I use the following code to decide whether an XPC connection should be trusted. Does this look like a workable, secure approach?
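/// Decides whether the peer process of `connection` should be trusted.
///
/// The peer is looked up by PID, its code-signing certificate chain is fetched
/// through `CodesignChecker`, the chain is evaluated against the basic X.509
/// policy, and finally the chain's common names are compared against two
/// hard-coded expected chains.
///
/// - Parameter connection: The XPC connection whose peer is being checked.
/// - Returns: `true` only when the chain evaluates successfully and its common
///   names match one of the expected chains exactly; `false` on any error.
///
/// NOTE(review): identifying the peer by PID is racy — a PID can be recycled
/// once the original process exits, so the process inspected here is not
/// guaranteed to be the one holding the connection. Comparing common-name
/// strings also does not pin the signing Team ID or key. A designated
/// code-signing requirement checked through the Security framework's
/// code-signing services (`SecCodeCheckValidity`) is the usual way to express
/// "signed by my team"; confirm availability against the target macOS version.
func connectionIsValid(connection: NSXPCConnection) -> Bool {
    let checker = CodesignChecker()
    let pid = connection.processIdentifier

    let localCertificates: [SecCertificate]
    let remoteCertificates: [SecCertificate]
    do {
        localCertificates = try checker.getCertificatesSelf()
        remoteCertificates = try checker.getCertificates(forPID: pid)
    } catch let error as CodesignCheckerError {
        NSLog(CodesignCheckerError.handle(error: error))
        return false
    } catch {
        NSLog("Something unexpected happened: \(error.localizedDescription)")
        return false
    }
    NSLog("Local certificates: \(localCertificates)")
    NSLog("Remote certificates: \(remoteCertificates)")

    // `NSRunningApplication(processIdentifier:)` is nil when no running
    // application has that PID; an empty chain means no certificates could be
    // read for the peer. Either way the peer is rejected.
    guard NSRunningApplication(processIdentifier: pid) != nil,
          !remoteCertificates.isEmpty else {
        return false
    }

    let policy = SecPolicyCreateBasicX509()
    var createdTrust: SecTrust?
    let status = SecTrustCreateWithCertificates(remoteCertificates as CFArray,
                                                policy,
                                                &createdTrust)
    guard status == errSecSuccess, let trust = createdTrust else {
        NSLog("failed evaluating trust")
        return false
    }

    // The trust object must be evaluated before a result can be read:
    // `SecTrustGetTrustResult` on an unevaluated trust reports `.invalid`,
    // which would reject every peer. `SecTrustEvaluateWithError` needs
    // macOS 10.14 or later.
    var evaluationError: CFError?
    let trusted = SecTrustEvaluateWithError(trust, &evaluationError)
    var secResult = SecTrustResultType.invalid
    SecTrustGetTrustResult(trust, &secResult)
    guard trusted, secResult == .proceed || secResult == .unspecified else {
        NSLog("Got invalid secResult: \(secResult.rawValue)")
        return false
    }

    let names = remoteCertificates.map { commonName(cert: $0) }
    return matchesExpectedChain(names)
}

/// Common-name chains (listed in the same order as the peer's chain, leaf
/// first) that are accepted as valid clients. Each entry must match the
/// peer's chain exactly.
private let expectedCertificateChains: [(label: String, names: [String])] = [
    ("fingerprint #1", ["Apple Development: john.doe(at)example.com (XY12XY12X)",
                        "Apple Worldwide Developer Relations Certification Authority",
                        "Apple Root CA"]),
    ("fingerprint #2", ["Developer ID Application: John Doe (XY13XY13X)",
                        "Developer ID Certification Authority",
                        "Apple Root CA"]),
]

/// Returns `true` and logs which expected chain matched when `names` equals
/// one of `expectedCertificateChains`; otherwise returns `false`.
private func matchesExpectedChain(_ names: [String]) -> Bool {
    guard let match = expectedCertificateChains.first(where: { $0.names == names }) else {
        return false
    }
    NSLog("Found a valid client (\(match.label))")
    return true
}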
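/// Returns the subject common name of `cert`, or `""` when the certificate
/// has none or the copy fails.
///
/// - Parameter cert: The certificate to read.
/// - Returns: The common name, or an empty string. Callers comparing the
///   result against expected names cannot distinguish "no CN" from an
///   empty CN.
func commonName(cert: SecCertificate) -> String {
    var name: CFString?
    // The OSStatus is checked rather than ignored so that a failed copy
    // unambiguously yields "".
    guard SecCertificateCopyCommonName(cert, &name) == errSecSuccess,
          let name = name else {
        return ""
    }
    return name as String
}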