MailCore / mailcore2

MailCore 2 provides a simple and asynchronous API to work with the e-mail protocols IMAP, POP and SMTP. The API has been redesigned from the ground up.

Public key pinning and client certificate authentication #1803

Open p-barabas opened 5 years ago

p-barabas commented 5 years ago
  1. I want to pin the public key of the IMAP and/or SMTP server over TLS. Is it possible to retrieve the certificate or public key data on the application side (on iOS and Android), or to provide the accepted certificate to the MailCore2 component?
  2. If the IMAP and/or SMTP server switches the verify-client-certificate capability on, how can I set the client certificate for MailCore2?
kundanjadhav commented 4 years ago

@p-barabas Have you got any solution?

p-barabas commented 4 years ago

Yes, it is in a private repo, since I needed to make a lot of changes in mailcore and libetpan in order to be able to build on Android 23+. The pinning is easier; only mailcore code needs to be changed: the public key or its hash needs to be set in mailcore, and in src/core/security/MCCertificateUtils.cpp you can compute the pin for the public key in the incoming stream and compare it with the stored one. On iOS you can use the Security framework; on Android, openssl is the winner.

The client certificate authentication is a bit more difficult, since you have to pass the client certificate to libetpan through mailimap.c and mailsmtp.c, and in src/low-level/imap/mailimap_ssl.c and src/low-level/smtp/mailsmtp_ssl.c you can take the client certificate and password and pass them to mailstream.
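
The pin computation described in the comment above (hash the server's public key from the incoming certificate, compare with a stored value), written out as an added stand-alone example; this is not code from the mailcore2 or libetpan projects or from the commenter. It pins the SHA-256 of the DER-encoded SubjectPublicKeyInfo (the HPKP/OkHttp-style `sha256/...` pin), which survives certificate renewal as long as the key is kept. Everything below is hypothetical: the minimal DER walker, the function names, and the sample certificates, which are constructed inline with a fake key and an unsigned signature field purely so the example runs offline. In a real build the DER certificate would come from the TLS session (for instance via OpenSSL's `i2d_X509_PUBKEY()` on Android), and the pins would be baked into the app.

```python
import base64
import hashlib


def _der_len(n: int) -> bytes:
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """Build one DER TLV; used only to construct the sample certificates."""
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf: bytes, off: int):
    """Return (tag, content_start, content_end) of the TLV at buf[off]."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = off + hdr, off + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, start, end


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 DER certificate.

    Walks Certificate -> tbsCertificate -> [version] serial sigAlg issuer
    validity subject subjectPublicKeyInfo, without a full X.509 parser.
    """
    tag, start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, off, _ = _read_tlv(cert_der, start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, nxt = _read_tlv(cert_der, off)
    if tag == 0xA0:          # explicit [0] version, absent in v1 certificates
        off = nxt
    for expected in (0x02, 0x30, 0x30, 0x30, 0x30):   # serial, sigAlg, issuer, validity, subject
        tag, _, nxt = _read_tlv(cert_der, off)
        if tag != expected:
            raise ValueError("unexpected tbsCertificate field 0x%02x" % tag)
        off = nxt
    tag, _, end = _read_tlv(cert_der, off)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[off:end]   # whole TLV, header included, as hashed by pinning schemes


def spki_pin(spki_der: bytes) -> str:
    """base64(SHA-256(SubjectPublicKeyInfo)), the usual public key pin format."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def cert_pin(cert_der: bytes) -> str:
    return spki_pin(extract_spki(cert_der))


def verify_pin(cert_der: bytes, pinned_pins) -> bool:
    """True only if the certificate's key pin is in the stored set; malformed input fails closed."""
    try:
        return cert_pin(cert_der) in set(pinned_pins)
    except ValueError:
        return False


# --- constructed sample data (fake RSA key, bogus signature; not a real certificate) ---
_RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101"))          # rsaEncryption
_SHA256_RSA_OID = der(0x06, bytes.fromhex("2a864886f70d01010b"))   # sha256WithRSAEncryption
_NULL = der(0x05, b"")


def _name(cn: str) -> bytes:
    return der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn.encode()))))


def _spki(exponent: bytes) -> bytes:
    modulus = der(0x02, b"\x00\xc8" + b"\x7d" * 30 + b"\x01")
    return der(0x30, der(0x30, _RSA_OID + _NULL) + der(0x03, b"\x00" + der(0x30, modulus + der(0x02, exponent))))


def build_sample_cert(spki: bytes, with_version: bool) -> bytes:
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0xA0, der(0x02, b"\x02")) if with_version else b""
    tbs += der(0x02, b"\x01") + der(0x30, _SHA256_RSA_OID + _NULL)
    tbs += _name("imap.example.test") + validity + _name("imap.example.test") + spki
    return der(0x30, der(0x30, tbs) + der(0x30, _SHA256_RSA_OID + _NULL) + der(0x03, b"\x00" + bytes(8)))


SAMPLE_SPKI = _spki(b"\x01\x00\x01")
SAMPLE_CERT_V3 = build_sample_cert(SAMPLE_SPKI, True)
SAMPLE_CERT_V1 = build_sample_cert(SAMPLE_SPKI, False)
ROTATED_KEY_CERT = build_sample_cert(_spki(b"\x03"), True)   # same name, different key

if __name__ == "__main__":
    pins = {cert_pin(SAMPLE_CERT_V3)}
    print("pin:", next(iter(pins)))
    print("renewed cert, same key:", verify_pin(SAMPLE_CERT_V1, pins))
    print("different key:", verify_pin(ROTATED_KEY_CERT, pins))
```

Two points worth keeping in mind when wiring this into an SSL callback: run the pin check in addition to, not instead of, normal chain validation, and ship at least one backup pin for a key that is kept offline, otherwise a key rotation bricks the app's mail access until an update is pushed.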

kundanjadhav commented 4 years ago

@p-barabas Thanks for the information.

dinhvh commented 4 years ago

@p-barabas would you be able to send pull requests for the changes you needed to make to get it working on Android properly?

kundanjadhav commented 4 years ago

Hi @p-barabas, we have tried the above changes but were unable to get pinning to work. Can you share some code for the same? It would be helpful. Thank you

p-barabas commented 4 years ago

I had no time to clean up the code and structure, but I pushed the changes into my libetpan and mailcore2 forks. The pinning and client certificate authentication code is clean. I made two pull requests, for libetpan and mailcore2. Please review and clean up the structure (mainly the dependency management). There was a lot of work with dependencies in order to build on Android 23+ because of the NDK.