Switch the pinned target to a genuine good URL

pimterry · pimterry · commit 75ae928bc6af · 2021-11-19T18:15:57.000+01:00
It's useful if that target is actually valid, because it means
that intercepted requests in HTTP Toolkit will succeed, once
they're captured. It can be a bit confusing otherwise!
diff --git a/app/src/main/java/tech/httptoolkit/pinning_demo/MainActivity.kt b/app/src/main/java/tech/httptoolkit/pinning_demo/MainActivity.kt
@@ -28,7 +28,7 @@ import java.security.cert.CertificateFactory
 import java.security.cert.X509Certificate
 import javax.net.ssl.*
 
-const val BADSSL_UNTRUSTED_ROOT_SHA256 = "sr2tjak7H6QRi8o0fyIXGWdPiU32rDsczcIEAqA+s4g="
+const val DIGICERT_ROOT_SHA256 = "5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
 
 class MainActivity : AppCompatActivity() {
     override fun onCreate(savedInstanceState: Bundle?) {
@@ -86,7 +86,7 @@ class MainActivity : AppCompatActivity() {
         GlobalScope.launch(Dispatchers.IO) {
             onStart(R.id.unpinned)
             try {
-                val mURL = URL("https://badssl.com")
+                val mURL = URL("https://example.com")
                 with(mURL.openConnection() as HttpsURLConnection) {
                     println("URL: ${this.url}")
                     println("Response Code: ${this.responseCode}")
@@ -104,8 +104,8 @@ class MainActivity : AppCompatActivity() {
         GlobalScope.launch(Dispatchers.IO) {
             onStart(R.id.config_pinned)
             try {
-                // Untrusted in system store, trusted & pinned in network config:
-                val mURL = URL("https://untrusted-root.badssl.com")
+                // Pinned by hash in network config:
+                val mURL = URL("https://sha512.badssl.com")
                 with(mURL.openConnection() as HttpsURLConnection) {
                     println("URL: ${this.url}")
                     println("Response Code: ${this.responseCode}")
@@ -124,16 +124,16 @@ class MainActivity : AppCompatActivity() {
             onStart(R.id.okhttp_pinned)
 
             try {
-                val hostname = "badssl.com"
+                val hostname = "sha512.badssl.com"
                 val certificatePinner = CertificatePinner.Builder()
-                    .add(hostname, "sha256/${BADSSL_UNTRUSTED_ROOT_SHA256}")
+                    .add(hostname, "sha256/${DIGICERT_ROOT_SHA256}")
                     .build()
 
                 val client = OkHttpClient.Builder()
                     .certificatePinner(certificatePinner)
                     .build()
                 val request = Request.Builder()
-                    .url("https://untrusted-root.badssl.com")
+                    .url("https://sha512.badssl.com")
                     .build();
 
                 client.newCall(request).execute().use { response ->
@@ -155,7 +155,7 @@ class MainActivity : AppCompatActivity() {
         try {
             // Create an HTTP client that only trusts our specific certificate:
             val cf = CertificateFactory.getInstance("X.509")
-            val caStream = BufferedInputStream(resources.openRawResource(R.raw.example_com_digicert_ca))
+            val caStream = BufferedInputStream(resources.openRawResource(R.raw.digicert_ca))
             val ca = cf.generateCertificate(caStream)
             caStream.close()
 
@@ -179,7 +179,7 @@ class MainActivity : AppCompatActivity() {
             // Make a request using that client:
             val stringRequest = StringRequest(
                 com.android.volley.Request.Method.GET,
-                "https://example.com",
+                "https://sha512.badssl.com",
                 { _ ->
                     println("Volley success")
                     this@MainActivity.onSuccess(R.id.volley_pinned)
@@ -201,10 +201,10 @@ class MainActivity : AppCompatActivity() {
         GlobalScope.launch(Dispatchers.IO) {
             onStart(R.id.trustkit_pinned)
             try {
-                val mURL = URL("https://untrusted-root.badssl.com")
+                val mURL = URL("https://sha512.badssl.com")
                 with(mURL.openConnection() as HttpsURLConnection) {
                     this.sslSocketFactory = TrustKit.getInstance().getSSLSocketFactory(
-                            "untrusted-root.badssl.com"
+                            "sha512.badssl.com"
                     )
                     println("URL: ${this.url}")
                     println("Response Code: ${this.responseCode}")
@@ -235,19 +235,19 @@ class MainActivity : AppCompatActivity() {
                 val context = SSLContext.getInstance("TLS")
                 context.init(null, trustManager, null)
 
-                val socket = context.socketFactory.createSocket("untrusted-root.badssl.com", 443) as SSLSocket
+                val socket = context.socketFactory.createSocket("sha512.badssl.com", 443) as SSLSocket
 
                 val certs = socket.session.peerCertificates
 
-                if (!certs.any { cert -> doesCertMatchPin(BADSSL_UNTRUSTED_ROOT_SHA256, cert) }) {
+                if (!certs.any { cert -> doesCertMatchPin(DIGICERT_ROOT_SHA256, cert) }) {
                     socket.close() // Close the socket immediately without sending a request
                     throw Error("Unrecognized cert hash.")
                 }
 
                 // Send a real request, just to make it clear that we trust the connection:
                 val pw = PrintWriter(socket.outputStream)
                 pw.println("GET / HTTP/1.1")
-                pw.println("Host: untrusted-root.badssl.com")
+                pw.println("Host: sha512.badssl.com")
                 pw.println("")
                 pw.flush()
 
diff --git a/app/src/main/res/raw/badssl_untrusted_root.pem b/app/src/main/res/raw/badssl_untrusted_root.pem
diff --git a/app/src/main/res/raw/digicert_ca.pem b/app/src/main/res/raw/digicert_ca.pem
@@ -19,4 +19,4 @@ hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
 PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
 YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
 CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
------END CERTIFICATE-----
+-----END CERTIFICATE-----
diff --git a/app/src/main/res/xml/network_security_config.xml b/app/src/main/res/xml/network_security_config.xml
@@ -1,12 +1,12 @@
 <?xml version="1.0" encoding="utf-8"?>
 <network-security-config>
     <domain-config>
-        <domain includeSubdomains="false">untrusted-root.badssl.com</domain>
+        <domain includeSubdomains="false">sha512.badssl.com</domain>
         <pin-set>
-            <pin digest="SHA-256">sr2tjak7H6QRi8o0fyIXGWdPiU32rDsczcIEAqA+s4g=</pin>
+            <pin digest="SHA-256">5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w=</pin>
         </pin-set>
         <trust-anchors>
-            <certificates src="@raw/badssl_untrusted_root" />
+            <certificates src="@raw/digicert_ca" />
         </trust-anchors>
     </domain-config>
 </network-security-config>
