Public key pinning in cronet Android version


Ali Shirvani

Mar 29, 2021, 3:46:21 AM
to net-dev
Hi all,

I tried to pin my public key while building `CronetEngine`, but I got the following error:

X509Util: Failed to validate the certificate chain, error: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

I also checked the base64 representation of the SPKI with `curl --pinnedpubkey` and it works fine. Would you please guide me on how to pin a public key in the cronet Android version?

Regards,
Ali


Ryan Sleevi

Mar 29, 2021, 12:14:03 PM
to Ali Shirvani, net-dev
While pinning in general should _never_ be encouraged, as it actively harms the security and stability of the Internet at large, if you're pinning to a private CA, Android's Network Security Config ( https://developer.android.com/training/articles/security-config ) is the preferred approach.

Is there a reason this doesn't work for you?

Note: you should not pin: to CA, to server cert, to intermediate - unless it's to a CA your organization controls and a trust store you maintain (e.g. via Security Config). Any other pinning (e.g. relying on the OS CAs) is inherently insecure and harmful.


Ali Shirvani

Mar 30, 2021, 1:25:32 AM
to net-dev, rsl...@chromium.org, net-dev, Ali Shirvani
Thanks a lot for your guidance. Honestly, I did not know about the "Network Security Config" approach. I used the following configuration for the network security config and disabled pinning in the cronet engine, but I got the same error again.

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">mydomain.org</domain>
        <trust-anchors>
            <certificates src="@raw/cert"/>
        </trust-anchors>
    </domain-config>
</network-security-config>

I've also checked the self-signed certificate with `curl -v --cacert cert.pem https://mydomain.org` and it works fine. Would you please guide me on how to debug this issue?

Regards,
Ali

Ryan Sleevi

Mar 30, 2021, 10:04:20 AM
to Ali Shirvani, net-dev, rsl...@chromium.org
You could always look at a NetLog via https://netlog-viewer.appspot.com/

It does sound like it's completely unrelated to pinning, and simply that the certificate path is not valid. Since you mentioned self-signed certificate, it's entirely possible you used a tool, such as OpenSSL, that creates invalid sequences of bytes that are "like Certificates" but not actually certificates (OpenSSL sees this as a feature, not a bug). Pinning issues would cause a different error.
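A pre-flight check for the certificate file before it goes into res/raw, added here as an example for this thread (it is not code from the thread, from Chromium or from Android): it applies strict DER rules (definite and minimal lengths, no trailing bytes, a positive serial number per RFC 5280) to a PEM or DER certificate and reports the first violation, which is the kind of malformed-but-certificate-like output the reply above describes. The sample bytes are a constructed minimal SEQUENCE, not a real certificate, and the check is structural only; it does not validate signatures or the chain.

```python
import base64

def _header(buf, pos, end):
    """Parse one tag+length under strict DER rules; return (tag, content_start, content_end)."""
    if pos + 2 > end:
        raise ValueError(f"truncated header at offset {pos}")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first == 0x80:
        raise ValueError(f"indefinite length at offset {pos - 1} (BER, not DER)")
    length = first
    if first & 0x80:  # long form: count byte, then that many big-endian length bytes
        n = first & 0x7F
        if n == 0 or pos + n > end:
            raise ValueError(f"malformed long-form length at offset {pos - 1}")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if length < 0x80 or buf[pos - n] == 0:
            raise ValueError(f"non-minimal length encoding at offset {pos - n - 1}")
    if pos + length > end:
        raise ValueError(f"element at offset {pos} overruns its container")
    return tag, pos, pos + length

def _walk(buf, start, end, path):  # check every child, recursing into constructed ones
    pos, idx = start, 0
    while pos < end:
        tag, cs, ce = _header(buf, pos, end)
        if tag & 0x20:  # constructed: SEQUENCE, SET, [0] version, ...
            _walk(buf, cs, ce, f"{path}[{idx}]")
        # serialNumber is the first INTEGER in tbsCertificate (index 0, or 1 after [0] version)
        elif tag == 0x02 and path == "cert[0]" and idx <= 1 and ce > cs and buf[cs] & 0x80:
            raise ValueError(f"{path}[{idx}]: negative serial number (RFC 5280 4.1.2.2)")
        pos, idx = ce, idx + 1

def cert_problem(data: bytes) -> str:
    """Return '' if the certificate (PEM or DER) is structurally clean DER, else the first problem."""
    try:
        if data.lstrip().startswith(b"-----BEGIN"):  # PEM: drop armor lines, strict base64 decode
            body = b"".join(ln for ln in data.splitlines() if not ln.startswith(b"-----"))
            data = base64.b64decode(body, validate=True)
        tag, cs, ce = _header(data, 0, len(data))
        if tag != 0x30:
            raise ValueError("outer element is not a SEQUENCE")
        if ce != len(data):
            raise ValueError(f"{len(data) - ce} trailing byte(s) after the certificate")
        _walk(data, cs, ce, "cert")
    except ValueError as e:
        return str(e)
    return ""
# Constructed sample, not a real certificate: SEQUENCE { SEQUENCE { [0] { INTEGER 2 }, INTEGER 5 } }
SAMPLE_OK = bytes.fromhex("300a3008a003020102020105")
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_OK) + b"\n-----END CERTIFICATE-----\n"
```

Run `cert_problem(open("cert.pem", "rb").read())` on the file referenced in the config; an empty string means the bytes are at least well-formed DER, anything else is the first structural defect a strict parser would trip on.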

Ali

Mar 30, 2021, 11:28:13 PM
to net-dev, rsl...@chromium.org, net-dev, Ali
Thanks a lot for your helpful guidance. As you guessed correctly, I had used OpenSSL to generate the self-signed certificate. I changed the tool and the issue was resolved.
Thanks again.