The documentation in the N Developer Preview for their network security configuration offers these instructions:
Certificate pinning is done by providing a set of certificates by hash of the public key (SubjectPublicKeyInfo of the X.509 certificate). A certificate chain is then only valid if the certificate chain contains at least one of the pinned public keys.
The XML that they show is broken (missing a closing tag), but otherwise suggests that the hash is SHA256 and encoded base64:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
            <!-- backup pin -->
            <pin digest="SHA-256">fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=</pin>
    </domain-config>
</network-security-config>
How do we create such a hash?
I tried the approach in this gist, but openssl x509 -inform der -pubkey -noout is not liking my CRT file. I cannot readily determine if the problem is in the CRT file, the instructions, my version of openssl, or something else.
Does anyone have a known good recipe for creating this hash?
openssl x509 -in cert.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
You may need to add -inform der to the first command if cert.crt is in DER form rather than in PEM form.