[Suggestion] Fix setWpa3EnterpriseConfig

import java.nio.charset.StandardCharsets;

import java.security.PrivateKey;

import java.security.cert.X509Certificate;

import java.security.interfaces.ECPublicKey;

import java.security.interfaces.RSAPublicKey;

import java.security.spec.ECParameterSpec;

import java.util.Arrays;

import java.util.HashMap;

import java.util.List;

        }

        return TextUtils.isEmpty(getCaPath());

    }

    /**

     * Check if a given certificate Get the Suite-B cipher from the certificate

     *

     * @param x509Certificate Certificate to process

     * @return true if the certificate OID matches the Suite-B requirements for RSA or ECDSA

     * certificates, or false otherwise.

     * @hide

     */

    public static boolean isSuiteBCipherCert(@Nullable X509Certificate x509Certificate) {

        if (x509Certificate == null) {

            return false;

        }

        final String sigAlgOid = x509Certificate.getSigAlgOID();

        // Wi-Fi alliance requires the use of both ECDSA secp384r1 and RSA 3072 certificates

        // in WPA3-Enterprise 192-bit security networks, which are also known as Suite-B-192

        // networks, even though NSA Suite-B-192 mandates ECDSA only. The use of the term

        // Suite-B was already coined in the IEEE 802.11-2016 specification for

        // AKM 00-0F-AC but the test plan for WPA3-Enterprise 192-bit for APs mandates

        // support for both RSA and ECDSA, and for STAs it mandates ECDSA and optionally

        // RSA. In order to be compatible with all WPA3-Enterprise 192-bit deployments,

        // we are supporting both types here.

        if (sigAlgOid.equals("1.2.840.113549.1.1.12")) {

            // sha384WithRSAEncryption

            if (x509Certificate.getPublicKey() instanceof RSAPublicKey) {

                final RSAPublicKey rsaPublicKey = (RSAPublicKey) x509Certificate.getPublicKey();

                if (rsaPublicKey.getModulus() != null

                        && rsaPublicKey.getModulus().bitLength() >= 3072) {

                    return true;

                }

            }

        } else if (sigAlgOid.equals("1.2.840.10045.4.3.3")) {

            // ecdsa-with-SHA384

            if (x509Certificate.getPublicKey() instanceof ECPublicKey) {

                final ECPublicKey ecPublicKey = (ECPublicKey) x509Certificate.getPublicKey();

                final ECParameterSpec ecParameterSpec = ecPublicKey.getParams();

                if (ecParameterSpec != null && ecParameterSpec.getOrder() != null

                        && ecParameterSpec.getOrder().bitLength() >= 384) {

                    return true;

                }

            }

        }

        return false;

    }

}

        private @Nullable String mWpa3SaePassphrase;

        /**

         * The enterprise configuration details specifying the EAP method,

         * certificates and other settings associated with the WPA-EAP networks.

         * certificates and other settings associated with the WPA/WPA2-Enterprise networks.

         */

        private @Nullable WifiEnterpriseConfig mWpa2EnterpriseConfig;

        /**

         * The enterprise configuration details specifying the EAP method,

         * certificates and other settings associated with the SuiteB networks.

         * certificates and other settings associated with the WPA3-Enterprise networks.

         */

        private @Nullable WifiEnterpriseConfig mWpa3EnterpriseConfig;

        /**

        /**

         * Set the associated enterprise configuration for this network. Needed for authenticating

         * to WPA3-SuiteB networks. See {@link WifiEnterpriseConfig} for description.

         * to WPA3-Enterprise networks (standard and 192-bit security). See

         * {@link WifiEnterpriseConfig} for description. For 192-bit security networks, both the

         * client and CA certificates must be provided, and must be of type of either

         * sha384WithRSAEncryption (OID 1.2.840.113549.1.1.12) or ecdsa-with-SHA384

         * (OID 1.2.840.10045.4.3.3).

