httpsurlconn service message-signing integration #8

Open
charlesoj6205 wants to merge 8 commits into main from httpsurl-serivce-msgsign-integration

@charlesoj6205 charlesoj6205 commented Apr 16, 2026

Implements message-signing/service mutator for the HttpsURLConnection service layer. Lifted baseline code from the okhttp service layer and refactored for HttpsURLConnection.

Copilot AI left a comment

Pull request overview

This PR adds an HTTP message-signing capability to the HttpsURLConnection Approov service layer by introducing a service mutator hook, a default message-signing mutator implementation, and supporting HTTP Structured Field Values (RFC 8941) + signature-base building utilities.

Changes:

  • Add ApproovServiceMutator callbacks and wire them into ApproovService.addApproov(...) to allow post-processing/mutation of requests.
  • Implement default message signing for HttpsURLConnection requests (Signature / Signature-Input headers) with supporting signature-base construction utilities.
  • Add a Structured Field Values (RFC 8941) implementation used for Signature/Signature-Input header serialization, and add BouncyCastle for ASN.1 parsing.

Reviewed changes

Copilot reviewed 34 out of 34 changed files in this pull request and generated 19 comments.

| File | Description |
| --- | --- |
| approov-service/build.gradle | Updates Android SDK levels and adds BouncyCastle dependency needed for ASN.1 parsing in message signing |
| approov-service/src/main/java/io/approov/service/httpsurlconn/ApproovService.java | Adds mutator plumbing, status-as-token option, message signing helper APIs, and changes addApproov signature |
| approov-service/src/main/java/io/approov/service/httpsurlconn/ApproovServiceMutator.java | New mutator interface providing configurable hooks across token/substitution/interceptor flows |
| approov-service/src/main/java/io/approov/service/httpsurlconn/ApproovDefaultMessageSigning.java | Default message-signing mutator that builds signature base and adds Signature/Signature-Input headers |
| approov-service/src/main/java/io/approov/service/httpsurlconn/ApproovRequestMutations.java | Records request mutations (token header key, substituted headers, trace header key, etc.) for mutator use |
| approov-service/src/main/java/io/approov/service/httpsurlconn/ApproovInterceptorExtensions.java | Deprecated compatibility interface bridging older extension API to the new mutator API |
| approov-service/src/main/java/io/approov/service/httpsurlconn/ApproovFetchStatusException.java | New exception type to surface non-success token fetch statuses |
| approov-service/src/main/java/io/approov/service/httpsurlconn/ApproovNetworkException.java | Extends network exception to optionally carry TokenFetchStatus |
| approov-service/src/main/java/io/approov/util/sig/ComponentProvider.java | Signature component value provider abstraction for building signature bases |
| approov-service/src/main/java/io/approov/util/sig/SignatureBaseBuilder.java | Builds the signature base string from covered components and signature parameters |
| approov-service/src/main/java/io/approov/util/sig/SignatureParameters.java | Represents signature parameters and covered component identifiers; supports SFV serialization/parsing |
| approov-service/src/main/java/io/approov/util/sig/LICENSE | License file for the signature utility package |
| approov-service/src/main/java/io/approov/util/http/sfv/package-info.java | Package documentation for the Structured Field Values implementation |
| approov-service/src/main/java/io/approov/util/http/sfv/Parser.java | RFC 8941 parser implementation |
| approov-service/src/main/java/io/approov/util/http/sfv/ParseException.java | Parser exception with position/diagnostics support |
| approov-service/src/main/java/io/approov/util/http/sfv/Type.java | Base interface for SFV types with serialization support |
| approov-service/src/main/java/io/approov/util/http/sfv/Parameterizable.java | Common interface for SFV types that can carry parameters |
| approov-service/src/main/java/io/approov/util/http/sfv/Parameters.java | Immutable parameter map with serialization and validation |
| approov-service/src/main/java/io/approov/util/http/sfv/Utils.java | Validation helpers for SFV keys |
| approov-service/src/main/java/io/approov/util/http/sfv/ListElement.java | Marker interface for elements of outer lists |
| approov-service/src/main/java/io/approov/util/http/sfv/OuterList.java | SFV Outer List type |
| approov-service/src/main/java/io/approov/util/http/sfv/InnerList.java | SFV Inner List type |
| approov-service/src/main/java/io/approov/util/http/sfv/Dictionary.java | SFV Dictionary type |
| approov-service/src/main/java/io/approov/util/http/sfv/Item.java | Item abstraction with conversions from raw Java types |
| approov-service/src/main/java/io/approov/util/http/sfv/StringItem.java | SFV String item |
| approov-service/src/main/java/io/approov/util/http/sfv/TokenItem.java | SFV Token item |
| approov-service/src/main/java/io/approov/util/http/sfv/BooleanItem.java | SFV Boolean item |
| approov-service/src/main/java/io/approov/util/http/sfv/IntegerItem.java | SFV Integer item |
| approov-service/src/main/java/io/approov/util/http/sfv/DecimalItem.java | SFV Decimal item |
| approov-service/src/main/java/io/approov/util/http/sfv/DateItem.java | SFV Date item |
| approov-service/src/main/java/io/approov/util/http/sfv/NumberItem.java | Common interface for numeric items |
| approov-service/src/main/java/io/approov/util/http/sfv/ByteSequenceItem.java | SFV Byte Sequence item |
| approov-service/src/main/java/io/approov/util/http/sfv/DisplayStringItem.java | SFV Display String item |
| approov-service/src/main/java/io/approov/util/http/sfv/LICENSE | License file for the SFV implementation |
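
The signing flow summarised in the overview above, as an added example that is not code from this PR or from the Approov project: it builds an RFC 9421 signature base and the matching Signature / Signature-Input pair with plain JDK 8 classes. The covered components, the `sig1` label, the `hmac-sha256` algorithm, the key and all request values are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration, not the PR's code. All request values, the label and the key are constructed.
public class MessageSigningSketch {
    // Covered-component inner list plus parameters, e.g. ("@method" "@path");created=1;alg="hmac-sha256"
    static String signatureParams(Map<String, String> components, long created, String alg) {
        StringBuilder sb = new StringBuilder("(");
        for (String id : components.keySet()) {
            if (sb.length() > 1) sb.append(' ');
            sb.append('"').append(id).append('"');
        }
        return sb.append(");created=").append(created).append(";alg=\"").append(alg).append('"').toString();
    }

    // One "<id>": <value> line per covered component, then the @signature-params line (no trailing newline).
    static String signatureBase(Map<String, String> components, String params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> c : components.entrySet()) {
            sb.append('"').append(c.getKey()).append("\": ").append(c.getValue()).append('\n');
        }
        return sb.append("\"@signature-params\": ").append(params).toString();
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> covered = new LinkedHashMap<>(); // insertion order = signing order
        covered.put("@method", "POST");
        covered.put("@authority", "api.example.com");
        covered.put("@path", "/v1/orders");
        covered.put("approov-token", "constructed.token.value"); // header name assumed
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);

        String label = "sig1"; // hypothetical; the same label must appear in both headers
        String params = signatureParams(covered, 1700000000L, "hmac-sha256");
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] sig = mac.doFinal(signatureBase(covered, params).getBytes(StandardCharsets.UTF_8));

        // Each header is a single-entry dictionary: label=(inner list);params and label=:base64:
        // java.util.Base64 needs Android API 26+; use android.util.Base64 below that.
        System.out.println("Signature-Input: " + label + "=" + params);
        System.out.println("Signature: " + label + "=:" + Base64.getEncoder().encodeToString(sig) + ":");
    }
}
```

A verifier rebuilds the same base from the received request and the Signature-Input value, so any covered component that an intermediary rewrites (for example the path) makes verification fail.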

Comment thread approov-service/src/main/java/io/approov/service/httpsurlconn/ApproovService.java Outdated
Comment on lines +278 to +282
String sigHeader = Dictionary.valueOf(Map.of(
sigId, ByteSequenceItem.valueOf(signature))).serialize();
String sigInputHeader = Dictionary.valueOf(Map.of(
sigId, params.toComponentValue())).serialize();
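
Review bot: sigId is used as the dictionary key in both Map.of(...) calls, so it becomes the label in Signature and Signature-Input, but nothing in these lines constrains it to a valid RFC 8941 key (first character a lowercase letter or *, then lowercase letters, digits, _, -, . or *). If sigId can come from configuration, validate it once before the signature is computed and report a bad label as an ApproovException, rather than relying on whatever Dictionary.valueOf or serialize() does with it after signing.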

Copilot AI Apr 16, 2026

Map.of(...) is a Java 9 API and isn’t available on Android without additional desugaring; this will either fail at build time or at runtime on older Android versions. Use an Android/Java-8 compatible map construction (e.g., Collections.singletonMap, or a small LinkedHashMap) instead.

Copilot uses AI. Check for mistakes.
Comment thread approov-service/src/main/java/io/approov/service/httpsurlconn/ApproovService.java Outdated
Comment on lines 15 to +19
compileSdkVersion 30

defaultConfig {
minSdkVersion 21
targetSdkVersion 28
minSdkVersion 23
targetSdkVersion 34
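
Review bot: The minSdkVersion 21 to 23 and targetSdkVersion 28 to 34 changes in defaultConfig are not mentioned in the PR description, which covers only the message-signing mutator. State the reason for the new floor in the description or changelog, or move the SDK-level bump into its own commit so it can be reviewed and reverted independently of the signing code.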

Copilot AI Apr 16, 2026

compileSdkVersion (30) is lower than targetSdkVersion (34), which is likely to fail Android build/tooling checks. Align these values (typically set compileSdkVersion >= targetSdkVersion), and confirm whether raising minSdkVersion from 21 to 23 is intended (it’s a breaking change for library consumers).

Comment thread approov-service/src/main/java/io/approov/service/httpsurlconn/ApproovService.java Outdated
* @throws ApproovException if it is not possible to obtain an Approov token or secure strings
*/
public static synchronized void addApproov(HttpsURLConnection connection) throws ApproovException {
public static synchronized HttpsURLConnection addApproov(HttpsURLConnection request) throws ApproovException {
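
Review bot: The Javadoc tail above the new signature shows only @throws, while the method now returns an HttpsURLConnection and its parameter is renamed from connection to request. Update @param for request and add an @return that states whether the returned object is the same instance that was passed in; a caller that ignores the return value and keeps using its original reference needs to know whether that connection still carries the token and signature headers.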

Copilot AI Apr 16, 2026

Changing addApproov to return HttpsURLConnection is a source/binary breaking change for existing consumers. Consider keeping the old void addApproov(HttpsURLConnection) signature as a deprecated wrapper that delegates to this method for backwards compatibility.

adriantuk added the enhancement ("New feature or request") label Apr 17, 2026

@adriantuk (Contributor)

I think we should address the issues from the Copilot code review. Did you verify message signing with Shapes API v5? (There is a better way to test message signing, such as using a Cloudflare worker; we can discuss on Monday.)

charlesoj6205 and others added 7 commits April 20, 2026 11:20
…ApproovService.java

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ApproovDefaultMessageSigning.java

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ApproovNetworkException.java

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ApproovServiceMutator.java

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ApproovNetworkException.java

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ApproovService.java

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ApproovDefaultMessageSigning.java

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>