Solution for NSIncludesSubdomains to support multiple subdomains like wang.greenhub.example.org ?

Apple team, I tried to implement SSL pinning in iOS through Info.plist using Pinned Domains identity pinning, as found in the official Apple article "How to configure server certificates for your app" (https://developer.apple.com/news/?id=g9ejcf8y). As of now I have made the following changes, something similar to this, in Info.plist:

And in code I have used a simple URLSession as shown:

// Build the request URL; bail out if the string is malformed.
guard let imageUrl = URL(string: "https://wang.greenhub.example.org/sites/......./logo.png") else {
    return
}

// URL session that doesn't cache.
let urlSession = URLSession(configuration: URLSessionConfiguration.ephemeral)

let task = urlSession.dataTask(with: imageUrl) { imageData, response, error in
    DispatchQueue.main.async {
        // Handle client errors (a failed TLS/pin check arrives here as an error, with no response)
        if let error = error {
            self.HandleClientConnectionError(error: error)
            return
        }

        // Handle server errors (non-2xx status codes)
        guard let httpResponse = response as? HTTPURLResponse,
              (200...299).contains(httpResponse.statusCode) else {
            self.HandleServerError(response: response!)
            return
        }

        self.AddImageToView(imageData: imageData!)
    }
}

task.resume()

FYI, we have an API with multiple subdomains, and the NSIncludesSubdomains documentation here says:

it doesn’t apply to the subdomains advanced.math.example.com or ancient.history.example.com because those subdomains have two additional path components.

Also, it prohibits the use of wildcards, so even if I tried to use *.example.org, overall the SSL pinning does not seem to work in a multiple-subdomain scenario like mine, even if I replace the SHA256-BASE64 pin with wrong ones.

Can anyone from Apple suggest a solution for this, or tell us how we can use NSIncludesSubdomains to find a solution for pinning against multiple subdomains?

Answered by Systems Engineer in 711933022

Can anyone from Apple suggest a solution for this, or tell us how we can use NSIncludesSubdomains to find a solution for pinning against multiple subdomains?

I would recommend one of two routes here: if each certificate is issued from the same CA, then try to pin against the CA. If this is not the case, then I would recommend pinning against the certificate for each domain, even though it inherits from the same top-level domain.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Thanks Matt Eaton @meaton, I have the following queries on these:

A) Does SSL pinning using NSIncludesSubdomains support multiple subdomains like wang.greenhub.example.org in any other way? Because as per the official documents:

it doesn’t apply to the subdomains advanced.math.example.com or ancient.history.example.com because those subdomains have two additional path components.

Is Apple planning to work on this in the future, or is there some way to make NSIncludesSubdomains work with multiple subdomains? I tried using the wildcard *.example.org but it does not seem to work.

B) Also, in such a case of multiple subdomains, do we need to move back to traditional certificate pinning? AFAIK this method is dependent on the certificate expiry date, i.e. on each certificate expiry we must upload a new build to the App Store with the new certificate.

Please kindly reply

Thanks and regards, Alex

Accepted Answer

A) Does SSL pinning using NSIncludesSubdomains support multiple subdomains like wang.greenhub.example.org in any other way? Because as per the official documents:

As mentioned, if they are issued from the same CA, pin to the CA.

Regarding:

Is Apple planning to work on this in the future, or is there some way to make NSIncludesSubdomains work with multiple subdomains? I tried using the wildcard *.example.org but it does not seem to work.

Each subdomain, I'm presuming, contains a different leaf identity, so how would this work? If you have different public keys at each subdomain, you cannot hash them to one parent-domain hash. That simply would not work. The way to do this is by using the CA, if all subdomains are issuing a leaf from the same CA.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
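As an added example, not code from the thread or from Apple: an Info.plist fragment implementing the accepted answer's CA-pinning route. All pin values and the host legacy.example.net are placeholders; the second entry follows from the documentation quoted above, since NSIncludesSubdomains only reaches one label below its key.

```xml
<!-- Added example (not from the thread). Pin values are placeholders; compute
     real SPKI hashes from your CA/leaf certificates as the Apple article describes. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSPinnedDomains</key>
    <dict>
        <!-- Covers example.org and one label below it (e.g. api.example.org),
             but NOT wang.greenhub.example.org, per the quoted documentation. -->
        <key>example.org</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSPinnedCAIdentities</key>
            <array>
                <dict>
                    <key>SPKI-SHA256-BASE64</key>
                    <string>PLACEHOLDER_CA_SPKI_SHA256_BASE64=</string>
                </dict>
            </array>
        </dict>
        <!-- Second entry one label deeper: covers greenhub.example.org and
             wang.greenhub.example.org with the same CA pin, so no per-host
             leaf hashes are needed while every host is issued by that CA. -->
        <key>greenhub.example.org</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSPinnedCAIdentities</key>
            <array>
                <dict>
                    <key>SPKI-SHA256-BASE64</key>
                    <string>PLACEHOLDER_CA_SPKI_SHA256_BASE64=</string>
                </dict>
            </array>
        </dict>
        <!-- Route 2 for a host not issued by that CA: pin its leaf key.
             A leaf pin must be updated whenever that certificate is rotated. -->
        <key>legacy.example.net</key>
        <dict>
            <key>NSPinnedLeafIdentities</key>
            <array>
                <dict>
                    <key>SPKI-SHA256-BASE64</key>
                    <string>PLACEHOLDER_LEAF_SPKI_SHA256_BASE64=</string>
                </dict>
            </array>
        </dict>
    </dict>
</dict>
```

Pinning here is an additional check on top of normal system trust evaluation, so a wrong pin fails the connection even when the chain is otherwise valid.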