         *

         * @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}.

         * @return Instance of {@link Builder} to enable chaining of the builder method.

            } else if (mWpa2EnterpriseConfig != null) { // WPA-EAP network

                configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP);

                configuration.enterpriseConfig = mWpa2EnterpriseConfig;

            } else if (mWpa3EnterpriseConfig != null) { // WPA3-SuiteB network

            } else if (mWpa3EnterpriseConfig != null) { // WPA3-Enterprise

                if (mWpa3EnterpriseConfig.getEapMethod() == WifiEnterpriseConfig.Eap.TLS

                        && WifiEnterpriseConfig.isSuiteBCipherCert(

                        mWpa3EnterpriseConfig.getClientCertificate())

                        && WifiEnterpriseConfig.isSuiteBCipherCert(

                        mWpa3EnterpriseConfig.getCaCertificate())) {

                    // WPA3-Enterprise in 192-bit security mode (Suite-B)

                    configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP_SUITE_B);

                } else {

                    // WPA3-Enterprise

                    configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP);

                    configuration.allowedProtocols.set(WifiConfiguration.Protocol.RSN);

                    configuration.allowedPairwiseCiphers.set(WifiConfiguration.PairwiseCipher.CCMP);

                    configuration.allowedPairwiseCiphers.set(

                            WifiConfiguration.PairwiseCipher.GCMP_256);

                    configuration.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.CCMP);

                    configuration.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.GCMP_256);

                    configuration.requirePmf = true;

                }

                configuration.enterpriseConfig = mWpa3EnterpriseConfig;

            } else if (mIsEnhancedOpen) { // OWE network

                configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_OWE);

        private @Nullable String mWpa3SaePassphrase;

        /**

         * The enterprise configuration details specifying the EAP method,

         * certificates and other settings associated with the WPA-EAP networks.

         * certificates and other settings associated with the WPA/WPA2-Enterprise networks.

         */

        private @Nullable WifiEnterpriseConfig mWpa2EnterpriseConfig;

        /**

         * The enterprise configuration details specifying the EAP method,

         * certificates and other settings associated with the SuiteB networks.

         * certificates and other settings associated with the WPA3-Enterprise networks.

         */

        private @Nullable WifiEnterpriseConfig mWpa3EnterpriseConfig;

        /**

        /**

         * Set the associated enterprise configuration for this network. Needed for authenticating

         * to WPA3 enterprise networks. See {@link WifiEnterpriseConfig} for description.

         * to WPA3-Enterprise networks (standard and 192-bit security). See

         * {@link WifiEnterpriseConfig} for description. For 192-bit security networks, both the

         * client and CA certificates must be provided, and must be of type of either

         * sha384WithRSAEncryption (OID 1.2.840.113549.1.1.12) or ecdsa-with-SHA384

         * (OID 1.2.840.10045.4.3.3).

         *

         * @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}.

         * @return Instance of {@link Builder} to enable chaining of the builder method.

            } else if (mWpa2EnterpriseConfig != null) { // WPA-EAP network

                configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP);

                configuration.enterpriseConfig = mWpa2EnterpriseConfig;

            } else if (mWpa3EnterpriseConfig != null) { // WPA3-SuiteB network

            } else if (mWpa3EnterpriseConfig != null) { // WPA3-Enterprise

                if (mWpa3EnterpriseConfig.getEapMethod() == WifiEnterpriseConfig.Eap.TLS

                        && WifiEnterpriseConfig.isSuiteBCipherCert(

                        mWpa3EnterpriseConfig.getClientCertificate())

                        && WifiEnterpriseConfig.isSuiteBCipherCert(

                        mWpa3EnterpriseConfig.getCaCertificate())) {

                    // WPA3-Enterprise in 192-bit security mode (Suite-B)

                    configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP_SUITE_B);

