react-native-ssl-manager 1.0.3 → 1.1.0

package/README.md

@@ -223,6 +223,118 @@ Your `ssl_config.json` should follow this structure:
 - ❌ **Don't rename** the file - it must be exactly `ssl_config.json`
 - ❌ **Don't place** in subdirectories - must be in project root
 
+## Supported Networking Stacks
+
+This library provides SSL pinning coverage across both platforms. The table below shows which networking stacks are covered and by which mechanism.
+
+| Stack | Platform | Covered | Mechanism |
+|-------|----------|---------|-----------|
+| `fetch` / `axios` (React Native) | iOS | Yes | TrustKit swizzling (`kTSKSwizzleNetworkDelegates`) |
+| `URLSession` (Foundation) | iOS | Yes | TrustKit swizzling |
+| `SDWebImage` | iOS | Yes | TrustKit swizzling (uses URLSession) |
+| `Alamofire` | iOS | Yes | TrustKit swizzling (uses URLSession) |
+| Most URLSession-based libraries | iOS | Yes* | TrustKit swizzling |
+| `fetch` / `axios` (React Native) | Android | Yes | OkHttpClientFactory + Network Security Config |
+| OkHttp (direct) | Android | Yes | Network Security Config |
+| Cronet (`react-native-nitro-fetch`) | Android | Best-effort* | Network Security Config |
+| Android WebView | Android | Yes | Network Security Config |
+| Coil / Ktor with OkHttp engine | Android | Yes | Network Security Config |
+| Glide / OkHttp3 (`react-native-fast-image`) | Android | Yes | Network Security Config |
+| `HttpURLConnection` | Android | Yes | Network Security Config |
+
+### How It Works
+
+**iOS**: TrustKit is initialized with `kTSKSwizzleNetworkDelegates: true`, which swizzles most `URLSession` delegates at the OS level. This means most libraries that use `URLSession` under the hood (including SDWebImage, Alamofire, and React Native's networking layer) are automatically covered without any additional configuration.
+
+**Android**: The library auto-generates `network_security_config.xml` from `ssl_config.json` at build time and patches `AndroidManifest.xml` to reference it. Android's Network Security Config is enforced at the platform level for all networking stacks that use the default `TrustManager` — including OkHttp, WebView, Coil, Glide, and `HttpURLConnection`. Cronet coverage is best-effort and depends on whether Cronet uses the platform default TrustManager.
+
+### Known Limitations
+
+- **iOS**: Libraries that implement custom TLS stacks (not using `URLSession`) are NOT covered by TrustKit swizzling.
+- **iOS**: Apps with complex custom `URLSessionDelegate` implementations or other method-swizzling libraries may experience conflicts with TrustKit's swizzling. TrustKit's own documentation notes swizzling is designed for "simple apps".
+- **Android**: Libraries that build OkHttp with a custom `TrustManager` that bypasses the system default may bypass Network Security Config.
+- **Android (Cronet)**: Cronet may use its own TLS stack rather than the platform default `TrustManager`, in which case NSC pin-sets are not enforced. For authoritative Cronet pinning, use `CronetEngine.Builder.addPublicKeyPins()` directly.
+
+### PinnedOkHttpClient (Android)
+
+For native module authors who need a pinned OkHttp client (e.g., custom Glide modules, Ktor engines), the library exposes a public singleton:
+
+```kotlin
+import com.usesslpinning.PinnedOkHttpClient
+
+// Get a pinned OkHttpClient instance
+val client = PinnedOkHttpClient.getInstance(context)
+```
+
+#### Glide Integration
+
+```kotlin
+@GlideModule
+class MyAppGlideModule : AppGlideModule() {
+    override fun registerComponents(context: Context, glide: Glide, registry: Registry) {
+        val client = PinnedOkHttpClient.getInstance(context)
+        registry.replace(
+            GlideUrl::class.java,
+            InputStream::class.java,
+            OkHttpUrlLoader.Factory(client)
+        )
+    }
+}
+```
+
+#### Coil Integration
+
+```kotlin
+val imageLoader = ImageLoader.Builder(context)
+    .okHttpClient { PinnedOkHttpClient.getInstance(context) }
+    .build()
+```
+
+#### Ktor OkHttp Engine
+
+```kotlin
+val httpClient = HttpClient(OkHttp) {
+    engine {
+        preconfigured = PinnedOkHttpClient.getInstance(context)
+    }
+}
+```
+
+#### Ktor CIO Engine (Manual Pinning)
+
+The CIO engine uses its own TLS stack and is **not** covered by Network Security Config or `PinnedOkHttpClient`. You must configure a custom `TrustManager` manually:
+
+```kotlin
+import io.ktor.client.*
+import io.ktor.client.engine.cio.*
+import java.security.cert.X509Certificate
+import javax.net.ssl.X509TrustManager
+
+val httpClient = HttpClient(CIO) {
+    engine {
+        https {
+            trustManager = object : X509TrustManager {
+                override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) {}
+                override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {
+                    // Validate the leaf certificate's public key pin against
+                    // your expected SHA-256 hashes from ssl_config.json
+                    val leafCert = chain[0]
+                    val publicKeyHash = java.security.MessageDigest
+                        .getInstance("SHA-256")
+                        .digest(leafCert.publicKey.encoded)
+                    val pin = android.util.Base64.encodeToString(publicKeyHash, android.util.Base64.NO_WRAP)
+                    val expectedPins = listOf("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") // from ssl_config.json
+                    if (pin !in expectedPins) {
+                        throw javax.net.ssl.SSLPeerUnverifiedException("Certificate pin mismatch for CIO engine")
+                    }
+                }
+                override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf()
+            }
+        }
+    }
+}
+```
+
 ## Important Notes ⚠️
 
