
Certificate pinning on Android

I did certificate pinning on Android (using Retrofit) as described in the OkHttp3 docs (put in a wrong value -> get an exception -> put in the expected values).

But how do I get these values for pinning if I decide to rotate the server certificate?

For example: I have certificate 'X', and this certificate is going to be rotated in two months to certificate 'Y'. Obviously I have to update my app on Google Play and add new hashes for pinning with the new certificate. So how can I do that if currently I can only get these hashes from the exception?

When pinning you have a few options. Firstly, you don't have to pin to the leaf certificate; you could pin to the intermediate or root certificate instead. That way, should you continue to use the same trusted certificate authority, your app will continue to work without change.

Of course, there's nothing stopping you from having multiple pins defined in your app for seamless certificate rotation, which I assume you'd want.

You can use a bash script such as the following to retrieve the pins:

#!/bin/bash
# Usage: ./certs.sh www.example.com
# For every certificate the server sends, print its subject and the base64
# SHA-256 of its DER SubjectPublicKeyInfo (OkHttp wants it as "sha256/<value>").
host="$1"

# Chain as presented by the server, leaf first (the root is normally not sent).
certs=$(openssl s_client -servername "$host" -connect "$host:443" -showcerts </dev/null 2>/dev/null \
    | sed -n '/Certificate chain/,/Server certificate/p')

rest=$certs
while [[ "$rest" == *'-----BEGIN CERTIFICATE-----'* ]]
do
    # Peel the first certificate (with its " s:" subject line) off the chain text.
    cert="${rest%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----"
    rest=${rest#*-----END CERTIFICATE-----}

    echo "$cert" | grep -E '^ *[0-9]+ s:' | sed 's/.*s:\(.*\)/\1/'

    # "openssl pkey" handles RSA and EC keys; the original "openssl rsa -pubin"
    # silently printed nothing for EC certificates.
    echo "$cert" | openssl x509 -pubkey -noout |
        openssl pkey -pubin -outform der 2>/dev/null |
        openssl dgst -sha256 -binary | openssl enc -base64
done

And then run it with ./certs.sh www.appmattus.com, although this script won't print out the root certificate.

Alternatively, take a look at https://github.com/scottyab/ssl-pin-generator and run the tool in debug so you know what certificates you're pinning!

For more details about SSL pinning on Android in general, I wrote the following article: Android Security: SSL Pinning
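The answer above pulls pins from a live server, which only works once 'Y' is already deployed. Because an OkHttp pin is a hash of the public key (the DER SubjectPublicKeyInfo), not of the certificate, the pin for 'Y' can be computed from Y's key pair or CSR before the certificate is ever issued, and the same method gives you the pin of an intermediate CA certificate file if you decide to pin higher up the chain. The script below is an added example, not code from the original answer or from OkHttp; it assumes only that openssl is installed, and the hostname and file names it uses are made up for the demonstration. It generates a "current" RSA key/certificate X and an "upcoming" EC key that so far only has a CSR Y, and shows that the pin derived from the CSR, from the private key and from the eventually issued certificate are identical.

```shell
#!/bin/sh
# Added example, not part of the original answer: derive OkHttp-style SPKI
# pins offline from a certificate, a CSR or the key pair itself.
# Assumes only that openssl is installed; api.example.test and the x.*/y.*
# file names are constructed for this demonstration.
set -eu

# Read a PEM public key on stdin and print "sha256/<base64(SHA-256(DER SPKI))>",
# the exact string CertificatePinner.Builder().add(host, pin) expects.
spki_pin_from_pem_pubkey() {
    printf 'sha256/%s\n' "$(openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary | openssl base64)"
}

pin_from_cert() {   # $1 = PEM certificate (what the server will serve, or a CA cert)
    openssl x509 -in "$1" -pubkey -noout | spki_pin_from_pem_pubkey
}

pin_from_csr() {    # $1 = PEM certificate signing request (before issuance)
    openssl req -in "$1" -pubkey -noout | spki_pin_from_pem_pubkey
}

pin_from_key() {    # $1 = PEM private key; openssl pkey handles RSA and EC alike
    openssl pkey -in "$1" -pubout | spki_pin_from_pem_pubkey
}

# Constructed fixtures: a current RSA key/cert X, and an upcoming EC key Y that
# only has a CSR yet. In a real rotation these are your real key, CSR and cert files.
make_fixtures() {   # $1 = directory to write into
    d="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/x.key" 2>/dev/null
    openssl req -new -x509 -key "$d/x.key" -subj "/CN=api.example.test" -days 30 -out "$d/x.crt" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/y.key" 2>/dev/null
    openssl req -new -key "$d/y.key" -subj "/CN=api.example.test" -out "$d/y.csr" 2>/dev/null
    # Y gets issued later; a self-signed stand-in shows the pin does not depend on the issuer.
    openssl req -new -x509 -key "$d/y.key" -subj "/CN=api.example.test" -days 30 -out "$d/y.crt" 2>/dev/null
}

main() {
    work="$(mktemp -d)"
    make_fixtures "$work"
    echo "X, from the served certificate:    $(pin_from_cert "$work/x.crt")"
    echo "Y, from the CSR (before issuance): $(pin_from_csr "$work/y.csr")"
    echo "Y, from the private key:           $(pin_from_key "$work/y.key")"
    echo "Y, from the issued certificate:    $(pin_from_cert "$work/y.crt")"
    rm -rf "$work"
}

main
```

Both strings go straight into the app as separate pins for the same host, so a build that ships before the rotation already trusts X and Y; once X has expired, a later release drops its pin. The same trick gives you a backup pin: generate the next key pair now, pin its public key alongside the live one, and keep the private key offline until it is needed, so a compromised or lost key never forces an emergency app update. Note that the page's own script derives the pin from the public key in exactly the same way, so the values it prints for a deployed certificate match what this script computes from that certificate's key or CSR.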
