@wireapp/certificate-check

Wire

This repository is part of the source code of Wire. You can find more information at wire.com or by contacting opensource@wire.com.

You can find the published source code at github.com/wireapp.

For licensing information, see the attached LICENSE file and the list of third-party licenses at wire.com/legal/licenses/.

Certificate Check

Utilities to check that Wire's domains use the expected certificate.

Usage

Check if hostname should be pinned

The certificate check utility holds a list of pre-defined hostnames which should be pinned. See pinningData.ts.

Example:

const wireHost = 'wire.com';
hostnameShouldBePinned(wireHost); // true

const otherHost = 'example.com';
hostnameShouldBePinned(otherHost); // false

Verify pinned certificate

The certificate check utility holds a list of pre-defined certificates which should be verified. See CertUtil.ts.

Since we only use this utility with Electron, you need to provide an Electron-like certificate.

Example:

const hostname = 'wire.com';
const certificate = {
  data: '-----BEGIN CERTIFICATE----- ...',
  issuerCert: {
    data: '-----BEGIN CERTIFICATE----- ...',
  },
};

verifyPinning(hostname, certificate); // true

Verification sequence:

• Find a match for the hostname and if found, get the local certificate
• Extract the remote issuer (e.g. VeriSign) data from the provided certificate
• Extract the local issuer data for this hostname
• Compare the remote issuer data with the local issuer data byte by byte
• Extract the remote public key from the provided certificate
• Create a SHA256 hash from the remote public key (also called "fingerprint")
• Extract the algorithm ID and the fingerprints from the local certificate
• Compare the remote fingerprint with the local fingerprints for this hostname
• Compare the remote algorithm ID with the local algorithm ID for this hostname

If all steps succeeded, the verification is done.