From ca8b9e79f75768a8d88ab5de6b703d7fec780cdc Mon Sep 17 00:00:00 2001
From: uroboro <uroboro845@gmail.com>
Date: Fri, 15 Mar 2024 15:18:40 +0100
Subject: [PATCH 1/2] Add Privacy Manifest

Fixes #319
---
 .gitignore                     |  1 +
 Package.swift                  |  3 ++-
 TrustKit.podspec               | 10 ++--------
 TrustKit/PrivacyInfo.xcprivacy | 17 +++++++++++++++++
 4 files changed, 22 insertions(+), 9 deletions(-)
 create mode 100644 TrustKit/PrivacyInfo.xcprivacy

diff --git a/.gitignore b/.gitignore
index b7da3677..8b07b0ea 100644
--- a/.gitignore
+++ b/.gitignore
@@ -39,5 +39,6 @@ _site
 
 # Swift Package Manager
 .build
+.swiftpm/
 
 .DS_Store
diff --git a/Package.swift b/Package.swift
index 79260778..2038f58f 100644
--- a/Package.swift
+++ b/Package.swift
@@ -31,7 +31,8 @@ let package = Package(
         .target(
             name: "TrustKit",
             dependencies: [],
-            path: "TrustKit",            
+            path: "TrustKit",   
+            resources: [.copy("PrivacyInfo.xcprivacy")],
             publicHeadersPath: "public",
             cSettings: [.define("NS_BLOCK_ASSERTIONS", to: "1", .when(configuration: .release))]
         ),
diff --git a/TrustKit.podspec b/TrustKit.podspec
index 6f75dffb..3e8fc9c4 100644
--- a/TrustKit.podspec
+++ b/TrustKit.podspec
@@ -15,14 +15,8 @@ Pod::Spec.new do |s|
 
   s.pod_target_xcconfig = { 'DEFINES_MODULE' => 'YES' }
   s.source_files = ['TrustKit', 'TrustKit/**/*.{h,m,c}']
-  s.public_header_files = [
-    'TrustKit/public/TrustKit.h',
-    'TrustKit/public/TSKTrustKitConfig.h',
-    'TrustKit/public/TSKPinningValidator.h',
-    'TrustKit/public/TSKPinningValidatorCallback.h',
-    'TrustKit/public/TSKPinningValidatorResult.h',
-    'TrustKit/public/TSKTrustDecision.h',
-  ]
+  s.public_header_files = 'TrustKit/public/*.h'
+  s.resource_bundles = {"TrustKit" => "TrustKit/PrivacyInfo.xcprivacy"}
   s.frameworks = ['Foundation', 'Security']
   s.requires_arc = true
 end
diff --git a/TrustKit/PrivacyInfo.xcprivacy b/TrustKit/PrivacyInfo.xcprivacy
new file mode 100644
index 00000000..79bc9e28
--- /dev/null
+++ b/TrustKit/PrivacyInfo.xcprivacy
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>NSPrivacyAccessedAPITypes</key>
+	<array>
+		<dict>
+			<key>NSPrivacyAccessedAPIType</key>
+			<string>NSPrivacyAccessedAPICategoryUserDefaults</string>
+			<key>NSPrivacyAccessedAPITypeReasons</key>
+			<array>
+				<string>CA92.1</string>
+			</array>
+		</dict>
+	</array>
+</dict>
+</plist>

From 542647ba1cb701756a1853fcb0dcbd32b5eda1db Mon Sep 17 00:00:00 2001
From: uroboro <uroboro845@gmail.com>
Date: Wed, 20 Mar 2024 16:08:36 +0100
Subject: [PATCH 2/2] Add missing entries to PrivacyInfo.xcprivacy

