
Uploading report fails with: javax.net.ssl.SSLHandshakeException: Pin verification failed #72

Open
shenoymukesh opened this issue Apr 9, 2020 · 0 comments

Comments


shenoymukesh commented Apr 9, 2020

Describe the bug
Uploading a report would fail with "Pin verification failed" if the report-uri has the same domain as the domain for which the pinning failed. This is most likely the case for an organization.

To Reproduce
In the TrustKit sample app, www.google.com is configured with invalid pins, so pinning would fail. If the report-uri is also set to www.google.com, it would fail to upload the report with javax.net.ssl.SSLHandshakeException: Pin verification failed.
Tested this on Android version 10. This issue should be reproduced on Android version 7 and above.

Expected behavior
We should be able to successfully upload reports without applying the pinning.

TrustKit configuration
Copy and paste your XML Network Security Policy.

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">www.datatheorem.com</domain>
        <!-- Valid pins -->
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=</pin>
        </pin-set>
        <trustkit-config enforcePinning="true" disableDefaultReportUri="true">
            <report-uri>https://overmind.datatheorem.com/trustkit/report</report-uri>
        </trustkit-config>
    </domain-config>
    <domain-config enforcePinning="true">
        <domain includeSubdomains="true">www.google.com</domain>
        <pin-set>
            <!-- Invalid pins -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
        <trustkit-config enforcePinning="true" disableDefaultReportUri="true">
            <report-uri>https://www.google.com</report-uri>
        </trustkit-config>
    </domain-config>
    <domain-config enforcePinning="false">
        <domain includeSubdomains="true">localhost</domain>
        <trustkit-config
          enforcePinning="false"
          disableDefaultReportUri="true" />
    </domain-config>
</network-security-config>

App details:
TrustKit Demo app
Tested this on Android version 10. This issue should be reproduced on Android version 7 and above.

Additional context
Note that I tested the failure with the invalid-pin approach. I suppose results would be similar for a MITM attack as well?
Is it expected to apply pinning for report upload as well? If so, wouldn't it obviously fail?
Maybe I am missing something here. Please let me know.
Thanks.
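The failure mode described above is a configuration problem that can be caught before shipping: a report-uri whose host falls under a domain-config that has pins and enforcePinning="true" will itself be subject to pinning, so the failure report can never reach the collector once pinning breaks. The following checker is an added example, not part of TrustKit or this issue; it parses a Network Security Config with Python's standard library and flags every report-uri that resolves to a pinned, enforcing domain (honouring includeSubdomains). The embedded config is a trimmed, constructed copy of the one posted above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample config, trimmed from the issue above: the second
# domain-config reports to a host that it also pins with enforcement on.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">www.datatheorem.com</domain>
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
        </pin-set>
        <trustkit-config enforcePinning="true" disableDefaultReportUri="true">
            <report-uri>https://overmind.datatheorem.com/trustkit/report</report-uri>
        </trustkit-config>
    </domain-config>
    <domain-config>
        <domain includeSubdomains="true">www.google.com</domain>
        <pin-set>
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
        </pin-set>
        <trustkit-config enforcePinning="true" disableDefaultReportUri="true">
            <report-uri>https://www.google.com</report-uri>
        </trustkit-config>
    </domain-config>
</network-security-config>
"""


def domain_matches(host, domain, include_subdomains):
    """True if `host` is covered by a <domain> entry, following the
    Network Security Config rule: exact match, or a subdomain when
    includeSubdomains="true". Trailing dots and case are normalised."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if host == domain:
        return True
    return include_subdomains and host.endswith("." + domain)


def parse_domain_configs(xml_text):
    """Extract, for every <domain-config>, its domains, whether it carries
    a <pin-set>, whether TrustKit enforces pinning, and its report URIs."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    entries = []
    for dc in root.iter("domain-config"):  # iter() also visits nested configs
        tk = dc.find("trustkit-config")
        enforce = tk is not None and tk.get("enforcePinning", "false").lower() == "true"
        domains = [
            ((d.text or "").strip(), d.get("includeSubdomains", "false").lower() == "true")
            for d in dc.findall("domain")
        ]
        report_uris = (
            [(r.text or "").strip() for r in tk.findall("report-uri")] if tk is not None else []
        )
        entries.append({
            "domains": domains,
            "has_pins": dc.find("pin-set") is not None,
            "enforce": enforce,
            "report_uris": report_uris,
        })
    return entries


def find_self_pinned_report_uris(xml_text):
    """Return (report_uri, pinned_domain) pairs where the report collector's
    host is itself covered by a pinned domain-config with enforcement on.
    A report-uri in one config is checked against *every* config, since the
    collector host may be pinned by a different <domain-config> block."""
    entries = parse_domain_configs(xml_text)
    findings = []
    for entry in entries:
        for uri in entry["report_uris"]:
            host = urlparse(uri).hostname
            if not host:
                continue
            for other in entries:
                if not (other["has_pins"] and other["enforce"]):
                    continue  # no pins, or report-only mode: upload still goes through
                for domain, include_subdomains in other["domains"]:
                    if domain_matches(host, domain, include_subdomains):
                        findings.append((uri, domain))
    return findings


if __name__ == "__main__":
    for uri, domain in find_self_pinned_report_uris(SAMPLE_CONFIG):
        print(f"report-uri {uri} is covered by enforced pins for {domain}; "
              f"pin-failure reports will not be delivered")
```

On the sample config the checker reports only the www.google.com entry: overmind.datatheorem.com is not a subdomain of www.datatheorem.com, so that collector stays reachable even when pinning for www.datatheorem.com fails. Running this as a build-time lint over the app's Network Security Config is a cheap way to make sure the report channel is never hosted under the very domain whose pin failures it is meant to report.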
