Merge pull request #55 from GoodRequest/feature/ssl-pinning

feat: Authenticate with custom SSL/TLS certificate

Author: plajdo

Sources/GoodNetworking/Models/Certificate.swift

@@ -0,0 +1,118 @@
+//
+//  Certificate.swift
+//  GoodNetworking
+//
+//  Created by te075262 on 30/10/2025.
+//
+
+import Foundation
+
+/// Describes how a server certificate should be handled during trust evaluation.
+///
+/// Returned by `Certificate.certificateDisposition(using:)` to instruct the library
+/// on whether to use custom certificates, system trust, or deny the connection.
+///
+/// Typical use cases:
+/// - SSL pinning by validating certificates or public keys
+/// - Trusting self-signed certificates
+/// - Fallback to system trust evaluation
+public enum CertificateDisposition {
+
+    /// Evaluate trust using the provided certificate(s).
+    ///
+    /// The library will:
+    /// 1. Restrict the trust evaluation to these certificates as anchors.
+    /// 2. Evaluate the server trust using `SecTrustEvaluateWithError`.
+    /// 3. Proceed only if the evaluation succeeds.
+    ///
+    /// - Parameter certificates: One or more certificates to use for trust evaluation.
+    ///
+    /// Use this when:
+    /// - Implementing certificate or public-key pinning
+    /// - Using self-signed or non-system certificates
+    case evaluate(certificates: [SecCertificate])
+
+    /// Defer to system trust evaluation.
+    ///
+    /// The library will perform the default trust evaluation and ignore any
+    /// custom certificate logic from this protocol implementation.
+    ///
+    /// Use this when:
+    /// - No custom validation is required
+    /// - You want to rely on the system trust store
+    case useSystemTrustEvaluation
+
+    /// Deny the authentication challenge.
+    ///
+    /// The library will reject the connection immediately.
+    ///
+    /// - Parameter reason: Optional description of why the connection is denied, useful for logging or debugging.
+    ///
+    /// Use this when:
+    /// - Validation fails (e.g., pin mismatch, expired certificate)
+    /// - Security policy mandates refusal
+    case deny(reason: String? = nil)
+
+}
+
+/// Provides a strategy for validating server certificates.
+///
+/// Implementers may perform asynchronous operations (e.g., loading a certificate
+/// from disk or network) and decide whether to:
+/// - Evaluate using custom certificates
+/// - Use system trust
+/// - Deny the connection
+public protocol Certificate: Sendable {
+
+    /// Determines how the server trust should be handled for a connection.
+    ///
+    /// - Parameter serverTrust: The `SecTrust` object provided by the system.
+    ///   Implementations may inspect it to perform pinning or other validations.
+    ///
+    /// - Returns: A `CertificateDisposition` indicating the desired action:
+    ///   `.evaluate(certificates:)` to perform custom evaluation,
+    ///   `.useSystemTrustEvaluation` to defer to system handling,
+    ///   `.deny(reason:)` to reject the connection.
+    ///
+    /// - Throws: If an unrecoverable error occurs (e.g., certificate failed to load),
+    ///   implementations may throw to fail the authentication challenge.
+    ///
+    /// ### Example Implementations
+    ///
+    /// **Pinned certificate from bundle**
+    /// ```swift
+    /// func certificateDisposition(using serverTrust: SecTrust) async throws -> CertificateDisposition {
+    ///     let certificate = try loadPinnedCertificate()
+    ///     return .evaluate(certificates: [certificate])
+    /// }
+    /// ```
+    ///
+    /// **Public key pinning with fallback**
+    /// ```swift
+    /// func certificateDisposition(using serverTrust: SecTrust) async throws -> CertificateDisposition {
+    ///     guard publicKeyMatches(serverTrust) else { return .deny(reason: "Public key mismatch") }
+    ///     return .useSystemTrustEvaluation
+    /// }
+    /// ```
+    ///
+    /// **Load certificate remotely**
+    /// ```swift
+    /// func certificateDisposition(using serverTrust: SecTrust) async throws -> CertificateDisposition {
+    ///     let cert = try await downloadCertificate()
+    ///     return .evaluate(certificates: [cert])
+    /// }
+    /// ```
+    func certificateDisposition(using serverTrust: SecTrust) async throws -> CertificateDisposition
+
+}
+
+/// Default implementation with no specific behaviour
+public struct NoPinnedCertificate: Certificate {
+
+    public init() {}
+
+    public func certificateDisposition(using serverTrust: SecTrust) async throws -> CertificateDisposition {
+        return .useSystemTrustEvaluation
+    }
+
+}

Sources/GoodNetworking/Models/JSON.swift

@@ -76,8 +76,12 @@ import Foundation
     ///   - data: Raw `Data` of JSON object
     ///   - options: Optional serialization options
     public init(data: Data, options: JSONSerialization.ReadingOptions = .allowFragments) throws {
-        let object = try JSONSerialization.jsonObject(with: data, options: options)
-        self = JSON(object)
+        if data.isEmpty {
+            self = JSON.null
+        } else {
+            let object = try JSONSerialization.jsonObject(with: data, options: options)
+            self = JSON(object)
+        }
     }
 
