Android: Don't attempt to check revocation on non-public certificates #108

Merged
merged 1 commit into from
Jul 12, 2024

complexspaces
Collaborator

This PR fixes an issue on Android where the verifier was attempting to enforce revocation constraints even on self-signed certificates that don't (nor should need to) supply revocation information. This PR fixes this by bringing back our previous isKnownRoot check and using this to determine if we should even try the revocation codepaths. If a certificate isn't a known root, we don't let Android enforce revocation information.

A small cutout was left for cases where an explicit stapled OCSP response is provided by the server. This is for two reasons:

  • Our test suite needs to be able to verify a mocked, frozen-in-time, OCSP response is confirmed as revoked.
  • There might be a case where someone has this setup in the real world and they are probably expecting the OCSP data to be checked by clients.

Closes #69
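
The decision described above, sketched with the standard `java.security.cert` API (available on Android from API level 24). This is an added example, not the project's code: the body of `isKnownRoot`, the `AndroidCAStore` alias-prefix test, the `enforceRevocation` name and the checker options are assumptions made for illustration.

```kotlin
import java.security.KeyStore
import java.security.cert.CertPathValidator
import java.security.cert.CertificateFactory
import java.security.cert.PKIXParameters
import java.security.cert.PKIXRevocationChecker
import java.security.cert.PKIXRevocationChecker.Option
import java.security.cert.TrustAnchor
import java.security.cert.X509Certificate
import java.util.EnumSet

// Assumption: "known root" means a CA shipped in the system store. In the
// AndroidCAStore keystore those aliases start with "system:", while
// user-installed CAs use "user:".
fun isKnownRoot(root: X509Certificate): Boolean {
    val store = KeyStore.getInstance("AndroidCAStore").apply { load(null) }
    return store.getCertificateAlias(root)?.startsWith("system:") == true
}

// `chain` is the already-validated path, leaf first and trust anchor last.
// Throws CertPathValidatorException if the leaf is found to be revoked.
fun enforceRevocation(chain: List<X509Certificate>, stapledOcsp: ByteArray?) {
    // A self-signed leaf that is its own anchor has no issued path to check.
    if (chain.size < 2) return
    val leaf = chain.first()
    val root = chain.last()

    // Certificates under private or user-installed roots usually carry no
    // revocation information, so skip unless the server stapled a response.
    if (!isKnownRoot(root) && stapledOcsp == null) return

    val validator = CertPathValidator.getInstance("PKIX")
    val checker = validator.revocationChecker as PKIXRevocationChecker
    // Assumed policy: check the leaf only, tolerate unreachable responders.
    checker.options = EnumSet.of(Option.ONLY_END_ENTITY, Option.SOFT_FAIL)
    if (stapledOcsp != null) checker.ocspResponses = mapOf(leaf to stapledOcsp)

    val params = PKIXParameters(setOf(TrustAnchor(root, null))).apply {
        isRevocationEnabled = false // replaced by the explicit checker below
        addCertPathChecker(checker)
    }
    val path = CertificateFactory.getInstance("X.509")
        .generateCertPath(chain.dropLast(1))
    validator.validate(path, params)
}
```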

Member

@cpu cpu left a comment

Thanks for picking this up! 🌠

The fix seems reasonable to me given everything we know about the various limitations/constraints we're operating with here.

@complexspaces complexspaces merged commit 6ae3a1b into main Jul 12, 2024
19 checks passed
@complexspaces complexspaces deleted the android-self-certs branch July 12, 2024 21:50
Successfully merging this pull request may close these issues.

Self signed certificates with user-installed CA show as revoked on Android