WebView: validate SSL_UNTRUSTED certs via OkHttp trust store

When connecting to a Home Assistant instance using a private CA, the
WebView's Chromium TLS stack reports SSL_UNTRUSTED (error code 3) even
though network_security_config.xml includes user CAs. The app's
OkHttpClient correctly trusts user-installed CAs via AndroidCAStore, so
we use it as a second opinion before rejecting the connection.

Observed log:
  onReceivedSslError: primary error: 3 certificate: Issued to: CN=antares.milli.ways;
  Issued by: CN=milly.ways CA Intermediate CA,O=milly.ways CA;
  on URL: https://homeassistant.milli.ways/auth/authorize?...

TLSWebViewClient now overrides onReceivedSslError: for SSL_UNTRUSTED
with a non-null URL it launches async validation via isTlsTrusted();
all other errors (IDMISMATCH, EXPIRED, etc.) are rejected immediately.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: cryptomilk

app/src/main/kotlin/io/homeassistant/companion/android/frontend/FrontendViewModel.kt

@@ -203,6 +203,7 @@ internal class FrontendViewModel @VisibleForTesting constructor(
     )
 
     val webViewClient: HAWebViewClient = webViewClientFactory.create(
+        validationScope = viewModelScope,
         currentUrlFlow = urlFlow,
         onFrontendError = ::onError,
         onCrash = ::onRetry,

app/src/main/kotlin/io/homeassistant/companion/android/onboarding/connection/ConnectionViewModel.kt

@@ -108,6 +108,7 @@ internal class ConnectionViewModel @VisibleForTesting constructor(
     }
 
     val webViewClient: HAWebViewClient = webViewClientFactory.create(
+        validationScope = viewModelScope,
         currentUrlFlow = urlFlow,
         onFrontendError = ::onError,
         onUrlIntercepted = ::interceptRedirectIfRequired,

app/src/main/kotlin/io/homeassistant/companion/android/util/HAWebViewClient.kt

@@ -15,8 +15,17 @@ import io.homeassistant.companion.android.common.R as commonR
 import io.homeassistant.companion.android.common.data.keychain.KeyChainRepository
 import io.homeassistant.companion.android.common.data.keychain.NamedKeyChain
 import io.homeassistant.companion.android.frontend.error.FrontendConnectionError
+import java.io.IOException
 import javax.inject.Inject
+import javax.net.ssl.SSLException
+import kotlin.time.Duration.Companion.seconds
+import kotlin.time.toJavaDuration
+import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.flow.StateFlow
+import kotlinx.coroutines.withContext
+import okhttp3.OkHttpClient
+import okhttp3.Request
 import timber.log.Timber
 
 /**
@@ -25,10 +34,16 @@ import timber.log.Timber
  * The created clients handle Home Assistant-specific concerns such as TLS client authentication,
  * error mapping to [FrontendConnectionError], and JavaScript injection into the WebView.
  */
-class HAWebViewClientFactory @Inject constructor(@NamedKeyChain private val keyChainRepository: KeyChainRepository) {
+class HAWebViewClientFactory @Inject constructor(
+    @NamedKeyChain private val keyChainRepository: KeyChainRepository,
+    private val okHttpClient: OkHttpClient,
+) {
     /**
      * Creates a new [HAWebViewClient] with the specified configuration.
      *
+     * @param validationScope Scope used for async TLS validation coroutines. Should be tied to the
+     *        caller's lifecycle (e.g., `viewModelScope`) so in-flight validations are cancelled on
+     *        destruction.
      * @param currentUrlFlow StateFlow providing the current URL being loaded.
      *        Used to filter errors - only errors for this URL trigger [onFrontendError].
      * @param onFrontendError Callback when a WebView error is mapped to a [FrontendConnectionError].
@@ -41,6 +56,7 @@ class HAWebViewClientFactory @Inject constructor(@NamedKeyChain private val keyC
      *        Receives the handler, host, the resource URL that triggered the request, and the realm.
      */
     fun create(
+        validationScope: CoroutineScope,
         currentUrlFlow: StateFlow<String?>,
         onFrontendError: (FrontendConnectionError) -> Unit,
         onCrash: (() -> Unit)? = null,
@@ -57,6 +73,8 @@ class HAWebViewClientFactory @Inject constructor(@NamedKeyChain private val keyC
     ): HAWebViewClient {
         return HAWebViewClient(
             keyChainRepository = keyChainRepository,
+            validationScope = validationScope,
+            okHttpClient = okHttpClient,
             currentUrlFlow = currentUrlFlow,
             onFrontendError = onFrontendError,
             onCrash = onCrash,
@@ -67,6 +85,8 @@ class HAWebViewClientFactory @Inject constructor(@NamedKeyChain private val keyC
     }
 }
 
