public class TrustKit
extends java.lang.Object
It should be used to initialize the App's SSL pinning policy and to retrieve the
corresponding SSLSocketFactory
and X509TrustManager
, to be used to add SSL
pinning validation to the App's network connections.
TrustKit works by extending the Android N Network Security Configuration in two ways:
On devices before Android N, TrustKit supports the following XML tags defined in the Android N Network Security Configuration for deploying SSL pinning:
<domain-config>
.<domain>
and the includeSubdomains
attribute.<pin-set>
and the expiration
attribute.<pin>
and the digest
attribute.<debug-overrides>
.<trust-anchors>
, but only within a <debug-overrides>
tag. Hence, custom
trust anchors for specific domains cannot be set.<certificates>
and the overridePins
and src
attributes. Only raw
certificate files are supported for the src
attribute (user
and
system
values will be ignored).On Android N devices, the OS' implementation is used and all XML tags are supported.
TrustKit provides additional functionality to not enforce pinning validation and to allow reports to be sent by the App whenever a pinning validation failure occurred.
<trustkit-config>
The main tag for specifying additional TrustKit settings, to be defined within a
<domain-config>
entry. It supports the following attributes:
enforcePinning
: if set to false
, TrustKit will not block SSL
connections that caused a pinning validation error; default value is false
. When
a pinning failure occurs, pin failure reports will always be sent to the configured
report URIs regardless of the value of enforcePinning
. This behavior allows
deploying pinning validation without the risk of locking out users due to a
misconfiguration, while still receiving reports in order to assess how many users would
be affected by pinning.disableDefaultReportUri
: if set to true
, the default report URL for
sending pin failure reports will be disabled; default value is false
. By default,
pin failure reports are sent to a report server hosted by Data Theorem, for detecting
potential CA compromises and man-in-the-middle attacks, as well as providing a free
dashboard for developers; email
info@datatheorem.com if you'd like a dashboard
for your App. Only pin failure reports are sent, which contain the App's package name,
a randomly-generated ID, and the server's hostname and certificate chain that failed
validation.<report-uri>
<trustkit-config>
tag. The format of the reports is similar to the one described in
RFC 7469 for the HPKP
specification. A sample TrustKit report is available
in the project's repository
.
The following configuration will pin the www.datatheorem.com domain without enforcing pinning validation, and will send pinning failure reports to report.datatheorem.com. It also defines a debug overrides to add a debug certificate authority to the App's trust store for easier debugging of the App's network traffic.
<!-- res/xml/network_security_config.xml -->
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<!-- Pin the domain www.datatheorem.com -->
<!-- Official Android N API -->
<domain-config>
<domain>www.datatheorem.com</domain>
<pin-set>
<pin digest="SHA-256">k3XnEYQCK79AtL9GYnT/nyhsabas03V+bhRQYHQbpXU=</pin>
<pin digest="SHA-256">2kOi4HdYYsvTR1sTIR7RHwlf2SescTrpza9ZrWy7poQ=</pin>
</pin-set>
<!-- TrustKit Android API -->
<!-- Do not enforce pinning validation -->
<trustkit-config enforcePinning="false">
<!-- Add a reporting URL for pin validation reports -->
<report-uri>http://report.datatheorem.com/log_report</report-uri>
</trustkit-config>
</domain-config>
<debug-overrides>
<trust-anchors>
<!-- For debugging purposes, add a debug CA and override pins -->
<certificates overridePins="true" src="@raw/debugca" />
</trust-anchors>
</debug-overrides>
</network-security-config>
Modifier and Type | Method and Description |
---|---|
com.datatheorem.android.trustkit.config.TrustKitConfiguration |
getConfiguration()
Retrieve the current TrustKit configuration.
|
static TrustKit |
getInstance()
Retrieve the initialized instance of TrustKit.
|
javax.net.ssl.SSLSocketFactory |
getSSLSocketFactory(java.lang.String serverHostname)
Retrieve an
SSLSSocketFactory that implements SSL pinning validation based on the
current TrustKit configuration for the specified serverHostname. |
javax.net.ssl.X509TrustManager |
getTrustManager(java.lang.String serverHostname)
Retrieve an
X509TrustManager that implements SSL pinning validation based on the
current TrustKit configuration for the supplied hostname. |
static TrustKit |
initializeWithNetworkSecurityConfiguration(android.content.Context context)
Initialize TrustKit with the Network Security Configuration file at the default location
res/xml/network_security_config.xml.
|
static TrustKit |
initializeWithNetworkSecurityConfiguration(android.content.Context context,
int configurationResourceId)
Initialize TrustKit with the Network Security Configuration file with the specified
resource ID.
|
@NonNull public static TrustKit initializeWithNetworkSecurityConfiguration(@NonNull android.content.Context context)
context
- the application's context.com.datatheorem.android.trustkit.config.ConfigurationException
- if the policy could not be parsed or contained errors.@NonNull public static TrustKit initializeWithNetworkSecurityConfiguration(@NonNull android.content.Context context, int configurationResourceId)
context
- the application's context.configurationResourceId
- the resource ID for the Network Security Configuration file to
use.com.datatheorem.android.trustkit.config.ConfigurationException
- if the policy could not be parsed or contained errors.@NonNull public static TrustKit getInstance()
java.lang.IllegalStateException
- if TrustKit has not been initialized.@NonNull public com.datatheorem.android.trustkit.config.TrustKitConfiguration getConfiguration()
@NonNull public javax.net.ssl.SSLSocketFactory getSSLSocketFactory(@NonNull java.lang.String serverHostname)
SSLSSocketFactory
that implements SSL pinning validation based on the
current TrustKit configuration for the specified serverHostname. It can be used with most
network APIs (such as HttpsUrlConnection
) to add SSL pinning validation to the
connections.
The SSLSocketFactory
is configured for the supplied serverHostname, and will
enforce this domain's pinning policy even if a redirection to a different domain occurs
during the connection. Hence validation will always fail in the case of a redirection to
a different domain.
However, pinning validation is only meant to be used on the App's API server(s), and
redirections to other domains should not happen in this scenario.
serverHostname
- the server's hostname that the SSLSocketFactory
will be used to
connect to. This hostname will be used to retrieve the pinning policy
from the current TrustKit configuration.@NonNull public javax.net.ssl.X509TrustManager getTrustManager(@NonNull java.lang.String serverHostname)
X509TrustManager
that implements SSL pinning validation based on the
current TrustKit configuration for the supplied hostname. It can be used with some network
APIs that let developers supply a trust manager to customize SSL validation.
The X509TrustManager
is configured for the supplied serverHostname, and will
enforce this domain's pinning policy even if a redirection to a different domain occurs
during the connection. Hence validation will always fail in the case of a redirection to
a different domain.
However, pinning validation is only meant to be used on the App's API server(s), and
redirections to other domains should not happen in this scenario.
serverHostname
- the server's hostname that the X509TrustManager
will be used to
connect to. This hostname will be used to retrieve the pinning policy
from the current TrustKit configuration.