumber numberWithBool:NO]] boolValue];
+ BOOL useTrustedSSLServer = [[session objectForKey:kCMISSessionAllowUntrustedSSLCertificate defaultValue:[NSNumber numberWithBool:NO]] boolValue];
CMISHttpUploadRequest* request = [CMISHttpUploadRequest startRequest:urlRequest
httpMethod:httpRequestMethod
inputStream:inputStream
headers:additionalHeaders
bytesExpected:bytesExpected
authenticationProvider:session.authenticationProvider
- trustedSSLServer:isTrusted
+ useTrustedSSLServer:useTrustedSSLServer
completionBlock:completionBlock
progressBlock:progressBlock];
if (request){
@@ -154,7 +154,7 @@
httpMethod:httpRequestMethod
session:session];
- BOOL isTrusted = [[session objectForKey:kCMISSessionTrustedSSLServerFlag defaultValue:[NSNumber numberWithBool:NO]] boolValue];
+ BOOL useTrustedSSLServer = [[session objectForKey:kCMISSessionAllowUntrustedSSLCertificate defaultValue:[NSNumber numberWithBool:NO]] boolValue];
CMISHttpUploadRequest* request = [CMISHttpUploadRequest startRequest:urlRequest
httpMethod:httpRequestMethod
inputStream:inputStream
@@ -163,7 +163,7 @@
authenticationProvider:session.authenticationProvider
cmisProperties:cmisProperties
mimeType:mimeType
- trustedSSLServer:isTrusted
+ useTrustedSSLServer:useTrustedSSLServer
completionBlock:completionBlock
progressBlock:progressBlock];
if (request){
@@ -192,13 +192,13 @@
httpMethod:HTTP_GET
session:session];
- BOOL isTrusted = [[session objectForKey:kCMISSessionTrustedSSLServerFlag defaultValue:[NSNumber numberWithBool:NO]] boolValue];
+ BOOL useTrustedSSLServer = [[session objectForKey:kCMISSessionAllowUntrustedSSLCertificate defaultValue:[NSNumber numberWithBool:NO]] boolValue];
CMISHttpDownloadRequest* request = [CMISHttpDownloadRequest startRequest:urlRequest
httpMethod:httpRequestMethod
outputStream:outputStream
bytesExpected:bytesExpected
authenticationProvider:session.authenticationProvider
- trustedSSLServer:isTrusted
+ useTrustedSSLServer:useTrustedSSLServer
completionBlock:completionBlock
progressBlock:progressBlock];
if (request) {
diff --git a/ObjectiveCMIS/Utils/CMISHttpDownloadRequest.h b/ObjectiveCMIS/Utils/CMISHttpDownloadRequest.h
index 9a7081c..a3fab19 100644
--- a/ObjectiveCMIS/Utils/CMISHttpDownloadRequest.h
+++ b/ObjectiveCMIS/Utils/CMISHttpDownloadRequest.h
@@ -38,7 +38,7 @@
outputStream:(NSOutputStream*)outputStream
bytesExpected:(unsigned long long)bytesExpected
authenticationProvider:(id<CMISAuthenticationProvider>) authenticationProvider
- trustedSSLServer:(BOOL)trustedSSLServer
+ useTrustedSSLServer:(BOOL)trustedSSLServer
completionBlock:(void (^)(CMISHttpResponse *httpResponse, NSError *error))completionBlock
progressBlock:(void (^)(unsigned long long bytesDownloaded, unsigned long long bytesTotal))progressBlock;
diff --git a/ObjectiveCMIS/Utils/CMISHttpDownloadRequest.m b/ObjectiveCMIS/Utils/CMISHttpDownloadRequest.m
index b2095aa..20bd5c2 100644
--- a/ObjectiveCMIS/Utils/CMISHttpDownloadRequest.m
+++ b/ObjectiveCMIS/Utils/CMISHttpDownloadRequest.m
@@ -40,7 +40,7 @@
outputStream:(NSOutputStream*)outputStream
bytesExpected:(unsigned long long)bytesExpected
authenticationProvider:(id<CMISAuthenticationProvider>) authenticationProvider
- trustedSSLServer:(BOOL)trustedSSLServer
+ useTrustedSSLServer:(BOOL)trustedSSLServer
completionBlock:(void (^)(CMISHttpResponse *httpResponse, NSError *error))completionBlock
progressBlock:(void (^)(unsigned long long bytesDownloaded, unsigned long long bytesTotal))progressBlock
{
diff --git a/ObjectiveCMIS/Utils/CMISHttpRequest.h b/ObjectiveCMIS/Utils/CMISHttpRequest.h
index 0d15dca..13569d0 100644
--- a/ObjectiveCMIS/Utils/CMISHttpRequest.h
+++ b/ObjectiveCMIS/Utils/CMISHttpRequest.h
@@ -34,7 +34,7 @@
@property (nonatomic, strong) id<CMISAuthenticationProvider> authenticationProvider;
@property (nonatomic, assign) BOOL trustedSSLServer;
@property (nonatomic, copy) void (^completionBlock)(CMISHttpResponse *httpResponse, NSError *error);
-
+@property (nonatomic, strong) NSURL *requestURL;
/**
* starts a URL request for given HTTP method
* @param requestBody (optional)
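Review bot: `requestURL` is added as a public read-write property, yet the delegate methods in CMISHttpRequest.m read it when deciding whether a server-trust challenge is passed on. Any code that assigns it after the request has started changes what the host check compares against. Declaring it `@property (nonatomic, strong, readonly) NSURL *requestURL;` here and redeclaring it read-write in the class extension of the .m (assuming there is one; it is not visible in this diff) would leave `startRequest:` as the only writer. The property is also undocumented, and `/// URL the request was started with; used for the server-trust host check.` would cover it.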
@@ -47,7 +47,7 @@
requestBody:(NSData*)requestBody
headers:(NSDictionary*)additionalHeaders
authenticationProvider:(id<CMISAuthenticationProvider>)authenticationProvider
- trustedSSLServer:(BOOL)trustedSSLServer
+ useTrustedSSLServer:(BOOL)trustedSSLServer
completionBlock:(void (^)(CMISHttpResponse *httpResponse, NSError *error))completionBlock;
/**
diff --git a/ObjectiveCMIS/Utils/CMISHttpRequest.m b/ObjectiveCMIS/Utils/CMISHttpRequest.m
index a0ec045..8c1525e 100644
--- a/ObjectiveCMIS/Utils/CMISHttpRequest.m
+++ b/ObjectiveCMIS/Utils/CMISHttpRequest.m
@@ -47,7 +47,7 @@
requestBody:(NSData*)requestBody
headers:(NSDictionary*)additionalHeaders
authenticationProvider:(id<CMISAuthenticationProvider>) authenticationProvider
- trustedSSLServer:(BOOL)trustedSSLServer
+ useTrustedSSLServer:(BOOL)trustedSSLServer
completionBlock:(void (^)(CMISHttpResponse *httpResponse, NSError *error))completionBlock
{
CMISHttpRequest *httpRequest = [[self alloc] initWithHttpMethod:httpRequestMethod
@@ -78,6 +78,7 @@
- (BOOL)startRequest:(NSMutableURLRequest*)urlRequest
{
+ self.requestURL = urlRequest.URL;
if (self.requestBody) {
if ([CMISLog sharedInstance].logLevel == CMISLogLevelTrace) {
CMISLogTrace(@"Request body: %@", [[NSString alloc] initWithData:self.requestBody encoding:NSUTF8StringEncoding]);
@@ -124,10 +125,15 @@
}
}
-
+/**
+ In case of SSL self certification: developers need to set the appropriate session parameter flag to mark the SSL server as trusted. If it is, and if the
+ host URL is what we expect, then we pass on the request to the authenticationProvider, which handles all authentication challenges. If not, we return NO.
+ For all other requests, we pass this on to the authenticationProvider
+ */
- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
{
- if ([protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust] && !self.trustedSSLServer)
+ BOOL isTrusted = (self.trustedSSLServer && [[self.requestURL absoluteString] hasSuffix:protectionSpace.host]);
+ if ([protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust] && !isTrusted)
{
return NO;
}
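Review bot: The host check in `connection:canAuthenticateAgainstProtectionSpace:` uses `[[self.requestURL absoluteString] hasSuffix:protectionSpace.host]`, which is a suffix test on the whole URL string and not a comparison of hosts. For a request URL that carries a path or query the string does not end with the host, so the opt-in would never take effect, while a URL whose tail happens to end with the host text would pass even though its host differs. Comparing `self.requestURL.host` with `protectionSpace.host` case-insensitively states the intended rule, and it needs an explicit guard for a nil host because messaging nil returns 0, which equals `NSOrderedSame`. The same expression is repeated in `connection:didReceiveAuthenticationChallenge:` in the hunk at -143,10, so a shared helper as sketched below keeps the two in step. Both method bodies continue outside their hunks.

```objc
// Helper placed next to the two delegate methods.
- (BOOL)isOptedInForHost:(NSString *)challengeHost
{
    NSString *requestedHost = self.requestURL.host;
    if (!self.trustedSSLServer || requestedHost.length == 0 || challengeHost.length == 0) {
        return NO;
    }
    return [requestedHost caseInsensitiveCompare:challengeHost] == NSOrderedSame;
}

- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
{
    BOOL isTrusted = [self isOptedInForHost:protectionSpace.host];
    // … unchanged: server-trust rejection and hand-off to authenticationProvider …
```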
@@ -143,10 +149,15 @@
[self.authenticationProvider didCancelAuthenticationChallenge:challenge];
}
-
+/**
+ this method gets called if the canAuthenticateAgainstProtectionSpace call has returned YES previously. For SSL server certificates, we check if the server is trusted
+ (a parameter that developers must set when creating a CMISSession) and the host URL matches the one we actually requested
+ If all this passes, we delegate the handling to the authenticationProvider
+ */
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
- if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust] && !self.trustedSSLServer)
+ BOOL isTrusted = (self.trustedSSLServer && [[self.requestURL absoluteString] hasSuffix:challenge.protectionSpace.host]);
+ if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust] && !isTrusted)
{
[challenge.sender cancelAuthenticationChallenge:challenge];
return;
diff --git a/ObjectiveCMIS/Utils/CMISHttpUploadRequest.h b/ObjectiveCMIS/Utils/CMISHttpUploadRequest.h
index 78763ce..60751ef 100644
--- a/ObjectiveCMIS/Utils/CMISHttpUploadRequest.h
+++ b/ObjectiveCMIS/Utils/CMISHttpUploadRequest.h
@@ -35,7 +35,7 @@
headers:(NSDictionary*)addionalHeaders
bytesExpected:(unsigned long long)bytesExpected
authenticationProvider:(id<CMISAuthenticationProvider>) authenticationProvider
- trustedSSLServer:(BOOL)trustedSSLServer
+ useTrustedSSLServer:(BOOL)trustedSSLServer
completionBlock:(void (^)(CMISHttpResponse *httpResponse, NSError *error))completionBlock
progressBlock:(void (^)(unsigned long long bytesUploaded, unsigned long long bytesTotal))progressBlock;
@@ -54,7 +54,7 @@
authenticationProvider:(id<CMISAuthenticationProvider>) authenticationProvider
cmisProperties:(CMISProperties *)cmisProperties
mimeType:(NSString *)mimeType
- trustedSSLServer:(BOOL)trustedSSLServer
+useTrustedSSLServer:(BOOL)trustedSSLServer
completionBlock:(void (^)(CMISHttpResponse *httpResponse, NSError *error))completionBlock
progressBlock:(void (^)(unsigned long long bytesUploaded, unsigned long long bytesTotal))progressBlock;
diff --git a/ObjectiveCMIS/Utils/CMISHttpUploadRequest.m b/ObjectiveCMIS/Utils/CMISHttpUploadRequest.m
index d7a69af..8acb211 100644
--- a/ObjectiveCMIS/Utils/CMISHttpUploadRequest.m
+++ b/ObjectiveCMIS/Utils/CMISHttpUploadRequest.m
@@ -116,7 +116,7 @@
headers:(NSDictionary*)additionalHeaders
bytesExpected:(unsigned long long)bytesExpected
authenticationProvider:(id<CMISAuthenticationProvider>) authenticationProvider
- trustedSSLServer:(BOOL)trustedSSLServer
+ useTrustedSSLServer:(BOOL)trustedSSLServer
completionBlock:(void (^)(CMISHttpResponse *httpResponse, NSError *error))completionBlock
progressBlock:(void (^)(unsigned long long bytesUploaded, unsigned long long bytesTotal))progressBlock
{
@@ -147,7 +147,7 @@
authenticationProvider:(id<CMISAuthenticationProvider>) authenticationProvider
cmisProperties:(CMISProperties *)cmisProperties
mimeType:(NSString *)mimeType
- trustedSSLServer:(BOOL)trustedSSLServer
+ useTrustedSSLServer:(BOOL)trustedSSLServer
completionBlock:(void (^)(CMISHttpResponse *httpResponse, NSError *error))completionBlock
progressBlock:(void (^)(unsigned long long bytesUploaded, unsigned long long bytesTotal))progressBlock
{