Merge pull request #14 from BranchMetrics/staging

Release certificate fix

Author: echo-branch

Branch.xcodeproj/project.pbxproj

@@ -1184,7 +1184,7 @@
 				CODE_SIGN_IDENTITY = "Mac Developer";
 				CODE_SIGN_STYLE = Automatic;
 				DEVELOPMENT_TEAM = "";
-				MARKETING_VERSION = 1.2.3;
+				MARKETING_VERSION = 1.2.4;
 				PRODUCT_BUNDLE_IDENTIFIER = io.branch.sdk.mac;
 				PROVISIONING_PROFILE_SPECIFIER = "";
 			};
@@ -1196,7 +1196,7 @@
 				CODE_SIGN_IDENTITY = "";
 				CODE_SIGN_STYLE = Automatic;
 				DEVELOPMENT_TEAM = "";
-				MARKETING_VERSION = 1.2.3;
+				MARKETING_VERSION = 1.2.4;
 				PRODUCT_BUNDLE_IDENTIFIER = io.branch.sdk.mac;
 				PROVISIONING_PROFILE_SPECIFIER = "";
 			};
@@ -1205,6 +1205,7 @@
 		4D67477120C74E81001639C5 /* Debug */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
+				MARKETING_VERSION = 1.2.4;
 				PRODUCT_BUNDLE_IDENTIFIER = io.branch.sdk.mac;
 				SDKROOT = appletvos;
 			};
@@ -1213,6 +1214,7 @@
 		4D67477320C74E81001639C5 /* Release */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
+				MARKETING_VERSION = 1.2.4;
 				PRODUCT_BUNDLE_IDENTIFIER = io.branch.sdk.mac;
 				SDKROOT = appletvos;
 			};
@@ -1300,7 +1302,7 @@
 				CODE_SIGN_IDENTITY = "";
 				CODE_SIGN_STYLE = Automatic;
 				DEVELOPMENT_TEAM = "";
-				MARKETING_VERSION = 1.2.3;
+				MARKETING_VERSION = 1.2.4;
 				PRODUCT_BUNDLE_IDENTIFIER = io.branch.sdk.mac;
 				PROVISIONING_PROFILE_SPECIFIER = "";
 			};
@@ -1328,6 +1330,7 @@
 		4DFB135720CCD96400AF3E47 /* UnitTests */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
+				MARKETING_VERSION = 1.2.4;
 				PRODUCT_BUNDLE_IDENTIFIER = io.branch.sdk.mac;
 				SDKROOT = appletvos;
 			};

Branch/BNCNetworkAPIService.m

@@ -71,14 +71,6 @@ - (instancetype) initWithConfiguration:(BranchConfiguration *)configuration {
     self.settings = self.configuration.settings;
     self.networkService = [configuration.networkServiceClass new];
     self.persistence = [[BNCPersistence alloc] initWithAppGroup:BNCApplication.currentApplication.bundleID];
-    if (self.configuration.useCertificatePinning) {
-        NSError*error = [self.networkService pinSessionToPublicSecKeyRefs:self.class.publicSecKeyRefs];
-        if (error) {
-            BNCLogError(@"Can't pin network certificates: %@.", error);
-            error = [NSError branchErrorWithCode:BNCInvalidNetworkPublicKeyError];
-            BNCLogError(@"Can't pin network certificates: %@.", error);
-        }
-    }
     self.operationQueue = [[NSOperationQueue alloc] init];
     self.operationQueue.qualityOfService = NSQualityOfServiceUserInitiated;
     self.operationQueue.name = @"io.branch.sdk.BNCNetworkAPIService";

Branch/BNCNetworkService.h

@@ -33,12 +33,10 @@ NS_ASSUME_NONNULL_BEGIN
 - (id<BNCNetworkOperationProtocol>) networkOperationWithURLRequest:(NSMutableURLRequest*)request
                 completion:(void (^)(id<BNCNetworkOperationProtocol>operation))completion;
 
-- (NSError*_Nullable) pinSessionToPublicSecKeyRefs:(NSArray/**<SecKeyRef>*/*_Nullable)publicKeys;
-
-/// An array of host domains that we will allow with a self-signed SSL cert.
-@property (atomic, strong, null_resettable) NSMutableSet<NSString*>* anySSLCertHosts;
 @property (atomic, assign) NSInteger maxConcurrentOperationCount;
+
 - (void) cancelAllOperations;
+
 @end
 
 NS_ASSUME_NONNULL_END

Branch/BNCNetworkService.m

@@ -27,8 +27,6 @@ @interface BNCNetworkOperation ()
 #pragma mark - BNCNetworkService
 
