diff --git a/.docs/certificate-pinning.md b/.docs/certificate-pinning.md
index b28c3b477..5aed4514e 100644
--- a/.docs/certificate-pinning.md
+++ b/.docs/certificate-pinning.md
@@ -30,3 +30,8 @@ These are the steps to adjust the allowed certificates:
 3. Calculate the base64 sha256 hash of the public key in the certificate via this command: `openssl x509 -in ./app.amsterdam.nl.pem -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`
+
+### Test the new certificate
+
+- On Android, just add a random character to the fallback certificate hashes
+- On iOS, replace the fallback hashes by the hash of another environment (eg. acc.app.amsterdam.nl when testing test.app.amsterdam.nl)
diff --git a/android/app/src/main/java/nl/amsterdam/app/OkHttpClientWithCertificatePinningFactory.kt b/android/app/src/main/java/nl/amsterdam/app/OkHttpClientWithCertificatePinningFactory.kt
index d850985c1..86d03bc73 100644
--- a/android/app/src/main/java/nl/amsterdam/app/OkHttpClientWithCertificatePinningFactory.kt
+++ b/android/app/src/main/java/nl/amsterdam/app/OkHttpClientWithCertificatePinningFactory.kt
@@ -26,10 +26,6 @@ class OkHttpClientWithCertificatePinningFactory : OkHttpClientFactory {
             .add("test.app.amsterdam.nl", "sha256/i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=")
             .add("acc.app.amsterdam.nl", "sha256/i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=")
             .add("app.amsterdam.nl", "sha256/i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=")
-            // QuoVadis Global SSL ICA G2
-            .add("test.app.amsterdam.nl", "sha256/tYkfFN27P1GUjH5ME128BCg302dL2iwOYhz5wwFJb50=")
-            .add("acc.app.amsterdam.nl", "sha256/tYkfFN27P1GUjH5ME128BCg302dL2iwOYhz5wwFJb50=")
-            .add("app.amsterdam.nl", "sha256/tYkfFN27P1GUjH5ME128BCg302dL2iwOYhz5wwFJb50=")
             .build()
 
         val clientBuilder: OkHttpClient.Builder = OkHttpClientProvider.createClientBuilder()
diff --git a/ios/AmsterdamApp/AppDelegate.mm b/ios/AmsterdamApp/AppDelegate.mm
index 4d2636764..2d83cee11 100644
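Review bot: After this removal the only pin visible in the hunk for each of the three hosts is the DigiCert Global Root G2 hash, and since the `CertificatePinner` builder starts above the hunk it cannot be confirmed here that a backup pin — one for a key that is not in the chain currently served — survives. OkHttp's pinner fails closed, so a re-issuance under any chain that does not contain that root would break every client until an app update ships; keep at least one backup pin for a not-yet-deployed key, and keep this list in step with the iOS `kTSKPublicKeyHashes` arrays, which still carry leaf, intermediate and root per host. The removed `// QuoVadis Global SSL ICA G2` line was the only label in the hunk; if the remaining `.add` calls have no label above the hunk, add `// DigiCert Global Root G2` above them so each hash can be traced to its certificate, as the iOS side does.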
--- a/ios/AmsterdamApp/AppDelegate.mm
+++ b/ios/AmsterdamApp/AppDelegate.mm
@@ -37,7 +37,6 @@ - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(
         kTSKPublicKeyHashes: @[
           @"phZEpdzfo4JocyH23+aQrL0QBSuoWBeJ/PfR5c5n2kE=", // test.app.amsterdam.nl
           @"lXt3ip5lkns+fBxV/S9MSfUx0UUdhBEmhXz5PkrAWGg=", // DigiCert G2 TLS EU RSA4096 SHA384 2022 CA1
-          @"tYkfFN27P1GUjH5ME128BCg302dL2iwOYhz5wwFJb50=", // QuoVadis Global SSL ICA G2
           @"i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=", // DigiCert Global Root G2
         ],
         kTSKEnforcePinning: @YES,
@@ -48,7 +47,6 @@ - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(
         kTSKPublicKeyHashes: @[
           @"6fXqTLHGGwijHIfl1WGZUElGgmdQ4dZqVug9l6caJm4=", // acc.app.amsterdam.nl
           @"lXt3ip5lkns+fBxV/S9MSfUx0UUdhBEmhXz5PkrAWGg=", // DigiCert G2 TLS EU RSA4096 SHA384 2022 CA1
-          @"tYkfFN27P1GUjH5ME128BCg302dL2iwOYhz5wwFJb50=", // QuoVadis Global SSL ICA G2
           @"i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=", // DigiCert Global Root G2
         ],
         kTSKEnforcePinning: @YES,
@@ -59,7 +57,6 @@ - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(
         kTSKPublicKeyHashes: @[
           @"aWo/H7b6jYpKas1mQinYbeyZptbXpKOKROf2FOQEV3s=", // app.amsterdam.nl
           @"lXt3ip5lkns+fBxV/S9MSfUx0UUdhBEmhXz5PkrAWGg=", // DigiCert G2 TLS EU RSA4096 SHA384 2022 CA1
-          @"tYkfFN27P1GUjH5ME128BCg302dL2iwOYhz5wwFJb50=", // QuoVadis Global SSL ICA G2
           @"i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=", // DigiCert Global Root G2
         ],
         kTSKEnforcePinning: @YES,
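Review bot: After this removal the `kTSKPublicKeyHashes` array for test.app.amsterdam.nl holds only the leaf, the DigiCert G2 TLS EU RSA4096 SHA384 2022 CA1 intermediate and the DigiCert Global Root G2 — three keys from the same deployed chain — so no backup pin outside that chain remains; the two following hunks (acc.app.amsterdam.nl and app.amsterdam.nl) have the same shape. With `kTSKEnforcePinning: @YES`, a re-issuance under any other chain fails every connection until an app update reaches users, so consider keeping a pin for a spare key that is not yet deployed, and set `kTSKExpirationDate` for each domain so pinning lapses on a known date instead of outliving the certificates it was computed from. Setting `kTSKReportUris` would also surface pin-validation failures before they become an outage. The `application:didFinishLaunchingWithOptions:` method that holds this configuration starts and ends outside the hunks.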