@wireapp/certificate-check

Utilities to check that Wire's domains use the expected certificate.

Usage (no npm install needed!)

<script type="module">
  import wireappCertificateCheck from 'https://cdn.skypack.dev/@wireapp/certificate-check';
</script>

README

Wire

This repository is part of the source code of Wire. You can find more information at wire.com or by contacting opensource@wire.com.

You can find the published source code at github.com/wireapp.

For licensing information, see the attached LICENSE file and the list of third-party licenses at wire.com/legal/licenses/.

Certificate Check

Utilities to check that Wire's domains use the expected certificate.

Usage

Check if hostname should be pinned

The certificate check utility holds a list of pre-defined hostnames which should be pinned. See pinningData.ts.

Example:

import {hostnameShouldBePinned} from '@wireapp/certificate-check';

const wireHost = 'wire.com';
hostnameShouldBePinned(wireHost); // true: listed in pinningData.ts

const otherHost = 'example.com';
hostnameShouldBePinned(otherHost); // false: not in the pinning list

Verify pinned certificate

The certificate check utility holds a list of pre-defined certificates which should be verified. See CertUtil.ts.

Since we only use this utility with Electron, you need to provide an Electron-like certificate.

Example:

import {verifyPinning} from '@wireapp/certificate-check';

const hostname = 'wire.com';
// Electron-like certificate object: PEM data of the leaf plus its issuer
const certificate = {
  data: '-----BEGIN CERTIFICATE----- ...',
  issuerCert: {
    data: '-----BEGIN CERTIFICATE----- ...',
  },
};

verifyPinning(hostname, certificate); // true

Verification sequence:

  1. Find a pinning entry that matches the hostname and, if found, load the local certificate data for it
  2. Extract the remote issuer (e.g. VeriSign) data from the provided certificate
  3. Extract the local issuer data for this hostname
  4. Compare the remote issuer data with the local issuer data byte by byte
  5. Extract the remote public key from the provided certificate
  6. Create a SHA-256 hash of the remote public key (also called the "fingerprint")
  7. Extract the algorithm ID and the fingerprints from the local certificate
  8. Compare the remote fingerprint with the local fingerprints for this hostname
  9. Compare the remote algorithm ID with the local algorithm ID for this hostname

The certificate is accepted as pinned only if all of these steps succeed.