support domain patterns in certificate pinning

tranb3r · tranb3r · commit 82672420344f · 2025-11-04T11:29:39.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 2.3.5
+- support domain patterns in certificate pinning
+
 ## 2.3.4
 - vs : 17.14.17
 - dotnet sdk 9.0.306
diff --git a/README.md b/README.md
@@ -46,6 +46,8 @@ var html = await response.Content.ReadAsStringAsync();
 
 ## Certificate pining
 
+### Usage
+
 After creating a `SecureHttpClientHandler` object, call `AddCertificatePinner` to add one or more certificate pinner.
 
 The request will fail if the certificate pin is not correct.
@@ -65,6 +67,21 @@ var response = await httpClient.GetAsync("https://www.github.com");
 var html = await response.Content.ReadAsStringAsync();
 ```
 
+### Domain patterns
+
+`SecureHttpClient` behaves the same as `OkHttp`: pinning is per-hostname and/or per-wildcard pattern.
+
+To pin both `example.com` and `www.example.com` you must configure both hostnames. Or you may use patterns to match sets of related domain names. The following forms are permitted:
+- Full domain name: you may pin an exact domain name like `www.example.com`. It won't match additional prefixes (`abc.www.example.com`) or suffixes (`example.com`).
+- Any number of subdomains: Use two asterisks like `**.example.com` to match any number of prefixes (`abc.www.example.com`, `www.example.com`) including no prefix at all (`example.com`). For most applications this is the best way to configure certificate pinning.
+- Exactly one subdomain: Use a single asterisk like `*.example.com` to match exactly one prefix (`www.example.com`, `api.example.com`). Be careful with this approach as no pinning will be enforced if additional prefixes are present, or if no prefixes are present.
+
+Note that any other form is unsupported. You may not use asterisks in any position other than the leftmost label.
+
+If multiple patterns match a hostname, any match is sufficient. For example, suppose pin A applies to *.example.com and pin B applies to `api.example.com`. Handshakes for `api.example.com` are valid if either A's or B's certificate is in the chain.
+
+### Compute the pin
+
 In order to compute the pin (SPKI fingerprint of the server's SSL certificate), you can execute the following command (here for `www.github.com` host):
 ```shell
 openssl s_client -connect www.github.com:443 -servername www.github.com | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
diff --git a/SecureHttpClient.Test/CertificatePinnerTest.cs b/SecureHttpClient.Test/CertificatePinnerTest.cs
@@ -1,12 +1,16 @@
-﻿using System.Threading.Tasks;
+﻿using System;
 using SecureHttpClient.Test.Helpers;
+using System.Threading.Tasks;
 using Xunit;
 
