domain-config without pin set results in ConfigurationException: Policy contains 0 domains to pin

[MaRuifeng]

Describe the bug
In the network_security_config.xml file, if there is a domain-config block without any pin set like below, an com.datatheorem.android.trustkit.config.ConfigurationException: Policy contains 0 domains to pin exception will be thrown upon app launch which causes the app to crash. I believe this results from the fix to #49 .

<domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">localhost</domain>
    <domain includeSubdomains="false">10.0.2.2</domain>
    <domain includeSubdomains="false">10.0.3.2</domain>
    <trustkit-config enforcePinning="false"/>
</domain-config>

Exception stack trace from logcat:

04-02 17:15:30.089 23250 23250 E AndroidRuntime: java.lang.RuntimeException: Unable to create application xxx.xxx.xxx.MainApplication: com.datatheorem.android.trustkit.config.ConfigurationException: Policy contains 0 domains to pin
04-02 17:15:30.089 23250 23250 E AndroidRuntime: 	at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5876)
04-02 17:15:30.089 23250 23250 E AndroidRuntime: 	at android.app.ActivityThread.access$1100(ActivityThread.java:199)
04-02 17:15:30.089 23250 23250 E AndroidRuntime: 	at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1650)
04-02 17:15:30.089 23250 23250 E AndroidRuntime: 	at android.os.Handler.dispatchMessage(Handler.java:106)
04-02 17:15:30.089 23250 23250 E AndroidRuntime: 	at android.os.Looper.loop(Looper.java:193)
04-02 17:15:30.089 23250 23250 E AndroidRuntime: 	at android.app.ActivityThread.main(ActivityThread.java:6669)
04-02 17:15:30.089 23250 23250 E AndroidRuntime: 	at java.lang.reflect.Method.invoke(Native Method)
04-02 17:15:30.089 23250 23250 E AndroidRuntime: 	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
04-02 17:15:30.089 23250 23250 E AndroidRuntime: 	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:858)
04-02 17:15:30.089 23250 23250 E AndroidRuntime: Caused by: com.datatheorem.android.trustkit.config.ConfigurationException: Policy contains 0 domains to pin
04-02 17:15:30.089 23250 23250 E AndroidRuntime: 	at com.datatheorem.android.trustkit.config.TrustKitConfiguration.<init>(TrustKitConfiguration.java:42)
04-02 17:15:30.089 23250 23250 E AndroidRuntime: 	at com.datatheorem.android.trustkit.config.TrustKitConfiguration.<init>(TrustKitConfiguration.java:33)
04-02 17:15:30.089 23250 23250 E AndroidRuntime: 	at com.datatheorem.android.trustkit.config.TrustKitConfigurationParser.fromXmlPolicy(TrustKitConfigurationParser.java:71)
04-02 17:15:30.089 23250 23250 E AndroidRuntime: 	at com.datatheorem.android.trustkit.config.TrustKitConfiguration.fromXmlPolicy(TrustKitConfiguration.java:28)
04-02 17:15:30.089 23250 23250 E AndroidRuntime: 	at com.datatheorem.android.trustkit.TrustKit.initializeWithNetworkSecurityConfiguration(TrustKit.java:311)
04-02 17:15:30.089 23250 23250 E AndroidRuntime: 	at com.datatheorem.android.trustkit.TrustKit.initializeWithNetworkSecurityConfiguration(TrustKit.java:271)
04-02 17:15:30.089 23250 23250 E AndroidRuntime: 	at com.hpb.nhp.MainApplication.onCreate(MainApplication.java:76)
04-02 17:15:30.089 23250 23250 E AndroidRuntime: 	at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1154)
04-02 17:15:30.089 23250 23250 E AndroidRuntime: 	at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5871)

To Reproduce
Put above XML config block for clear text traffic in an RN (version >= 0.58) app with TrustKit module (v1.1.1) installed, run react-native run-android to install and launch it in an Android emulator. The app will crash upon launch and the above exception messages can be read via logcat.

Expected behavior
Domains without pin set should just be ignored as promised in the release notes of version 1.1.1.

TrustKit version
1.1.1

App details:
App target SDK: 28.0.3
App language: JS/React Native
Android version to reproduce the bug: Andorid 9.0.

[MaRuifeng]

Taking a look at the commit to fix issue #49 , below code portion indicates that only non-null DomainPinningPolicy is added to the domainConfigSet.

TrustKit-Android/trustkit/src/main/java/com/datatheorem/android/trustkit/config/TrustKitConfigurationParser.java

Lines 56 to 72 in 5759dbc

	HashSet<DomainPinningPolicy> domainConfigSet = new HashSet<>();
	for (DomainPinningPolicy.Builder builder : builderList) {
	DomainPinningPolicy policy = builder.build();
	if (policy != null) {
	domainConfigSet.add(policy);
	}
	}
	if (debugOverridesTag != null) {
	config = new TrustKitConfiguration(
	domainConfigSet,
	debugOverridesTag.overridePins,
	debugOverridesTag.debugCaCertificates
	);
	} else {
	config = new TrustKitConfiguration(domainConfigSet);
	}

When instantiating the TrustKitConfiguration object, the mentioned exception is thrown when the domainConfigSet has a size less than 1.

TrustKit-Android/trustkit/src/main/java/com/datatheorem/android/trustkit/config/TrustKitConfiguration.java

Lines 36 to 56 in 890f15b

	protected TrustKitConfiguration(
	@NonNull Set<DomainPinningPolicy> domainConfigSet,
	boolean shouldOverridePins,
	@Nullable Set<Certificate> debugCaCerts
	) {
	if (domainConfigSet.size() < 1) {
	throw new ConfigurationException("Policy contains 0 domains to pin");
	}
	Set<String> hostnameSet = new HashSet<>();
	for (DomainPinningPolicy domainConfig : domainConfigSet) {
	if (hostnameSet.contains(domainConfig.getHostname())) {
	throw new ConfigurationException("Policy contains the same domain defined twice: "
	+ domainConfig.getHostname());
	}
	hostnameSet.add(domainConfig.getHostname());
	}
	this.domainPolicies = domainConfigSet;
	this.shouldOverridePins = shouldOverridePins;
	this.debugCaCertificates = debugCaCerts;
	}

This part may need to be reworked.

[nabla-c0d3]

Thanks for the detailed report - it all makes sense.

[nabla-c0d3]

Fixed in 1.1.2