google · miguelaranda0 · Mar 18, 2026
diff --git a/android/src/main/java/org/conscrypt/ConscryptNetworkSecurityPolicy.java b/android/src/main/java/org/conscrypt/ConscryptNetworkSecurityPolicy.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2025 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.conscrypt;
+
+import org.conscrypt.metrics.CertificateTransparencyVerificationReason;
+
+/**
+ * A default NetworkSecurityPolicy for unbundled Android.
+ */
+@Internal
+public class ConscryptNetworkSecurityPolicy implements NetworkSecurityPolicy {
+    public static ConscryptNetworkSecurityPolicy getDefault() {
+        return new ConscryptNetworkSecurityPolicy();
+    }
+
+    @Override
+    public boolean isCertificateTransparencyVerificationRequired(String hostname) {
+        return false;
+    }
+
+    @Override
+    public CertificateTransparencyVerificationReason getCertificateTransparencyVerificationReason(
+            String hostname) {
+        return CertificateTransparencyVerificationReason.UNKNOWN;
+    }
+
+    @Override
+    public DomainEncryptionMode getDomainEncryptionMode(String hostname) {
+        return DomainEncryptionMode.UNKNOWN;
+    }
+}
diff --git a/android/src/main/java/org/conscrypt/Platform.java b/android/src/main/java/org/conscrypt/Platform.java
@@ -59,11 +59,13 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
+import java.util.function.Supplier;
 
 import javax.net.ssl.SNIHostName;
 import javax.net.ssl.SNIMatcher;
 import javax.net.ssl.SNIServerName;
 import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocketFactory;
@@ -859,59 +861,8 @@ static boolean supportsX509ExtendedTrustManager() {
         return Build.VERSION.SDK_INT > 23;
     }
 
-    /**
-     * Check if SCT verification is required for a given hostname.
-     *
-     * SCT Verification is enabled using {@code Security} properties.
-     * The "conscrypt.ct.enable" property must be true, as well as a per domain property.
-     * The reverse notation of the domain name, prefixed with "conscrypt.ct.enforce."
-     * is used as the property name.
-     * Basic globbing is also supported.
-     *
-     * For example, for the domain foo.bar.com, the following properties will be
-     * looked up, in order of precedence.
-     * - conscrypt.ct.enforce.com.bar.foo
-     * - conscrypt.ct.enforce.com.bar.*
-     * - conscrypt.ct.enforce.com.*
-     * - conscrypt.ct.enforce.*
-     */
-    public static boolean isCTVerificationRequired(String hostname) {
-        if (hostname == null) {
-            return false;
-        }
-        // TODO: Use the platform version on platforms that support it
-
-        String property = Security.getProperty("conscrypt.ct.enable");
-        if (property == null || !Boolean.parseBoolean(property)) {
-            return false;
-        }
-
-        List<String> parts = Arrays.asList(hostname.split("\\."));
-        Collections.reverse(parts);
-
-        boolean enable = false;
-        String propertyName = "conscrypt.ct.enforce";
-        // The loop keeps going on even once we've found a match
-        // This allows for finer grained settings on subdomains
-        for (String part : parts) {
-            property = Security.getProperty(propertyName + ".*");
-            if (property != null) {
-                enable = Boolean.parseBoolean(property);
-            }
-
-            propertyName = propertyName + "." + part;
-        }
-
-        property = Security.getProperty(propertyName);
-        if (property != null) {
-            enable = Boolean.parseBoolean(property);
-        }
-        return enable;
-    }
-
-    public static CertificateTransparencyVerificationReason reasonCTVerificationRequired(
-            String hostname) {
-        return CertificateTransparencyVerificationReason.UNKNOWN;
+    static SSLException wrapInvalidEchDataException(SSLException e) {
+        return e;
     }
 
     static boolean supportsConscryptCertStore() {
@@ -940,7 +891,8 @@ static CertBlocklist newDefaultBlocklist() {
         return null;
     }
 
-    static CertificateTransparency newDefaultCertificateTransparency() {
+    static CertificateTransparency newDefaultCertificateTransparency(
+            Supplier<NetworkSecurityPolicy> policySupplier) {
         return null;
     }
 

diff --git a/common/src/jni/main/cpp/conscrypt/compatibility_close_monitor.cc b/common/src/jni/main/cpp/conscrypt/compatibility_close_monitor.cc
@@ -43,7 +43,8 @@ void CompatibilityCloseMonitor::init() {
         return;
     }
 #ifdef CONSCRYPT_UNBUNDLED
-    // Only attempt to initialise the legacy C++ API if the C API symbols were not found.
+    // Only attempt to initialise the legacy C++ API if the C API symbols were not
+    // found.
     lib = dlopen("libjavacore.so", RTLD_NOW);
     if (lib != nullptr) {
         if (asyncCloseMonitorCreate == nullptr) {

diff --git a/common/src/jni/main/cpp/conscrypt/jniload.cc b/common/src/jni/main/cpp/conscrypt/jniload.cc
@@ -41,15 +41,17 @@ jint libconscrypt_JNI_OnLoad(JavaVM* vm, void*) {
     // Register all of the native JNI methods.
     NativeCrypto::registerNativeMethods(env);
 