+private val TLS_VALIDATION_TIMEOUT = 5.seconds
+
 /**
  * WebViewClient dedicated to loading Home Assistant frontend.
  *
@@ -75,6 +95,8 @@ class HAWebViewClientFactory @Inject constructor(@NamedKeyChain private val keyC
  */
 class HAWebViewClient internal constructor(
     keyChainRepository: KeyChainRepository,
+    validationScope: CoroutineScope,
+    private val okHttpClient: OkHttpClient,
     private val currentUrlFlow: StateFlow<String?>,
     private val onFrontendError: (FrontendConnectionError) -> Unit,
     private val onCrash: (() -> Unit)?,
@@ -83,7 +105,12 @@ class HAWebViewClient internal constructor(
     private val onReceivedHttpAuthRequest: (
         (handler: HttpAuthHandler, host: String, resource: String, realm: String) -> Unit
     )?,
-) : TLSWebViewClient(keyChainRepository) {
+) : TLSWebViewClient(keyChainRepository, validationScope) {
+
+    // callTimeout bounds the entire call (DNS + connect + TLS + transfer), no per-phase overrides needed
+    private val tlsValidationClient: OkHttpClient = okHttpClient.newBuilder()
+        .callTimeout(TLS_VALIDATION_TIMEOUT.toJavaDuration())
+        .build()
 
     /** Last resource URL loaded by the WebView, used to identify the resource requesting auth. */
     private var lastResourceUrl: String? = null
@@ -217,9 +244,27 @@ class HAWebViewClient internal constructor(
     }
 
     override fun onReceivedSslError(view: WebView?, handler: SslErrorHandler?, error: SslError?) {
+        Timber.w("onReceivedSslError: primary error ${error?.primaryError} on ${sensitive { error?.url.orEmpty() }}")
         super.onReceivedSslError(view, handler, error)
-        Timber.e("onReceivedSslError: $error")
+    }
+
+    override suspend fun isTlsTrusted(url: String): Boolean = withContext(Dispatchers.IO) {
+        try {
+            val request = Request.Builder().url(url).head().build()
+            tlsValidationClient.newCall(request).execute().use { }
+            true
+        // SSLException extends IOException but gets a more specific message
+        } catch (e: SSLException) {
+            Timber.w(e, "TLS validation failed for ${sensitive(url)}")
+            false
+        } catch (e: IOException) {
+            Timber.w(e, "Connection failed during TLS validation for ${sensitive(url)}")
+            false
+        }
+    }
 
+    override fun onSslErrorRejected(view: WebView?, error: SslError?) {
+        Timber.e("SSL connection rejected: primary error ${error?.primaryError} on ${sensitive { error?.url.orEmpty() }}")
         val messageRes = when (error?.primaryError) {
             SslError.SSL_DATE_INVALID -> commonR.string.webview_error_SSL_DATE_INVALID
             SslError.SSL_EXPIRED -> commonR.string.webview_error_SSL_EXPIRED

app/src/main/kotlin/io/homeassistant/companion/android/util/TLSWebViewClient.kt

@@ -4,9 +4,11 @@ import android.app.Activity
 import android.content.ActivityNotFoundException
 import android.content.Context
 import android.content.ContextWrapper
+import android.net.http.SslError
 import android.security.KeyChain
 import android.security.KeyChainAliasCallback
 import android.webkit.ClientCertRequest
+import android.webkit.SslErrorHandler
 import android.webkit.WebView
 import android.webkit.WebViewClient
 import androidx.annotation.VisibleForTesting
@@ -19,6 +21,7 @@ import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.Job
 import kotlinx.coroutines.launch
+import kotlinx.coroutines.withContext
 import timber.log.Timber
 
 /*
@@ -27,7 +30,10 @@ import timber.log.Timber
  * we don't want the webview code in the wear app.
  */
 
-open class TLSWebViewClient(private var keyChainRepository: KeyChainRepository) : WebViewClient() {
+open class TLSWebViewClient(
+    private var keyChainRepository: KeyChainRepository,
+    private val validationScope: CoroutineScope,
+) : WebViewClient() {
     var isTLSClientAuthNeeded = false
         @VisibleForTesting set
 
@@ -37,6 +43,48 @@ open class TLSWebViewClient(private var keyChainRepository: KeyChainRepository)
     var isCertificateChainValid = false
         @VisibleForTesting set
 
