0

everyone I want to implement dynamic SSL pinning.So as to implement it through publicKey,I have to update the publicKey when certificate against it expires. I have checked third party library like wultra/SSL pinning ios,but it is little complicated as there is no mention of how to extract publicKey or serviceUrl.The other two libraries being provided is written in Java,which is hard to understand.Is there a way to implement dynamic SSL pinning without third party. In Android it is possible using httpClient.No library similar to this is there in ios swift.

I Have tried TrustKit.But as much as I know we can pass in it multiple keys,so if one expires it checks for other.So I do have a doubt as well does public Key change with renewal of SSL certificate or not.

Ankit Kumar Gupta
  • 1

1 Answers1

2

So "dynamic SSL pinning" is not really a standard that is well defined, and Wultra's understanding / implementation is one way to define it:

The solution to this problem is the dynamic SSL pinning, where the list of certificate fingerprints are securely downloaded from the remote server.

Another definition comes from IETF / Google:

Clients remember the most-recently-seen set of pins for max-age seconds after it was most recently seen. Clients drop TLS connections for which the set of SPKIs in the chain does not intersect with the set of remembered pins!

As you notice a common pattern here: you receive a key / hash from a trusted source (which is not a client /iOS device itself). So whichever way you go, you have to have a server side that collaborates with you on providing your client with the valid key. Generating a key on the client and trusting it afterwards is pointless, you may as well skip pinning altogether.

That brings you to the workflow, that is essentially the same as any other certificate pinning workflow on iOS:

Step 1: You get a set of valid certs / public keys / hashes. You obtain this set either by hard-coding it in your app, or by contacting a trusted source, or by remembering previously served ones.

Step 2: You implement a normal didReceive challenge: URLAuthenticationChallenge event of a URL session, which is well described in this guide.

Step 3: Inside that method, you check a validity of the certs / public keys / hashes, as explained in this guide.

A nice boilerplate code for this event can be found here. It includes information on how to compare cert, key, and hash.

timbre timbre
  • 12,648
  • 10
  • 46
  • 77
  • 1
    How can I get updated certificates securely?Do I need to have a new api for this? – Ankit Kumar Gupta Mar 23 '23 at 04:44
  • 1
    If you go with Wultra-like solution - yes, you need new server endpoint and API. If you go with google-like solution, the site you are interacting with needs to support this sort of model – timbre timbre Mar 23 '23 at 13:56