dotnet · jonathanpeppers · Apr 29, 2022 · Jan 24, 2022 · Jan 24, 2022 · Jan 25, 2022
diff --git a/Xamarin.Android-Tests.sln b/Xamarin.Android-Tests.sln
@@ -94,6 +94,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Xamarin.Android.Tools.Aidl-
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Xamarin.Android.Tools.Aidl", "src\Xamarin.Android.Tools.Aidl\Xamarin.Android.Tools.Aidl.csproj", "{302D9D2E-1F98-4374-9B6B-922F78620C4B}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Xamarin.Android.Net.Tests", "tests\Xamarin.Android.Net-Tests\Xamarin.Android.Net-Tests.csproj", "{629E079E-D898-4C71-ACB9-B4F58C22B892}"
+EndProject
 Global
 	GlobalSection(SharedMSBuildProjectFiles) = preSolution
 		tests\Mono.Android-Tests\Mono.Android-Test.Shared.projitems*{0ab4956e-6fb9-4da0-9d49-ab65a3ff403a}*SharedItemsImports = 13

diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml
@@ -479,6 +479,15 @@ stages:
         artifactSource: bin/Test$(ApkTestConfiguration)/Xamarin.Android.EmbeddedDSO_Test-Signed.apk
         artifactFolder: Default
 
+    - template: yaml-templates/apk-instrumentation.yaml
+      parameters:
+        configuration: $(ApkTestConfiguration)
+        testName: Xamarin.Android.Net-Tests
+        project: tests/Xamarin.Android.Net-Tests/Xamarin.Android.Net-Tests.csproj
+        testResultsFiles: TestResult-Xamarin.Android.Net_Tests.nunit-$(ApkTestConfiguration).xml
+        artifactSource: bin/Test$(ApkTestConfiguration)/Xamarin.Android.Net_Tests-Signed.apk
+        artifactFolder: Default
+
     - template: yaml-templates/apk-instrumentation.yaml
       parameters:
         configuration: $(ApkTestConfiguration)

diff --git a/build-tools/scripts/RunTests.targets b/build-tools/scripts/RunTests.targets
@@ -26,6 +26,7 @@
     <_ApkTestProject Include="$(_TopDir)\tests\EmbeddedDSOs\EmbeddedDSO\EmbeddedDSO.csproj" />
     <_ApkTestProject Include="$(_TopDir)\tests\Mono.Android-Tests\Runtime-AppBundle\Mono.Android-TestsAppBundle.csproj" />
     <_ApkTestProject Include="$(_TopDir)\tests\Mono.Android-Tests\Runtime-MultiDex\Mono.Android-TestsMultiDex.csproj" />
+    <_ApkTestProject Include="$(_TopDir)\tests\Xamarin.Android.Net-Tests\Xamarin.Android.Net-Tests.csproj" />
     <_ApkTestProjectAot Include="$(_TopDir)\tests\Mono.Android-Tests\Mono.Android-Tests.csproj" />
     <_ApkTestProjectAot Include="$(_TopDir)\tests\locales\Xamarin.Android.Locale-Tests\Xamarin.Android.Locale-Tests.csproj" />
     <_ApkTestProjectAot Include="$(_TopDir)\tests\Xamarin.Forms-Performance-Integration\Droid\Xamarin.Forms.Performance.Integration.Droid.csproj" />

@@ -367,6 +367,7 @@
     <Compile Include="Xamarin.Android.Net\AuthModuleBasic.cs" />
     <Compile Include="Xamarin.Android.Net\AuthModuleDigest.cs" />
     <Compile Include="Xamarin.Android.Net\IAndroidAuthenticationModule.cs" />
+    <Compile Include="Xamarin.Android.Net\X509TrustManagerWithValidationCallback.cs" />
     <Compile Condition=" '$(TargetFramework)' == 'monoandroid10' " Include="Xamarin.Android.Net\OldAndroidSSLSocketFactory.cs" />
   </ItemGroup>
 

diff --git a/src/Mono.Android/Xamarin.Android.Net/AndroidClientHandler.Legacy.cs b/src/Mono.Android/Xamarin.Android.Net/AndroidClientHandler.Legacy.cs
@@ -838,7 +838,7 @@ void AppendEncoding (string encoding, ref List <string>? list)
 
