32c060fc81c919ed95f3d35d115876db9421211a - android_packages_modules_Connectivity

commit	32c060fc81c919ed95f3d35d115876db9421211a	[log] [tgz]
author	Sandro Montanari <sandrom@google.com>	Wed Jan 15 09:49:10 2025 +0000
committer	Sandro Montanari <sandrom@google.com>	Wed Mar 05 11:16:10 2025 +0000
tree	240fdf2a07dea88ebcf87db3fb4554830a130177
parent	a812717d2dd3c8067aefc60f2c8caa60188f6fa4 [diff]

Add checks for CT public key against allowlist

This CL adds a check to make sure the public key downloaded by the CTDownloader
matches a known allowlist of keys. If the key does not appear in the allowlist,
we cannot make guarantee that the key has not been tampered with, so we will not
proceed with the downloads of the CT log list and its signature.

Bug: 374719543
Test: atest NetworkSecurityUnitTests
Change-Id: I185a2330d9a4d138c93522cd4b22920e8a2412a2

networksecurity/service/Android.bp[diff]
networksecurity/service/src/com/android/server/net/ct/CertificateTransparencyJob.java[diff]
networksecurity/service/src/com/android/server/net/ct/CertificateTransparencyService.java[diff]
networksecurity/service/src/com/android/server/net/ct/PemReader.java[Added - diff]
networksecurity/service/src/com/android/server/net/ct/SignatureVerifier.java[diff]
networksecurity/tests/unit/src/com/android/server/net/ct/CertificateTransparencyDownloaderTest.java[diff]
networksecurity/tests/unit/src/com/android/server/net/ct/PemReaderTest.java[Added - diff]

7 files changed

tree: 240fdf2a07dea88ebcf87db3fb4554830a130177