 ### Restarting After SSL Pinning Changes
@@ -305,6 +417,90 @@ const handleSSLToggle = async (enabled: boolean) => {
    - Regularly update certificates before expiration
    - Maintain multiple backup certificates
 
+## Supported Networking Stacks
+
+This library provides platform-level SSL pinning coverage across both iOS and Android. The table below shows which networking stacks are covered on each platform and the mechanism used.
+
+| Stack | Platform | Covered | Mechanism |
+|-------|----------|---------|-----------|
+| `fetch` / `axios` (React Native) | iOS | Yes | TrustKit URLSession swizzling |
+| `fetch` / `axios` (React Native) | Android | Yes | OkHttpClientFactory + Network Security Config |
+| `URLSession` (Foundation) | iOS | Yes | TrustKit swizzling (`kTSKSwizzleNetworkDelegates`) |
+| `SDWebImage` | iOS | Yes | TrustKit swizzling (uses URLSession internally) |
+| `Alamofire` | iOS | Yes | TrustKit swizzling (uses URLSession internally) |
+| Most URLSession-based libraries | iOS | Yes* | TrustKit swizzling |
+| OkHttp | Android | Yes | Network Security Config + CertificatePinner |
+| Cronet (`react-native-nitro-fetch`) | Android | Best-effort* | Network Security Config |
+| Android WebView | Android | Yes | Network Security Config |
+| Coil / Ktor with OkHttp engine | Android | Yes | Network Security Config |
+| Glide / OkHttp3 (`react-native-fast-image`) | Android | Yes | Network Security Config |
+| `HttpURLConnection` | Android | Yes | Network Security Config |
+
+### iOS Coverage
+
+On iOS, TrustKit is initialized with `kTSKSwizzleNetworkDelegates: true`, which automatically swizzles most `URLSession` delegates. This means **most libraries that use `URLSession` under the hood** are covered without additional configuration — including `SDWebImage`, `Alamofire`, and React Native's built-in networking.
+
+**Known limitations:**
+- Custom TLS stacks that do not use `URLSession` (e.g., custom OpenSSL bindings) are NOT covered by TrustKit swizzling.
+- Apps with complex custom `URLSessionDelegate` implementations or other method-swizzling libraries may experience conflicts with TrustKit's swizzling.
+
+### Android Coverage
+
+On Android, the library generates a `network_security_config.xml` at build time from your `ssl_config.json`. This is enforced at the OS level for all networking stacks that use the platform default `TrustManager`, covering OkHttp, WebView, Coil, Glide, and `HttpURLConnection` without per-library configuration. Cronet coverage is best-effort (see below).
+
+**Known limitations:**
+- Libraries that build OkHttp with a custom `TrustManager` that bypasses the system default may not be covered by Network Security Config.
+- **Cronet**: No authoritative documentation confirms Cronet always respects NSC `<pin-set>` directives. Cronet has its own pinning API (`CronetEngine.Builder.addPublicKeyPins()`), which should be used for guaranteed Cronet pinning.
+
+### PinnedOkHttpClient API (Android)
+
+For native module authors who need a pre-configured pinned OkHttp client, the library exposes `PinnedOkHttpClient`:
+
+```kotlin
+// Get the singleton pinned client
+val client = PinnedOkHttpClient.getInstance(context)
+```
+
+The client reads `ssl_config.json` and configures `CertificatePinner` when SSL pinning is enabled. It returns a plain `OkHttpClient` when pinning is disabled. The singleton is automatically invalidated when the pinning state changes.
+
+#### Glide Integration
+
+```kotlin
+@GlideModule
+class MyAppGlideModule : AppGlideModule() {
+    override fun registerComponents(context: Context, glide: Glide, registry: Registry) {
+        val client = PinnedOkHttpClient.getInstance(context)
+        registry.replace(
+            GlideUrl::class.java,
+            InputStream::class.java,
+            OkHttpUrlLoader.Factory(client)
+        )
+    }
+}
+```
+
+#### Coil Integration
+
+```kotlin
+val imageLoader = ImageLoader.Builder(context)
+    .okHttpClient { PinnedOkHttpClient.getInstance(context) }
+    .build()
+```
+
+#### Ktor OkHttp Engine Integration
+
+```kotlin
+val httpClient = HttpClient(OkHttp) {
+    engine {
+        preconfigured = PinnedOkHttpClient.getInstance(context)
+    }
+}
+```
+
+#### Ktor CIO Engine (Manual Pinning)
+
+The CIO engine uses its own TLS stack and is **not** covered by Network Security Config or `PinnedOkHttpClient`. See the [Ktor CIO Engine manual pinning example](#ktor-cio-engine-manual-pinning) above for a complete code sample using a custom `TrustManager`.
+
 ## ✅ Completed Roadmap
 
