
Troubleshooting steps #220

Closed
erasmuswill opened this issue Dec 28, 2023 · 5 comments

Comments

@erasmuswill

Hi.

I'm having some trouble using this library and I am not quite sure where to start debugging. I have created a minimal app setup and this library works perfectly. However, in a bigger project, I am having some trouble being able to block domains that should fail validation.

I've tried the exact code as per the testing section of the README and I am now trying to run it against my own domain which is not used anywhere else in the app to avoid any caching issues.

This is the code I am using to test. I am using expo-router and the file containing this code is the very first import in the root layout folder:

```javascript
import { initializeSslPinning, isSslPinningAvailable } from 'react-native-ssl-public-key-pinning';

// Pin configuration: one entry per domain, placeholder hashes.
const options = {
    'erasmuswill.dev': {
        publicKeyHashes: [
            'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=',
            'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=',
        ],
    },
};

if (isSslPinningAvailable()) {
    initializeSslPinning(options)
        .then(() => {
            // Test request fired one second after initialization resolves;
            // with placeholder pins it is expected to fail validation.
            setTimeout(
                () =>
                    fetch('https://erasmuswill.dev')
                        .then(console.log)
                        .catch(console.error),
                1000
            );
        })
        .catch(console.error);
} else {
    console.warn('SSL Pinning Native Module Unavailable');
}
```

The above code fetches and does not return a certificate error as expected. Xcode log shows the following, which I take to mean that setup has been completed successfully.

```
=== TrustKit: Successfully initialized with configuration {
TSKPinnedDomains = {
"erasmuswill.dev" = {
TSKDisableDefaultReportUri = 1;
TSKEnforcePinning = 1;
TSKIncludeSubdomains = 0;
TSKPublicKeyHashes = "{(\n {length = 32, bytes = 0x00000000 00000000 00000000 00000000 ... 00000000 00000000 },\n {length = 32, bytes = 0x04104104 10410410 41041041 04104104 ... 04104104 10410410 }\n)}";
kSKExcludeSubdomainFromParentPolicy = 0;
};
};
TSKSwizzleNetworkDelegates = 0;
}
```

@frw
Owner

frw commented Jan 10, 2024

Hey @erasmuswill,

Apologies for the late reply. Did you make sure to initialize the pinning before any network requests have been made? You might be running into this particular known issue:

On iOS, SSL/TLS sessions are cached. If a connection to your site previously succeeded, setting a pinning configuration that should fail the following request would not actually fail it since the previous session is used. You will need to restart your app to clear out this cache.

If this is not the issue you're facing, could you list out the versions you're using for React Native, Expo, and react-native-ssl-public-key-pinning?
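As an added example (not code from this issue or from react-native-ssl-public-key-pinning), one way to enforce the ordering frw asks about: a fetch wrapper that holds every request until `initializeSslPinning()` has resolved, and fails closed when the native module is unavailable instead of proceeding unpinned. The library calls and `fetch` are injected as constructed stand-ins so the block runs offline; their shapes (a Promise-returning initializer, a boolean availability check) are assumed from the issue's own usage.

```javascript
function createPinnedFetch({ isSslPinningAvailable, initializeSslPinning, fetch, options }) {
  // Start initialization once, at module load, so no request can race ahead of it.
  const ready = (async () => {
    if (!isSslPinningAvailable()) {
      // Fail closed: proceeding unpinned would silently defeat the control.
      throw new Error('SSL pinning native module unavailable');
    }
    await initializeSslPinning(options);
  })();
  ready.catch(() => {}); // avoid an unhandled rejection; each call still sees the error

  return async function pinnedFetch(url, init) {
    await ready; // every request waits for (or inherits the failure of) initialization
    return fetch(url, init);
  };
}

// Constructed stand-ins for the library and fetch (assumed shapes, taken from the
// issue's own usage: initializeSslPinning returns a Promise, isSslPinningAvailable a boolean).
function makeFakes({ available }) {
  const events = [];
  return {
    events,
    isSslPinningAvailable: () => available,
    initializeSslPinning: (opts) => new Promise((resolve) => setTimeout(() => {
      events.push(`init:${Object.keys(opts).join(',')}`);
      resolve();
    }, 10)),
    fetch: async (url) => { events.push(`fetch:${url}`); return { ok: true, url }; },
  };
}

// Fires a request immediately, before initialization could have finished, and
// reports the observed order plus whether the request was allowed through.
async function demo({ available }) {
  const fakes = makeFakes({ available });
  const options = { 'example.invalid': { publicKeyHashes: ['AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='] } };
  const pinnedFetch = createPinnedFetch({ ...fakes, options });
  try {
    await pinnedFetch('https://example.invalid/');
    return { events: fakes.events, allowed: true };
  } catch (e) {
    return { events: fakes.events, allowed: false, error: e.message };
  }
}

demo({ available: true }).then((r) => console.log(r));
```

Restarting the app is still required to drop an already-cached iOS TLS session; the wrapper only guarantees that no request in the current process is sent before the pin set is installed.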

@erasmuswill
Author

Hi @frw

No worries. Hope you had a good festive season!

Initialisation is the first thing done in the root app layout (using Expo Router) but I am not awaiting it since it is in the top level. For the testing that is falsely succeeding I am making a request to a domain that is not used anywhere else in the app, so caching should not be affecting it.

React Native: 0.72.6
Expo: 49.0.21
react-native-ssl-public-key-pinning: 1.1.3

@frw
Owner

frw commented Jan 10, 2024

@erasmuswill

Gotcha, then it probably seems like a deeper issue related to your setup. Are you by chance using any libraries that replace the fetch implementation, or another library that also uses react-native-ssl-pinning to implement SSL pinning?

I just tried plugging in the code you provided into a useEffect in the example App, and it seems to work as expected:

[screenshot]

An error is logged when the fetch is attempted.

I know you mentioned that it works in a minimal setup but fails in a larger project, but unfortunately I'm not quite sure where the issue could be without a reproducible example. Perhaps you could try setting a breakpoint on the didReceiveChallenge hook in the react-native-ssl-public-key-pinning library, run your app in debug mode, and see if TrustKit's handleChallenge is getting triggered properly.

You can also set further breakpoints in handleChallenge to see if the pinning decision is correctly determined.

Hope that helps, let me know if there are any issues you encounter.

@frw
Owner

frw commented Feb 6, 2024

@erasmuswill If you're using expo-dev-client, it might also be an issue with the way it is intercepting network requests and thus not allowing the pinning to take place.

Check out this comment: #223 (comment)

frw closed this as not planned on Feb 20, 2024
@erasmuswill
Author

Thanks @frw
I think that may well be it! All good now
