Gitiles
Code Review Sign In
review.blissroms.org / platform_frameworks_base / ab328e51c77835a03057d20cb524d26f73c7ee74
commitab328e51c77835a03057d20cb524d26f73c7ee74[log] [tgz]
authorThiƩbaud Weksteen <tweek@google.com>Fri Nov 29 14:19:19 2024 +1100
committerThiƩbaud Weksteen <tweek@google.com>Tue Dec 03 15:00:13 2024 +1100
tree21b6ec661c9472b591b299de35a31317cc47f4bd
parent0222489dda1d83b44927d9ad1317e2ee7c3e0622 [diff]
Disable CT verification for inline certificate and user store

When an app uses its own certificate (or the user store), it is likely
that the certificate is not public and therefore not verifiable via
certificate transparency. By default, disable CT verification for these
cases.

It is still possible to force the verification using
<certificateTransparency enabled="true" /> in the domain configuration.

For each <domain-config>, the evaluation follows this order:
1. If <certificateTransparency> is set, use it.
2. If any <trust-anchors> is "user" or inline (i.e., "@raw/cert.pem"),
   disable the verification.
3. Otherwise, rely on the inherited configuration (either a parent
   configuration or the default configuration).

Bug: 377281304
Flag: AndroidSecurityCertificateTransparencyConfigurationLaunch
Test: atest NetworkSecurityConfigTests:android.security.net.config.XmlConfigTests#testCertificateTransparencyDomainConfig
Test: atest CtsNetSecConfigCertificateTransparencyTestCases
Change-Id: Id13555cc973ac4bb526c7aa194fcfcf76a4483a4
8 files changed
tree: 21b6ec661c9472b591b299de35a31317cc47f4bd
  1. .prebuilt_info/
  2. apct-tests/
  3. apex/
  4. api/
  5. boot/
  6. cmds/
  7. config/
  8. core/
  9. data/
  10. docs/
  11. drm/
  12. errorprone/
  13. graphics/
  14. identity/
  15. keystore/
  16. libs/
  17. location/
  18. media/
  19. mime/
  20. mms/
  21. native/
  22. nfc/
  23. nfc-extras/
  24. obex/
  25. omapi/
  26. opengl/
  27. packages/
  28. proto/
  29. ravenwood/
  30. rs/
  31. samples/
  32. sax/
  33. services/
  34. startop/
  35. telecomm/
  36. telephony/
  37. test-base/
  38. test-junit/
  39. test-legacy/
  40. test-mock/
  41. test-runner/
  42. tests/
  43. tools/
  44. wifi/
  45. .clang-format
  46. .gitignore
  47. .mailmap
  48. AconfigFlags.bp
  49. ACTIVITY_MANAGER_OWNERS
  50. ACTIVITY_SECURITY_OWNERS
  51. ADPF_OWNERS
  52. Android.bp
  53. BAL_OWNERS
  54. BATTERY_STATS_OWNERS
  55. BROADCASTS_OWNERS
  56. CleanSpec.mk
  57. FF_LEADS_OWNERS
  58. framework-jarjar-rules.txt
  59. GAME_MANAGER_OWNERS
  60. INPUT_OWNERS
  61. INTENT_OWNERS
  62. lint-baseline.xml
  63. LSE_APP_COMPAT_OWNERS
  64. MEMORY_OWNERS
  65. METADATA
  66. MODULE_LICENSE_APACHE2
  67. MULTIUSER_OWNERS
  68. NOTICE
  69. OOM_ADJUSTER_OWNERS
  70. OWNERS
  71. OWNERS.md
  72. PACKAGE_MANAGER_OWNERS
  73. pathmap.mk
  74. PERFORMANCE_OWNERS
  75. PREUPLOAD.cfg
  76. ProtoLibraries.bp
  77. Ravenwood.bp
  78. SDK_OWNERS
  79. SECURITY_STATE_OWNERS
  80. SQLITE_OWNERS
  81. TEST_MAPPING
  82. TestProtoLibraries.bp
  83. THERMAL_OWNERS
  84. TRACE_OWNERS
  85. WEAR_OWNERS
  86. ZYGOTE_OWNERS