dotnet · grendello · Oct 3, 2024 · Oct 3, 2024 · Aug 5, 2025 · Aug 6, 2025
@@ -144,7 +144,12 @@ The .NET Foundation licenses this file to you under the MIT license.
       <NetCoreAppNativeLibrary Include="System.Security.Cryptography.Native.Apple" Condition="'$(_IsApplePlatform)' == 'true'" />
       <!-- No OpenSSL on Apple platforms or Android -->
       <NetCoreAppNativeLibrary Include="System.Security.Cryptography.Native.OpenSsl" Condition="'$(StaticOpenSslLinking)' != 'true' and '$(_IsApplePlatform)' != 'true' and '$(_targetOS)' != 'android'" />
-      <NetCoreAppNativeLibrary Include="System.Security.Cryptography.Native.Android" Condition="'$(_targetOS)' == 'android'" />
+    </ItemGroup>
+
+    <ItemGroup Condition="'$(_targetOS)' == 'android'">
+      <NetCoreAppNativeLibrary Include="System.Security.Cryptography.Native.Android" />
+      <NetCoreAppNativeLibrary Include="System.Security.Cryptography.Native.Android.JNIExport" />
+      <IlcArg Include="--export-dynamic-symbol:Java_net_dot_android_crypto_DotnetProxyTrustManager_verifyRemoteCertificate" />
     </ItemGroup>
 
     <ItemGroup>

diff --git a/src/installer/pkg/sfx/Microsoft.NETCore.App/Directory.Build.props b/src/installer/pkg/sfx/Microsoft.NETCore.App/Directory.Build.props
@@ -91,6 +91,7 @@
     <PlatformManifestFileEntry Include="libSystem.Security.Cryptography.Native.Apple.a" IsNative="true" />
     <PlatformManifestFileEntry Include="libSystem.Security.Cryptography.Native.Apple.dylib" IsNative="true" />
     <PlatformManifestFileEntry Include="libSystem.Security.Cryptography.Native.Android.a" IsNative="true" />
+    <PlatformManifestFileEntry Include="libSystem.Security.Cryptography.Native.Android.JNIExport.a" IsNative="true" />
     <PlatformManifestFileEntry Include="libSystem.Security.Cryptography.Native.Android.so" IsNative="true" />
     <PlatformManifestFileEntry Include="libSystem.Security.Cryptography.Native.Android.dex" IsNative="true" />
     <PlatformManifestFileEntry Include="libSystem.Security.Cryptography.Native.Android.jar" IsNative="true" />

diff --git a/src/native/corehost/apphost/static/CMakeLists.txt b/src/native/corehost/apphost/static/CMakeLists.txt
@@ -176,6 +176,7 @@ else()
     else()
         list(APPEND NATIVE_LIBS
             System.Security.Cryptography.Native.Android-Static
+            System.Security.Cryptography.Native.Android.JNIExport-Static
         )
     endif()
 

diff --git a/src/native/libs/System.Security.Cryptography.Native.Android/CMakeLists.txt b/src/native/libs/System.Security.Cryptography.Native.Android/CMakeLists.txt
@@ -33,7 +33,7 @@ set(NATIVECRYPTO_SOURCES
 
 add_library(System.Security.Cryptography.Native.Android
     SHARED
-    ${NATIVECRYPTO_SOURCES} pal_jni_onload.c
+    ${NATIVECRYPTO_SOURCES} pal_jni_onload.c pal_trust_manager_jni_export.c
     ${VERSION_FILE_PATH}
 )
 
@@ -42,22 +42,42 @@ add_library(System.Security.Cryptography.Native.Android-Static
     ${NATIVECRYPTO_SOURCES}
 )
 
-set_target_properties(System.Security.Cryptography.Native.Android-Static PROPERTIES OUTPUT_NAME System.Security.Cryptography.Native.Android CLEAN_DIRECT_OUTPUT 1)
+#
+# This is necessary so that dynamic linking of the .NET for Android runtime
+# can hide all the other symbols in System.Security.Cryptography.Native.Android.
+#
+# .NET for Android dynamic runtime linking links all the relevant native BCL
+# libraries into a single .so, using the .a archives built here.  clang allows
+# hiding all the symbols in the .a archive, but there's no (working) way to
+# exclude just select symbols from hiding.
+#
+# Java VM requires that all the functions implementing the `native` methods are
+# exported from the shared libraries they are implemented in.  Therefore it is
+# necessary to put this symbol in a separate .a archive so that we can exclude it
+# from hiding described above.
+#
+add_library(System.Security.Cryptography.Native.Android.JNIExport-Static
+    STATIC
+    pal_trust_manager_jni_export.c
+)
 
 target_link_libraries(System.Security.Cryptography.Native.Android
     PRIVATE
     -llog
 )
 
