Store certificate revocation status locally
This change stores pairs of <certificate serial number, timestamp of last check against revocation list> locally on the device. It allows attestation to pass even when the device does not have an Internet connection to fetch the certificate revocation list (CRL) as long as a policy is satisfied.

The current policy allows skipping the CRL check for:

1. All certificates whose notBefore date is within 32 days
2. Chains whose leaf has a notBefore date within 32 days and all other certs have a notBefore date within 72 days
3. All certificates that have been checked against the CRL and found to be not revoked in the past 30 days

This change also schedules a job to fetch the remote CRL if an attestation is requested when the device does not have an Internet connection.

Test: atest AttestationVerificationTest (the set of failed tests on user build is the same with and without my changes) and manual tests

Bug: 389088384
Flag: EXEMPT bug fix
Change-Id: Ia58b882cb1e084c1ec9929588bd94a1157b93a5e
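The offline policy described in the commit message, written out as an added illustration (this is not the Android code from the change itself). It assumes the chain is ordered leaf first, that rules 1 and 3 apply per certificate while rule 2 applies to the whole chain, and that a notBefore or check timestamp lying in the future does not count as "within" a window; the `Cert` type and function names are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows taken from the policy in the commit message.
FRESH_CERT_WINDOW = timedelta(days=32)    # rule 1, and the leaf in rule 2
FRESH_ISSUER_WINDOW = timedelta(days=72)  # non-leaf certs in rule 2
RECENT_CHECK_WINDOW = timedelta(days=30)  # rule 3

@dataclass(frozen=True)
class Cert:            # hypothetical minimal view of a certificate
    serial: int        # certificate serial number
    not_before: datetime  # validity start, timezone-aware

def _within(ts, window, now):
    # Assumption: a timestamp in the future (clock skew, bad clock) is not "within" the window.
    age = now - ts
    return timedelta(0) <= age <= window

def cert_exempt(cert, last_ok, now):
    """Rule 1 or rule 3 for a single certificate.
    last_ok maps serial -> timestamp of the last CRL check that found it not revoked."""
    if _within(cert.not_before, FRESH_CERT_WINDOW, now):
        return True
    checked = last_ok.get(cert.serial)
    return checked is not None and _within(checked, RECENT_CHECK_WINDOW, now)

def chain_may_skip_crl(chain, last_ok, now):
    """chain[0] is the leaf. Returns True if the policy allows attestation
    to proceed without fetching the CRL; False means a fetch is required."""
    if not chain:
        return False
    leaf, issuers = chain[0], chain[1:]
    # Rule 2: fresh leaf and all issuers issued within the wider window.
    if _within(leaf.not_before, FRESH_CERT_WINDOW, now) and all(
        _within(c.not_before, FRESH_ISSUER_WINDOW, now) for c in issuers
    ):
        return True
    # Rules 1 and 3: every certificate in the chain is individually exempt.
    return all(cert_exempt(c, last_ok, now) for c in chain)

def record_not_revoked(last_ok, chain, now):
    """After an online CRL check clears the chain, store <serial, timestamp> pairs."""
    for c in chain:
        last_ok[c.serial] = now
    return last_ok
```

The stored timestamps only ever shorten the offline window: a certificate that was never checked online and is older than 32 days (72 days for an issuer under a fresh leaf) still forces a CRL fetch.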