Fix brave/brave-ios#5543: Relax SSL Certificate Validation to match a…

…ll other browsers (brave/brave-ios#7588) Relax SSL validation. Use Chromium validation over Apple's validation. If Chromium returns a value indicating that the system should handle it, then we use Apple's validation. However, we disable X509 validation and only validate it for SSL. Signed-off-by: Brandon T <[email protected]>
brave · Jun 13, 2023 · e66e15c · e66e15c
1 parent dc45078
commit e66e15c
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 6 deletions.
diff --git a/Sources/Brave/Frontend/Browser/BrowserViewController.swift b/Sources/Brave/Frontend/Browser/BrowserViewController.swift
@@ -1722,17 +1722,45 @@ public class BrowserViewController: UIViewController {
         break
       }
 
-      let host = tab.webView?.url?.host
+      guard let scheme = tab.webView?.url?.scheme,
+            let host = tab.webView?.url?.host else {
+        tab.secureContentState = .insecure
+        self.updateURLBar()
+        return
+      }
 
-      Task {
+      let port: Int
+      if let urlPort = tab.webView?.url?.port {
+        port = urlPort
+      } else if scheme == "https" {
+        port = 443
+      } else {
+        port = 80
+      }
+
+      Task.detached {
         do {
-          try await BraveCertificateUtils.evaluateTrust(serverTrust, for: host)
-          tab.secureContentState = .secure
+          let result = BraveCertificateUtility.verifyTrust(serverTrust,
+                                                           host: host,
+                                                           port: port)
+          // Cert is valid!
+          if result == 0 {
+            tab.secureContentState = .secure
+          } else if result == Int32.min {
+            // Cert is valid but should be validated by the system
+            // Let the system handle it and we'll show an error if the system cannot validate it
+            try await BraveCertificateUtils.evaluateTrust(serverTrust, for: host)
+            tab.secureContentState = .secure
+          } else {
+            tab.secureContentState = .insecure
+          }
         } catch {
           tab.secureContentState = .insecure
         }
 
-        self.updateURLBar()
+        Task { @MainActor in
+          self.updateURLBar()
+        }
       }
     case ._sampledPageTopColor:
       updateStatusBarOverlayColor()

diff --git a/Sources/CertificateUtilities/BraveCertificateUtils.swift b/Sources/CertificateUtilities/BraveCertificateUtils.swift
@@ -206,7 +206,6 @@ public extension BraveCertificateUtils {
 
   static func evaluateTrust(_ trust: SecTrust, for host: String?) async throws {
     let policies = [
-      SecPolicyCreateBasicX509(),
       SecPolicyCreateSSL(true, host as CFString?),
     ]