1

I want to pin a self-signed certificate.

According to the Android Developer Guide Pin certificates I assume the following configuration should work:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">192.168.0.199</domain>
            <pin-set expiration="2022-10-22">
                <pin digest="SHA-256">SZBI91U8Y1j4toZoG5cTRbzl7Nr+aeTb3a8IWy9LKy0=</pin>
            </pin-set>
    </domain-config>
</network-security-config>

However, I only get the following error:

 java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

I thought the point of pinning the certificate explicitly was to avoid the need for a trust anchor.

When I add the self-signed cert as trust anchor: Add the certificate file as Resources/raw/server.cert for the Android project (same as network-security-config.xml) and change network-security-config.xml to:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">192.168.0.199</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="@raw/server" />
        </trust-anchors>
        <pin-set expiration="2022-10-22">
            <pin digest="SHA-256">SZBI91U8Y1j4toZoG5cTRbzl7Nr+aeTb3a8IWy9LKy0=</pin>
        </pin-set>
    </domain-config>
</network-security-config>

I get the error:

Hostname 192.168.0.199 not verified:
certificate: sha1/pRy8qhJSgP6btrNTqGNFxO8Yd9g=
DN: CN=192.168.0.199,O=myorg,ST=Some-State,C=DE\
subjectAltNames: []

The hostname is the CN in the certificate and I got the SHA256 pin value from gnutls-cli.

Questions

  • What's wrong with my configuration? How can I pin the certificate?
  • Is there another way to get the SHA256 pin value for a certificate?
  • Do I need to add the cert file as trust anchor?
  • Is there an alternative way to pin the certificate?
  • Is the IP allowed as hostname? If not how to pin certificates for IPs?

thanks in advance

Update 2021-11-08 I found a partial solution: Since my certificate was created for an IP address instead of a host name, the IP address must be in the subject alt name field of the certificate. Then the certificate needs to be added as trust-achor in the base-config.

What I still don't understand is why I need to add the certifcate instead of the pin.

wierob
  • 4,299
  • 1
  • 26
  • 27
  • The link below about how to fix the issue would be helpful. https://stackoverflow.com/questions/39264056/android-java-security-cert-certpathvalidatorexception-trust-anchor-for-certific – Wendy Zang - MSFT Oct 26 '21 at 05:34
  • I don't think this works for me. Since I'm using a self-signed certiface, there is no intermediate certificate that I could add on the server side. Furthermore, the point of the configuration point is to avoid setting up certificate validation in code. – wierob Oct 26 '21 at 12:09

0 Answers0