SSL Certificate and Public Key Pinning
-
wrote on 22 Apr 2016, 17:04 last edited by jeremiah
Does Qt support certificate pinning? I am not finding much when searching the documentation and Google.
To give more clarification: we are looking to do more to stop MITM attacks. One way is to store a hash of the server's public key in the client when the client is built, so that when the client reaches out to the server for the first time for the server's public key, it can hash that key and compare it to its stored hash to ensure it's legitimate. And then do the comparison for each request.
Thoughts? Is there a better way to achieve this result?
-
wrote on 22 Apr 2016, 17:45 last edited by
Will I have to do the public key comparison manually myself, or does Qt have this built in?
-
wrote on 22 Apr 2016, 20:31 last edited by
Here is how I solved it:
Connected to the encrypted signal:
QObject::connect(&mgr, SIGNAL(encrypted(QNetworkReply*)), this, SLOT(on_Encrypted(QNetworkReply*)));
Then in the slot, check whether pinning is in use and verify the hash:
// Must be a slot of the object passed as `this` in the connect() call above.
void on_Encrypted(QNetworkReply *reply)
{
    if (!useCertPinning)
        return;
    // encrypted() fires after the handshake but before any user data is sent,
    // so aborting here rejects the connection before a request goes out.
    QSslCertificate cert = reply->sslConfiguration().peerCertificate();
    // SHA-256 over the DER-encoded public key, base64-encoded to match the stored pin
    QString serverHash = QString::fromLatin1(
        QCryptographicHash::hash(cert.publicKey().toDer(), QCryptographicHash::Sha256).toBase64());
    if (pinningHash.compare(serverHash) != 0) {
        qDebug() << "Public Key Hashes don't match, abort";
        reply->abort();
    }
}