Change CA Intermediate Certificate after having "Enable SSL Intermediate Certificate Pinning"

Article ID: 269001

Products

CA Mobile API Gateway

Issue/Introduction

API Gateway 11 - MAG 4.2.2 - OTK 4.6.1 - MAG SDK 2.3

We configured the SSL Pinning for trusting only the Intermediate Certificate as described here:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/mobile-sdk-for-ca-mobile-api-gateway/2-3/android-sdk/android-2-3-guide/SSL-Pinning-and-SSL-Trusted-Certificates/enable-ssl-intermediate-certificate-pinning.html

with the following code:

X509Certificate certificate = ...;
String pkHash1 = "H9hoBtopEPatTn ... ="; // Base64 string

MASSecurityConfiguration configuration = new MASSecurityConfiguration.Builder()
        .host(new Uri.Builder().encodedAuthority(HOST).build())
        .add(certificate)
        .add(pkHash1)
        .pinningMode(MASSecurityPinningMode.MAS_SECURITY_PINNING_MODE_INTERMEDIATE_CERTIFICATE)
        .build();

MASConfiguration.getCurrentConfiguration().addSecurityConfiguration(configuration);

It works.

Now the customer is changing the CA certificate (because he has changed the certificate provider) and expects to keep trusting both CAs for a temporary period.

We tried to change the code to add 2 CA certificates, in this way:

X509Certificate certificate1 = ...;
String pkHash1 = "H9hoBtopEPatTn ... ="; // Base64 string
X509Certificate certificate2 = ...;
String pkHash2 = "X1js78topEPatTx ... ="; // Base64 string

MASSecurityConfiguration configuration = new MASSecurityConfiguration.Builder()
        .host(new Uri.Builder().encodedAuthority(HOST).build())
        .add(certificate1)
        .add(pkHash1)
        .add(certificate2)
        .add(pkHash2)
        .pinningMode(MASSecurityPinningMode.MAS_SECURITY_PINNING_MODE_INTERMEDIATE_CERTIFICATE)
        .build();

MASConfiguration.getCurrentConfiguration().addSecurityConfiguration(configuration);

but it does not work.

How can we create a configuration that validates only the intermediate certificate while trusting 2 CAs?

Environment

Release : 2.3

Resolution

The engineering team is planning a solution for this scenario, which will be in the next version of the SDK, planned for the end of the year.

There is a hotfix available, which can be requested through Support, that adds a function to resolve this situation.

We have updated the Android SDK with a new pinning mode configuration (MAS_SECURITY_PINNING_MODE_ANY_ONE_CERTIFICATE). In this mode the SDK allows requests if any one of the certificates passed via the security configuration is valid with respect to the server certificate chain.

Sample usage:

X509Certificate certificate1 = ...; // existing certificate
String pkHash1 = "H9hoBtopEPatTn ... ="; // Base64 string, existing certificate hash
X509Certificate certificate2 = ...; // new certificate
String pkHash2 = "X1js78topEPatTx ... ="; // Base64 string, new certificate hash

MASSecurityConfiguration configuration = new MASSecurityConfiguration.Builder()
        .host(new Uri.Builder().encodedAuthority(HOST).build())
        .add(certificate1)
        .add(pkHash1)
        .add(certificate2)
        .add(pkHash2)
        .pinningMode(MASSecurityPinningMode.MAS_SECURITY_PINNING_MODE_ANY_ONE_CERTIFICATE)
        .build();

MASConfiguration.getCurrentConfiguration().addSecurityConfiguration(configuration);
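The following stand-alone Go program is an added illustration of the "any one certificate" acceptance rule described above during a CA rotation; it is not MAS SDK code and does not reproduce the SDK's internal checks. It mints a constructed old issuing CA, new issuing CA and an unrelated CA, derives a pin for each, and accepts a server chain only when it is internally consistent and at least one configured pin matches a certificate in it. The pin encoding used here (Base64 of SHA-256 over the SubjectPublicKeyInfo, as in HPKP and OkHttp) is an assumption of this example; the article does not state how the SDK's pkHash strings are computed. Function names (mintCA, newLeaf, SPKIPin, CheckAnyOne, RotationScenario) and the host name are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mintCA creates a self-signed CA certificate. Constructed test data only.
func mintCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newLeaf issues a server certificate for host, signed by the given CA.
func newLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(100),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)). That the MAS SDK's
// pkHash strings use exactly this encoding is an assumption of this example.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// CheckAnyOne models the "any one certificate" rule from the article: the chain
// (leaf first) must be internally consistent, and at least one configured pin
// must match some certificate in it.
func CheckAnyOne(pins []string, chain []*x509.Certificate) error {
	if len(chain) == 0 {
		return errors.New("empty chain")
	}
	for i := 0; i+1 < len(chain); i++ { // each cert must be signed by the next one up
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return fmt.Errorf("chain link %d: %w", i, err)
		}
	}
	for _, c := range chain {
		got := SPKIPin(c)
		for _, want := range pins {
			if got == want {
				return nil
			}
		}
	}
	return errors.New("no configured pin matches the presented chain")
}

// RotationScenario configures pins for both the old and the new issuing CA, as
// the article's sample does, and reports which chains are accepted.
func RotationScenario() (oldOK, newOK, otherOK bool) {
	oldCA, oldKey := mintCA("Old Issuing CA", 1)
	newCA, newKey := mintCA("New Issuing CA", 2)
	otherCA, otherKey := mintCA("Unrelated CA", 3)
	pins := []string{SPKIPin(oldCA), SPKIPin(newCA)}
	host := "gateway.example.com" // constructed host name
	oldOK = CheckAnyOne(pins, []*x509.Certificate{newLeaf(host, oldCA, oldKey), oldCA}) == nil
	newOK = CheckAnyOne(pins, []*x509.Certificate{newLeaf(host, newCA, newKey), newCA}) == nil
	otherOK = CheckAnyOne(pins, []*x509.Certificate{newLeaf(host, otherCA, otherKey), otherCA}) == nil
	return
}

func main() {
	o, n, x := RotationScenario()
	fmt.Printf("old CA chain: %v, new CA chain: %v, unrelated CA chain: %v\n", o, n, x)
}
```

Once the old provider's certificates are no longer in use, the old pin should be removed from the configuration so the temporary two-CA window does not become permanent.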