 @interface BNCNetworkService () <NSURLSessionDelegate> {
-    NSMutableArray*_pinnedPublicKeys;
-    NSMutableSet<NSString*>*_anySSLCertHosts;
     NSOperationQueue*_serviceQueue;
     NSURLSession*_session;
 }
@@ -117,19 +115,6 @@ - (NSInteger) maxConcurrentOperationCount {
     return self.serviceQueue.maxConcurrentOperationCount;
 }
 
-- (NSMutableSet<NSString*>*) anySSLCertHosts {
-    @synchronized(self) {
-        if (!_anySSLCertHosts) _anySSLCertHosts = [NSMutableSet new];
-        return _anySSLCertHosts;
-    }
-}
-
-- (void) setAnySSLCertHosts:(NSMutableSet<NSString*>*)anySSLCertHosts_ {
-    @synchronized(self) {
-        _anySSLCertHosts = [anySSLCertHosts_ copy];
-    }
-}
-
 - (id<BNCNetworkOperationProtocol>) networkOperationWithURLRequest:(NSMutableURLRequest*)request
                 completion:(void (^)(id<BNCNetworkOperationProtocol>operation))completion {
     BNCNetworkOperation *operation = [BNCNetworkOperation new];
@@ -187,104 +172,6 @@ - (void) startOperation:(BNCNetworkOperation*)operation {
     [operation.sessionTask resume];
 }
 
-#pragma mark - Transport Security
-
-- (NSError*_Nullable) pinSessionToPublicSecKeyRefs:(NSArray/**<SecKeyRef>*/*)publicKeys {
-    @synchronized (self) {
-        NSError*error = nil;
-        _pinnedPublicKeys = [NSMutableArray array];
-        for (id secKey in publicKeys) {
-            if (CFGetTypeID((SecKeyRef)secKey) == SecKeyGetTypeID())
-                [_pinnedPublicKeys addObject:secKey];
-            else {
-                error = [NSError errorWithDomain:NSNetServicesErrorDomain
-                    code:NSNetServicesBadArgumentError userInfo:nil];
-            }
-        }
-        return error;
-    }
-}
-
-- (NSArray*) pinnedPublicKeys {
-    @synchronized (self) {
-        return _pinnedPublicKeys;
-    }
-}
-
-- (void) URLSession:(NSURLSession *)session
-               task:(NSURLSessionTask *)task
-didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
-  completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition,
-        NSURLCredential *credential))completionHandler {
-
-    BOOL trusted = NO;
-    SecTrustResultType trustResult = 0;
-    OSStatus err = 0;
-
-    // Keep a local copy in case they mutate.
-    NSArray *localPinnedKeys = [self.pinnedPublicKeys copy];
-    NSSet<NSString*>*localAllowedHosts = [self.anySSLCertHosts copy];
-    
-    // Release these:
-    SecKeyRef key = nil;
-    SecPolicyRef hostPolicy = nil;
-
-    // Get remote certificate
-    SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
-    @synchronized ((__bridge id<NSObject, OS_dispatch_semaphore>)serverTrust) {
-
-        // Set SSL policies for domain name check
-        hostPolicy = SecPolicyCreateSSL(true, (__bridge CFStringRef)challenge.protectionSpace.host);
-        if (!hostPolicy) goto exit;
-        SecTrustSetPolicies(serverTrust, (__bridge CFTypeRef _Nonnull)(@[ (__bridge id)hostPolicy ]));
-
-        // Evaluate server certificate
-        SecTrustEvaluate(serverTrust, &trustResult);
-        switch (trustResult) {
-        case kSecTrustResultRecoverableTrustFailure:
-            if ([localAllowedHosts containsObject:challenge.protectionSpace.host])
-                break;
-            else
-                goto exit;
-        case kSecTrustResultUnspecified:
-        case kSecTrustResultProceed:
-            break;
-        default:
-            goto exit;
-        }
-
-        if (localPinnedKeys == nil) {
-            trusted = YES;
-            goto exit;
-        }
-
-        key = SecTrustCopyPublicKey(serverTrust);
-        if (!key) goto exit;
-    }
-
-    for (id<NSObject> pinnedKey in localPinnedKeys) {
-        if ([pinnedKey isEqual:(__bridge id<NSObject>)key]) {
-            trusted = YES;
-            goto exit;
-        }
-    }
-
-exit:
-    if (err) {
-        NSError *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:err userInfo:nil];
-        BNCLogError(@"Error while validating cert: %@.", error);
-    }
-    if (key) CFRelease(key);
-    if (hostPolicy) CFRelease(hostPolicy);
-
-    if (trusted) {
-        NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
-        completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
-    } else {
-        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, NULL);
-    }
-}
-
 - (void) cancelAllOperations {
     @synchronized(self) {
         [self.session invalidateAndCancel];