 			// SSL context must be set up as soon as possible, before adding any content or
 			// headers. Otherwise Java won't use the socket factory
-			SetupSSL (httpConnection as HttpsURLConnection);
+			SetupSSL (httpConnection as HttpsURLConnection, request);
 			if (request.Content != null)
 				AddHeaders (httpConnection, request.Content.Headers);
 			AddHeaders (httpConnection, request.Headers);
@@ -893,7 +893,7 @@ void AppendEncoding (string encoding, ref List <string>? list)
 			return null;
 		}
 
-		void SetupSSL (HttpsURLConnection? httpsConnection)
+		void SetupSSL (HttpsURLConnection? httpsConnection, HttpRequestMessage requestMessage)
 		{
 			if (httpsConnection == null)
 				return;
@@ -911,37 +911,49 @@ void SetupSSL (HttpsURLConnection? httpsConnection)
 				return;
 			}
 
-			var keyStore = KeyStore.GetInstance (KeyStore.DefaultType);
-			keyStore?.Load (null, null);
-			bool gotCerts = TrustedCerts?.Count > 0;
-			if (gotCerts) {
-				for (int i = 0; i < TrustedCerts!.Count; i++) {
-					Certificate cert = TrustedCerts [i];
-					if (cert == null)
-						continue;
-					keyStore?.SetCertificateEntry ($"ca{i}", cert);
-				}
-			}
+			var keyStore = InitializeKeyStore (out bool gotCerts);
 			keyStore = ConfigureKeyStore (keyStore);
 			var kmf = ConfigureKeyManagerFactory (keyStore);
 			var tmf = ConfigureTrustManagerFactory (keyStore);
 
 			if (tmf == null) {
-				// If there are no certs and no trust manager factory, we can't use a custom manager
-				// because it will cause all the HTTPS requests to fail because of unverified trust
-				// chain
-				if (!gotCerts)
+				// If there are no trusted certs, no custom trust manager factory or custom certificate validation callback
+				// there is no point in changing the behavior of the default SSL socket factory
+				if (!gotCerts && ServerCertificateCustomValidationCallback == null)
 					return;
-				
+
 				tmf = TrustManagerFactory.GetInstance (TrustManagerFactory.DefaultAlgorithm);
-				tmf?.Init (keyStore);
+				tmf?.Init (gotCerts ? keyStore : null); // only use the custom key store if the user defined any trusted certs
 			}
 
+			ITrustManager[]? trustManagers =
+				ServerCertificateCustomValidationCallback == null
+					? tmf?.GetTrustManagers ()
+					: X509TrustManagerWithValidationCallback.Inject(tmf?.GetTrustManagers (), requestMessage, ServerCertificateCustomValidationCallback);
+
 			var context = SSLContext.GetInstance ("TLS");
-			context?.Init (kmf?.GetKeyManagers (), tmf?.GetTrustManagers (), null);
+			context?.Init (kmf?.GetKeyManagers (), trustManagers, null);
 			httpsConnection.SSLSocketFactory = context?.SocketFactory;
 		}
-
+
+		KeyStore? InitializeKeyStore (out bool gotCerts)
+		{
+			var keyStore = KeyStore.GetInstance (KeyStore.DefaultType);
+			keyStore?.Load (null, null);
+			gotCerts = TrustedCerts?.Count > 0;
+
+			if (gotCerts) {
+				for (int i = 0; i < TrustedCerts!.Count; i++) {
+					Certificate cert = TrustedCerts [i];
+					if (cert == null)
+						continue;
+					keyStore?.SetCertificateEntry ($"ca{i}", cert);
+				}
+			}
+
+			return keyStore;
+		}
+
 		void HandlePreAuthentication (HttpURLConnection httpConnection)
 		{
 			var data = PreAuthenticationData;

