/**
 * A trust manager which implements path, hostname and pinning validation for a given hostname
 * and sends pinning failure reports if validation failed.
 *
 * Before Android N, the PinningTrustManager implements pinning validation itself. On Android
 * N and later the OS' implementation is used instead for pinning validation.
 *
 * @param serverHostname: The hostname of the server whose identity is being validated. It will
 *                      be validated against the name(s) the leaf certificate was issued for
 *                      when performing hostname validation.
 * @param serverConfig: The pinning policy to be enforced when doing pinning validation.
 * @param baselineTrustManager: The trust manager to use for path validation.
 */
public PinningTrustManager(@NonNull String serverHostname,
                           @NonNull DomainPinningPolicy serverConfig,
                           @NonNull X509TrustManager baselineTrustManager) {
    // Store server's information
    this.serverHostname = serverHostname;
    this.serverConfig = serverConfig;

    if (Build.VERSION.SDK_INT < 17) {
        // No pinning validation at all for API level < 17
        // Because X509TrustManagerExtensions is not available
        this.baselineTrustManager = null;
    } else {
        // We use the default trust manager so we can perform regular SSL validation and we wrap
        // it in the Android-specific X509TrustManagerExtensions, which provides an API to
        // compute the cleaned/verified server certificate chain that we eventually need for
        // pinning validation. Also the X509TrustManagerExtensions provides a
        // checkServerTrusted() where the hostname can be supplied, allowing it to call the
        // (system) RootTrustManager on Android N
        this.baselineTrustManager = new X509TrustManagerExtensions(baselineTrustManager);
    }
}
 

@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    String host = mServerHostname.get();
    DomainPinningPolicy serverConfig =
            TrustKit.getInstance().getConfiguration().getPolicyForHostname(host);
    X509TrustManager trustManager = TrustKit.getInstance().getTrustManager(host);

    //The first check is needed for compatibility with the Platform default's implementation of
    //the Trust Manager. For APIs 24 and greater, the Platform's default TrustManager states
    //that it requires usage of the hostname-aware version of checkServerTrusted for app's that
    //implement Android's network_security_config file. The 2nd check is to allow usage of the
    //X509TrustManagerExtensions class. Any API below will default to the baseline trust manager.
    if (serverConfig == null && Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
        new X509TrustManagerExtensions(trustManager).checkServerTrusted(chain, authType, host);
    } else {
        trustManager.checkServerTrusted(chain, authType);
    }
}
 

@SuppressLint("NewApi")
public X509TrustManagerJellyBean(X509TrustManager trustManager) {
    mTrustManagerExtensions = new X509TrustManagerExtensions(trustManager);
}
 

@SuppressLint("NewApi")
public X509TrustManagerJellyBean(X509TrustManager trustManager) {
    mTrustManagerExtensions = new X509TrustManagerExtensions(trustManager);
}