[Android] The CertificateVerifier class not included in the output apk

[neevek]

I followed the steps in the README to have added the rustls-platform-verifier module to my Android project, the rustls project and the rustls-platform-verifier module appear in the project view as expected. Then I tried ./gradlew assembleRelease from command line and directly build the project from inside Android Studio, all showed "BUILD SUCCESSFUL", but when I unzip the apk I can see all the class files from main project, but there's no org.rustls.platformverifier.CertificateVerifier class.

I don't know how the rustls-platform-verifier module can be picked up when building my main module, there seems no connection between the verifier module and my main module.

I tried adding the following in my app's build.gradle:

implementation project(path: ':rustls-platform-verifier')

Android Studio failed to build with:

Project with path ':rustls-platform-verifier' could not be found in project ':app'

[complexspaces]

Hi there @neevek, thanks for giving the project a try.

I don't know how the rustls-platform-verifier module can be picked up when building my main module, there seems no connection between the verifier module and my main module.

I think this is something I forgot in the current version of the README, sorry. Internally we used this to get it picked up by Gradle, let me know if this works for you:

implementation 'rustls:rustls-platform-verifier'

May I ask if you're using any proguard/optimization rules in your release builds as well? The verifier class appears entirely unused to optimization tools because no Java/Kotlin ever calls it, so its a prime candidate to get stripped without rules to allowlist it.

FWIW we're working on re-doing the way the Android component is built and distributed in #32, which should hopefully make things much simpler long-term.

[neevek]

Hi @complexspaces, thank you for the reply and for this great project.
Adding the implementation directive did the trick.

I am wondering if it is possible to do the verification directly from Rust through JNI, I mean without the org.rustls.platformverifier.CertificateVerifier class and the entire Android project, simply creating the Android X509TrustManager class with reflection through JNI calls, and do all the verification with reflection calls. Do you think this is possible?

[complexspaces]

Sorry the delay replying here. Its certainly possible to do purely through JNI but so far we haven't deemed it worthwhile because it would put a huge maintenance burden on that area of the code. The Kotlin code does a fair amount and trying to do all that through JNI would, AFAICT, result in a large mess of unsafe code thats hard to audit for correctness.

[cpu]

I think this can be closed, but if I'm mistaken and there is work to track here we can re-open.