Commit ab328e51 authored by Thiébaud Weksteen

Disable CT verification for inline certificate and user store

When an app uses its own certificate (or the user store), it is likely
that the certificate is not public and therefore not verifiable via
certificate transparency. By default, disable CT verification for these
cases.

It is still possible to force the verification using
<certificateTransparency enabled="true" /> in the domain configuration.

For each <domain-config>, the evaluation follows this order:
1. If <certificateTransparency> is set, use it.
2. If any <trust-anchors> is "user" or inline (i.e., "@raw/cert.pem"),
   disable the verification.
3. Otherwise, rely on the inherited configuration (either a parent
   configuration or the default configuration).

Bug: 377281304
Flag: AndroidSecurityCertificateTransparencyConfigurationLaunch
Test: atest NetworkSecurityConfigTests:android.security.net.config.XmlConfigTests#testCertificateTransparencyDomainConfig
Test: atest CtsNetSecConfigCertificateTransparencyTestCases
Change-Id: Id13555cc973ac4bb526c7aa194fcfcf76a4483a4
parent 0222489d
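
An added example, not part of the commit or the platform's code: a small Python auditor that applies the three-step order from the commit message to a constructed network security config and reports the resulting CT setting per domain. The `platform_default` parameter, the sample domains, and the reading that a nested config inherits its parent's resolved value are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample config, not taken from the commit.
SAMPLE = """<network-security-config>
  <base-config><certificateTransparency enabled="true" /></base-config>
  <domain-config>
    <domain>internal.example.com</domain>
    <trust-anchors><certificates src="@raw/internal_ca" /></trust-anchors>
    <domain-config><domain>api.internal.example.com</domain></domain-config>
  </domain-config>
  <domain-config>
    <domain>forced.example.com</domain>
    <trust-anchors><certificates src="user" /></trust-anchors>
    <certificateTransparency enabled="true" />
  </domain-config>
  <domain-config><domain>public.example.com</domain></domain-config>
</network-security-config>"""


def explicit_ct(node):
    """Return the <certificateTransparency enabled=...> value, or None if unset."""
    ct = node.find("certificateTransparency")
    return None if ct is None else ct.get("enabled", "").lower() == "true"


def resolve(domain_config, inherited):
    """Apply the commit message's three steps to one <domain-config>."""
    explicit = explicit_ct(domain_config)
    if explicit is not None:                      # step 1: explicit setting wins
        return explicit
    srcs = [c.get("src", "") for c in domain_config.findall("trust-anchors/certificates")]
    if any(s == "user" or s.startswith("@raw/") for s in srcs):
        return False                              # step 2: user or inline anchor
    return inherited                              # step 3: parent or default


def effective_ct(xml_text, platform_default):
    """Map each <domain> to its CT setting; platform_default is caller-supplied."""
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    base_ct = explicit_ct(base) if base is not None else None
    result = {}
    def walk(parent, inherited):
        for dc in parent.findall("domain-config"):
            ct = resolve(dc, inherited)
            result.update({d.text.strip(): ct for d in dc.findall("domain")})
            walk(dc, ct)  # assumption: nested configs inherit the resolved value
    walk(root, platform_default if base_ct is None else base_ct)
    return result
```

Domains that resolve to `False` through step 2 are the ones worth reviewing: they trust a user or inline anchor and get no CT check unless the config opts in explicitly.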