Merge "Revert "Add CertificateTransparencyVerificationRequired to...

  public class NetworkSecurityPolicy {

    method public static android.security.NetworkSecurityPolicy getInstance();

    method @FlaggedApi("android.security.certificate_transparency_configuration") public boolean isCertificateTransparencyVerificationRequired(@NonNull String);

    method public boolean isCleartextTrafficPermitted();

    method public boolean isCleartextTrafficPermitted(String);

  }

package android.security;

import android.annotation.FlaggedApi;

import android.annotation.NonNull;

import android.content.Context;

import android.content.pm.PackageManager;

import android.security.net.config.ApplicationConfig;

 *

 * <p>Network stacks/components should honor this policy to make it possible to centrally control

 * the relevant aspects of network security behavior.

 *

 * <p>The policy currently consists of a single flag: whether cleartext network traffic is

 * permitted. See {@link #isCleartextTrafficPermitted()}.

 */

public class NetworkSecurityPolicy {

        libcore.net.NetworkSecurityPolicy.setInstance(policy);

    }

    /**

     * Returns {@code true} if Certificate Transparency information is required to be verified by

     * the client in TLS connections to {@code hostname}.

     *

     * <p>See RFC6962 section 3.3 for more details.

     *

     * @param hostname hostname to check whether certificate transparency verification is required

     * @return {@code true} if certificate transparency verification is required and {@code false}

     *     otherwise

     */

    @FlaggedApi(Flags.FLAG_CERTIFICATE_TRANSPARENCY_CONFIGURATION)

    public boolean isCertificateTransparencyVerificationRequired(@NonNull String hostname) {

        return libcore.net.NetworkSecurityPolicy.getInstance()

                .isCertificateTransparencyVerificationRequired(hostname);

    }

    /**

     * Handle an update to the system or user certificate stores.

     * @hide

package: "android.security"

flag {

    name: "certificate_transparency_configuration"

    namespace: "network_security"

    description: "Enable certificate transparency setting in the network security config"

    bug: "28746284"

}

flag {

    name: "fsverity_api"

    namespace: "hardware_backed_security"

package android.security.net.config;

import static android.security.Flags.certificateTransparencyConfiguration;

import android.annotation.NonNull;

import android.util.Pair;

import java.util.HashSet;

import java.util.Locale;

import java.util.Set;

import javax.net.ssl.X509TrustManager;

/**

        return getConfigForHostname(hostname).isCleartextTrafficPermitted();

    }

    /**

     * Returns {@code true} if Certificate Transparency information is required to be verified by

     * the client in TLS connections to {@code hostname}.

     *

     * <p>See RFC6962 section 3.3 for more details.

     *

     * @param hostname hostname to check whether certificate transparency verification is required

     * @return {@code true} if certificate transparency verification is required and {@code false}

     *     otherwise

     */

    public boolean isCertificateTransparencyVerificationRequired(@NonNull String hostname) {

        return certificateTransparencyConfiguration()

                ? getConfigForHostname(hostname).isCertificateTransparencyVerificationRequired()

                : NetworkSecurityConfig.DEFAULT_CERTIFICATE_TRANSPARENCY_VERIFICATION_REQUIRED;

    }

    public void handleTrustStorageUpdate() {

        synchronized(mLock) {

            // If the config is uninitialized then there is no work to be done to handle an update,

    @Override

    public boolean isCertificateTransparencyVerificationRequired(String hostname) {

        return mConfig.isCertificateTransparencyVerificationRequired(hostname);

        return false;

    }

}