
Aim: Unit test the app's SSL pinning

Approximate implementation aimed for:

  1. Subclass URLProtocol
  2. Insert the custom URLProtocol into the Session's configuration
  3. Use the session with the custom config when generating requests
  4. Catch the request and generate a response with the local certificate
  5. Expect that when the app receives the response it will detect the same certificate

Problem encountered:

There seems to be no authentication challenge method to subclass in the URLProtocol.

Question:

How to intercept auth challenge with URLProtocol?

Fawkes
  • Have you looked at creating an auth challenge and calling `urlProtocol(_, didReceive:)` on the protocol client? – Mats Sep 24 '18 at 15:17
  • @Mats not yet.. how would you envision using this? – Fawkes Sep 24 '18 at 15:23
  • The challenge with that approach seems to be the fact that I cannot provide the server trust ivar of the URLProtectionSpace which is basically needed to extract server certificate [to compare it with local one after]. – Fawkes Sep 24 '18 at 15:56
  • I haven’t tried it, but would subclassing URLProtectionSpace solve this? – Mats Sep 25 '18 at 12:06
  • @Mats can be something... will try today – Fawkes Sep 25 '18 at 13:42
  • Did try overriding URLProtectionSpace, but it seems like even though it's definitely my protection space data [like host and port being sent back with the auth challenge triggered by calling client.didreceive] the server trust is actually not passed and in the session delegate I get a nil server trust... – Fawkes Sep 26 '18 at 10:37
  • @Mats I have posted a question specifically about subclassing URLProtectionSpace. https://stackoverflow.com/questions/52517742/subclassing-urlprotectionspace – Fawkes Sep 26 '18 at 12:28
  • I'm having the same issue here. @Fawkes did you solve this in the end? – Michael Voong Jun 14 '19 at 10:24
  • @MichaelVoong unfortunately did not find a way so I've ended up putting that logic into a small utility class and mocking that one to see if it's called. – Fawkes Jun 27 '19 at 09:58

0 Answers
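
The workaround described in the last comment (pinning logic moved into a small utility class that is mocked in tests), shown as an added example that is not part of the original thread. `ServerTrustEvaluating`, `CertificatePinner`, `PinningDelegate` and `SpyEvaluator` are hypothetical names, and `SecTrustCopyCertificateChain` assumes iOS 15 / macOS 12 or later.

```swift
import Foundation
import Security

// Hypothetical seam between URLSession and the pinning decision,
// so a test can swap in a spy instead of needing a real TLS handshake.
protocol ServerTrustEvaluating {
    func isPinned(_ trust: SecTrust, host: String) -> Bool
}

struct CertificatePinner: ServerTrustEvaluating {
    let pinnedDER: Set<Data>   // DER bytes of the certificates bundled with the app

    func isPinned(_ trust: SecTrust, host: String) -> Bool {
        // Normal chain and hostname validation first, then the pin comparison.
        _ = SecTrustSetPolicies(trust, SecPolicyCreateSSL(true, host as CFString))
        guard SecTrustEvaluateWithError(trust, nil),
              let leaf = (SecTrustCopyCertificateChain(trust) as? [SecCertificate])?.first
        else { return false }
        return pinnedDER.contains(SecCertificateCopyData(leaf) as Data)
    }
}

final class PinningDelegate: NSObject, URLSessionDelegate {
    private let evaluator: ServerTrustEvaluating
    init(evaluator: ServerTrustEvaluating) { self.evaluator = evaluator }

    // Decision kept separate from the callback so a test can call it directly.
    func disposition(for trust: SecTrust?, host: String) -> URLSession.AuthChallengeDisposition {
        guard let trust = trust else { return .cancelAuthenticationChallenge } // fail closed
        return evaluator.isPinned(trust, host: host) ? .useCredential : .cancelAuthenticationChallenge
    }

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust else {
            return completionHandler(.performDefaultHandling, nil)
        }
        let result = disposition(for: space.serverTrust, host: space.host)
        let credential = (result == .useCredential) ? space.serverTrust.map(URLCredential.init(trust:)) : nil
        completionHandler(result, credential)
    }
}

// Test double: records the hosts it was asked about and returns a canned verdict.
final class SpyEvaluator: ServerTrustEvaluating {
    var verdict = false
    private(set) var hosts: [String] = []
    func isPinned(_ trust: SecTrust, host: String) -> Bool { hosts.append(host); return verdict }
}
```

In a unit test, a `SecTrust` can be built locally with `SecTrustCreateWithCertificates` from the bundled certificate and passed to `disposition(for:host:)` or to `CertificatePinner` directly, which avoids needing `URLProtocol` to supply a server trust. A self-signed test certificate must also be set as an anchor with `SecTrustSetAnchorCertificates` for chain evaluation to succeed.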