Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Chromium checkClientTrusted checkServerTrusted Arguments mismatch? #72

Open
KardRi opened this issue Aug 30, 2024 · 0 comments
Open

Chromium checkClientTrusted checkServerTrusted Arguments mismatch? #72

KardRi opened this issue Aug 30, 2024 · 0 comments

Comments

@KardRi
Copy link

KardRi commented Aug 30, 2024
edited
Loading

Update: It seems that chromium would call

public List<X509Certificate> checkServerTrusted (X509Certificate[] chain, String authType, String host)

, and the latest commit, trust manager will return ImSureItsLegitExtendedTrustManager anyways and break the method in ImSureItsLegitTrustManager.

I have managed to switch it back and build. The pinning bypass is successful though the logs still show some errors.

08-30 15:08:46.050  8209  8653 E cr_X509Util: checkServerTrusted() unexpectedly threw: %s
08-30 15:08:46.050  8209  8653 E cr_X509Util: java.lang.ClassCastException: Return value's type from hook callback does not match the hooked method
08-30 15:08:46.050  8209  8653 E cr_X509Util:   at J.callback(Unknown Source:324)
08-30 15:08:46.050  8209  8653 E cr_X509Util:   at LSPHooker_.checkServerTrusted(Unknown Source:17)
08-30 15:08:46.050  8209  8653 E cr_X509Util:   at WV.RY.h(chromium-TrichromeWebViewGoogle6432.aab-stable-653310333:124)
08-30 15:08:46.050  8209  8653 E cr_X509Util:   at org.chromium.net.AndroidNetworkLibrary.verifyServerCertificates(chromium-TrichromeWebViewGoogle6432.aab-stable-653310333:2)
08-30 15:08:46.050  8209  8653 I cr_X509Util: Failed to validate the certificate chain, error: java.lang.ClassCastException: Return value's type from hook callback does not match the hooked method
08-30 15:08:46.053  8209  8659 E chromium: [ERROR:ssl_client_socket_impl.cc(883)] handshake failed; returned -1, SSL error code 1, net_error -202
08-30 15:08:46.657  8209  8653 E cr_X509Util: checkServerTrusted() unexpectedly threw: %s
08-30 15:08:46.657  8209  8653 E cr_X509Util: java.lang.ClassCastException: Return value's type from hook callback does not match the hooked method
08-30 15:08:46.657  8209  8653 E cr_X509Util:   at J.callback(Unknown Source:324)
08-30 15:08:46.657  8209  8653 E cr_X509Util:   at LSPHooker_.checkServerTrusted(Unknown Source:17)
08-30 15:08:46.657  8209  8653 E cr_X509Util:   at WV.RY.h(chromium-TrichromeWebViewGoogle6432.aab-stable-653310333:124)
08-30 15:08:46.657  8209  8653 E cr_X509Util:   at org.chromium.net.AndroidNetworkLibrary.verifyServerCertificates(chromium-TrichromeWebViewGoogle6432.aab-stable-653310333:2)
08-30 15:08:46.657  8209  8653 I cr_X509Util: Failed to validate the certificate chain, error: java.lang.ClassCastException: Return value's type from hook callback does not match the hooked method
08-30 15:08:46.669  8209  8659 E chromium: [ERROR:ssl_client_socket_impl.cc(883)] handshake failed; returned -1, SSL error code 1, net_error -202

---------------------------Original Content----------------------------
(Android 13)
I met the following error for the webview embedded in an app, which seems to be chromium

08-28 11:17:47.951 29003 29094 E cr_X509Util: Error creating trust manager (just.trust.me.Main$ImSureItsLegitExtendedTrustManager): java.lang.IllegalArgumentException: Required method checkServerTrusted(X509Certificate[], String, String, String) missing
08-28 11:17:47.951 29003 29094 E cr_X509Util: Could not find suitable trust manager
08-28 11:17:47.954 29003 29094 E cr_X509Util: Error creating trust manager (just.trust.me.Main$ImSureItsLegitExtendedTrustManager): java.lang.IllegalArgumentException: Required method checkServerTrusted(X509Certificate[], String, String, String) missing
08-28 11:17:47.954 29003 29094 E cr_X509Util: Could not find suitable trust manager
08-28 11:17:47.956 29003 29098 E chromium: [ERROR:ssl_client_socket_impl.cc(883)] handshake failed; returned -1, SSL error code 1, net_error -2

The first line seems to generate from here.

After looking into Main.java to match the arguments X509Certificate[], String, String, String in class ImSureItsLegitExtendedTrustManager, I do some modify as follows, but fail to build.

