Moya: How to handle certificate pinning in a URLAuthenticationChallenge?

Created on 24 Apr 2017  路  3Comments  路  Source: Moya/Moya

Hello,

I've got a question about certificate pinning with Moya.

Currently I'm handling certificate pinning through the URLConnection and URLSession delegate methods (e.g. connection(NSURLConnection, willSendRequestFor: URLAuthenticationChallenge)).
Using this delegate method I extract the received certificate's hash which I can then compare to existing hashes in my app.

I'm not that great with SSL and certificates, but I've checked how Moya does the pinning. But sadly it depends on having the certificate in the app's bundle (which I don't have).

How can I depend on the delegate methods in Moya?

I'm using Moya version 8.0.3

question
Source
picture geraldeersteling

Most helpful comment

Hi @sunshinejr, no problem.

I had already worked my problem out by overriding the delegate's taskDidReceiveChallenge closure of the default Alamofire SessionManager. I wrapped the closure in a lazy var which makes it only execute once (as that is more logical for pinning in this case/context).
The above looks like:

class SomeNetworkingClass {
    /// Configures AlamoFire for our certificate pinning;
    /// subsequent calls will (and should) not execute this code again
    lazy var configureAlamofireForSSL: Void = {
        /* < Handle the certificate pinning here > */
    }()
}

Now calling let _ = SomeNetworkingClass().configureAlamofireForSSL sets up SSL for the default manager. After this I could just assign the Sessionmanager.default to the MoyaProvider and it works as expected.

I don't think there's an easier way of doing this, much less find a generic way to implement this in Moya. 馃槃

picture geraldeersteling on 24 May 2017
👍2

All 3 comments

Hi @geraldeersteling, sorry for the late response. Moya depends on Alamofire in terms of pinning, more on the matter you can see here. After the manager setup you have to assign correct SessionManager to the MoyaProvider initializer.

Apart from that we have some methods you might be interested in, in Plugin type. If there is nothing you are interested of, maybe you have an idea how to add it to Moya? If yes, please let us know, maybe we can work something out.

Cheers!

sunshinejr picture sunshinejr on 23 May 2017

Hi @sunshinejr, no problem.

I had already worked my problem out by overriding the delegate's taskDidReceiveChallenge closure of the default Alamofire SessionManager. I wrapped the closure in a lazy var which makes it only execute once (as that is more logical for pinning in this case/context).
The above looks like:

class SomeNetworkingClass {
    /// Configures AlamoFire for our certificate pinning;
    /// subsequent calls will (and should) not execute this code again
    lazy var configureAlamofireForSSL: Void = {
        /* < Handle the certificate pinning here > */
    }()
}

Now calling let _ = SomeNetworkingClass().configureAlamofireForSSL sets up SSL for the default manager. After this I could just assign the Sessionmanager.default to the MoyaProvider and it works as expected.

I don't think there's an easier way of doing this, much less find a generic way to implement this in Moya. 馃槃

geraldeersteling picture geraldeersteling on 24 May 2017
👍2

Wow, thank you for detailed explanation, @geraldeersteling. Glad you figured it out. Good job! 馃挭

sunshinejr picture sunshinejr on 24 May 2017
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

jimmy0251 picture jimmy0251  路  24Comments
pete183 picture pete183  路  25Comments
AndrewSB picture AndrewSB  路  39Comments
justinmakaila picture justinmakaila  路  26Comments
rlam3 picture rlam3  路  28Comments