Update: It seems that chromium would call
public List<X509Certificate> checkServerTrusted (X509Certificate[] chain, String authType, String host)
, and the latest commit, trust manager will return ImSureItsLegitExtendedTrustManager
anyways and break the method in ImSureItsLegitTrustManager
.
I have managed to switch it back and build. The pinning bypass is successful though the logs still show some errors.
08-30 15:08:46.050 8209 8653 E cr_X509Util: checkServerTrusted() unexpectedly threw: %s
08-30 15:08:46.050 8209 8653 E cr_X509Util: java.lang.ClassCastException: Return value's type from hook callback does not match the hooked method
08-30 15:08:46.050 8209 8653 E cr_X509Util: at J.callback(Unknown Source:324)
08-30 15:08:46.050 8209 8653 E cr_X509Util: at LSPHooker_.checkServerTrusted(Unknown Source:17)
08-30 15:08:46.050 8209 8653 E cr_X509Util: at WV.RY.h(chromium-TrichromeWebViewGoogle6432.aab-stable-653310333:124)
08-30 15:08:46.050 8209 8653 E cr_X509Util: at org.chromium.net.AndroidNetworkLibrary.verifyServerCertificates(chromium-TrichromeWebViewGoogle6432.aab-stable-653310333:2)
08-30 15:08:46.050 8209 8653 I cr_X509Util: Failed to validate the certificate chain, error: java.lang.ClassCastException: Return value's type from hook callback does not match the hooked method
08-30 15:08:46.053 8209 8659 E chromium: [ERROR:ssl_client_socket_impl.cc(883)] handshake failed; returned -1, SSL error code 1, net_error -202
08-30 15:08:46.657 8209 8653 E cr_X509Util: checkServerTrusted() unexpectedly threw: %s
08-30 15:08:46.657 8209 8653 E cr_X509Util: java.lang.ClassCastException: Return value's type from hook callback does not match the hooked method
08-30 15:08:46.657 8209 8653 E cr_X509Util: at J.callback(Unknown Source:324)
08-30 15:08:46.657 8209 8653 E cr_X509Util: at LSPHooker_.checkServerTrusted(Unknown Source:17)
08-30 15:08:46.657 8209 8653 E cr_X509Util: at WV.RY.h(chromium-TrichromeWebViewGoogle6432.aab-stable-653310333:124)
08-30 15:08:46.657 8209 8653 E cr_X509Util: at org.chromium.net.AndroidNetworkLibrary.verifyServerCertificates(chromium-TrichromeWebViewGoogle6432.aab-stable-653310333:2)
08-30 15:08:46.657 8209 8653 I cr_X509Util: Failed to validate the certificate chain, error: java.lang.ClassCastException: Return value's type from hook callback does not match the hooked method
08-30 15:08:46.669 8209 8659 E chromium: [ERROR:ssl_client_socket_impl.cc(883)] handshake failed; returned -1, SSL error code 1, net_error -202
---------------------------Original Content----------------------------
(Android 13)
I met the following error for the webview embedded in an app, which seems to be chromium
08-28 11:17:47.951 29003 29094 E cr_X509Util: Error creating trust manager (just.trust.me.Main$ImSureItsLegitExtendedTrustManager): java.lang.IllegalArgumentException: Required method checkServerTrusted(X509Certificate[], String, String, String) missing
08-28 11:17:47.951 29003 29094 E cr_X509Util: Could not find suitable trust manager
08-28 11:17:47.954 29003 29094 E cr_X509Util: Error creating trust manager (just.trust.me.Main$ImSureItsLegitExtendedTrustManager): java.lang.IllegalArgumentException: Required method checkServerTrusted(X509Certificate[], String, String, String) missing
08-28 11:17:47.954 29003 29094 E cr_X509Util: Could not find suitable trust manager
08-28 11:17:47.956 29003 29098 E chromium: [ERROR:ssl_client_socket_impl.cc(883)] handshake failed; returned -1, SSL error code 1, net_error -2
The first line seems to generate from here.
After looking into Main.java to match the arguments X509Certificate[], String, String, String
in class ImSureItsLegitExtendedTrustManager
, I do some modify as follows, but fail to build.
