react-native-cert-pinner
For React Native, pins TLS connections to specific trusted certificates' public keys
This package manages TLS certificate pinning in react-native for Android and iOS.
$ npm install react-native-cert-pinner --save
$ react-native link react-native-cert-pinner
Add the following line to the project targets in your Podfile:
pod 'TrustKit', '~> 1.4.2'
Then run pod install.
Add the following to android/app/src/main/java/[...]/MainApplication.java:
- import com.criticalblue.reactnative.CertPinnerPackage; to the imports at the top of the file
- new CertPinnerPackage() to the list returned by the getPackages() method
Add the following to android/settings.gradle:
include ':react-native-cert-pinner'
project(':react-native-cert-pinner').projectDir = new File(rootProject.projectDir, '../node_modules/react-native-cert-pinner/android')
android/app/build.gradle:
compile project(':react-native-cert-pinner')
To use the react-native networking utilities, like fetch(), certificate pinning must be done in the native app before the app's react-native javascript is run.
Unlike typical installed packages, there is no need to require any modules in the javascript. Everything is set up and enforced inside the native module.
A pinset utility is provided to help configure the native modules for pinning.
The default setup assumes you are running in your project's home directory. The default configuration file is ./pinset.json, and the default native android project is assumed to be located at ./android. Both of these locations may be overridden on the command line.
To get help:
$ npx pinset -h
pinset [command] [options]
init ..... initialize pinset configuration
gen ...... generate pinset configuration
version .. show package version
help ..... show help menu for a command
or for a sub-command:
$ npx pinset help gen
pinset gen [options] [config]
--android, -a <path> .. path to Android project (defaults to './android')
--ios, -i <path> ...... path to iOS project (defaults to './ios')
--force, -f ........... always overwrite existing configuration
config ................ configuration file - defaults to 'pinset.json'
The first step is to generate a starter configuration:
$ npx pinset init
This command will not overwrite an existing configuration file unless the --force flag is used.
Next, determine which URLs you want to pin, and determine each certificate's public key hash. A convenient utility is provided by Report URI at https://report-uri.com/home/pkp_hash. Enter a URL to see the current chain of certificate hashes.
Enter the desired public key hashes into the pinset.json file:
{
"domains": {
"*.approov.io": {
"pins": [
"sha256/0000000000000000000000000000000000000000000",
"sha256/1111111111111111111111111111111111111111111"
]
},
"*.criticalblue.com": {
"pins": [
"sha256/2222222222222222222222222222222222222222222",
"sha256/3333333333333333333333333333333333333333333"
]
}
}
}
Domains starting with *. will include all subdomains.
It is recommended to select multiple hashes with at least one of them being from an intermediate certificate.
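The pin values in pinset.json use the same format as HPKP and TrustKit: "sha256/" followed by the base64 of the SHA-256 digest of the certificate's DER-encoded SubjectPublicKeyInfo, which is also what the Report URI tool above produces. The following checker is an added example, not part of the react-native-cert-pinner project: it computes a pin from SPKI bytes and flags configurations that would ship with fewer than two pins per domain or with malformed pin strings (the all-zero values shown above are placeholders, not real pins). The SPKI blobs and the sample configuration are constructed inline.

```python
import base64
import hashlib
import json

# Pin format used by pinset.json (same as HPKP / TrustKit):
# "sha256/" + base64(SHA-256(SubjectPublicKeyInfo DER))
PIN_PREFIX = "sha256/"


def spki_pin(spki_der: bytes) -> str:
    """Return the pin string for a DER-encoded SubjectPublicKeyInfo."""
    digest = hashlib.sha256(spki_der).digest()
    return PIN_PREFIX + base64.b64encode(digest).decode("ascii")


def pin_is_well_formed(pin: str) -> bool:
    """A pin must carry the sha256/ prefix and decode to exactly 32 bytes."""
    if not pin.startswith(PIN_PREFIX):
        return False
    try:
        raw = base64.b64decode(pin[len(PIN_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == hashlib.sha256().digest_size


def validate_pinset(config_text: str, min_pins: int = 2) -> list:
    """Return a list of problems found in a pinset.json document (empty = OK)."""
    problems = []
    domains = json.loads(config_text).get("domains")
    if not isinstance(domains, dict) or not domains:
        return ["no 'domains' object in configuration"]
    for domain, entry in domains.items():
        pins = entry.get("pins", []) if isinstance(entry, dict) else []
        if len(pins) < min_pins:
            problems.append(f"{domain}: only {len(pins)} pin(s), need at least {min_pins} (backup pin)")
        for pin in pins:
            if not pin_is_well_formed(pin):
                problems.append(f"{domain}: malformed pin {pin!r}")
        if len(set(pins)) != len(pins):
            problems.append(f"{domain}: duplicate pins")
    return problems


# Constructed SPKI blobs standing in for a leaf and an intermediate public key.
LEAF_SPKI = b"constructed-leaf-spki-not-a-real-key"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki-not-a-real-key"

SAMPLE_CONFIG = json.dumps({"domains": {
    "*.approov.io": {"pins": [spki_pin(LEAF_SPKI), spki_pin(INTERMEDIATE_SPKI)]},
    # Deliberately weak entry: a single pin that is too short to be a SHA-256.
    "*.criticalblue.com": {"pins": ["sha256/" + "0" * 43]},
}})

if __name__ == "__main__":
    for problem in validate_pinset(SAMPLE_CONFIG):
        print(problem)
```

Running the block prints the two findings for *.criticalblue.com and nothing for *.approov.io; run it against your own pinset.json before `npx pinset gen` to catch a missing backup pin early.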
Once the configuration is set, generate the native project sources:
$ npx pinset gen
Reading config file './pinset.json'.
Updating java file './android/app/src/main/java/com/criticalblue/reactnative/GeneratedCertificatePinner.java'.
Updating plist file './ios/example/info.plist'.
Build and run the react-native app, for example:
$ react-native run-ios
To update the certificate pins, edit the configuration file, regenerate the native sources, and rebuild the app.
Note, there is no way to update the pin sets from javascript while the app is running.
If you consider publishing hashes of public key certificates to be a security breach, you may want to remove or ignore the pinset configuration and generated files from your repository.
To ignore the default files in a git repository, add to .gitignore:
# default configuration file
./pinset.json
# default generated android source
./android/app/src/main/java/com/criticalblue/reactnative/GeneratedCertificatePinner.java
./ios/<your project here>/info.plist
We found that react-native-cert-pinner demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.