 ### Recently Completed Features
@@ -344,6 +540,9 @@ const handleSSLToggle = async (enabled: boolean) => {
   - Web support for React Native Web
   - Additional certificate formats support
 
+- 📦 **Optional Library Artifacts**
+  - `react-native-ssl-manager-glide` — first-class Glide integration with pre-configured `AppGlideModule` (currently manual via `PinnedOkHttpClient`)
+
 ## 🧪 Testing Your SSL Implementation
 
 ### Using the Example App

package/android/src/main/java/com/usesslpinning/PinnedOkHttpClient.kt

@@ -0,0 +1,106 @@
+package com.usesslpinning
+
+import android.content.Context
+import okhttp3.CertificatePinner
+import okhttp3.OkHttpClient
+import org.json.JSONObject
+import java.io.IOException
+
+/**
+ * Public singleton providing a pinned OkHttpClient for native module authors.
+ *
+ * Usage:
+ *   val client = PinnedOkHttpClient.getInstance(context)
+ *
+ * The client is configured with CertificatePinner from ssl_config.json when
+ * SSL pinning is enabled. When disabled, a plain OkHttpClient is returned.
+ *
+ * The singleton is invalidated when the pinning state changes via setUseSSLPinning.
+ */
+object PinnedOkHttpClient {
+
+    @Volatile
+    private var instance: OkHttpClient? = null
+
+    @Volatile
+    private var lastPinningState: Boolean? = null
+
+    /**
+     * Returns a singleton OkHttpClient configured with certificate pinning
+     * from ssl_config.json (when SSL pinning is enabled).
+     */
+    @JvmStatic
+    fun getInstance(context: Context): OkHttpClient {
+        val prefs = context.getSharedPreferences("AppSettings", Context.MODE_PRIVATE)
+        val useSSLPinning = prefs.getBoolean("useSSLPinning", true)
+
+        // Invalidate if pinning state changed
+        if (useSSLPinning != lastPinningState) {
+            instance = null
+        }
+
+        return instance ?: synchronized(this) {
+            instance ?: buildClient(context, useSSLPinning).also {
+                instance = it
+                lastPinningState = useSSLPinning
+            }
+        }
+    }
+
+    /**
+     * Invalidate the cached client. Called when setUseSSLPinning changes state.
+     */
+    @JvmStatic
+    fun invalidate() {
+        synchronized(this) {
+            instance = null
+            lastPinningState = null
+        }
+    }
+
+    private fun buildClient(context: Context, useSSLPinning: Boolean): OkHttpClient {
+        val builder = OkHttpClient.Builder()
+
+        if (useSSLPinning) {
+            try {
+                val configJson = readSslConfig(context)
+                if (configJson != null) {
+                    val pinnerBuilder = CertificatePinner.Builder()
+                    val sha256Keys = configJson.getJSONObject("sha256Keys")
+                    val hostnames = sha256Keys.keys()
+                    while (hostnames.hasNext()) {
+                        val hostname = hostnames.next()
+                        val keysArray = sha256Keys.getJSONArray(hostname)
+                        for (i in 0 until keysArray.length()) {
+                            pinnerBuilder.add(hostname, keysArray.getString(i))
+                        }
+                    }
+                    builder.certificatePinner(pinnerBuilder.build())
+                }
+            } catch (_: Exception) {
+                // SSL pinning setup failed — return plain client
+            }
+        }
+
+        return builder.build()
+    }
+
+    private fun readSslConfig(context: Context): JSONObject? {
+        // Check runtime config first (set via JS API)
+        val prefs = context.getSharedPreferences("AppSettings", Context.MODE_PRIVATE)
+        val runtimeConfig = prefs.getString("sslConfig", null)
+        if (!runtimeConfig.isNullOrEmpty()) {
+            return JSONObject(runtimeConfig)
+        }
+
+        // Fall back to bundled asset
+        return try {
+            val inputStream = context.assets.open("ssl_config.json")
+            val bytes = inputStream.readBytes()
+            inputStream.close()
+            JSONObject(String(bytes, Charsets.UTF_8))
+        } catch (_: IOException) {
+            null
+        }
+    }
+}

package/android/ssl-pinning-setup.gradle

@@ -20,6 +20,146 @@ def ensureAssetsDir() {
 def assetsDir = file("${projectDir}/src/main/assets")
 def destFile  = file("${projectDir}/src/main/assets/ssl_config.json")
 
