search

datatheorem / TrustKit-Android

Easy SSL pinning validation and reporting for Android.
MIT License
588 stars 87 forks source link

domain-config without pin set results in ConfigurationException: Policy contains 0 domains to pin #53

Closed MaRuifeng closed 5 years ago

MaRuifeng commented 5 years ago

Describe the bug In the network_security_config.xml file, if there is a domain-config block without any pin set like below, an com.datatheorem.android.trustkit.config.ConfigurationException: Policy contains 0 domains to pin exception will be thrown upon app launch which causes the app to crash. I believe this results from the fix to #49 .

<domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">localhost</domain>
    <domain includeSubdomains="false">10.0.2.2</domain>
    <domain includeSubdomains="false">10.0.3.2</domain>
    <trustkit-config enforcePinning="false"/>
</domain-config>

Exception stack trace from logcat:

04-02 17:15:30.089 23250 23250 E AndroidRuntime: java.lang.RuntimeException: Unable to create application xxx.xxx.xxx.MainApplication: com.datatheorem.android.trustkit.config.ConfigurationException: Policy contains 0 domains to pin
04-02 17:15:30.089 23250 23250 E AndroidRuntime:    at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5876)
04-02 17:15:30.089 23250 23250 E AndroidRuntime:    at android.app.ActivityThread.access$1100(ActivityThread.java:199)
04-02 17:15:30.089 23250 23250 E AndroidRuntime:    at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1650)
04-02 17:15:30.089 23250 23250 E AndroidRuntime:    at android.os.Handler.dispatchMessage(Handler.java:106)
04-02 17:15:30.089 23250 23250 E AndroidRuntime:    at android.os.Looper.loop(Looper.java:193)
04-02 17:15:30.089 23250 23250 E AndroidRuntime:    at android.app.ActivityThread.main(ActivityThread.java:6669)
04-02 17:15:30.089 23250 23250 E AndroidRuntime:    at java.lang.reflect.Method.invoke(Native Method)
04-02 17:15:30.089 23250 23250 E AndroidRuntime:    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
04-02 17:15:30.089 23250 23250 E AndroidRuntime:    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:858)
04-02 17:15:30.089 23250 23250 E AndroidRuntime: Caused by: com.datatheorem.android.trustkit.config.ConfigurationException: Policy contains 0 domains to pin
04-02 17:15:30.089 23250 23250 E AndroidRuntime:    at com.datatheorem.android.trustkit.config.TrustKitConfiguration.<init>(TrustKitConfiguration.java:42)
04-02 17:15:30.089 23250 23250 E AndroidRuntime:    at com.datatheorem.android.trustkit.config.TrustKitConfiguration.<init>(TrustKitConfiguration.java:33)
04-02 17:15:30.089 23250 23250 E AndroidRuntime:    at com.datatheorem.android.trustkit.config.TrustKitConfigurationParser.fromXmlPolicy(TrustKitConfigurationParser.java:71)
04-02 17:15:30.089 23250 23250 E AndroidRuntime:    at com.datatheorem.android.trustkit.config.TrustKitConfiguration.fromXmlPolicy(TrustKitConfiguration.java:28)
04-02 17:15:30.089 23250 23250 E AndroidRuntime:    at com.datatheorem.android.trustkit.TrustKit.initializeWithNetworkSecurityConfiguration(TrustKit.java:311)
04-02 17:15:30.089 23250 23250 E AndroidRuntime:    at com.datatheorem.android.trustkit.TrustKit.initializeWithNetworkSecurityConfiguration(TrustKit.java:271)
04-02 17:15:30.089 23250 23250 E AndroidRuntime:    at com.hpb.nhp.MainApplication.onCreate(MainApplication.java:76)
04-02 17:15:30.089 23250 23250 E AndroidRuntime:    at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1154)
04-02 17:15:30.089 23250 23250 E AndroidRuntime:    at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5871)

To Reproduce Put above XML config block for clear text traffic in an RN (version >= 0.58) app with TrustKit module (v1.1.1) installed, run react-native run-android to install and launch it in an Android emulator. The app will crash upon launch and the above exception messages can be read via logcat.

Expected behavior Domains without pin set should just be ignored as promised in the release notes of version 1.1.1.

TrustKit version 1.1.1

App details: App target SDK: 28.0.3 App language: JS/React Native Android version to reproduce the bug: Andorid 9.0.

MaRuifeng commented 5 years ago

Taking a look at the commit to fix issue #49 , below code portion indicates that only non-null DomainPinningPolicy is added to the domainConfigSet.

https://github.com/datatheorem/TrustKit-Android/blob/5759dbc171b1d29ad847f941b54f5c5d5d7d5fd0/trustkit/src/main/java/com/datatheorem/android/trustkit/config/TrustKitConfigurationParser.java#L56-L72

When instantiating the TrustKitConfiguration object, the mentioned exception is thrown when the domainConfigSet has a size less than 1.

https://github.com/datatheorem/TrustKit-Android/blob/890f15beda5491bd49cb2cf08cee67988e003cf0/trustkit/src/main/java/com/datatheorem/android/trustkit/config/TrustKitConfiguration.java#L36-L56

This part may need to be reworked.

nabla-c0d3 commented 5 years ago

Thanks for the detailed report - it all makes sense.

nabla-c0d3 commented 5 years ago

Fixed in 1.1.2