Skip to content
/ ssl-pin-generator Public

Simple jar to generate SSL pins based on a certificate's public key. Pins are base-64 SHA-1 hashes by default.

License

MIT license
94 stars 29 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

scottyab/ssl-pin-generator

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
dist
dist
 
 
libs
libs
 
 
src
src
 
 
.classpath
.classpath
 
 
.gitignore
.gitignore
 
 
.project
.project
 
 
LICENSE
LICENSE
 
 
readme.md
readme.md
 
 

Repository files navigation

SSL Pin Generator

Is a simple Java base util to generate SSL pins based on a certificate's Subject Public Key Info as described on Adam Langley's Weblog (a.k.a Public Key pinning). Pins are base-64 SHA-1 [default] hashes, consistent with the format Chromium uses for static certificates. See Chromium's pinsets for hostnames that are pinned in that browser.

I created this mainly to be compatible with okhttp 2.1+, but later added the option to specific which hashing algorithm can be used to make this compatible with Android's <network-security-config>

Usage

Warning you should ensure you run this on a trusted network

Either fork the project and call the SSLPinGenerator.java class directly or Download the latest release jar here.

Simply pass to hostname with optionally port, and algorithm to the jar. $ java -jar generatePins.jar <your hostname:port"> algorithm

Default

i.e $ java -jar generatePins.jar publicobject.com

or

$ java -jar generatePins.jar scottyab.com sha-256

Output:

Generating SSL pins for: publicobject.com
sha1/DmxUShsZuNiqPQsX2Oi9uv2sCnw=
sha1/SXxoaOSEzPC6BgGmxAt/EAcsajw=
sha1/blhOM3W9V/bVQhsWAcLYwPU6n24=
sha1/T5x9IXmcrQ7YuQxXnxoCmeeQ84c=

Then if you are using okhttp add them to the com.squareup.okhttp.CertificatePinner like this (from the okhttp java docs)

CertificatePinner certificatePinner = new CertificatePinner.Builder()
        .add("publicobject.com", "sha1/DmxUShsZuNiqPQsX2Oi9uv2sCnw=")
        .add("publicobject.com", "sha1/SXxoaOSEzPC6BgGmxAt/EAcsajw=")
        .add("publicobject.com", "sha1/blhOM3W9V/bVQhsWAcLYwPU6n24=")
        .add("publicobject.com", "sha1/T5x9IXmcrQ7YuQxXnxoCmeeQ84c=")
        .build();

Custom Hash,

In this exmaple we use SHA-256 to be compatible with Android's <network-security-config>

$ java -jar generatePins.jar publicobject.com sha-256 debug

Generating SSL pins for: publicobject.com
subject :  CN=publicobject.com, OU=PositiveSSL, OU=Domain Control Validated
sha-256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=
subject :  CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
sha-256/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=
subject :  CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
sha-256/grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=
subject :  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
sha-256/lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=

This also shows the debug option to print out subject name to help identifiy which pin belongs to which cert in the chain.

Further reading

Shameless plug alert!

I wrote about SSL pinning and several other interesting things you can do to make your apps more secure in the Android Security Cookbook

License

The MIT License

Copyright (c) 2014 Scott Alexander-Bown http://scottyab.com

About

Simple jar to generate SSL pins based on a certificate's public key. Pins are base-64 SHA-1 hashes by default.

Topics

java ssl-pins

Resources

Readme

License

MIT license
Activity

Stars

94 stars

Watchers

6 watching

Forks

29 forks
Report repository

Releases 2

v0.2 Latest
Apr 13, 2017
+ 1 release

Packages

No packages published

Languages