+import groovy.xml.XmlParser
+import groovy.xml.XmlNodePrinter
+import groovy.xml.MarkupBuilder
+
+/**
+ * Generate network_security_config.xml from ssl_config.json
+ * Returns true if XML was generated, false otherwise
+ */
+def generateNetworkSecurityConfigXml(File sslConfigFile, File xmlOutputFile) {
+    if (!sslConfigFile || !sslConfigFile.exists()) {
+        println "⚠️ SSL Config not found, skipping Network Security Config XML generation"
+        return false
+    }
+
+    def json = new groovy.json.JsonSlurper().parse(sslConfigFile)
+    def sha256Keys = json?.sha256Keys
+    if (!sha256Keys || sha256Keys.isEmpty()) {
+        println "⚠️ No sha256Keys found in ssl_config.json, skipping XML generation"
+        return false
+    }
+
+    // Calculate default expiration: 1 year from now
+    def cal = Calendar.getInstance()
+    cal.add(Calendar.YEAR, 1)
+    def expirationDate = String.format("%tF", cal) // YYYY-MM-DD format
+
+    // Ensure output directory exists
+    def xmlDir = xmlOutputFile.parentFile
+    if (!xmlDir.exists()) xmlDir.mkdirs()
+
+    // Check for existing NSC and merge if present
+    if (xmlOutputFile.exists()) {
+        println "🔄 Existing network_security_config.xml found, merging pin entries"
+        mergeNetworkSecurityConfigXml(xmlOutputFile, sha256Keys, expirationDate)
+    } else {
+        writeNewNetworkSecurityConfigXml(xmlOutputFile, sha256Keys, expirationDate)
+    }
+
+    return true
+}
+
+/**
+ * Write a fresh network_security_config.xml
+ */
+def writeNewNetworkSecurityConfigXml(File xmlFile, Map sha256Keys, String expirationDate) {
+    def writer = new StringWriter()
+    def xml = new MarkupBuilder(writer)
+    xml.setDoubleQuotes(true)
+
+    writer.write('<?xml version="1.0" encoding="utf-8"?>\n')
+    xml.'network-security-config' {
+        sha256Keys.each { domain, pins ->
+            'domain-config'('cleartextTrafficPermitted': 'false') {
+                'domain'('includeSubdomains': 'true', domain)
+                'pin-set'('expiration': expirationDate) {
+                    pins.each { pinValue ->
+                        def cleanPin = pinValue.replaceFirst('^sha256/', '')
+                        'pin'('digest': 'SHA-256', cleanPin)
+                    }
+                }
+            }
+        }
+    }
+
+    xmlFile.text = writer.toString()
+    println "✅ Generated network_security_config.xml with ${sha256Keys.size()} domain(s)"
+}
+
+/**
+ * Merge pin-set entries into an existing network_security_config.xml
+ * Preserves existing config (debug-overrides, base-config, other domain-configs)
+ * Replaces pin-set for domains that already exist, adds new domain-configs otherwise
+ */
+def mergeNetworkSecurityConfigXml(File xmlFile, Map sha256Keys, String expirationDate) {
+    def parser = new XmlParser()
+    def root = parser.parse(xmlFile)
+
+    sha256Keys.each { domain, pins ->
+        // Find existing domain-config for this domain
+        def existingDomainConfig = root.'domain-config'.find { dc ->
+            dc.'domain'.any { d -> d.text() == domain }
+        }
+
+        if (existingDomainConfig) {
+            println "⚠️ Replacing existing pin-set for domain: ${domain}"
+            // Remove old pin-set(s)
+            existingDomainConfig.'pin-set'.each { existingDomainConfig.remove(it) }
+            // Add new pin-set
+            def pinSetNode = new Node(existingDomainConfig, 'pin-set', [expiration: expirationDate])
+            pins.each { pinValue ->
+                def cleanPin = pinValue.replaceFirst('^sha256/', '')
+                new Node(pinSetNode, 'pin', [digest: 'SHA-256'], cleanPin)
+            }
+        } else {
+            // Add new domain-config
+            def domainConfigNode = new Node(root, 'domain-config', [cleartextTrafficPermitted: 'false'])
+            new Node(domainConfigNode, 'domain', [includeSubdomains: 'true'], domain)
+            def pinSetNode = new Node(domainConfigNode, 'pin-set', [expiration: expirationDate])
+            pins.each { pinValue ->
+                def cleanPin = pinValue.replaceFirst('^sha256/', '')
+                new Node(pinSetNode, 'pin', [digest: 'SHA-256'], cleanPin)
+            }
+        }
+    }
+
+    // Write merged XML back
+    def writer = new StringWriter()
+    writer.write('<?xml version="1.0" encoding="utf-8"?>\n')
+    def printer = new XmlNodePrinter(new PrintWriter(writer))
+    printer.setPreserveWhitespace(true)
+    printer.print(root)
+    xmlFile.text = writer.toString()
+    println "✅ Merged pin entries into existing network_security_config.xml"
+}
+
+/**
+ * Patch AndroidManifest.xml to reference network_security_config if not already set
+ */
+def patchAndroidManifest(File manifestFile) {
+    if (!manifestFile || !manifestFile.exists()) {
+        println "⚠️ AndroidManifest.xml not found, skipping manifest patching"
+        return false
+    }
+
+    def content = manifestFile.text
+    if (content.contains('android:networkSecurityConfig')) {
+        println "ℹ️ AndroidManifest already has networkSecurityConfig reference, preserving existing"
+        return false
+    }
+
+    // Add networkSecurityConfig attribute to <application> tag
+    content = content.replaceFirst(
+        '(<application\\b[^>]*)(>)',
+        '$1 android:networkSecurityConfig="@xml/network_security_config"$2'
+    )
+    manifestFile.text = content
+    println "✅ Added networkSecurityConfig reference to AndroidManifest.xml"
+    return true
+}
+
 plugins.withId('com.android.application') {
 
