author Thiébaud Weksteen <tweek@google.com> 2024-11-29 14:19:19 +1100
committer Thiébaud Weksteen <tweek@google.com> 2024-12-03 15:00:13 +1100
commit ab328e51c77835a03057d20cb524d26f73c7ee74
tree 21b6ec661c9472b591b299de35a31317cc47f4bd /libs/androidfw/ApkAssets.cpp
parent 0222489dda1d83b44927d9ad1317e2ee7c3e0622
Disable CT verification for inline certificate and user store

When an app uses its own certificate (or the user store), it is likely that the certificate is not public and therefore not verifiable via certificate transparency. By default, disable CT verification for these cases. It is still possible to force the verification using <certificateTransparency enabled="true" /> in the domain configuration.

For each <domain-config>, the evaluation follows this order:
  1. If <certificateTransparency> is set, use it.
  2. If any <trust-anchors> is "user" or inline (i.e., "@raw/cert.pem"), disable the verification.
  3. Otherwise, rely on the inherited configuration (either a parent configuration or the default configuration).

Bug: 377281304
Flag: AndroidSecurityCertificateTransparencyConfigurationLaunch
Test: atest NetworkSecurityConfigTests:android.security.net.config.XmlConfigTests#testCertificateTransparencyDomainConfig
Test: atest CtsNetSecConfigCertificateTransparencyTestCases
Change-Id: Id13555cc973ac4bb526c7aa194fcfcf76a4483a4

Diffstat (limited to 'libs/androidfw/ApkAssets.cpp')
0 files changed, 0 insertions, 0 deletions
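
The evaluation order in the commit message, modelled in Python as an added example for auditing a network security config; it is not code from this commit or from the Android source. Assumptions: the platform default is passed in by the caller (the message does not state it), an inline anchor is recognised by a `src` starting with `@raw/`, and the sample config and hostnames are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample config; hostnames are placeholders, not from the commit.
SAMPLE = """
<network-security-config>
  <domain-config>
    <domain>pinned.example</domain>
    <trust-anchors><certificates src="@raw/cert.pem"/></trust-anchors>
    <domain-config>
      <domain>child.pinned.example</domain>
    </domain-config>
  </domain-config>
  <domain-config>
    <domain>forced.example</domain>
    <certificateTransparency enabled="true"/>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </domain-config>
  <domain-config>
    <domain>public.example</domain>
    <trust-anchors><certificates src="system"/></trust-anchors>
  </domain-config>
</network-security-config>
"""

def ct_enabled(cfg, inherited):
    """Apply the three steps from the commit message to one <domain-config>."""
    explicit = cfg.find("certificateTransparency")
    if explicit is not None:  # step 1: an explicit setting always wins
        return explicit.get("enabled", "").lower() == "true"
    srcs = [c.get("src", "") for c in cfg.findall("trust-anchors/certificates")]
    if any(s == "user" or s.startswith("@raw/") for s in srcs):
        return False  # step 2; assumption: "inline" = src starting with "@raw/"
    return inherited  # step 3: parent configuration or the default

def resolve(xml_text, default):
    """Map each <domain> to its effective CT state; `default` is caller-supplied."""
    out = {}
    def walk(node, inherited):
        for cfg in node.findall("domain-config"):
            state = ct_enabled(cfg, inherited)
            for dom in cfg.findall("domain"):
                out[dom.text.strip()] = state
            walk(cfg, state)  # nested configs inherit the parent's result
    walk(ET.fromstring(xml_text), default)
    return out

if __name__ == "__main__":
    for host, state in resolve(SAMPLE, default=True).items():
        print(f"{host}: CT {'enabled' if state else 'disabled'}")
```

In this model the nested `child.pinned.example` entry has no trust anchors of its own, so it falls through to step 3 and picks up its parent's disabled state; restoring CT there requires the explicit element from step 1.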