path: root/libs/androidfw/misc.cpp
author Tom Chan <tomchan@google.com> 2025-02-03 20:09:30 +0000
committer Tom Chan <tomchan@google.com> 2025-02-06 17:29:40 +0000
commit 287330e1a2d75f6499b9c1d7e2d126b886ceab8a
tree 828822c422c4dc12556816c67df11b7350300c31 /libs/androidfw/misc.cpp
parent 518396a3e2a47f5edf48be4d6ceb4b7c1c0f2320
Store certificate revocation status locally

This change stores pairs of <certificate serial number, timestamp of last check against revocation list> locally on the device. It allows attestation to pass even when the device does not have an Internet connection to fetch the certificate revocation list (CRL) as long as a policy is satisfied. The current policy allows skipping CRL check for:
1. All certificates whose notBefore date is within 32 days
2. Chains whose leaf has notBefore date within 32 days and all other certs have notBefore date within 72 days
3. All certificates that have been checked against the CRL and found to be not revoked in the past 30 days

This change also schedules a job to fetch the remote CRL if an attestation is requested when the device does not have an Internet connection.

Test: atest AttestationVerificationTest (the set of failed tests on user build is the same with and without my changes) and manual tests
Bug: 389088384
Flag: EXEMPT bug fix
Change-Id: Ia58b882cb1e084c1ec9929588bd94a1157b93a5e
Diffstat (limited to 'libs/androidfw/misc.cpp')
0 files changed, 0 insertions, 0 deletions
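
The skip policy described in the commit message above, sketched as an added Python example; it is not code from this commit or from AOSP. It assumes one reading of the three rules (each evaluated over the whole chain, leaf first); the function name, the data layout, and the choice to never count future timestamps are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Windows quoted in the commit message.
LEAF_MAX_AGE = timedelta(days=32)
OTHER_MAX_AGE = timedelta(days=72)
MAX_SINCE_LAST_CHECK = timedelta(days=30)


def _within(ts, now, window):
    """True if ts lies in [now - window, now]; missing or future values fail."""
    return ts is not None and timedelta(0) <= now - ts <= window


def can_skip_crl_check(chain, last_checked, now):
    """Return the rule number (1-3) that permits skipping the CRL, or 0.

    chain: list of (serial, not_before) tuples, leaf first (assumed layout).
    last_checked: dict serial -> time the serial was last found not revoked.
    """
    if not chain:
        return 0  # nothing to evaluate: fail closed
    recent = [_within(nb, now, LEAF_MAX_AGE) for _, nb in chain]
    if all(recent):
        return 1
    if recent[0] and all(_within(nb, now, OTHER_MAX_AGE) for _, nb in chain[1:]):
        return 2
    if all(_within(last_checked.get(s), now, MAX_SINCE_LAST_CHECK) for s, _ in chain):
        return 3
    return 0


# Constructed sample data: serials and dates are made up for illustration.
NOW = datetime(2025, 2, 6, tzinfo=timezone.utc)


def days(n):
    return NOW - timedelta(days=n)


FRESH = [("0a", days(3)), ("0b", days(20))]     # every cert issued < 32 days ago
MIXED = [("0a", days(10)), ("0b", days(60))]    # leaf < 32 days, issuer < 72 days
OLD = [("0a", days(200)), ("0b", days(400))]    # needs a stored CRL result
FUTURE = [("0a", days(-1))]                     # notBefore ahead of the clock
STORE = {"0a": days(5), "0b": days(29)}         # both checked within 30 days
STALE_STORE = {"0a": days(5), "0b": days(31)}   # one entry too old

if __name__ == "__main__":
    for chain, store in [(FRESH, {}), (MIXED, {}), (OLD, STORE), (OLD, STALE_STORE)]:
        print(can_skip_crl_check(chain, store, NOW))
```

A result of 0 is the case where the commit message says a remote CRL fetch is still required.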