Certificate pinning
Certificate pinning checks that the Risk Engine backend server's certificate matches a known copy of that certificate bundled with the application.
To use certificate pinning, the application passes an array of X509Certificate objects (including the leaf certificate) to OIP Risk Management's GAHCoreConfig and hands the GAHCoreConfig object to initialize().
You can also configure the TLS connection settings. OIP Risk Management applies its default configuration if the application does not set them.
Note
Overriding the connection settings or attributes/parameters is not recommended in a production environment. Allowing self-signed certificates and hostname mismatches weakens the security of the communication link with the server. Insecure connections are not permitted in Release mode.
Android (Java):

    /* Set certificate array to GAH Core config */
    final X509Certificate[] certificates = new X509Certificate[1];
    certificates[0] = AppUtils.getCertificate(this, R.raw.digital_cloud_cert_leaf_cer);
    coreConfigBuilder = coreConfigBuilder.setSecureConnectionCertificates(certificates);
    if (BuildConfig.DEBUG) {
        // Debug builds only: relax the TLS checks for test servers (see the Note above)
        coreConfigBuilder = coreConfigBuilder.setSecureConnectionPermits(new GAHCoreConfig.Permit[]{
                GAHCoreConfig.Permit.INSECURE_COMMUNICATIONS,
                GAHCoreConfig.Permit.HOSTNAME_MISMATCH,
                GAHCoreConfig.Permit.SELF_SIGNED_CERTIFICATES
        });
    }
iOS (Objective-C):

    /* Set certificate array to GAH Core config */
    GAHCoreConfig *reConfig = [GAHCoreConfig getsharedConfigManagerObject];
    GAHTLSConfiguration *tlsConfiguration = [GAHTLSConfiguration new];
    #ifdef DEBUG
    // Debug builds only: relax the TLS checks for test servers (see the Note above)
    [tlsConfiguration setHostnameMismatchAllowed:YES];
    [tlsConfiguration setSelfSignedCertAllowed:YES];
    [tlsConfiguration setInsecureConnectionAllowed:YES];
    #else
    // Release builds: only self-signed certificates remain allowed; see the Note above on the security impact
    [tlsConfiguration setSelfSignedCertAllowed:YES];
    #endif
    NSString *pathToCert = [[NSBundle mainBundle] pathForResource:@"Thales_eziocloud" ofType:@"cer"];
    NSData *localValidCertificate = [NSData dataWithContentsOfFile:pathToCert];
    [reConfig GRESTLSConfiguration:@[localValidCertificate] withRESDKTLSConfiguration:tlsConfiguration];
iOS (Swift):

    /* Set certificate array to GAH Core config */
    let reConfig: GAHCoreConfig = GAHCoreConfig.getsharedConfigManagerObject()
    let tlsconfiguration: GAHTLSConfiguration = GAHTLSConfiguration()
    #if DEBUG
    // Debug builds only: relax the TLS checks for test servers (see the Note above)
    tlsconfiguration.hostnameMismatchAllowed = true
    tlsconfiguration.selfSignedCertAllowed = true
    tlsconfiguration.insecureConnectionAllowed = true
    #else
    // Release builds: only self-signed certificates remain allowed; see the Note above on the security impact
    tlsconfiguration.selfSignedCertAllowed = true
    #endif
    let pathToCert = Bundle.main.path(forResource: "Thales_eziocloud", ofType: "cer")
    let localValidCertificate = NSData(contentsOfFile: pathToCert!)
    reConfig.grestlsConfiguration([localValidCertificate!] as [Any], withRESDKTLSConfiguration: tlsconfiguration)
Certificate Renewal
The following code snippet shows how to upgrade to a new certificate during a server certificate renewal.
Warning
Certificate pinning is mandatory on the release variant of the OIP Risk Management SDK. You have to update the certificate accordingly; otherwise the OIP Risk Management SDK returns the error ERROR_CODE_NO_SSL_CERTIFICATES_PRESENT.
Android (Java):

    /* Set certificate array to GAH Core config */
    final X509Certificate[] certificates = new X509Certificate[7];
    // maintain old certificates
    certificates[0] = AppUtils.getCertificate(this, R.raw.old_root_cer);
    certificates[1] = AppUtils.getCertificate(this, R.raw.old_intermediate_cer);
    certificates[2] = AppUtils.getCertificate(this, R.raw.old_leaf_cer);
    // add new certificates
    certificates[3] = AppUtils.getCertificate(this, R.raw.new_root_cer);
    certificates[4] = AppUtils.getCertificate(this, R.raw.new_intermediate_cer_1);
    certificates[5] = AppUtils.getCertificate(this, R.raw.new_intermediate_cer_2);
    certificates[6] = AppUtils.getCertificate(this, R.raw.new_leaf_cer);
    coreConfigBuilder = coreConfigBuilder.setSecureConnectionCertificates(certificates);
iOS (Objective-C):

    /* Set certificate array to GAH Core config */
    GAHCoreConfig *reConfig = [GAHCoreConfig getsharedConfigManagerObject];
    GAHTLSConfiguration *tlsConfiguration = [GAHTLSConfiguration new];
    // maintain old certificate
    NSString *pathToOldLeafCert = [[NSBundle mainBundle] pathForResource:@"old_leaf_cer" ofType:@"cer"];
    NSData *oldLeafCert = [NSData dataWithContentsOfFile:pathToOldLeafCert];
    // add new certificate
    NSString *pathToNewLeafCert = [[NSBundle mainBundle] pathForResource:@"new_leaf_cer" ofType:@"cer"];
    NSData *newLeafCert = [NSData dataWithContentsOfFile:pathToNewLeafCert];
    [reConfig GRESTLSConfiguration:@[oldLeafCert, newLeafCert] withRESDKTLSConfiguration:tlsConfiguration];
iOS (Swift):

    /* Set certificate array to GAH Core config */
    let reConfig: GAHCoreConfig = GAHCoreConfig.getsharedConfigManagerObject()
    let tlsconfiguration: GAHTLSConfiguration = GAHTLSConfiguration()
    // maintain old certificate
    let pathToOldLeafCert = Bundle.main.path(forResource: "old_leaf_cer", ofType: "cer")
    let oldLeafCert = NSData(contentsOfFile: pathToOldLeafCert!)
    // add new certificate
    let pathToNewLeafCert = Bundle.main.path(forResource: "new_leaf_cer", ofType: "cer")
    let newLeafCert = NSData(contentsOfFile: pathToNewLeafCert!)
    reConfig.grestlsConfiguration([oldLeafCert!, newLeafCert!] as [Any], withRESDKTLSConfiguration: tlsconfiguration)
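The renewal snippets above rely on the pinned array containing a certificate the server still presents. The following is an added example, not code from the OIP Risk Management SDK or from the original page: it builds the array for setSecureConnectionCertificates() on Android, drops expired pins, warns when a pin is close to expiry and refuses an empty set, so a stale pin surfaces at startup instead of as ERROR_CODE_NO_SSL_CERTIFICATES_PRESENT in a release build. It assumes the AppUtils.getCertificate() helper from the Certificate Retrieval section and a hypothetical 30-day warning threshold.

```java
import android.content.Context;
import android.util.Log;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.concurrent.TimeUnit;

/** Added example (not SDK code): builds and checks the pinned certificate array. */
public final class PinnedCertificates {
    private static final String TAG = "PinnedCertificates";
    // Hypothetical threshold: warn this many days before a pinned certificate expires.
    private static final long WARN_DAYS = 30;

    /**
     * Loads each res/raw id with AppUtils.getCertificate() (see Certificate Retrieval).
     * Usage: coreConfigBuilder.setSecureConnectionCertificates(
     *            PinnedCertificates.load(this, R.raw.old_leaf_cer, R.raw.new_leaf_cer));
     */
    public static X509Certificate[] load(Context context, int... resIds) {
        final List<X509Certificate> usable = new ArrayList<>();
        final Date now = new Date();
        for (int resId : resIds) {
            final X509Certificate cert = AppUtils.getCertificate(context, resId);
            if (cert == null) {
                Log.e(TAG, "resource " + resId + " is not a parsable X.509 certificate");
                continue;
            }
            try {
                cert.checkValidity(now);
            } catch (CertificateExpiredException e) {
                // An expired pin can never match the chain the server presents now.
                Log.w(TAG, "skipping expired pin " + cert.getSubjectX500Principal());
                continue;
            } catch (CertificateNotYetValidException e) {
                // A renewed certificate shipped ahead of its notBefore date is kept; it matches later.
                Log.w(TAG, "pin not yet valid: " + cert.getSubjectX500Principal());
            }
            long daysLeft = TimeUnit.MILLISECONDS.toDays(cert.getNotAfter().getTime() - now.getTime());
            if (daysLeft <= WARN_DAYS) {
                Log.w(TAG, cert.getSubjectX500Principal() + " expires in " + daysLeft
                        + " days; ship the renewed certificate alongside it before then");
            }
            usable.add(cert);
        }
        if (usable.isEmpty()) {
            throw new IllegalStateException("no valid pinned certificates; release builds cannot connect");
        }
        return usable.toArray(new X509Certificate[0]);
    }
}
```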
Certificate Retrieval
The following code snippet shows how to get a certificate in the X509Certificate format.
It is assumed that the certificate file is placed in the res/raw folder of the Android application:
Android (Java):

    import android.content.Context;
    import android.util.Log;

    import java.io.BufferedInputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.security.cert.CertificateException;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;

    public static X509Certificate getCertificate(Context context, int resId)
    {
        X509Certificate certificate = null;
        InputStream caInput = null;
        try {
            // Parse the encoded X.509 certificate stored under res/raw
            final CertificateFactory factory = CertificateFactory.getInstance("X.509");
            caInput = new BufferedInputStream(context.getResources().openRawResource(resId));
            certificate = (X509Certificate) factory.generateCertificate(caInput);
            Log.i(TAG, "ca=" + certificate.getSubjectDN());
        } catch (final CertificateException exception) {
            Log.e(TAG, exception.getMessage());
        } finally {
            if (caInput != null) {
                try {
                    caInput.close();
                } catch (IOException ex) {
                    Log.e(TAG, ex.getMessage());
                }
            }
        }
        return certificate;
    }
iOS (Objective-C):

    // get the certificate path
    NSString *pathToCert = [[NSBundle mainBundle] pathForResource:@"Thales_eziocloud" ofType:@"cer"];
    // read the data
    NSData *localValidCertificate = [NSData dataWithContentsOfFile:pathToCert];
    // send it to the OIP Risk Management SDK
    [reConfig GRESTLSConfiguration:[NSArray arrayWithObjects:localValidCertificate, nil] withRESDKTLSConfiguration:tlsConfiguration];
iOS (Swift):

    // path to your certificate in the app bundle
    let pathToCert: String = Bundle.main.path(forResource: "Thales_eziocloud", ofType: "cer")!
    // read the certificate data; Data(contentsOf:) throws if the file cannot be read
    do {
        let certificateData = try Data(contentsOf: URL(fileURLWithPath: pathToCert))
        // send the certificate data to the OIP Risk Management SDK
        reConfig.grestlsConfiguration([certificateData] as [Any], withRESDKTLSConfiguration: tlsconfiguration)
    } catch let error as NSError {
        print(error.description)
    }