- Swap Cloudflare domain with Data Theorem for TSKEndToEndSwizzlingTests
- Add PrivacyInfo.xcprivacy to Xcode project for all targets
- Remove noop assign
---
 TrustKit.xcodeproj/project.pbxproj        | 10 ++++++++++
 TrustKit/Pinning/pinning_utils.m          |  1 -
 TrustKit/PrivacyInfo.xcprivacy            |  6 ++++++
 TrustKitTests/TSKEndToEndSwizzlingTests.m | 16 ++++++++--------
 4 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/TrustKit.xcodeproj/project.pbxproj b/TrustKit.xcodeproj/project.pbxproj
index 51ea6e71..bd172997 100644
--- a/TrustKit.xcodeproj/project.pbxproj
+++ b/TrustKit.xcodeproj/project.pbxproj
@@ -257,6 +257,10 @@
 		B005E3F229B8C2F8007C3D84 /* pinning_utils.h in Headers */ = {isa = PBXBuildFile; fileRef = B005E3F029B85ED0007C3D84 /* pinning_utils.h */; };
 		B005E3F329B8C2F9007C3D84 /* pinning_utils.h in Headers */ = {isa = PBXBuildFile; fileRef = B005E3F029B85ED0007C3D84 /* pinning_utils.h */; };
 		B005E3F429B8C2FA007C3D84 /* pinning_utils.h in Headers */ = {isa = PBXBuildFile; fileRef = B005E3F029B85ED0007C3D84 /* pinning_utils.h */; };
+		DC6F28772BAB30A8001B604A /* PrivacyInfo.xcprivacy in Resources */ = {isa = PBXBuildFile; fileRef = DC6F28762BAB30A8001B604A /* PrivacyInfo.xcprivacy */; };
+		DC6F28782BAB30A8001B604A /* PrivacyInfo.xcprivacy in Resources */ = {isa = PBXBuildFile; fileRef = DC6F28762BAB30A8001B604A /* PrivacyInfo.xcprivacy */; };
+		DC6F28792BAB30A8001B604A /* PrivacyInfo.xcprivacy in Resources */ = {isa = PBXBuildFile; fileRef = DC6F28762BAB30A8001B604A /* PrivacyInfo.xcprivacy */; };
+		DC6F287A2BAB30A8001B604A /* PrivacyInfo.xcprivacy in Resources */ = {isa = PBXBuildFile; fileRef = DC6F28762BAB30A8001B604A /* PrivacyInfo.xcprivacy */; };
 		FC049B3A1EECD1B000FDC5F4 /* anchor-ca.cert.pem in Resources */ = {isa = PBXBuildFile; fileRef = FCC1DD051EECD19E00AB3D81 /* anchor-ca.cert.pem */; };
 		FC049B3B1EECD1B000FDC5F4 /* anchor-fake.yahoo.com.cert.pem in Resources */ = {isa = PBXBuildFile; fileRef = FCC1DD061EECD19E00AB3D81 /* anchor-fake.yahoo.com.cert.pem */; };
 		FC049B3C1EECD1B000FDC5F4 /* anchor-intermediate.cert.pem in Resources */ = {isa = PBXBuildFile; fileRef = FCC1DD071EECD19E00AB3D81 /* anchor-intermediate.cert.pem */; };
@@ -435,6 +439,7 @@
 		8CF27AA11F01BB7B009369B0 /* TSKLoggerTests.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = TSKLoggerTests.m; sourceTree = "<group>"; };
 		B005E3E729B85EBA007C3D84 /* pinning_utils.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = pinning_utils.m; path = Pinning/pinning_utils.m; sourceTree = "<group>"; };
 		B005E3F029B85ED0007C3D84 /* pinning_utils.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = pinning_utils.h; path = Pinning/pinning_utils.h; sourceTree = "<group>"; };
+		DC6F28762BAB30A8001B604A /* PrivacyInfo.xcprivacy */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; path = PrivacyInfo.xcprivacy; sourceTree = "<group>"; };
 		FC1A08FF1E57A4BB0055B12C /* TSKPinningValidatorResult.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = TSKPinningValidatorResult.m; sourceTree = "<group>"; };
 		FC1A09081E57AC450055B12C /* TSKSPKIHashCache.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = TSKSPKIHashCache.h; path = Pinning/TSKSPKIHashCache.h; sourceTree = "<group>"; };
 		FC1A09091E57AC450055B12C /* TSKSPKIHashCache.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = TSKSPKIHashCache.m; path = Pinning/TSKSPKIHashCache.m; sourceTree = "<group>"; };
@@ -797,6 +802,7 @@
 			isa = PBXGroup;
 			children = (
 				FC23F68C1EE73BE600397646 /* TrustKit.podspec */,
+				DC6F28762BAB30A8001B604A /* PrivacyInfo.xcprivacy */,
 				FC23F68E1EE73BE600397646 /* README.md */,
 				FC23F68F1EE73BE600397646 /* ATTRIBUTIONS */,
 				FC23F6901EE73BE600397646 /* AUTHORS */,
@@ -1192,6 +1198,7 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				DC6F28772BAB30A8001B604A /* PrivacyInfo.xcprivacy in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -1217,6 +1224,7 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				DC6F28792BAB30A8001B604A /* PrivacyInfo.xcprivacy in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -1242,6 +1250,7 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				DC6F28782BAB30A8001B604A /* PrivacyInfo.xcprivacy in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -1267,6 +1276,7 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				DC6F287A2BAB30A8001B604A /* PrivacyInfo.xcprivacy in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
