| author | 2025-02-10 18:14:27 +0000 | |
|---|---|---|
| committer | 2025-02-10 20:03:47 +0000 | |
| commit | 0d5933f12177d16b4fdc1faca801f00911c9b16a (patch) | |
| tree | 53738a2e10f1cdbed4a3d5216e72197a976bd7bb | |
| parent | b04e0f116a05ff080bcb2cb5338b1ee72ca24fcb (diff) | |
Do not check revocation status of leaf certificate
The leaf certificate is generated at runtime and contains attestation
attributes specific to this attestation operation instance, including
the one-time challenge. This certificate is ephemeral and will not be
revoked.
Test: manually
Bug: 389088384
Flag: EXEMPT bug fix
Change-Id: I614f0ed18fe1154b089f6ecdada6c458fd545e53
| -rw-r--r-- | services/core/java/com/android/server/security/AttestationVerificationPeerDeviceVerifier.java | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/services/core/java/com/android/server/security/AttestationVerificationPeerDeviceVerifier.java b/services/core/java/com/android/server/security/AttestationVerificationPeerDeviceVerifier.java
index f060e4d11e82..82df310db9a4 100644
--- a/services/core/java/com/android/server/security/AttestationVerificationPeerDeviceVerifier.java
+++ b/services/core/java/com/android/server/security/AttestationVerificationPeerDeviceVerifier.java
@@ -303,7 +303,11 @@ class AttestationVerificationPeerDeviceVerifier {
 if (mRevocationEnabled) {
 // Checks Revocation Status List based on
 // https://developer.android.com/training/articles/security-key-attestation#certificate_status
- mCertificateRevocationStatusManager.checkRevocationStatus(certificates);
+ // The first certificate is the leaf, which is generated at runtime with the attestation
+ // attributes such as the challenge. It is specific to this attestation instance and
+ // does not need to be checked for revocation.
+ mCertificateRevocationStatusManager.checkRevocationStatus(
+ new ArrayList<>(certificates.subList(1, certificates.size())));
 }
 } |
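Review bot: The new `certificates.subList(1, certificates.size())` throws IllegalArgumentException when `certificates` is empty (fromIndex 1 > toIndex 0), and nothing in the hunk establishes that the chain is non-empty; the enclosing method starts and ends outside the hunk, so a non-empty or chain-order check may already exist earlier. If it does, the new comment should state that precondition, e.g. `// Precondition: certificates is non-empty and ordered leaf-first (validated above).`; if it does not, guard the call with `if (certificates.size() > 1)` so an empty or single-certificate chain does not surface as an unchecked exception rather than a verification failure. Skipping index 0 is only sound if the element at index 0 is indeed the runtime-generated leaf that was checked against the challenge, so the comment is worth tying to wherever that ordering is verified. The hunk also relies on `ArrayList` already being imported, since the diffstat shows no import change — presumably it is, but worth confirming.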