+    /**
+     * Performs an async trust check for the given URL using the app's configured trust store.
+     *
+     * Called only for [SslError.SSL_UNTRUSTED] errors. Returns `true` if the server certificate
+     * chain is trusted and the connection should proceed. The default implementation denies all
+     * connections; subclasses should override this with real validation logic.
+     */
+    open suspend fun isTlsTrusted(url: String): Boolean = false
+
+    /**
+     * Called when an SSL error has been rejected and the WebView will not load the resource.
+     *
+     * Subclasses can override this to surface the error to the user. Not called when
+     * [isTlsTrusted] returns `true` (i.e., when the connection proceeds).
+     */
+    open fun onSslErrorRejected(view: WebView?, error: SslError?) {}
+
+    override fun onReceivedSslError(view: WebView?, handler: SslErrorHandler?, error: SslError?) {
+        if (error == null) {
+            handler?.cancel()
+            onSslErrorRejected(view, null)
+            return
+        }
+        if (error.primaryError == SslError.SSL_UNTRUSTED && error.url != null) {
+            val url = error.url!!
+            val viewRef = view?.let { WeakReference(it) }
+            validationScope.launch {
+                if (isTlsTrusted(url)) {
+                    withContext(Dispatchers.Main) { handler?.proceed() }
+                } else {
+                    withContext(Dispatchers.Main) {
+                        handler?.cancel()
+                        onSslErrorRejected(viewRef?.get(), error)
+                    }
+                }
+            }
+        } else {
+            handler?.cancel()
+            onSslErrorRejected(view, error)
+        }
+    }
+
     private var key: PrivateKey? = null
     private var chain: Array<X509Certificate>? = null
 

app/src/main/kotlin/io/homeassistant/companion/android/webview/WebViewActivity.kt

@@ -28,7 +28,6 @@ import android.webkit.JavascriptInterface
 import android.webkit.JsResult
 import android.webkit.PermissionRequest
 import android.webkit.RenderProcessGoneDetail
-import android.webkit.SslErrorHandler
 import android.webkit.URLUtil
 import android.webkit.ValueCallback
 import android.webkit.WebChromeClient
@@ -159,8 +158,14 @@ import io.homeassistant.companion.android.webview.externalbus.ExternalEntityAddT
 import io.homeassistant.companion.android.webview.externalbus.NavigateTo
 import io.homeassistant.companion.android.webview.externalbus.ShowSidebar
 import io.homeassistant.companion.android.webview.insecure.BlockInsecureFragment
+import java.io.IOException
 import javax.inject.Inject
+import javax.net.ssl.SSLException
+import kotlin.time.Duration.Companion.seconds
+import kotlin.time.toJavaDuration
 import kotlinx.coroutines.CancellationException
+import okhttp3.OkHttpClient
+import okhttp3.Request
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.Job
 import kotlinx.coroutines.delay
@@ -270,6 +275,15 @@ class WebViewActivity :
     @Inject
     lateinit var dataSourceFactory: DataSource.Factory
 
+    @Inject
+    lateinit var okHttpClient: OkHttpClient
+
+    private val tlsValidationClient: OkHttpClient by lazy {
+        okHttpClient.newBuilder()
+            .callTimeout(5.seconds.toJavaDuration())
+            .build()
+    }
+
     private lateinit var webView: WebView
     private var loadedUrl: Uri? = null
     private lateinit var decor: FrameLayout
@@ -494,7 +508,7 @@ class WebViewActivity :
                 }
             }
 
-            webViewClient = object : TLSWebViewClient(keyChainRepository) {
+            webViewClient = object : TLSWebViewClient(keyChainRepository, lifecycleScope) {
                 @Deprecated("Deprecated in Java for SDK >= 23")
                 override fun onReceivedError(
                     view: WebView?,
@@ -570,15 +584,29 @@ class WebViewActivity :
                     authenticationDialog(handler, host, resourceURL, realm, authError)
                 }
 
-                override fun onReceivedSslError(view: WebView?, handler: SslErrorHandler?, error: SslError?) {
-                    Timber.e("onReceivedSslError: $error")
+                override fun onSslErrorRejected(view: WebView?, error: SslError?) {
+                    Timber.e("onSslErrorRejected: primary error ${error?.primaryError} on ${sensitive { error?.url.orEmpty() }}")
                     showError(
                         ErrorType.SSL,
                         error,
                         null,
                     )
                 }
 
