From 854595bf7c9025e7ba77d310331a39e8cc2dc271 Mon Sep 17 00:00:00 2001 From: Giom Foret Date: Wed, 19 Jul 2017 18:32:34 +0200 Subject: [PATCH] Bug Fix: Avatars (and probably other media) do not display with account on a self-signed server. The MXMediaLoader adds now all the allowed certificates to the chain of trust at the time of preparing the SSL negotiation. https://github.com/vector-im/riot-ios/issues/816 --- MatrixSDK/Utils/MXAllowedCertificates.h | 7 ++++++- MatrixSDK/Utils/MXAllowedCertificates.m | 1 + MatrixSDK/Utils/Media/MXMediaLoader.m | 21 +++++++++++++++------ 3 files changed, 22 insertions(+), 7 deletions(-) diff --git a/MatrixSDK/Utils/MXAllowedCertificates.h b/MatrixSDK/Utils/MXAllowedCertificates.h index c17fb7e18a..e6e648271d 100644 --- a/MatrixSDK/Utils/MXAllowedCertificates.h +++ b/MatrixSDK/Utils/MXAllowedCertificates.h @@ -25,7 +25,7 @@ /** The `MXAllowedCertificates` singleton. */ -+ (id)sharedInstance; ++ (instancetype)sharedInstance; /** Add a certificate in the allowed list. @@ -47,4 +47,9 @@ */ - (void)reset; +/** + The current list of allowed certificates. + */ +@property (readonly) NSSet *certificates; + @end diff --git a/MatrixSDK/Utils/MXAllowedCertificates.m b/MatrixSDK/Utils/MXAllowedCertificates.m index c1479e206d..a23e31ffd8 100644 --- a/MatrixSDK/Utils/MXAllowedCertificates.m +++ b/MatrixSDK/Utils/MXAllowedCertificates.m @@ -24,6 +24,7 @@ @interface MXAllowedCertificates () @end @implementation MXAllowedCertificates +@synthesize certificates; + (MXAllowedCertificates *)sharedInstance { diff --git a/MatrixSDK/Utils/Media/MXMediaLoader.m b/MatrixSDK/Utils/Media/MXMediaLoader.m index 8333879ce8..5ebe86391b 100644 --- a/MatrixSDK/Utils/Media/MXMediaLoader.m +++ b/MatrixSDK/Utils/Media/MXMediaLoader.m 
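Review bot: The new `certificates` property exposes the allowed list without saying what it holds or whether the returned set is a snapshot, and the `@synthesize certificates;` added in MXAllowedCertificates.m makes the getter return the backing ivar directly. The storage is not visible in this diff, but if it is the mutable set that the add and reset methods modify, a caller enumerating it on a connection callback while a certificate is added would hit a mutation-during-enumeration exception, and any caller could cast the result and edit the trust list. Consider declaring it as `@property (nonatomic, readonly, copy) NSSet<NSData *> *certificates;` with a getter that returns a copy. The doc comment could then read `The current list of allowed certificates, as DER-encoded NSData objects (snapshot).`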
@@ -233,16 +233,25 @@ - (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticatio NSURLProtectionSpace *protectionSpace = [challenge protectionSpace]; if ([protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) { + // List all the allowed certificates to pin against. + NSMutableArray *pinnedCertificates = [NSMutableArray array]; + NSSet *certificates = [AFSecurityPolicy certificatesInBundle:[NSBundle mainBundle]]; - if (certificates && certificates.count > 0) + for (NSData *certificateData in certificates) + { + [pinnedCertificates addObject:(__bridge_transfer id)SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certificateData)]; + } + certificates = [MXAllowedCertificates sharedInstance].certificates; + for (NSData *certificateData in certificates) + { + [pinnedCertificates addObject:(__bridge_transfer id)SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certificateData)]; + } + + if (pinnedCertificates.count > 0) { - NSMutableArray *pinnedCertificates = [NSMutableArray array]; - for (NSData *certificateData in certificates) - { - [pinnedCertificates addObject:(__bridge_transfer id)SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certificateData)]; - } SecTrustSetAnchorCertificates(protectionSpace.serverTrust, (__bridge CFArrayRef)pinnedCertificates); } + SecTrustRef trust = [protectionSpace serverTrust]; // Re-evaluate the trust policy
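Review bot: Both added loops pass the result of `SecCertificateCreateWithData` straight to `addObject:`, and that function returns NULL when the data is not a valid DER certificate, so one malformed entry in `[MXAllowedCertificates sharedInstance].certificates` would raise on a nil insert inside the TLS challenge handler; the guarded loop below skips such entries. Separately, every user-accepted certificate is now installed as a trust anchor for any host this loader contacts, with no filtering by host visible here, and `SecTrustSetAnchorCertificates` by default stops the evaluation from trusting the system anchors, which now happens as soon as the allowed list is non-empty. The rest of the method is outside the hunk, so confirm whether it calls `SecTrustSetAnchorCertificatesOnly(trust, false)` and whether the allowed list can be narrowed to the challenged host before it is anchored. The comment `// List all the allowed certificates to pin against.` would be more accurate as `// Collect the extra trust anchors (bundled and user-accepted certificates).`, since nothing in this hunk ties a host to a certificate.

```objc
NSSet *certificates = [AFSecurityPolicy certificatesInBundle:[NSBundle mainBundle]];
for (NSData *certificateData in certificates)
{
    // SecCertificateCreateWithData returns NULL for data that is not a DER certificate.
    SecCertificateRef certificate = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certificateData);
    if (certificate)
    {
        [pinnedCertificates addObject:(__bridge_transfer id)certificate];
    }
}
// … same guarded loop over [MXAllowedCertificates sharedInstance].certificates …
// … unchanged: SecTrustSetAnchorCertificates call and trust re-evaluation …
```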