     // ===== AGP 7/8: androidComponents DSL =====
@@ -64,10 +204,29 @@ plugins.withId('com.android.application') {
                     }
                 }
 
-                // Hook chắc chắn cho assemble/install/mergeAssets
-                tasks.matching { it.name == "merge${vNameCap}Assets" }.configureEach { dependsOn taskName }
-                tasks.matching { it.name == "install${vNameCap}" }.configureEach   { dependsOn taskName }
-                tasks.matching { it.name == "assemble${vNameCap}" }.configureEach  { dependsOn taskName }
+                // ===== Generate Network Security Config XML =====
+                def nscTaskName = "generateNetworkSecurityConfig${vNameCap}"
+                tasks.register(nscTaskName) {
+                    group = "SSL Pinning"
+                    description = "Generate network_security_config.xml for ${vName}"
+
+                    doLast {
+                        def sourceFile = findSslConfigFile()
+                        def xmlDir = file("${projectDir}/src/main/res/xml")
+                        def xmlFile = file("${xmlDir}/network_security_config.xml")
+                        if (generateNetworkSecurityConfigXml(sourceFile, xmlFile)) {
+                            // Patch manifest
+                            def manifestFile = file("${projectDir}/src/main/AndroidManifest.xml")
+                            patchAndroidManifest(manifestFile)
+                        }
+                    }
+                }
+
+                // Hook both tasks before merge/assemble/install
+                tasks.matching { it.name == "merge${vNameCap}Assets" }.configureEach { dependsOn taskName; dependsOn nscTaskName }
+                tasks.matching { it.name == "install${vNameCap}" }.configureEach   { dependsOn taskName; dependsOn nscTaskName }
+                tasks.matching { it.name == "assemble${vNameCap}" }.configureEach  { dependsOn taskName; dependsOn nscTaskName }
+                tasks.matching { it.name == "merge${vNameCap}Resources" }.configureEach { dependsOn nscTaskName }
             }
         }
 
@@ -114,15 +273,33 @@ plugins.withId('com.android.application') {
                     }
                 }
 
+                // ===== Generate Network Security Config XML (legacy path) =====
+                def nscTaskName = "generateNetworkSecurityConfig${vNameCap}"
+                def nscTask = tasks.create(nscTaskName) {
+                    group = "SSL Pinning"
+                    description = "Generate network_security_config.xml for ${vNameCap}"
+
+                    doLast {
+                        def sourceFile = findSslConfigFile()
+                        def xmlDir = file("${projectDir}/src/main/res/xml")
+                        def xmlFile = file("${xmlDir}/network_security_config.xml")
+                        if (generateNetworkSecurityConfigXml(sourceFile, xmlFile)) {
+                            def manifestFile = file("${projectDir}/src/main/AndroidManifest.xml")
+                            patchAndroidManifest(manifestFile)
+                        }
+                    }
+                }
+
                 try {
                     if (variant.hasProperty("mergeAssetsProvider")) {
-                        variant.mergeAssetsProvider.configure { dependsOn copyTask }
+                        variant.mergeAssetsProvider.configure { dependsOn copyTask; dependsOn nscTask }
                     } else {
-                        tasks.named("merge${vNameCap}Assets").configure { dependsOn copyTask }
+                        tasks.named("merge${vNameCap}Assets").configure { dependsOn copyTask; dependsOn nscTask }
                     }
                 } catch (ignored) { }
-                try { tasks.named("install${vNameCap}").configure { dependsOn copyTask } } catch (ignored) { }
-                try { tasks.named("assemble${vNameCap}").configure { dependsOn copyTask } } catch (ignored) { }
+                try { tasks.named("merge${vNameCap}Resources").configure { dependsOn nscTask } } catch (ignored) { }
+                try { tasks.named("install${vNameCap}").configure { dependsOn copyTask; dependsOn nscTask } } catch (ignored) { }
+                try { tasks.named("assemble${vNameCap}").configure { dependsOn copyTask; dependsOn nscTask } } catch (ignored) { }
             }
         }
     }

package/app.plugin.js

@@ -21,6 +21,8 @@ function withSslManager(config, options = {}) {
     config = withAndroidSslPinning(config);
     config = withAndroidMainApplication(config);
     config = withAndroidAssets(config, { sslConfigPath });
+    config = withAndroidNetworkSecurityConfig(config, { sslConfigPath });
+    config = withAndroidNscManifest(config);
   }
 
   // Add iOS configuration
@@ -287,4 +289,101 @@ function withIosAssets(config, options) {
   return config;
 }
 