So I would like to know how to find the correspond trustmanager being invoked from, and how do I actually implement this, because javax.net.ssl.X509ExtendedTrustManager doesn't seems to have X509Certificate[], String, String, String, but android.net.http.X509TrustManagerExtensions does have ?

Edit: The exception hint X509Certificate[], String, String, String is misleading, however ImSureItsLegitExtendedTrustManager inherits from javax.net.ssl.X509ExtendedTrustManager doesn't have X509Certificate[] chain, String authType, String host, I tried to add but couldn't work.

https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/net/http/X509TrustManagerExtensions.java#66 Does have something like this

    public X509TrustManagerExtensions(X509TrustManager tm) throws IllegalArgumentException {
        if (tm instanceof TrustManagerImpl) {
            mDelegate = (TrustManagerImpl) tm;
            mTrustManager = null;
            mCheckServerTrusted = null;
            mIsSameTrustConfiguration = null;
            return;
        }
        // Use duck typing if possible.
        mDelegate = null;
        mTrustManager = tm;
        // Check that the hostname aware checkServerTrusted is present.
        try {
            ///////////////////// **The Strange Part** ////////////////////////
            mCheckServerTrusted = tm.getClass().getMethod("checkServerTrusted",
                    X509Certificate[].class,
                    String.class,
                    String.class);
        } catch (NoSuchMethodException e) {
            throw new IllegalArgumentException("Required method"
                    + " checkServerTrusted(X509Certificate[], String, String, String) missing");
        }
        // Get the option isSameTrustConfiguration method.
        Method isSameTrustConfiguration = null;
        try {
            isSameTrustConfiguration = tm.getClass().getMethod("isSameTrustConfiguration",
                    String.class,
                    String.class);
        } catch (ReflectiveOperationException ignored) {
        }
        mIsSameTrustConfiguration = isSameTrustConfiguration;
    }

and https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/android/java/src/org/chromium/net/X509Util.java#586 is asking for a List, but I just couldn't know what to modify.

        synchronized (sLock) {
            // If no trust manager was found, fail without crashing on the null pointer.
            if (sDefaultTrustManager == null) {
                return new AndroidCertVerifyResult(CertVerifyStatusAndroid.FAILED);
            }
            List<X509Certificate> verifiedChain = null;
            try {
                verifiedChain =
                        checkServerTrustedIgnoringRuntimeException(
                                sDefaultTrustManager, serverCertificates, authType, host);
            } catch (CertificateException eDefaultManager) {
                if (sTestTrustManager != null) {
                    try {
                        verifiedChain =
                                checkServerTrustedIgnoringRuntimeException(
                                        sTestTrustManager, serverCertificates, authType, host);
                    } catch (CertificateException eTestManager) {
                        // See following if block.
                    }
                }
                if (verifiedChain == null) {
                    // Neither of the trust managers confirms the validity of the certificate chain,
                    // log the error message returned by the system trust manager.
                    Log.i(
                            TAG,
                            "Failed to validate the certificate chain, error: "
                                    + eDefaultManager.getMessage());
                    return new AndroidCertVerifyResult(CertVerifyStatusAndroid.NO_TRUSTED_ROOT);
                }
            }
            boolean isIssuedByKnownRoot = false;
            if (verifiedChain.size() > 0) {
                X509Certificate root = verifiedChain.get(verifiedChain.size() - 1);
                isIssuedByKnownRoot = isKnownRoot(root);
            }
            return new AndroidCertVerifyResult(
                    CertVerifyStatusAndroid.OK, isIssuedByKnownRoot, verifiedChain);
        }
Modification (Last two functions) 
@TargetApi(Build.VERSION_CODES.N)
    private class ImSureItsLegitExtendedTrustManager extends X509ExtendedTrustManager {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {

        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {

        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {

        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {

        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {

        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {

        }

        // @Override
        public List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String authType, String host) throws CertificateException {
            ArrayList<X509Certificate> list = new ArrayList<X509Certificate>();
            return list;
        }
        // @Override
        public List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String authType, String host) throws CertificateException {
            ArrayList<X509Certificate> list = new ArrayList<X509Certificate>();
            return list;
        }



        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

ErrMSG

/home/***/JustTrustMe/app/src/main/java/just/trust/me/Main.java:621: error: method checkServerTrusted(X509Certificate[],String,String) is already defined in class Main.ImSureItsLegitExtendedTrustManager
public List checkServerTrusted(X509Certificate[] chain, String authType, String host) throws CertificateException {
^
Note: /home/***/JustTrustMe/app/src/main/java/just/trust/me/Main.java uses or overrides a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
1 error
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@KardRi