     /// Create JSON from an encodable model, for example to be sent between

Sources/GoodNetworking/Session/NetworkSession.swift

@@ -29,6 +29,7 @@ import Foundation
     private let sessionHeaders: HTTPHeaders
     private let interceptor: any Interceptor
     private let logger: any NetworkLogger
+    private let certificate: any Certificate
 
     private let configuration: URLSessionConfiguration
     private let delegateQueue: OperationQueue
@@ -49,6 +50,7 @@ import Foundation
         baseHeaders: HTTPHeaders = [],
         interceptor: any Interceptor = DefaultInterceptor(),
         logger: any NetworkLogger = PrintNetworkLogger(),
+        certificate: any Certificate = NoPinnedCertificate(),
         name: String? = nil
     ) {
         self.name = name ?? "NetworkSession"
@@ -57,6 +59,7 @@ import Foundation
         self.sessionHeaders = baseHeaders
         self.interceptor = interceptor
         self.logger = logger
+        self.certificate = certificate
 
         let operationQueue = OperationQueue()
         operationQueue.name = "NetworkActorSerialExecutorOperationQueue"
@@ -90,6 +93,14 @@ internal extension NetworkSession {
         self.activeTasks.removeValue(forKey: task.taskIdentifier)
     }
 
+    func getPinnedCertificate() -> any Certificate {
+        self.certificate
+    }
+
+    func getLogger() -> any NetworkLogger {
+        self.logger
+    }
+
 }
 
 // MARK: - Network session delegate
@@ -106,37 +117,89 @@ final class NetworkSessionDelegate: NSObject {
 
 extension NetworkSessionDelegate: URLSessionDelegate {
 
+    /// SSL Pinning: Compare server certificate with local (pinned) certificate
+    /// https://developer.apple.com/documentation/foundation/performing-manual-server-trust-authentication
     public func urlSession(
         _ session: URLSession,
         didReceive challenge: URLAuthenticationChallenge,
         completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
     ) {
-//        // SSL Pinning: Compare server certificate with local (pinned) certificate
-//        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
-//              let serverTrust = challenge.protectionSpace.serverTrust,
-//              let serverCertificate = SecTrustGetCertificateAtIndex(serverTrust, 0),
-//              let pinnedCertificateData = Self.pinnedCertificateData()
-//        else {
-//            completionHandler(.cancelAuthenticationChallenge, nil)
-//            return
-//        }
-//
-//        // Extract server certificate data
-//        let serverCertificateData = SecCertificateCopyData(serverCertificate) as Data
-//
-//        if serverCertificateData == pinnedCertificateData {
-//            let credential = URLCredential(trust: serverTrust)
-//            completionHandler(.useCredential, credential)
-//        } else {
-//            completionHandler(.cancelAuthenticationChallenge, nil)
-//        }
-        
-        #warning("TODO: Enable SSL pinning")
-        // https://developer.apple.com/documentation/foundation/performing-manual-server-trust-authentication
-        
-        // remove
-        completionHandler(.performDefaultHandling, nil)
+        /// Mark completionHandler as isolated to ``NetworkActor``.
+        ///
+        /// This delegate function is always called on NetworkActor's operation queue, but is marked as `nonisolated`. Completion handler
+        /// would usually be called on the same thread.
+        ///
+        /// NetworkSessionDelegate cannot conform to `URLSessionDelegate` on `@NetworkActor` because of erroneous
+        /// `Sendable Self` requirement preventing marking the conformance .
+        typealias YesActor = @NetworkActor (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
+        typealias NoActor = (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
+        let completionHandler = unsafeBitCast(completionHandler as NoActor, to: YesActor.self)
+
+        Task { @NetworkActor in
+            // Evaluate only SSL/TLS certificates
+            guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust else {
+                completionHandler(.performDefaultHandling, nil)
+                return
+            }
+
+            guard let serverTrust = challenge.protectionSpace.serverTrust else {
+                completionHandler(.performDefaultHandling, nil)
+                return
+            }
+
+            // Load and validate local certificate
+            let error: (any Error)?
+            let certificateDisposition: CertificateDisposition?
+            do {
+                certificateDisposition = try await networkSession.getPinnedCertificate()
+                    .certificateDisposition(using: serverTrust)
+                error = nil
+            } catch let certificateError {
+                certificateDisposition = nil
+                error = certificateError
+            }
+
+            switch certificateDisposition {
+            case .evaluate(let certificates):
+                // Set local certificate as serverTrust anchor
+                SecTrustSetAnchorCertificates(serverTrust, certificates as CFArray)
+                SecTrustSetAnchorCertificatesOnly(serverTrust, true)
+
+                // Evaluate certificate chain manually
+                var error: CFError?
+                let trusted = SecTrustEvaluateWithError(serverTrust, &error)
+                if trusted {
+                    let credential = URLCredential(trust: serverTrust)
+                    completionHandler(.useCredential, credential)
+                } else {
+                    completionHandler(.cancelAuthenticationChallenge, nil)
+                }
+
+            case .useSystemTrustEvaluation:
+                completionHandler(.performDefaultHandling, nil)
+
+            case .deny(let reason):
+                networkSession.getLogger().logNetworkEvent(
+                    message: reason,
+                    level: .error,
+                    file: #file,
+                    line: #line
+                )
+
+                completionHandler(.cancelAuthenticationChallenge, nil)
+
+            // call throws
+            case .none:
+                networkSession.getLogger().logNetworkEvent(
+                    message: error?.localizedDescription ?? "nil",
+                    level: .error,
+                    file: #file,
+                    line: #line
+                )
+            }
+        }
     }
+
 }
 
 extension NetworkSessionDelegate: URLSessionTaskDelegate {