Export from Google3

README.md

@@ -1,83 +1,3 @@
-# Evolving Conscrypt's Open Source Approach
-
-Hello Conscrypt Developers,
-
-We're refining our **open source strategy for Conscrypt** to ensure its long-term health and sustainability. To optimize our development efforts and focus resources, we are making some changes to how Conscrypt is developed and how we handle contributions. The primary development of Conscrypt will now be done internally at Google. While we value community input, we will no longer be able to accept external contributions in the form of pull requests on the GitHub repository. This change allows us to better allocate resources to core development and ensure the project's long-term sustainability. To ensure transparency and continued access for the community, we will:
-
-*   **Continue Mirroring to GitHub:** All internal changes will be regularly mirrored to the public GitHub repository. Note that mirroring to GitHub might be paused for a short period of time during the transition to internal development.
-*   **Maintain Bug Reporting Channels:** Please keep reporting bugs through GitHub Issues. For Android-specific bugs, the Android Issue Tracker is the place to go: [Report Bugs](https://source.android.com/docs/setup/contribute/report-bugs).
-
-### What’s staying the same
-
-The platform version of Conscrypt receives regular updates, including the latest features and security patches, through the Google Play system updates program (Project Mainline). This means that even devices running older Android versions can benefit from the most recent Conscrypt improvements without requiring a full OS update.
-
-### What’s changing
-
-As part of this shift, we will no longer be able to accept external pull requests on GitHub.
-
-### What do you need to do
-
-*   Immediately, nothing.
-*   For Android developers, we recommend leveraging the Conscrypt version built into the Android platform, which is also the default provider.
-
-We appreciate the Conscrypt community and look forward to continuing to offer a secure and efficient security provider.
-
-## Guidance for Android App Developers:
-
-Most Android devices include Conscrypt as a core part of the platform's security providers. The Java Cryptography Architecture (JCA) framework allows for multiple security providers, and the system selects one when you request a cryptographic algorithm implementation (like Cipher, SSLContext, MessageDigest, etc.).
-
-### Using the Platform Version (Recommended):
-
-To use the platform-provided Conscrypt, you generally don't need to do anything specific. When requesting an algorithm, omit the provider name. The Android system will automatically select the highest-priority provider that offers the requested algorithm, which is typically the built-in Conscrypt.
-
-*Example (Java):*
-
-```java
-import javax.net.ssl.SSLContext;
-import java.security.Security;
-import java.security.Provider;
-
-try {
-    // Get an SSLContext instance using the default highest-priority provider
-    SSLContext sslContext = SSLContext.getInstance("TLS");
-    // Initialize and use sslContext
-
-    // Example: Listing providers to see what's available
-    // Provider[] providers = Security.getProviders();
-    // for (Provider provider : providers) {
-    //     System.out.println("Provider: " + provider.getName());
-    // }
-} catch (NoSuchAlgorithmException e) {
-    // Handle exception
-    e.printStackTrace();
-}
-```
-
-*Example (Kotlin):*
-
-```kotlin
-import javax.net.ssl.SSLContext
-import java.security.Security
-import java.security.Provider
-
-try {
-    // Get an SSLContext instance using the default highest-priority provider
-    val sslContext = SSLContext.getInstance("TLS")
-    // Initialize and use sslContext
-
-    // Example: Listing providers to see what's available
-    // val providers = Security.getProviders()
-    // providers.forEach { provider ->
-    //     println("Provider: ${provider.name}")
-    // }
-} catch (e: NoSuchAlgorithmException) {
-    // Handle exception
-    e.printStackTrace()
-}
-```
-
-By *not* specifying a provider name in getInstance() calls, you rely on the Android system's default provider order, ensuring you use the up-to-date and maintained version of Conscrypt that is part of the Android platform.
-
 Conscrypt - A Java Security Provider
 ========================================
 

