Switch out sha512.badssl.com, as the certificate has expired

pimterry · pimterry · commit 8ecbce6a91c5 · 2022-08-09T12:01:28.000+02:00
Sha256.badssl.com currently works, and seems more likely to work in
future, as it's set up with Let's Encrypt (so presumably renewing
automatically) instead of using Digicert.
diff --git a/app/src/main/java/tech/httptoolkit/pinning_demo/MainActivity.kt b/app/src/main/java/tech/httptoolkit/pinning_demo/MainActivity.kt
@@ -28,7 +28,7 @@ import java.security.cert.CertificateFactory
 import java.security.cert.X509Certificate
 import javax.net.ssl.*
 
-const val DIGICERT_ROOT_SHA256 = "5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
+const val LETS_ENCRYPT_ROOT_SHA256 = "NgJeUutmfGsIONh0XaovCA5VJ05uv2gCb27pUOpTPxU="
 
 class MainActivity : AppCompatActivity() {
     override fun onCreate(savedInstanceState: Bundle?) {
@@ -105,7 +105,7 @@ class MainActivity : AppCompatActivity() {
             onStart(R.id.config_pinned)
             try {
                 // Pinned by hash in network config:
-                val mURL = URL("https://sha512.badssl.com")
+                val mURL = URL("https://sha256.badssl.com")
                 with(mURL.openConnection() as HttpsURLConnection) {
                     println("URL: ${this.url}")
                     println("Response Code: ${this.responseCode}")
@@ -124,16 +124,16 @@ class MainActivity : AppCompatActivity() {
             onStart(R.id.okhttp_pinned)
 
             try {
-                val hostname = "sha512.badssl.com"
+                val hostname = "sha256.badssl.com"
                 val certificatePinner = CertificatePinner.Builder()
-                    .add(hostname, "sha256/${DIGICERT_ROOT_SHA256}")
+                    .add(hostname, "sha256/${LETS_ENCRYPT_ROOT_SHA256}")
                     .build()
 
                 val client = OkHttpClient.Builder()
                     .certificatePinner(certificatePinner)
                     .build()
                 val request = Request.Builder()
-                    .url("https://sha512.badssl.com")
+                    .url("https://sha256.badssl.com")
                     .build();
 
                 client.newCall(request).execute().use { response ->
@@ -155,7 +155,7 @@ class MainActivity : AppCompatActivity() {
         try {
             // Create an HTTP client that only trusts our specific certificate:
             val cf = CertificateFactory.getInstance("X.509")
-            val caStream = BufferedInputStream(resources.openRawResource(R.raw.digicert_ca))
+            val caStream = BufferedInputStream(resources.openRawResource(R.raw.lets_encrypt_isrg_root))
             val ca = cf.generateCertificate(caStream)
             caStream.close()
 
@@ -179,7 +179,7 @@ class MainActivity : AppCompatActivity() {
             // Make a request using that client:
             val stringRequest = StringRequest(
                 com.android.volley.Request.Method.GET,
-                "https://sha512.badssl.com",
+                "https://sha256.badssl.com",
                 { _ ->
                     println("Volley success")
                     this@MainActivity.onSuccess(R.id.volley_pinned)
@@ -201,10 +201,10 @@ class MainActivity : AppCompatActivity() {
         GlobalScope.launch(Dispatchers.IO) {
             onStart(R.id.trustkit_pinned)
             try {
-                val mURL = URL("https://sha512.badssl.com")
+                val mURL = URL("https://sha256.badssl.com")
                 with(mURL.openConnection() as HttpsURLConnection) {
                     this.sslSocketFactory = TrustKit.getInstance().getSSLSocketFactory(
-                            "sha512.badssl.com"
+                            "sha256.badssl.com"
                     )
                     println("URL: ${this.url}")
                     println("Response Code: ${this.responseCode}")
@@ -235,19 +235,19 @@ class MainActivity : AppCompatActivity() {
                 val context = SSLContext.getInstance("TLS")
                 context.init(null, trustManager, null)
 
-                val socket = context.socketFactory.createSocket("sha512.badssl.com", 443) as SSLSocket
+                val socket = context.socketFactory.createSocket("sha256.badssl.com", 443) as SSLSocket
 
                 val certs = socket.session.peerCertificates
 
-                if (!certs.any { cert -> doesCertMatchPin(DIGICERT_ROOT_SHA256, cert) }) {
+                if (!certs.any { cert -> doesCertMatchPin(LETS_ENCRYPT_ROOT_SHA256, cert) }) {
                     socket.close() // Close the socket immediately without sending a request
                     throw Error("Unrecognized cert hash.")
                 }
 
                 // Send a real request, just to make it clear that we trust the connection:
                 val pw = PrintWriter(socket.outputStream)
                 pw.println("GET / HTTP/1.1")
-                pw.println("Host: sha512.badssl.com")
+                pw.println("Host: sha256.badssl.com")
                 pw.println("")
                 pw.flush()
 
diff --git a/app/src/main/res/raw/digicert_ca.pem b/app/src/main/res/raw/digicert_ca.pem
diff --git a/app/src/main/res/raw/lets_encrypt_isrg_root.pem b/app/src/main/res/raw/lets_encrypt_isrg_root.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----
diff --git a/app/src/main/res/xml/network_security_config.xml b/app/src/main/res/xml/network_security_config.xml
@@ -1,12 +1,12 @@
 <?xml version="1.0" encoding="utf-8"?>
 <network-security-config>
     <domain-config>
-        <domain includeSubdomains="false">sha512.badssl.com</domain>
+        <domain includeSubdomains="false">sha256.badssl.com</domain>
         <pin-set>
-            <pin digest="SHA-256">5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w=</pin>
+            <pin digest="SHA-256">NgJeUutmfGsIONh0XaovCA5VJ05uv2gCb27pUOpTPxU=</pin>
         </pin-set>
         <trust-anchors>
-            <certificates src="@raw/digicert_ca" />
+            <certificates src="@raw/lets_encrypt_isrg_root" />
         </trust-anchors>
     </domain-config>
 </network-security-config>
