add expiration date to certificate listing

noodlewerk · Jan 22, 2015 · 911d456 · 911d456
1 parent 6bf99f4
commit 911d456
Show file tree

Hide file tree

Showing 7 changed files with 45 additions and 3 deletions.
diff --git a/CHANGLOG.md b/CHANGLOG.md
@@ -3,6 +3,9 @@ Change Log
 
 ### master (unreleased)
 
+* Add certificate expiration date to listing
+* Add expiration and revocation error message
+
 ### 0.6.2 (2015-01-15)
 
 * Add underlying error reason code

diff --git a/Classes/NWSSLConnection.m b/Classes/NWSSLConnection.m
@@ -140,6 +140,8 @@ - (BOOL)handshakeSSLWithError:(NSError *__autoreleasing *)error
         case errSSLXCertChainInvalid: return [NWErrorUtil noWithErrorCode:kNWErrorSSLHandshakeXCertChainInvalid error:error];
         case errSSLClientCertRequested: return [NWErrorUtil noWithErrorCode:kNWErrorSSLHandshakeClientCertRequested error:error];
         case errSSLServerAuthCompleted: return [NWErrorUtil noWithErrorCode:kNWErrorSSLHandshakeServerAuthCompleted error:error];
+        case errSSLPeerCertExpired: return [NWErrorUtil noWithErrorCode:kNWErrorSSLHandshakePeerCertExpired error:error];
+        case errSSLPeerCertRevoked: return [NWErrorUtil noWithErrorCode:kNWErrorSSLHandshakePeerCertRevoked error:error];
     }
     return [NWErrorUtil noWithErrorCode:kNWErrorSSLHandshakeFail reason:status error:error];
 }

diff --git a/Classes/NWSecTools.h b/Classes/NWSecTools.h
@@ -58,4 +58,12 @@
 /** Composes a dictionary describing the characteristics of the identity. */
 + (NSDictionary *)inspectIdentity:(NWIdentityRef)identity;
 
+#if !TARGET_OS_IPHONE
+/** Extracts the expiration date. */
++ (NSDate *)expirationWithCertificate:(NWCertificateRef)certificate;
+
+/** Extracts given properties of certificate, see `SecCertificateOIDs.h`, use `nil` to get all. */
++ (NSDictionary *)valuesWithCertificate:(NWCertificateRef)certificate keys:(NSArray *)keys error:(NSError **)error;
+#endif
+
 @end
diff --git a/Classes/NWSecTools.m b/Classes/NWSecTools.m
@@ -270,6 +270,24 @@ + (NWIdentityRef)keychainIdentityWithCertificate:(NWCertificateRef)certificate e
     }
     return identity;
 }
+
++ (NSDate *)expirationWithCertificate:(NWCertificateRef)certificate
+{
+    return [self valueWithCertificate:certificate key:(__bridge id)kSecOIDInvalidityDate];
+}
+
++ (id)valueWithCertificate:(NWCertificateRef)certificate key:(id)key
+{
+    return [self valuesWithCertificate:certificate keys:@[key] error:nil][key][(__bridge id)kSecPropertyKeyValue];
+}
+
++ (NSDictionary *)valuesWithCertificate:(NWCertificateRef)certificate keys:(NSArray *)keys error:(NSError **)error
+{
+    CFErrorRef e = NULL;
+    NSDictionary *result = CFBridgingRelease(SecCertificateCopyValues((__bridge SecCertificateRef)certificate, (__bridge CFArrayRef)keys, &e));
+    if (error) *error = CFBridgingRelease(e);
+    return result;
+}
 #endif
 
