datatheorem / TrustKit-Android

Easy SSL pinning validation and reporting for Android.
MIT License

Allow to get all domain policies from TrustKitConfiguration #33

Closed tomoyukim closed 6 years ago

tomoyukim commented 6 years ago

Hello, I'm trying to use TrustKit-Android with React Native. As discussed in https://github.com/datatheorem/TrustKit-Android/issues/6, I'm also going to use CertificatePinner in OkHttp3, but I need the hostname to retrieve pins from TrustKitConfiguration in this scenario.

Currently, my application has a lot of target domains like *.domain-a.com and *.domain-b.com. So, I'd like to manage domains and pins in one place in order to keep maintainability. Also, I have to insert the pinner for all domains at first because RN doesn't allow us to recreate OkHttpClient for another domain at that time.

To create the pinner for all necessary domains, I'd like to retrieve all pins from TrustKitConfiguration without a hostname. For example,

import java.util.Set;
import com.datatheorem.android.trustkit.TrustKit;
import com.datatheorem.android.trustkit.config.DomainPinningPolicy;
import com.datatheorem.android.trustkit.config.PublicKeyPin;
import com.datatheorem.android.trustkit.config.TrustKitConfiguration;
import com.facebook.react.modules.network.OkHttpClientProvider;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

// TrustKit.initializeWithNetworkSecurityConfiguration(context) must already have run
final TrustKitConfiguration config = TrustKit.getInstance().getConfiguration();
Set<DomainPinningPolicy> domainPolicies = config.getAllPolicies(); // <-- new api to retrieve all policies

// Mirror every pinned domain into OkHttp; OkHttp expects each pin as "sha256/<base64 SPKI hash>"
CertificatePinner.Builder certificatePinnerBuilder = new CertificatePinner.Builder();
for (DomainPinningPolicy domainPolicy : domainPolicies) {
    Set<PublicKeyPin> pins = domainPolicy.getPublicKeyPins();
    for (PublicKeyPin pin : pins) {
        certificatePinnerBuilder.add(domainPolicy.getHostname(), "sha256/" + pin.toString());
    }
}
CertificatePinner certificatePinner = certificatePinnerBuilder.build();

// Attach the pinner to the shared React Native client
final OkHttpClient.Builder builder = OkHttpClientProvider.createClient().newBuilder()
        .certificatePinner(certificatePinner);

I can contribute if this idea is acceptable for the library. What do you think? Thanks
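The loop above copies every pin into OkHttp as-is, which drops three things TrustKit tracks per policy: whether the policy is enforced or report-only, whether it has expired, and whether it covers subdomains. The following is an added example (not code from the issue, from TrustKit-Android, or from React Native) of a bridge that preserves those semantics. It assumes TrustKit 1.1.0+ for getAllPolicies(), that DomainPinningPolicy exposes shouldEnforcePinning(), getExpirationDate() and shouldIncludeSubdomains(), and that the React Native version in use provides OkHttpClientProvider.setOkHttpClientFactory; the class name TrustKitPinnerBridge is hypothetical.

```java
import java.util.Date;
import java.util.Set;

import com.datatheorem.android.trustkit.TrustKit;
import com.datatheorem.android.trustkit.config.DomainPinningPolicy;
import com.datatheorem.android.trustkit.config.PublicKeyPin;
import com.datatheorem.android.trustkit.config.TrustKitConfiguration;
import com.facebook.react.modules.network.OkHttpClientFactory;
import com.facebook.react.modules.network.OkHttpClientProvider;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

// Hypothetical helper, not part of TrustKit-Android or React Native.
public final class TrustKitPinnerBridge {

    private TrustKitPinnerBridge() {}

    /** Builds a CertificatePinner covering every enforced, unexpired TrustKit policy. */
    public static CertificatePinner buildPinner(TrustKitConfiguration config, Date now) {
        CertificatePinner.Builder builder = new CertificatePinner.Builder();
        for (DomainPinningPolicy policy : config.getAllPolicies()) {
            // enforcePinning="false" means TrustKit only reports mismatches; OkHttp's pinner
            // has no report-only mode, so mirroring such a policy would make it hard-fail.
            if (!policy.shouldEnforcePinning()) {
                continue;
            }
            // TrustKit stops enforcing a policy once its expiration date passes; OkHttp never would.
            Date expiration = policy.getExpirationDate();
            if (expiration != null && !now.before(expiration)) {
                continue;
            }
            String host = policy.getHostname();
            String[] pins = toOkHttpPins(policy.getPublicKeyPins());
            builder.add(host, pins);
            // includeSubdomains="true" needs its own wildcard entry: OkHttp's "*.host"
            // matches exactly one extra label and does not match host itself.
            if (policy.shouldIncludeSubdomains()) {
                builder.add("*." + host, pins);
            }
        }
        return builder.build();
    }

    /** OkHttp expects each pin as "sha256/" followed by the base64 SPKI hash TrustKit stores. */
    static String[] toOkHttpPins(Set<PublicKeyPin> pins) {
        String[] out = new String[pins.size()];
        int i = 0;
        for (PublicKeyPin pin : pins) {
            out[i++] = "sha256/" + pin.toString();
        }
        return out;
    }

    /** Installs the pinner on the client React Native uses for fetch/XHR; call before any request. */
    public static void installIntoReactNative() {
        final CertificatePinner pinner =
                buildPinner(TrustKit.getInstance().getConfiguration(), new Date());
        OkHttpClientProvider.setOkHttpClientFactory(new OkHttpClientFactory() {
            @Override
            public OkHttpClient createNewNetworkModuleClient() {
                return OkHttpClientProvider.createClient().newBuilder()
                        .certificatePinner(pinner)
                        .build();
            }
        });
    }
}
```

Call installIntoReactNative() from Application.onCreate() right after TrustKit.initializeWithNetworkSecurityConfiguration(), so the factory is registered before the React Native network module creates its client. Note that the expiration check is evaluated once at build time; a long-lived process that needs TrustKit's expiry behaviour would have to rebuild the pinner periodically. On OkHttp 4 a "**." pattern is available if policies are meant to cover nested subdomains, which the single-label "*." pattern used here does not.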

nabla-c0d3 commented 6 years ago

Hi @tomoyukim , Just to make sure we understand, you want to use TrustKit just to manage/retrieve the pinning configuration (to pass it to OkHttp), not to actually implement pinning validation; is that accurate? Thanks!

tomoyukim commented 6 years ago

Hi @nabla-c0d3, yes, you're correct. I think TrustKit-Android is very useful for me to manage pins while keeping compatibility with network_security_config.xml, even without using its validator.

nabla-c0d3 commented 6 years ago

Ok, that makes sense. Yes, the new getAllPolicies() API would be fine.

tomoyukim commented 6 years ago

Hi @nabla-c0d3, I created a PR for this proposal. If you have time, I'd really appreciate it if you could give me your review on https://github.com/datatheorem/TrustKit-Android/pull/34. Thank you.

jobot0 commented 6 years ago

Thanks @tomoyukim! Version 1.1.0 contains your PR :)