
JSSE: add Android non-standard checkServerTrusted() in X509TrustManager#288

Merged
rlm2002 merged 2 commits into wolfSSL:master from cconlon:androidCheckServer
Dec 17, 2025


@cconlon cconlon commented Sep 25, 2025

This PR implements the following non-standard Android X509TrustManager API:

public List<X509Certificate> checkServerTrusted (X509Certificate[] chain, 
                byte[] ocspData, 
                byte[] tlsSctData, 
                String authType, 
                String host)

This also verifies OCSP response data if passed in using native wolfSSL's CertManager functionality. tlsSctData is ignored since native wolfSSL does not support SCT.

This includes unit tests of this functionality as well.

@cconlon cconlon self-assigned this Sep 25, 2025
@cconlon cconlon requested a review from Copilot September 25, 2025 22:36
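
The method shape described in the PR description above, as an added example that is not part of the PR or of wolfSSL's code: a trust manager with the same five-argument signature, built on the JDK's PKIX classes, that checks a supplied OCSP response for the leaf certificate and accepts but does not evaluate `tlsSctData`. The class name and the caller-supplied trust anchors are assumptions, the chain is assumed to be ordered leaf first, and hostname checking is left to the caller.

```java
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.X509TrustManager;

// Added illustration built on JDK PKIX classes; not wolfSSL JNI/JSSE code.
public final class StapledOcspTrustManager implements X509TrustManager {
    private final Set<TrustAnchor> anchors; // assumption: roots supplied by caller
    public StapledOcspTrustManager(Set<TrustAnchor> anchors) { this.anchors = anchors; }

    // Same parameter list as the Android method in the PR description.
    public List<X509Certificate> checkServerTrusted(X509Certificate[] chain,
            byte[] ocspData, byte[] tlsSctData, String authType, String host)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("empty certificate chain");
        }
        try {
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false); // no default CRL/OCSP fetching
            if (ocspData != null && ocspData.length > 0) {
                // Tie the supplied response to the leaf (chain[0]); check only the leaf.
                PKIXRevocationChecker rc =
                    (PKIXRevocationChecker) validator.getRevocationChecker();
                rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.ONLY_END_ENTITY,
                                         PKIXRevocationChecker.Option.NO_FALLBACK));
                rc.setOcspResponses(Collections.singletonMap(chain[0], ocspData));
                params.addCertPathChecker(rc); // used even with revocation disabled
            }
            // tlsSctData and host are accepted but not evaluated in this example.
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Arrays.asList(chain));
            validator.validate(path, params); // throws on any path or OCSP failure
        } catch (GeneralSecurityException e) {
            throw new CertificateException("server chain rejected", e);
        }
        return Arrays.asList(chain); // input chain, assumed leaf first
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        checkServerTrusted(chain, null, null, authType, null);
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        throw new CertificateException("client authentication not handled here");
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
```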

Copilot AI left a comment


Pull Request Overview

This PR implements the non-standard Android X509TrustManager API that includes OCSP and SCT data parameters for certificate chain validation. The implementation adds OCSP response verification using native wolfSSL's CertManager functionality while ignoring SCT data since wolfSSL doesn't support it.

Key Changes:

  • Added Android-specific checkServerTrusted method with OCSP/SCT parameters
  • Implemented OCSP response validation through native wolfSSL CertManager
  • Added comprehensive unit tests for the new functionality

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| WolfSSLTrustX509.java | Implements the Android-specific checkServerTrusted method with OCSP validation |
| WolfSSLCertManager.java | Adds CertManagerCheckOCSPResponse method for OCSP response validation |
| com_wolfssl_WolfSSLCertManager.h | Declares native JNI method for OCSP response checking |
| com_wolfssl_WolfSSLCertManager.c | Implements native OCSP response validation using wolfSSL |
| WolfSSLTrustX509Test.java | Comprehensive test suite for the new Android API functionality |


Comment thread src/java/com/wolfssl/provider/jsse/WolfSSLTrustX509.java Outdated
Comment thread src/java/com/wolfssl/provider/jsse/WolfSSLTrustX509.java
Comment thread src/test/com/wolfssl/provider/jsse/test/WolfSSLTrustX509Test.java Outdated
Comment thread src/test/com/wolfssl/provider/jsse/test/WolfSSLTrustX509Test.java Outdated
Comment thread native/com_wolfssl_WolfSSLCertManager.c Outdated

Copilot AI left a comment


Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 5 comments.



Comment thread src/test/com/wolfssl/provider/jsse/test/WolfSSLTrustX509Test.java
Comment thread src/test/com/wolfssl/provider/jsse/test/WolfSSLTrustX509Test.java Outdated
Comment thread src/test/com/wolfssl/provider/jsse/test/WolfSSLTrustX509Test.java Outdated
Comment thread src/test/com/wolfssl/provider/jsse/test/WolfSSLTrustX509Test.java Outdated
Comment thread src/test/com/wolfssl/provider/jsse/test/WolfSSLTrustX509Test.java Outdated
@cconlon cconlon force-pushed the androidCheckServer branch 2 times, most recently from 88a0110 to 8db9ab6 Compare December 17, 2025 18:39
@cconlon cconlon requested a review from Copilot December 17, 2025 18:40

Copilot AI left a comment


Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 4 comments.



Comment thread src/test/com/wolfssl/provider/jsse/test/WolfSSLTrustX509Test.java
Comment thread src/java/com/wolfssl/WolfSSLCertManager.java Outdated
Comment thread src/java/com/wolfssl/provider/jsse/WolfSSLTrustX509.java Outdated
Comment thread src/test/com/wolfssl/provider/jsse/test/WolfSSLTrustX509Test.java Outdated
@cconlon cconlon assigned rlm2002 and unassigned cconlon Dec 17, 2025
@rlm2002 rlm2002 merged commit 8822d49 into wolfSSL:master Dec 17, 2025
57 checks passed