feat(websockets): add ssl pinning

edusperoni · edusperoni · commit d62bb6d457f2 · 2025-04-29T10:46:42.000-03:00
diff --git a/packages/nativescript-websockets/bridge.android.ts b/packages/nativescript-websockets/bridge.android.ts
@@ -1,5 +1,5 @@
 import { HeaderType } from './common';
-import { NativeBridgeDefinition } from './websocket.definition';
+import { NativeBridgeDefinition, WebSocketBridgeConnectOptions } from './websocket.definition';
 
 interface ExtendedArrayBuffer extends ArrayBuffer {
   from?(nativeBuffer: java.nio.ByteBuffer): ArrayBuffer;
@@ -72,7 +72,7 @@ export class NativeBridge extends NativeBridgeDefinition {
   nativeWs!: okhttp3.WebSocket;
   startLooper?: android.os.Looper;
   handler?: android.os.Handler;
-  connect(url: string, protocols: string[], headers: HeaderType): void {
+  connect({ url, protocols, headers }: WebSocketBridgeConnectOptions): void {
     this.startLooper = android.os.Looper.myLooper();
     this.handler = new android.os.Handler(this.startLooper);
     protocols = protocols || [];
diff --git a/packages/nativescript-websockets/bridge.ios.ts b/packages/nativescript-websockets/bridge.ios.ts
@@ -9,7 +9,7 @@
  */
 
 import { HeaderType } from './common';
-import { NativeBridgeDefinition } from './websocket.definition';
+import { NativeBridgeDefinition, WebSocketBridgeConnectOptions } from './websocket.definition';
 
 @NativeClass
 class RCTSRWebSocketDelegateImpl extends NSObject implements RCTSRWebSocketDelegate {
@@ -41,7 +41,7 @@ export class NativeBridge extends NativeBridgeDefinition {
   // store the delegate so it isn't garbage collected
   // TODO: fix the iOS runtime so we don't need this
   delegate!: RCTSRWebSocketDelegateImpl;
-  connect(url: string, protocols: string[], headers: HeaderType) {
+  connect({ url, protocols, headers, pinnedCertificates }: WebSocketBridgeConnectOptions): void {
     const nativeUrl = NSURL.URLWithString(url);
     const request = NSMutableURLRequest.requestWithURL(nativeUrl);
     // NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:URL];
@@ -63,6 +63,24 @@ export class NativeBridge extends NativeBridgeDefinition {
     for (const k of Object.keys(headers.headers)) {
       request.addValueForHTTPHeaderField(`${headers.headers[k]}`, k);
     }
+    if (pinnedCertificates) {
+      const sslArray = NSMutableArray.new();
+
+      for (const c of pinnedCertificates) {
+        // convert from pem to der (base64)
+        const der = c
+          .replace(/-----BEGIN CERTIFICATE-----/g, '')
+          .replace(/-----END CERTIFICATE-----/g, '')
+          .replace(/\r?\n/g, '');
+        const cert = SecCertificateCreateWithData(null, NSData.alloc().initWithBase64EncodedStringOptions(der, NSDataBase64DecodingOptions.IgnoreUnknownCharacters));
+        if (cert) {
+          sslArray.addObject(cert);
+        } else {
+          console.warn('Unable to create certificate from pem');
+        }
+      }
+      request.RCTSR_SSLPinnedCertificates = sslArray;
+    }
 
     const webSocket = RCTSRWebSocket.alloc().initWithURLRequestProtocols(request, protocols);
     this.nativeSocket = webSocket;
diff --git a/packages/nativescript-websockets/types/objc!NativeScriptWebSockets.d.ts b/packages/nativescript-websockets/types/objc!NativeScriptWebSockets.d.ts
@@ -35,6 +35,10 @@ declare const enum RCTSRStatusCode {
 	CodeMessageTooBig = 1009
 }
 
+interface NSMutableURLRequest {
+	RCTSR_SSLPinnedCertificates: NSArray<any>;
+}
+
 declare class RCTSRWebSocket extends NSObject implements NSStreamDelegate {
 
 	static alloc(): RCTSRWebSocket; // inherited from NSObject
diff --git a/packages/nativescript-websockets/websocket.definition.ts b/packages/nativescript-websockets/websocket.definition.ts
@@ -7,10 +7,17 @@ export interface WebSocketPolyfill {
   _websocketFailed(message: string): void;
 }
 
