SSLPinningX509TrustManager doubts

[fmestre01]

Good afternoon, how are you ?

please we have a question related to the SSLPinningX509TrustManager class.

When creating:

final SSLPinningX509TrustManager trustManager = new SSLPinningX509TrustManager(certStore);

final SSLSocketFactory sslSocketFactory = SSLPinningIntegration.createSSLPinningSocketFactory(trustManager);

httpClient.sslSocketFactory(sslSocketFactory, trustManager);

is the certificate validation already performed automatically for each request or is it necessary to manually call the validateCert function ?

In the SSLPinningX509TrustManager class whenever a certificate is invalid is it really necessary to launch a crash?

[petrdvorak]

Hello @fmestre01, thank you for the question! :)

Internally, the SSLPinningX509TrustManager uses the validateCert function to check the top-most certificate in the certificate chain. The implementation is not complicated, see the following code for details:

https://github.com/wultra/ssl-pinning-android/blob/develop/library/src/main/java/com/wultra/android/sslpinning/integration/SSLPinningX509TrustManager.kt#L38

The untrusted certificate does not crash the app. It raises the standard java.security.cert.CertificateException (as it would in case of any invalid TLS/SSL certificate, i.e., expired certificate or certificate for a wrong domain). You need to handle such exception in your code.

@TomasKypta Feel free to add more context.

[petrdvorak]

Hello @fmestre01, just quickly checking if you managed to resolve the issue. Let me know if I could be of any assistance.