+const { generateNscXml, mergeNscXml } = require('./scripts/nsc-utils');
+
+/**
+ * Read ssl_config.json and return parsed sha256Keys, or null if not found
+ */
+function readSslConfig(projectRoot, sslConfigPath) {
+  const sourceConfigPath = path.resolve(projectRoot, sslConfigPath);
+  if (!fs.existsSync(sourceConfigPath)) {
+    return null;
+  }
+  try {
+    const config = JSON.parse(fs.readFileSync(sourceConfigPath, 'utf8'));
+    return config.sha256Keys || null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Generate network_security_config.xml during Expo prebuild
+ */
+function withAndroidNetworkSecurityConfig(config, options) {
+  return withDangerousMod(config, [
+    'android',
+    async (config) => {
+      const { sslConfigPath = 'ssl_config.json' } = options;
+      const projectRoot = config.modRequest.projectRoot;
+      const sha256Keys = readSslConfig(projectRoot, sslConfigPath);
+
+      if (!sha256Keys || Object.keys(sha256Keys).length === 0) {
+        console.warn(
+          '⚠️  No SSL pins found, skipping network_security_config.xml generation'
+        );
+        return config;
+      }
+
+      const xmlDir = path.join(
+        config.modRequest.platformProjectRoot,
+        'app/src/main/res/xml'
+      );
+      const xmlPath = path.join(xmlDir, 'network_security_config.xml');
+
+      if (!fs.existsSync(xmlDir)) {
+        fs.mkdirSync(xmlDir, { recursive: true });
+      }
+
+      if (fs.existsSync(xmlPath)) {
+        // Merge with existing
+        const existingXml = fs.readFileSync(xmlPath, 'utf8');
+        const mergedXml = mergeNscXml(existingXml, sha256Keys);
+        fs.writeFileSync(xmlPath, mergedXml);
+        console.log(
+          '✅ Merged SSL pins into existing network_security_config.xml'
+        );
+      } else {
+        // Generate new
+        const xml = generateNscXml(sha256Keys);
+        fs.writeFileSync(xmlPath, xml);
+        console.log('✅ Generated network_security_config.xml');
+      }
+
+      return config;
+    },
+  ]);
+}
+
+/**
+ * Patch AndroidManifest to reference network_security_config.xml
+ */
+function withAndroidNscManifest(config) {
+  return withAndroidManifest(config, (config) => {
+    const manifest = config.modResults;
+    const application = manifest.manifest.application?.[0];
+
+    if (!application) {
+      return config;
+    }
+
+    if (!application.$) {
+      application.$ = {};
+    }
+
+    if (application.$['android:networkSecurityConfig']) {
+      console.log(
+        'ℹ️  AndroidManifest already has networkSecurityConfig, preserving existing'
+      );
+      return config;
+    }
+
+    application.$['android:networkSecurityConfig'] =
+      '@xml/network_security_config';
+    console.log('✅ Added networkSecurityConfig to AndroidManifest.xml');
+
+    return config;
+  });
+}
+
 module.exports = withSslManager;

package/lib/NativeUseSslPinning.d.ts

@@ -0,0 +1,8 @@
+import type { TurboModule } from 'react-native';
+export interface Spec extends TurboModule {
+    readonly setUseSSLPinning: (usePinning: boolean) => Promise<void>;
+    readonly getUseSSLPinning: () => Promise<boolean>;
+}
+declare const _default: Spec;
+export default _default;
+//# sourceMappingURL=NativeUseSslPinning.d.ts.map

package/lib/NativeUseSslPinning.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"NativeUseSslPinning.d.ts","sourceRoot":"","sources":["../src/NativeUseSslPinning.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAGhD,MAAM,WAAW,IAAK,SAAQ,WAAW;IACvC,QAAQ,CAAC,gBAAgB,EAAE,CAAC,UAAU,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAClE,QAAQ,CAAC,gBAAgB,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;CACnD;;AAED,wBAAuE"}

package/lib/NativeUseSslPinning.js

@@ -0,0 +1,4 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const react_native_1 = require("react-native");
+exports.default = react_native_1.TurboModuleRegistry.getEnforcing('UseSslPinning');

package/lib/UseSslPinning.types.d.ts

@@ -0,0 +1,17 @@
+/**
+ * SSL Pinning Configuration Interface
+ * Defines the structure for SSL pinning configuration
+ */
+export interface SslPinningConfig {
+    sha256Keys: {
+        [domain: string]: string[];
+    };
+}
+/**
+ * SSL Pinning Error Interface
+ */
+export interface SslPinningError extends Error {
+    code?: string;
+    message: string;
+}
+//# sourceMappingURL=UseSslPinning.types.d.ts.map

package/lib/UseSslPinning.types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"UseSslPinning.types.d.ts","sourceRoot":"","sources":["../src/UseSslPinning.types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE;QACV,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;KAC5B,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,eAAgB,SAAQ,KAAK;IAC5C,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB"}

package/lib/UseSslPinning.types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/index.d.ts

