Skip to content

Instantly share code, notes, and snippets.

@ibnux
Created March 4, 2017 15:49
Show Gist options
  • Save ibnux/4bf68e16e1228b6568a349c583d1cd32 to your computer and use it in GitHub Desktop.
Save ibnux/4bf68e16e1228b6568a349c583d1cd32 to your computer and use it in GitHub Desktop.
SSL Pinning Android using CloudFLare SSL
package your.package;
import android.content.Context;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
/**
* this script to be used with Android Asynchronous Networking and Image Loading
* https://github.com/koush/ion/
* and maybe for other library and SSL Connection Script
*
* Save Cloudflare Origin CA — RSA Root as CloudFlareCA.crt at assets folder in Android Studio project
* https://support.cloudflare.com/hc/en-us/articles/218689638-What-are-the-root-certificate-authorities-CAs-used-with-CloudFlare-Origin-CA-
* put this file anywhere in your src folder
*
* Use it like this
try {
KeyPinStore keystore = KeyPinStore.getInstance(this);
AsyncHttpClient.getDefaultInstance().getSSLSocketMiddleware().setSSLContext(keystore.getContext());
AsyncHttpClient.getDefaultInstance().getSSLSocketMiddleware().setTrustManagers(keystore.getTmf().getTrustManagers());
}catch (Exception e){}
* and do Ion Connection
*
* Created by Ricardo Iramar dos Santos on 14/08/2015.
* https://github.com/riramar/pubkey-pin-android/blob/master/src/org/owasp/pubkeypin/KeyPinStore.java
*/
public class KeyPinStore {
private static KeyPinStore instance = null;
private SSLContext sslContext = SSLContext.getInstance("TLS");
private TrustManagerFactory tmf;
public static synchronized KeyPinStore getInstance(Context cx) throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException, KeyManagementException{
if (instance == null){
instance = new KeyPinStore(cx);
}
return instance;
}
private KeyPinStore(Context context) throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException, KeyManagementException{
// https://developer.android.com/training/articles/security-ssl.html
// Load CAs from an InputStream
// (could be from a resource or ByteArrayInputStream or ...)
CertificateFactory cf = CertificateFactory.getInstance("X.509");
// randomCA.crt should be in the Assets directory (tip from here http://littlesvr.ca/grumble/2014/07/21/android-programming-connect-to-an-https-server-with-self-signed-certificate/)
InputStream caInput = new BufferedInputStream(context.getAssets().open("cloudflare.crt"));
Certificate ca;
try {
ca = cf.generateCertificate(caInput);
System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
} finally {
caInput.close();
}
// Create a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
// Create a TrustManager that trusts the CAs in our KeyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
// Create an SSLContext that uses our TrustManager
// SSLContext context = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null);
}
public SSLContext getContext(){
return sslContext;
}
public TrustManagerFactory getTmf(){
return tmf;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment