| author | 2025-02-03 20:09:30 +0000 | |
|---|---|---|
| committer | 2025-02-06 17:29:40 +0000 | |
| commit | 287330e1a2d75f6499b9c1d7e2d126b886ceab8a (patch) | |
| tree | 828822c422c4dc12556816c67df11b7350300c31 /libs/androidfw/misc.cpp | |
| parent | 518396a3e2a47f5edf48be4d6ceb4b7c1c0f2320 (diff) | |
Store certificate revocation status locally
This change stores pairs of <certificate serial number, timestamp of last check against revocation list> locally on the device. It allows attestation to pass even when the device does not have an
Internet connection to fetch the certificate revocation list (CRL) as
long as a policy is satisfied.
The current policy allows skipping CRL check for:
1. All certificates whose notBefore date is within 32 days
2. Chains whose leaf has notBefore date within 32 days and all other
   certs have notBefore date within 72 days
3. All certificates that have been checked against the CRL and found to
   be not revoked in the past 30 days
This change also schedules a job to fetch the remote CRL if an
attestation is requested when the device does not have an Internet
connection.
Test: atest AttestationVerificationTest (the set of failed tests on user
build is the same with and without my changes) and manual tests
Bug: 389088384
Flag: EXEMPT bug fix
Change-Id: Ia58b882cb1e084c1ec9929588bd94a1157b93a5e
Diffstat (limited to 'libs/androidfw/misc.cpp')
0 files changed, 0 insertions, 0 deletions
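The skip policy listed in the commit message, modelled as an added Python example (not code from this commit or from the Android project). It assumes each rule applies to the whole chain with the leaf first, that the day limits are inclusive, and that a missing or future timestamp never satisfies a rule; `Cert`, `offline_skip_reason` and the sample data are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Thresholds quoted from the commit message.
LEAF_MAX_AGE = timedelta(days=32)
OTHER_MAX_AGE = timedelta(days=72)
CHECK_MAX_AGE = timedelta(days=30)


@dataclass(frozen=True)
class Cert:  # hypothetical minimal certificate record
    serial: str
    not_before: datetime


def _within(then: Optional[datetime], now: datetime, limit: timedelta) -> bool:
    # Assumption of this example: a missing or future timestamp never counts,
    # so a rolled-back clock or a bad store entry cannot widen the window.
    return then is not None and timedelta(0) <= now - then <= limit


def offline_skip_reason(chain, last_checked, now) -> Optional[str]:
    """Return the rule that allows skipping the CRL fetch, or None.

    chain: list of Cert, leaf first. last_checked: serial -> time of the last
    CRL check that found the certificate not revoked (the locally stored pairs).
    """
    if not chain:
        return None
    if all(_within(c.not_before, now, LEAF_MAX_AGE) for c in chain):
        return "rule 1"
    leaf, others = chain[0], chain[1:]
    if _within(leaf.not_before, now, LEAF_MAX_AGE) and all(
            _within(c.not_before, now, OTHER_MAX_AGE) for c in others):
        return "rule 2"
    if all(_within(last_checked.get(c.serial), now, CHECK_MAX_AGE) for c in chain):
        return "rule 3"
    return None  # no rule applies: the CRL has to be fetched


# Constructed sample data (not from the commit).
NOW = datetime(2025, 2, 6, tzinfo=timezone.utc)
def days_ago(n): return NOW - timedelta(days=n)
CHAIN = [Cert("leaf-01", days_ago(10)), Cert("int-01", days_ago(60)), Cert("root-01", days_ago(71))]
OLD = [Cert("leaf-02", days_ago(400)), Cert("int-02", days_ago(900))]

if __name__ == "__main__":
    print(offline_skip_reason(CHAIN, {}, NOW))
    print(offline_skip_reason(OLD, {"leaf-02": days_ago(5), "int-02": days_ago(31)}, NOW))
```

A `None` result is the case in which the commit's scheduled CRL fetch would be needed before attestation can pass offline.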