Initializing TrustKit
-
`TrustKit` is the main class for configuring an SSL pinning policy within an App.

For most Apps, TrustKit should be used as a singleton, where a global SSL pinning policy is configured for the App. In singleton mode, the policy can be set either:

- By adding it to the App’s Info.plist under the `TSKConfiguration` key, or
- By programmatically supplying it using the `+initSharedInstanceWithConfiguration:` method.

In singleton mode, TrustKit can only be initialized once so only one of the two techniques should be used.

For more complex Apps where multiple SSL pinning policies need to be used independently (for example within different frameworks), TrustKit can be used in multi-instance mode by leveraging the `-initWithConfiguration:` method described at the end of this page.

A TrustKit pinning policy is a dictionary which contains some global, App-wide settings (of type `TSKGlobalConfigurationKey`) as well as domain-specific configuration keys (of type `TSKDomainConfigurationKey`) to be defined under the `kTSKPinnedDomains` entry. The following table shows the keys and the types of the corresponding values, and uses indentation to indicate structure:

| Key                                          | Type       |
|----------------------------------------------|------------|
| TSKSwizzleNetworkDelegates                   | Boolean    |
| TSKIgnorePinningForUserDefinedTrustAnchors   | Boolean    |
| TSKPinnedDomains                             | Dictionary |
| __ <domain-name-to-pin-as-string>            | Dictionary |
| ____ TSKPublicKeyHashes                      | Array      |
| ____ TSKIncludeSubdomains                    | Boolean    |
| ____ TSKExcludeSubdomainFromParentPolicy     | Boolean    |
| ____ TSKEnforcePinning                       | Boolean    |
| ____ TSKReportUris                           | Array      |
| ____ TSKDisableDefaultReportUri              | Boolean    |

When setting the pinning policy programmatically, it has to be supplied to the `initSharedInstanceWithConfiguration:` method as a dictionary in order to initialize TrustKit. For example:

```objc
NSDictionary *trustKitConfig =
@{
  kTSKPinnedDomains : @{
      @"www.datatheorem.com" : @{
          kTSKExpirationDate: @"2017-12-01",
          kTSKPublicKeyHashes : @[
              @"HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY=",
              @"0SDf3cRToyZJaMsoS17oF72VMavLxj/N7WBNasNuiR8="
          ],
          // Report-only: pin validation failures do not block the connection
          kTSKEnforcePinning : @NO,
          kTSKReportUris : @[@"http://report.datatheorem.com/log_report"],
      },
      @"yahoo.com" : @{
          kTSKPublicKeyHashes : @[
              @"TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
              @"rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE=",
          ],
          // The pins also apply to subdomains of yahoo.com
          kTSKIncludeSubdomains : @YES
      }
  }};

// The singleton can only be initialized once
[TrustKit initSharedInstanceWithConfiguration:trustKitConfig];
trustKit = [TrustKit sharedInstance];
```

Similarly, the TrustKit singleton can be initialized in Swift:

```swift
let trustKitConfig = [
    kTSKSwizzleNetworkDelegates: false,
    kTSKPinnedDomains: [
        "yahoo.com": [
            kTSKExpirationDate: "2017-12-01",
            kTSKPublicKeyHashes: [
                "JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg=",
                "WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="
            ],
        ]
    ]
] as [String : Any]

TrustKit.initSharedInstance(withConfiguration: trustKitConfig)
```

After initialization, the `TrustKit` instance’s `pinningValidator` should be used to implement pinning validation within the App’s network authentication handlers.

Declaration

Objective-C

```objc
@interface TrustKit : NSObject
```

Swift

```swift
class TrustKit : NSObject
```
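
The manual wiring described above, as an added example that is not taken from the TrustKit project: with `kTSKSwizzleNetworkDelegates` disabled, a `URLSessionDelegate` hands each authentication challenge to the shared instance's `pinningValidator`. The class name `PinnedSessionDelegate` is hypothetical, and the domain and hashes are reused from the Swift configuration on this page.

```swift
import Foundation
import TrustKit

// Policy reused from the page's Swift example (domain and hashes are the page's values).
// Swizzling is off, so pin validation has to be called from the delegate below.
let trustKitConfig = [
    kTSKSwizzleNetworkDelegates: false,
    kTSKPinnedDomains: [
        "yahoo.com": [
            kTSKPublicKeyHashes: [
                "JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg=",
                "WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="
            ],
        ]
    ]
] as [String : Any]

// Singleton mode: call this once, early in App start-up.
TrustKit.initSharedInstance(withConfiguration: trustKitConfig)

// Hypothetical delegate class: the App's network authentication handler.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        let validator = TrustKit.sharedInstance().pinningValidator

        // handle(_:completionHandler:) returns true when the challenge was a
        // server-trust challenge; the validator then evaluates the chain against
        // the policy and invokes completionHandler itself.
        if !validator.handle(challenge, completionHandler: completionHandler) {
            // Any other challenge type (for example HTTP basic or client
            // certificate) is not a pinning decision: use system handling.
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// Every request sent through this session goes through the delegate above.
let session = URLSession(configuration: .ephemeral,
                         delegate: PinnedSessionDelegate(),
                         delegateQueue: nil)
```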