Branch/BranchMainClass.h

@@ -31,13 +31,10 @@ NS_ASSUME_NONNULL_BEGIN
 - (instancetype) initWithKey:(NSString*)key NS_DESIGNATED_INITIALIZER;
 
 /** Your Branch key. */
-@property (atomic, strong) NSString*key;
-
-/** Use certificate pinning for extra security. The default is to use certificate pinning. */
-@property (atomic, assign) BOOL useCertificatePinning;
+@property (atomic, strong) NSString *key;
 
 /** The URL to the Branch API servers. */
-@property (atomic, copy)   NSString*branchAPIServiceURL;
+@property (atomic, copy)   NSString *branchAPIServiceURL;
 
 /**
  This is `Class` for the network service. If you want to use your own underlying network service,

Branch/BranchMainClass.m

@@ -46,7 +46,7 @@ - (instancetype) init {
 - (instancetype) initWithKey:(NSString *)key {
     self = [super init];
     self.key = [key copy];
-    self.useCertificatePinning = YES;
+
     self.branchAPIServiceURL = @"https://api.branch.io";
     self.networkServiceClass = [BNCNetworkService class];
     self.blackListURLRegex = [NSArray new];
@@ -55,7 +55,6 @@ - (instancetype) initWithKey:(NSString *)key {
 
 - (instancetype) copyWithZone:(NSZone*)zone {
     BranchConfiguration* configuration = [[BranchConfiguration alloc] initWithKey:self.key];
-    configuration.useCertificatePinning = self.useCertificatePinning;
     configuration.branchAPIServiceURL = [self.branchAPIServiceURL copy];
     configuration.networkServiceClass = self.networkServiceClass;
     configuration.blackListURLRegex = [self.blackListURLRegex copy];

Branch/BranchNetworkServiceProtocol.h

@@ -91,10 +91,6 @@ NS_ASSUME_NONNULL_BEGIN
 - (id<BNCNetworkOperationProtocol>) networkOperationWithURLRequest:(NSMutableURLRequest*)request
                 completion:(void (^)(id<BNCNetworkOperationProtocol>operation))completion;
 
-/// Pins the session to the array of public keys.
-@optional
-- (NSError*_Nullable) pinSessionToPublicSecKeyRefs:(NSArray/* <SecKeyRef> */*_Nullable)publicKeys;
-
 @end
 
 NS_ASSUME_NONNULL_END

CHANGELOG.md

@@ -1,5 +1,8 @@
 Branch Mac SDK Change Log
 
+## v1.2.4 - June 17, 2020
+* Remove certificate pinning
+
 ## v1.2.3 - May 13, 2020
 * Fix control param location in request payload
 

Examples/TestBed-macOS/TestBed-macOS/APPAppDelegate.m

@@ -53,22 +53,10 @@ - (void)applicationWillFinishLaunching:(NSNotification *)aNotification {
         name:BranchDidOpenURLWithSessionNotification
         object:nil];
 
-    BranchConfiguration*configuration =
-        [[BranchConfiguration alloc] initWithKey:@"key_live_ait5BYsDbZKRajyPlkzzTancDAp41guC"];
-
-#if 0
-    configuration.useCertificatePinning = NO;
-    configuration.branchAPIServiceURL = @"http://esmith.api.beta.branch.io";
-    configuration.key = @"key_live_ait5BYsDbZKRajyPlkzzTancDAp41guC";
-#elif 0
-    configuration.useCertificatePinning = NO;
-    configuration.branchAPIServiceURL = @"http://cjones.api.beta.branch.io";
-    configuration.key = @"key_live_ocyWSee4dsA1EUPxxMvFchefuqdjuxyW";
-#else
-    configuration.useCertificatePinning = YES;
+    BranchConfiguration *configuration = [[BranchConfiguration alloc] initWithKey:@"key_live_ait5BYsDbZKRajyPlkzzTancDAp41guC"];
+
     configuration.branchAPIServiceURL = @"https://api.branch.io";
     configuration.key = @"key_live_glvYEcNtDkb7wNgLWwni2jofEwpCeQ3N";
-#endif
 
     [[Branch sharedInstance] startWithConfiguration:configuration];
 }