frw / react-native-ssl-public-key-pinning

Simple and secure SSL public key pinning for React Native. No native configuration needed, set up in <5 minutes.

License: MIT License

Java 22.98% JavaScript 10.93% Ruby 8.28% Swift 0.15% C 0.22% Objective-C 5.71% Objective-C++ 11.02% TypeScript 35.21% Kotlin 5.50%
android ios network pki react-native ssl ssl-pinning

react-native-ssl-public-key-pinning's People

Contributors

ddikodroid, dependabot[bot], francesco-voto, frw, jakob-p, rikur


react-native-ssl-public-key-pinning's Issues

Not working, even though the pinning process succeeded

After intercepting it through Proxyman, I am still able to see the API call and request after implementing initializeSslPinning, and no errors are shown.

I just got a warning on Metro that said "Bridge was already shutdown"; is it related to the initializeSslPinning method?

(screenshot: 2024-04-26 13:31:06)

Example

```js
import { initializeSslPinning } from 'react-native-ssl-public-key-pinning';

try {
  await initializeSslPinning({
    'google.com': {
      includeSubdomains: true,
      publicKeyHashes: [
        'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=',
        'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=',
      ],
    },
  })
    .then((response) => {
      console.log('debug:response', response);
    })
    .catch((e) => {
      console.log('debug:error', e);
    });
} catch (error) {
  console.log('debug:error', error); // the original had a mismatched quote here
}
```

For the response, I got null even with the correct public key hash.

Versions

  • react-native-ssl-public-key-pinning: 1.1.3
  • Axios: 1.4.0
  • RN: 0.71.13
  • Android: API 33, OS 13 (Android Simulator)

Maybe someone can help me. Thank you.

Expo Go & Expo dev client error

```text
Error: The package 'react-native-ssl-public-key-pinning' doesn't seem to be linked. Make sure:

  • You have run 'pod install'
  • You rebuilt the app after installing the package
  • You are not using Expo Go
```

Hi, I am using Expo Go and expo-dev-client and getting an error like this.

"react-native": "0.71.8"
Expo 48

iOS 17 support: TrustKit crash (iPhone 15 physical)

Currently SSL pinning causes a crash on new iPhone 15 Pro physical devices.
I tried on the simulator (iPhone 15 and iPhone 15 Pro, iOS 17.0.0) and there are no issues.

This is breaking production devices as well.

Target device:
iPhone 15 Pro (physical)
iOS 17.0.2

react-native-ssl-public-key-pinning ^1.1.3
Xcode 15

There is no error in the console; I will have to debug further and edit this post.
But this is where Xcode crashes, in the screenshot below.

The issue seems to come from TrustKit needing a small update for version 17.0.2 (iPhone 15).

(screenshot: 2023-09-27 8:55:41 PM)

Something I've noticed that may cause an issue is that the iPhone 15 Pro (physical) is read as an iPhone 16 in signature binaries. I believe this is a mistake from Apple; I am not sure if this affects TrustKit or SSL pinning, but it is worth mentioning.

Can't properly initialize the pinning instance

Hi! So, I've been trying to implement this lib in my react-native project, but it doesn't seem to correctly pin the certificate.
Problem: I need to make HTTPS requests to a server that uses wildcard certificates. The only other workaround was react-native-ssl-pinning, and it works just fine, but since I need to make many API calls to different endpoints, some of which require auth headers and such, I didn't want to change all the Axios instances.

The actual question is: where should initializeSslPinning be called? I have tried several ways, but still get the same old error (the following only happens on Android devices):

```text
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
```

Kind regards,
Rafael.

SSL Pinning with Axios (expo)

Hello

First of all, thank you for developing and maintaining the react-native-ssl-public-key-pinning library.

We are currently using Axios for making HTTP requests in our application, and we would like to apply SSL pinning to these requests using your library.

We have noticed that the library's examples use the fetch API.

My Question:
Can we apply the SSL pinning initialized by react-native-ssl-public-key-pinning to the HTTP requests made with Axios, and if so, could you provide us with an example of how this can be achieved?

Axios and fetch are different APIs that may not share the same underlying network transport, and there may be no guarantee that Axios will use the same networking stack that fetch (and presumably react-native-ssl-public-key-pinning) uses.

If Axios is not compatible with react-native-ssl-public-key-pinning, do you have any recommendations on how we can achieve SSL pinning with Axios?

Network calls via FastImage are not being SSL Pinned

In my react-native app, I want to do SSL pinning only for iOS. So, I have pinned a domain (assume aaa.bbb.com; this domain serves me the images).

I am making calls to this domain to fetch the images in two ways:

  1. Directly using axios
  2. Using FastImage - https://www.npmjs.com/package/react-native-fast-image

When I run my application with some wrong hashes:

```js
import { Platform } from 'react-native';
import { initializeSslPinning } from 'react-native-ssl-public-key-pinning';

if (Platform.OS === 'ios') {
  await initializeSslPinning({
    'aaa.bbb.com': {
      includeSubdomains: true,
      publicKeyHashes: [
        'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=',
        'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=',
      ],
    },
  });
}
```

I can see that the calls made via axios are being pinned successfully and there is no response, but the calls made via FastImage come back with status code 200.

Is this something expected from this library, because FastImage uses SDWebImage and SDWebImage is not supported by this library?

If it is supported, is there anything wrong that I am doing in the above code?
If FastImage is still not supported, is there any plan to support this library in future?

Error on HTTP request to domain without

Borrowed from a recently closed issue 😅 ty

I would like for the following to error:

```js
import { initializeSslPinning } from 'react-native-ssl-public-key-pinning';

const onInitializePinning = async () => {
  try {
    await initializeSslPinning({
      'google.com': {
        includeSubdomains: true,
        publicKeyHashes: [
          'CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk=',
          'hxqRlPTu1bMS/0DITB1SSu0vd4u/8l8TjPgfaAp63Gc=',
          'Vfd95BwDeSQo+NUYxVEEIlvkOlWY2SalKK1lPhzOx78=',
          'QXnt2YHvdHR3tJYmQIr0Paosp6t/nggsEGD4QJZ3Q0g=',
          'mEflZT5enoR1FuXLgYYGqnVEoZvmf9c2bVBpiOjYQ0c=',
        ],
      },
    });
  } catch (e) {
    console.log('ERROR -> ', e);
    setInitializeResult(`❌ ${e}`); // React state setter from the surrounding component
  }
};

const onFetch = async () => {
  try {
    // www.facebook.com is not in the pinning configuration above
    const response = await fetch(`https://www.facebook.com`);
    console.log(`${response.ok ? '✅' : '❌'} Status: ${response.status}`);
  } catch (e) {
    console.log(`❌ ${e}`);
  }
};
```

I appreciate the previous answer given:

"facebook.com is not listed in your pinning configuration, so the network connection passes since we don't do further checks on connections to facebook.com" -- comment

However, might it be possible to extend react-native-ssl-public-key-pinning such that a request to a domain that does not match an entry in the PinningOptions raises an error (or even a warning)?

I want a way to identify when a developer adds a fetch() request to a domain and forgets to also add the publicKeyHashes for that domain.

TrustKit says domain is not pinned, but fetch succeeds with 200


```js
import { initializeSslPinning } from 'react-native-ssl-public-key-pinning';

const onInitializePinning = async () => {
  try {
    await initializeSslPinning({
      'google.com': {
        includeSubdomains: true,
        publicKeyHashes: [
          'CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk=',
          'hxqRlPTu1bMS/0DITB1SSu0vd4u/8l8TjPgfaAp63Gc=',
          'Vfd95BwDeSQo+NUYxVEEIlvkOlWY2SalKK1lPhzOx78=',
          'QXnt2YHvdHR3tJYmQIr0Paosp6t/nggsEGD4QJZ3Q0g=',
          'mEflZT5enoR1FuXLgYYGqnVEoZvmf9c2bVBpiOjYQ0c=',
        ],
      },
    });
  } catch (e) {
    console.log('ERROR -> ', e);
    setInitializeResult(`❌ ${e}`); // React state setter from the surrounding component
  }
};

const onFetch = async () => {
  try {
    // www.facebook.com is not in the pinning configuration above
    const response = await fetch(`https://www.facebook.com`);
    console.log(`${response.ok ? '✅' : '❌'} Status: ${response.status}`);
  } catch (e) {
    console.log(`❌ ${e}`);
  }
};
```

Xcode log

```text
RNStarterKit[91983:4278875] === TrustKit: Checking includeSubdomains configuration for google.com
RNStarterKit[91983:4278875] === TrustKit: Domain www.facebook.com is not pinned
RNStarterKit[91983:4278870] [javascript] ✅ Status: 200
```

It shouldn't be 200, right?
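Both this issue and the previous one observe the same thing: a host with no entry in the configuration (www.facebook.com here) is simply not pinned, and the connection is allowed. What follows is an added example, not code from the library or from either issue. It is an application-side guard: a fetch wrapper (and a synchronous check usable from an axios request interceptor) that refuses any request whose host is not covered by the same options object that was passed to initializeSslPinning, mirroring the includeSubdomains matching rule. The `baseFetch` argument and the `allowlist` parameter are this example's own design, so the policy can be tested without a React Native runtime.

```javascript
// Added example, not code from the library or from either issue above. A fetch wrapper that
// refuses requests whose host has no entry in the pinning configuration, so a forgotten
// publicKeyHashes entry fails loudly instead of silently going unpinned. `baseFetch` is
// injected so the policy can be tested without a React Native runtime.

// React Native's built-in URL class does not implement `hostname`, so parse by hand.
// (IPv6 literals and IDNs are out of scope for this example.)
function parseOrigin(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/(?:[^@/?#]*@)?([^/:?#]+)(?::\d+)?(?:[/?#]|$)/i.exec(url);
  if (!m) throw new Error(`Unparseable URL: ${url}`);
  return { protocol: m[1].toLowerCase(), hostname: m[2].toLowerCase() };
}

// Same rule as an includeSubdomains entry: exact host, or, only when opted in, a subdomain
// at a label boundary. 'evil-google.com' must never match 'google.com'.
function hostMatchesPinnedDomain(hostname, pinnedDomain, includeSubdomains) {
  const host = hostname.toLowerCase();
  const domain = pinnedDomain.toLowerCase();
  if (host === domain) return true;
  return includeSubdomains === true && host.endsWith('.' + domain);
}

// Most specific matching entry ({ domain, options }), or null when the host is unpinned.
function findPinnedEntry(pinningOptions, hostname) {
  let best = null;
  for (const [domain, options] of Object.entries(pinningOptions)) {
    if (hostMatchesPinnedDomain(hostname, domain, options.includeSubdomains) &&
        (best === null || domain.length > best.domain.length)) {
      best = { domain, options };
    }
  }
  return best;
}

class UnpinnedDomainError extends Error {
  constructor(url, reason) {
    super(`Refusing request to ${url}: ${reason}`);
    this.name = 'UnpinnedDomainError';
  }
}

// Synchronous policy check, usable from a fetch wrapper or an axios request interceptor.
// `allowlist` names hosts you deliberately leave unpinned (for example a third-party CDN).
function assertPinnedUrl(pinningOptions, url, allowlist = []) {
  const { protocol, hostname } = parseOrigin(url);
  if (protocol !== 'https') {
    throw new UnpinnedDomainError(url, 'pinning only protects https');
  }
  if (allowlist.includes(hostname)) return hostname;
  if (findPinnedEntry(pinningOptions, hostname) === null) {
    throw new UnpinnedDomainError(url, `${hostname} has no publicKeyHashes entry`);
  }
  return hostname;
}

// Drop-in replacement for fetch: rejects (before connecting) for unpinned hosts.
function createPinnedFetch(pinningOptions, baseFetch, allowlist = []) {
  return async function pinnedFetch(input, init) {
    const url = typeof input === 'string' ? input : input.url;
    assertPinnedUrl(pinningOptions, url, allowlist);
    return baseFetch(input, init);
  };
}
```

In an app you would build `createPinnedFetch(pinningOptions, fetch)` once and use it everywhere, or call `assertPinnedUrl(pinningOptions, config.url)` from an axios request interceptor (`axios.interceptors.request.use`). This is a check in JavaScript, not in the transport: it does nothing for native code that bypasses React Native's networking stack (the FastImage/SDWebImage case reported above), it cannot see redirects the native layer follows, and it only means something if it is given exactly the options object that was passed to initializeSslPinning.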

Error in build for iOS

Hello!
I'm using react-native-ssl-public-key-pinning, but when building the app I'm receiving the following error:

```text
Undefined symbols for architecture arm64:
  "_OBJC_CLASS_$_RCTHTTPRequestHandler", referenced from:
      __OBJC_$_CATEGORY_RCTHTTPRequestHandler_$_SslPublicKeyPinning in SslPublicKeyPinning.o
ld: symbol(s) not found for architecture arm64
clang: error: linker command failed with exit code 1 (use -v to see invocation)

Undefined symbol: _OBJC_CLASS_$_RCTHTTPRequestHandler
```

Android issue

Hi, I created a new project and implemented the SSL package, and when I tried to test it on Android it is working in both conditions: with the wrong hash key and also with the right hash key I get status 301. I also tested with includeSubdomains true and false.

Here is the code with the right hash key for the google.com domain:

```js
import { useEffect } from 'react';
import { initializeSslPinning } from 'react-native-ssl-public-key-pinning';

// inside a component
useEffect(() => {
  async function test() {
    try {
      await initializeSslPinning({
        'google.com': {
          includeSubdomains: true,
          publicKeyHashes: [
            'CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk=',
            'hxqRlPTu1bMS/0DITB1SSu0vd4u/8l8TjPgfaAp63Gc=',
            'Vfd95BwDeSQo+NUYxVEEIlvkOlWY2SalKK1lPhzOx78=',
            'QXnt2YHvdHR3tJYmQIr0Paosp6t/nggsEGD4QJZ3Q0g=',
            'mEflZT5enoR1FuXLgYYGqnVEoZvmf9c2bVBpiOjYQ0c=',
          ],
        },
        'clickit-eu-api-staging.herokuapp.com': {
          includeSubdomains: true,
          publicKeyHashes: [
            'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=',
            'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=',
          ],
        },
      });

      await fetch('https://google.com');
    } catch (e) {
      console.error(e);
    }
  }

  test();
}, []);
```

Here is the code with the wrong hash key:

```js
import { useEffect } from 'react';
import { initializeSslPinning } from 'react-native-ssl-public-key-pinning';

// inside a component
useEffect(() => {
  async function test() {
    try {
      await initializeSslPinning({
        'google.com': {
          includeSubdomains: true,
          publicKeyHashes: [
            'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=',
            'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=',
          ],
        },
        'clickit-eu-api-staging.herokuapp.com': {
          includeSubdomains: true,
          publicKeyHashes: [
            'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=',
            'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=',
          ],
        },
      });

      await fetch('https://google.com');
    } catch (e) {
      console.error(e);
    }
  }
  test();
}, []);
```

You will get status 301 in the response; I am adding the screenshot below:

(screenshot: 2023-06-02 4:27:04 PM, https://github.com/frw/react-native-ssl-public-key-pinning/assets/134288913/6470fb7c-1dc6-424e-bba2-44def72fa9da and https://github.com/frw/react-native-ssl-public-key-pinning/assets/134288913/cf1cb3dc-a68c-4e9d-81ca-a5995d8eff99)

  

Feature Request: adding expiration date config

Similar to the Android network security config, which provides an option to set an expiration date; this helps prevent network connectivity issues in an app that has not been updated with a newer SSL pinning configuration when the user has disabled auto-update.

```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>

    <domain-config>
        <domain includeSubdomains="true">*.example.com</domain>
        <pin-set expiration="2024-01-01">
            <pin digest="SHA-256">...</pin>
            <!-- backup pin -->
            <pin digest="SHA-256">...</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

The date, in yyyy-MM-dd format, on which the pins expire, thus disabling pinning. If the attribute is not set, then the pins do not expire.
Expiration helps prevent connectivity issues in apps which do not get updates to their pin set, such as when the user disables app updates.
https://developer.android.com/privacy-and-security/security-config#pin-set

It would be handy if we could pass an expiration date in DomainOptions:

```diff
export type DomainOptions = {
  /**
   * Whether all subdomains of the specified domain should also be pinned.
   * @default false
   */
  includeSubdomains?: boolean;
  /**
   * An array of SSL pins, where each pin is the base64-encoded SHA-256 hash of a certificate's Subject Public Key Info.
   * Note that at least two pins are needed per domain on iOS.
   */
  publicKeyHashes: string[];

+  expiration?: Date | string
};
```

And usage:

```diff
await initializeSslPinning({
  'example.com': {
+    expiration: '2024-01-01',
    includeSubdomains: true,
    publicKeyHashes: [
      'CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk=',
      'hxqRlPTu1bMS/0DITB1SSu0vd4u/8l8TjPgfaAp63Gc=',
      'Vfd95BwDeSQo+NUYxVEEIlvkOlWY2SalKK1lPhzOx78=',
      'QXnt2YHvdHR3tJYmQIr0Paosp6t/nggsEGD4QJZ3Q0g=',
      'mEflZT5enoR1FuXLgYYGqnVEoZvmf9c2bVBpiOjYQ0c=',
    ],
  },
});
```

Keep getting "Network request failed" / "Network Error"

Hello there!

I am trying to integrate self-signed SSL pinning with Axios in a bare react-native project.

My domain:

https://my-domain.com

Here is my configuration using initializeSslPinning:

```js
import { initializeSslPinning } from 'react-native-ssl-public-key-pinning';

await initializeSslPinning({
  'my-domain.com': {
    includeSubdomains: true,
    publicKeyHashes: ['hash-1', 'hash-2'], // placeholders for the real pins
  },
});
```

I am calling this method at the very top of my application (App.tsx) and no error is returned from initializeSslPinning.

However, when I use axios or even fetch, it keeps returning the following error:

```text
TypeError: Network request failed
```

or

```text
AxiosError: Network Error
```

Could it be possible to get an example that uses axios, or guidance on how to fix this issue, please? Thank you very much.

Is there any way to see if the certificate is actually pinned?

Hi! I am trying to pin a client certificate with axios and I was wondering if the key should be reflected somehow in the requests? The implementation is the same as stated in the docs.

Even isSslPinningAvailable returns true, but I can't see if something is really happening after pinning.

Some help will be appreciated!

Conversion error with new arch enabled

I am experiencing an immediate crash on iOS, probably due to a bad conversion in the initialize method.

Setting the type value to JS::NativeSslPublicKeyPinning::SpecInitializeOptions, the crash disappears.

(screenshot: 2024-05-29 15:27:18)

Troubleshooting steps

Hi.

I'm having some trouble using this library and I am not quite sure where to start debugging. I have created a minimal app setup and this library works perfectly. However, in a bigger project, I am having some trouble being able to block domains that should fail validation.

I've tried the exact code as per the testing section of the README and I am now trying to run it against my own domain which is not used anywhere else in the app to avoid any caching issues.

This is the code I am using to test. I am using expo-router and the file containing this code is the very first import in the root layout folder:

```js
import { initializeSslPinning, isSslPinningAvailable } from 'react-native-ssl-public-key-pinning';

const options = {
  'erasmuswill.dev': {
    publicKeyHashes: [
      'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=',
      'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=',
    ],
  },
};

if (isSslPinningAvailable()) {
  initializeSslPinning(options)
    .then(() => {
      // the pins above are deliberately wrong, so this fetch is expected to fail
      setTimeout(
        () =>
          fetch('https://erasmuswill.dev')
            .then(console.log)
            .catch(console.error),
        1000
      );
    })
    .catch(console.error);
} else {
  console.warn('SSL Pinning Native Module Unavailable');
}
```

The above code fetches and does not return a certificate error as expected. Xcode log shows the following, which I take to mean that setup has been completed successfully.

```text
=== TrustKit: Successfully initialized with configuration {
    TSKPinnedDomains = {
        "erasmuswill.dev" = {
            TSKDisableDefaultReportUri = 1;
            TSKEnforcePinning = 1;
            TSKIncludeSubdomains = 0;
            TSKPublicKeyHashes = "{(\n {length = 32, bytes = 0x00000000 00000000 00000000 00000000 ... 00000000 00000000 },\n {length = 32, bytes = 0x04104104 10410410 41041041 04104104 ... 04104104 10410410 }\n)}";
            kSKExcludeSubdomainFromParentPolicy = 0;
        };
    };
    TSKSwizzleNetworkDelegates = 0;
}
```

[Feature Request] Changing the error text when a request fails SSL public key pinning

Hi,

thank you for this great library!

When setting up the pinning and sending a request e.g. with axios there is no custom error message available to distinguish between normal network errors or SSL pinning related errors.

```js
import axios from 'axios';
import { initializeSslPinning } from 'react-native-ssl-public-key-pinning';

initializeSslPinning({
  // keys are hostnames, not URLs (the original had 'https://example.com' here)
  'example.com': {
    includeSubdomains: true,
    publicKeyHashes: [
      'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=',
      'ABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=',
    ],
  },
}).then(function () {
  axios.get('https://example.com').then(
    function () {
      console.log('success');
    },
    function (err) {
      console.log('err:' + err.message);
    }
  );
});
```

The err.message in this example always shows a generic 'Network Error'.

Would it be possible to add this to this library?
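Until the transport error itself says more, the distinction can be made on the JavaScript side by correlating a request with the pinning-failure events the native layer reports. The block below is an added example, not code from the library or from this issue. It relies on the error-listener hook that the library's index.ts imports as `ErrorListenerCallback` (visible in the Babel error quoted further down this page); the listener function name `addSslPinningErrorListener`, the `remove()` method on its subscription and the `serverHostname` field on the event are assumptions about that API, which is why the subscribe function is injected rather than imported.

```javascript
// Added example, not library code. Turns a generic transport failure into an SslPinningError
// when the native side reported a pin mismatch for that host while the request was in flight.
// `subscribe` is assumed to behave like addSslPinningErrorListener(cb) returning { remove() },
// with cb receiving an event carrying `serverHostname` (assumptions, see lead-in).

class SslPinningError extends Error {
  constructor(hostname, cause) {
    super(`SSL public key pinning failed for ${hostname}`);
    this.name = 'SslPinningError';
    this.hostname = hostname;
    this.cause = cause;
  }
}

// Pure classification step: the failure is a pinning failure only if a report for exactly
// this host arrived during the request. Exact match on purpose: a report for another host
// (for example after a redirect) is not attributed to this request.
function classifyRequestFailure(error, hostname, reportedHosts) {
  if (reportedHosts.has(hostname.toLowerCase())) {
    return new SslPinningError(hostname, error);
  }
  return error;
}

// request(hostname, doRequest) runs doRequest() (an axios or fetch call to that host) with a
// listener attached for its duration and rethrows with the classification applied.
function createPinningAwareRequest(subscribe) {
  return async function request(hostname, doRequest) {
    const reported = new Set();
    const subscription = subscribe((event) => {
      if (event && typeof event.serverHostname === 'string') {
        reported.add(event.serverHostname.toLowerCase());
      }
    });
    try {
      return await doRequest();
    } catch (error) {
      throw classifyRequestFailure(error, hostname, reported);
    } finally {
      subscription.remove();
    }
  };
}

// In the app (assumed API, see above):
//   const request = createPinningAwareRequest(addSslPinningErrorListener);
//   await request('example.com', () => axios.get('https://example.com'));
```

Two concurrent requests to the same host that fail at the same time will both be classified as pinning failures if either triggers a report; for a per-host signal that is the right answer, and it avoids having to parse platform-specific error strings.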

For the wrong key I also get success 200 - Android

I have followed the instructions for installing the library, and in App.js I have added the following.

```js
import { initializeSslPinning } from 'react-native-ssl-public-key-pinning';

try {
  await initializeSslPinning({
    'google.com': {
      includeSubdomains: true,
      publicKeyHashes: [
        'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=',
        'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=',
      ],
    },
  })
    .then((response) => {
      console.log('THIS CALLED (1) ', response);
    })
    .catch((e) => {
      console.log('ERROR ####', e);
    });
} catch (error) {
  console.log('ERROR ****', error);
}

// ...

// This request should fail with an error
try {
  const response = await fetch('https://google.com');
  console.log('RESPONSE (1) -----> ', response.status);
} catch (error) {
  console.log('ERROR ', error);
}
```

This always returns 200.

"react-native": "0.63.2",
"react-native-ssl-public-key-pinning": "^1.0.6",

My app is not running; I get an error that the package doesn't seem to be linked.

I just installed this package and did some POCs running the simple usage provided. But my app is not running properly and I get the error with the details below.

```text
error SyntaxError: /Users/name/documents/repositories/my-app/node_modules/react-native-ssl-public-key-pinning/src/index.ts: Unexpected token (9:12)

   7 |
   8 | import type { ErrorListenerCallback, PinningOptions } from './types';
>  9 | export type * from './types';
     |             ^
  10 |
  11 | const LINKING_ERROR =
  12 |   `The package 'react-native-ssl-public-key-pinning' doesn't seem to be linked. Make sure: \n\n` +

FAILURE: Build completed with 2 failures.
```

Actually, I tried linking manually but still got the same error. Can you please tell me how to solve this? Thank you.

FYI, I am still running on Android and my RN version is 0.71.6.

[Bug][iOS] Not working with expo-dev-client in debug build

Hi,
About 1-2 months ago, I had used this library to enforce SSL pinning in my company's app on a PoC branch, which worked as expected.

And just today, I tried to install and apply the library again in a new branch, but now it does not block any request to the pinned domain when using invalid keys.

I already ran cd ios && pod install, then expo run:ios.

UPDATE (2024-01-24):

Configuration

(Testing invalid keys case)

```json
{
  "some-service.tech": {
    "includeSubdomains": true,
    "publicKeyHashes": [
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
      "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
    ]
  }
}
```

Logs

(iOS to MacOS Console log)

```text
=== TrustKit: Successfully initialized with configuration {
    TSKPinnedDomains =     {
        "some-service.tech" =         {
            TSKDisableDefaultReportUri = 1;
            TSKEnforcePinning = 1;
            TSKIncludeSubdomains = 1;
            TSKPublicKeyHashes = "{(\n    {length = 32, bytes = 0x00000000 00000000 00000000 00000000 ... 00000000 00000000 },\n    {length = 32, bytes = 0x04104104 10410410 41041041 04104104 ... 04104104 10410410 }\n)}";
            kSKExcludeSubdomainFromParentPolicy = 0;
        };
    };
    TSKSwizzleNetworkDelegates = 0;
}
```

Versions

  • react-native-ssl-public-key-pinning: 1.1.3
  • TrustKit: 3.0.3
  • Axios: 0.25.0
  • Expo: 49.0.13
  • RN: 0.72.6
  • CocoaPods: 1.14.3
  • iOS: 16.2 (iPhone Simulator)

Thanks!

SSL implementation issue

Hey, I am trying to do the setup in my react native project. I have added the domain and public key hashes, but when I add a wrong hash key it still works, and with the right hash key it also works. Can you send me the solution so that I can implement it? I want to write the code in JavaScript itself, trying to avoid native code.
