Alamofire: Any way to pin using the SHA256 hash?

Created on 23 Jan 2017  ·  6 Comments  ·  Source: Alamofire/Alamofire

I am able to pin using the certificates, but I also get the public key hash from an api call. Is there any way I can use that for pinning? (Ex. Convert the string to a certificate and then pin using that certificate)

Labels: question, security


All 6 comments

This doesn't seem like a good idea, as any API call you make before pinning the public key could be intercepted and a malicious hash returned.

I will start getting the string once the existing in-app certificates near expiry. The key is meant as a backup. In short, the existing pinning is with certificates, but once they near expiry, the backend will start sending me a backup key, which I will then pin.

Should I be able to use TrustKit with Alamofire? Since TrustKit allows SHA256 pinning, I can pin using TrustKit and then use the default SessionManager from Alamofire to make the request. Any thoughts?

I got the web service response changed from a SHA256 to a String. I was then able to convert it to a certificate and save for later pinning use. You can close this question.

I'd be very careful here @sagarpatkar with this type of approach as @jshier mentioned. Accepting new certificates from the server to use for future request pinning is a pretty big security risk, even when cert pinning that original request.

With that said, you should be able to use TrustKit with Alamofire if you override the challenge closure and evaluate the certificate chain using TrustKit. This would allow you to evaluate the cert chain returned by the server against an HPKP pre-generated hash even though we don't directly support that in Alamofire.

Cheers. 🍻
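For anyone who lands here wanting the TrustKit route described in the comment above, here is what the challenge-closure override looks like in practice. This is an added example, not code from this thread, from Alamofire or from TrustKit. It assumes Alamofire 4's `SessionManager` and the TrustKit 1.5+ `pinningValidator` API; the host `api.example.com` and the two hashes are placeholders, not real pins.

```swift
import Alamofire
import TrustKit

// Added example (not from the thread or either project): pin by SPKI SHA-256 hashes
// via TrustKit, and let Alamofire 4's SessionManager defer the TLS challenge to it.
// Hostname and hashes are placeholders, not real pins.
let trustKitConfig: [String: Any] = [
    kTSKSwizzleNetworkDelegates: false,   // we call TrustKit explicitly from the Alamofire closure
    kTSKPinnedDomains: [
        "api.example.com": [
            kTSKEnforcePinning: true,
            kTSKIncludeSubdomains: true,
            kTSKPublicKeyAlgorithms: [kTSKAlgorithmRsa2048],
            // Base64 of SHA-256 over the DER SubjectPublicKeyInfo. TrustKit insists on at
            // least two pins (live key plus a backup key generated offline), which is the
            // sanctioned way to survive key rotation without fetching pins from the server.
            kTSKPublicKeyHashes: [
                "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",  // placeholder: current key
                "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=",  // placeholder: offline backup key
            ],
        ],
    ],
]
TrustKit.initSharedInstance(withConfiguration: trustKitConfig)

// Keep a strong reference to the manager for the lifetime of your requests;
// a deallocated SessionManager cancels its tasks.
let sessionManager = SessionManager()

// Alamofire 4 exposes the session-level auth challenge as a closure on its delegate.
// Setting it replaces Alamofire's own ServerTrustPolicy evaluation for this session.
sessionManager.delegate.sessionDidReceiveChallenge = { _, challenge in
    guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
          let serverTrust = challenge.protectionSpace.serverTrust else {
        // Not a server-trust challenge (e.g. HTTP auth): leave it to URLSession.
        return (.performDefaultHandling, nil)
    }
    let host = challenge.protectionSpace.host
    // TrustKit performs normal chain validation first, then checks that some
    // certificate in the validated chain matches one of the configured SPKI hashes.
    switch TrustKit.sharedInstance().pinningValidator.evaluateTrust(serverTrust, forHostname: host) {
    case .shouldAllowConnection:
        return (.useCredential, URLCredential(trust: serverTrust))
    case .domainNotPinned:
        // Host is outside the pin set: fall back to the system's default chain validation.
        return (.performDefaultHandling, nil)
    case .shouldBlockConnection:
        // Chain invalid or no pin matched: refuse the connection outright.
        return (.cancelAuthenticationChallenge, nil)
    }
}

sessionManager.request("https://api.example.com/v1/ping").validate().responseData { response in
    // A pin mismatch surfaces as a cancelled task, i.e. a failure here,
    // never as a successful response from an impostor.
    print(response.result)
}
```

Two points worth noting. First, pins are SHA-256 digests of the DER-encoded SubjectPublicKeyInfo, not of the whole certificate, so they survive a reissue that keeps the same key; TrustKit ships a `get_pin_from_certificate.py` script for generating them from a certificate file. Second, the backup pin is what makes rotation safe: ship the hash of a key you already hold offline, and you never have to accept a new pin from the network, which is exactly the risk the earlier comments warn about.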

@sagarpatkar Hi, If you resolved the issue, let me know your solution, please share it with me
