How to implement SSL Pinning in Jetpack Compose?

I want to implement the SSL Pinning (specifically public key pinning) in Jetpack Compose according to these criteria:

• with custom SSL Socket Factory (like OkHttpClientFactory)
• without using any available 3rd party libraries

1. Steps to Implement SSL Pinning with OkHttp Extract the SHA-256 Fingerprint of the Public Key Use this openssl command to extract the public key hash in Base64 format:

   openssl s_client -connect yourserver.com:443 -servername yourserver.com </dev/null 2>/dev/null |
   openssl x509 -pubkey -noout | openssl rsa -pubin -outform der 2>/dev/null |
   openssl dgst -sha256 -binary | openssl enc -base64

Example Output:

w4x1Xv8qS9pN2PeKc+/Fy0mD6x6RNRhHT72apJPyOw0=

2. Set Up OkHttp with SSL Pinning OkHttp has built-in support for public key pinning using CertificatePinner. Here’s how you configure it:

   // Replace this with your server's hostname and public key SHA-256 fingerprint
   private const val HOSTNAME = "yourserver.com"
   private const val PUBLIC_KEY_HASH = "sha256/w4x1Xv8qS9pN2PeKc+/Fy0mD6x6RNRhHT72apJPyOw0="
   
   fun createOkHttpClient(): OkHttpClient {
       val certificatePinner = CertificatePinner.Builder()
           .add(HOSTNAME, PUBLIC_KEY_HASH)
           .build()
   
       return OkHttpClient.Builder()
           .certificatePinner(certificatePinner)
           .build()
   }
   
   fun performSecureRequest() {
       val client = createOkHttpClient()
       val request = Request.Builder()
           .url("https://$HOSTNAME/endpoint")
           .build()
   
       try {
           val response = client.newCall(request).execute()
           println("Response: ${response.body?.string()}")
       } catch (e: IOException) {
           println("SSL Pinning Failed: ${e.message}")
       }
   }
   

Code Walkthrough

CertificatePinner:

• The CertificatePinner class allows you to specify the expected SHA-256 hash of the server's public key.
• Use the sha256/ prefix followed by the Base64-encoded public key.

OkHttpClient.Builder():

• Attach the CertificatePinner to the client.

Network Call:

• Any communication to the server will validate the public key. If it doesn’t match the pinned value, the request will fail with an SSLPeerUnverifiedException.

How to Handle Multiple Certificates If your server has multiple public keys (e.g., during certificate rotation), you can pin multiple keys:

val certificatePinner = CertificatePinner.Builder()
.add(HOSTNAME, "sha256/FirstPublicKeyHash=")
.add(HOSTNAME, "sha256/SecondPublicKeyHash=") // Backup key
.build()

What Happens When Pinning Fails? If the public key doesn’t match the pinned key, the following exception occurs:

javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure!

This ensures that your app doesn’t proceed with an insecure connection.

---

Update

without any third part Lib

Create a Custom TrustManager for Pinning

You’ll write a custom X509TrustManager to compare the server's public key with the pinned value.

import android.util.Base64
import java.io.InputStream
import java.security.KeyFactory
import java.security.cert.Certificate
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate
import java.security.spec.X509EncodedKeySpec
import javax.net.ssl.X509TrustManager

class PublicKeyPinningTrustManager(
    private val pinnedKey: String // Base64-encoded SHA-256 public key
) : X509TrustManager {

    override fun getAcceptedIssuers(): Array<X509Certificate> = emptyArray()

override fun checkClientTrusted(chain: Array<out X509Certificate>?, authType: String?) {
    // Not needed for public key pinning
}

override fun checkServerTrusted(chain: Array<out X509Certificate>?, authType: String?) {
    if (chain == null || chain.isEmpty()) {
        throw SecurityException("Certificate chain is invalid")
    }

    val certificate = chain[0] as X509Certificate
    val publicKey = certificate.publicKey
    val keyFactory = KeyFactory.getInstance(publicKey.algorithm)
    val keySpec = X509EncodedKeySpec(publicKey.encoded)
    val encodedKey = keyFactory.generatePublic(keySpec).encoded

    val sha256 = java.security.MessageDigest.getInstance("SHA-256")
    val publicKeyHash = Base64.encodeToString(sha256.digest(encodedKey), Base64.DEFAULT).trim()



       if (pinnedKey != publicKeyHash) {
            throw SecurityException("Public key pinning failed: key mismatch")
        }
    }
}

3. Set Up a Custom SSLSocketFactory Use the custom TrustManager with an SSLContext to create an SSLSocketFactory:

    fun createPinnedSSLSocketFactory(pinnedKey: String): SSLSocketFactory {
    val trustManager = PublicKeyPinningTrustManager(pinnedKey)
    val sslContext = SSLContext.getInstance("TLS")
    sslContext.init(null, arrayOf<TrustManager>(trustManager), null)
    return sslContext.socketFactory
   

   }

4. Integrate the SSLSocketFactory with HttpsURLConnection You can manually set the custom SSLSocketFactory to HttpsURLConnection for secure network requests:

   val pinnedKey = "w4x1Xv8qS9pN2PeKc+/Fy0mD6x6RNRhHT72apJPyOw0="

   val sslSocketFactory =createPinnedSSLSocketFactory(pinnedKey)

    val url = URL("https://yourserver.com")
    val urlConnection = url.openConnection() as HttpsURLConnection
    urlConnection.sslSocketFactory = sslSocketFactory
   
    try {
        val response = urlConnection.inputStream.bufferedReader().use { it.readText() }
        println("Response: $response")
    } catch (e: Exception) {
        println("SSL Pinning Failed: ${e.message}")
    } finally {
        urlConnection.disconnect()
    }