Disable CT verification for inline certificate and user store

package android.security.net.config;

package android.security.net.config;

import android.util.ArraySet;

import android.util.ArraySet;

import java.security.cert.X509Certificate;

import java.security.cert.X509Certificate;

import java.util.Set;

import java.util.Set;

public final class CertificatesEntryRef {

public final class CertificatesEntryRef {

    private final CertificateSource mSource;

    private final CertificateSource mSource;

    private final boolean mOverridesPins;

    private final boolean mOverridesPins;

    private final boolean mDisableCT;

    public CertificatesEntryRef(CertificateSource source, boolean overridesPins) {

    public CertificatesEntryRef(CertificateSource source, boolean overridesPins,

            boolean disableCT) {

        mSource = source;

        mSource = source;

        mOverridesPins = overridesPins;

        mOverridesPins = overridesPins;

        mDisableCT = disableCT;

    }

    }

    boolean overridesPins() {

    boolean overridesPins() {

        return mOverridesPins;

        return mOverridesPins;

    }

    }

    boolean disableCT() {

        return mDisableCT;

    }

    public Set<TrustAnchor> getTrustAnchors() {

    public Set<TrustAnchor> getTrustAnchors() {

        // TODO: cache this [but handle mutable sources]

        // TODO: cache this [but handle mutable sources]

        Set<TrustAnchor> anchors = new ArraySet<TrustAnchor>();

        Set<TrustAnchor> anchors = new ArraySet<TrustAnchor>();

package android.security.net.config;

package android.security.net.config;

import android.util.Pair;

import android.util.Pair;

import java.security.KeyStore;

import java.security.KeyStore;

import java.security.KeyStoreException;

import java.util.Set;

import java.util.Set;

/**

/**

        mConfig = new NetworkSecurityConfig.Builder()

        mConfig = new NetworkSecurityConfig.Builder()

                .addCertificatesEntryRef(

                .addCertificatesEntryRef(

                        // Use the KeyStore and do not override pins (of which there are none).

                        // Use the KeyStore and do not override pins (of which there are none).

                        new CertificatesEntryRef(new KeyStoreCertificateSource(ks), false))

                        new CertificatesEntryRef(new KeyStoreCertificateSource(ks), false, false))

                .build();

                .build();

    }

    }

        return mHstsEnforced;

        return mHstsEnforced;

    }

    }

    // TODO(b/28746284): add exceptions for user-added certificates and enterprise overrides.

    public boolean isCertificateTransparencyVerificationRequired() {

    public boolean isCertificateTransparencyVerificationRequired() {

        return mCertificateTransparencyVerificationRequired;

        return mCertificateTransparencyVerificationRequired;

    }

    }

     * @hide

     * @hide

     */

     */

    public static Builder getDefaultBuilder(ApplicationInfo info) {

    public static Builder getDefaultBuilder(ApplicationInfo info) {

        // System certificate store, does not bypass static pins, does not disable CT.

        CertificatesEntryRef systemRef = new CertificatesEntryRef(

                SystemCertificateSource.getInstance(), false, false);

        Builder builder = new Builder()

        Builder builder = new Builder()

                .setHstsEnforced(DEFAULT_HSTS_ENFORCED)

                .setHstsEnforced(DEFAULT_HSTS_ENFORCED)

                // System certificate store, does not bypass static pins.

                .addCertificatesEntryRef(systemRef);

                .addCertificatesEntryRef(

                        new CertificatesEntryRef(SystemCertificateSource.getInstance(), false));

        final boolean cleartextTrafficPermitted = info.targetSdkVersion < Build.VERSION_CODES.P

        final boolean cleartextTrafficPermitted = info.targetSdkVersion < Build.VERSION_CODES.P

                && !info.isInstantApp();

                && !info.isInstantApp();

        builder.setCleartextTrafficPermitted(cleartextTrafficPermitted);

        builder.setCleartextTrafficPermitted(cleartextTrafficPermitted);

        // Applications targeting N and above must opt in into trusting the user added certificate

        // Applications targeting N and above must opt in into trusting the user added certificate

        // store.

        // store.

        if (info.targetSdkVersion <= Build.VERSION_CODES.M && !info.isPrivilegedApp()) {

        if (info.targetSdkVersion <= Build.VERSION_CODES.M && !info.isPrivilegedApp()) {

            // User certificate store, does not bypass static pins.

