    Trung
    @trungth1406
    Ok. Got it. Thank you for your help once again!
    Roman Štrobl
    @romanstrobl
    No problem
    PaholykS
    @riko105
    Hey guys! Just downloaded the ssl-pinning-ios library. How can I use it with Alamofire? Or does the library perform certificate-related trust work under the hood (at the URLSession level?).
    Thanks!
    Juraj Ďurech
    @hvge
    Hi PaholykS
    Petr Dvořák
    @petrdvorak
    Hello @riko105, thank you very much for your question. The SSL pinning library does not really do the pinning work itself - it is only responsible for the dynamic certificate / public key fingerprint exchange. As a result, the usual workflow is like this:
    1) You initialize the Dynamic SSL Pinning SDK.
    2) You fetch / update the list of current fingerprints that is created with our Java tool.
    3) You use the certificate / public key fingerprint from the store in whatever facility / library you use in your apps.
    PaholykS
    @riko105
    @petrdvorak Thanks, clear for me now!
    PaholykS
    @riko105
    One more question. How can I retrieve certificates from CertStore so that I can use them further in my implementation?
    Petr Dvořák
    @petrdvorak
    Generally, there should be no need to retrieve the certificates - you only need to validate that the used SSL certificate matches the certificate in CertStore: https://github.com/wultra/ssl-pinning-ios#fingerprint-validation
    PaholykS
    @riko105
    Ok, understood, thanks. But how can I get the data (certData or fingerprint) to perform validation?
    Petr Dvořák
    @petrdvorak
    You need to generate them with the tool.
    And host them on some URL.
    The overall idea is the following:
    PaholykS
    @riko105
    Exactly! Thanks for the advice, I just missed that the service URL already contains the fingerprint. 🙃
    Petr Dvořák
    @petrdvorak
    • You generate a list of the signed certificate or public key fingerprints.
    • Then you host the list somewhere.
    Ah, OK - no worries! :)
    PaholykS
    @riko105
    🙌🏼
    PaholykS
    @riko105
    Are there any requirements regarding which encoding should be used when passing the fingerprint as Data to validate(commonName: String, fingerprint: Data)? Actually, I did not find the encoding specification in the manual.
    I suppose .utf8 would be good.
    Juraj Ďurech
    @hvge
    I'm away from my computer, but I guess it's the result of SHA256 in bytes, e.g. 32 bytes.
    Some implementations convert the SHA256 result to a hexadecimal string, but that's not our case. It has to be the raw bytes from that function.
    PaholykS
    @riko105
    If it's just raw data then it's cool, thanks for the response @hvge
    PaholykS
    @riko105
    NB: encoding the fingerprint string with .utf8 works
    Juraj Ďurech
    @hvge
    That should not work. You're doing something wrong :) If you look at the library source code, the function directly compares the fingerprint you provide against the one stored in the cert store.
    Basically, if you look closely at how all the validate() functions work, then you'll understand that encoding with .utf8 makes no sense. For example, validate(challenge:) gets the raw certificate bytes, encoded in DER format. The format is not important. The important thing is that it's just a sequence of bytes. Then we calculate a hash from that sequence in validate(commonName: certificateData:) and then it falls through to the bottom, to the function you're asking about.
    Juraj Ďurech
    @hvge
    There's no UTF-8 encoding at all.
    You can look at the library's unit tests to understand what's behind the scenes. For example, run and debug the following test in Xcode and try to understand what's going on :) https://github.com/wultra/ssl-pinning-ios/blob/develop/Tests/CertStoreTests_Network.swift
    Oleg Semen
    @semenoh
    Hi
    Is it possible to exclude some names from pinning?
    Or specify only the names that should be pinned?
    In my case images are stored on AWS and they do not appear in the UI as they are under an Amazon certificate.
    I'm talking about SSL pinning on Android https://github.com/wultra/ssl-pinning-android
    Petr Dvořák
    @petrdvorak
    We do not determine what URLs are pinned - this is your code that does that. We only provide you with an updatable store of certificate fingerprints.
    Therefore, your code should look something like:
    // Pin only the hosts you chose to pin; everything else falls back to the system trust checks.
    if (pinnedUrlSet.contains(currentRequest.getUrl())) {
        // CertStore.validate(...)
    }
    // super.validateUsingDefaultSystemValidations()
    Oleg Semen
    @semenoh
    Thanks
    PaholykS
    @riko105
    Hi there!
    Does the library support self-signed fingerprint chain validation?
    @hvge Thanks for the specification. Already got it, it works with auth challenge validation)
    I noticed that ASCII format works when we need to convert the String fallback fingerprint representation into raw Data
    Juraj Ďurech
    @hvge
    Well, it basically doesn't matter. What we do is simply find the certificate hash in a locally cached database. If it's the hash of a self-signed certificate, then yes, it does. I would not recommend you do this unless it's the certificate of a non-production server (like dev servers, test servers, etc.)
    Juraj Ďurech
    @hvge

    About that conversion... In our example, that fallback data and ASCII work, because we expect a JSON-formatted sequence of bytes (with no UTF-8 chars at all). If I remember correctly, then what you asked before was about a conversion to the data required for certificate validation. I'm not sure whether ASCII will work there either. That's a completely different situation.

    Put an example code snippet here (I prefer a link to gist.github.com) and then we can talk about details.

    The certificate is typically in DER format (I'm pretty sure of that on both platforms). It's a binary format, but what's important is that we don't care about that. We just calculate a hash from that data, and that hash is supposed to be in the database managed by our library. (DER format https://en.wikipedia.org/wiki/X.690#DER_encoding)
    PaholykS
    @riko105
    @hvge regarding encoding, yes, I was talking in a different context, my fault )
    Returning to the question about the self-signed comparison. I was pretty sure that you just compare the fingerprint data, so the "authority" doesn't take part in the data comparison.
    So I'm sure something like an authority whitelist is absent in the framework, if the answer to my previous question is yes
    Juraj Ďurech
    @hvge
    @riko105 SSL certificate pinning is simply about checking whether the certificate received during the TLS handshake is expected and known. We don't provide an "authority", or any additional analysis of that certificate data. That's usually a function provided by the operating system. So, our library is doing just what's promised in the description - it simply manages a list of known hashes in a secure way (e.g. it's difficult to inject an attacker's hash) and allows your application to ask that database whether the certificate is known or not.
    Juraj Ďurech
    @hvge
    Typically, if our library says "it's expected", then you should continue with the TLS handshake as usual and the operating system will do the rest of the validation for you. If you're validating a self-signed certificate in this way, then you have to tell the OS "it's OK, I trust this certificate". As I said before, you should not use this technique on production servers.
    That's how it works on iOS. I'm not an Android expert, but I guess it works in a very similar way there.