android/src/main/java/org/conscrypt/ConscryptNetworkSecurityPolicy.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2025 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.conscrypt;
+
+import org.conscrypt.metrics.CertificateTransparencyVerificationReason;
+
+/**
+ * A default NetworkSecurityPolicy for unbundled Android.
+ */
+@Internal
+public class ConscryptNetworkSecurityPolicy implements NetworkSecurityPolicy {
+    public static ConscryptNetworkSecurityPolicy getDefault() {
+        return new ConscryptNetworkSecurityPolicy();
+    }
+
+    @Override
+    public boolean isCertificateTransparencyVerificationRequired(String hostname) {
+        return false;
+    }
+
+    @Override
+    public CertificateTransparencyVerificationReason getCertificateTransparencyVerificationReason(
+            String hostname) {
+        return CertificateTransparencyVerificationReason.UNKNOWN;
+    }
+
+    @Override
+    public DomainEncryptionMode getDomainEncryptionMode(String hostname) {
+        return DomainEncryptionMode.UNKNOWN;
+    }
+}

android/src/main/java/org/conscrypt/Platform.java

@@ -59,11 +59,13 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
+import java.util.function.Supplier;
 
 import javax.net.ssl.SNIHostName;
 import javax.net.ssl.SNIMatcher;
 import javax.net.ssl.SNIServerName;
 import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocketFactory;
@@ -859,59 +861,8 @@ static boolean supportsX509ExtendedTrustManager() {
         return Build.VERSION.SDK_INT > 23;
     }
 
-    /**
-     * Check if SCT verification is required for a given hostname.
-     *
-     * SCT Verification is enabled using {@code Security} properties.
-     * The "conscrypt.ct.enable" property must be true, as well as a per domain property.
-     * The reverse notation of the domain name, prefixed with "conscrypt.ct.enforce."
-     * is used as the property name.
-     * Basic globbing is also supported.
-     *
-     * For example, for the domain foo.bar.com, the following properties will be
-     * looked up, in order of precedence.
-     * - conscrypt.ct.enforce.com.bar.foo
-     * - conscrypt.ct.enforce.com.bar.*
-     * - conscrypt.ct.enforce.com.*
-     * - conscrypt.ct.enforce.*
-     */
-    public static boolean isCTVerificationRequired(String hostname) {
-        if (hostname == null) {
-            return false;
-        }
-        // TODO: Use the platform version on platforms that support it
-
-        String property = Security.getProperty("conscrypt.ct.enable");
-        if (property == null || !Boolean.parseBoolean(property)) {
-            return false;
-        }
-
-        List<String> parts = Arrays.asList(hostname.split("\\."));
-        Collections.reverse(parts);
-
-        boolean enable = false;
-        String propertyName = "conscrypt.ct.enforce";
-        // The loop keeps going on even once we've found a match
-        // This allows for finer grained settings on subdomains
-        for (String part : parts) {
-            property = Security.getProperty(propertyName + ".*");
-            if (property != null) {
-                enable = Boolean.parseBoolean(property);
-            }
-
-            propertyName = propertyName + "." + part;
-        }
-
-        property = Security.getProperty(propertyName);
-        if (property != null) {
-            enable = Boolean.parseBoolean(property);
-        }
-        return enable;
-    }
-
-    public static CertificateTransparencyVerificationReason reasonCTVerificationRequired(
-            String hostname) {
-        return CertificateTransparencyVerificationReason.UNKNOWN;
+    static SSLException wrapInvalidEchDataException(SSLException e) {
+        return e;
     }
 
     static boolean supportsConscryptCertStore() {
@@ -940,7 +891,8 @@ static CertBlocklist newDefaultBlocklist() {
         return null;
     }
 
-    static CertificateTransparency newDefaultCertificateTransparency() {
+    static CertificateTransparency newDefaultCertificateTransparency(
+            Supplier<NetworkSecurityPolicy> policySupplier) {
         return null;
     }
 

common/src/jni/main/cpp/conscrypt/compatibility_close_monitor.cc

@@ -43,7 +43,8 @@ void CompatibilityCloseMonitor::init() {
         return;
     }
 #ifdef CONSCRYPT_UNBUNDLED
-    // Only attempt to initialise the legacy C++ API if the C API symbols were not found.
+    // Only attempt to initialise the legacy C++ API if the C API symbols were not
+    // found.
     lib = dlopen("libjavacore.so", RTLD_NOW);
     if (lib != nullptr) {
         if (asyncCloseMonitorCreate == nullptr) {

common/src/jni/main/cpp/conscrypt/jniload.cc

@@ -41,15 +41,17 @@ jint libconscrypt_JNI_OnLoad(JavaVM* vm, void*) {
     // Register all of the native JNI methods.
     NativeCrypto::registerNativeMethods(env);
 
