Loading core/java/android/security/net/config/ManifestConfigSource.java +13 −5 Original line number Diff line number Diff line Loading @@ -32,6 +32,7 @@ public class ManifestConfigSource implements ConfigSource { private final int mApplicationInfoFlags; private final int mTargetSdkVersion; private final int mConfigResourceId; private final boolean mEphemeralApp; private ConfigSource mConfigSource; Loading @@ -42,6 +43,7 @@ public class ManifestConfigSource implements ConfigSource { mApplicationInfoFlags = info.flags; mTargetSdkVersion = info.targetSdkVersion; mConfigResourceId = info.networkSecurityConfigRes; mEphemeralApp = info.isEphemeralApp(); } @Override Loading Loading @@ -69,14 +71,18 @@ public class ManifestConfigSource implements ConfigSource { + " debugBuild: " + debugBuild); } source = new XmlConfigSource(mContext, mConfigResourceId, debugBuild, mTargetSdkVersion); mTargetSdkVersion, mEphemeralApp); } else { if (DBG) { Log.d(LOG_TAG, "No Network Security Config specified, using platform default"); } // the legacy FLAG_USES_CLEARTEXT_TRAFFIC is not supported for Ephemeral apps, they // should use the network security config. boolean usesCleartextTraffic = (mApplicationInfoFlags & ApplicationInfo.FLAG_USES_CLEARTEXT_TRAFFIC) != 0; source = new DefaultConfigSource(usesCleartextTraffic, mTargetSdkVersion); (mApplicationInfoFlags & ApplicationInfo.FLAG_USES_CLEARTEXT_TRAFFIC) != 0 && !mEphemeralApp; source = new DefaultConfigSource(usesCleartextTraffic, mTargetSdkVersion, mEphemeralApp); } mConfigSource = source; return mConfigSource; Loading 
@@ -87,8 +93,10 @@ public class ManifestConfigSource implements ConfigSource { private final NetworkSecurityConfig mDefaultConfig; public DefaultConfigSource(boolean usesCleartextTraffic, int targetSdkVersion) { mDefaultConfig = NetworkSecurityConfig.getDefaultBuilder(targetSdkVersion) public DefaultConfigSource(boolean usesCleartextTraffic, int targetSdkVersion, boolean ephemeralApp) { mDefaultConfig = NetworkSecurityConfig.getDefaultBuilder(targetSdkVersion, ephemeralApp) .setCleartextTrafficPermitted(usesCleartextTraffic) .build(); } Loading core/java/android/security/net/config/NetworkSecurityConfig.java +4 −3 Original line number Diff line number Diff line Loading @@ -164,7 +164,8 @@ public final class NetworkSecurityConfig { * <p> * The default configuration has the following properties: * <ol> * <li>Cleartext traffic is permitted.</li> * <li>Cleartext traffic is permitted for non-ephemeral apps.</li> * <li>Cleartext traffic is not permitted for ephemeral apps.</li> * <li>HSTS is not enforced.</li> * <li>No certificate pinning is used.</li> * <li>The system certificate store is trusted for connections.</li> Loading @@ -174,9 +175,9 @@ public final class NetworkSecurityConfig { * * @hide */ public static final Builder getDefaultBuilder(int targetSdkVersion) { public static final Builder getDefaultBuilder(int targetSdkVersion, boolean ephemeralApp) { Builder builder = new Builder() .setCleartextTrafficPermitted(DEFAULT_CLEARTEXT_TRAFFIC_PERMITTED) .setCleartextTrafficPermitted(!ephemeralApp) .setHstsEnforced(DEFAULT_HSTS_ENFORCED) // System certificate store, does not bypass static pins. .addCertificatesEntryRef( Loading core/java/android/security/net/config/XmlConfigSource.java +9 −1 Original line number Diff line number Diff line Loading 
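Review bot: In the DefaultConfigSource constructor the explicit `.setCleartextTrafficPermitted(usesCleartextTraffic)` overwrites the `!ephemeralApp` default that `getDefaultBuilder(targetSdkVersion, ephemeralApp)` has just applied, so in this path the ephemeral restriction is enforced only by the `&& !mEphemeralApp` computed by the caller in ManifestConfigSource, and any other caller passing a raw flag value would re-enable cleartext for an ephemeral app. Making the constructor self-protecting keeps the invariant next to the parameter that expresses it: `.setCleartextTrafficPermitted(usesCleartextTraffic && !ephemeralApp)`. A short comment on that line, such as `// Ephemeral apps never get cleartext by default, regardless of the legacy flag.`, would record why both guards exist. The method containing the `@@ -69,14 +71,18 @@` hunk starts before the hunk, so its earlier branches were not reviewed here; the same section is rendered a second time further down the page.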
@@ -37,6 +37,7 @@ public class XmlConfigSource implements ConfigSource { private final int mResourceId; private final boolean mDebugBuild; private final int mTargetSdkVersion; private final boolean mEphemeralApp; private boolean mInitialized; private NetworkSecurityConfig mDefaultConfig; Loading @@ -53,12 +54,19 @@ public class XmlConfigSource implements ConfigSource { this(context, resourceId, debugBuild, Build.VERSION_CODES.CUR_DEVELOPMENT); } @VisibleForTesting public XmlConfigSource(Context context, int resourceId, boolean debugBuild, int targetSdkVersion) { this(context, resourceId, debugBuild, targetSdkVersion, false); } public XmlConfigSource(Context context, int resourceId, boolean debugBuild, int targetSdkVersion, boolean ephemeralApp) { mResourceId = resourceId; mContext = context; mDebugBuild = debugBuild; mTargetSdkVersion = targetSdkVersion; mEphemeralApp = ephemeralApp; } public Set<Pair<Domain, NetworkSecurityConfig>> getPerDomainConfigs() { Loading Loading @@ -357,7 +365,7 @@ public class XmlConfigSource implements ConfigSource { // Use the platform default as the parent of the base config for any values not provided // there. If there is no base config use the platform default. NetworkSecurityConfig.Builder platformDefaultBuilder = NetworkSecurityConfig.getDefaultBuilder(mTargetSdkVersion); NetworkSecurityConfig.getDefaultBuilder(mTargetSdkVersion, mEphemeralApp); addDebugAnchorsIfNeeded(debugConfigBuilder, platformDefaultBuilder); if (baseConfigBuilder != null) { baseConfigBuilder.setParent(platformDefaultBuilder); Loading tests/NetworkSecurityConfigTest/src/android/security/net/config/NetworkSecurityConfigTests.java +3 −3 Original line number Diff line number Diff line Loading 
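Review bot: The new `ephemeralApp` parameter of `getDefaultBuilder` is not documented in the Javadoc that this hunk edits; the visible tail of the comment has only `@hide`, and the lines between the two hunks are not shown, so an existing `@param targetSdkVersion` may or may not be there. Suggested addition: `@param ephemeralApp {@code true} if the app is an ephemeral app; the returned builder then disallows cleartext traffic by default`. The two new list items could also be folded into one, `* <li>Cleartext traffic is permitted, except for ephemeral apps.</li>`, which reads as one rule rather than two. `DEFAULT_CLEARTEXT_TRAFFIC_PERMITTED` is no longer referenced in this method; if that was its only use in the file it is now dead and should be removed or wired back in as the non-ephemeral value, but the rest of the file is outside this page.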
@@ -227,7 +227,7 @@ public class NetworkSecurityConfigTests extends ActivityUnitTestCase<Activity> { public void testConfigBuilderUsesParents() throws Exception { // Check that a builder with a parent uses the parent's values when non is set. NetworkSecurityConfig config = new NetworkSecurityConfig.Builder() .setParent(NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N)) .setParent(NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N, false)) .build(); assert(!config.getTrustAnchors().isEmpty()); } Loading Loading @@ -268,9 +268,9 @@ public class NetworkSecurityConfigTests extends ActivityUnitTestCase<Activity> { // Install the test CA. store.installCertificate(TEST_CA_CERT); NetworkSecurityConfig preNConfig = NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.M).build(); NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.M, false).build(); NetworkSecurityConfig nConfig = NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N).build(); NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N, false).build(); Set<TrustAnchor> preNAnchors = preNConfig.getTrustAnchors(); Set<TrustAnchor> nAnchors = nConfig.getTrustAnchors(); Set<X509Certificate> preNCerts = new HashSet<X509Certificate>(); Loading Loading
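Review bot: The `@VisibleForTesting` four-argument XmlConfigSource constructor defaults `ephemeralApp` to `false`, the permissive value, and stays `public`, so a production caller that is not updated to the five-argument overload silently gets the non-ephemeral platform default; the three-argument constructor at the top of the hunk chains through it and inherits the same default. A comment on the overload would make that explicit: `// Test-only overload; assumes a non-ephemeral app. Production callers must pass the ephemeral flag.` If the project's conventions permit, narrowing the overload to package-private would stop the default from being picked up by mistake. The hunk at `@@ -357,7 +365,7 @@` is consistent with the rest of the change: the ephemeral default only seeds the parent builder, and an app's own base config can still override it, which appears to be the intended opt-in.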
core/java/android/security/net/config/ManifestConfigSource.java +13 −5 Original line number Diff line number Diff line Loading @@ -32,6 +32,7 @@ public class ManifestConfigSource implements ConfigSource { private final int mApplicationInfoFlags; private final int mTargetSdkVersion; private final int mConfigResourceId; private final boolean mEphemeralApp; private ConfigSource mConfigSource; Loading @@ -42,6 +43,7 @@ public class ManifestConfigSource implements ConfigSource { mApplicationInfoFlags = info.flags; mTargetSdkVersion = info.targetSdkVersion; mConfigResourceId = info.networkSecurityConfigRes; mEphemeralApp = info.isEphemeralApp(); } @Override Loading Loading @@ -69,14 +71,18 @@ public class ManifestConfigSource implements ConfigSource { + " debugBuild: " + debugBuild); } source = new XmlConfigSource(mContext, mConfigResourceId, debugBuild, mTargetSdkVersion); mTargetSdkVersion, mEphemeralApp); } else { if (DBG) { Log.d(LOG_TAG, "No Network Security Config specified, using platform default"); } // the legacy FLAG_USES_CLEARTEXT_TRAFFIC is not supported for Ephemeral apps, they // should use the network security config. boolean usesCleartextTraffic = (mApplicationInfoFlags & ApplicationInfo.FLAG_USES_CLEARTEXT_TRAFFIC) != 0; source = new DefaultConfigSource(usesCleartextTraffic, mTargetSdkVersion); (mApplicationInfoFlags & ApplicationInfo.FLAG_USES_CLEARTEXT_TRAFFIC) != 0 && !mEphemeralApp; source = new DefaultConfigSource(usesCleartextTraffic, mTargetSdkVersion, mEphemeralApp); } mConfigSource = source; return mConfigSource; Loading 
@@ -87,8 +93,10 @@ public class ManifestConfigSource implements ConfigSource { private final NetworkSecurityConfig mDefaultConfig; public DefaultConfigSource(boolean usesCleartextTraffic, int targetSdkVersion) { mDefaultConfig = NetworkSecurityConfig.getDefaultBuilder(targetSdkVersion) public DefaultConfigSource(boolean usesCleartextTraffic, int targetSdkVersion, boolean ephemeralApp) { mDefaultConfig = NetworkSecurityConfig.getDefaultBuilder(targetSdkVersion, ephemeralApp) .setCleartextTrafficPermitted(usesCleartextTraffic) .build(); } Loading
core/java/android/security/net/config/NetworkSecurityConfig.java +4 −3 Original line number Diff line number Diff line Loading @@ -164,7 +164,8 @@ public final class NetworkSecurityConfig { * <p> * The default configuration has the following properties: * <ol> * <li>Cleartext traffic is permitted.</li> * <li>Cleartext traffic is permitted for non-ephemeral apps.</li> * <li>Cleartext traffic is not permitted for ephemeral apps.</li> * <li>HSTS is not enforced.</li> * <li>No certificate pinning is used.</li> * <li>The system certificate store is trusted for connections.</li> Loading @@ -174,9 +175,9 @@ public final class NetworkSecurityConfig { * * @hide */ public static final Builder getDefaultBuilder(int targetSdkVersion) { public static final Builder getDefaultBuilder(int targetSdkVersion, boolean ephemeralApp) { Builder builder = new Builder() .setCleartextTrafficPermitted(DEFAULT_CLEARTEXT_TRAFFIC_PERMITTED) .setCleartextTrafficPermitted(!ephemeralApp) .setHstsEnforced(DEFAULT_HSTS_ENFORCED) // System certificate store, does not bypass static pins. .addCertificatesEntryRef( Loading
core/java/android/security/net/config/XmlConfigSource.java +9 −1 Original line number Diff line number Diff line Loading @@ -37,6 +37,7 @@ public class XmlConfigSource implements ConfigSource { private final int mResourceId; private final boolean mDebugBuild; private final int mTargetSdkVersion; private final boolean mEphemeralApp; private boolean mInitialized; private NetworkSecurityConfig mDefaultConfig; Loading @@ -53,12 +54,19 @@ public class XmlConfigSource implements ConfigSource { this(context, resourceId, debugBuild, Build.VERSION_CODES.CUR_DEVELOPMENT); } @VisibleForTesting public XmlConfigSource(Context context, int resourceId, boolean debugBuild, int targetSdkVersion) { this(context, resourceId, debugBuild, targetSdkVersion, false); } public XmlConfigSource(Context context, int resourceId, boolean debugBuild, int targetSdkVersion, boolean ephemeralApp) { mResourceId = resourceId; mContext = context; mDebugBuild = debugBuild; mTargetSdkVersion = targetSdkVersion; mEphemeralApp = ephemeralApp; } public Set<Pair<Domain, NetworkSecurityConfig>> getPerDomainConfigs() { Loading Loading @@ -357,7 +365,7 @@ public class XmlConfigSource implements ConfigSource { // Use the platform default as the parent of the base config for any values not provided // there. If there is no base config use the platform default. NetworkSecurityConfig.Builder platformDefaultBuilder = NetworkSecurityConfig.getDefaultBuilder(mTargetSdkVersion); NetworkSecurityConfig.getDefaultBuilder(mTargetSdkVersion, mEphemeralApp); addDebugAnchorsIfNeeded(debugConfigBuilder, platformDefaultBuilder); if (baseConfigBuilder != null) { baseConfigBuilder.setParent(platformDefaultBuilder); Loading
tests/NetworkSecurityConfigTest/src/android/security/net/config/NetworkSecurityConfigTests.java +3 −3 Original line number Diff line number Diff line Loading @@ -227,7 +227,7 @@ public class NetworkSecurityConfigTests extends ActivityUnitTestCase<Activity> { public void testConfigBuilderUsesParents() throws Exception { // Check that a builder with a parent uses the parent's values when non is set. NetworkSecurityConfig config = new NetworkSecurityConfig.Builder() .setParent(NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N)) .setParent(NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N, false)) .build(); assert(!config.getTrustAnchors().isEmpty()); } Loading Loading @@ -268,9 +268,9 @@ public class NetworkSecurityConfigTests extends ActivityUnitTestCase<Activity> { // Install the test CA. store.installCertificate(TEST_CA_CERT); NetworkSecurityConfig preNConfig = NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.M).build(); NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.M, false).build(); NetworkSecurityConfig nConfig = NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N).build(); NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N, false).build(); Set<TrustAnchor> preNAnchors = preNConfig.getTrustAnchors(); Set<TrustAnchor> nAnchors = nConfig.getTrustAnchors(); Set<X509Certificate> preNCerts = new HashSet<X509Certificate>(); Loading