Include root certs from pki.goog

// FREEBIE

Podfile.lock

@@ -168,7 +168,7 @@ SPEC CHECKSUMS:
   PureLayout: 4d550abe49a94f24c2808b9b95db9131685fe4cd
   Reachability: 33e18b67625424e47b6cde6d202dce689ad7af96
   SAMKeychain: 483e1c9f32984d50ca961e26818a534283b4cd5c
-  SignalServiceKit: 1594ae26a08129175c6ca91690602aa47898f24c
+  SignalServiceKit: b84d80de0bfd5f863994a1ce1f5b742b91c46cb5
   SocketRocket: dbb1554b8fc288ef8ef370d6285aeca7361be31e
   SQLCipher: 43d12c0eb9c57fb438749618fc3ce0065509a559
   TwistedOakCollapsingFutures: f359b90f203e9ab13dfb92c9ff41842a7fe1cd0c

Signal.xcodeproj/project.pbxproj

@@ -2090,7 +2090,12 @@
 				"${PODS_ROOT}/SAMKeychain/Support/SAMKeychain.bundle",
 				"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/textsecure.cer",
 				"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt",
-				"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSGIAG3.crt",
+				"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GSR2.crt",
+				"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GSR4.crt",
+				"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR1.crt",
+				"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR2.crt",
+				"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR3.crt",
+				"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR4.crt",
 			);
 			name = "[CP] Copy Pods Resources";
 			outputPaths = (

SignalServiceKit.podspec

@@ -29,7 +29,13 @@ An Objective-C library for communicating with the Signal messaging service.
 
   s.resources = ['SignalServiceKit/src/Security/PinningCertificate/textsecure.cer',
                  'SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt',
-                 'SignalServiceKit/src/Security/PinningCertificate/GTSGIAG3.crt']
+                 'SignalServiceKit/src/Security/PinningCertificate/GSR2.crt',
+                 'SignalServiceKit/src/Security/PinningCertificate/GSR4.crt',
+                 'SignalServiceKit/src/Security/PinningCertificate/GTSR1.crt',
+                 'SignalServiceKit/src/Security/PinningCertificate/GTSR2.crt',
+                 'SignalServiceKit/src/Security/PinningCertificate/GTSR3.crt',
+                 'SignalServiceKit/src/Security/PinningCertificate/GTSR4.crt']
+
   s.prefix_header_file = 'SignalServiceKit/src/TSPrefix.h'
   s.xcconfig = { 'OTHER_CFLAGS' => '$(inherited) -DSQLITE_HAS_CODEC' }
 

SignalServiceKit/src/Network/OWSSignalService.m

@@ -305,23 +305,31 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange =
     static AFSecurityPolicy *securityPolicy = nil;
     static dispatch_once_t onceToken;
     dispatch_once(&onceToken, ^{
-        NSError *error;
-        NSData *GIAG2CertData = [self certificateDataWithName:@"GIAG2" error:&error];
-        if (error) {
-            DDLogError(@"%@ Failed to get GIAG2 certificate data with error: %@", self.tag, error);
-            @throw [NSException exceptionWithName:@"OWSSignalService_UnableToReadCertificate"
-                                           reason:error.description
-                                         userInfo:nil];
-        }
-        NSData *GTSGIAG3CertData = [self certificateDataWithName:@"GTSGIAG3" error:&error];
-        if (error) {
-            DDLogError(@"%@ Failed to get GIAG3 certificate data with error: %@", self.tag, error);
-            @throw [NSException exceptionWithName:@"OWSSignalService_UnableToReadCertificate"
-                                           reason:error.description
-                                         userInfo:nil];
+
+        NSMutableSet<NSData *> *certificates = [NSMutableSet new];
+
+        // GIAG2 cert plus root certs from pki.goog
+        NSArray<NSString *> *certNames = @[ @"GIAG2", @"GSR2", @"GSR4", @"GTSR1", @"GTSR2", @"GTSR3", @"GTSR4" ];
+
+        for (NSString *certName in certNames) {
+            NSError *error;
+            NSData *certData = [self certificateDataWithName:certName error:&error];
+            if (error) {
+                DDLogError(@"%@ Failed to get %@ certificate data with error: %@", self.tag, certName, error);
+                @throw [NSException exceptionWithName:@"OWSSignalService_UnableToReadCertificate"
+                                               reason:error.description
+                                             userInfo:nil];
+            }
+
+            if (!certData) {
+                DDLogError(@"%@ No data for certificate: %@", self.tag, certName);
+                @throw [NSException exceptionWithName:@"OWSSignalService_UnableToReadCertificate"
+                                               reason:error.description
+                                             userInfo:nil];
+            }
+            [certificates addObject:certData];
         }
 
-        NSSet<NSData *> *certificates = [NSSet setWithArray:@[ GIAG2CertData, GTSGIAG3CertData ]];
         securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate withPinnedCertificates:certificates];
     });
     return securityPolicy;