datatheorem / TrustKit-Android

Easy SSL pinning validation and reporting for Android.
MIT License

Debug certificate resource can not be parsed #60

Closed JulienNevo closed 3 years ago

JulienNevo commented 4 years ago

Giving a debug certificate in the network_security_config.xml does not work. This only reveals itself on API < 24, as the certificate is read by TrustKit and not the Android system, but the parsing fails in all cases.

```xml
<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">test.com</domain>
        <pin-set>
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>

        <trustkit-config enforcePinning="true" disableDefaultReportUri="true" />
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <!-- Use a debug certificate -->
            <certificates overridePins="false" src="@raw/certificate" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

When debugging the TrustKit initialization, the `TrustKitConfigurationParser#readDebugOverrides` line `String caPathFromUser = parser.getAttributeValue(null, "src").trim();` returns `@2131558400` instead of the expected `@raw/certificate`.

This is probably because aapt converts all the references instead of keeping raw strings.

As a result, the parser skips this resource, because it does not start with `@raw`.

To Reproduce

Use the network file with a certificate on API < 24; it will not be read and thus not used in subsequent HTTP calls.

App details:
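The mechanism behind the report above is that aapt compiles a resource reference such as `@raw/certificate` inside a compiled XML resource into a reference entry, so `getAttributeValue(null, "src")` on an `XmlResourceParser` hands back the string form `@<decimal resource id>` (here `@2131558400`, i.e. `0x7F0E0000`) rather than the text written in the file. A prefix check against `@raw` can therefore never match a compiled reference. The helper below is an added example, not TrustKit's code and not the change made in the linked pull request: it resolves the `src` attribute the way the platform's own network security config parser does, by asking for the attribute as a resource reference first and only then falling back to the string forms. It assumes the config is read as compiled resource XML (an `XmlResourceParser` obtained through `Resources.getXml()`); the class and method names (`DebugCertSource`, `resolveCertificateSource`, `parseResourceReference`, `loadCertificates`) are invented for the example.

```java
// Added example, not TrustKit-Android's own code. Resolves the src attribute of a
// <certificates> element in a compiled network_security_config.xml, handling the
// compiled "@2131558400" form that aapt produces as well as the literal strings.
// All class/method names here are assumptions made for the example.
package example;

import android.content.Context;
import android.content.res.Resources;
import android.content.res.XmlResourceParser;

import java.io.IOException;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

public final class DebugCertSource {

    /** What a <certificates src="..."/> entry points at. */
    public enum Kind { SYSTEM, USER, RESOURCE }

    public static final class CertSource {
        public final Kind kind;
        public final int resId; // meaningful only when kind == RESOURCE
        CertSource(Kind kind, int resId) { this.kind = kind; this.resId = resId; }
    }

    /**
     * Ask for src as a resource reference first. For a compiled reference this
     * returns the resource ID directly, no matter whether the file said
     * "@raw/certificate" or the compiled "@2131558400", so no prefix check is needed.
     * Only if that fails is the raw string consulted for "system"/"user" or an
     * uncompiled "@raw/name" string (e.g. a config parsed from a plain file).
     */
    public static CertSource resolveCertificateSource(Context context, XmlResourceParser parser) {
        int resId = parser.getAttributeResourceValue(null, "src", 0);
        if (resId != 0) {
            return new CertSource(Kind.RESOURCE, resId);
        }

        String src = parser.getAttributeValue(null, "src");
        if (src == null) {
            throw new IllegalArgumentException("<certificates> is missing the src attribute");
        }
        src = src.trim();
        if (src.equals("system")) return new CertSource(Kind.SYSTEM, 0);
        if (src.equals("user")) return new CertSource(Kind.USER, 0);

        resId = parseResourceReference(context.getResources(), context.getPackageName(), src);
        if (resId == 0) {
            throw new IllegalArgumentException("Unrecognized certificates src: " + src);
        }
        return new CertSource(Kind.RESOURCE, resId);
    }

    /**
     * Turn "@raw/certificate" or "@2131558400" into a resource ID.
     * Returns 0 when neither spelling matches or the named raw resource does not exist
     * (Resources.getIdentifier returns 0 for an unknown name).
     */
    static int parseResourceReference(Resources res, String packageName, String src) {
        if (!src.startsWith("@")) return 0;
        String body = src.substring(1);
        if (body.startsWith("raw/")) {
            return res.getIdentifier(body.substring("raw/".length()), "raw", packageName);
        }
        try {
            return Integer.parseInt(body); // aapt's "@<decimal id>" form
        } catch (NumberFormatException e) {
            return 0;
        }
    }

    /** Load every X.509 certificate (PEM bundle or single DER) from the referenced raw resource. */
    public static List<Certificate> loadCertificates(Context context, CertSource source)
            throws CertificateException, IOException {
        if (source.kind != Kind.RESOURCE) {
            throw new IllegalArgumentException("Only resource-backed sources are loaded here");
        }
        try (InputStream in = context.getResources().openRawResource(source.resId)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return new ArrayList<>(certs);
        }
    }
}
```

Two caveats for anyone wiring this into their own debug-override handling. `getAttributeResourceValue` only yields an ID for compiled resource XML; on a parser built over a plain string or asset, it falls through to the string branch, which is why both spellings are accepted there. And whatever resolves the reference should still be applied only when the application is debuggable, as the platform does for `<debug-overrides>` trust anchors: a debug CA that is honored unconditionally turns the pinning configuration into a bypass in release builds.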

jobot0 commented 4 years ago

Hey @JulienNevo, I've made some changes in https://github.com/datatheorem/TrustKit-Android/pull/61. Do those fix your issue?

JulienNevo commented 4 years ago

Yes this works great, thanks a lot!