-    // Perform static initialization of the close monitor (if required on this platform).
+    // Perform static initialization of the close monitor (if required on this
+    // platform).
     CompatibilityCloseMonitor::init();
     return CONSCRYPT_JNI_VERSION;
 }
 
 #ifdef STATIC_LIB
 
-// A version of OnLoad called when the Conscrypt library has been statically linked to the JVM (For
-// Java >= 1.8). The manner in which the library is statically linked is implementation specific.
+// A version of OnLoad called when the Conscrypt library has been statically
+// linked to the JVM (For Java >= 1.8). The manner in which the library is
+// statically linked is implementation specific.
 //
 // See http://openjdk.java.net/jeps/178
 CONSCRYPT_PUBLIC jint JNI_OnLoad_conscrypt(JavaVM* vm, void* reserved) {

common/src/jni/main/cpp/conscrypt/jniutil.cc

@@ -93,7 +93,10 @@ void init(JavaVM* vm, JNIEnv* env) {
     openSslInputStreamClass = getGlobalRefToClass(
             env, TO_STRING(JNI_JARJAR_PREFIX) "org/conscrypt/OpenSSLBIOInputStream");
     sslHandshakeCallbacksClass = getGlobalRefToClass(
-            env, TO_STRING(JNI_JARJAR_PREFIX) "org/conscrypt/NativeCrypto$SSLHandshakeCallbacks");
+      env,
+      TO_STRING(
+          JNI_JARJAR_PREFIX) "org/conscrypt/"
+                             "NativeCrypto$SSLHandshakeCallbacks");
 
     nativeRef_address = getFieldRef(env, nativeRefClass, "address", "J");
 #if defined(ANDROID) && !defined(CONSCRYPT_OPENJDK)
@@ -119,7 +122,7 @@ void init(JavaVM* vm, JNIEnv* env) {
     sslHandshakeCallbacks_clientCertificateRequested = getMethodRef(
             env, sslHandshakeCallbacksClass, "clientCertificateRequested", "([B[I[[B)V");
     sslHandshakeCallbacks_serverCertificateRequested =
-            getMethodRef(env, sslHandshakeCallbacksClass, "serverCertificateRequested", "()V");
+            getMethodRef(env, sslHandshakeCallbacksClass, "serverCertificateRequested", "([I)V");
     sslHandshakeCallbacks_clientPSKKeyRequested = getMethodRef(
             env, sslHandshakeCallbacksClass, "clientPSKKeyRequested", "(Ljava/lang/String;[B[B)I");
     sslHandshakeCallbacks_serverPSKKeyRequested =
@@ -178,8 +181,8 @@ int jniGetFDFromFileDescriptor(JNIEnv* env, jobject fileDescriptor) {
 }
 
 extern bool isDirectByteBufferInstance(JNIEnv* env, jobject buffer) {
-    // Some versions of ART do not check the buffer validity when handling GetDirectBufferAddress()
-    // and GetDirectBufferCapacity().
+    // Some versions of ART do not check the buffer validity when handling
+    // GetDirectBufferAddress() and GetDirectBufferCapacity().
     if (buffer == nullptr) {
         return false;
     }
@@ -191,7 +194,8 @@ extern bool isDirectByteBufferInstance(JNIEnv* env, jobject buffer) {
 
 bool isGetByteArrayElementsLikelyToReturnACopy(size_t size) {
 #if defined(ANDROID) && !defined(CONSCRYPT_OPENJDK)
-    // ART's GetByteArrayElements creates copies only for arrays smaller than 12 kB.
+    // ART's GetByteArrayElements creates copies only for arrays smaller than 12
+    // kB.
     return size <= 12 * 1024;
 #else
     (void)size;
@@ -447,8 +451,9 @@ void throwExceptionFromBoringSSLError(JNIEnv* env, CONSCRYPT_UNUSED const char*
         return;
     }
 
-    // If there's an error from BoringSSL it may have been caused by an exception in Java code, so
-    // ensure there isn't a pending exception before we throw a new one.
+    // If there's an error from BoringSSL it may have been caused by an exception
+    // in Java code, so ensure there isn't a pending exception before we throw a
+    // new one.
     if (!env->ExceptionCheck()) {
         char message[256];
         ERR_error_string_n(error, message, sizeof(message));