
update certificate pinning logic
t0thkr1s committed May 1, 2021
1 parent 784efed commit e731401
Showing 1 changed file with 52 additions and 7 deletions.
Expand Up @@ -13,6 +13,8 @@
import org.jetbrains.annotations.NotNull;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

import infosecadventures.allsafe.R;
Expand All @@ -27,21 +29,28 @@

public class CertificatePinning extends Fragment {

private static final String INVALID_HASH = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";

@Override
public View onCreateView(@NonNull LayoutInflater inflater, ViewGroup container, Bundle savedInstanceState) {
View view = inflater.inflate(R.layout.fragment_certificate_pinning, container, false);
setHasOptionsMenu(true);

// make an intentional request with broken config
// to get the actual peer certificate chain public key hashes from okhttp exception
List<String> hashes = extractPeerCertificateChain();

Button test = view.findViewById(R.id.execute);
test.setOnClickListener(v -> {
CertificatePinner certificatePinner = new CertificatePinner.Builder()
.add("httpbin.org",
"sha256/J0dKy1gw45muM4o/vm/tskFQ2BWudtp9XLxaW7OtowQ=")
.add("httpbin.org",
"sha256/JSMzqOOrtyOT1kmau6zKhgT676hGgczD5VMdRMyJZFA=")
.build();

CertificatePinner.Builder certificatePinner = new CertificatePinner.Builder();
for (String hash : hashes) {
Log.d("ALLSAFE", hash);
certificatePinner.add("httpbing.org", hash);
}

OkHttpClient okHttpClient = new OkHttpClient.Builder()
.certificatePinner(certificatePinner)
.certificatePinner(certificatePinner.build())
.build();

Request request = new Request.Builder()
Expand All @@ -51,6 +60,7 @@ public View onCreateView(@NonNull LayoutInflater inflater, ViewGroup container,
okHttpClient.newCall(request).enqueue(new Callback() {
@Override
public void onFailure(@NotNull Call call, @NotNull IOException e) {
Log.d("ALLSAFE", e.getMessage());
requireActivity().runOnUiThread(() -> SnackUtil.INSTANCE.simpleMessage(requireActivity(), e.getMessage()));
}

Expand All @@ -67,4 +77,39 @@ public void onResponse(@NotNull Call call, @NotNull Response response) throws IO
});
return view;
}

private List<String> extractPeerCertificateChain() {
List<String> chain = new ArrayList<>();

OkHttpClient okHttpClient = new OkHttpClient.Builder()
.certificatePinner(new CertificatePinner.Builder()
.add("httpbin.org", INVALID_HASH)
.build())
.build();

Request request = new Request.Builder()
.url("https://httpbin.org/json")
.build();

okHttpClient.newCall(request).enqueue(new Callback() {
@Override
public void onFailure(@NotNull Call call, @NotNull IOException e) {
requireActivity().runOnUiThread(() -> {
String[] lines = e.getMessage().split(System.getProperty("line.separator"));
for (String line : lines) {
if (!line.trim().equals(INVALID_HASH) && line.trim().startsWith("sha256")) {
String pin = line.trim().split(":")[0].trim();
chain.add(pin);
}
}
});
}

@Override
public void onResponse(@NotNull Call call, @NotNull Response response) {

}
});
return chain;
}
}
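Review bot: The pinner built in the click handler registers every learned hash for `"httpbing.org"`, a misspelling of the host the removed pins named, so OkHttp's CertificatePinner will match no pin for an `httpbin.org` request (the request URL itself sits in the collapsed lines after the second hunk, and `onCreateView` continues past it); the line should read `certificatePinner.add("httpbin.org", hash);`. The larger problem is in `extractPeerCertificateChain()`: the pins are parsed out of the failure message of a deliberately broken request, so they are whatever chain the network presented at that moment, and a certificate interposed on the path during that first request is pinned rather than rejected — pinning only detects substitution when the expected hashes are compiled in (or declared in the network security config) rather than learned at runtime. That helper also returns `chain` before the asynchronous `onFailure` callback runs, so `hashes` is empty until the callback fills it on the UI thread and an early click builds a pinner with no pins. If learning pins from the error text is the intended vulnerable pattern for this training app, a comment on the helper saying so would keep the next reader from treating it as a reference implementation.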