                } else {

                    // WPA3-Enterprise

                    configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP);

                    configuration.allowedProtocols.set(WifiConfiguration.Protocol.RSN);

                    configuration.allowedPairwiseCiphers.set(WifiConfiguration.PairwiseCipher.CCMP);

                    configuration.allowedPairwiseCiphers.set(

                            WifiConfiguration.PairwiseCipher.GCMP_256);

                    configuration.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.CCMP);

                    configuration.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.GCMP_256);

                    configuration.requirePmf = true;

                }

                configuration.enterpriseConfig = mWpa3EnterpriseConfig;

            } else if (mIsEnhancedOpen) { // OWE network

                configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_OWE);

import static org.junit.Assert.assertEquals;

import static org.junit.Assert.assertFalse;

import static org.junit.Assert.assertNotNull;

import static org.junit.Assert.assertNull;

import static org.junit.Assert.assertTrue;

import android.net.MacAddress;

import org.junit.Test;

import java.security.cert.X509Certificate;

/**

 * Unit tests for {@link android.net.wifi.WifiNetworkSpecifier}.

 */

    private static final String TEST_BSSID_OUI_MASK = "ff:ff:ff:00:00:00";

    private static final String TEST_BSSID = "12:12:12:12:12:12";

    private static final String TEST_PRESHARED_KEY = "\"Test123\"";

    private static final String TEST_DOMAIN_SUFFIX_MATCH = "domainSuffixMatch";

    /**

     * Validate correctness of WifiNetworkSpecifier object created by

                wifiNetworkSpecifier.wifiConfiguration.enterpriseConfig.getPhase2Method());

    }

    /**

     * Validate correctness of WifiNetworkSuggestion object created by

     * {@link WifiNetworkSuggestion.Builder#build()} for WPA3-Enterprise network.

     */

    @Test

    public void testWifiNetworkSuggestionBuilderForWpa3EapNetwork() {

        WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig();

        enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS);

        enterpriseConfig.setCaCertificate(FakeKeys.CA_CERT0);

        enterpriseConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH);

        NetworkSpecifier specifier = new WifiNetworkSpecifier.Builder()

                .setSsid(TEST_SSID)

                .setWpa3EnterpriseConfig(enterpriseConfig)

                .build();

        assertTrue(specifier instanceof WifiNetworkSpecifier);

        WifiNetworkSpecifier wifiNetworkSpecifier = (WifiNetworkSpecifier) specifier;

        assertEquals("\"" + TEST_SSID + "\"", wifiNetworkSpecifier.wifiConfiguration.SSID);

        assertTrue(wifiNetworkSpecifier.wifiConfiguration.allowedKeyManagement

                .get(WifiConfiguration.KeyMgmt.IEEE8021X));

        assertTrue(wifiNetworkSpecifier.wifiConfiguration.allowedKeyManagement

                .get(WifiConfiguration.KeyMgmt.WPA_EAP));

        assertFalse(wifiNetworkSpecifier.wifiConfiguration.allowedKeyManagement

                .get(WifiConfiguration.KeyMgmt.SUITE_B_192));

        assertTrue(wifiNetworkSpecifier.wifiConfiguration.allowedGroupCiphers

                .get(WifiConfiguration.GroupCipher.CCMP));

        assertTrue(wifiNetworkSpecifier.wifiConfiguration.requirePmf);

        assertNull(wifiNetworkSpecifier.wifiConfiguration.preSharedKey);

        assertNotNull(wifiNetworkSpecifier.wifiConfiguration.enterpriseConfig);

    }

    /**

     * Validate correctness of WifiNetworkSuggestion object created by

     * {@link WifiNetworkSuggestion.Builder#build()} for WPA3-Enterprise 192-bit RSA SuiteB network.