-    // Perform static initialization of the close monitor (if required on this platform).
+    // Perform static initialization of the close monitor (if required on this
+    // platform).
     CompatibilityCloseMonitor::init();
     return CONSCRYPT_JNI_VERSION;
 }
 
 #ifdef STATIC_LIB
 
-// A version of OnLoad called when the Conscrypt library has been statically linked to the JVM (For
-// Java >= 1.8). The manner in which the library is statically linked is implementation specific.
+// A version of OnLoad called when the Conscrypt library has been statically
+// linked to the JVM (For Java >= 1.8). The manner in which the library is
+// statically linked is implementation specific.
 //
 // See http://openjdk.java.net/jeps/178
 CONSCRYPT_PUBLIC jint JNI_OnLoad_conscrypt(JavaVM* vm, void* reserved) {

diff --git a/common/src/jni/main/cpp/conscrypt/jniutil.cc b/common/src/jni/main/cpp/conscrypt/jniutil.cc
@@ -93,7 +93,10 @@ void init(JavaVM* vm, JNIEnv* env) {
     openSslInputStreamClass = getGlobalRefToClass(
             env, TO_STRING(JNI_JARJAR_PREFIX) "org/conscrypt/OpenSSLBIOInputStream");
     sslHandshakeCallbacksClass = getGlobalRefToClass(
-            env, TO_STRING(JNI_JARJAR_PREFIX) "org/conscrypt/NativeCrypto$SSLHandshakeCallbacks");
+      env,
+      TO_STRING(
+          JNI_JARJAR_PREFIX) "org/conscrypt/"
+                             "NativeCrypto$SSLHandshakeCallbacks");
 
     nativeRef_address = getFieldRef(env, nativeRefClass, "address", "J");
 #if defined(ANDROID) && !defined(CONSCRYPT_OPENJDK)
@@ -119,7 +122,7 @@ void init(JavaVM* vm, JNIEnv* env) {
     sslHandshakeCallbacks_clientCertificateRequested = getMethodRef(
             env, sslHandshakeCallbacksClass, "clientCertificateRequested", "([B[I[[B)V");
     sslHandshakeCallbacks_serverCertificateRequested =
-            getMethodRef(env, sslHandshakeCallbacksClass, "serverCertificateRequested", "()V");
+            getMethodRef(env, sslHandshakeCallbacksClass, "serverCertificateRequested", "([I)V");
     sslHandshakeCallbacks_clientPSKKeyRequested = getMethodRef(
             env, sslHandshakeCallbacksClass, "clientPSKKeyRequested", "(Ljava/lang/String;[B[B)I");
     sslHandshakeCallbacks_serverPSKKeyRequested =
@@ -178,8 +181,8 @@ int jniGetFDFromFileDescriptor(JNIEnv* env, jobject fileDescriptor) {
 }
 
 extern bool isDirectByteBufferInstance(JNIEnv* env, jobject buffer) {
-    // Some versions of ART do not check the buffer validity when handling GetDirectBufferAddress()
-    // and GetDirectBufferCapacity().
+    // Some versions of ART do not check the buffer validity when handling
+    // GetDirectBufferAddress() and GetDirectBufferCapacity().
     if (buffer == nullptr) {
         return false;
     }
@@ -191,7 +194,8 @@ extern bool isDirectByteBufferInstance(JNIEnv* env, jobject buffer) {
 
 bool isGetByteArrayElementsLikelyToReturnACopy(size_t size) {
 #if defined(ANDROID) && !defined(CONSCRYPT_OPENJDK)
-    // ART's GetByteArrayElements creates copies only for arrays smaller than 12 kB.
+    // ART's GetByteArrayElements creates copies only for arrays smaller than 12
+    // kB.
     return size <= 12 * 1024;
 #else
     (void)size;
@@ -447,8 +451,9 @@ void throwExceptionFromBoringSSLError(JNIEnv* env, CONSCRYPT_UNUSED const char*
         return;
     }
 
-    // If there's an error from BoringSSL it may have been caused by an exception in Java code, so
-    // ensure there isn't a pending exception before we throw a new one.
+    // If there's an error from BoringSSL it may have been caused by an exception
+    // in Java code, so ensure there isn't a pending exception before we throw a
+    // new one.
     if (!env->ExceptionCheck()) {
         char message[256];
         ERR_error_string_n(error, message, sizeof(message));