Skip to content

Add SPKI certificate pinning support#910

Open
o-nnerb wants to merge 40 commits into
swift-server:mainfrom
o-nnerb:main
Open

Add SPKI certificate pinning support#910
o-nnerb wants to merge 40 commits into
swift-server:mainfrom
o-nnerb:main

Conversation

@o-nnerb

@o-nnerb o-nnerb commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

This PR introduces SPKI-based certificate pinning to AsyncHTTPClient to mitigate MITM attacks and compromised CAs.

Highlights:

  • Implements .strict and .audit modes with multi-algorithm hashing (SHA-256/384/512) and constant-time comparison.
  • Aligned with OWASP/NIST security standards, featuring rotation safety warnings and explicit error handling.
  • Requirement: Requires OpenSSL/BoringSSL backend (Network.framework connections ignore pinning configuration).

o-nnerb and others added 30 commits February 1, 2026 18:37
@o-nnerb
Implemented SPKIPinningConfiguration
9ce1b9e
@o-nnerb
Added Hashable conformance
eeb3726
@o-nnerb
Fix tlsPinning usage
8c6e782
@o-nnerb
Fix hash digestion
5f1dfd9
@o-nnerb
Lint code
a224e7e
@o-nnerb
Provide support for various algorithms for comparing SPKI
32a4100
@o-nnerb
Improved properties names and applications
26675d1
@o-nnerb
Implemented tests
6c585a6
@o-nnerb
Added back removed code
8c673f6
@o-nnerb
Add SPKI pinning with runtime safety checks and explicit TLS requirement
1e56600
@o-nnerb
Included length difference in the diff
c5c0198
@o-nnerb
Merge branch 'main' into main
b71085f
@o-nnerb
Removed Executor, fix constantTimeAnyMatch(_:_:) and update context…
51b3015 
… get handler logic
@o-nnerb
Updated SPKIPinningPolicy and adjust documentation
87fd63f
@o-nnerb
Merge branch 'main' into main
885a2bd
@o-nnerb
Merge branch 'main' into main
e3d0b27
@o-nnerb
Merge branch 'main' into main
d8d9767
@o-nnerb
Applied swift format
e0baecb
@o-nnerb
Merge branch 'main' into main
6cb7f2c
@o-nnerb
Added new init for HTTPHandler and undo some changes
39f6b77
@o-nnerb
Revert the modifications made to the method documentation
8d6ec8a
@o-nnerb
Added support for the old version of Swift Package configuration
c599656
@o-nnerb
Revert the modifications made to the method documentation
362dc7d
@o-nnerb
Added a new initializer for HTTPHandler that accepts a String url and…
b73d62a 
… tlsPinning
@o-nnerb
Merge branch 'main' into main
3fd423f
@o-nnerb
Change code to import FoundationEssentials
9ffdfd7
@o-nnerb
Merge branch 'main' into main
30f8807
@o-nnerb
Adds missing license header
d8c153a
@o-nnerb
Merge branch 'main' into main
89ab903
@o-nnerb
Disable all traits to prevent linking Foundation for swift-crypto
b573359
@o-nnerb

o-nnerb commented Jun 23, 2026

Copy link
Copy Markdown
Contributor Author

@czechboy0 @FranzBusch can you review this?

@FranzBusch FranzBusch requested review from Lukasa and glbrntt June 23, 2026 12:41
glbrntt
glbrntt requested changes Jun 24, 2026
View reviewed changes

@glbrntt glbrntt left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! This mostly looks good but I left some feedback inline which needs addressing.

Comment thread Sources/AsyncHTTPClient/ConnectionPool/ChannelHandler/SPKIPinningHandler.swift Outdated
Comment thread Sources/AsyncHTTPClient/AsyncAwait/HTTPClientRequest.swift
Comment thread Sources/AsyncHTTPClient/ConnectionPool/ChannelHandler/SPKIPinningHandler.swift Outdated
Comment thread Sources/AsyncHTTPClient/ConnectionPool/ChannelHandler/SPKIPinningHandler.swift Outdated
Comment thread Sources/AsyncHTTPClient/ConnectionPool/ChannelHandler/SPKIPinningHandler.swift
Comment thread Tests/AsyncHTTPClientTests/AsyncAwaitEndToEndTests.swift Outdated
Comment thread Sources/AsyncHTTPClient/ConnectionPool/ChannelHandler/SPKIPinningHandler.swift Outdated
Comment thread Tests/AsyncHTTPClientTests/SPKIHashTests.swift Outdated
Comment thread Tests/AsyncHTTPClientTests/AsyncAwaitEndToEndTests.swift Outdated
Comment thread Tests/AsyncHTTPClientTests/SPKIPinningTests.swift Outdated
@o-nnerb o-nnerb requested a review from glbrntt June 24, 2026 19:30
glbrntt
glbrntt reviewed Jun 25, 2026
View reviewed changes

@glbrntt glbrntt left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is looking good, just a couple of small things left. The e2e tests are much better now as well 👍

Comment thread Sources/AsyncHTTPClient/ConnectionPool/ChannelHandler/SPKIPinningHandler.swift Outdated
Comment thread Sources/AsyncHTTPClient/ConnectionPool/ChannelHandler/SPKIPinningHandler.swift Outdated
@glbrntt glbrntt added the 🆕 semver/minor Adds new public API. label Jun 25, 2026
@o-nnerb o-nnerb requested a review from glbrntt June 25, 2026 11:00
glbrntt
glbrntt approved these changes Jun 25, 2026
View reviewed changes

@glbrntt glbrntt left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, this looks great! I would like @Lukasa to have a look before this is merged though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@glbrntt glbrntt glbrntt approved these changes
@Lukasa Lukasa Awaiting requested review from Lukasa

Assignees

No one assigned

Labels

🆕 semver/minor Adds new public API.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@o-nnerb @glbrntt