indexer/com.midnight.kuira.core.indexer.api/TlsConfiguration

TlsConfiguration

data class TlsConfiguration(val pinnedCertificates: List<String> = emptyList(), val allowLocalhostHttp: Boolean = false, val minTlsVersion: TlsVersion = TlsVersion.TLS_1_2)

TLS/SSL configuration for secure indexer communication.

CRITICAL SECURITY REQUIREMENT:

  • Production MUST use HTTPS with certificate pinning

  • HTTP only allowed for localhost development testing

  • Certificate pinning prevents MITM attacks

Certificate Pinning Implementation (Phase 4B):

Option 1: OkHttp Engine (Recommended)

val client = HttpClient(OkHttp) {
    engine {
        config {
            certificatePinner(CertificatePinner.Builder()
                .add("indexer.midnight.network", "sha256/AAAAAAAAAAAAA...")
                .add("indexer.midnight.network", "sha256/BBBBBBBBBBBBB...") // Backup cert
                .build()
            )
        }
    }
}
Content copied to clipboard

Option 2: Android Network Security Config (App-Level)

<!-- res/xml/network_security_config.xml -->
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">indexer.midnight.network</domain>
        <pin-set expiration="2027-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAA...</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBB...</pin>
        </pin-set>
    </domain-config>
</network-security-config>
Content copied to clipboard

Option 3: Custom TrustManager (Most Control)

class PinnedCertificateTrustManager(
    private val pinnedCertificates: List<String>
) : X509TrustManager {
    override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {
        val serverCertHash = chain[0].publicKey.encoded.sha256()
        if (!pinnedCertificates.contains(serverCertHash)) {
            throw CertificateException("Certificate pin validation failed")
        }
    }
}
Content copied to clipboard

How to Get Certificate Fingerprints:

  1. Using OpenSSL:

openssl s_client -connect indexer.midnight.network:443 < /dev/null | \
  openssl x509 -pubkey -noout | \
  openssl rsa -pubin -outform der | \
  openssl dgst -sha256 -binary | \
  openssl enc -base64
Content copied to clipboard

  1. Using Chrome DevTools:

  • Visit https://indexer.midnight.network

  • Click padlock → Certificate → Details → Copy SHA-256 fingerprint

  1. Using curl:

curl --pinnedpubkey 'sha256//AAAAAAAAAA...' https://indexer.midnight.network
Content copied to clipboard

Best Practices:

  • Pin at least 2 certificates (primary + backup)

  • Update pins before certificates expire

  • Use public key pinning (not leaf certificate)

  • Test pinning in staging before production

  • Have a backup plan if pinning fails (e.g., app update)

Testing Certificate Pinning:

  • Use mitmproxy or Charles Proxy to verify MITM protection

  • Ensure app rejects connections with invalid certificates

  • Test certificate rotation scenarios

Constructors

Link copied to clipboard
constructor(pinnedCertificates: List<String> = emptyList(), allowLocalhostHttp: Boolean = false, minTlsVersion: TlsVersion = TlsVersion.TLS_1_2)

Properties

Link copied to clipboard
val allowLocalhostHttp: Boolean = false

Allow HTTP connections to localhost (INSECURE - testing only).

Link copied to clipboard
val minTlsVersion: TlsVersion

Minimum TLS version.

Link copied to clipboard
val pinnedCertificates: List<String>

List of SHA-256 public key fingerprints (base64-encoded).