envoy-mobile

Cronvoy: support pinned Certificates

Open carloseltuerto opened this issue 3 years ago • 1 comments

The Cronet API supports the pinning of certificates: CronetEngine.Builder.addPublicKeyPins

        /**
         * <p>
         * Pins a set of public keys for a given host. By pinning a set of public keys,
         * {@code pinsSha256}, communication with {@code hostName} is required to
         * authenticate with a certificate with a public key from the set of pinned ones.
         * An app can pin the public key of the root certificate, any of the intermediate
         * certificates or the end-entry certificate. Authentication will fail and secure
         * communication will not be established if none of the public keys is present in the
         * host's certificate chain, even if the host attempts to authenticate with a
         * certificate allowed by the device's trusted store of certificates.
         * </p>
         * <p>
         * Calling this method multiple times with the same host name overrides the previously
         * set pins for the host.
         * </p>
         * <p>
         * More information about the public key pinning can be found in
         * <a href="https://tools.ietf.org/html/rfc7469">RFC 7469</a>.
         * </p>
         *
         * @param hostName name of the host to which the public keys should be pinned. A host that
         *                 consists only of digits and the dot character is treated as invalid.
         * @param pinsSha256 a set of pins. Each pin is the SHA-256 cryptographic
         *                   hash of the DER-encoded ASN.1 representation of the Subject Public
         *                   Key Info (SPKI) of the host's X.509 certificate. Use
         *                   {@link java.security.cert.Certificate#getPublicKey()
         *                   Certificate.getPublicKey()} and
         *                   {@link java.security.Key#getEncoded() Key.getEncoded()}
         *                   to obtain DER-encoded ASN.1 representation of the SPKI.
         *                   Although, the method does not mandate the presence of the backup pin
         *                   that can be used if the control of the primary private key has been
         *                   lost, it is highly recommended to supply one.
         * @param includeSubdomains indicates whether the pinning policy should be applied to
         *                          subdomains of {@code hostName}.
         * @param expirationDate specifies the expiration date for the pins.
         * @return the builder to facilitate chaining.
         * @throws NullPointerException if any of the input parameters are {@code null}.
         * @throws IllegalArgumentException if the given host name is invalid or {@code pinsSha256}
         *                                  contains a byte array that does not represent a valid
         *                                  SHA-256 hash.
         */
        public Builder addPublicKeyPins(String hostName, Set<byte[]> pinsSha256,
                boolean includeSubdomains, Date expirationDate)

Even though this feature is discouraged, not honoring it would presumably break some App Developers.

carloseltuerto, Jul 23 '21 16:07
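The pin format and matching rule from the Javadoc quoted above, as an added example that is not Cronet or Envoy Mobile code. The locally generated EC keys stand in for the public keys of a host's certificate chain, `chainMatches` is a hypothetical illustration of the "any key in the chain" rule rather than Cronet's implementation, and `example.test` is a placeholder host.

```java
import java.security.*;
import java.util.*;

// Added example: computes SPKI SHA-256 pins and checks a chain against a pin set.
public class SpkiPinDemo {
    // Pin = SHA-256 over the DER-encoded SubjectPublicKeyInfo; for X.509-format
    // keys PublicKey.getEncoded() returns exactly that structure.
    static byte[] pin(PublicKey key) throws NoSuchAlgorithmException {
        if (!"X.509".equals(key.getFormat()))
            throw new IllegalArgumentException("key is not SPKI-encoded");
        return MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
    }

    // A chain is accepted when any key in it hashes to a pinned value.
    // Set<byte[]>.contains() compares references, so compare contents instead.
    static boolean chainMatches(List<PublicKey> chain, Set<byte[]> pins)
            throws NoSuchAlgorithmException {
        for (PublicKey key : chain) {
            byte[] candidate = pin(key);
            for (byte[] p : pins)
                if (MessageDigest.isEqual(p, candidate)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        PublicKey root = gen.generateKeyPair().getPublic();    // constructed, not pinned
        PublicKey leaf = gen.generateKeyPair().getPublic();    // constructed, primary key
        PublicKey backup = gen.generateKeyPair().getPublic();  // constructed, kept offline
        PublicKey other = gen.generateKeyPair().getPublic();   // constructed, unpinned

        Set<byte[]> pins = new HashSet<>();
        pins.add(pin(leaf));    // primary pin
        pins.add(pin(backup));  // backup pin, as the Javadoc recommends

        System.out.println("pin-sha256=" + Base64.getEncoder().encodeToString(pin(leaf)));
        System.out.println("pinned chain:      " + chainMatches(List.of(leaf, root), pins));
        System.out.println("rotated to backup: " + chainMatches(List.of(backup, root), pins));
        System.out.println("unpinned chain:    " + chainMatches(List.of(other, root), pins));
        System.out.println("naive contains():  " + pins.contains(pin(leaf)));
        // With Cronet on the classpath, this set is the pinsSha256 argument:
        // builder.addPublicKeyPins("example.test", pins, false, expirationDate);
    }
}
```

The last line printed shows why a `Set<byte[]>` cannot be queried with `contains()`: arrays hash by identity, so a freshly computed pin never matches by lookup even when its bytes are identical.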

The good news here is that Envoy already has support for certificate pinning. All that should really be needed to support this is plumbing.

goaway, Jul 27 '21 20:07