Certificate Pinning - Generate SHA256 Pinning Key from Certificate .crt file - android

I have a running Android application that implements Certificate Pinning with a SHA256 Pin. I use the https://www.ssllabs.com/ssltest tool to obtain that pin.
The current server certificate is about to expire, and a new certificate will be applied to the server. I need to generate the SHA256 Pin for the new certificate before it is applied to the server so that I can add it to the application and introduce it in an update.
I have the new certificate .crt file. Any idea how to generate the SHA256 key from the file? I have no access to the server, just the .crt file.
As per OkHttp's CertificatePinner documentation:
SHA-256 or SHA-1 hashes. Each pin is a hash of a certificate's Subject
Public Key Info, base64-encoded and prefixed with either sha256/ or
sha1/.

Try this command
openssl x509 -in my-certificate.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
Then use
"sha256/" + ${ouput hash from the command line above}.
More commands you will find at the Public Key Pinning page at the Mozilla Developer Network

Related

How to get the openssl hash corresponding to Fiddler root certificate

I'm using OpenSsl for windows.
I want to get the certificate hash associated with Fiddler's root certificate that I downloaded from:
http://ipv4.fiddler:8888/
So I'm executing from the command-line:
openssl x509 -hash -noout -in FiddlerRoot.cer
But I'm getting this error instead of getting the 8 characters long alphanumeric hash:
unable to load certificate
15176:error:0906D06C:PEM routines:PEM_read_bio:no start line:./crypto/pem/pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
The message seems related to PEM (Privacy-Enhaced Mail), but Fiddler's cert doesn't have PEM and I don't need it since I just want the cert to "Ensure the identity of a remote computer".
Maybe I got something wrong and the hash is only for other purposes?
The command does work with other certificates that I extracted from Android at /system/etc/security/cacerts/00673b5b.0. which returns 00673b5b.
I opened both certs in notepad to compare them and notice that the cert from Android is readable format and has a PEM section, while FiddlerRoot.cer is binary and no PEM, so it may have something to do.
Notice that the certificate hash is not the same as the file's CRC32 or other file hashes, but something related to SSL (I already tested if the file's hash matched with the SSL hash but it didn't).
The reason I need the cert hash is because I think Android requires certificate files to be named with the hash and the ".0" extension: [CertHash].0
and installing the cert in Android in the "user" store won't work for me, it has to be in the "system" store.
Can someone provide a way/command to get FiddlerRoot.cer hash?
Or am I mistaken in Android's naming requirement for installing FiddlerRoot.cer in the "system" store?
Is there any other way to install FiddlerRoot.cer in the "system" store without calculating the cert hash?
Notice that from Android's user interface, installing a cert goes to the "user" store, not to "system".
PEM is not just for emails, it is the file format (see wikipedia).
The FiddlerRoot.cer must be converted to .pem format before calculating the hash:
openssl x509 -inform der -in FiddlerRoot.cer -outform PEM -out FiddlerRoot.pem
And then you can finally get the hash with the command:
openssl x509 -hash -noout -in FiddlerRoot.pem

creating certificate for android volley and nodejs

I am developing an android application which can connect with multiple node server. This connection needs to be secure so i need certificates. But i cant pay to certificates. As my researches, i will create certificates for each server and sign them with my own root certificate(I also need that). Then i will pin root certificate into my android application. So i can connect multiple server from one android app. But i dont know to create this certificates and how to pin it into android application.
A CA can generate a certificate bound to an IP, but it is not usual. I agree in this case it is more appropriate to use self-generated certificates. You need
1) Create the CA certificate and SSL certificate
Extracted from here You will need openssl
Create the CA certificate
openssl genrsa -out rootCA.key 2048
openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
This will start an interactive script which will ask you for various bits of information. You will get rootCA.pem
Create one certificate for each device
openssl genrsa -out device.key 2048
openssl req -new -key device.key -out device.csr
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256
You’ll be asked various questions (Country, State/Province, etc.) in the second step insert in 'common name' the IP or name of your device. It is important to match the real name because browser or android device will validate it
2) Configure your nodejs server to use https
I have no enough knowledge of node.js to provide you a good explanation or a link, so use the official documentation. Maybe some reader could edit this and provide a link
3) add the public key and the chain of the certificate to the truststore of the android application.
Extracted here from
You will need
1) Get the public part of your CA certificate
2) Create a BKS keystore and import the certificate (only the root will be needed)
3) Use the keystore in your app. Create a Custom Apache HTTP client which uses your keystore to configure de SSL connection
The details are in the link, that is in the community wiki.
For Android Volley. Using Android Volley With Self-Signed SSL Certificate

Can a certificate of an android keystore be calculated from its fingerprint?

