OkHttp CertificatePinner does not seem to be working


I need some help.

I'm trying to implement SSL pinning in my React Native application (v0.63).

I have already followed the documentation on the OkHttp GitHub page.

Here is the code I wrote for my application:

import com.facebook.react.modules.network.OkHttpClientFactory;
import com.facebook.react.modules.network.OkHttpClientProvider;
import com.facebook.react.modules.network.ReactCookieJarContainer;

import java.util.concurrent.TimeUnit;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

public class CustomClientFactory implements OkHttpClientFactory {

  @Override
  public OkHttpClient createNewNetworkModuleClient() {
    // Pin three SPKI hashes for the API host. Each value must be of the form
    // "sha256/<base64>"; the BuildConfig fields are injected from build.gradle.
    CertificatePinner certificatePinner = new CertificatePinner.Builder()
      .add(BuildConfig.HOSTNAME, BuildConfig.SHA_PUBLIC_KEY_1)
      .add(BuildConfig.HOSTNAME, BuildConfig.SHA_PUBLIC_KEY_2)
      .add(BuildConfig.HOSTNAME, BuildConfig.SHA_PUBLIC_KEY_3)
      .build();

    // A timeout of 0 means "no timeout" in OkHttp; these settings mirror
    // React Native's own default client, with the pinner added.
    OkHttpClient.Builder client = new OkHttpClient.Builder()
      .connectTimeout(0, TimeUnit.MILLISECONDS)
      .readTimeout(0, TimeUnit.MILLISECONDS)
      .writeTimeout(0, TimeUnit.MILLISECONDS)
      .cookieJar(new ReactCookieJarContainer())
      .certificatePinner(certificatePinner);

    OkHttpClient newClient = OkHttpClientProvider.enableTls12OnPreLollipop(client).build();

    return newClient;
  }
}

OkHttpCertPin:

import com.facebook.react.modules.network.OkHttpClientProvider;

public class OkHttpCertPin {
    // Registers the factory so that the next client React Native creates is the pinned one.
    public static void rebuildOkHttpForSslPinning() {
        OkHttpClientProvider.setOkHttpClientFactory(new CustomClientFactory());
    }
}

And this is my onCreate method in MainActivity:

  @Override
  protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    OkHttpCertPin.rebuildOkHttpForSslPinning();
  }

It allows all requests to go through, even if I use a random public key and hostname.

What did I do wrong?

I got all the public keys from SSL Labs.


Best answer:

CertificatePinner will only restrict traffic for the host BuildConfig.HOSTNAME, all other hosts will be let through. This is why your CertificatePinner isn't blocking anything.

You can create a custom network interceptor to reject all other traffic. See https://square.github.io/okhttp/interceptors/

N.B. for the future, you could implement an EventListener and print out the hosts you are connecting to and the pin from the certificate chain to help debug this.

See https://stackoverflow.com/a/66398516/1542667
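The two suggestions in the answer (refuse every host that is not pinned, and log the hosts and pins you actually see) put into one factory, as an added example that is not part of the original question or answer. The class and member names PinnedClientFactory, HostAllowlistInterceptor, PinLoggingListener and install() are my own; BuildConfig.HOSTNAME and the SHA_PUBLIC_KEY_n fields are the ones from the question, and BuildConfig.DEBUG is the field Android generates for every app. One deliberate difference from the answer's wording: the allowlist is registered with addInterceptor (an application interceptor) rather than addNetworkInterceptor, because application interceptors run before DNS resolution and the connect, so a request to an off-list host is refused without any I/O, whereas a network interceptor only runs once a connection exists.

```java
import android.util.Log;

import com.facebook.react.modules.network.OkHttpClientFactory;
import com.facebook.react.modules.network.OkHttpClientProvider;
import com.facebook.react.modules.network.ReactCookieJarContainer;

import java.io.IOException;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.TimeUnit;

import okhttp3.Call;
import okhttp3.CertificatePinner;
import okhttp3.EventListener;
import okhttp3.Handshake;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/** Example factory (not the project's code): pins BuildConfig.HOSTNAME and refuses every other host. */
public class PinnedClientFactory implements OkHttpClientFactory {
  private static final String TAG = "PinnedClient";

  // Assumed allowlist: only the pinned API host may be contacted at all.
  private static final Set<String> ALLOWED_HOSTS =
      Collections.singleton(BuildConfig.HOSTNAME);

  /** Refuses requests whose host is not in the allowlist, before any connection is opened. */
  static final class HostAllowlistInterceptor implements Interceptor {
    private final Set<String> allowed;

    HostAllowlistInterceptor(Set<String> allowed) {
      this.allowed = allowed;
    }

    @Override
    public Response intercept(Chain chain) throws IOException {
      Request request = chain.request();
      String host = request.url().host();
      if (!allowed.contains(host)) {
        // Surfaces in JavaScript as an ordinary network error; nothing is sent on the wire.
        throw new IOException("Refusing request to unpinned host: " + host);
      }
      return chain.proceed(request);
    }
  }

  /** Logs the host of every TLS handshake and the pin of each certificate the server presented. */
  static final class PinLoggingListener extends EventListener {
    @Override
    public void secureConnectEnd(Call call, Handshake handshake) {
      String host = call.request().url().host();
      if (handshake == null) {
        Log.w(TAG, "TLS handshake failed for " + host);
        return;
      }
      for (Certificate cert : handshake.peerCertificates()) {
        // CertificatePinner.pin() returns "sha256/<base64 of SPKI>", which is
        // exactly the string CertificatePinner.Builder.add(...) expects.
        Log.d(TAG, host + " -> " + CertificatePinner.pin(cert));
      }
    }
  }

  @Override
  public OkHttpClient createNewNetworkModuleClient() {
    CertificatePinner pinner = new CertificatePinner.Builder()
        .add(BuildConfig.HOSTNAME, BuildConfig.SHA_PUBLIC_KEY_1)
        .add(BuildConfig.HOSTNAME, BuildConfig.SHA_PUBLIC_KEY_2)
        .add(BuildConfig.HOSTNAME, BuildConfig.SHA_PUBLIC_KEY_3)
        .build();

    OkHttpClient.Builder builder = new OkHttpClient.Builder()
        .connectTimeout(0, TimeUnit.MILLISECONDS)   // 0 = no timeout, as in React Native's default client
        .readTimeout(0, TimeUnit.MILLISECONDS)
        .writeTimeout(0, TimeUnit.MILLISECONDS)
        .cookieJar(new ReactCookieJarContainer())
        .certificatePinner(pinner)
        // Application interceptor: runs before DNS and connect, so off-list hosts never leave the device.
        .addInterceptor(new HostAllowlistInterceptor(ALLOWED_HOSTS));

    if (BuildConfig.DEBUG) {
      // Only log pins in debug builds; release builds stay quiet.
      builder.eventListener(new PinLoggingListener());
    }

    return OkHttpClientProvider.enableTls12OnPreLollipop(builder).build();
  }

  /** Registers the factory; must run before React Native creates its first OkHttp client. */
  public static void install() {
    OkHttpClientProvider.setOkHttpClientFactory(new PinnedClientFactory());
  }
}
```

Two things to check when using this. First, setOkHttpClientFactory only affects clients created after the call, so install the factory as early as possible (MainApplication.onCreate is safer than MainActivity.onCreate); if a client already exists, OkHttpClientProvider.replaceOkHttpClient(...) swaps it. Second, a quick way to confirm the pinner is live is to put a deliberately wrong "sha256/..." value for BuildConfig.HOSTNAME in a debug build: the request to that host must now fail with an SSLPeerUnverifiedException, and the logcat lines from PinLoggingListener show the real pins to copy into the build config.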