API Gateway 11 - MAG 4.2.2 - OTK 4.6.1 - MAG SDK 2.3
We configured the SSL Pinning for trusting only the Intermediate Certificate as described here:
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/mobile-sdk-for-ca-mobile-api-gateway/2-3/android-sdk/android-2-3-guide/SSL-Pinning-and-SSL-Trusted-Certificates/enable-ssl-intermediate-certificate-pinning.html
with the following code:
X509Certificate certificate = ...;
String pkHash1 = "H9hoBtopEPatTn ... ="; // Base64 string
MASSecurityConfiguration configuration = new MASSecurityConfiguration.Builder()
        .host(new Uri.Builder().encodedAuthority(HOST).build())
        .add(certificate)
        .add(pkHash1)
        .pinningMode(MASSecurityPinningMode.MAS_SECURITY_PINNING_MODE_INTERMEDIATE_CERTIFICATE)
        .build();
MASConfiguration.getCurrentConfiguration().addSecurityConfiguration(configuration);
It works.
Now the customer is changing the CA certificate (because he has changed the certificate provider) and he is expecting to maintain trust in both CAs for a temporary period.
We tried to change the code to add 2 CA certificates, in this way:
X509Certificate certificate1 = ...;
String pkHash1 = "H9hoBtopEPatTn ... ="; // Base64 string
X509Certificate certificate2 = ...;
String pkHash2 = "X1js78topEPatTx ... ="; // Base64 string
MASSecurityConfiguration configuration = new MASSecurityConfiguration.Builder()
        .host(new Uri.Builder().encodedAuthority(HOST).build())
        .add(certificate1)
        .add(pkHash1)
        .add(certificate2)
        .add(pkHash2)
        .pinningMode(MASSecurityPinningMode.MAS_SECURITY_PINNING_MODE_INTERMEDIATE_CERTIFICATE)
        .build();
MASConfiguration.getCurrentConfiguration().addSecurityConfiguration(configuration);
but it does not work.
How can we create a configuration validating only the intermediate certificate trusting 2 CAs?
Release: 2.3
The engineering team is planning a solution for this scenario; this will be in the next version of the SDK, which is planned by the end of the year.
There is a hotfix available which can be requested through support, which adds a function to resolve this situation.
We have updated the Android SDK with a new pinning mode configuration (MAS_SECURITY_PINNING_MODE_ANY_ONE_CERTIFICATE).
In this mode the SDK allows requests if any one of the certificates passed via the security configuration is valid with respect to the server certificate chain.
Sample usage:
X509Certificate certificate1 = ...;              // existing certificate
String pkHash1 = "H9hoBtopEPatTn ... =";         // Base64 string, existing certificate hash
X509Certificate certificate2 = ...;              // new certificate
String pkHash2 = "X1js78topEPatTx ... =";        // Base64 string, new certificate hash
MASSecurityConfiguration configuration = new MASSecurityConfiguration.Builder()
        .host(new Uri.Builder().encodedAuthority(HOST).build())
        .add(certificate1)
        .add(pkHash1)
        .add(certificate2)
        .add(pkHash2)
        .pinningMode(MASSecurityPinningMode.MAS_SECURITY_PINNING_MODE_ANY_ONE_CERTIFICATE)
        .build();
MASConfiguration.getCurrentConfiguration().addSecurityConfiguration(configuration);
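As an added example that is not part of this thread or of the MAG SDK, the plain-Java helper below mirrors the "any one certificate" rule the answer describes and shows how a pkHash value can be derived from a CA certificate file. It assumes, as in HPKP-style pinning, that a pin is the Base64 of SHA-256 over the certificate's DER-encoded SubjectPublicKeyInfo; confirm that against the SDK documentation before using it to produce pkHash values, and note that the class name and file paths are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Set;

/**
 * Hypothetical helper, not part of the MAG SDK: accepts a server chain when
 * ANY ONE pinned intermediate public-key hash appears in it, so the old and
 * the new CA can both be pinned during the rotation described above.
 * Assumption: a pin is Base64(SHA-256(DER SubjectPublicKeyInfo)).
 */
public final class IntermediatePinCheck {
    /** Computes the pin value for one certificate (assumed hash input, see above). */
    public static String pinOf(X509Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return Base64.getEncoder().encodeToString(digest);
    }

    /** chain[0] is the leaf, chain[1..] the intermediates (and maybe the root) as sent
     *  by the server. Pinning complements the normal trust-manager chain validation,
     *  which must already have passed; it never replaces it. */
    public static boolean anyIntermediateMatches(X509Certificate[] chain,
                                                 Set<String> pins) throws Exception {
        if (chain == null || chain.length < 2) {
            return false; // no intermediate was presented: nothing to pin against
        }
        for (int i = 1; i < chain.length; i++) {
            if (pins.contains(pinOf(chain[i]))) {
                return true; // old or new CA matched: request allowed
            }
        }
        return false; // neither pinned CA is in the chain: reject
    }

    /** Usage: java IntermediatePinCheck old-ca.pem new-ca.pem  (prints each pin). */
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (String path : args) {
            try (InputStream in = new FileInputStream(path)) {
                X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
                System.out.println(path + " -> " + pinOf(cert));
            }
        }
    }
}
```

Once the rotation is complete, drop the old CA's certificate and hash from the configuration so the app stops honouring a CA that is no longer in use.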