 set_target_properties(System.Security.Cryptography.Native.Android PROPERTIES OUTPUT_NAME "System.Security.Cryptography.Native.Android")
-set_target_properties(System.Security.Cryptography.Native.Android-Static PROPERTIES OUTPUT_NAME "System.Security.Cryptography.Native.Android")
+set_target_properties(System.Security.Cryptography.Native.Android-Static PROPERTIES OUTPUT_NAME "System.Security.Cryptography.Native.Android" CLEAN_DIRECT_OUTPUT 1)
+set_target_properties(System.Security.Cryptography.Native.Android.JNIExport-Static PROPERTIES OUTPUT_NAME "System.Security.Cryptography.Native.Android.JNIExport"  CLEAN_DIRECT_OUTPUT 1)
 
 if (GEN_SHARED_LIB)
     install_with_stripped_symbols (System.Security.Cryptography.Native.Android PROGRAMS .)
 endif()
 
 install (TARGETS System.Security.Cryptography.Native.Android-Static DESTINATION ${STATIC_LIB_DESTINATION} COMPONENT libs)
+install (TARGETS System.Security.Cryptography.Native.Android.JNIExport-Static DESTINATION ${STATIC_LIB_DESTINATION} COMPONENT libs)
 
 if(CLR_CMAKE_HOST_ANDROID)
     install (TARGETS System.Security.Cryptography.Native.Android-Static DESTINATION sharedFramework COMPONENT runtime)
+    install (TARGETS System.Security.Cryptography.Native.Android.JNIExport-Static DESTINATION sharedFramework COMPONENT runtime)
 endif()
diff --git a/src/native/libs/System.Security.Cryptography.Native.Android/pal_trust_manager.c b/src/native/libs/System.Security.Cryptography.Native.Android/pal_trust_manager.c
@@ -1,11 +1,11 @@
-#include "pal_trust_manager.h"
-#include <stdatomic.h>
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
 
-static _Atomic RemoteCertificateValidationCallback verifyRemoteCertificate;
+#include "pal_trust_manager.h"
 
 ARGS_NON_NULL_ALL void AndroidCryptoNative_RegisterRemoteCertificateValidationCallback(RemoteCertificateValidationCallback callback)
 {
-    atomic_store(&verifyRemoteCertificate, callback);
+    StoreRemoteVerificationCallback(callback);
 }
 
 ARGS_NON_NULL_ALL jobjectArray GetTrustManagers(JNIEnv* env, intptr_t sslStreamProxyHandle)
@@ -28,10 +28,3 @@ ARGS_NON_NULL_ALL jobjectArray GetTrustManagers(JNIEnv* env, intptr_t sslStreamP
     return trustManagers;
 }
 
-ARGS_NON_NULL_ALL jboolean Java_net_dot_android_crypto_DotnetProxyTrustManager_verifyRemoteCertificate(
-    JNIEnv* env, jobject thisHandle, jlong sslStreamProxyHandle)
-{
-    RemoteCertificateValidationCallback verify = atomic_load(&verifyRemoteCertificate);
-    abort_unless(verify, "verifyRemoteCertificate callback has not been registered");
-    return verify((intptr_t)sslStreamProxyHandle);
-}
diff --git a/src/native/libs/System.Security.Cryptography.Native.Android/pal_trust_manager.h b/src/native/libs/System.Security.Cryptography.Native.Android/pal_trust_manager.h
@@ -1,3 +1,6 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
 #include "pal_jni.h"
 
 typedef bool (*RemoteCertificateValidationCallback)(intptr_t);
@@ -6,5 +9,6 @@ PALEXPORT void AndroidCryptoNative_RegisterRemoteCertificateValidationCallback(R
 
 jobjectArray GetTrustManagers(JNIEnv* env, intptr_t sslStreamProxyHandle);
 
+void StoreRemoteVerificationCallback (RemoteCertificateValidationCallback callback);
 JNIEXPORT jboolean JNICALL Java_net_dot_android_crypto_DotnetProxyTrustManager_verifyRemoteCertificate(
     JNIEnv *env, jobject thisHandle, jlong sslStreamProxyHandle);
diff --git a/src/native/libs/System.Security.Cryptography.Native.Android/pal_trust_manager_jni_export.c b/src/native/libs/System.Security.Cryptography.Native.Android/pal_trust_manager_jni_export.c
@@ -0,0 +1,20 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+#include "pal_trust_manager.h"
+#include <stdatomic.h>
+
+static _Atomic RemoteCertificateValidationCallback verifyRemoteCertificate;
+
+void StoreRemoteVerificationCallback (RemoteCertificateValidationCallback callback)
+{
+    atomic_store(&verifyRemoteCertificate, callback);
+}
+
+ARGS_NON_NULL_ALL jboolean Java_net_dot_android_crypto_DotnetProxyTrustManager_verifyRemoteCertificate(
+    JNIEnv* env, jobject thisHandle, jlong sslStreamProxyHandle)
+{
+    RemoteCertificateValidationCallback verify = atomic_load(&verifyRemoteCertificate);
+    abort_unless(verify, "verifyRemoteCertificate callback has not been registered");
+    return verify((intptr_t)sslStreamProxyHandle);
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -176,6 +176,7 @@ else() @@
         else()
             list(APPEND NATIVE_LIBS
                 System.Security.Cryptography.Native.Android-Static
+                System.Security.Cryptography.Native.Android.JNIExport-Static
             )
         endif()
@@ Expand Down @@