@@ -157,7 +157,7 @@ public CookieContainer CookieContainer
 
 		public bool CheckCertificateRevocationList { get; set; } = false;
 
-		public Func<HttpRequestMessage, X509Certificate2, X509Chain, SslPolicyErrors, bool> ServerCertificateCustomValidationCallback { get; set; }
+		public Func<HttpRequestMessage, X509Certificate2?, X509Chain?, SslPolicyErrors, bool>? ServerCertificateCustomValidationCallback { get; set; }
 
 		// See: https://developer.android.com/reference/javax/net/ssl/SSLSocket#protocols
 		public SslProtocols SslProtocols { get; set; } =
@@ -194,12 +194,12 @@ public int MaxAutomaticRedirections
 		/// </summary>
 		/// <value>The pre authentication data.</value>
 		public AuthenticationData? PreAuthenticationData { get; set; }
-		
+
 		/// <summary>
 		/// If the website requires authentication, this property will contain data about each scheme supported
 		/// by the server after the response. Note that unauthorized request will return a valid response - you
 		/// need to check the status code and and (re)configure AndroidMessageHandler instance accordingly by providing
-		/// both the credentials and the authentication scheme by setting the <see cref="PreAuthenticationData"/> 
+		/// both the credentials and the authentication scheme by setting the <see cref="PreAuthenticationData"/>
 		/// property. If AndroidMessageHandler is not able to detect the kind of authentication scheme it will store an
 		/// instance of <see cref="AuthenticationData"/> with its <see cref="AuthenticationData.Scheme"/> property
 		/// set to <c>AuthenticationScheme.Unsupported</c> and the application will be responsible for providing an
@@ -226,12 +226,12 @@ public bool RequestNeedsAuthorization {
 		/// <summary>
 		/// <para>
 		/// If the request is to the server protected with a self-signed (or otherwise untrusted) SSL certificate, the request will
-		/// fail security chain verification unless the application provides either the CA certificate of the entity which issued the 
+		/// fail security chain verification unless the application provides either the CA certificate of the entity which issued the
 		/// server's certificate or, alternatively, provides the server public key. Whichever the case, the certificate(s) must be stored
 		/// in this property in order for AndroidMessageHandler to configure the request to accept the server certificate.</para>
-		/// <para>AndroidMessageHandler uses a custom <see cref="KeyStore"/> and <see cref="TrustManagerFactory"/> to configure the connection. 
+		/// <para>AndroidMessageHandler uses a custom <see cref="KeyStore"/> and <see cref="TrustManagerFactory"/> to configure the connection.
 		/// If, however, the application requires finer control over the SSL configuration (e.g. it implements its own TrustManager) then
-		/// it should leave this property empty and instead derive a custom class from AndroidMessageHandler and override, as needed, the 
+		/// it should leave this property empty and instead derive a custom class from AndroidMessageHandler and override, as needed, the
 		/// <see cref="ConfigureTrustManagerFactory"/>, <see cref="ConfigureKeyManagerFactory"/> and <see cref="ConfigureKeyStore"/> methods
 		/// instead</para>
 		/// </summary>
@@ -328,7 +328,7 @@ string EncodeUrl (Uri url)
 			AssertSelf ();
 			if (request == null)
 				throw new ArgumentNullException (nameof (request));
-			
+
 			if (!request.RequestUri.IsAbsoluteUri)
 				throw new ArgumentException ("Must represent an absolute URI", "request");
 
@@ -625,7 +625,7 @@ internal Task WriteRequestContentToOutputInternal (HttpRequestMessage request, H
 			return ret;
 		}
 
-		HttpContent GetErrorContent (HttpURLConnection httpConnection, HttpContent fallbackContent) 
+		HttpContent GetErrorContent (HttpURLConnection httpConnection, HttpContent fallbackContent)
 		{
 			var contentStream = httpConnection.ErrorStream;
 
@@ -788,7 +788,7 @@ void CollectAuthInfo (HttpHeaderValueCollection <AuthenticationHeaderValue> head
 