+                override suspend fun isTlsTrusted(url: String): Boolean = withContext(Dispatchers.IO) {
+                    try {
+                        val request = Request.Builder().url(url).head().build()
+                        tlsValidationClient.newCall(request).execute().use { }
+                        true
+                    } catch (e: SSLException) {
+                        Timber.w(e, "TLS validation failed for ${sensitive(url)}")
+                        false
+                    } catch (e: IOException) {
+                        Timber.w(e, "Connection failed during TLS validation for ${sensitive(url)}")
+                        false
+                    }
+                }
+
                 override fun onRenderProcessGone(view: WebView?, handler: RenderProcessGoneDetail?): Boolean {
                     Timber.e("onRenderProcessGone: webView crashed")
                     view?.let {
@@ -1844,7 +1872,9 @@ class WebViewActivity :
             } else if (errorType == ErrorType.SSL) {
                 if (description != null) {
                     alert.setMessage(getString(commonR.string.webview_error_description) + " " + description)
-                } else if (error!!.primaryError == SslError.SSL_DATE_INVALID) {
+                } else if (error == null) {
+                    alert.setMessage(commonR.string.error_ssl)
+                } else if (error.primaryError == SslError.SSL_DATE_INVALID) {
                     alert.setMessage(commonR.string.webview_error_SSL_DATE_INVALID)
                 } else if (error.primaryError == SslError.SSL_EXPIRED) {
                     alert.setMessage(commonR.string.webview_error_SSL_EXPIRED)

app/src/test/kotlin/io/homeassistant/companion/android/frontend/FrontendViewModelTest.kt

@@ -915,6 +915,7 @@ class FrontendViewModelTest {
             var capturedPageFinished: (() -> Unit)? = null
             every {
                 webViewClientFactory.create(
+                    validationScope = any(),
                     currentUrlFlow = any(),
                     onFrontendError = any(),
                     onCrash = any(),
@@ -923,8 +924,8 @@ class FrontendViewModelTest {
                     onReceivedHttpAuthRequest = any(),
                 )
             } answers {
-                // onPageFinished is the 5th of the 6 named arguments (zero-based index 4)
-                capturedPageFinished = arg(4)
+                // onPageFinished is the 6th of the 7 named arguments (zero-based index 5)
+                capturedPageFinished = arg(5)
                 mockk(relaxed = true)
             }
 
@@ -1014,6 +1015,7 @@ class FrontendViewModelTest {
             var capturedCallback: ((HttpAuthHandler, String, String, String) -> Unit)? = null
             every {
                 webViewClientFactory.create(
+                    validationScope = any(),
                     currentUrlFlow = any(),
                     onFrontendError = any(),
                     onCrash = any(),

app/src/test/kotlin/io/homeassistant/companion/android/onboarding/connection/ConnectionViewModelTest.kt

@@ -24,13 +24,17 @@ import io.mockk.slot
 import io.mockk.verify
 import java.net.URL
 import kotlin.reflect.KClass
+import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.ExperimentalCoroutinesApi
 import kotlinx.coroutines.flow.MutableSharedFlow
 import kotlinx.coroutines.flow.StateFlow
 import kotlinx.coroutines.flow.emptyFlow
+import kotlinx.coroutines.test.UnconfinedTestDispatcher
+import kotlinx.coroutines.test.TestScope
 import kotlinx.coroutines.test.advanceUntilIdle
 import kotlinx.coroutines.test.runCurrent
 import kotlinx.coroutines.test.runTest
+import okhttp3.OkHttpClient
 import org.junit.jupiter.api.Assertions.assertEquals
 import org.junit.jupiter.api.Assertions.assertFalse
 import org.junit.jupiter.api.Assertions.assertTrue
@@ -53,24 +57,29 @@ import org.junit.jupiter.params.provider.ValueSource
 class ConnectionViewModelTest {
 
     private val keyChainRepository: KeyChainRepository = mockk(relaxed = true)
+    private val okHttpClient: OkHttpClient = mockk(relaxed = true)
     private val webViewClientFactory: HAWebViewClientFactory = mockk {
         every {
             create(
+                validationScope = any<CoroutineScope>(),
                 currentUrlFlow = any<StateFlow<String?>>(),
                 onFrontendError = any(),
                 onCrash = any(),
                 onUrlIntercepted = any(),
                 onPageFinished = any(),
+                onReceivedHttpAuthRequest = any(),
             )
         } answers {
             HAWebViewClient(
                 keyChainRepository = keyChainRepository,
-                currentUrlFlow = firstArg(),
-                onFrontendError = secondArg(),
-                onCrash = thirdArg(),
-                onUrlIntercepted = arg(3),
-                onPageFinished = arg(4),
-                onReceivedHttpAuthRequest = arg(5),
+                validationScope = TestScope(UnconfinedTestDispatcher()),
+                okHttpClient = okHttpClient,
+                currentUrlFlow = secondArg(),
+                onFrontendError = thirdArg(),
+                onCrash = arg(3),
+                onUrlIntercepted = arg(4),
+                onPageFinished = arg(5),
+                onReceivedHttpAuthRequest = arg(6),
             )
         }
     }