Using TrustKit with RestKit for multi-tenant REST API #40

Closed
nejra opened this issue Apr 11, 2016 · 7 comments

@nejra

nejra commented Apr 11, 2016

I want to use TrustKit along with RestKit and I need to support SSL pinning for multiple domains that are unknown during the TrustKit initialization process (same certificate, different URLs based on tenant ID). The domain is determined dynamically based on the user's input tenant ID. Is it possible to define a generic pinning URL or to append new URLs in order to support multi-tenant architectures?

Another question is related to the pinning validation failure case. How can I handle this error if using RestKit?

@nabla-c0d3
Member

Hello,

Regarding your first question, you could either pin all the subdomains of a given domain (if your URLs are something like tenant-name.yourdomain.com) using kTSKIncludeSubdomains, or you could set the TrustKit configuration within your App only after the final tenant-specific domain has been discovered.
Once a pinning configuration is set, there is no way to change it.

For RestKit, I am not familiar with this library so I don't know exactly how error handling would work there.
Hope this helps!

@nejra
Author

nejra commented Apr 18, 2016

Thanks, I'll try this. Also, can you please tell me what's the appropriate way to generate an SPKI hash? For example, how did you manage to generate "lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=" for www.datatheorem.com? Do I need a private key for this?

@nejra
Author

nejra commented Apr 18, 2016

Another question... Is the only way to include SSL pinning with UIWebView by using NSURLSessionDataTask to ping the server and check the certificate and then loading web view data with i.e. loadRequest? I saw this in your demo project and couldn't find more examples on this topic.

@nabla-c0d3
Member

To generate the SPKI hashes, you can use the get_pin_from_certificate.py script within the repo.

For your UIWebView idea, you should not implement what you described because it would not add any security (it wouldn't be pinning). The pinning check needs to happen on every connection, otherwise an attacker could selectively target the specific (UIWebView) connections that do not do the SSL pinning check.

@nejra
Author

nejra commented Apr 18, 2016

Thanks, I had some issues with HTTP cookies leftovers, that is why I wasn't able to do SSL pinning correctly. Everything is fine now.

@nejra
Author

nejra commented Apr 19, 2016

I'm currently left with handling preview of remote documents inside a UIWebView. So far, I haven't managed to find any way to enable SSL pinning for these cases. Can I accomplish this with NSURLSessionDataTask? Sorry to bother you like this, tell me if there's a more suitable way.

@nabla-c0d3
Member

It is difficult to do pinning in a UIWebView and WKWebView provides better APIs for this. There's a specific section about that in the "Getting Started" guide (http://datatheorem.github.io/TrustKit/getting-started.html); look at "Pinning in Webviews".
Good luck!
