
Commit 54f14da0 authored by Sandro Montanari's avatar Sandro Montanari

Delay CompatChanges evaluation for CT enabled default value

The default value of CT verification was evaluated as a static final field. The early evaluation caused issues in the `CtsNetSecConfigCertificateTransparencyDefaultSdk36TestCases` test, as it appears the app compat environment was not initialized properly yet.

To fix the problem, `DEFAULT_CERTIFICATE_TRANSPARENCY_VERIFICATION_REQUIRED` was replaced with a function. The function computes the value on demand, and it is now called when the `CompatChanges` initialization is finished.

Bug: 407952621
Test: atest CtsNetSecConfigCertificateTransparencyDefaultSdk36TestCases
Flag: com.android.org.conscrypt.net.flags.certificate_transparency_default_enabled
Change-Id: Ia8fb0606002bee1993994f3d3746bf7c8d98b7b5
parent 30aae8b5
+1 −1
@@ -165,7 +165,7 @@ public final class ApplicationConfig {
    public boolean isCertificateTransparencyVerificationRequired(@NonNull String hostname) {
        return certificateTransparencyConfiguration()
                ? getConfigForHostname(hostname).isCertificateTransparencyVerificationRequired()
                : NetworkSecurityConfig.DEFAULT_CERTIFICATE_TRANSPARENCY_VERIFICATION_REQUIRED;
                : NetworkSecurityConfig.certificateTransparencyVerificationRequiredDefault();
    }

    public void handleTrustStorageUpdate() {
+14 −8
@@ -56,12 +56,6 @@ public final class NetworkSecurityConfig {
    @EnabledAfter(targetSdkVersion = Build.VERSION_CODES.BAKLAVA)
    static final long DEFAULT_ENABLE_CERTIFICATE_TRANSPARENCY = 407952621L;

    /** @hide */
    public static final boolean DEFAULT_CERTIFICATE_TRANSPARENCY_VERIFICATION_REQUIRED =
            certificateTransparencyDefaultEnabled()
                    && majorMinorVersioningScheme()
                    && CompatChanges.isChangeEnabled(DEFAULT_ENABLE_CERTIFICATE_TRANSPARENCY);

    private final boolean mCleartextTrafficPermitted;
    private final boolean mHstsEnforced;
    private final boolean mCertificateTransparencyVerificationRequired;
@@ -191,6 +185,18 @@ public final class NetworkSecurityConfig {
        getTrustManager().handleTrustStorageUpdate();
    }

    /**
     * Returns the default value for SCT verification. The value depends on the platform version and
     * on the app target sdk level.
     *
     * @hide
     */
    public static boolean certificateTransparencyVerificationRequiredDefault() {
        return certificateTransparencyDefaultEnabled()
                && majorMinorVersioningScheme()
                && CompatChanges.isChangeEnabled(DEFAULT_ENABLE_CERTIFICATE_TRANSPARENCY);
    }

    /**
     * Return a {@link Builder} for the default {@code NetworkSecurityConfig}.
     *
@@ -243,7 +249,7 @@ public final class NetworkSecurityConfig {
        private boolean mCleartextTrafficPermittedSet = false;
        private boolean mHstsEnforcedSet = false;
        private boolean mCertificateTransparencyVerificationRequired =
                DEFAULT_CERTIFICATE_TRANSPARENCY_VERIFICATION_REQUIRED;
                certificateTransparencyVerificationRequiredDefault();
        private boolean mCertificateTransparencyVerificationRequiredSet = false;
        private Builder mParentBuilder;

@@ -373,7 +379,7 @@ public final class NetworkSecurityConfig {
            if (mParentBuilder != null) {
                return mParentBuilder.getCertificateTransparencyVerificationRequired();
            }
            return DEFAULT_CERTIFICATE_TRANSPARENCY_VERIFICATION_REQUIRED;
            return certificateTransparencyVerificationRequiredDefault();
        }

        public NetworkSecurityConfig build() {
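Review bot: The `Builder` field initializer `mCertificateTransparencyVerificationRequired = certificateTransparencyVerificationRequiredDefault();` still evaluates `CompatChanges.isChangeEnabled` eagerly, at `Builder` construction rather than at lookup time. If a `Builder` can be created before the app-compat environment is ready (the condition the commit message describes), the captured value could be a stale `false`, which for this setting means Certificate Transparency is silently not required. The getter in the last hunk already falls back to the function on demand, so the initializer looks redundant, but the getter's opening lines and any other readers of the field are outside the hunk, so confirm the field is only read when `mCertificateTransparencyVerificationRequiredSet` is true before dropping it. I would also add to the new method's Javadoc: `Evaluate on demand; do not cache the result in a static initializer, because CompatChanges may not be initialized yet.`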