Directly trust the LE R3 pin too, to fix manual case

pimterry · pimterry · commit 04fa4239e524 · 2024-04-09T14:24:06.000+02:00
Seems that badssl.com has had some changes and no longer includes ISRG.
The OkHTTP case seems to check the full chain (presumably from local
stores) but that's complicated to do ourselves. This seems like a
reasonable short-term fix, and it's easy to patch up later on now that
we know what's going on.
diff --git a/app/src/main/java/tech/httptoolkit/pinning_demo/MainActivity.kt b/app/src/main/java/tech/httptoolkit/pinning_demo/MainActivity.kt
@@ -40,7 +40,11 @@ import java.security.cert.CertificateFactory
 import java.security.cert.X509Certificate
 import javax.net.ssl.*
 
-const val LETS_ENCRYPT_ROOT_SHA256 = "C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
+// We check for both the long-term root & intermediate, because some servers don't seem to
+// include the ISRG in the chain (assuming it's in our trust store). Unfortunately the R3
+// intermediate cert will expire in September 2025, but we may have our own testserver by then.
+const val LETS_ENCRYPT_ISRG_X1_ROOT_PK_SHA256 = "C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
+const val LETS_ENCRYPT_R3_INTERM_PK_SHA256 = "jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
 
 @Suppress("UNUSED_PARAMETER")
 @DelicateCoroutinesApi
@@ -213,7 +217,8 @@ class MainActivity : AppCompatActivity() {
             try {
                 val hostname = "ecc384.badssl.com"
                 val certificatePinner = CertificatePinner.Builder()
-                    .add(hostname, "sha256/${LETS_ENCRYPT_ROOT_SHA256}")
+                    .add(hostname, "sha256/${LETS_ENCRYPT_ISRG_X1_ROOT_PK_SHA256}")
+                    .add(hostname, "sha256/${LETS_ENCRYPT_R3_INTERM_PK_SHA256}")
                     .build()
 
                 val client = OkHttpClient.Builder()
@@ -456,7 +461,10 @@ class MainActivity : AppCompatActivity() {
 
                 val certs = socket.session.peerCertificates
 
-                if (!certs.any { cert -> doesCertMatchPin(LETS_ENCRYPT_ROOT_SHA256, cert) }) {
+                if (!certs.any { cert ->
+                        doesCertMatchPin(LETS_ENCRYPT_ISRG_X1_ROOT_PK_SHA256, cert) ||
+                        doesCertMatchPin(LETS_ENCRYPT_R3_INTERM_PK_SHA256, cert)
+                }) {
                     socket.close() // Close the socket immediately without sending a request
                     throw Error("Unrecognized cert hash.")
                 }
