alexrainman / ModernHttpClient

MIT License

Pinning issue when using Authorize.net payment flow in Xamarin.Forms Webview #33

Closed tbaggett closed 5 years ago

tbaggett commented 5 years ago

There is one part of our Xamarin.Forms app that contains an embedded Webview. A remote page is loaded in the webview that contains an iframe. The iframe loads an Authorize.Net web page to complete a payment flow. This worked when using the original modernhttpclient package. However, after switching to your package, I see this exception when opening the webview:

```
[MonoDroid] UNHANDLED EXCEPTION:
[MonoDroid] System.OperationCanceledException: Certificate pinning failure: subject name mismatch. ---> Java.IO.IOException: Hostname apitest.authorize.net not verified:
[MonoDroid]     certificate: sha256/W3kCFc3dDvJHtISSXdb/QXx5WhPOOjoMIs+2y6Bxkxc=
[MonoDroid]     DN: CN=test.authorize.net,OU=Operations,O=Authorize.Net LLC,L=American Fork,ST=Utah,C=US
[MonoDroid]     subjectAltNames: [test.authorize.net, testcaptcha.authorize.net, jstest.authorize.net, apitest.authorize.net, testpartner.authorize.net, vpos2test.authorize.net, logintest.authorize.net, sandbox.authorize.net, scotest.authorize.net, statictest.authorize.net, invoicetest.authorize.net, testcontent.authorize.net, testverify.authorize.net]
[MonoDroid]   --- End of inner exception stack trace ---
[MonoDroid]   at ModernHttpClient.NativeMessageHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x004e7] in <filename unknown>:0
[MonoDroid]   at System.Net.Http.HttpClient.SendAsyncWorker (System.Net.Http.HttpRequestMessage request, System.Net.Http.HttpCompletionOption completionOption, System.Threading.CancellationToken cancellationToken) [0x000ca] in <14fa7bba5a8d48d08b3e029ab45783ca>:0
```

I added this Pin instantiation to the NativeMessageHandler constructor...

```csharp
new Pin
{
    Hostname = "apitest.authorize.net",
    PublicKeys = new string[]
    {
        "sha256/W3kCFc3dDvJHtISSXdb/QXx5WhPOOjoMIs+2y6Bxkxc=",
        "sha256/zUIraRNo+4JoAYA7ROeWjARtIoN4rIEbCpfCRQT6N6A=",
        "sha256/r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="
    }
}
```

...based on this output from the code at https://github.com/alexrainman/ModernHttpClient#how-to-obtain-server-certificate-chain-public-keys:

```
Javax.Net.Ssl.SSLPeerUnverifiedException: Certificate pinning failure!
  Peer certificate chain:
    sha256/W3kCFc3dDvJHtISSXdb/QXx5WhPOOjoMIs+2y6Bxkxc=: CN=test.authorize.net,OU=Operations,O=Authorize.Net LLC,L=American Fork,ST=Utah,C=US
    sha256/zUIraRNo+4JoAYA7ROeWjARtIoN4rIEbCpfCRQT6N6A=: CN=GeoTrust RSA CA 2018,OU=www.digicert.com,O=DigiCert Inc,C=US
    sha256/r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
  Pinned certificates for apitest.authorize.net:
    sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
```

Additional info: The URL being hit, apitest.authorize.net, is listed as one of the subjectAltNames instead of the CN, which is set to test.authorize.net. I tried adding another Pin with the test.authorize.net hostname and the same keys, but it still fails.

Any suggestions/ideas to fix this? Thanks.
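The CN-versus-SAN point in the report above, shown as an added Python example (not code from ModernHttpClient or from this thread): a verifier that only compares the hostname against the CN rejects apitest.authorize.net, while a SAN-aware verifier accepts it, and the `sha256/...` pin string is derived the same way OkHttp derives it, from the SHA-256 of the DER-encoded SubjectPublicKeyInfo. The certificate dictionary and its SPKI bytes are constructed stand-ins; real pins must come from the real certificate.

```python
import base64
import hashlib

# Constructed stand-in for the leaf certificate in the issue: the CN is
# test.authorize.net, while apitest.authorize.net appears only in the SANs.
LEAF_CERT = {
    "subject_cn": "test.authorize.net",
    "subject_alt_names": ["test.authorize.net", "apitest.authorize.net",
                          "sandbox.authorize.net"],
    # Constructed bytes standing in for the DER SubjectPublicKeyInfo.
    "spki_der": b"\x30\x82\x01\x22\x30\x0d\x06\x09constructed-spki",
}


def spki_pin(spki_der: bytes) -> str:
    """OkHttp-style pin: 'sha256/' + base64(SHA-256(DER-encoded SPKI))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: exact name, or a single leading '*' label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        # The wildcard covers exactly one label and must leave at least two
        # labels to the right, so it never matches a bare public suffix.
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def hostname_matches(cert: dict, hostname: str, cn_only: bool = False) -> bool:
    """SAN-aware check. cn_only=True reproduces a CN-only verifier, which is
    the behaviour that yields 'subject name mismatch' for apitest.authorize.net."""
    sans = cert.get("subject_alt_names") or []
    if sans and not cn_only:
        # When dNSName SANs are present they are authoritative; the CN is ignored.
        return any(_dns_name_matches(name, hostname) for name in sans)
    return _dns_name_matches(cert["subject_cn"], hostname)


def pin_check(cert: dict, hostname: str, pins: dict) -> bool:
    """Hostname must match the cert AND the cert's SPKI pin must be one of
    the pins configured for that hostname (pins: hostname -> set of pins)."""
    if not hostname_matches(cert, hostname):
        return False
    return spki_pin(cert["spki_der"]) in pins.get(hostname, set())
```

Pinning the leaf key alone (the first `sha256/` value in the chain output) is what the issue reporter needed, but pinning the intermediate or root as well, as the reporter did, keeps the app working across a leaf renewal.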

alexrainman commented 5 years ago

@tbaggett A new version has been released. I hope it solves your issue.

tbaggett commented 5 years ago

We need to test further, but initial tests look like it is solved! Thanks again for the effort you put into this.