 namespace SecureHttpClient.Test
 {
     public class CertificatePinnerTest : TestBase, IClassFixture<TestFixture>
     {
         private const string Hostname = @"www.howsmyssl.com";
+        private const string Wildcard1 = @"*.howsmyssl.com";
+        private const string Wildcard2 = @"**.howsmyssl.com";
+        private const string InvalidPattern = @"*.*.howsmyssl.com";
         private const string Page = @"https://www.howsmyssl.com/a/check";
         private static readonly string[] PinsOk = { @"sha256/kXo1ykvfYulcwtgnY1/sOcAF+b8pHUNGzYsXaNADPpE=" };
         private static readonly string[] PinsKo = { @"sha256/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=" };
@@ -82,5 +86,72 @@ public async Task CertificatePinnerTest_EccCertificate_Failure()
             AddCertificatePinner(Hostname3, Pins3Ko);
             await AssertExtensions.ThrowsTrustFailureAsync(() => GetAsync(Page3));
         }
+
+        [Fact]
+        public void CertificatePinnerTest_InvalidPattern()
+        {
+            Assert.Throws<ArgumentException>(() => AddCertificatePinner(InvalidPattern, PinsOk));
+        }
+
+        [Fact]
+        public async Task CertificatePinnerTest_Wildcard1_Success()
+        {
+            AddCertificatePinner(Wildcard1, PinsOk);
+            await GetAsync(Page);
+        }
+
+        [Fact]
+        public async Task CertificatePinnerTest_Wildcard2_Success()
+        {
+            AddCertificatePinner(Wildcard2, PinsOk);
+            await GetAsync(Page);
+        }
+
+        [Fact]
+        public async Task CertificatePinnerTest_Merge_Success()
+        {
+            AddCertificatePinner(Wildcard1, PinsKo);
+            AddCertificatePinner(Hostname, PinsOk);
+            await GetAsync(Page);
+        }
+
+        [Fact]
+        public async Task CertificatePinnerTest_Wildcard1_Failure()
+        {
+            AddCertificatePinner(Wildcard1, PinsKo);
+            await AssertExtensions.ThrowsTrustFailureAsync(() => GetAsync(Page));
+        }
+
+        [Fact]
+        public async Task CertificatePinnerTest_Wildcard2_Failure()
+        {
+            AddCertificatePinner(Wildcard2, PinsKo);
+            await AssertExtensions.ThrowsTrustFailureAsync(() => GetAsync(Page));
+        }
+
+        [Fact]
+        public async Task CertificatePinnerTest_Merge_Failure()
+        {
+            AddCertificatePinner(Wildcard1, PinsKo);
+            AddCertificatePinner(Hostname, PinsKo);
+            await AssertExtensions.ThrowsTrustFailureAsync(() => GetAsync(Page));
+        }
+
+        [Theory]
+        [InlineData("abc.example.com", "abc.example.com", true)]
+        [InlineData("abc.example.com", "def.example.com", false)]
+        [InlineData("*.example.com", "abc.example.com", true)]
+        [InlineData("*.example.com", "example.com", false)]
+        [InlineData("*.example.com", "abc.def.example.com", false)]
+        [InlineData("*.example.com", "abc.example.org", false)]
+        [InlineData("**.example.com", "example.com", true)]
+        [InlineData("**.example.com", "abc.example.com", true)]
+        [InlineData("**.example.com", "abc.def.example.com", true)]
+        [InlineData("**.example.com", "abc.def.example.org", false)]
+        public void CertificatePinnerTest_MatchesPattern(string pattern, string hostname, bool expected)
+        {
+            var actual = CertificatePinning.CertificatePinner.MatchesPattern(pattern, hostname);
+            Assert.Equal(expected, actual);
+        }
     }
 }
diff --git a/SecureHttpClient/CertificatePinning/CertificatePinner.cs b/SecureHttpClient/CertificatePinning/CertificatePinner.cs
@@ -1,7 +1,9 @@
-﻿using System;
+﻿using Microsoft.Extensions.Logging;
+using System;
 using System.Collections.Concurrent;
+using System.Collections.Generic;
+using System.Linq;
 using System.Security.Cryptography.X509Certificates;
-using Microsoft.Extensions.Logging;
 
 namespace SecureHttpClient.CertificatePinning
 {
@@ -19,18 +21,31 @@ public CertificatePinner(ILogger logger = null)
         public void AddPins(string hostname, string[] pins)
         {
             _logger?.LogDebug($"Add CertificatePinner: hostname:{hostname}, pins:{string.Join("|", pins)}");
+            ValidatePattern(hostname);
             _pins[hostname] = pins; // Updates value if already existing
         }
 
         public bool HasPin(string hostname)
         {
-            return _pins.ContainsKey(hostname);
+            if (string.IsNullOrEmpty(hostname))
+            {
+                throw new ArgumentException("hostname cannot be null or empty");
+            }
+            foreach (var (pattern, pins) in _pins)
+            {
+                if (MatchesPattern(pattern, hostname))
+                {
+                    return true;
+                }
+            }
+            return false;
         }
 