 			RequestedAuthentication = authData.AsReadOnly ();
 		}
-		
+
 		AuthenticationScheme GetAuthScheme (string scheme)
 		{
 			if (String.Compare ("basic", scheme, StringComparison.OrdinalIgnoreCase) == 0)
@@ -843,7 +843,7 @@ void CopyHeaders (HttpURLConnection httpConnection, HttpResponseMessage response
 		/// <summary>
 		/// Configure the <see cref="HttpURLConnection"/> before the request is sent. This method is meant to be overriden
 		/// by applications which need to perform some extra configuration steps on the connection. It is called with all
-		/// the request headers set, pre-authentication performed (if applicable) but before the request body is set 
+		/// the request headers set, pre-authentication performed (if applicable) but before the request body is set
 		/// (e.g. for POST requests). The default implementation in AndroidMessageHandler does nothing.
 		/// </summary>
 		/// <param name="request">Request data</param>
@@ -897,9 +897,9 @@ internal Task SetupRequestInternal (HttpRequestMessage request, HttpURLConnectio
 		/// <summary>
 		/// Create and configure an instance of <see cref="TrustManagerFactory"/>. The <paramref name="keyStore"/> parameter is set to the
 		/// return value of the <see cref="ConfigureKeyStore"/> method, so it might be null if the application overrode the method and provided
-		/// no key store. It will not be <c>null</c> when the default implementation is used. The application can return <c>null</c> from this 
+		/// no key store. It will not be <c>null</c> when the default implementation is used. The application can return <c>null</c> from this
 		/// method in which case AndroidMessageHandler will create its own instance of the trust manager factory provided that the <see cref="TrustCerts"/>
-		/// list contains at least one valid certificate. If there are no valid certificates and this method returns <c>null</c>, no custom 
+		/// list contains at least one valid certificate. If there are no valid certificates and this method returns <c>null</c>, no custom
 		/// trust manager will be created since that would make all the HTTPS requests fail.
 		/// </summary>
 		/// <returns>The trust manager factory.</returns>
@@ -922,7 +922,7 @@ void AppendEncoding (string encoding, ref List <string>? list)
 				return;
 			list.Add (encoding);
 		}
-		
+
 		async Task <HttpURLConnection> SetupRequestInternal (HttpRequestMessage request, URLConnection conn)
 		{
 			if (conn == null)
@@ -939,19 +939,19 @@ void AppendEncoding (string encoding, ref List <string>? list)
 
 			// SSL context must be set up as soon as possible, before adding any content or
 			// headers. Otherwise Java won't use the socket factory
-			SetupSSL (httpConnection as HttpsURLConnection);
+			SetupSSL (httpConnection as HttpsURLConnection, request);
 			if (request.Content != null)
 				AddHeaders (httpConnection, request.Content.Headers);
 			AddHeaders (httpConnection, request.Headers);
-			
+
 			List <string>? accept_encoding = null;
 
 			decompress_here = false;
 			if ((AutomaticDecompression & DecompressionMethods.GZip) != 0) {
 				AppendEncoding (GZIP_ENCODING, ref accept_encoding);
 				decompress_here = true;
 			}
-			
+
 			if ((AutomaticDecompression & DecompressionMethods.Deflate) != 0) {
 				AppendEncoding (DEFLATE_ENCODING, ref accept_encoding);
 				decompress_here = true;
@@ -970,7 +970,7 @@ void AppendEncoding (string encoding, ref List <string>? list)
 				if (!String.IsNullOrEmpty (cookieHeaderValue))
 					httpConnection.SetRequestProperty ("Cookie", cookieHeaderValue);
 			}
-			
+
 			HandlePreAuthentication (httpConnection);
 			await SetupRequest (request, httpConnection).ConfigureAwait (continueOnCapturedContext: false);;
 			SetupRequestBody (httpConnection, request);
@@ -997,10 +997,11 @@ void AppendEncoding (string encoding, ref List <string>? list)
 		internal SSLSocketFactory? ConfigureCustomSSLSocketFactoryInternal (HttpsURLConnection connection)
 			=> ConfigureCustomSSLSocketFactoryInternal (connection);
 
