Search code examples
iossslpublic-keypinning

Setting up TrustKit

I am working on an application that quickly needs to include https for network communication. Our concern over this came about when we noticed we are sending all of our user credentials over the URL. This isn't good because then our usernames and passwords are out there in the open. After a lot of research it seems that pinning the public key of the server's SSL certificate is the way to go. I have decided to use TrustKit to pin the public key of the certificate so we do not have to pin the entire certificate in the application. That way we do not have to keep replacing the certificate overtime it expires, thus not having to build a new IPA or submit to Apple. In order to get this up and running, I need a few questions answered.

So I understand there are three main things I need to get started with TrustKit.

1. I need to know the domains that we are going to be using and include them in our info.plist.

  • QUESTION: Does the server at this domain need to do any preparation in order to get TrustKit what it needs to handle everything?

2. I need 2 public key hashes that also need to be included in the info.plist.

  • QUESTION: How do I extract the public key hashes from the certificate? From where do I get these hashes?

3. I need to know what public key algorithm to use.

  • QUESTION: What is this? And how do I find out which one to use?

Once all of this is in place, is there anything else I need to do appwise to be able to make sure TrustKit does it's job longterm?

Solution

    1. The server itself does not need to do anything special but your ops/infrastructure team does; see 2. and the backup pin.

    2. TrustKit provides a Python script to generate the hash and algorithm you're looking for : https://github.com/datatheorem/TrustKit/blob/master/get_pin_from_certificate.py . You need use the script on your domain's CA certificate (this will be the first hash), and then on another CA certificate, from which you bought a backup certificate for your domain. This backup pin is needed in case you need to quickly rotate the (first) certificate on your server, without bricking your App. This is explained in more details here: https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ .

    3. The script described in 2. also returns the algorithm. It is the algorithm (RSA, ECDSA) of the public key that's embedded in the server certificate. This is needed by TrustKit because iOS does not provide the APIs to automatically detect the certificate's algorithm.