
I need some help.

I'm trying to implement SSL pinning in my React Native application (v0.63).

I already followed the documentation on the OkHttp GitHub page.

Here is the code I wrote for my application:

import java.util.concurrent.TimeUnit;

import com.facebook.react.modules.network.OkHttpClientFactory;
import com.facebook.react.modules.network.OkHttpClientProvider;
import com.facebook.react.modules.network.ReactCookieJarContainer;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

// Replaces the OkHttpClient that React Native's NetworkingModule uses for fetch/XHR.
public class CustomClientFactory implements OkHttpClientFactory {

  @Override
  public OkHttpClient createNewNetworkModuleClient() {
    // Pins are scoped to the host pattern given in add(); they are only checked
    // on connections to BuildConfig.HOSTNAME. Each pin must have the form
    // "sha256/<base64 SubjectPublicKeyInfo hash>".
    CertificatePinner certificatePinner = new CertificatePinner.Builder()
      .add(BuildConfig.HOSTNAME, BuildConfig.SHA_PUBLIC_KEY_1)
      .add(BuildConfig.HOSTNAME, BuildConfig.SHA_PUBLIC_KEY_2)
      .add(BuildConfig.HOSTNAME, BuildConfig.SHA_PUBLIC_KEY_3)
      .build();

    // A timeout of 0 means "no timeout", matching React Native's default client.
    OkHttpClient.Builder client = new OkHttpClient.Builder()
      .connectTimeout(0, TimeUnit.MILLISECONDS)
      .readTimeout(0, TimeUnit.MILLISECONDS)
      .writeTimeout(0, TimeUnit.MILLISECONDS)
      .cookieJar(new ReactCookieJarContainer())
      .certificatePinner(certificatePinner);

    OkHttpClient newClient = OkHttpClientProvider.enableTls12OnPreLollipop(client).build();

    return newClient;
  }
}

OkHttpCertPin:

import com.facebook.react.modules.network.OkHttpClientProvider;

public class OkHttpCertPin {
    // Registers the factory so the next client React Native creates carries the pins.
    public static void rebuildOkHttpForSslPinning() {
        OkHttpClientProvider.setOkHttpClientFactory(new CustomClientFactory());
    }
}

And this is my onCreate method in MainActivity:

  @Override
  protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    // The factory must be registered before React Native asks
    // OkHttpClientProvider for its client for the first time.
    OkHttpCertPin.rebuildOkHttpForSslPinning();
  }

It allows all requests to go through, even if I use a random public key and hostname.

What did I do wrong?

All the public keys I got from SSL Labs.

  • Tangentially: are you sure you need enableTls12OnPreLollipop? OkHttp should negotiate TLSv1.2 when it's available on Android. – Yuri Schimke Mar 01 '21 at 09:23
  • CertificatePinner will only restrict traffic for the host BuildConfig.HOSTNAME; all other hosts will be let through. What are you expecting to happen, and which hosts are you connecting to? You could implement an EventListener and print out the hosts you are connecting to and the pin from the certificate chain to help debug this. – Yuri Schimke Mar 01 '21 at 09:25
  • Oh, so what I think is wrong? What I want is for all hostnames except BuildConfig.HOSTNAME to be restricted. For now I use the interceptor method provided by OkHttp to print the request and response for each call; I think I can use the interceptor to print the host. – tiwtiwtiwtiwaaaaa Mar 01 '21 at 10:01
  • Use a network interceptor and short-circuit those requests. CertificatePinner is not this. – Yuri Schimke Mar 01 '21 at 10:58

1 Answer

CertificatePinner will only restrict traffic for the host BuildConfig.HOSTNAME; all other hosts will be let through. This is why your CertificatePinner isn't blocking anything.

You can create a custom network interceptor to reject all other traffic. See https://square.github.io/okhttp/interceptors/

N.b. for the future, you could implement an EventListener and print out the hosts you are connecting to and the pin from the certificate chain to help debug this.

See https://stackoverflow.com/a/66398516/1542667

Yuri Schimke
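The two pieces the answer describes, an interceptor that refuses every host other than the pinned one and an EventListener that prints each contacted host with the pins of the certificates it presented, as an added example. This is not code from the question, the answer, or React Native; API_HOST and the two pin values are placeholders, and the class and method names are my own.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Set;

import okhttp3.Call;
import okhttp3.CertificatePinner;
import okhttp3.EventListener;
import okhttp3.Handshake;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/** Added example: pin one host and refuse every other host before a connection is opened. */
public final class PinnedClientExample {

    // Assumed values: replace with the real API host and its pins. A pin is
    // "sha256/" followed by the base64 SHA-256 of the certificate's SubjectPublicKeyInfo.
    static final String API_HOST = "api.example.com";
    static final String[] API_PINS = {
        "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", // placeholder: current key
        "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=", // placeholder: backup key for rotation
    };

    /** Application interceptor: fails any request whose host is not on the allow-list. */
    static final class HostAllowListInterceptor implements Interceptor {
        private final Set<String> allowed;

        HostAllowListInterceptor(Set<String> allowed) {
            this.allowed = allowed;
        }

        @Override
        public Response intercept(Chain chain) throws IOException {
            Request request = chain.request();
            String host = request.url().host();
            if (!allowed.contains(host)) {
                // Throwing here short-circuits the call: no DNS lookup, no TCP connect, no TLS.
                throw new IOException("Blocked request to non-pinned host: " + host);
            }
            return chain.proceed(request);
        }
    }

    /** Prints the host of every TLS connection and the pin of each certificate it presented. */
    static final class PinLoggingListener extends EventListener {
        @Override
        public void secureConnectEnd(Call call, Handshake handshake) {
            String host = call.request().url().host();
            if (handshake == null) {
                System.out.println("host=" + host + " handshake failed");
                return;
            }
            // CertificatePinner.pin() computes exactly the string a pin list expects,
            // so the printed values can be compared with the ones in API_PINS.
            for (Certificate cert : handshake.peerCertificates()) {
                System.out.println("host=" + host + " pin=" + CertificatePinner.pin(cert));
            }
        }
    }

    /** Builds a client that pins API_HOST and refuses every other host. */
    static OkHttpClient build() {
        CertificatePinner.Builder pins = new CertificatePinner.Builder();
        for (String pin : API_PINS) {
            pins.add(API_HOST, pin);
        }
        return new OkHttpClient.Builder()
            .addInterceptor(new HostAllowListInterceptor(Collections.singleton(API_HOST)))
            .eventListener(new PinLoggingListener())
            .certificatePinner(pins.build())
            .build();
    }
}
```

Two design points. The allow-list is installed with addInterceptor rather than addNetworkInterceptor, because an application interceptor runs before OkHttp resolves or connects to the host, so a blocked request never touches the network; a network interceptor only sees the request after the connection, including the TLS handshake, is already established. And the pins are only consulted on connections to API_HOST, which is the behaviour the answer describes: with a wrong hostname in the pin list, requests to the real API are not checked at all, which is why random values appeared to "work" in the question. The printed pins from PinLoggingListener are the values to compare against what SSL Labs reports before trusting them in a release build.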