datatheorem / TrustKit-Android

Easy SSL pinning validation and reporting for Android.
MIT License

Localhost and Pins Exception #25

Closed jazzyjester closed 6 years ago

jazzyjester commented 6 years ago

Hello, thank you for such a great library. I'm currently implementing it for our app. Basically, it works.

But we have a localhost domain in network_sec_config.xml. When running the app, the library throws an exception:

    DomainValidator domainValidator = DomainValidator.getInstance(false);
    if (!domainValidator.isValid(hostname)) {
        throw new ConfigurationException("Tried to pin an invalid domain: " + hostname);
    }

@jobot0 Can you help please?

I see that `DomainValidator domainValidator = DomainValidator.getInstance(false);` is always initialised with false, and that's why it fails: `allowLocal && hostnameRegex.isValid(domain)` returns false because allowLocal is always false.

BTW, localhost sits inside a different [domain-config] without a [pin-set], and your library throws an exception when no pins are provided there. I don't want pins there.

Thanks for the help...

Jazzy.

nabla-c0d3 commented 6 years ago

Hello, thanks for the report. Just to make sure we understand the issue, can you post your full network_sec_config.xml?

jazzyjester commented 6 years ago

@nabla-c0d3 Sure, here it is:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false"/>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">cloudfront.net</domain>
        <domain includeSubdomains="true">amazonaws.com</domain>
        <domain includeSubdomains="true">localhost</domain>
        <pin-set>
            <pin digest="SHA-256">XXX</pin>
            <pin digest="SHA-256">XXX</pin>
        </pin-set>
        <trustkit-config enforcePinning="false"/>
    </domain-config>

    <domain-config>
        <domain includeSubdomains="true">URL1</domain>
        <pin-set>
            <pin digest="SHA-256">XXX</pin>
            <pin digest="SHA-256">XXX</pin>
        </pin-set>
        <trustkit-config enforcePinning="true"/>
    </domain-config>

    <domain-config>
        <domain includeSubdomains="true">URL2</domain>
        <pin-set>
            <pin digest="SHA-256">XXX</pin>
            <pin digest="SHA-256">XXX</pin>
        </pin-set>
        <trustkit-config enforcePinning="true"/>
    </domain-config>

</network-security-config>
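
As an added example (not code from this thread or from TrustKit itself), the class below runs the posted domain entries through commons-validator's DomainValidator with allowLocal set both ways, so the rejection of localhost described above can be reproduced outside the app; the config string is a constructed excerpt with the pins elided as XXX like in the thread, and the class name PinConfigCheck is hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.commons.validator.routines.DomainValidator;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class PinConfigCheck {
    // Constructed excerpt of the config posted above; pins are elided as XXX, as in the thread.
    static final String CONFIG =
        "<network-security-config>"
      + "  <domain-config cleartextTrafficPermitted=\"true\">"
      + "    <domain includeSubdomains=\"true\">localhost</domain>"
      + "    <pin-set><pin digest=\"SHA-256\">XXX</pin></pin-set>"
      + "    <trustkit-config enforcePinning=\"false\"/>"
      + "  </domain-config>"
      + "  <domain-config>" // localhost again, this time without any pin-set
      + "    <domain includeSubdomains=\"true\">localhost</domain>"
      + "  </domain-config>"
      + "</network-security-config>";
    // Validates every <domain> with the given allowLocal flag; returns the rejected hosts.
    static List<String> rejectedDomains(String xml, boolean allowLocal) throws Exception {
        DomainValidator validator = DomainValidator.getInstance(allowLocal);
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Document doc = factory.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        List<String> rejected = new ArrayList<>();
        NodeList configs = doc.getElementsByTagName("domain-config");
        for (int i = 0; i < configs.getLength(); i++) {
            Element cfg = (Element) configs.item(i);
            boolean hasPins = cfg.getElementsByTagName("pin-set").getLength() > 0;
            NodeList domains = cfg.getElementsByTagName("domain");
            for (int j = 0; j < domains.getLength(); j++) {
                String host = domains.item(j).getTextContent().trim();
                if (!validator.isValid(host)) {
                    rejected.add(host + (hasPins ? " (pinned)" : " (no pin-set)"));
                }
            }
        }
        return rejected;
    }
    public static void main(String[] args) throws Exception {
        System.out.println("allowLocal=false rejects " + rejectedDomains(CONFIG, false));
        System.out.println("allowLocal=true  rejects " + rejectedDomains(CONFIG, true));
    }
}
```

With allowLocal=false both localhost entries are rejected, which matches the ConfigurationException quoted above; with allowLocal=true the list is empty.
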
nabla-c0d3 commented 6 years ago

Thanks! We'll take a look.

jazzyjester commented 6 years ago

Hey @nabla-c0d3, did you have a chance to look into it? Thanks...

jazzyjester commented 6 years ago

Hey @nabla-c0d3, did you have a chance to look into it? Thanks...

jobot0 commented 6 years ago

Hi @jazzyjester, I'm checking into this issue. Sorry for the delay in our answer.

jazzyjester commented 6 years ago

Hey @jobot0, almost 2 months have passed and we are waiting for this fix. Any news regarding this ticket?

jobot0 commented 6 years ago

Should be solved with #29. I'm closing this issue.