diff --git a/TrustKit/Pinning/pinning_utils.m b/TrustKit/Pinning/pinning_utils.m
index 8d048f04..16e2fc12 100644
--- a/TrustKit/Pinning/pinning_utils.m
+++ b/TrustKit/Pinning/pinning_utils.m
@@ -21,7 +21,6 @@ void evaluateCertificateChainTrust(SecTrustRef serverTrust, SecTrustResultType *
         if (error != NULL) {
             if (status != errSecSuccess)
             {
-                certificateEvaluationSucceeded = false;
                 NSString *errDescription = [NSString stringWithFormat:@"got status %d", (int)status];
                 *error = [[NSError alloc] initWithDomain:@"com.datatheorem.trustkit" code:1 userInfo:@{NSLocalizedDescriptionKey:errDescription}];
             }
diff --git a/TrustKit/PrivacyInfo.xcprivacy b/TrustKit/PrivacyInfo.xcprivacy
index 79bc9e28..0a95d093 100644
--- a/TrustKit/PrivacyInfo.xcprivacy
+++ b/TrustKit/PrivacyInfo.xcprivacy
@@ -13,5 +13,11 @@
 			</array>
 		</dict>
 	</array>
+	<key>NSPrivacyCollectedDataTypes</key>
+	<array/>
+	<key>NSPrivacyTracking</key>
+	<false/>
+	<key>NSPrivacyTrackingDomains</key>
+	<array/>
 </dict>
 </plist>
diff --git a/TrustKitTests/TSKEndToEndSwizzlingTests.m b/TrustKitTests/TSKEndToEndSwizzlingTests.m
index 4dc8439a..ca7a1346 100644
--- a/TrustKitTests/TSKEndToEndSwizzlingTests.m
+++ b/TrustKitTests/TSKEndToEndSwizzlingTests.m
@@ -77,7 +77,7 @@ - (void)URLSession:(NSURLSession * _Nonnull)session
     {
         _completedConnectionToFacebook = YES;
     }
-    else if ([task.originalRequest.URL.host isEqualToString:@"www.cloudflare.com"])
+    else if ([task.originalRequest.URL.host isEqualToString:@"www.datatheorem.com"])
     {
         _completedConnectionToCloudflare = YES;
     }
@@ -97,7 +97,7 @@ - (void)URLSession:(NSURLSession * _Nonnull)session
     {
         _completedConnectionToFacebook = YES;
     }
-    else if ([dataTask.originalRequest.URL.host isEqualToString:@"www.cloudflare.com"])
+    else if ([dataTask.originalRequest.URL.host isEqualToString:@"www.datatheorem.com"])
     {
         _completedConnectionToCloudflare = YES;
     }
@@ -116,7 +116,7 @@ - (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task willPer
     {
         _completedConnectionToFacebook = YES;
     }
-    else if ([task.originalRequest.URL.host isEqualToString:@"www.cloudflare.com"])
+    else if ([task.originalRequest.URL.host isEqualToString:@"www.datatheorem.com"])
     {
         _completedConnectionToCloudflare = YES;
     }
@@ -165,9 +165,9 @@ - (void)test
       kTSKPinnedDomains :
           @{
               // Valid pinning configuration
-              @"www.cloudflare.com" : @{
+              @"www.datatheorem.com" : @{
                       kTSKEnforcePinning : @YES,
-                      kTSKPublicKeyHashes : @[@"FEzVOUp4dF3gI0ZVPRJhFbSJVXR+uQmMH65xhs1glH4=", // CA key
+                      kTSKPublicKeyHashes : @[@"F6jTih9VkkYZS8yuYqeU/4DUGehJ+niBGkkQ1yg8H3U=", // CA key
                                               @"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" // Fake key
                                               ]},
               // Invalid pinning configuration
@@ -197,13 +197,13 @@ - (void)test
             XCTAssertEqualObjects(notedHostname, @"www.facebook.com");
             XCTAssertNotNil(notedHostnamePinningPolicy);
         }
-        else if ([result.serverHostname isEqualToString:@"www.cloudflare.com"])
+        else if ([result.serverHostname isEqualToString:@"www.datatheorem.com"])
         {
             receivedCallForCloudflare = YES;
             XCTAssertEqual(result.finalTrustDecision, TSKTrustDecisionShouldAllowConnection);
             XCTAssertEqual(result.evaluationResult, TSKTrustEvaluationSuccess);
             
-            XCTAssertEqualObjects(result.serverHostname,  @"www.cloudflare.com");
+            XCTAssertEqualObjects(result.serverHostname,  @"www.datatheorem.com");
             XCTAssertGreaterThan([result.certificateChain count], (unsigned long)1);
             XCTAssertGreaterThan(result.validationDuration, 0);
             
@@ -230,7 +230,7 @@ - (void)test
     [task resume];
     
     // One should succeed
-    NSURLSessionDataTask *task2 = [session dataTaskWithURL:[NSURL URLWithString:@"https://www.cloudflare.com/"]];
+    NSURLSessionDataTask *task2 = [session dataTaskWithURL:[NSURL URLWithString:@"https://www.datatheorem.com/"]];
     [task2 resume];
     
     // Wait for the connection to succeed and ensure a notification was posted