         public bool Check(string hostname, X509Certificate2 certificate)
         {
-            // Get pins
-            if (!_pins.TryGetValue(hostname, out var pins))
+            // Get matching pins
+            var pins = GetMatchingPins(hostname);
+            if (pins.Length == 0)
             {
                 _logger?.LogDebug($"No certificate pin found for {hostname}");
                 return true;
@@ -51,5 +66,72 @@ public bool Check(string hostname, X509Certificate2 certificate)
             }
             return match;
         }
+
+        internal static void ValidatePattern(string pattern)
+        {
+            if (string.IsNullOrEmpty(pattern))
+            {
+                throw new ArgumentException("Pattern cannot be null or empty");
+            }
+            if (pattern.StartsWith("*."))
+            {
+                if (pattern.IndexOf('*', 1) != -1)
+                {
+                    throw new ArgumentException($"Unexpected pattern: {pattern}");
+                }
+            }
+            else if (pattern.StartsWith("**."))
+            {
+                if (pattern.IndexOf('*', 2) != -1)
+                {
+                    throw new ArgumentException($"Unexpected pattern: {pattern}");
+                }
+            }
+            else if (pattern.Contains('*'))
+            {
+                throw new ArgumentException($"Unexpected pattern: {pattern}");
+            }
+        }
+
+
+        private string[] GetMatchingPins(string hostname)
+        {
+            if (string.IsNullOrEmpty(hostname))
+            {
+                throw new ArgumentException("hostname cannot be null or empty");
+            }
+            var matchedPins = new HashSet<string>();
+            foreach (var (pattern, pins) in _pins)
+            {
+                if (MatchesPattern(pattern, hostname))
+                {
+                    foreach (var pin in pins)
+                    {
+                        matchedPins.Add(pin);
+                    }
+                }
+            }
+            return matchedPins.ToArray();
+        }
+
+        internal static bool MatchesPattern(string pattern, string hostname)
+        {
+            if (pattern.StartsWith("**."))
+            {
+                var suffix = pattern[3..];
+                return hostname == suffix || hostname.EndsWith("." + suffix);
+            }
+            if (pattern.StartsWith("*."))
+            {
+                var suffix = pattern[2..];
+                if (!hostname.EndsWith("." + suffix))
+                {
+                    return false;
+                }
+                var prefix = hostname[..(hostname.Length - suffix.Length - 1)];
+                return !prefix.Contains('.');
+            }
+            return hostname == pattern;
+        }
     }
 }
diff --git a/SecureHttpClient/Platforms/Android/SecureHttpClientHandler.cs b/SecureHttpClient/Platforms/Android/SecureHttpClientHandler.cs
@@ -54,6 +54,7 @@ public SecureHttpClientHandler(ILogger<Abstractions.ISecureHttpClientHandler> lo
         public virtual void AddCertificatePinner(string hostname, string[] pins)
         {
             _logger?.LogDebug($"Add CertificatePinner: hostname:{hostname}, pins:{string.Join("|", pins)}");
+            CertificatePinning.CertificatePinner.ValidatePattern(hostname); // will throw c# exception instead of java exception if pattern is invalid
             _certificatePinnerBuilder.Value.Add(hostname, pins);
         }
 

Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,7 @@ public SecureHttpClientHandler(ILogger<Abstractions.ISecureHttpClientHandler> lo`
`54`	`54`	`public virtual void AddCertificatePinner(string hostname, string[] pins)`
`55`	`55`	`{`
`56`	`56`	`_logger?.LogDebug($"Add CertificatePinner: hostname:{hostname}, pins:{string.Join("\|", pins)}");`
	`57`	`+ CertificatePinning.CertificatePinner.ValidatePattern(hostname); // will throw c# exception instead of java exception if pattern is invalid`
`57`	`58`	`_certificatePinnerBuilder.Value.Add(hostname, pins);`
`58`	`59`	`}`
`59`	`60`