Certificate pinning: only allow connections to servers presenting a trusted (pinned) certificate
- pins are stored in a simple text file, so we can just write one up and place it in the required location
- If you are initializing a TrustManagerFactory with your own keystore file that contains the issuing certificate(s) of your server's SSL certificate, you are already using pinning
- It means hard-coding the certificate known to be used by the server in the mobile application. The app can then ignore the device’s trust store and rely on its own, and allow only SSL connections to hosts signed with certificates stored inside the application.
Android pinning:
- before 4.2: pins are built into the platform
- after 4.2: pins are read from a file in the /data/misc/keychain directory
There are three important steps in the process:
- obtain a certificate for the desired host (preferably the whole certificate chain)
- make sure the certificate is in .bks format - this step is crucial in order for pinning to work properly across all devices
- use the Apache HTTP client shipped with Android - initialize it to use the obtained .bks keystore for SSL connections
A fully functioning example that demonstrates the solution that we're using can be found here.
STEP 1. Obtaining a .pem certificate for a site
openssl s_client -showcerts -connect api.github.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycertfile.pem
STEP 2. Converting to a .bks keystore
wget http://repo2.maven.org/maven2/org/bouncycastle/bcprov-ext-jdk15on/1.46/bcprov-ext-jdk15on-1.46.jar
keytool -importcert -v -trustcacerts -file "mycertfile.pem" -alias ca -keystore "keystore.bks" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "bcprov-ext-jdk15on-1.46.jar" -storetype BKS -storepass testing
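Steps 1 and 2 above capture only the first (leaf) certificate, and keytool -importcert likewise imports only the first certificate in a file. The following added example (not from the original notes) splits the full chain printed by openssl s_client -showcerts into one PEM file per certificate and imports each under its own alias; it assumes the BouncyCastle jar from step 2 sits in the current directory, and the sample s_client output it carries is constructed, not a real capture.

```shell
#!/bin/sh
# split_chain <s_client_output_file> <output_dir>
# Writes cert1.pem, cert2.pem, ... (leaf first, as s_client prints them)
# and prints the number of certificates found.
split_chain() {
    in_file=$1
    out_dir=$2
    mkdir -p "$out_dir"
    awk -v dir="$out_dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%d.pem", dir, n) }
        f != ""                        { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                            { print n + 0 }
    ' "$in_file"
}

# import_chain <pem_dir> <keystore.bks>
# Imports every split certificate into one BKS keystore as ca0, ca1, ...
# so the client trusts the leaf and its issuers, nothing else.
import_chain() {
    dir=$1
    store=$2
    i=0
    for pem in "$dir"/cert*.pem; do
        keytool -importcert -noprompt -trustcacerts -file "$pem" -alias "ca$i" \
            -keystore "$store" -storetype BKS -storepass testing \
            -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
            -providerpath bcprov-ext-jdk15on-1.46.jar
        i=$((i + 1))
    done
}

# Constructed stand-in for `openssl s_client -showcerts` output (two
# certificates with placeholder bodies); real output carries base64 DER.
sample_chain_output() {
    cat <<'EOF'
CONNECTED(00000003)
 0 s:/CN=api.github.com
-----BEGIN CERTIFICATE-----
LEAFCERTCONSTRUCTED
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
INTERMEDIATECONSTRUCTED
-----END CERTIFICATE-----
---
EOF
}
```

Against a live host, run `openssl s_client -showcerts -connect api.github.com:443 </dev/null 2>/dev/null > chain.txt`, then `split_chain chain.txt certs` and `import_chain certs keystore.bks`.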
STEP 3. Place the .bks file in the res/raw folder (or assets?)
STEP 4. Pinning the certificate to DefaultHttpClient
// Create the keystore from the pinned .bks shipped in res/raw
InputStream resourceStream = resources.openRawResource(certificateRawResource); // R.raw.<file name> of the .bks
KeyStore keyStore = KeyStore.getInstance("BKS");
keyStore.load(resourceStream, "testing".toCharArray()); // the -storepass used in the keytool step
resourceStream.close();
// Pinning: register an https scheme whose socket factory trusts only our keystore,
// so the device trust store is never consulted
HttpParams httpParams = new BasicHttpParams();
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(new Scheme("https", new SSLSocketFactory(keyStore), 443));
ThreadSafeClientConnManager clientMan = new ThreadSafeClientConnManager(httpParams, schemeRegistry);
HttpClient httpClient = new DefaultHttpClient(clientMan, httpParams);