Added support for API 36 checkServerTrusted (#139)

EpariNigam · web-flow · commit 188b519b6771 · 2025-05-11T17:14:57.000+01:00
diff --git a/certificatetransparency/src/main/kotlin/com/appmattus/certificatetransparency/internal/verifier/CertificateTransparencyTrustManagerBasic.kt b/certificatetransparency/src/main/kotlin/com/appmattus/certificatetransparency/internal/verifier/CertificateTransparencyTrustManagerBasic.kt
@@ -69,6 +69,19 @@ internal class CertificateTransparencyTrustManagerBasic(
         null
     }
 
+    private val checkServerTrustedMethodApi36: Method? = try {
+        delegate::class.java.getDeclaredMethod(
+            "checkServerTrusted",
+            Array<X509Certificate>::class.java,
+            ByteArray::class.java,
+            ByteArray::class.java,
+            String::class.java,
+            String::class.java
+        )
+    } catch (ignored: NoSuchMethodException) {
+        null
+    }
+
     private val isSameTrustConfigurationMethod: Method? = try {
         delegate::class.java.getDeclaredMethod("isSameTrustConfiguration", String::class.java, String::class.java)
     } catch (ignored: NoSuchMethodException) {
@@ -118,6 +131,29 @@ internal class CertificateTransparencyTrustManagerBasic(
         return certs
     }
 
+    // Called through reflection by X509TrustManagerExtensions on Android
+    @Suppress("unused")
+    fun checkServerTrusted(
+        chain: Array<out X509Certificate>,
+        ocspData: ByteArray?,
+        tlsSctData: ByteArray?,
+        authType: String,
+        host: String
+    ): List<X509Certificate> {
+        @Suppress("UNCHECKED_CAST")
+        val certs = checkServerTrustedMethodApi36!!.invoke(delegate, chain, ocspData, tlsSctData, authType, host) as List<X509Certificate>
+
+        val result = verifyCertificateTransparency(host, certs.toList())
+
+        logger?.log(host, result)
+
+        if (result is VerificationResult.Failure && failOnError()) {
+            throw CertificateException("Certificate transparency failed")
+        }
+
+        return certs
+    }
+
     // Called through reflection by X509TrustManagerExtensions on Android
     @Suppress("unused")
     fun isSameTrustConfiguration(hostname1: String?, hostname2: String?): Boolean {
diff --git a/certificatetransparency/src/main/kotlin/com/appmattus/certificatetransparency/internal/verifier/CertificateTransparencyTrustManagerExtended.kt b/certificatetransparency/src/main/kotlin/com/appmattus/certificatetransparency/internal/verifier/CertificateTransparencyTrustManagerExtended.kt
@@ -37,7 +37,7 @@ import javax.net.ssl.SSLEngine
 import javax.net.ssl.X509ExtendedTrustManager
 import javax.net.ssl.X509TrustManager
 
-@Suppress("LongParameterList", "CustomX509TrustManager", "NewApi")
+@Suppress("LongParameterList", "CustomX509TrustManager", "NewApi", "TooManyFunctions")
 internal class CertificateTransparencyTrustManagerExtended(
     private val delegate: X509TrustManager,
     includeHosts: Set<Host>,
@@ -72,6 +72,19 @@ internal class CertificateTransparencyTrustManagerExtended(
         null
     }
 
+    private val checkServerTrustedMethodApi36: Method? = try {
+        delegate::class.java.getDeclaredMethod(
+            "checkServerTrusted",
+            Array<X509Certificate>::class.java,
+            ByteArray::class.java,
+            ByteArray::class.java,
+            String::class.java,
+            String::class.java
+        )
+    } catch (ignored: NoSuchMethodException) {
+        null
+    }
+
     private val isSameTrustConfigurationMethod: Method? = try {
         delegate::class.java.getDeclaredMethod("isSameTrustConfiguration", String::class.java, String::class.java)
     } catch (ignored: NoSuchMethodException) {
@@ -154,6 +167,29 @@ internal class CertificateTransparencyTrustManagerExtended(
         return certs
     }
 
+    // Called through reflection by X509TrustManagerExtensions on Android
+    @Suppress("unused")
+    fun checkServerTrusted(
+        chain: Array<out X509Certificate>,
+        ocspData: ByteArray?,
+        tlsSctData: ByteArray?,
+        authType: String,
+        host: String
+    ): List<X509Certificate> {
+        @Suppress("UNCHECKED_CAST")
+        val certs = checkServerTrustedMethodApi36!!.invoke(delegate, chain, ocspData, tlsSctData, authType, host) as List<X509Certificate>
+
+        val result = verifyCertificateTransparency(host, certs.toList())
+
+        logger?.log(host, result)
+
+        if (result is VerificationResult.Failure && failOnError()) {
+            throw CertificateException("Certificate transparency failed")
+        }
+
+        return certs
+    }
+
     // Called through reflection by X509TrustManagerExtensions on Android
     @Suppress("unused")
     fun isSameTrustConfiguration(hostname1: String?, hostname2: String?): Boolean {
