update certificate pinning logic

Author: t0thkr1s

app/src/main/java/infosecadventures/allsafe/challenges/CertificatePinning.java

@@ -13,6 +13,8 @@
 import org.jetbrains.annotations.NotNull;
 
 import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.Objects;
 
 import infosecadventures.allsafe.R;
@@ -27,21 +29,28 @@
 
 public class CertificatePinning extends Fragment {
 
+    private static final String INVALID_HASH = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+
     @Override
     public View onCreateView(@NonNull LayoutInflater inflater, ViewGroup container, Bundle savedInstanceState) {
         View view = inflater.inflate(R.layout.fragment_certificate_pinning, container, false);
         setHasOptionsMenu(true);
+
+        //  make an intentional request with broken config
+        //  to get the actual peer certificate chain public key hashes from  okhttp exception
+        List<String> hashes = extractPeerCertificateChain();
+
         Button test = view.findViewById(R.id.execute);
         test.setOnClickListener(v -> {
-            CertificatePinner certificatePinner = new CertificatePinner.Builder()
-                    .add("httpbin.org",
-                            "sha256/J0dKy1gw45muM4o/vm/tskFQ2BWudtp9XLxaW7OtowQ=")
-                    .add("httpbin.org",
-                            "sha256/JSMzqOOrtyOT1kmau6zKhgT676hGgczD5VMdRMyJZFA=")
-                    .build();
+
+            CertificatePinner.Builder certificatePinner = new CertificatePinner.Builder();
+            for (String hash : hashes) {
+                Log.d("ALLSAFE", hash);
+                certificatePinner.add("httpbing.org", hash);
+            }
 
             OkHttpClient okHttpClient = new OkHttpClient.Builder()
-                    .certificatePinner(certificatePinner)
+                    .certificatePinner(certificatePinner.build())
                     .build();
 
             Request request = new Request.Builder()
@@ -51,6 +60,7 @@ public View onCreateView(@NonNull LayoutInflater inflater, ViewGroup container,
             okHttpClient.newCall(request).enqueue(new Callback() {
                 @Override
                 public void onFailure(@NotNull Call call, @NotNull IOException e) {
+                    Log.d("ALLSAFE", e.getMessage());
                     requireActivity().runOnUiThread(() -> SnackUtil.INSTANCE.simpleMessage(requireActivity(), e.getMessage()));
                 }
 
@@ -67,4 +77,39 @@ public void onResponse(@NotNull Call call, @NotNull Response response) throws IO
         });
         return view;
     }
+
+    private List<String> extractPeerCertificateChain() {
+        List<String> chain = new ArrayList<>();
+
+        OkHttpClient okHttpClient = new OkHttpClient.Builder()
+                .certificatePinner(new CertificatePinner.Builder()
+                        .add("httpbin.org", INVALID_HASH)
+                        .build())
+                .build();
+
+        Request request = new Request.Builder()
+                .url("https://httpbin.org/json")
+                .build();
+
+        okHttpClient.newCall(request).enqueue(new Callback() {
+            @Override
+            public void onFailure(@NotNull Call call, @NotNull IOException e) {
+                requireActivity().runOnUiThread(() -> {
+                    String[] lines = e.getMessage().split(System.getProperty("line.separator"));
+                    for (String line : lines) {
+                        if (!line.trim().equals(INVALID_HASH) && line.trim().startsWith("sha256")) {
+                            String pin = line.trim().split(":")[0].trim();
+                            chain.add(pin);
+                        }
+                    }
+                });
+            }
+
+            @Override
+            public void onResponse(@NotNull Call call, @NotNull Response response) {
+
+            }
+        });
+        return chain;
+    }
 }