@fdwills
Last active August 29, 2015 14:01
ssl pinning

what

Verify the server against a pinned certificate: only allow connections to hosts that present a certificate the app already trusts.

why

  • Pins are stored in a simple text file, so we can just write one up and place it in the required location.
  • If you are initializing a TrustManagerFactory with your own keystore file that contains the issuing certificate(s) of your server's SSL certificate, you are already using pinning.
  • It means hard-coding the certificate known to be used by the server in the mobile application. The app can then ignore the device's trust store and rely on its own, and allow only SSL connections to hosts whose certificates are signed by certificates stored inside the application.

Android pinning:

  • before 4.2: uses built-in pins
  • 4.2 and later: reads pins from a file in the /data/misc/keychain directory

how

There are three important steps in the process:

  • obtain a certificate for the desired host (preferably the whole certificate chain)
  • make sure the certificate is in .bks format; this step is crucial in order for pinning to work properly across all devices
  • use the Apache HTTP client shipped with Android and initialize it to use the obtained .bks keystore for SSL connections. A fully functioning example that demonstrates the solution we're using can be found here.

sample

details

STEP 1. Obtaining a .pem certificate for a site

    # -showcerts prints the whole presented chain, but piping into x509 keeps only the first (leaf) certificate
    openssl s_client -showcerts -connect api.github.com:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > mycertfile.pem

STEP 2. Converting to a .bks keystore

    wget http://repo2.maven.org/maven2/org/bouncycastle/bcprov-ext-jdk15on/1.46/bcprov-ext-jdk15on-1.46.jar
    # -providerpath must name the jar downloaded above; -storepass is the password the app will use to open the keystore
    keytool -importcert -v -trustcacerts -file "mycertfile.pem" -alias ca -keystore "keystore.bks" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "bcprov-ext-jdk15on-1.46.jar" -storetype BKS -storepass testing

STEP 3. Place the .bks keystore in the res/raw folder (or assets?)

STEP 4. Pinning the certificate to DefaultHttpClient

    import java.io.InputStream;
    import java.security.KeyStore;
    import org.apache.http.conn.scheme.Scheme;
    import org.apache.http.conn.scheme.SchemeRegistry;
    import org.apache.http.conn.ssl.SSLSocketFactory;
    import org.apache.http.impl.client.DefaultHttpClient;
    import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
    import org.apache.http.params.BasicHttpParams;
    import org.apache.http.params.HttpParams;
    // create keystore: load the BKS file placed in res/raw (certificateRawResource is its R.raw id)
    InputStream in = resources.openRawResource(certificateRawResource);
    KeyStore keyStore = KeyStore.getInstance("BKS");
    keyStore.load(in, password); // password: the keytool -storepass, as a char[]
    in.close();
    // pinning: an SSLSocketFactory built from this keystore trusts only the pinned certificate(s)
    HttpParams httpParams = new BasicHttpParams();
    SchemeRegistry schemeRegistry = new SchemeRegistry();
    schemeRegistry.register(new Scheme("https", new SSLSocketFactory(keyStore), 443));
    ThreadSafeClientConnManager clientMan = new ThreadSafeClientConnManager(httpParams, schemeRegistry);
    DefaultHttpClient httpClient = new DefaultHttpClient(clientMan, httpParams);
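As an added example (not code from this gist), the same pin enforced through the standard javax.net.ssl API, which is the form the "why" section describes when it says a TrustManagerFactory initialized with your own keystore is already pinning. It assumes a BKS keystore in res/raw produced by the keytool step above and opened with that step's `testing` password; `R.raw.keystore`, the class and the method names are this example's own, not the project's.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;
import android.content.Context;

/**
 * Certificate pinning with HttpsURLConnection (added example, hypothetical class name).
 * Trust comes exclusively from the BKS keystore shipped in res/raw; the device's
 * trust store is never consulted, so a chain not rooted in a pinned cert fails closed.
 */
public final class PinnedHttps {

    private final SSLContext pinnedContext;

    /**
     * @param keystoreRawResId  R.raw id of the BKS file (e.g. R.raw.keystore, assumed name)
     * @param keystorePassword  the -storepass given to keytool ("testing" in the step above)
     */
    public PinnedHttps(Context context, int keystoreRawResId, char[] keystorePassword)
            throws IOException, GeneralSecurityException {
        KeyStore pins = KeyStore.getInstance("BKS");
        InputStream in = context.getResources().openRawResource(keystoreRawResId);
        try {
            pins.load(in, keystorePassword);
        } finally {
            in.close();
        }
        // A TrustManagerFactory initialised with only our keystore is the pin:
        // it contains no system CAs, so nothing else can validate.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(pins);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        this.pinnedContext = ctx;
    }

    /** Opens a connection that can only complete its handshake against a pinned chain. */
    public HttpsURLConnection open(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(pinnedContext.getSocketFactory());
        // The default hostname verifier stays in place: pinning replaces the CA check,
        // not the check that the certificate is for the host we meant to reach.
        return conn;
    }

    /** A pin mismatch surfaces as an SSLHandshakeException; there is no fallback to the system store. */
    public static boolean isPinFailure(IOException e) {
        return e instanceof SSLHandshakeException;
    }
}
```

Two practical notes: Apache's DefaultHttpClient was removed from the Android SDK in Android 6.0 (API 23), so the HttpsURLConnection form above is the one that keeps working on current devices; and because the app trusts nothing but the shipped keystore, an updated keystore has to be released before the server's certificate (or its issuing CA, if that is what was pinned) rotates, or the app locks itself out.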

concepts

Certificates Pin code

The ALISON Certificates Pin code is a personal code that is added to protect your privacy and only allows people approved by you to see and validate your certificates on ALISON. (This is a PIN for verifying course certificates on the ALISON learning site, a different thing from TLS certificate pinning.)

For example, if a potential employer wants to check the validity of your certificates, you can provide him or her with the Pin code in addition to the certificate validation link, and he or she will be able to check it online.

links

libs