            // User certificate store, does not bypass static pins. CT is disabled.

            builder.addCertificatesEntryRef(

            builder.addCertificatesEntryRef(

                    new CertificatesEntryRef(UserCertificateSource.getInstance(), false));

                    new CertificatesEntryRef(UserCertificateSource.getInstance(), false, true));

        }

        }

        return builder;

        return builder;

    }

    }

            if (mCertificateTransparencyVerificationRequiredSet) {

            if (mCertificateTransparencyVerificationRequiredSet) {

                return mCertificateTransparencyVerificationRequired;

                return mCertificateTransparencyVerificationRequired;

            }

            }

            // CT verification has not been set explicitly. Before deferring to

            // the parent, check if any of the CertificatesEntryRef requires it

            // to be disabled (i.e., user store or inline certificate).

            if (hasCertificatesEntryRefs()) {

                for (CertificatesEntryRef ref : getCertificatesEntryRefs()) {

                    if (ref.disableCT()) {

                        return false;

                    }

                }

            }

            if (mParentBuilder != null) {

            if (mParentBuilder != null) {

                return mParentBuilder.getCertificateTransparencyVerificationRequired();

                return mParentBuilder.getCertificateTransparencyVerificationRequired();

            }

            }

        boolean overridePins =

        boolean overridePins =

                parser.getAttributeBooleanValue(null, "overridePins", defaultOverridePins);

                parser.getAttributeBooleanValue(null, "overridePins", defaultOverridePins);

        int sourceId = parser.getAttributeResourceValue(null, "src", -1);

        int sourceId = parser.getAttributeResourceValue(null, "src", -1);

        boolean disableCT = false;

        String sourceString = parser.getAttributeValue(null, "src");

        String sourceString = parser.getAttributeValue(null, "src");

        CertificateSource source = null;

        CertificateSource source = null;

        if (sourceString == null) {

        if (sourceString == null) {

        if (sourceId != -1) {

        if (sourceId != -1) {

            // TODO: Cache ResourceCertificateSources by sourceId

            // TODO: Cache ResourceCertificateSources by sourceId

            source = new ResourceCertificateSource(sourceId, mContext);

            source = new ResourceCertificateSource(sourceId, mContext);

            disableCT = true;

        } else if ("system".equals(sourceString)) {

        } else if ("system".equals(sourceString)) {

            source = SystemCertificateSource.getInstance();

            source = SystemCertificateSource.getInstance();

        } else if ("user".equals(sourceString)) {

        } else if ("user".equals(sourceString)) {

            source = UserCertificateSource.getInstance();

            source = UserCertificateSource.getInstance();

            disableCT = true;

        } else if ("wfa".equals(sourceString)) {

        } else if ("wfa".equals(sourceString)) {

            source = WfaCertificateSource.getInstance();

            source = WfaCertificateSource.getInstance();

        } else {

        } else {

                    + "Should be one of system|user|@resourceVal");

                    + "Should be one of system|user|@resourceVal");

        }

        }

        XmlUtils.skipCurrentTag(parser);

        XmlUtils.skipCurrentTag(parser);

        return new CertificatesEntryRef(source, overridePins);

        return new CertificatesEntryRef(source, overridePins, disableCT);

    }

    }

    private Collection<CertificatesEntryRef> parseTrustAnchors(XmlResourceParser parser,

    private Collection<CertificatesEntryRef> parseTrustAnchors(XmlResourceParser parser,

<?xml version="1.0" encoding="utf-8"?>

<network-security-config>

  <base-config>

      <certificateTransparency enabled="true" />

  </base-config>

  <domain-config>

    <domain>android.com</domain>

    <trust-anchors>

      <certificates src="system" />

    </trust-anchors>

  </domain-config>

  <domain-config>

    <domain>subdomain_user.android.com</domain>

    <trust-anchors>

      <certificates src="user" />

    </trust-anchors>

  </domain-config>

  <domain-config>

    <certificateTransparency enabled="true" />

    <domain>subdomain_user_ct.android.com</domain>

    <trust-anchors>

      <certificates src="user" />

    </trust-anchors>

  </domain-config>

  <domain-config>

    <domain>subdomain_inline.android.com</domain>

    <trust-anchors>

      <certificates src="@raw/ca_certs_pem" />

    </trust-anchors>

  </domain-config>

  <domain-config>

    <certificateTransparency enabled="true" />

    <domain>subdomain_inline_ct.android.com</domain>

    <trust-anchors>

      <certificates src="@raw/ca_certs_pem" />

    </trust-anchors>

  </domain-config>

</network-security-config>