
feat: (android) Support pinning on the certificate chain#78

Open
jifang wants to merge 1 commit into diefferson:master from jifang:support-root-certificate

Conversation


@jifang jifang commented Mar 11, 2025

Added support for pinning on the server's root and intermediate certificates. Previously, Android only supported pinning on the leaf certificate. This change improves operational flexibility by allowing pinning on the certificate chain, reducing downtime when issuing new server certificates.

#54

@diefferson
Owner

Hi @jifang, this seems a good improvement, but when we enable validation of the root and intermediate certificates we are opening up to any certificate from the same provider being valid, which I mentioned on this issue.
To summarize, pinning the root or intermediate certificate in your app will give you the flexibility to not update the certificate when it expires, but opens the door to certificate pinning attacks.

For example, this root certificate is valid for any certificate generated by Let's Encrypt:

9D 7C 3F 1A A6 AD 2B 2E C0 D5 CF 1E 24 6F 8D 9A E6 CB C9 FD 07 55 AD 37 BB 97 4B 1F 2F B6 03 F3

You can check it with the sites https://www.mozilla.org and https://www.noodle.cx; both will be considered secure using this fingerprint.
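To make the trade-off in this thread concrete, here is an added Python example (not code from the plugin or from this PR) that models the two matching policies with constructed stand-in certificates and SHA-256 fingerprints; the `Cert` class, `pin_matches` and the sample chains are assumptions made for the illustration, not the plugin's API.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed for this example)."""
    subject: str
    issuer: str
    der: bytes  # constructed placeholder bytes, not a real DER encoding

    def fingerprint(self) -> str:
        # SHA-256 over the certificate bytes, the form pin tools usually report.
        return hashlib.sha256(self.der).hexdigest()


def pin_matches(chain: list[Cert], pins: set[str], leaf_only: bool) -> bool:
    """Return True if any pinned fingerprint is found among the compared certs.

    leaf_only=True  -> only chain[0] (the server's leaf) is compared (old behaviour).
    leaf_only=False -> every certificate in the chain is compared (this PR).
    """
    candidates = chain[:1] if leaf_only else chain
    return any(c.fingerprint() in pins for c in candidates)


# Constructed sample: one shared root and intermediate, two different server leaves.
ROOT = Cert("Example Root CA", "Example Root CA", b"constructed-root")
INTERMEDIATE = Cert("Example Intermediate", "Example Root CA", b"constructed-intermediate")
LEAF_A = Cert("a.example", "Example Intermediate", b"constructed-leaf-a")
LEAF_B = Cert("b.example", "Example Intermediate", b"constructed-leaf-b")

CHAIN_A = [LEAF_A, INTERMEDIATE, ROOT]
CHAIN_B = [LEAF_B, INTERMEDIATE, ROOT]


def demo() -> dict:
    """Compare pinning the intermediate against pinning only a.example's leaf."""
    chain_pins = {INTERMEDIATE.fingerprint()}  # pin the intermediate, as the PR allows
    leaf_pins = {LEAF_A.fingerprint()}         # pin the leaf only, the previous behaviour
    return {
        # Any leaf issued under the same intermediate is accepted, including b.example.
        "intermediate_pin_accepts_a": pin_matches(CHAIN_A, chain_pins, leaf_only=False),
        "intermediate_pin_accepts_b": pin_matches(CHAIN_B, chain_pins, leaf_only=False),
        # Leaf pinning accepts exactly the pinned server certificate.
        "leaf_pin_accepts_a": pin_matches(CHAIN_A, leaf_pins, leaf_only=True),
        "leaf_pin_accepts_b": pin_matches(CHAIN_B, leaf_pins, leaf_only=True),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The second result is the point of the comment above: with a chain pin, every certificate issued under that intermediate passes, so the pin no longer identifies one server.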
