Merged PR 33054: Remove Quovadis hashes and update readme

Remove Quovadis hashes and update readme Related work items: #123390
Amsterdam · Sep 16, 2024 · 9ce391a · 9ce391a
2 parents 9a7a88c + eb3b934
commit 9ce391a
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 7 deletions.
diff --git a/.docs/certificate-pinning.md b/.docs/certificate-pinning.md
@@ -30,3 +30,8 @@ These are the steps to adjust the allowed certificates:
 3. Calculate the base64 sha256 hash of the public key in the certificate via this command:
 
 `openssl x509 -in ./app.amsterdam.nl.pem -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`
+
+### Test the new certificate
+
+- On Android, just add a random character to the fallback certificate hashes
+- On iOS, replace the fallback hashes by the hash of another environment (eg. acc.app.amsterdam.nl when testing test.app.amsterdam.nl)
diff --git a/android/app/src/main/java/nl/amsterdam/app/OkHttpClientWithCertificatePinningFactory.kt b/android/app/src/main/java/nl/amsterdam/app/OkHttpClientWithCertificatePinningFactory.kt
@@ -26,10 +26,6 @@ class OkHttpClientWithCertificatePinningFactory : OkHttpClientFactory {
                 .add("test.app.amsterdam.nl", "sha256/i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=")
                 .add("acc.app.amsterdam.nl", "sha256/i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=")
                 .add("app.amsterdam.nl", "sha256/i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=")
-                // QuoVadis Global SSL ICA G2
-                .add("test.app.amsterdam.nl", "sha256/tYkfFN27P1GUjH5ME128BCg302dL2iwOYhz5wwFJb50=")
-                .add("acc.app.amsterdam.nl", "sha256/tYkfFN27P1GUjH5ME128BCg302dL2iwOYhz5wwFJb50=")
-                .add("app.amsterdam.nl", "sha256/tYkfFN27P1GUjH5ME128BCg302dL2iwOYhz5wwFJb50=")
                 .build()
 
         val clientBuilder: OkHttpClient.Builder = OkHttpClientProvider.createClientBuilder()

diff --git a/ios/AmsterdamApp/AppDelegate.mm b/ios/AmsterdamApp/AppDelegate.mm
@@ -37,7 +37,6 @@ - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(
         kTSKPublicKeyHashes: @[
           @"phZEpdzfo4JocyH23+aQrL0QBSuoWBeJ/PfR5c5n2kE=", // test.app.amsterdam.nl
           @"lXt3ip5lkns+fBxV/S9MSfUx0UUdhBEmhXz5PkrAWGg=", // DigiCert G2 TLS EU RSA4096 SHA384 2022 CA1 
-          @"tYkfFN27P1GUjH5ME128BCg302dL2iwOYhz5wwFJb50=", // QuoVadis Global SSL ICA G2
           @"i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=", // DigiCert Global Root G2
         ],
         kTSKEnforcePinning: @YES,
@@ -48,7 +47,6 @@ - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(
         kTSKPublicKeyHashes: @[
           @"6fXqTLHGGwijHIfl1WGZUElGgmdQ4dZqVug9l6caJm4=", // acc.app.amsterdam.nl
           @"lXt3ip5lkns+fBxV/S9MSfUx0UUdhBEmhXz5PkrAWGg=", // DigiCert G2 TLS EU RSA4096 SHA384 2022 CA1 
-          @"tYkfFN27P1GUjH5ME128BCg302dL2iwOYhz5wwFJb50=", // QuoVadis Global SSL ICA G2
           @"i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=", // DigiCert Global Root G2
         ],
         kTSKEnforcePinning: @YES,
@@ -59,7 +57,6 @@ - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(
         kTSKPublicKeyHashes: @[
           @"aWo/H7b6jYpKas1mQinYbeyZptbXpKOKROf2FOQEV3s=", // app.amsterdam.nl
           @"lXt3ip5lkns+fBxV/S9MSfUx0UUdhBEmhXz5PkrAWGg=", // DigiCert G2 TLS EU RSA4096 SHA384 2022 CA1 
-          @"tYkfFN27P1GUjH5ME128BCg302dL2iwOYhz5wwFJb50=", // QuoVadis Global SSL ICA G2
           @"i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=", // DigiCert Global Root G2
         ],
         kTSKEnforcePinning: @YES,