Go to file
Amos Joshua e3a11e01d9 lower deployment versions, fix misc warnings 2023-04-27 14:39:49 +02:00
TrustKit lower deployment versions, fix misc warnings 2023-04-27 14:39:49 +02:00
TrustKit.xcodeproj restore iOS 12, tvOS 12, watchOS 4, macOS 10.13 support 2023-04-03 10:04:31 +02:00
TrustKitDemo bump version, update podspec, update Xcode demo app 2023-03-15 16:30:47 +01:00
TrustKitTests enable multipath service type handover on iOS for all NSURLSessions 2023-03-31 11:11:52 +02:00
docs Add Swift Package Manager to the installation instructions 2020-09-13 14:07:54 +02:00
.gitignore Fix framework to package /Modules files when built 2020-06-09 12:08:41 -04:00
.gitmodules Remove fishhook as a submodule 2015-06-06 11:54:08 -07:00
.jazzy.yaml Remove public key algorithm constants from the documentation 2018-07-09 12:48:16 -07:00
ATTRIBUTIONS remove references to thirdparty lib "fishhook" as it appears unused at this pooint 2015-10-18 13:58:10 -04:00
AUTHORS Tweak authors file 2015-08-02 12:31:26 -07:00
LICENSE Add license and attributions files 2015-05-21 16:58:22 +02:00
Package.swift restore earlier OS versions in package manager 2023-04-05 16:59:14 +02:00
README.md restore iOS 12, tvOS 12, watchOS 4, macOS 10.13 support 2023-04-03 10:04:31 +02:00
TrustKit.podspec lower deployment versions, fix misc warnings 2023-04-27 14:39:49 +02:00
generate_test_certificates.py Add script for generating test certificates 2019-11-05 15:44:45 -08:00
get_pin_from_certificate.py Remove key algorithm constants from script and add support for Python 3 2018-07-09 12:48:48 -07:00

README.md

TrustKit

Build Status Carthage compatible Version Status Platform License MIT Gitter chat

TrustKit is an open source framework that makes it easy to deploy SSL public key pinning and reporting in any iOS 12+, macOS 10.13+, tvOS 12+ or watchOS 4+ App; it supports both Swift and Objective-C Apps.

If you need SSL pinning/reporting in your Android App. we have also released TrustKit for Android at https://github.com/datatheorem/TrustKit-Android.

Overview

TrustKit provides the following features:

  • Simple API to configure an SSL pinning policy and enforce it within an App. The policy settings are heavily based on the HTTP Public Key Pinning specification.
  • Sane implementation by pinning the certificate's Subject Public Key Info, as opposed to the certificate itself or the public key bits.
  • Reporting mechanism to notify a server about pinning validation failures happening within the App, when an unexpected certificate chain is detected. This is similar to the report-uri directive described in the HPKP specification. The reporting mechanism can also be customized within the App by leveraging pin validation notifications sent by TrustKit.
  • Auto-pinning functionality by swizzling the App's NSURLConnection and NSURLSession delegates in order to automatically add pinning validation to the App's HTTPS connections; this allows deploying TrustKit without even modifying the App's source code.

Getting Started

Sample Usage

Deploying SSL pinning in the App requires initializing TrustKit with a pinning policy (domains, Subject Public Key Info hashes, and additional settings).

The policy can be configured within the App's Info.plist:

Info.plist policy

Alternatively, the pinning policy can be set programmatically:

    NSDictionary *trustKitConfig =
  @{
    kTSKSwizzleNetworkDelegates: @NO,
    kTSKPinnedDomains : @{
            @"www.datatheorem.com" : @{
                    kTSKExpirationDate: @"2017-12-01",
                    kTSKPublicKeyHashes : @[
                            @"HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY=",
                            @"0SDf3cRToyZJaMsoS17oF72VMavLxj/N7WBNasNuiR8="
                            ],
                    kTSKEnforcePinning : @NO,
                    },
            @"yahoo.com" : @{
                    kTSKPublicKeyHashes : @[
                            @"TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
                            @"rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE=",
                            ],
                    kTSKIncludeSubdomains : @YES
                    }
            }};
    
    [TrustKit initSharedInstanceWithConfiguration:trustKitConfig];

The policy can also be set programmatically in Swift Apps:

        let trustKitConfig = [
            kTSKSwizzleNetworkDelegates: false,
            kTSKPinnedDomains: [
                "yahoo.com": [
                    kTSKExpirationDate: "2017-12-01",
                    kTSKPublicKeyHashes: [
                        "JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg=",
                        "WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="
                    ],]]] as [String : Any]
        
        TrustKit.initSharedInstance(withConfiguration:trustKitConfig)

After TrustKit has been initialized, a TSKPinningValidator instance can be retrieved from the TrustKit singleton, and can be used to perform SSL pinning validation in the App's network delegates. For example in an NSURLSessionDelegate:

- (void)URLSession:(NSURLSession *)session 
              task:(NSURLSessionTask *)task 
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge 
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler {
{
    TSKPinningValidator *pinningValidator = [[TrustKit sharedInstance] pinningValidator];
    // Pass the authentication challenge to the validator; if the validation fails, the connection will be blocked
    if (![pinningValidator handleChallenge:challenge completionHandler:completionHandler])
    {
        // TrustKit did not handle this challenge: perhaps it was not for server trust
        // or the domain was not pinned. Fall back to the default behavior
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
    }
}

For more information, see the Getting Started guide.

Credits

TrustKit is a joint-effort between the mobile teams at Data Theorem and Yahoo. See AUTHORS for details.

License

TrustKit is released under the MIT license. See LICENSE for details.