Merge pull request #336 from EthanArbuckle/SCAN-4624

check for isProtectedDataAvailable before writing to pinning cache
datatheorem · Oct 2, 2024 · 2adabbf · 2adabbf
2 parents e6f9f76 + 750bd66
commit 2adabbf
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 3 deletions.
diff --git a/TrustKit.xcodeproj/project.pbxproj b/TrustKit.xcodeproj/project.pbxproj
@@ -1521,7 +1521,7 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				ALWAYS_SEARCH_USER_PATHS = NO;
-				APPLICATION_EXTENSION_API_ONLY = YES;
+				APPLICATION_EXTENSION_API_ONLY = NO;
 				CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x";
 				CLANG_CXX_LIBRARY = "libc++";
 				CLANG_ENABLE_MODULES = YES;
@@ -1595,7 +1595,7 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				ALWAYS_SEARCH_USER_PATHS = NO;
-				APPLICATION_EXTENSION_API_ONLY = YES;
+				APPLICATION_EXTENSION_API_ONLY = NO;
 				CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x";
 				CLANG_CXX_LIBRARY = "libc++";
 				CLANG_ENABLE_MODULES = YES;

diff --git a/TrustKit/Pinning/TSKSPKIHashCache.m b/TrustKit/Pinning/TSKSPKIHashCache.m
@@ -9,6 +9,7 @@
  
  */
 
+#import <UIKit/UIKit.h>
 #import "TSKSPKIHashCache.h"
 #import "../TSKLog.h"
 #import <CommonCrypto/CommonDigest.h>
@@ -244,7 +245,7 @@ - (NSData *)hashSubjectPublicKeyInfoFromCertificate:(SecCertificateRef)certifica
     });
 
     // Update the cache on the filesystem
-    if (self.spkiCacheFilename.length > 0)
+    if (self.spkiCacheFilename.length > 0 && [[UIApplication sharedApplication] isProtectedDataAvailable])
     {
         NSData *serializedSpkiCache = [NSKeyedArchiver archivedDataWithRootObject:_spkiCache requiringSecureCoding:YES error:nil];
         if ([serializedSpkiCache writeToURL:[self SPKICachePath] atomically:YES] == NO)

diff --git a/TrustKitTests/TSKPinningValidatorTests.m b/TrustKitTests/TSKPinningValidatorTests.m
@@ -103,6 +103,12 @@ - (void)tearDown
 // Pin to any of CA, Intermediate CA and Leaf certificates public keys (all valid) and ensure it succeeds
 - (void)testVerifyAgainstAnyPublicKey
 {
+    id mockApplication = OCMClassMock([UIApplication class]);
+    OCMStub([mockApplication sharedApplication]).andReturn(mockApplication);
+
+    // Mock isProtectedDataAvailable to return YES
+    OCMStub([mockApplication isProtectedDataAvailable]).andReturn(YES);
+
     // Create a valid server trust
     SecCertificateRef certChainArray[1] = {_leafCertificate};
     SecCertificateRef trustStoreArray[1] = {_rootCertificate};
@@ -165,6 +171,9 @@ - (void)testVerifyAgainstAnyPublicKey
     XCTAssertEqual([fsCache count], 1UL, @"SPKI cache for RSA 4096 must be persisted to the file system");
 
     CFRelease(trust);
+
+    OCMVerify([mockApplication isProtectedDataAvailable]);
+    [mockApplication stopMocking];
 }