/**
 * Creates a trust manager that performs path, hostname and pinning validation for a single
 * hostname, and that sends pinning failure reports when validation fails.
 *
 * <p>Before Android N, the PinningTrustManager implements pinning validation itself. On
 * Android N and later, the OS implementation is used for pinning validation instead.
 *
 * <p>Security note: on API level below 17 the wrapped trust manager is stored as {@code null},
 * because X509TrustManagerExtensions is not available there, and no pinning validation is
 * performed at all. NOTE(review): every user of that field has to handle {@code null}; confirm
 * that path and hostname validation are still enforced on those devices rather than skipped.
 *
 * @param serverHostname The hostname of the server whose identity is being validated. It is
 *                       checked against the name(s) the leaf certificate was issued for during
 *                       hostname validation.
 * @param serverConfig The pinning policy to enforce during pinning validation.
 * @param baselineTrustManager The trust manager to use for path validation.
 */
public PinningTrustManager(@NonNull String serverHostname,
                           @NonNull DomainPinningPolicy serverConfig,
                           @NonNull X509TrustManager baselineTrustManager) {
    // Remember which server this instance validates and under which policy.
    this.serverHostname = serverHostname;
    this.serverConfig = serverConfig;

    // X509TrustManagerExtensions only exists from API level 17 onwards.
    final boolean extensionsAvailable = Build.VERSION.SDK_INT >= 17;

    // When available, the default trust manager is wrapped in the Android-specific
    // X509TrustManagerExtensions. The wrapper performs regular SSL validation and returns the
    // cleaned/verified server certificate chain that pinning validation needs. Its
    // checkServerTrusted() also accepts the hostname, which lets it call the (system)
    // RootTrustManager on Android N.
    // Otherwise the field stays null and there is no pinning validation at all.
    this.baselineTrustManager = extensionsAvailable
            ? new X509TrustManagerExtensions(baselineTrustManager)
            : null;
}
/**
 * Wraps the supplied trust manager in an {@code X509TrustManagerExtensions} instance and keeps
 * it for later use.
 *
 * <p>{@code @SuppressLint("NewApi")} silences the lint API-level check for this constructor, so
 * the build will not warn if it is reached on a platform that lacks
 * {@code X509TrustManagerExtensions} (added in API level 17).
 * NOTE(review): nothing here checks {@code Build.VERSION.SDK_INT}; confirm that callers only
 * instantiate this class on API 17 or later.
 *
 * @param trustManager the trust manager to wrap
 */
@SuppressLint("NewApi")
public X509TrustManagerJellyBean(X509TrustManager trustManager) {
    final X509TrustManagerExtensions extensions = new X509TrustManagerExtensions(trustManager);
    this.mTrustManagerExtensions = extensions;
}