     */

    @Test

    public void testWifiNetworkSuggestionBuilderForWpa3SuiteBRsaEapNetwork() {

        WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig();

        enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS);

        enterpriseConfig.setCaCertificate(FakeKeys.CA_SUITE_B_RSA3072_CERT);

        enterpriseConfig.setClientKeyEntryWithCertificateChain(FakeKeys.CLIENT_SUITE_B_RSA3072_KEY,

                new X509Certificate[] {FakeKeys.CLIENT_SUITE_B_RSA3072_CERT});

        enterpriseConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH);

        NetworkSpecifier specifier = new WifiNetworkSpecifier.Builder()

                .setSsid(TEST_SSID)

                .setWpa3EnterpriseConfig(enterpriseConfig)

                .build();

        assertTrue(specifier instanceof WifiNetworkSpecifier);

        WifiNetworkSpecifier wifiNetworkSpecifier = (WifiNetworkSpecifier) specifier;

        assertEquals("\"" + TEST_SSID + "\"", wifiNetworkSpecifier.wifiConfiguration.SSID);

        assertTrue(wifiNetworkSpecifier.wifiConfiguration.allowedKeyManagement

                .get(WifiConfiguration.KeyMgmt.SUITE_B_192));

        assertTrue(wifiNetworkSpecifier.wifiConfiguration.allowedGroupCiphers

                .get(WifiConfiguration.GroupCipher.GCMP_256));

        assertTrue(wifiNetworkSpecifier.wifiConfiguration.allowedGroupManagementCiphers

                .get(WifiConfiguration.GroupMgmtCipher.BIP_GMAC_256));

        assertTrue(wifiNetworkSpecifier.wifiConfiguration.requirePmf);

        assertNull(wifiNetworkSpecifier.wifiConfiguration.preSharedKey);

        assertNotNull(wifiNetworkSpecifier.wifiConfiguration.enterpriseConfig);

    }

    /**

     * Validate correctness of WifiNetworkSuggestion object created by

     * {@link WifiNetworkSuggestion.Builder#build()} for WPA3-Enterprise 192-bit ECC SuiteB network.

     */

    @Test

    public void testWifiNetworkSuggestionBuilderForWpa3SuiteBEccEapNetwork() {

        WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig();

        enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS);

        enterpriseConfig.setCaCertificate(FakeKeys.CA_SUITE_B_ECDSA_CERT);

        enterpriseConfig.setClientKeyEntryWithCertificateChain(FakeKeys.CLIENT_SUITE_B_ECC_KEY,

                new X509Certificate[] {FakeKeys.CLIENT_SUITE_B_ECDSA_CERT});

        enterpriseConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH);

        NetworkSpecifier specifier = new WifiNetworkSpecifier.Builder()

                .setSsid(TEST_SSID)

                .setWpa3EnterpriseConfig(enterpriseConfig)

                .build();

        assertTrue(specifier instanceof WifiNetworkSpecifier);

        WifiNetworkSpecifier wifiNetworkSpecifier = (WifiNetworkSpecifier) specifier;

        assertEquals("\"" + TEST_SSID + "\"", wifiNetworkSpecifier.wifiConfiguration.SSID);

        assertTrue(wifiNetworkSpecifier.wifiConfiguration.allowedKeyManagement

                .get(WifiConfiguration.KeyMgmt.SUITE_B_192));

        assertTrue(wifiNetworkSpecifier.wifiConfiguration.allowedGroupCiphers

                .get(WifiConfiguration.GroupCipher.GCMP_256));

        assertTrue(wifiNetworkSpecifier.wifiConfiguration.allowedGroupManagementCiphers

                .get(WifiConfiguration.GroupMgmtCipher.BIP_GMAC_256));

        assertTrue(wifiNetworkSpecifier.wifiConfiguration.requirePmf);

        assertNull(wifiNetworkSpecifier.wifiConfiguration.preSharedKey);

        assertNotNull(wifiNetworkSpecifier.wifiConfiguration.enterpriseConfig);

    }

    /**

     * Ensure {@link WifiNetworkSpecifier.Builder#setSsid(String)} throws an exception