Using Keytool and openssl,
Given the following certificate's fingerprint of an android debug certificate:
MD5: AD:CC:28:BE:3F:E9:CD:ED:2C:07:9E:C7:44:8E:C2:44
SHA1: 43:F6:F1:D9:2C:83:5E:F3:44:B0:99:6C:28:B8:94:DA:71:FB:DD:4B
SHA256:3D:D0:AA:2B:A7:50:00:D9:64:CC:FF:F3:75:67:FB:0B:39:13:F6:8D:CC:47:55:5E:56:EB:0B:5E:61:96:0F:71
And given the SHA1 hash of the certificate, written in base 64 (using openssl sha1 -binary | openssl base64):
2Zbz2SyIGvNEsDRhKLiU2nH73Us0
Can I calculate a fingerprint to get the certifiace and vise versa to verify the certificate and its fingerprint?
No, you cannot reverse a hash function. But given several candidate certificates you could hash each of them and find out for which one the hash matches.

How do I sign an apk with a private key I made with GPG?

Is this even possible? I have a key-pair that I already made with GPG but I just can't find a way to sign it with that key. I don't really want to make a new key with keytool or whatever just for this; I'd rather use the key I have now. Anybody know how I could do this? Thanks in advance.
I very much doubt that GPG generates keys that could be used by jarsigner. It might be possible to write a converter to do this, but it would be far less work to just bite the bullet and generate a new key. The command to do this is simply
keytool -genkey -alias mynickname -validity 20000 -keystore ~/.android/my-keystore
(p.s. make a backup of the key and make very sure you don't forget either the keystore password or the key password. There are far too many sad stories of people who've put apps on the market and then forgotten or lost the password.)
I just wanna manage the OpenPGP keys only too. So here is my way.
openpgp2ssh
First install it from monkeysphere.
sudo apt install monkeysphere
Note: openpgp2ssh works only if the secret key is not password-protected and RSA keys. So it might be necessary to remove the protection.
Now, export the PGP key and hand it over to openpgp2ssh:
gpg --list-keys # show your keys with keyid.
gpg --export-secret-subkeys your#email | openpgp2ssh $SubKeyId > id_rsa
openssl rsa -in id_rsa -outform pem > key.pem
openssl req -new -key key.pem -out request.pem
openssl x509 -req -days 9999 -in request.pem -signkey key.pem -out certificate.pem
openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out key.pk8 -nocrypt
You do need to sign with jarsigner. But jarsigner is actually a little more flexible than you'd think. If you already have a signing key you want to use then you can export it out of gpg and import it into a java keystore then sign that way. If you want to attempt to do that you can try keytool but it's far easier to get Keytool Explorer because keytool has a lot of options.
Jarsigner is actually pretty flexible. This Document describes a process by which you can create your own providers. I'm surprised there isn't already one that uses the GPG keystores already. There is a way to do it with a Yubikey which is the only reason I am aware of all of this - my signing keys are safely locked away in my yubikey where even I can't get them (yes I have a secure backup somewhere).

How to retrieve a signature hash for facebook from a public private key pair?

I'm using a version of signapk for one of my projects. I sign my apk with a public, private key pair (.pk8 & .pem).
My application uses the facebook single sign on mechanism and I need a hash of the signing certificate registered with facebook to ensure that the correct app is starting the single sign on process.
Facebook gives the following example code for generating this hash:
keytool -exportcert -alias androiddebugkey -keystore ~/.android/debug.keystore
| openssl sha1 -binary
| openssl base64
I'm a little bit confused on how to generate the appropriate hash from my public key, private key pair that I use for signing.
This method works for you APK signed with your PK8 + PEM key pair. Or with any other (correctly) signed APK
Certificate could be known from *.apk file
Unzip apk file and extract META-INF\CERT.RSA file
execute:
keytool -printcert -file CERT.RSA
Check sha1 bytes
the bytes at sha1 fingerprint signature are needed to write to sha1.bin (you can use an hexadecimal editor)
just execute:
openssl base64 -in sha1.bin -out base64.txt
so, base64.txt contains the APK's FB KeyHash
Facebook hash is actually the base64 encoding of SHA1.
So you have to generate sha1 from your certificate file that ends with .pem extension!..
Command to get SHA1 from a .pem file:-
openssl x509 -fingerprint -in certificate.pem -noout
this command will return SHA1 of your .pem file, replace certicicate.pem with the name of your .pem file!...
After succesfully getting the SHA1 Now your task is to encode the SHA1 into base64 and there are alot of ways to do that, i recommend this website:
http://tomeko.net/online_tools/hex_to_base64.php?lang=en
go to this site write your SHA1 and in the last textbox you will received the encoded base64 that is the HASH for your facebook developer app!..
Download Open SSl and install in your PC.. Check this i asked this question already some answers for Question..

Categories

Resources