Certificate pinning in Alamofire

ios swift alamofire pinning
Mark Tickner picture Mark Tickner · Jan 5, 2016 · Viewed 14.2k times · Source

I am creating an iPad app that accesses HTTPS web services. I want to implement pinning, but am having issues.

This class creates the Alamofire Manager (mostly taken from documentation):

class NetworkManager {

    var manager: Manager?

    init() {
        let serverTrustPolicies: [String: ServerTrustPolicy] = [
            "www.google.co.uk": .PinCertificates(
                certificates: ServerTrustPolicy.certificatesInBundle(),
                validateCertificateChain: true,
                validateHost: true
            ),
            "insecure.expired-apis.com": .DisableEvaluation
        ]

        manager = Alamofire.Manager(
            configuration: NSURLSessionConfiguration.defaultSessionConfiguration(),
            serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
        )
    }
}

This function makes the call:

static let networkManager = NetworkManager()

public static func testPinning() {
    networkManager.manager!.request(.GET, "https://www.google.co.uk").response { response in
        if response.1 != nil {
            print("Success")
            print(response.1)
            print(response.1?.statusCode)
        } else {
            print("Error")
            print(response.3)
        }
    }
}

The certificate is saved in the project and shows under 'Targets > Build Phases > Copy Bundle Resources'.

I am currently receiving the following error every time I make the request (from the else block in testPinning()):

Optional(Error Domain=NSURLErrorDomain Code=-999 "cancelled" UserInfo={NSErrorFailingURLKey=https://www.google.co.uk/, NSLocalizedDescription=cancelled, NSErrorFailingURLStringKey=https://www.google.co.uk/})

Answer

jcaron picture jcaron · Jan 5, 2016

So, the issue was that the certificate was saved in the wrong format.

ServerTrustPolicy.certificatesInBundle() finds all certificates in the bundle based on a list of extensions, then tries to load them using SecCertificateCreateWithData. Per its documentation, this function:

Returns NULL if the data passed in the data parameter is not a valid DER-encoded X.509 certificate

When you export a certificate in Firefox, you have a "format" pop-up at the bottom of the file browser. Select "X.509 Certificate (DER)", and you should get a certificate in the right format for this purpose.

Related questions

How to parse JSON response from Alamofire API in Swift?

Following code I have written and I am getting response in JSON also but the type of JSON is "AnyObject" and I am not able to convert that into Array so that I can use that. Alamofire.request(.POST, "MY …

Read More
POST request with a simple string in body with Alamofire

how is it possible to send a POST request with a simple string in the HTTP body with Alamofire in my iOS app? As default Alamofire needs parameters for a request: Alamofire.request(.POST, "http://mywebsite.com/post-request", parameters: ["foo": "…

Read More
Send POST parameters with MultipartFormData using Alamofire, in iOS Swift

I am using Alamofire, very first time. I am using the latest version Alamofire 1.3.1. I want to send one image , one video and some POST parameters in one API call. I am using multipart form data. The mutipart module is …

Read More