0

We have a Xamarin.Forms project that is currently compiled for Android, iOS and UWP using .NET Standard 2.0 for the shared project.

The communication is performed through a WCF Service Contract.

In order to pin the certificate we implemented the following code as per examples. This works correctly on Android and iOS after making sure that we are using the necessary HttpClient implementations under their project properties.

using System;
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Process-wide settings for the managed networking stack: the callback is
// consulted for every TLS connection that goes through ServicePointManager.
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;

private bool ValidateServerCertificate(object sender,
                                       X509Certificate certificate,
                                       X509Chain chain,
                                       SslPolicyErrors sslPolicyErrors)
{
    // Make sure we have a certificate to check.
    if (certificate == null)
    {
        return false;
    }

    // Keep the platform's normal chain validation; pinning only narrows it.
    if (sslPolicyErrors != SslPolicyErrors.None)
    {
        return false;
    }

    // GetCertHashString() returns the SHA-1 thumbprint of the leaf certificate
    // as uppercase hex, so KnownKeys must hold thumbprints in that exact form
    // (Ordinal comparison is case-sensitive).
    return this.KnownKeys.Contains(certificate.GetCertHashString(),
                                   StringComparer.Ordinal);
}

UWP however is proving to be rather stubborn. I am unable to get the callback to fire at any stage of the communications.

I have also looked in to implementing our own X509CertificateValidator and supplying it to the WCF config however that also does nothing.

Questions

  1. Do I need to/Am I able to specify an HttpClient implementation under UWP much like you can for Android and iOS that will fix this?
  2. Is there another approach that I am currently missing?
Bijington
  • Rather than `ServicePointManager.ServerCertificateValidationCallback`, how about use `System.Net.Http.HttpClient`'s `ServerCertificateCustomValidationCallback`? – HappyNomad Sep 25 '18 at 18:46
  • @HappyNomad do you mean `HttpClientHandler`'s `ServerCertificateCustomValidationCallback`? If so I am pretty sure we did try that but it had no effect. – Bijington Sep 27 '18 at 06:49
  • @HappyNomad thanks though – Bijington Sep 27 '18 at 07:38

1 Answer

4

I would suggest you use the HttpBaseProtocolFilter class in the Windows.Web.Http namespace in your UWP app. With the HttpBaseProtocolFilter instance, you can subscribe to the HttpBaseProtocolFilter.ServerCustomValidationRequested event. In this event handler, you can perform extra validation (in addition to the OS default) of the server SSL certificate.

Breeze Liu - MSFT
  • Thank you although if I am correct and things haven't moved on from these posts: [msdn](https://social.msdn.microsoft.com/Forums/windowsapps/en-US/4dac8454-64c0-41f7-98b5-bddf184f7703/uwpignore-ssl-certificate-errors-when-using-wcf-in-uwp) and [stackoverflow](https://stackoverflow.com/questions/41150428/windows-10-universal-wcf-generated-client-setting-to-ignore-ssl-certificate-erro) then I am not able to achieve what I need using the generated WCF Service Contract code and would have to go direct using an `HttpClient`? – Bijington Sep 13 '18 at 11:44
  • There is a [blog](http://blog.infernored.com/securing-communications-via-certificate-pinning-in-uwp) where it includes the detailed code to implement certificate pinning using the `HttpClient`, you can have a try. – Breeze Liu - MSFT Sep 18 '18 at 03:01
  • Yes thank you! While the answer doesn't quite cover what I needed the blog post mentioned in your comment does. – Bijington Sep 18 '18 at 10:43
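As an added example (not code from the question, the answer, or the blog post linked in the comments), the following C# shows the filter-based approach the answer describes for a UWP project: a `Windows.Web.Http.HttpClient` built on an `HttpBaseProtocolFilter` whose `ServerCustomValidationRequested` handler rejects any connection whose leaf certificate is not in a pinned set. The class name, the pinned hash value and the `GetStringAsync` helper are placeholders chosen here; the pin is the SHA-256 hash of the DER-encoded leaf certificate, so it has to be regenerated whenever the server's certificate is replaced.

```csharp
// Added example of certificate pinning with Windows.Web.Http in a UWP app.
// Not the answer's own code; names and the pinned hash are placeholders.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Windows.Networking.Sockets;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Certificates;
using Windows.Security.Cryptography.Core;
using Windows.Web.Http;
using Windows.Web.Http.Filters;

public static class PinnedHttpClientFactory
{
    // SHA-256 hashes (hex) of the DER-encoded leaf certificates we accept.
    // Placeholder value; replace it with the hash of your own server certificate
    // (hex output of GetHashValue(HashAlgorithmNames.Sha256) for that certificate).
    private static readonly HashSet<string> PinnedLeafSha256 =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0000000000000000000000000000000000000000000000000000000000000000"
        };

    public static HttpClient Create()
    {
        var filter = new HttpBaseProtocolFilter();

        // Never let the OS show a certificate prompt; the decision is made in code.
        filter.AllowUI = false;

        // Leave IgnorableServerCertificateErrors empty. The event below is raised
        // after the OS default validation, so the pin tightens validation rather
        // than replacing it.
        filter.ServerCustomValidationRequested += OnServerCustomValidationRequested;

        return new HttpClient(filter);
    }

    private static void OnServerCustomValidationRequested(
        HttpBaseProtocolFilter sender,
        HttpServerCustomValidationRequestedEventArgs args)
    {
        Certificate leaf = args.ServerCertificate;
        if (leaf == null)
        {
            args.Reject();
            return;
        }

        // Anything the OS flagged (only possible when an error was made ignorable
        // on the filter) is a hard failure for a pinned connection.
        if (args.ServerCertificateErrorSeverity != SocketSslErrorSeverity.None)
        {
            args.Reject();
            return;
        }

        // Hash the presented leaf certificate and compare it with the pinned set.
        string leafHash = CryptographicBuffer.EncodeToHexString(
            leaf.GetHashValue(HashAlgorithmNames.Sha256));

        if (!PinnedLeafSha256.Contains(leafHash))
        {
            args.Reject();
        }
    }

    // Placeholder helper showing the client in use; a rejected pin surfaces as an
    // exception from GetAsync rather than a response.
    public static async Task<string> GetStringAsync(Uri uri)
    {
        using (HttpClient client = Create())
        {
            HttpResponseMessage response = await client.GetAsync(uri);
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }
}
```

This only protects traffic sent through the `Windows.Web.Http.HttpClient` created by the factory; as the comment thread above notes, the generated WCF proxy does not go through this client, so calls made with it are not covered. Pinning the whole leaf certificate is the simplest form to compute from the `Certificate` object UWP hands to the handler, but it breaks on every certificate renewal; keep more than one hash in the set (current and next certificate) before rotating to avoid locking clients out.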