Summary
Add runtime configuration file support for certificate pins to complement existing hardcoded defaults.
Motivation
- Enable pin updates without recompilation in production
- Support emergency certificate rotations
- Allow environment-specific pins (dev/staging/prod)
Proposed Solution
Implement hybrid approach in CertificatePinner::initializeDefaultPins():
- Try loading from config/certificate_pins.json first
- Fall back to hardcoded pins if file doesn't exist
- Maintain backward compatibility
Implementation Notes
- Documentation already covers this approach (CERTIFICATE_PINNING.md:108-130)
- Keep hardcoded pins as safe defaults
- Add JSON schema validation for config file
Phase
Phase 4 - Production Deployment
References
core/utils/CertificatePinner.cpp:166-187
docs/security/CERTIFICATE_PINNING.md
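A sketch of the fallback decision in the proposed hybrid approach, as an added example that is not the project's code: a config file that is present but malformed is rejected whole and the hardcoded pins stay active, so a bad edit never leaves a host with an empty pin set. `PinMap`, `isValidPin`, `isValidPinMap` and `selectPins` are hypothetical names, the `sha256/<base64>` pin format is an assumption, and JSON parsing is left to whichever parser the project uses.

```cpp
#include <cctype>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Assumed parsed form of config/certificate_pins.json: host -> list of pins.
using PinMap = std::map<std::string, std::vector<std::string>>;

// Assumed pin format: "sha256/" + base64 of a 32-byte digest (43 chars and one '=').
bool isValidPin(const std::string& pin) {
    const std::string prefix = "sha256/";
    if (pin.size() != prefix.size() + 44) return false;
    if (pin.compare(0, prefix.size(), prefix) != 0) return false;
    for (std::size_t i = prefix.size(); i < pin.size() - 1; ++i) {
        unsigned char c = static_cast<unsigned char>(pin[i]);
        if (!std::isalnum(c) && c != '+' && c != '/') return false;
    }
    return pin.back() == '=';
}

// Whole-file validation: one bad entry rejects the file, so a typo cannot
// produce a partial or empty pin set for any host.
bool isValidPinMap(const PinMap& pins) {
    if (pins.empty()) return false;
    for (const auto& entry : pins) {
        if (entry.first.empty() || entry.second.empty()) return false;
        for (const auto& pin : entry.second)
            if (!isValidPin(pin)) return false;
    }
    return true;
}

// fromFile == nullptr models "file missing or unparsable".
// usedDefaults is set so the caller can log which pin source is active.
PinMap selectPins(const PinMap* fromFile, const PinMap& hardcoded, bool& usedDefaults) {
    usedDefaults = (fromFile == nullptr) || !isValidPinMap(*fromFile);
    return usedDefaults ? hardcoded : *fromFile;
}

int main() {
    // Constructed sample values, not real pins.
    const PinMap hardcoded = {{"api.example.com", {"sha256/" + std::string(43, 'A') + "="}}};
    const PinMap fromFile = {{"api.example.com", {"sha256/short"}}};  // malformed entry
    bool usedDefaults = false;
    PinMap active = selectPins(&fromFile, hardcoded, usedDefaults);
    std::printf("source: %s, hosts: %zu\n", usedDefaults ? "hardcoded" : "file", active.size());
    return 0;
}
```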