-		void SetupSSL (HttpsURLConnection? httpsConnection)
+		void SetupSSL (HttpsURLConnection? httpsConnection, HttpRequestMessage requestMessage)
 		{
-			if (httpsConnection == null)
+			if (httpsConnection == null) {
 				return;
+			}
 
 			var socketFactory = ConfigureCustomSSLSocketFactory (httpsConnection);
 			if (socketFactory != null) {
@@ -1017,37 +1018,51 @@ void SetupSSL (HttpsURLConnection? httpsConnection)
 			}
 #endif
 
-			var keyStore = KeyStore.GetInstance (KeyStore.DefaultType);
-			keyStore?.Load (null, null);
-			bool gotCerts = TrustedCerts?.Count > 0;
-			if (gotCerts) {
-				for (int i = 0; i < TrustedCerts!.Count; i++) {
-					Certificate cert = TrustedCerts [i];
-					if (cert == null)
-						continue;
-					keyStore?.SetCertificateEntry ($"ca{i}", cert);
-				}
-			}
+			var keyStore = InitializeKeyStore (out bool gotCerts);
 			keyStore = ConfigureKeyStore (keyStore);
 			var kmf = ConfigureKeyManagerFactory (keyStore);
 			var tmf = ConfigureTrustManagerFactory (keyStore);
 
-			if (tmf == null) {
-				// If there are no certs and no trust manager factory, we can't use a custom manager
-				// because it will cause all the HTTPS requests to fail because of unverified trust
-				// chain
-				if (!gotCerts)
+			if (tmf == null)
+			{
+				// If there are no trusted certs, no custom trust manager factory or custom certificate validation callback
+				// there is no point in changing the behavior of the default SSL socket factory
+				if (!gotCerts && ServerCertificateCustomValidationCallback == null)
 					return;
-				
+
 				tmf = TrustManagerFactory.GetInstance (TrustManagerFactory.DefaultAlgorithm);
-				tmf?.Init (keyStore);
+				tmf?.Init (gotCerts ? keyStore : null); // only use the custom key store if the user defined any trusted certs
 			}
 
+			ITrustManager[]? trustManagers =
+				ServerCertificateCustomValidationCallback == null
+					? tmf?.GetTrustManagers ()
+					: X509TrustManagerWithValidationCallback.Inject(tmf?.GetTrustManagers (), requestMessage, ServerCertificateCustomValidationCallback);
+
 			var context = SSLContext.GetInstance ("TLS");
-			context?.Init (kmf?.GetKeyManagers (), tmf?.GetTrustManagers (), null);
+			context?.Init (kmf?.GetKeyManagers (), trustManagers, null);
 			httpsConnection.SSLSocketFactory = context?.SocketFactory;
+
+			KeyStore? InitializeKeyStore (out bool gotCerts)
+			{
+				var keyStore = KeyStore.GetInstance (KeyStore.DefaultType);
+				keyStore?.Load (null, null);
+				gotCerts = TrustedCerts?.Count > 0;
+
+				if (gotCerts) {
+					for (int i = 0; i < TrustedCerts!.Count; i++) {
+						Certificate cert = TrustedCerts [i];
+						if (cert == null)
+							continue;
+						keyStore?.SetCertificateEntry ($"ca{i}", cert);
+					}
+				}
+
+				return keyStore;
+			}
 		}
-
+
+
 		void HandlePreAuthentication (HttpURLConnection httpConnection)
 		{
 			var data = PreAuthenticationData;
@@ -1093,7 +1108,7 @@ void AddHeaders (HttpURLConnection conn, HttpHeaders headers)
 				conn.SetRequestProperty (header.Key, header.Value != null ? String.Join (GetHeaderSeparator (header.Key), header.Value) : String.Empty);
 			}
 		}
-		
+
 		void SetupRequestBody (HttpURLConnection httpConnection, HttpRequestMessage request)
 		{
 			if (request.Content == null) {
@@ -1116,4 +1131,4 @@ void SetupRequestBody (HttpURLConnection httpConnection, HttpRequestMessage requ
 		}
 	}
 
-}
+}