Solution for NSIncludesSubdomains to support multiple subdomains like wang.greenhub.example.org ?

Apple team I tried to implement the ssl pinning in iOS through info.plist using Pinned Domains Identity Pinning as found in the official apple blog: How to configure server certificates for your app https://developer.apple.com/news/?id=g9ejcf8y%C2%A0news. As of now i have done the following changes something similar in info.plist :

And in code i have used simple URLSession as shown:

  "https://wang.greenhub.example.org/sites/......./logo.png") else {
    return
}
        
// URL session that doesn't cache.
let urlSession = URLSession(configuration: URLSessionConfiguration.ephemeral)
        
let task = urlSession.dataTask(with: imageUrl) { imageData, response, error in
    DispatchQueue.main.async {
        // Handle client errors
        if let error = error {
           self.HandleClientConnectionError(error: error)
           return
        }
                
        // Handle server errors
        guard let httpResponse = response as? HTTPURLResponse,
              (200...299).contains(httpResponse.statusCode) else {
            self.HandleServerError(response: response!)
        return
        }
                
        self.AddImageToView(imageData: imageData!)
    }
}
        
task.resume()

FYI we have api with multiple subdomains and thus according to the

NSIncludesSubdomains documentation here says:

it doesn’t apply to the subdomains advanced.math.example.com or ancient.history.example.com because those subdomains have two additional path components.

Also it prohibits the use of wild cards so even if i tried to use *.example.org overall the SSL pinning does not seems to work in case of multiple subdomains scenario like mine even if i replace the SHA256-BASE64 pin with wrong ones.

Can anyone from apple suggest a solution for this or tell how can we use NSIncludesSubdomains find a solution for pinning against multiple subdomains

Up vote post of AlexBingo Down vote post of AlexBingo
295 views
Posted by
AlexBingo
Reply
Add a Comment

Accepted Reply

A) Does SSL pinning using NSIncludesSubdomains support multiple subdomains like wang.greenhub.example.org by any other way, because as per official documents

As mentioned, if they are issued from the same CA, pin to the CA.

Regarding:

Is Apple planning to work on this in future or some way is there to make NSIncludesSubdomains work with multiple subdomains? I tried using wildcard *.example.org but it does not seem to work

Each subdomain I'm presuming contains a different leaf identity, so how would this work? If you have different public keys at each subdomain you cannot hash them to one parent domain hash. That simply would not work. The way to do this is by using the CA if all subdomains are issuing a leaf from the same CA.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Post marked as solved
Add a Comment

Replies

Can anyone from apple suggest a solution for this or tell how can we use NSIncludesSubdomains find a solution for pinning against multiple subdomains

I would recommend one of two routes here, if each certificate is issued from the same CA then try to pin against the CA. If this is not the case then I would recommend pinning against the certificate for each domain even though it inherits from the same top level domain.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Posted by
meaton
Post not yet marked as solved Up vote reply of meaton Down vote reply of meaton

  • Thanks @meaton So basically it means i must follow up with traditional certificate pinning rather than this info.plist methodology of SSL pinning?

    AlexBingo
Add a Comment

Thanks Mark Eaton @meaton, I have the following queries on these

A) Does SSL pinning using NSIncludesSubdomains support multiple subdomains like wang.greenhub.example.org by any other way, because as per official documents

it doesn’t apply to the subdomains advanced.math.example.com or ancient.history.example.com because those subdomains have two additional path components.

Is Apple planning to work on this in future or some way is there to make NSIncludesSubdomains work with multiple subdomains? I tried using wildcard *.example.org but it does not seem to work

B) And also in such case of multiple subdomains do we need to move back for traditional certificate pinning but AFAIK this method is dependent on certificate expiry date i.e on each certificate expiry we must upload a new build to AppStore with new certificate.

Please kindly reply

Thanks and regards, Alex

Posted by
AlexBingo
Up vote reply of AlexBingo Down vote reply of AlexBingo
Add a Comment

A) Does SSL pinning using NSIncludesSubdomains support multiple subdomains like wang.greenhub.example.org by any other way, because as per official documents

As mentioned, if they are issued from the same CA, pin to the CA.

Regarding:

Is Apple planning to work on this in future or some way is there to make NSIncludesSubdomains work with multiple subdomains? I tried using wildcard *.example.org but it does not seem to work

Each subdomain I'm presuming contains a different leaf identity, so how would this work? If you have different public keys at each subdomain you cannot hash them to one parent domain hash. That simply would not work. The way to do this is by using the CA if all subdomains are issuing a leaf from the same CA.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Post marked as solved
Add a Comment