rely on challenge rather than Not Before/After

GrapheneOS · Oct 1, 2020 · 47c7c72 · 47c7c72
1 parent 7b78200
commit 47c7c72
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/app/src/main/java/app/attestation/auditor/AttestationProtocol.java b/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
@@ -695,7 +695,14 @@ private static void verifyCertificateSignatures(Certificate[] certChain)
         for (int i = 1; i < certChain.length; ++i) {
             final PublicKey pubKey = certChain[i].getPublicKey();
             try {
-                ((X509Certificate) certChain[i - 1]).checkValidity();
+                // For now, rely on the random challenge to check validity of the attestation
+                // certificate rather than the Not Before and Not After dates in the certificate.
+                //
+                // StrongBox implementations currently have issues with time sync and this doesn't
+                // provide any additional security due to the challenge.
+                if (i != 1) {
+                    ((X509Certificate) certChain[i - 1]).checkValidity();
+                }
                 certChain[i - 1].verify(pubKey);
             } catch (InvalidKeyException | CertificateException | NoSuchAlgorithmException
                     | NoSuchProviderException | SignatureException e) {