Draft
30 commits
eb137d6
Add timeout for android
Apr 16, 2020
495117d
Convert double values to NSDecimalNumber values for json serialization
Apr 17, 2020
2956c88
Add try catch and make dictionary mutable
Apr 17, 2020
dabac4f
Add recursive function for encapsulated doubles
Apr 17, 2020
6a50c54
Fix NSDecimalNumber casting for initializing
edisolino Apr 20, 2020
87f3b88
Fix allKey access Exception.
edisolino Apr 22, 2020
df681e6
Merge remote-tracking branch 'upstream/master'
edisolino May 29, 2020
401dd76
Fix iOS double precision problem
Jun 2, 2020
a605e2f
Change scale value for numbers bigger than 10000000
edisolino Jun 3, 2020
10ed4c3
Respect 6 floating point digits for rounding.
edisolino Jun 8, 2020
98d8bc3
Set xsrf token (stored in cookie) as header for put, post, delete and…
edorex-benji Sep 28, 2021
a6b92b7
add xsrf header for ios plugin
matthias-at-edorex Sep 29, 2021
9b9a9cd
remove comments
matthias-at-edorex Sep 29, 2021
6241545
add CV to prefix
matthias-at-edorex Sep 29, 2021
157e167
Merge pull request #1 from edorex/feature/xsrf-token
matthias-at-edorex Sep 29, 2021
ac73c61
trimm spaces
matthias-at-edorex Sep 29, 2021
30ea77e
Update plugin with certificate pinning
Nov 26, 2024
26ee116
release v2.5.1
Nov 28, 2024
b52588f
release v2.5.1
Nov 28, 2024
e6121f5
updated version
Nov 28, 2024
86dfc92
release v2.5.1
Nov 28, 2024
4ed6b7e
release v2.5.2
Nov 28, 2024
4dca637
fixed json-import
Dec 10, 2024
a50f31d
added configuration for pinned domains
Feb 26, 2025
4c79d64
changed json config to be static
Mar 25, 2025
1921b5a
corrected fallback handling for non pinned domains and handling of pi…
lucaberger-edorex Jul 9, 2025
0630cf1
BEKBAPP-3670 android certificate handling to have multiple certs per …
lucaberger-edorex Jul 10, 2025
699a08c
BEKBAPP-3670 certificate pinning for iOS
lucaberger-edorex Jul 14, 2025
dae7619
BEKBAPP-3670 finalizing certificate pinnning mixed mode
lucaberger-edorex Jul 14, 2025
8a88294
removed 
lucaberger-edorex Jul 14, 2025
66 changes: 66 additions & 0 deletions README.md
Expand Up @@ -447,3 +447,69 @@ This plugin uses amazing cloud services to maintain quality. CI Builds and E2E t
## Contribute & Develop

We've set up a separate document for our [contribution guidelines](CONTRIBUTING.md).


## Certificate Pinning
With [BEKBAPP-3670](https://edorex.atlassian.net/browse/BEKBAPP-3670) a mixed mode of `NO PINNING` and `PINNING` got implemented.
This was necessary, as the plugin just could deal with `NO PINNING` or `PINNING` for every request / domain.
As both platforms vary in regards of their needs on `certificate pinning`, there needs to be different configuration per platform.


### Android
The file `assets/certificate_settings.json` is required.
The structure of it is as follows:
```json
{
"certificates_to_pin": [
{
"domain": "domain-a.ch",
"hashes": [
"sha256/...",
"sha256/..."
]
},
{
"domain": "domain-b.ch",
"hashes": [
"sha256/...",
"sha256/..."
]
}
]
}
```
This file will be read during plugin Initialization.
When the HTTP request being made, matches one of the domains, one of the configured hashes must match one of the corresponding certificates in the certificate chain.
ℹ️ The certificate itself still must be trusted by the OS,
the pinning is just and additional check.

⚠️ Take care of the order. Root CA's should come at last.
ℹ️ To get the `sha256-hash` execute following command:
`openssl x509 -in "certificate.pem" -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64` on a single exported certificate


### iOS
On iOS it's a bit more complex.
Relevant is the assets folder: `certificate_pinning`.
Within there the following structure is being analyzed during plugin initialization.
- certificate_pinning
- domain-a.ch
- leaf
- \<file\>.pem
- intermediate
- \<file\>.pem
- root
- \<file\>.pem
- domain-a.ch
- leaf
- \<file\>.pem
- intermediate
- \<file\>.pem
- root
- \<file\>.pem
- ...

When the HTTP request being made, matches a domain configured with the folder. It's certificates must match the ones located in the folder.

ℹ️ The certificate itself still must be trusted by the OS,
the pinning is just and additional check.
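
Review bot: The iOS section does not say how the `leaf`, `intermediate` and `root` folders are evaluated. "It's certificates must match the ones located in the folder" can be read as every level having to match or as any one level being enough, and since these are whole `.pem` certificates rather than the public-key hashes used on Android, the answer determines whether a renewed leaf certificate requires a new app release. Please state the matching rule and whether more than one `.pem` per folder is accepted for rotation. In the same tree the second entry is again `domain-a.ch`, which looks like it was meant to be `domain-b.ch`. In the Android section, "Take care of the order. Root CA's should come at last." sits next to a rule that one of the configured hashes must match one of the certificates in the chain; if any match is sufficient, the README should explain what the order of `hashes` actually affects. The `openssl` command prints a bare base64 value, so it is worth saying explicitly that it has to be prefixed with `sha256/` as in the sample JSON, and what the plugin does when `assets/certificate_settings.json` is missing or a requested domain is not listed. Smaller points: "just and additional check" should read "just an additional check" in both places, and the BEKBAPP-3670 link points to a private Jira instance that readers of the README cannot open.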