Certificate pinning issue after bunq certificate renewal #115
Comments
erwindeg
changed the title
|
waw 🤦♂️ 👏, lets hope that they will be more careful when doing this on prod. This prob means that all SDK's are broken. There is a way you can fix this yourself however, anyone can update the hardcoded cert. I forgot the command however, it was in my notes back in the day. @kojoru If esan is still there, you can ask him if he remembers. |
|
This should be the new value: |
A nice, create a pull request I would say 😊 Also, it would be a good idea to add a comment in the code in https://github.com/bunq/sdk_java/blob/f3818e3380b472cafd1dbe69bf45a78434f54c84/src/main/java/com/bunq/sdk/context/ApiEnvironmentType.java on the command to run to update it 😊 |
|
Yes, I just did :) |
|
FYI: This is how we got the new value. String hostname = "public-api.sandbox.bunq.com";
CertificatePinner certificatePinner = new CertificatePinner.Builder()
.add(hostname, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
.build();
OkHttpClient client = new OkHttpClient.Builder()
.certificatePinner(certificatePinner)
.build();
Request request = new Request.Builder()
.url("https://" + hostname)
.build();
client.newCall(request).execute(); |
|
hmm, I used to use the openssl command to get this. That was the command I was referring tho. Interesting method however :P |
|
There, I figured it out :-P openssl s_client -connect sandbox.bunq.com:443 -showcerts < /dev/null 2> /dev/null | openssl x509 -pubkey -noout | openssl enc -base64 -d | openssl dgst -sha256 -binary | openssl enc -base64 (and yes, this is considerably more classy than grabbing it from okhttp's error output...) |
Steps to reproduce:
What should happen:
What happens:
SDK version and environment
Extra info:
It looks like your certificate for https://public-api.sandbox.bunq.com/ was renewed last night and now the hardcoded pinned key in the SDK doesn't match the key of the new certificate
The text was updated successfully, but these errors were encountered: