npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

mm-react-native-cert-pinner

v0.4.2

Published

For React Native, pins TLS connections to specific trusted certificates' public keys

Downloads

5

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

murat-mehmetmurat-mehmet

Keywords

react-nativeiosandroidfetchcertificate-pinningtlshttps

Readme

react-native-cert-pinner

IMPORTANT: This repository relates to Approov 1 and has not been updated to reflect the new features and usage of Approov 2, the latest version of Approov. We will be updating the repository soon. Meanwhile, please refer to the guide for migrating from Approov 1 to Approov 2.

This package manages TLS certificate pinning in react-native for Android and iOS.

Getting started

$ npm install react-native-cert-pinner --save

Mostly automatic installation

$ react-native link react-native-cert-pinner

Manual installation

iOS

Add the following line to the project targets in your Podfile:

pod 'TrustKit', '~> 1.4.2'

Then run pod install.

Android

  1. Open up android/app/src/main/java/[...]/MainApplication.java
  • Add import com.criticalblue.reactnative.CertPinnerPackage; to the imports at the top of the file
  • Add new CertPinnerPackage() to the list returned by the getPackages() method
  1. Append the following lines to android/settings.gradle:
    include ':react-native-cert-pinner'
project(':react-native-cert-pinner').projectDir = new File(rootProject.projectDir, '../node_modules/react-native-cert-pinner/android')
  2. Insert the following lines inside the dependencies block in android/app/build.gradle:
      compile project(':react-native-cert-pinner')

Usage

To use the react-native networking utilities, like fetch(), certificate pinning must be done in the native app before the app's react-native javascript is run.

Unlike typical installed packages, there is no need to require any modules in the javascript. Everything is setup and enforced inside the native module.

Certificate Pinning Configuration

A pinset utility is provided to help configure the native modules for pinning.

The default setup assumes you are running in your project's home directory. The default configuration file is ./pinset.json, and the default native android project is assumed to be located at ./android. Both these locations may be overriden on the command line.

Command Help

To get help:

$ npx pinset -h

    pinset [command] [options]

      init ..... initialize pinset configuration
      gen ...... generate pinset configuration
      version .. show package version
      help ..... show help menu for a command

or for a sub-command:

$ npx pinset help gen

    pinset gen [options] [config]

      --android, -a <path> .. path to Android project (defaults to './android')
      --ios, -i <path> ...... path to iOS project (defaults to './ios')
      --force, -f ........... always overwrite existing configuration

      config ................ configuration file - defaults to 'pinset.json'

Initialization

The first step is to generate a starter configuration:

$ npx pinset init

This command will not overwrite an existing configuration file unless the --force flag is used.

Lookup

Next, determine which URLs you want to pin, and determine each certificate's public key hash. A convenient utility is provided by Report URI at https://report-uri.com/home/pkp_hash. Enter a URL to see the current chain of certificate hashes.

Enter the desired public key hashes into the pinset.json file:

{
  "domains": {
    "*.approov.io": {
      "pins": [
        "sha256/0000000000000000000000000000000000000000000",
        "sha256/1111111111111111111111111111111111111111111"
      ]
    },
    "*.criticalblue.com": {
      "pins": [
        "sha256/2222222222222222222222222222222222222222222",
        "sha256/3333333333333333333333333333333333333333333"
      ]
    }
  }
}

Domains starting with*. will include all subdomains.

It is recommended to select multiple hashes with at least one of them being from an intermediate certificate.

Generation

Once the configuration is set, generate the native project sources:

$ npx pinset gen
Reading config file './pinset.json'.
Updating java file './android/app/src/main/java/com/criticalblue/reactnative/GeneratedCertificatePinner.java'.
Updating plist file './ios/example/info.plist'.

Build and run the react-native app, for example:

$ react-native run-ios

Updates

To update the certificate pins, edit the configuration file, regenerate the native sources, and rebuild the app.

Note, there is no way to update the pin sets from javascript while the app is running.

Certificate Security

If you consider publishing hashes of public key certificates to be a security breach, you may want to remove or ignore the pinset configuration and generated fines from your repository.

To ignore the default files in a git repository, add to .gitignore:

# default configuration file
./pinset.json

# default generated android source
./android/app/src/main/java/com/criticalblue/reactnative/GeneratedCertificatePinner.java
./ios/<your project here>/info.plist

Future Enhancements

  • Automatically regenerate native source files whenever the pin set configuration changes.
  • Add source regeneration and git ignores to the mostly automatic react-native linking step.
  • Add certificate lookup to the pinset utility.
  • Better secure pinset information within the app.