@@ -0,0 +1,15 @@
+export type { SslPinningConfig, SslPinningError } from './UseSslPinning.types';
+/**
+ * Sets whether SSL pinning should be used.
+ *
+ * @param {boolean} usePinning - Whether to enable SSL pinning
+ * @returns {Promise<void>} A promise that resolves when the setting is saved
+ */
+export declare const setUseSSLPinning: (usePinning: boolean) => Promise<void>;
+/**
+ * Retrieves the current state of SSL pinning usage.
+ *
+ * @returns A promise that resolves to a boolean indicating whether SSL pinning is being used.
+ */
+export declare const getUseSSLPinning: () => Promise<boolean>;
+//# sourceMappingURL=index.d.ts.map

package/lib/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.tsx"],"names":[],"mappings":"AAGA,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AA0C/E;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,eAAgB,OAAO,KAAG,QAAQ,IAAI,CAElE,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,QAAa,QAAQ,OAAO,CAExD,CAAC"}

package/lib/index.js

@@ -0,0 +1,58 @@
+"use strict";
+// Remove unused Platform import since we no longer check OS
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getUseSSLPinning = exports.setUseSSLPinning = void 0;
+// New Architecture and Legacy Architecture support
+let UseSslPinning;
+try {
+    // Try Legacy NativeModules first (more reliable)
+    const { NativeModules } = require('react-native');
+    // Look for our universal module (works in both CLI and Expo)
+    UseSslPinning = NativeModules.UseSslPinning;
+    if (UseSslPinning) {
+    }
+    else {
+        // Fallback to TurboModule if available
+        try {
+            UseSslPinning = require('./NativeUseSslPinning').default;
+        }
+        catch (turboModuleError) {
+            console.log('❌ TurboModule failed:', turboModuleError.message);
+            UseSslPinning = null;
+        }
+    }
+}
+catch (error) {
+    console.log('❌ Overall module loading failed:', error.message);
+    UseSslPinning = null;
+}
+// Fallback implementation if native module is not available
+if (!UseSslPinning) {
+    UseSslPinning = {
+        setUseSSLPinning: (_usePinning) => {
+            return Promise.resolve();
+        },
+        getUseSSLPinning: () => {
+            return Promise.resolve(true);
+        },
+    };
+}
+/**
+ * Sets whether SSL pinning should be used.
+ *
+ * @param {boolean} usePinning - Whether to enable SSL pinning
+ * @returns {Promise<void>} A promise that resolves when the setting is saved
+ */
+const setUseSSLPinning = (usePinning) => {
+    return UseSslPinning.setUseSSLPinning(usePinning);
+};
+exports.setUseSSLPinning = setUseSSLPinning;
+/**
+ * Retrieves the current state of SSL pinning usage.
+ *
+ * @returns A promise that resolves to a boolean indicating whether SSL pinning is being used.
+ */
+const getUseSSLPinning = async () => {
+    return await UseSslPinning.getUseSSLPinning();
+};
+exports.getUseSSLPinning = getUseSSLPinning;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "react-native-ssl-manager",
-  "version": "1.0.3",
+  "version": "1.1.0",
   "description": "React Native SSL Pinning provides seamless SSL certificate pinning integration for enhanced network security in React Native apps. This module enables developers to easily implement and manage certificate pinning, protecting applications against man-in-the-middle (MITM) attacks. With dynamic configuration options and the ability to toggle SSL pinning, it's particularly useful for development and testing scenarios.",
   "main": "lib/index.js",
   "module": "lib/index.js",
@@ -137,11 +137,6 @@
       "react-native": "*"
     }
   },
-  "codegenConfig": {
-    "name": "RNUseSslPinningSpec",
-    "type": "modules",
-    "jsSrcsDir": "src"
-  },
   "jest": {
     "preset": "react-native",
     "modulePathIgnorePatterns": [
@@ -204,11 +199,6 @@
     "trailingComma": "es5",
     "useTabs": false
   },
-  "codegenConfig": {
-    "name": "RNUseSslPinningSpec",
-    "type": "modules",
-    "jsSrcsDir": "src"
-  },
   "dependencies": {
     "@babel/runtime": "^7.23.0",
     "postinstall": "^0.10.3"

