
Commit db1af552 authored by Sandro Montanari's avatar Sandro Montanari

Enable CertificateTransparency checks by default

Bug: 407952621
Test: atest CtsNetSecConfigCertificateTransparencyTestCases NetSecConfigCertificateTransparencySctLogListTestCases NetSecConfigCertificateTransparencySctNoLogListTestCases
Flag: com.android.org.conscrypt.net.flags.certificate_transparency_default_enabled
Change-Id: Idf0e3f8ab928725670bd689237214d019adfbfd1
parent a1128d8e
+9 −0
@@ -124,6 +124,7 @@ aconfig_declarations_group {
        "libcore_readonly_aconfig_flags_lib",
        "libgui_flags_java_lib",
        "power_flags_lib",
        "networksecurity_exported_aconfig_flags_lib",
        "sdk_sandbox_exported_flags_lib",
        "surfaceflinger_flags_java_lib",
        "telecom_flags_core_java_lib",
@@ -217,6 +218,14 @@ java_aconfig_library {
    defaults: ["framework-minus-apex-aconfig-java-defaults"],
}

// Conscrypt - Networksecurity
java_aconfig_library {
    name: "networksecurity_exported_aconfig_flags_lib",
    aconfig_declarations: "networksecurity-aconfig-flags",
    mode: "exported",
    defaults: ["framework-minus-apex-aconfig-java-defaults"],
}

// Telecom
java_aconfig_library {
    name: "telecom_flags_core_java_lib",
+22 −1
@@ -16,6 +16,14 @@

package android.security.net.config;

import static android.sdk.Flags.majorMinorVersioningScheme;

import static com.android.org.conscrypt.net.flags.Flags.certificateTransparencyDefaultEnabled;

import android.annotation.FlaggedApi;
import android.app.compat.CompatChanges;
import android.compat.annotation.ChangeId;
import android.compat.annotation.EnabledAfter;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.util.ArrayMap;
@@ -38,8 +46,21 @@ public final class NetworkSecurityConfig {
    public static final boolean DEFAULT_CLEARTEXT_TRAFFIC_PERMITTED = true;
    /** @hide */
    public static final boolean DEFAULT_HSTS_ENFORCED = false;

    /**
     * Enable Certificate Transparency verification checks by default on all TLS connections. Apps
     * can still opt-out via their Network Security Config.
     */
    @ChangeId
    @FlaggedApi(android.sdk.Flags.FLAG_MAJOR_MINOR_VERSIONING_SCHEME)
    @EnabledAfter(targetSdkVersion = Build.VERSION_CODES.BAKLAVA)
    static final long DEFAULT_ENABLE_CERTIFICATE_TRANSPARENCY = 407952621L;

    /** @hide */
    public static final boolean DEFAULT_CERTIFICATE_TRANSPARENCY_VERIFICATION_REQUIRED = false;
    public static final boolean DEFAULT_CERTIFICATE_TRANSPARENCY_VERIFICATION_REQUIRED =
            certificateTransparencyDefaultEnabled()
                    && majorMinorVersioningScheme()
                    && CompatChanges.isChangeEnabled(DEFAULT_ENABLE_CERTIFICATE_TRANSPARENCY);

    private final boolean mCleartextTrafficPermitted;
    private final boolean mHstsEnforced;
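Review bot: `DEFAULT_CERTIFICATE_TRANSPARENCY_VERIFICATION_REQUIRED` is now computed once in the static initializer of `NetworkSecurityConfig`, so the result of `CompatChanges.isChangeEnabled(DEFAULT_ENABLE_CERTIFICATE_TRANSPARENCY)` is frozen for whichever process and moment first loads the class. If the class can be initialized before the app's compat configuration and target SDK are bound (for example through class preloading, which this hunk does not show), the default would be evaluated against the wrong state, and Certificate Transparency could stay off with no visible signal. I would document the constraint on the field, e.g. `// Evaluated once at class init; must not be initialized before the app's compat config is bound.`, and consider resolving the default per app where the config is built from `ApplicationInfo`, which lies outside this hunk. Because the three-way `&&` fails open when any one input is false, the listed tests should also assert that the default is `true` for a target SDK above BAKLAVA with both flags enabled.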