+export interface WebSocketBridgeConnectOptions {
+  url: string;
+  protocols: string[];
+  headers: HeaderType;
+  pinnedCertificates?: string[];
+}
+
 export abstract class NativeBridgeDefinition {
   public handleThreading = true;
   constructor(protected ws: WebSocketPolyfill) {}
-  abstract connect(url: string, protocols: string | string[], headers: HeaderType): void;
+  abstract connect(options: WebSocketBridgeConnectOptions): void;
   abstract send(data: string | ArrayBuffer | ArrayBufferView | Blob): void;
   abstract closeWithCodeReason(statusCode: number, closeReason: string): void;
   abstract sendPing(): void;
diff --git a/packages/nativescript-websockets/websocket.ts b/packages/nativescript-websockets/websocket.ts
@@ -37,6 +37,13 @@ const openWebsockets = new Set<WebSocketPolyfill>();
 //   websocketFailed: [{ id: number; message: string }];
 // };
 
+interface ExtraWebsocketOptions {
+  headers: { origin?: string; [key: string]: unknown };
+  nativescript: { handleThreading: boolean };
+  pinnedCertificates?: string[];
+  [key: string]: unknown;
+}
+
 /**
  * Browser-compatible WebSockets implementation.
  *
@@ -81,7 +88,7 @@ export class WebSocket implements WebSocketPolyfill {
     message: new Map(),
   };
 
-  constructor(url: string, protocols?: string | Array<string>, options?: { headers: { origin?: string; [key: string]: unknown }; nativescript: { handleThreading: boolean }; [key: string]: unknown }) {
+  constructor(url: string, protocols?: string | Array<string>, options?: ExtraWebsocketOptions) {
     this.nativeBridge = new NativeBridge(this);
     this.url = url;
     if (typeof protocols === 'string') {
@@ -91,7 +98,7 @@ export class WebSocket implements WebSocketPolyfill {
       protocols = [];
     }
 
-    const { headers = {}, nativescript = { handleThreading: true }, ...unrecognized } = options || ({} as { headers: { origin?: string; [key: string]: unknown }; nativescript: { handleThreading: boolean }; [key: string]: unknown });
+    const { headers = {}, nativescript = { handleThreading: true }, pinnedCertificates, ...unrecognized } = options || ({} as ExtraWebsocketOptions);
     this.nativeBridge.handleThreading = nativescript?.handleThreading ?? WebSocket.HANDLE_THREADING;
     this._binaryType = 'arraybuffer';
 
@@ -119,7 +126,7 @@ export class WebSocket implements WebSocketPolyfill {
     //    Platform.OS !== 'ios' ? null : NativeWebSocketModule,
     //  );
     this._registerEvents();
-    this.nativeBridge.connect(url, protocols, { headers });
+    this.nativeBridge.connect({ url, protocols, headers: { headers }, pinnedCertificates });
     openWebsockets.add(this);
     //  NativeWebSocketModule.connect(url, protocols, {headers}, this._socketId);
   }
diff --git a/references.d.ts b/references.d.ts
@@ -1,2 +1,3 @@
 /// <reference path="./node_modules/@nativescript/types-ios/index.d.ts" />
+/// <reference path="./node_modules/@nativescript/types-ios/lib/ios/objc-x86_64/objc!Security.d.ts" />
 /// <reference path="./node_modules/@nativescript/types-android/lib/android-29.d.ts" />

Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,10 @@ declare const enum RCTSRStatusCode {`
`35`	`35`	`CodeMessageTooBig = 1009`
`36`	`36`	`}`
`37`	`37`
	`38`	`+interface NSMutableURLRequest {`
	`39`	`+ RCTSR_SSLPinnedCertificates: NSArray<any>;`
	`40`	`+}`
	`41`	`+`
`38`	`42`	`declare class RCTSRWebSocket extends NSObject implements NSStreamDelegate {`
`39`	`43`
`40`	`44`	`static alloc(): RCTSRWebSocket; // inherited from NSObject`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`/// <reference path="./node_modules/@nativescript/types-ios/index.d.ts" />`
	`2`	`+/// <reference path="./node_modules/@nativescript/types-ios/lib/ios/objc-x86_64/objc!Security.d.ts" />`
`2`	`3`	`/// <reference path="./node_modules/@nativescript/types-android/lib/android-29.d.ts" />`