 @end
diff --git a/Classes/NWType.h b/Classes/NWType.h
@@ -97,14 +97,18 @@ typedef NS_ENUM(NSInteger, NWError) {
     kNWErrorSSLHandshakeUnknownRootCert        = -223,
     /** SSL handshake chain not verifiable to root. */
     kNWErrorSSLHandshakeNoRootCert             = -224,
-    /** SSL handshake chain has expired certificates. */
+    /** SSL handshake expired certificates. */
     kNWErrorSSLHandshakeCertExpired            = -225,
     /** SSL handshake invalid certificate chain. */
     kNWErrorSSLHandshakeXCertChainInvalid      = -226,
     /** SSL handshake expecting client cert. */
     kNWErrorSSLHandshakeClientCertRequested    = -227,
     /** SSL handshake auth interrupted. */
     kNWErrorSSLHandshakeServerAuthCompleted    = -228,
+    /** SSL handshake certificate expired. */
+    kNWErrorSSLHandshakePeerCertExpired        = -229,
+    /** SSL handshake certificate revoked. */
+    kNWErrorSSLHandshakePeerCertRevoked        = -230,
     /** SSL handshake timeout. */
     kNWErrorSSLHandshakeTimeout                = -218,
 

diff --git a/Classes/NWType.m b/Classes/NWType.m
@@ -51,10 +51,12 @@ + (NSString *)stringWithCode:(NWError)code
         case kNWErrorSSLHandshakeFail                  : return @"SSL handshake failed";
         case kNWErrorSSLHandshakeUnknownRootCert       : return @"SSL handshake root not a known anchor";
         case kNWErrorSSLHandshakeNoRootCert            : return @"SSL handshake chain not verifiable to root";
-        case kNWErrorSSLHandshakeCertExpired           : return @"SSL handshake chain has expired certificates";
+        case kNWErrorSSLHandshakeCertExpired           : return @"SSL handshake expired certificates";
         case kNWErrorSSLHandshakeXCertChainInvalid     : return @"SSL handshake invalid certificate chain";
         case kNWErrorSSLHandshakeClientCertRequested   : return @"SSL handshake expecting client cert";
         case kNWErrorSSLHandshakeServerAuthCompleted   : return @"SSL handshake auth interrupted";
+        case kNWErrorSSLHandshakePeerCertExpired       : return @"SSL handshake certificate expired";
+        case kNWErrorSSLHandshakePeerCertRevoked       : return @"SSL handshake certificate revoked";
         case kNWErrorSSLHandshakeTimeout               : return @"SSL handshake timeout";
 
         case kNWErrorReadDroppedByServer               : return @"Read connection dropped by server";

diff --git a/Mac/NWAppDelegate.m b/Mac/NWAppDelegate.m
@@ -159,13 +159,18 @@ - (void)updateCertificatePopup
     NSMutableString *suffix = @" ".mutableCopy;
     [_certificatePopup removeAllItems];
     [_certificatePopup addItemWithTitle:@"Select Push Certificate"];
+    NSDateFormatter* formatter = [[NSDateFormatter alloc] init];
+    [formatter setDateStyle:NSDateFormatterShortStyle];
+    [formatter setTimeStyle:NSDateFormatterShortStyle];
     for (NSArray *pair in _certificateIdentityPairs) {
         NWCertificateRef certificate = pair[0];
         BOOL hasIdentity = (pair[1] != NSNull.null);
         BOOL sandbox = [NWSecTools isSandboxCertificate:certificate];
         NSString *summary = [NWSecTools summaryWithCertificate:certificate];
+        NSDate *date = [NWSecTools expirationWithCertificate:certificate];
+        NSString *expire = [NSString stringWithFormat:@"  [%@]", date ? [formatter stringFromDate:date] : @"expired"];
         // summary = @"com.example.app";
-        [_certificatePopup addItemWithTitle:[NSString stringWithFormat:@"%@%@%@%@", hasIdentity ? @"imported: " : @"", summary, sandbox ? @" (sandbox)" : @"", suffix]];
+        [_certificatePopup addItemWithTitle:[NSString stringWithFormat:@"%@%@%@%@%@", hasIdentity ? @"imported: " : @"", summary, sandbox ? @" (sandbox)" : @"", expire, suffix]];
         [suffix appendString:@" "];
     }
     [_certificatePopup addItemWithTitle:@"Import PKCS #12 file (.p12)..."];