Certificate pinning
Certificate pinning is used to check that the Risk Engine back-end server’s certificate matches a known copy of that certificate at the application.
To use certificate pinning, the application passes an array of X509Certificate objects (including the leaf certificate) to Risk Management's GAHCoreConfig and then passes the GAHCoreConfig object to initialize().
You can also configure the TLS connection settings.
Risk Management takes care of the default configurations if this is not set from the application.
It is not recommended to override the connection settings or attributes/parameters in a production environment.
Allowing self-signed certificates and hostname mismatches reduces the security of the communication link with the server. Insecure connections are not permitted in Release mode.
Android - Java
/* Set certificate array to GAH Core config */
final X509Certificate[] certificates = new X509Certificate[1];
certificates[0] = AppUtils.getCertificate(this, R.raw.digital_cloud_cert_leaf_cer);
coreConfigBuilder = coreConfigBuilder.setSecureConnectionCertificates(certificates);
if (BuildConfig.DEBUG)
{
    /* Relaxed TLS permits for debug builds only; never ship these in a release variant */
    coreConfigBuilder = coreConfigBuilder.setSecureConnectionPermits(new GAHCoreConfig.Permit[]{
        GAHCoreConfig.Permit.INSECURE_COMMUNICATIONS,
        GAHCoreConfig.Permit.HOSTNAME_MISMATCH,
        GAHCoreConfig.Permit.SELF_SIGNED_CERTIFICATES
    });
}
iOS - Objective C
/* Set certificate array to GAH Core config */
GAHCoreConfig *reConfig = [GAHCoreConfig getsharedConfigManagerObject];
GAHTLSConfiguration *tlsConfiguration = [GAHTLSConfiguration new];
#ifdef DEBUG
[tlsConfiguration setHostnameMismatchAllowed:YES];
[tlsConfiguration setSelfSignedCertAllowed:YES];
[tlsConfiguration setInsecureConnectionAllowed:YES];
#else
[tlsConfiguration setSelfSignedCertAllowed:YES];
#endif
NSString *pathToCert = [[NSBundle mainBundle]pathForResource:@"Thales_eziocloud" ofType:@"cer"];
NSData *localValidCertificate = [NSData dataWithContentsOfFile:pathToCert];
[reConfig GRESTLSConfiguration:@[localValidCertificate] withRESDKTLSConfiguration:tlsConfiguration];
Swift
/* Set certificate array to GAH Core config */
let reConfig:GAHCoreConfig = GAHCoreConfig.getsharedConfigManagerObject()
var tlsconfiguration:GAHTLSConfiguration = GAHTLSConfiguration.init()
#if DEBUG
tlsconfiguration.hostnameMismatchAllowed = true
tlsconfiguration.selfSignedCertAllowed = true
tlsconfiguration.insecureConnectionAllowed = true
#else
tlsconfiguration.selfSignedCertAllowed = true
#endif
let pathToCert = Bundle.main.path(forResource: "Thales_eziocloud", ofType: "cer")
let localValidCertificate = NSData.init(contentsOfFile: pathToCert!)
reConfig.grestlsConfiguration([localValidCertificate!] as [Any], withRESDKTLSConfiguration: tlsconfiguration)
Certificate renewal
The following code snippet shows how to upgrade to a new certificate during a server certificate renewal.
Certificate pinning is mandatory on the release variant of the Risk Management SDK. You have to update the certificate accordingly, otherwise Risk Management SDK returns the error, ERROR_CODE_NO_SSL_CERTIFICATES_PRESENT.
Android - Java
/* Set certificate array to GAH Core config */
final X509Certificate[] certificates = new X509Certificate[7];
// maintain old certificates
certificates[0] = AppUtils.getCertificate(this, R.raw.old_root_cer);
certificates[1] = AppUtils.getCertificate(this, R.raw.old_intermediate_cer);
certificates[2] = AppUtils.getCertificate(this, R.raw.old_leaf_cer);
// add new certificates
certificates[3] = AppUtils.getCertificate(this, R.raw.new_root_cer);
certificates[4] = AppUtils.getCertificate(this, R.raw.new_intermediate_cer_1);
certificates[5] = AppUtils.getCertificate(this, R.raw.new_intermediate_cer_2);
certificates[6] = AppUtils.getCertificate(this, R.raw.new_leaf_cer);
coreConfigBuilder = coreConfigBuilder.setSecureConnectionCertificates(certificates);
iOS - Objective C
/* Set certificate array to GAH Core config */
GAHCoreConfig *reConfig = [GAHCoreConfig getsharedConfigManagerObject];
GAHTLSConfiguration *tlsConfiguration = [GAHTLSConfiguration new];
// maintain old certificate
NSString *pathToOldLeafCert = [[NSBundle mainBundle]pathForResource:@"old_leaf_cer" ofType:@"cer"];
NSData *oldLeafCert = [NSData dataWithContentsOfFile:pathToOldLeafCert];
// add new certificate
NSString *pathToNewLeafCert = [[NSBundle mainBundle]pathForResource:@"new_leaf_cer" ofType:@"cer"];
NSData *newLeafCert = [NSData dataWithContentsOfFile:pathToNewLeafCert];
[reConfig GRESTLSConfiguration:@[oldLeafCert, newLeafCert] withRESDKTLSConfiguration:tlsConfiguration];
Swift
/* Set certificate array to GAH Core config */
let reConfig:GAHCoreConfig = GAHCoreConfig.getsharedConfigManagerObject()
var tlsconfiguration:GAHTLSConfiguration = GAHTLSConfiguration.init()
// maintain old certificate
let pathToOldLeafCert = Bundle.main.path(forResource: "old_leaf_cer", ofType: "cer")
let oldLeafCert = NSData.init(contentsOfFile: pathToOldLeafCert!)
// add new certificate
let pathToNewLeafCert = Bundle.main.path(forResource: "new_leaf_cer", ofType: "cer")
let newLeafCert = NSData.init(contentsOfFile: pathToNewLeafCert!)
reConfig.grestlsConfiguration([oldLeafCert!, newLeafCert!] as [Any], withRESDKTLSConfiguration: tlsconfiguration)
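To make concrete what a pinning check does, and why the renewal arrays above carry both the old and the new certificates at the same time, here is an added example of a pinning trust manager. It is example code written for this page, not code from the Risk Management SDK; the class name PinnedTrustManager, the fingerprint and parse helpers, and the delegating platform trust manager are assumptions. The pin set is built from the same X509Certificate[] that the page passes to setSecureConnectionCertificates, and a presented server chain is accepted only if it passes normal PKIX validation and at least one certificate in it matches a pinned certificate byte for byte.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical pinning trust manager (example code, not part of the Risk Management SDK).
 * A server chain is accepted only when the platform trust manager validates it AND at
 * least one certificate in the chain matches a pinned certificate, compared through the
 * SHA-256 digest of its DER encoding. Pinning the old and the new certificates together
 * gives a renewal window in which servers on either chain are still accepted.
 */
public final class PinnedTrustManager implements X509TrustManager {

    private final X509TrustManager delegate;      // does the standard chain validation
    private final Set<String> pinnedFingerprints; // hex SHA-256 of each pinned certificate

    public PinnedTrustManager(X509TrustManager delegate, X509Certificate[] pinnedCertificates)
            throws CertificateEncodingException {
        this.delegate = delegate;
        Set<String> pins = new HashSet<>();
        for (X509Certificate cert : pinnedCertificates) {
            pins.add(fingerprint(cert));
        }
        this.pinnedFingerprints = Collections.unmodifiableSet(pins);
    }

    /** Hex SHA-256 over the DER encoding: a stable identity for "the same certificate". */
    public static String fingerprint(X509Certificate cert) throws CertificateEncodingException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every Java runtime", e);
        }
    }

    /** True when any certificate in the presented chain is in the pin set. */
    public boolean isPinned(X509Certificate[] chain) throws CertificateEncodingException {
        for (X509Certificate cert : chain) {
            if (pinnedFingerprints.contains(fingerprint(cert))) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Validate the chain first so that a pinned intermediate or root only counts
        // when it actually issued the presented leaf.
        delegate.checkServerTrusted(chain, authType);
        if (!isPinned(chain)) {
            throw new CertificateException("server chain does not match any pinned certificate");
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /** Parses DER- or PEM-encoded certificate bytes, like the page's getCertificate helper. */
    public static X509Certificate parse(byte[] encoded) throws CertificateException {
        InputStream in = new ByteArrayInputStream(encoded);
        return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
    }
}
```

During a renewal the constructor receives the combined array (old root, intermediate and leaf plus the new ones, as in the Android snippet above), so isPinned stays true whether a server still presents the old chain or has already switched to the new one; once every server has switched, the old certificates are dropped from the array and an app update ships the shorter pin set. Because the comparison is on the full DER encoding, any change to the certificate, including a renewal with the same key, changes the fingerprint, which is exactly why the SDK requires the new certificate to be added before the server-side renewal.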
Certificate retrieval
The following code snippet shows how to get a certificate in the X509Certificate format.
Android
It is assumed that the certificate file is placed in the res/raw folder:
import android.content.Context;
import android.util.Log;
import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/* Loads a DER- or PEM-encoded certificate from res/raw; TAG is the enclosing class's log tag */
public static X509Certificate getCertificate(Context context, int resId)
{
    X509Certificate certificate = null;
    InputStream caInput = null;
    try {
        final CertificateFactory factory = CertificateFactory.getInstance("X.509");
        caInput = new BufferedInputStream(context.getResources().openRawResource(resId));
        certificate = (X509Certificate) factory.generateCertificate(caInput);
        Log.i(TAG, "ca=" + certificate.getSubjectDN());
    } catch (final CertificateException exception) {
        Log.e(TAG, exception.getMessage());
    } finally {
        if (caInput != null) {
            try {
                caInput.close();
            } catch (IOException ex) {
                Log.e(TAG, ex.getMessage());
            }
        }
    }
    return certificate;
}
iOS - Objective C
// core config and TLS configuration objects, as set up in the pinning example above
GAHCoreConfig *reConfig = [GAHCoreConfig getsharedConfigManagerObject];
GAHTLSConfiguration *tlsConfiguration = [GAHTLSConfiguration new];
// get certificate path
NSString *pathToCert = [[NSBundle mainBundle] pathForResource:@"Thales_eziocloud" ofType:@"cer"];
// read data
NSData *localValidCertificate = [NSData dataWithContentsOfFile:pathToCert];
// send to Risk Management SDK
[reConfig GRESTLSConfiguration:[NSArray arrayWithObjects:localValidCertificate, nil] withRESDKTLSConfiguration:tlsConfiguration];
Swift
// core config and TLS configuration objects, as set up in the pinning example above
let reConfig:GAHCoreConfig = GAHCoreConfig.getsharedConfigManagerObject()
var tlsconfiguration:GAHTLSConfiguration = GAHTLSConfiguration.init()
// path to your certificate in the app bundle
let pathToCert:String = Bundle.main.path(forResource: "Thales_eziocloud", ofType: "cer")!
// read data from the certificate; Data(contentsOf:) throws, so a read failure lands in the catch block
do {
    let certificateData = try Data(contentsOf: URL(fileURLWithPath: pathToCert))
    // send certificateData to the Risk Management SDK
    reConfig.grestlsConfiguration([certificateData as NSData] as [Any], withRESDKTLSConfiguration: tlsconfiguration)
} catch let error as NSError {
    print(error.description)
}