Domain Configuration Keys

  • A domain-specific configuration key (to be defined for a domain under the kTSKPinnedDomains key) that can be set in the pinning policy.

    Declaration

    Objective-C

    typedef NSString *TSKDomainConfigurationKey

    Swift

    typealias TSKDomainConfigurationKey = NSString
  • An array of SSL pins, where each pin is the base64-encoded SHA-256 hash of a certificate’s Subject Public Key Info.

    TrustKit will verify that at least one of the specified pins is found in the server’s evaluated certificate chain.

    Declaration

    Objective-C

    extern const TSKDomainConfigurationKey kTSKPublicKeyHashes

    Swift

    let kTSKPublicKeyHashes: String
  • A boolean. If set to NO, TrustKit will not block SSL connections that caused a pin or certificate validation error; default value is YES.

    When a pinning failure occurs, pin failure reports will always be sent to the configured report URIs regardless of the value of kTSKEnforcePinning.

    Declaration

    Objective-C

    extern const TSKDomainConfigurationKey kTSKEnforcePinning

    Swift

    let kTSKEnforcePinning: String
  • A boolean. If set to YES, also pin all the subdomains of the specified domain; default value is NO.

    Declaration

    Objective-C

    extern const TSKDomainConfigurationKey kTSKIncludeSubdomains

    Swift

    let kTSKIncludeSubdomains: String
  • A boolean. If set to YES, TrustKit will not pin this specific domain if kTSKIncludeSubdomains was set for this domain’s parent domain.

    This allows excluding specific subdomains from a pinning policy that was applied to a parent domain.

    Declaration

    Objective-C

    extern const TSKDomainConfigurationKey kTSKExcludeSubdomainFromParentPolicy

    Swift

    let kTSKExcludeSubdomainFromParentPolicy: String
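    The two keys above decide which entry under kTSKPinnedDomains applies to a given hostname. The following Swift snippet is an added, illustrative model of that lookup; it is not TrustKit's own code and uses its own DomainPolicy type and notedHostname(for:in:) function. It assumes that an exact entry always wins and that, among several parent domains with kTSKIncludeSubdomains set, the nearest parent is used (this page does not specify the order TrustKit applies when more than one parent matches). The sample policy table is constructed for the example.

    ```swift
    import Foundation

    // Illustrative model (not TrustKit's code) of resolving a hostname to a
    // kTSKPinnedDomains entry using kTSKIncludeSubdomains and
    // kTSKExcludeSubdomainFromParentPolicy.
    struct DomainPolicy {
        var includeSubdomains = false          // kTSKIncludeSubdomains
        var excludeFromParentPolicy = false    // kTSKExcludeSubdomainFromParentPolicy
    }

    /// Returns the kTSKPinnedDomains key whose policy applies to `hostname`,
    /// or nil when the host is not pinned at all.
    func notedHostname(for hostname: String, in pinnedDomains: [String: DomainPolicy]) -> String? {
        // 1. An exact entry wins. If that entry opts out of its parent's policy,
        //    the host is not pinned (the page: "will not pin this specific domain").
        if let exact = pinnedDomains[hostname] {
            return exact.excludeFromParentPolicy ? nil : hostname
        }
        // 2. Otherwise walk up the parent domains and take the nearest one that
        //    set kTSKIncludeSubdomains. (Assumption: nearest parent wins.)
        var labels = hostname.split(separator: ".").map(String.init)
        while labels.count > 1 {
            labels.removeFirst()
            let parent = labels.joined(separator: ".")
            if let policy = pinnedDomains[parent], policy.includeSubdomains {
                return parent
            }
        }
        return nil
    }

    // Constructed sample policy: pin example.com and every subdomain, but let
    // legacy.example.com (served by another CA) opt out of the parent policy.
    let samplePolicies: [String: DomainPolicy] = [
        "example.com": DomainPolicy(includeSubdomains: true),
        "legacy.example.com": DomainPolicy(excludeFromParentPolicy: true),
        "other.example.org": DomainPolicy(),   // pinned, but its subdomains are not
    ]

    // The domain itself and any subdomain inherit example.com's pins.
    assert(notedHostname(for: "example.com", in: samplePolicies) == "example.com")
    assert(notedHostname(for: "api.example.com", in: samplePolicies) == "example.com")
    // The excluded subdomain is not pinned.
    assert(notedHostname(for: "legacy.example.com", in: samplePolicies) == nil)
    // In this model the exclusion applies only to that exact host: a deeper
    // subdomain of the excluded entry still falls back to the parent policy.
    assert(notedHostname(for: "x.legacy.example.com", in: samplePolicies) == "example.com")
    // Without kTSKIncludeSubdomains, subdomains of a pinned domain are not pinned.
    assert(notedHostname(for: "www.other.example.org", in: samplePolicies) == nil)
    // Hosts outside any pinned domain are not pinned.
    assert(notedHostname(for: "example.net", in: samplePolicies) == nil)
    ```

    The last two assertions are the cases worth checking in a real policy review: a host that is silently unpinned because its parent entry lacks kTSKIncludeSubdomains, and a deeper subdomain of an excluded host that is still covered by the parent's pins.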
  • An array of URLs to which pin validation failures should be reported.

    To minimize the performance impact of sending reports on each validation failure, the reports are uploaded using the background transfer service and are also rate-limited to one per day and per type of failure. For HTTPS report URLs, the HTTPS connections will ignore the SSL pinning policy and use the default certificate validation mechanisms, in order to maximize the chance of the reports reaching the server. The format of the reports is similar to the one described in RFC 7469 for the HPKP specification:

    {
      "app-bundle-id": "com.datatheorem.testtrustkit2",
      "app-version": "1",
      "app-vendor-id": "599F9C00-92DC-4B5C-9464-7971F01F8370",
      "app-platform": "IOS",
      "app-platform-version": "10.2.0",
      "trustkit-version": "1.3.1",
      "hostname": "www.datatheorem.com",
      "port": 0,
      "noted-hostname": "datatheorem.com",
      "include-subdomains": true,
      "enforce-pinning": true,
      "validated-certificate-chain": [ pem1, … pemN ],
      "known-pins": [
        "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"",
        "pin-sha256=\"E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\""
      ],
      "validation-result": 1
    }

    Declaration

    Objective-C

    extern const TSKDomainConfigurationKey kTSKReportUris

    Swift

    let kTSKReportUris: String
  • A boolean. If set to YES, the default report URL for sending pin failure reports will be disabled; default value is NO.

    By default, pin failure reports are sent to a report server hosted by Data Theorem, for detecting potential CA compromises and man-in-the-middle attacks, as well as providing a free dashboard for developers; email info@datatheorem.com if you’d like a dashboard for your App. Only pin failure reports are sent, which contain the App’s bundle ID, the IDFV, and the server’s hostname and certificate chain that failed validation.

    Declaration

    Objective-C

    extern const TSKDomainConfigurationKey kTSKDisableDefaultReportUri

    Swift

    let kTSKDisableDefaultReportUri: String
  • A string containing the date, in yyyy-MM-dd format, on which the domain’s configured SSL pins expire, thus disabling pinning validation. If the key is not set, then the pins do not expire.

    Expiration helps prevent connectivity issues in Apps which do not get updates to their pin set, such as when the user disables App updates.

    Declaration

    Objective-C

    extern const TSKDomainConfigurationKey kTSKExpirationDate

    Swift

    let kTSKExpirationDate: String
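    The following Swift snippet is an added example (not code from TrustKit's own documentation) that puts every domain configuration key on this page into one pinning policy, initializes TrustKit with it, and hands server trust challenges to the validator from a URLSessionDelegate. It assumes the TrustKit APIs TrustKit.initSharedInstance(withConfiguration:), TrustKit.sharedInstance().pinningValidator and its handle(_:completionHandler:) method, and the top-level key kTSKSwizzleNetworkDelegates, none of which are documented on this page. The domain names and the report URL are hypothetical; the two pin values are the example pins from the sample report above and must be replaced with the SPKI hashes of your own certificates.

    ```swift
    import Foundation
    import TrustKit

    // Assumed pinning policy for an app that talks to example.com and its subdomains.
    // Pin values below are the two example pins from this page's sample report,
    // not pins for any real example.com deployment.
    let trustKitConfig: [String: Any] = [
        // We wire the validator into our own delegate below, so no swizzling is needed.
        kTSKSwizzleNetworkDelegates: false,
        kTSKPinnedDomains: [
            "example.com": [
                kTSKPublicKeyHashes: [
                    "d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=",
                    "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="   // backup pin
                ],
                kTSKEnforcePinning: true,           // block connections that fail pin validation
                kTSKIncludeSubdomains: true,        // api.example.com, cdn.example.com, ... inherit this
                kTSKExpirationDate: "2026-12-31",   // yyyy-MM-dd; pins stop being enforced after this date
                kTSKReportUris: ["https://pin-reports.example.com/report"],  // hypothetical collector
                kTSKDisableDefaultReportUri: true   // do not also send reports to the Data Theorem server
            ],
            "legacy.example.com": [
                // Served by a different CA: opt this host out of the parent domain's pins.
                kTSKExcludeSubdomainFromParentPolicy: true
            ]
        ]
    ]

    // Initialize the shared instance once, e.g. in application(_:didFinishLaunchingWithOptions:).
    TrustKit.initSharedInstance(withConfiguration: trustKitConfig)

    // Route server trust challenges through TrustKit. For pinned hosts the validator
    // answers the challenge itself (and sends a report on failure); for unpinned
    // hosts it returns false and we fall back to the system's default validation.
    final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
        func urlSession(_ session: URLSession,
                        didReceive challenge: URLAuthenticationChallenge,
                        completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
            let validator = TrustKit.sharedInstance().pinningValidator
            if !validator.handle(challenge, completionHandler: completionHandler) {
                completionHandler(.performDefaultHandling, nil)
            }
        }
    }

    let session = URLSession(configuration: .default,
                             delegate: PinnedSessionDelegate(),
                             delegateQueue: nil)
    let task = session.dataTask(with: URL(string: "https://api.example.com/")!) { _, response, error in
        // With kTSKEnforcePinning set to true, a pin mismatch surfaces here as an error
        // (the connection is cancelled); with it set to false the request succeeds and
        // only a report is sent.
        print(error.map { "request failed: \($0)" } ?? "status: \((response as? HTTPURLResponse)?.statusCode ?? -1)")
    }
    task.resume()
    ```

    To produce the kTSKPublicKeyHashes values for your own certificates, hash the DER-encoded Subject Public Key Info and base64-encode it, for example with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`. Always configure at least one backup pin for a key that is not yet deployed, so that a key rotation or CA change does not lock users out before the app can be updated; the kTSKExpirationDate entry is the second safety net for apps that never receive that update.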