From 56ff497639904bfc666fbb1ec38f9b34991ae08e Mon Sep 17 00:00:00 2001 From: Kevin Hellemun Date: Tue, 29 May 2018 10:50:37 +0200 Subject: [PATCH 1/5] Deleted old sandbox pinned key. (bunq/sdk_php#149) --- .../Certificate/sandbox.public.api.bunq.com.pubkey.pem | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 src/Http/Certificate/sandbox.public.api.bunq.com.pubkey.pem diff --git a/src/Http/Certificate/sandbox.public.api.bunq.com.pubkey.pem b/src/Http/Certificate/sandbox.public.api.bunq.com.pubkey.pem deleted file mode 100644 index fa26328d..00000000 --- a/src/Http/Certificate/sandbox.public.api.bunq.com.pubkey.pem +++ /dev/null @@ -1,9 +0,0 @@ ------BEGIN PUBLIC KEY----- -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0vsFAdvOK0v4NOLNCyYi -iw06obUmRkTI9VfbDtuIjNLFFHQo5V1K8KztFQjzysgBpqKr9WCWS/Cknsjk95zw -E0HsWbR7daoNwNcAyiqvC+4WKaxEXgpz9UPWCYfcJqUnmwhZBgrZPz9MXHOgtU7l -mk5TJEy2/bhTuMmW0NfjBVl2bVSgPh8U0v5uYA69ypVPXDzFuGs3eyrgUroQOuja -TiCVbWIyvQpyn5McBUO3uF14RAVOIYFqFOHQkxcgFMeFylsKE7hBHpdpKvRmB1LS -2KsHB4oQ0XayLg4yV0KAyNvdt/XHrOvA2JFg5H7hDZbhsxWVQniF8CbEakgOiose -iwIDAQAB ------END PUBLIC KEY----- From acd56b61517a708de7bfb74e0c49fcf7e5a8c3be Mon Sep 17 00:00:00 2001 From: Kevin Hellemun Date: Tue, 29 May 2018 10:51:55 +0200 Subject: [PATCH 2/5] Changed sandbox url. (bunq/sdk_php#149) --- src/Context/ApiContext.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Context/ApiContext.php b/src/Context/ApiContext.php index 96d40d80..1e1bb01a 100644 --- a/src/Context/ApiContext.php +++ b/src/Context/ApiContext.php @@ -22,7 +22,7 @@ class ApiContext * Api environment urls. */ const BASE_URL_PRODUCTION = 'https://api.bunq.com/v1/'; - const BASE_URL_SANDBOX = 'https://sandbox.public.api.bunq.com/v1/'; + const BASE_URL_SANDBOX = 'https://public-api.sandbox.bunq.com/v1/'; /** * Error constants. From 0ff2709056cf94f820e9c6a9a662c37fb482bb47 Mon Sep 17 00:00:00 2001 
From: Kevin Hellemun Date: Tue, 29 May 2018 10:54:45 +0200 Subject: [PATCH 3/5] Refactored ApiClient to not pinn key for sandbox. (bunq/sdk_php#149) --- src/Http/ApiClient.php | 56 ++++++++++++++++++++++++++++-------------- 1 file changed, 37 insertions(+), 19 deletions(-) diff --git a/src/Http/ApiClient.php b/src/Http/ApiClient.php index 76a1891e..5870b32a 100644 --- a/src/Http/ApiClient.php +++ b/src/Http/ApiClient.php @@ -21,6 +21,15 @@ */ class ApiClient { + /** + * Error constants. + */ + const ERROR_ENVIRONMENT_TYPE_UNKNOWN = 'Unknown environmentType "%s"'; + const ERROR_MAC_OS_CURL_VERSION = 'Your PHP seems to be linked to the MacOS provided curl binary. ' . + 'This is incompatible with our SDK, please reinstall by running: "brew reinstall %s --with-homebrew-curl".%s'; + const ERROR_SANDBOX_DOES_NOT_SUPPORT_PINNED_KEY = + 'Sandbox does not support pinned key. See https://curl.haxx.se/docs/todo.html#Support_intermediate_root_pinn'; + /** * Endpoints not requiring active session for the request to succeed. */ @@ -35,13 +44,6 @@ class ApiClient const INSTALLATION_URL = 'installation'; const SESSION_SERVER_URL = 'session-server'; - /** - * Error constants. - */ - const ERROR_ENVIRONMENT_TYPE_UNKNOWN = 'Unknown environmentType "%s"'; - const ERROR_MAC_OS_CURL_VERSION = 'Your PHP seems to be linked to the MacOS provided curl binary. ' . - 'This is incompatible with our SDK, please reinstall by running: "brew reinstall %s --with-homebrew-curl".%s'; - /** * Public key locations. */ 
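Review bot: The "Public key locations" block that closes the second hunk is left untouched, so `FILE_PUBLIC_KEY_ENVIRONMENT_SANDBOX` is presumably still defined there, although its definition is outside the hunk. Patch 1/5 deletes the `.pem` file that this constant names, and this patch removes the only use of it that is visible in the series. If nothing else reads it, delete the constant in this commit so that no later change can point `CURLOPT_PINNEDPUBLICKEY` at a path that no longer exists.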
@@ -240,18 +242,18 @@ private function initializeHttpClient() $middleware = $this->determineMiddleware(); $this->httpClient = new Client( - [ - self::OPTION_DEFAULTS => [ - self::OPTION_ALLOW_REDIRECTS => false, - self::OPTION_EXCEPTIONS => false, - ], - self::OPTION_HANDLER => $middleware, - self::OPTION_VERIFY => true, - self::OPTION_CURL => [ - CURLOPT_PINNEDPUBLICKEY => $this->determinePinnedServerPublicKey(), + array_merge( + [ + self::OPTION_DEFAULTS => [ + self::OPTION_ALLOW_REDIRECTS => false, + self::OPTION_EXCEPTIONS => false, + ], + self::OPTION_HANDLER => $middleware, + self::OPTION_VERIFY => true, + self::OPTION_PROXY => $this->apiContext->getProxy(), ], - self::OPTION_PROXY => $this->apiContext->getProxy(), - ] + $this->determinePinnedKeySetting() + ) ); } } @@ -286,6 +288,22 @@ private function determineMiddleware(): HandlerStack return $handlerStack; } + /** + * @return string[] + */ + private function determinePinnedKeySetting(): array + { + if ($this->apiContext->getEnvironmentType()->equals(BunqEnumApiEnvironmentType::SANDBOX())) { + return []; + } else { + return [ + self::OPTION_CURL => [ + CURLOPT_PINNEDPUBLICKEY => $this->determinePinnedServerPublicKey(), + ], + ]; + } + } + /** * @return string * @throws BunqException when the environment type is unknown. @@ -295,7 +313,7 @@ private function determinePinnedServerPublicKey(): string $environmentType = $this->apiContext->getEnvironmentType(); if ($environmentType->equals(BunqEnumApiEnvironmentType::SANDBOX())) { - return __DIR__ . self::FILE_PUBLIC_KEY_ENVIRONMENT_SANDBOX; + throw new BunqException(self::ERROR_SANDBOX_DOES_NOT_SUPPORT_PINNED_KEY); } elseif ($environmentType->equals(BunqEnumApiEnvironmentType::PRODUCTION())) { return __DIR__ . self::FILE_PUBLIC_KEY_ENVIRONMENT_PRODUCTION; } else { From 171c2d06bef26d4a7e8f21919a1318b339ea5f5c Mon Sep 17 00:00:00 2001 
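Review bot: The docblock on `determinePinnedKeySetting()` says `@return string[]`, but the method returns either `[]` or a nested array keyed by `self::OPTION_CURL`, and it does not say why the sandbox branch is empty. I would write `@return array[] Guzzle options; empty for sandbox, where no public key is pinned.` and add a comment on the `return [];` line stating that sandbox connections are then protected only by the certificate-chain check (`self::OPTION_VERIFY => true` in `initializeHttpClient()`). This is the only place where pinning is switched off, so the reason should be explicit to stop the exemption being widened later. The `else` after `return [];` can also be dropped in favour of an early return.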
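Review bot: The docblock above `determinePinnedServerPublicKey()` still reads `@throws BunqException when the environment type is unknown.`, but the new first branch also throws for `SANDBOX`. Update it to `@throws BunqException when the environment type is sandbox (no key is pinned there) or unknown.` so the contract matches the code. The method body continues past the end of this hunk, so the final `else` branch is not visible here.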
From: Kevin Hellemun Date: Tue, 29 May 2018 11:17:12 +0200 Subject: [PATCH 4/5] Updated error message for root pinning. (bunq/sdk_php#149) --- src/Http/ApiClient.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Http/ApiClient.php b/src/Http/ApiClient.php index 5870b32a..b3617b25 100644 --- a/src/Http/ApiClient.php +++ b/src/Http/ApiClient.php @@ -27,8 +27,8 @@ class ApiClient const ERROR_ENVIRONMENT_TYPE_UNKNOWN = 'Unknown environmentType "%s"'; const ERROR_MAC_OS_CURL_VERSION = 'Your PHP seems to be linked to the MacOS provided curl binary. ' . 'This is incompatible with our SDK, please reinstall by running: "brew reinstall %s --with-homebrew-curl".%s'; - const ERROR_SANDBOX_DOES_NOT_SUPPORT_PINNED_KEY = - 'Sandbox does not support pinned key. See https://curl.haxx.se/docs/todo.html#Support_intermediate_root_pinn'; + const ERROR_CURL_DOES_NOT_SUPPORT_ROOT_CA_PINNING = + 'Curl does not support root CA pinning. See https://curl.haxx.se/docs/todo.html#Support_intermediate_root_pinn'; /** * Endpoints not requiring active session for the request to succeed. @@ -313,7 +313,7 @@ private function determinePinnedServerPublicKey(): string $environmentType = $this->apiContext->getEnvironmentType(); if ($environmentType->equals(BunqEnumApiEnvironmentType::SANDBOX())) { - throw new BunqException(self::ERROR_SANDBOX_DOES_NOT_SUPPORT_PINNED_KEY); + throw new BunqException(self::ERROR_CURL_DOES_NOT_SUPPORT_ROOT_CA_PINNING); } elseif ($environmentType->equals(BunqEnumApiEnvironmentType::PRODUCTION())) { return __DIR__ . self::FILE_PUBLIC_KEY_ENVIRONMENT_PRODUCTION; } else { From e3f0769cfbb2555aba5e837466101c17d9d61672 Mon Sep 17 00:00:00 2001 From: Kevin Hellemun Date: Tue, 29 May 2018 11:29:56 +0200 Subject: [PATCH 5/5] Certificate instead of CA. (bunq/sdk_php#149) --- src/Http/ApiClient.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/Http/ApiClient.php b/src/Http/ApiClient.php index b3617b25..d02de7a3 100644 
--- a/src/Http/ApiClient.php +++ b/src/Http/ApiClient.php @@ -27,8 +27,9 @@ class ApiClient const ERROR_ENVIRONMENT_TYPE_UNKNOWN = 'Unknown environmentType "%s"'; const ERROR_MAC_OS_CURL_VERSION = 'Your PHP seems to be linked to the MacOS provided curl binary. ' . 'This is incompatible with our SDK, please reinstall by running: "brew reinstall %s --with-homebrew-curl".%s'; - const ERROR_CURL_DOES_NOT_SUPPORT_ROOT_CA_PINNING = - 'Curl does not support root CA pinning. See https://curl.haxx.se/docs/todo.html#Support_intermediate_root_pinn'; + const ERROR_CURL_DOES_NOT_SUPPORT_ROOT_CERTIFICATE_PINNING = + //@codingStandardsIgnoreLine + 'Curl does not support root certificate pinning. See https://curl.haxx.se/docs/todo.html#Support_intermediate_root_pinn'; /** * Endpoints not requiring active session for the request to succeed. @@ -313,7 +314,7 @@ private function determinePinnedServerPublicKey(): string $environmentType = $this->apiContext->getEnvironmentType(); if ($environmentType->equals(BunqEnumApiEnvironmentType::SANDBOX())) { - throw new BunqException(self::ERROR_CURL_DOES_NOT_SUPPORT_ROOT_CA_PINNING); + throw new BunqException(self::ERROR_CURL_DOES_NOT_SUPPORT_ROOT_CERTIFICATE_PINNING); } elseif ($environmentType->equals(BunqEnumApiEnvironmentType::PRODUCTION())) { return __DIR__ . self::FILE_PUBLIC_KEY_ENVIRONMENT_PRODUCTION; } else {
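Review bot: After the rewording in patches 4/5 and 5/5, the text of `ERROR_CURL_DOES_NOT_SUPPORT_ROOT_CERTIFICATE_PINNING` no longer mentions the sandbox, yet the second hunk throws it only from the `SANDBOX` branch of `determinePinnedServerPublicKey()`. Someone who hits this exception cannot tell from the message that it applies to one environment only, or that production still pins its key. Naming the environment would fix that, for example `'No pinned key for sandbox: curl does not support root certificate pinning. See …'`, with the existing link kept.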