
I have SSL pinning implemented in the app and here are my settings.

network_security_config.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">test.test.com</domain>
        <pin-set>
            <pin digest="SHA-256">pthisisatestpin8989DmbY=</pin>
        </pin-set>
    </domain-config>
</network-security-config>

I was looking at this website which writes about generating the pin but could not figure out how.

https://calvin.my/posts/implement-and-verify-certificate-pinning-in-android

The website says: "The PIN can be obtained using the following command. It will print the pin hash in the last row of the output. Copy this hash and put it in your config file."

openssl s_client -servername api.your-domain.com -connect api.your-domain.com:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
writing RSA key
fqiLxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=

Can someone guide me on where exactly I should be running the openssl command: in CMD or in the Android terminal?

Sorry guys, I have no idea about this; thank you for your help.
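The pipeline quoted in the question runs wherever the `openssl` command-line tool is installed (a desktop shell, not the phone), and it reduces to one computation: base64 of the SHA-256 hash of the DER-encoded SubjectPublicKeyInfo of the server's leaf certificate. The script below is an added example, not code from the question or from the cited post. It assumes only that the `openssl` CLI is on the PATH, works from a certificate file rather than a live connection, and swaps `openssl rsa` for `openssl pkey` so that EC certificates produce a pin too. The certificate it generates for `test.test.com` is constructed throwaway test data, not a real server certificate.

```shell
#!/bin/sh
# Added example: derive the value for <pin digest="SHA-256"> in an Android
# network_security_config.xml from a certificate file, offline.
# Assumption: the openssl CLI is available. The pin is
#   base64( sha256( DER(SubjectPublicKeyInfo) ) )
# which is exactly what the pipeline in the question computes; "openssl pkey"
# is used instead of "openssl rsa" so it also works for EC public keys.
set -e

# spki_pin <cert.pem>: print the SPKI pin of the certificate's public key.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary \
      | openssl enc -base64
}

# key_pin <key.pem>: the same pin computed from the private key the
# certificate was issued for. The two values must match; comparing them is a
# cheap sanity check before the pin goes into the config file.
key_pin() {
    openssl pkey -in "$1" -pubout -outform der \
      | openssl dgst -sha256 -binary \
      | openssl enc -base64
}

# make_test_cert <dir>: constructed self-signed RSA certificate and key for
# the host name used in the question (test data, not a real certificate).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
      -out "$1/cert.pem" -days 1 -subj "/CN=test.test.com" >/dev/null 2>&1
}

# Stand-alone run: create a throwaway certificate, print both pins and the
# line that would go into network_security_config.xml.
tmp=$(mktemp -d)
make_test_cert "$tmp"
pin=$(spki_pin "$tmp/cert.pem")
echo "pin from certificate: $pin"
echo "pin from private key: $(key_pin "$tmp/key.pem")"
echo "<pin digest=\"SHA-256\">$pin</pin>"
rm -rf "$tmp"
```

To pin a real server, save its leaf certificate to a file (for example with the `openssl s_client` command from the question followed by `openssl x509 -out server.pem`) and run `spki_pin server.pem`; the output is the 44-character base64 string that belongs inside the `<pin>` element. Android's `<pin-set>` also accepts a backup pin, so computing a second value for the intermediate CA's certificate the same way is the usual practice, so that a certificate renewal does not lock users out.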

  • You can find another example of pinning for Android at [Certificate and Public Key Pinning](https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning). – jww Feb 09 '18 at 01:52
  • *"on where exactly I should be running the openssl commant"* - you might probably run this in CMD if you have openssl installed. Or run it in some UNIX/Linux where openssl is usually installed. But, the post you cite also provides another way of getting the pin: use SSLLabs. – Steffen Ullrich Feb 09 '18 at 06:15