So I would like to know how to find the correspond trustmanager being invoked from, and how do I actually implement this, because javax.net.ssl.X509ExtendedTrustManager doesn't seems to have X509Certificate[], String, String, String
, but android.net.http.X509TrustManagerExtensions does have ?
Edit: The exception hint X509Certificate[], String, String, String
is misleading, however ImSureItsLegitExtendedTrustManager
inherits from javax.net.ssl.X509ExtendedTrustManager
doesn't have X509Certificate[] chain, String authType, String host
, I tried to add but couldn't work.
https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/net/http/X509TrustManagerExtensions.java#66 Does have something like this
public X509TrustManagerExtensions(X509TrustManager tm) throws IllegalArgumentException {
if (tm instanceof TrustManagerImpl) {
mDelegate = (TrustManagerImpl) tm;
mTrustManager = null;
mCheckServerTrusted = null;
mIsSameTrustConfiguration = null;
return;
}
// Use duck typing if possible.
mDelegate = null;
mTrustManager = tm;
// Check that the hostname aware checkServerTrusted is present.
try {
///////////////////// **The Strange Part** ////////////////////////
mCheckServerTrusted = tm.getClass().getMethod("checkServerTrusted",
X509Certificate[].class,
String.class,
String.class);
} catch (NoSuchMethodException e) {
throw new IllegalArgumentException("Required method"
+ " checkServerTrusted(X509Certificate[], String, String, String) missing");
}
// Get the option isSameTrustConfiguration method.
Method isSameTrustConfiguration = null;
try {
isSameTrustConfiguration = tm.getClass().getMethod("isSameTrustConfiguration",
String.class,
String.class);
} catch (ReflectiveOperationException ignored) {
}
mIsSameTrustConfiguration = isSameTrustConfiguration;
}
and https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/android/java/src/org/chromium/net/X509Util.java#586 is asking for a List, but I just couldn't know what to modify.
synchronized (sLock) {
// If no trust manager was found, fail without crashing on the null pointer.
if (sDefaultTrustManager == null) {
return new AndroidCertVerifyResult(CertVerifyStatusAndroid.FAILED);
}
List<X509Certificate> verifiedChain = null;
try {
verifiedChain =
checkServerTrustedIgnoringRuntimeException(
sDefaultTrustManager, serverCertificates, authType, host);
} catch (CertificateException eDefaultManager) {
if (sTestTrustManager != null) {
try {
verifiedChain =
checkServerTrustedIgnoringRuntimeException(
sTestTrustManager, serverCertificates, authType, host);
} catch (CertificateException eTestManager) {
// See following if block.
}
}
if (verifiedChain == null) {
// Neither of the trust managers confirms the validity of the certificate chain,
// log the error message returned by the system trust manager.
Log.i(
TAG,
"Failed to validate the certificate chain, error: "
+ eDefaultManager.getMessage());
return new AndroidCertVerifyResult(CertVerifyStatusAndroid.NO_TRUSTED_ROOT);
}
}
boolean isIssuedByKnownRoot = false;
if (verifiedChain.size() > 0) {
X509Certificate root = verifiedChain.get(verifiedChain.size() - 1);
isIssuedByKnownRoot = isKnownRoot(root);
}
return new AndroidCertVerifyResult(
CertVerifyStatusAndroid.OK, isIssuedByKnownRoot, verifiedChain);
}
Modification (Last two functions)
@TargetApi(Build.VERSION_CODES.N)
private class ImSureItsLegitExtendedTrustManager extends X509ExtendedTrustManager {
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
// @Override
public List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String authType, String host) throws CertificateException {
ArrayList<X509Certificate> list = new ArrayList<X509Certificate>();
return list;
}
// @Override
public List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String authType, String host) throws CertificateException {
ArrayList<X509Certificate> list = new ArrayList<X509Certificate>();
return list;
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
}
ErrMSG
/home/***/JustTrustMe/app/src/main/java/just/trust/me/Main.java:621: error: method checkServerTrusted(X509Certificate[],String,String) is already defined in class Main.ImSureItsLegitExtendedTrustManager
public List checkServerTrusted(X509Certificate[] chain, String authType, String host) throws CertificateException {
^
Note: /home/***/JustTrustMe/app/src/main/java/just/trust/me/Main.java uses or overrides a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
1 error