Merge "Add CertificateTransparencyVerificationRequired to... (ac3576b0) · Commits · e / os / android_frameworks_base

core/api/current.txt

+1 −0

Original line number	Diff line number	Diff line
		@@ -39342,6 +39342,7 @@ package android.security {

		public class NetworkSecurityPolicy {
		method public static android.security.NetworkSecurityPolicy getInstance();
		method @FlaggedApi("android.security.certificate_transparency_configuration") public boolean isCertificateTransparencyVerificationRequired(@NonNull String);
		method public boolean isCleartextTrafficPermitted();
		method public boolean isCleartextTrafficPermitted(String);
		}

core/java/android/security/NetworkSecurityPolicy.java

+18 −3

Original line number	Diff line number	Diff line
		@@ -16,6 +16,8 @@

		package android.security;

		import android.annotation.FlaggedApi;
		import android.annotation.NonNull;
		import android.content.Context;
		import android.content.pm.PackageManager;
		import android.security.net.config.ApplicationConfig;
		@@ -26,9 +28,6 @@ import android.security.net.config.ManifestConfigSource;
		*
		* <p>Network stacks/components should honor this policy to make it possible to centrally control
		* the relevant aspects of network security behavior.
		*
		* <p>The policy currently consists of a single flag: whether cleartext network traffic is
		* permitted. See {@link #isCleartextTrafficPermitted()}.
		*/
		public class NetworkSecurityPolicy {

		@@ -93,6 +92,22 @@ public class NetworkSecurityPolicy {
		libcore.net.NetworkSecurityPolicy.setInstance(policy);
		}

		/**
		* Returns {@code true} if Certificate Transparency information is required to be verified by
		* the client in TLS connections to {@code hostname}.
		*
		* <p>See RFC6962 section 3.3 for more details.
		*
		* @param hostname hostname to check whether certificate transparency verification is required
		* @return {@code true} if certificate transparency verification is required and {@code false}
		* otherwise
		*/
		@FlaggedApi(Flags.FLAG_CERTIFICATE_TRANSPARENCY_CONFIGURATION)
		public boolean isCertificateTransparencyVerificationRequired(@NonNull String hostname) {
		return libcore.net.NetworkSecurityPolicy.getInstance()
		.isCertificateTransparencyVerificationRequired(hostname);
		}

		/**
		* Handle an update to the system or user certificate stores.
		* @hide

core/java/android/security/flags.aconfig

+7 −0

Original line number	Diff line number	Diff line
		package: "android.security"

		flag {
		name: "certificate_transparency_configuration"
		namespace: "network_security"
		description: "Enable certificate transparency setting in the network security config"
		bug: "28746284"
		}

		flag {
		name: "fsverity_api"
		namespace: "hardware_backed_security"

core/java/android/security/net/config/ApplicationConfig.java

+21 −0

Original line number	Diff line number	Diff line
		@@ -16,10 +16,15 @@

		package android.security.net.config;

		import static android.security.Flags.certificateTransparencyConfiguration;

		import android.annotation.NonNull;
		import android.util.Pair;

		import java.util.HashSet;
		import java.util.Locale;
		import java.util.Set;

		import javax.net.ssl.X509TrustManager;

		/**
		@@ -147,6 +152,22 @@ public final class ApplicationConfig {
		return getConfigForHostname(hostname).isCleartextTrafficPermitted();
		}

		/**
		* Returns {@code true} if Certificate Transparency information is required to be verified by
		* the client in TLS connections to {@code hostname}.
		*
		* <p>See RFC6962 section 3.3 for more details.
		*
		* @param hostname hostname to check whether certificate transparency verification is required
		* @return {@code true} if certificate transparency verification is required and {@code false}
		* otherwise
		*/
		public boolean isCertificateTransparencyVerificationRequired(@NonNull String hostname) {
		return certificateTransparencyConfiguration()
		? getConfigForHostname(hostname).isCertificateTransparencyVerificationRequired()
		: NetworkSecurityConfig.DEFAULT_CERTIFICATE_TRANSPARENCY_VERIFICATION_REQUIRED;
		}

		public void handleTrustStorageUpdate() {
		synchronized(mLock) {
		// If the config is uninitialized then there is no work to be done to handle an update,

core/java/android/security/net/config/ConfigNetworkSecurityPolicy.java

+1 −1

Original line number	Diff line number	Diff line
		@@ -40,6 +40,6 @@ public class ConfigNetworkSecurityPolicy extends libcore.net.NetworkSecurityPoli

		@Override
		public boolean isCertificateTransparencyVerificationRequired(String hostname) {
		return false;
		return mConfig.isCertificateTransparencyVerificationRequired(hostname);
		}
		}