Disable pinning for specific subdomains? #88

Closed
omerlh opened this issue Jan 26, 2017 · 5 comments · Fixed by #91

@omerlh
Contributor

omerlh commented Jan 26, 2017

Hey,
I want to enable pinning for all of our domain, but disable it for a specific subdomain. So I tried it with something like this:

```swift
let trustConfig: [String: Any] = [
    kTSKSwizzleNetworkDelegates: true,
    kTSKPinnedDomains: [
        "mydomain.com": [
            kTSKEnforcePinning: true,
            kTSKPublicKeyAlgorithms: [kTSKAlgorithmRsa2048],
            kTSKPublicKeyHashes: [],
            kTSKIncludeSubdomains: true
        ],
        "dontpin.mydomain.com": [
            kTSKEnforcePinning: false,
            kTSKPublicKeyAlgorithms: [kTSKAlgorithmRsa2048],
            kTSKPublicKeyHashes: []
        ]
    ]
]
```

Is this the only way? I had to set `kTSKPublicKeyAlgorithms` and `kTSKPublicKeyHashes` although I want to disable pinning, as they are mandatory.

Thanks,
Omer

@adamkaplan
Contributor

That will work, but clearly it is not ideal from a syntactic or logical perspective. Perhaps the two keys should be optional if 'enforce' is false?

@nabla-c0d3
Member

Yeah, right now there is no clean way to do what you're trying to do. I am thinking about adding the option to not pin a domain (nor specify pins) but still get the reports.

@omerlh
Contributor Author

omerlh commented Jan 29, 2017

I am not sure that in such a case I would be interested in the reports. Anyway, if that helps, I might be able to create a PR that will enforce those keys if pinning is disabled.

@nabla-c0d3
Member

What prevents you from listing the domains you want to pin (instead of the other way around)?

@omerlh
Contributor Author

omerlh commented Jan 29, 2017

We have one endpoint in our domain that is served by Cloudflare, and all other domains (>20) are served from our servers. So it is easier (especially looking forward) to disable pinning for that domain, and not enabling it for all of the other domains.
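
An added example, not part of the thread and not TrustKit's own code: a small audit that reports which hosts end up pinned under the configuration from the first post. `DomainPolicy`, `resolvePolicy(for:in:)` and the host list are hypothetical, and the lookup rule (an exact entry wins, otherwise the longest parent that includes subdomains) is an assumption modelled on the behaviour confirmed above.

```swift
// Hypothetical model of one pinned-domain entry (not a TrustKit type).
struct DomainPolicy {
    let enforcePinning: Bool
    let includeSubdomains: Bool
}

// Constructed sample mirroring the configuration posted in the issue.
let pinnedDomains: [String: DomainPolicy] = [
    "mydomain.com": DomainPolicy(enforcePinning: true, includeSubdomains: true),
    "dontpin.mydomain.com": DomainPolicy(enforcePinning: false, includeSubdomains: false),
]

// Assumed lookup rule: an exact entry wins; otherwise the longest parent
// domain that includes subdomains applies; otherwise there is no policy.
func resolvePolicy(for host: String,
                   in config: [String: DomainPolicy]) -> (domain: String, policy: DomainPolicy)? {
    let name = host.lowercased()
    if let exact = config[name] {
        return (name, exact)
    }
    // Walk up one DNS label at a time so matching happens on label
    // boundaries ("evilmydomain.com" must not match "mydomain.com").
    var labels = name.split(separator: ".").map(String.init)
    while labels.count > 2 {          // never test a bare TLD
        labels.removeFirst()
        let parent = labels.joined(separator: ".")
        if let inherited = config[parent], inherited.includeSubdomains {
            return (parent, inherited)
        }
    }
    return nil
}

// Constructed list of hosts the app is expected to contact.
let hosts = ["api.mydomain.com", "dontpin.mydomain.com",
             "a.dontpin.mydomain.com", "evilmydomain.com"]

for host in hosts {
    if let match = resolvePolicy(for: host, in: pinnedDomains) {
        let state = match.policy.enforcePinning ? "pinned" : "NOT pinned"
        print("\(host): \(state) (policy from \(match.domain))")
    } else {
        print("\(host): NOT pinned (no policy)")
    }
}
```

Running a check like this over the full list of production hosts makes every unpinned exception explicit, so an opt-out entry such as the Cloudflare-served subdomain stays a reviewed decision rather than a silent gap.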