package/scripts/nsc-utils.js

@@ -0,0 +1,82 @@
+/**
+ * Shared utilities for Network Security Config XML generation.
+ * Used by app.plugin.js, postinstall.js, and tests.
+ */
+
+/**
+ * Generate network_security_config.xml content from sha256Keys
+ */
+function generateNscXml(sha256Keys) {
+  // Default expiration: 1 year from now
+  const expDate = new Date();
+  expDate.setFullYear(expDate.getFullYear() + 1);
+  const expiration = expDate.toISOString().split('T')[0]; // YYYY-MM-DD
+
+  let xml = '<?xml version="1.0" encoding="utf-8"?>\n';
+  xml += '<network-security-config>\n';
+
+  for (const [domain, pins] of Object.entries(sha256Keys)) {
+    xml += '    <domain-config cleartextTrafficPermitted="false">\n';
+    xml += `        <domain includeSubdomains="true">${domain}</domain>\n`;
+    xml += `        <pin-set expiration="${expiration}">\n`;
+    for (const pin of pins) {
+      const cleanPin = pin.replace(/^sha256\//, '');
+      xml += `            <pin digest="SHA-256">${cleanPin}</pin>\n`;
+    }
+    xml += '        </pin-set>\n';
+    xml += '    </domain-config>\n';
+  }
+
+  xml += '</network-security-config>\n';
+  return xml;
+}
+
+/**
+ * Merge pin-set entries into existing NSC XML string.
+ * Preserves existing config, replaces pin-set for matching domains, adds new ones.
+ */
+function mergeNscXml(existingXml, sha256Keys) {
+  const expDate = new Date();
+  expDate.setFullYear(expDate.getFullYear() + 1);
+  const expiration = expDate.toISOString().split('T')[0];
+
+  for (const [domain, pins] of Object.entries(sha256Keys)) {
+    const pinSetXml = pins
+      .map((pin) => {
+        const cleanPin = pin.replace(/^sha256\//, '');
+        return `            <pin digest="SHA-256">${cleanPin}</pin>`;
+      })
+      .join('\n');
+
+    const domainConfigBlock =
+      `    <domain-config cleartextTrafficPermitted="false">\n` +
+      `        <domain includeSubdomains="true">${domain}</domain>\n` +
+      `        <pin-set expiration="${expiration}">\n` +
+      `${pinSetXml}\n` +
+      `        </pin-set>\n` +
+      `    </domain-config>`;
+
+    // Check if domain already exists in the XML
+    const domainRegex = new RegExp(
+      `<domain-config[^>]*>\\s*<domain[^>]*>${domain.replace(/\./g, '\\.')}</domain>[\\s\\S]*?</domain-config>`,
+      'g'
+    );
+
+    if (domainRegex.test(existingXml)) {
+      console.warn(`⚠️  Replacing existing pin-set for domain: ${domain}`);
+      // Reset regex lastIndex since test() advanced it
+      domainRegex.lastIndex = 0;
+      existingXml = existingXml.replace(domainRegex, domainConfigBlock);
+    } else {
+      // Insert before closing </network-security-config>
+      existingXml = existingXml.replace(
+        '</network-security-config>',
+        `${domainConfigBlock}\n</network-security-config>`
+      );
+    }
+  }
+
+  return existingXml;
+}
+
+module.exports = { generateNscXml, mergeNscXml };

package/scripts/postinstall.js

@@ -105,4 +105,76 @@ if (fs.existsSync(sslConfigPath)) {
   );
 }
 
+// Generate Network Security Config XML for Android
+const { generateNscXml, mergeNscXml } = require('./nsc-utils');
+const androidDir = path.join(projectRoot, 'android');
+if (fs.existsSync(androidDir) && fs.existsSync(sslConfigPath)) {
+  console.log('🔄 Generating Android Network Security Config XML...');
+
+  try {
+    const sslConfig = JSON.parse(fs.readFileSync(sslConfigPath, 'utf8'));
+    const sha256Keys = sslConfig.sha256Keys;
+
+    if (sha256Keys && Object.keys(sha256Keys).length > 0) {
+      const xmlDir = path.join(
+        androidDir,
+        'app',
+        'src',
+        'main',
+        'res',
+        'xml'
+      );
+      const xmlPath = path.join(xmlDir, 'network_security_config.xml');
+
+      if (fs.existsSync(xmlPath)) {
+        // Merge with existing NSC
+        const existingXml = fs.readFileSync(xmlPath, 'utf8');
+        const mergedXml = mergeNscXml(existingXml, sha256Keys);
+        fs.writeFileSync(xmlPath, mergedXml);
+        console.log(
+          '✅ Merged SSL pins into existing network_security_config.xml'
+        );
+      } else {
+        // Generate new XML
+        if (!fs.existsSync(xmlDir)) {
+          fs.mkdirSync(xmlDir, { recursive: true });
+        }
+        const xml = generateNscXml(sha256Keys);
+        fs.writeFileSync(xmlPath, xml);
+        console.log('✅ Generated network_security_config.xml');
+      }
+
+      // Patch AndroidManifest.xml
+      const manifestPath = path.join(
+        androidDir,
+        'app',
+        'src',
+        'main',
+        'AndroidManifest.xml'
+      );
+      if (fs.existsSync(manifestPath)) {
+        let manifestContent = fs.readFileSync(manifestPath, 'utf8');
+        if (!manifestContent.includes('android:networkSecurityConfig')) {
+          manifestContent = manifestContent.replace(
+            /(<application\b[^>]*)(>)/,
+            '$1 android:networkSecurityConfig="@xml/network_security_config"$2'
+          );
+          fs.writeFileSync(manifestPath, manifestContent);
+          console.log('✅ Added networkSecurityConfig to AndroidManifest.xml');
+        } else {
+          console.log(
+            'ℹ️ AndroidManifest already has networkSecurityConfig reference'
+          );
+        }
+      }
+    } else {
+      console.log('⚠️ No sha256Keys in ssl_config.json, skipping XML generation');
+    }
+  } catch (error) {
+    console.warn('⚠️ Failed to generate Network Security Config XML:', error.message);
+  }
+} else if (!fs.existsSync(androidDir)) {
+  console.log('ℹ️ No android/ directory found, skipping NSC XML generation');
+}
+
 console.log('🎉 React Native SSL Manager setup complete!');