
Certificate Pinning in Applications

Certificate pinning restricts which certificates or public keys a client will accept for a given host, so a man-in-the-middle attack fails even when the attacker presents a certificate that chains to a CA the system trusts. Pinning is an additional check layered on top of normal chain and hostname validation, never a replacement for it. Decide deliberately what you pin: a hash of the whole leaf certificate (as in the example below) changes on every renewal, while a hash of the Subject Public Key Info (SPKI) survives renewals that keep the same key, so SPKI pins are usually easier to operate. Whatever you pin, always ship at least one backup pin for a key you hold offline and an out-of-band way to update the pinset, otherwise a routine certificate rotation will lock every deployed client out of the service.

Implementation strategies (the example below hashes the DER encoding of the leaf certificate; note that a pin checked on a separate probe connection, as here, does not protect a request sent later over a different connection — in production, validate the pin on the socket that actually carries the request, for example in an `http.client.HTTPSConnection.connect` override, before any application data is sent):

# Python certificate pinning
import hashlib
import socket
import ssl
from urllib.request import urlopen

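def get_certificate_pin(hostname, port=443, *, timeout=None):
    """Connect to ``hostname``:``port`` over TLS and return the SHA-256 pin of its leaf certificate.

    The pin is the lowercase hex SHA-256 digest of the server's leaf certificate in DER
    form, i.e. of the bytes ``getpeercert(binary_form=True)`` returns. Because the whole
    certificate is hashed, the pin changes on every certificate renewal even when the
    key stays the same; plan the pinset (current + backup + next pin) accordingly.

    The default SSL context still performs ordinary chain and hostname verification, so a
    server that fails normal TLS validation raises here before any pin is computed --
    pinning is an additional check on top of CA validation, not a replacement for it.

    Args:
        hostname: Server name to connect to; also sent as SNI and used for hostname checking.
        port: TCP port, 443 by default.
        timeout: Optional socket timeout in seconds. ``None`` (the default, and the original
            behaviour) blocks indefinitely; pass a value so a stalled handshake cannot hang
            the caller forever.

    Returns:
        The hex SHA-256 digest of the leaf certificate's DER bytes.

    Raises:
        OSError: on connection failure or timeout.
        ssl.SSLError: when standard TLS validation (chain, hostname) fails.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw_sock:
        with context.wrap_socket(raw_sock, server_hostname=hostname) as tls_sock:
            # Leaf certificate only, as presented by the server, in DER encoding.
            der_cert = tls_sock.getpeercert(binary_form=True)
            return hashlib.sha256(der_cert).hexdigest()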

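# Pin validation
class SecurityError(Exception):
    """Raised when the server's certificate is not in the expected pinset.

    Pin checks fail closed: a mismatch aborts rather than falling back to plain
    CA validation.
    """


# Pin of the leaf certificate we expect api.example.com to present. Pins are public
# values derived from the server's certificate, so a plain string comparison is
# appropriate -- there is no secret here to protect against timing attacks.
expected_pin = "d4de20d05e66fc53fe1a0..."
actual_pin = get_certificate_pin("api.example.com")

# NOTE(review): this validates a probe connection, not the connection that will carry
# the real request. In production the check belongs on the socket of the connection
# that sends data (e.g. in an http.client.HTTPSConnection.connect override).
if actual_pin != expected_pin:
    raise SecurityError("Certificate pin mismatch!")

# Multiple pins for rotation: the current pin, a backup pin for a key held offline,
# and the pin for the next scheduled rotation, so clients keep working while the
# server moves between them. These are placeholder values -- replace them with the
# real hex digests produced by get_certificate_pin().
valid_pins = {
    "current_pin_hash",
    "backup_pin_hash",
    "next_rotation_pin_hash",
}

if actual_pin not in valid_pins:
    raise SecurityError("Certificate not in pinset!")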