Loading wifi/java/android/net/wifi/WifiEnterpriseConfig.java +22 −0 Original line number Diff line number Diff line Loading @@ -1381,4 +1381,26 @@ public class WifiEnterpriseConfig implements Parcelable { public String getWapiCertSuite() { return getFieldValue(WAPI_CERT_SUITE_KEY); } /** * Method determines whether the Enterprise configuration is insecure. An insecure * configuration is one where EAP method requires a CA certification, i.e. PEAP, TLS, or * TTLS, and any of the following conditions are met: * - Both certificate and CA path are not configured. * - Both alternative subject match and domain suffix match are not set. * * Note: this method does not exhaustively check security of the configuration - i.e. a return * value of {@code false} is not a guarantee that the configuration is secure. * @hide */ public boolean isInsecure() { if (mEapMethod != Eap.PEAP && mEapMethod != Eap.TLS && mEapMethod != Eap.TTLS) { return false; } if (!mIsAppInstalledCaCert && TextUtils.isEmpty(getCaPath())) { return true; } return TextUtils.isEmpty(getAltSubjectMatch()) && TextUtils.isEmpty( getDomainSuffixMatch()); } } wifi/java/android/net/wifi/WifiNetworkSuggestion.java +12 −2 Original line number Diff line number Diff line Loading 
@@ -257,28 +257,38 @@ public final class WifiNetworkSuggestion implements Parcelable { /** * Set the associated enterprise configuration for this network. Needed for authenticating * to WPA2-EAP networks. See {@link WifiEnterpriseConfig} for description. * to WPA2 enterprise networks. See {@link WifiEnterpriseConfig} for description. * * @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}. * @return Instance of {@link Builder} to enable chaining of the builder method. * @throws IllegalArgumentException if configuration CA certificate or * AltSubjectMatch/DomainSuffixMatch is not set. */ public @NonNull Builder setWpa2EnterpriseConfig( @NonNull WifiEnterpriseConfig enterpriseConfig) { checkNotNull(enterpriseConfig); if (enterpriseConfig.isInsecure()) { throw new IllegalArgumentException("Enterprise configuration is insecure"); } mWpa2EnterpriseConfig = new WifiEnterpriseConfig(enterpriseConfig); return this; } /** * Set the associated enterprise configuration for this network. Needed for authenticating * to WPA3-SuiteB networks. See {@link WifiEnterpriseConfig} for description. * to WPA3 enterprise networks. See {@link WifiEnterpriseConfig} for description. * * @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}. * @return Instance of {@link Builder} to enable chaining of the builder method. * @throws IllegalArgumentException if configuration CA certificate or * AltSubjectMatch/DomainSuffixMatch is not set. */ public @NonNull Builder setWpa3EnterpriseConfig( @NonNull WifiEnterpriseConfig enterpriseConfig) { checkNotNull(enterpriseConfig); if (enterpriseConfig.isInsecure()) { throw new IllegalArgumentException("Enterprise configuration is insecure"); } mWpa3EnterpriseConfig = new WifiEnterpriseConfig(enterpriseConfig); return this; } Loading wifi/tests/src/android/net/wifi/WifiEnterpriseConfigTest.java +27 −0 Original line number Diff line number Diff line Loading 
@@ -47,6 +47,7 @@ public class WifiEnterpriseConfigTest { public static final String KEYSTORE_URI = "keystore://"; public static final String CA_CERT_PREFIX = KEYSTORE_URI + Credentials.CA_CERTIFICATE; public static final String KEYSTORES_URI = "keystores://"; private static final String TEST_DOMAIN_SUFFIX_MATCH = "domainSuffixMatch"; private WifiEnterpriseConfig mEnterpriseConfig; Loading Loading @@ -540,4 +541,30 @@ public class WifiEnterpriseConfigTest { mEnterpriseConfig.setEapMethod(Eap.UNAUTH_TLS); assertEquals(null, getSupplicantPhase2Method()); } @Test public void testIsEnterpriseConfigSecure() { WifiEnterpriseConfig baseConfig = new WifiEnterpriseConfig(); baseConfig.setEapMethod(Eap.PEAP); baseConfig.setPhase2Method(Phase2.MSCHAPV2); assertTrue(baseConfig.isInsecure()); WifiEnterpriseConfig noMatchConfig = new WifiEnterpriseConfig(baseConfig); noMatchConfig.setCaCertificate(FakeKeys.CA_CERT0); // Missing match is insecure. assertTrue(noMatchConfig.isInsecure()); WifiEnterpriseConfig noCaConfig = new WifiEnterpriseConfig(baseConfig); noCaConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH); // Missing CA certificate is insecure. assertTrue(noCaConfig.isInsecure()); WifiEnterpriseConfig secureConfig = new WifiEnterpriseConfig(); secureConfig.setEapMethod(Eap.PEAP); secureConfig.setPhase2Method(Phase2.MSCHAPV2); secureConfig.setCaCertificate(FakeKeys.CA_CERT0); secureConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH); assertFalse(secureConfig.isInsecure()); } } wifi/tests/src/android/net/wifi/WifiNetworkSuggestionTest.java +37 −0 Original line number Diff line number Diff line Loading 
@@ -38,6 +38,7 @@ public class WifiNetworkSuggestionTest { private static final String TEST_PRESHARED_KEY = "Test123"; private static final String TEST_FQDN = "fqdn"; private static final String TEST_WAPI_CERT_SUITE = "suite"; private static final String TEST_DOMAIN_SUFFIX_MATCH = "domainSuffixMatch"; /** * Validate correctness of WifiNetworkSuggestion object created by Loading Loading @@ -208,6 +209,8 @@ public class WifiNetworkSuggestionTest { WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig(); enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS); enterpriseConfig.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC); enterpriseConfig.setCaCertificate(FakeKeys.CA_CERT0); enterpriseConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH); WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder() .setSsid(TEST_SSID) Loading 
@@ -229,6 +232,40 @@ public class WifiNetworkSuggestionTest { assertTrue(suggestion.isInitialAutoJoinEnabled); } /** * Ensure create enterprise suggestion requires CA, when CA certificate is missing, will throw * an exception. */ @Test (expected = IllegalArgumentException.class) public void testWifiNetworkSuggestionBuilderForEapNetworkWithoutCa() { WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig(); enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS); enterpriseConfig.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC); enterpriseConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH); WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder() .setSsid(TEST_SSID) .setWpa2EnterpriseConfig(enterpriseConfig) .build(); } /** * Ensure create enterprise suggestion requires CA, when both domain suffix and alt subject * match are missing, will throw an exception. */ @Test (expected = IllegalArgumentException.class) public void testWifiNetworkSuggestionBuilderForEapNetworkWithoutMatch() { WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig(); enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS); enterpriseConfig.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC); enterpriseConfig.setCaCertificate(FakeKeys.CA_CERT0); WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder() .setSsid(TEST_SSID) .setWpa3EnterpriseConfig(enterpriseConfig) .build(); } /** * Validate correctness of WifiNetworkSuggestion object created by * {@link WifiNetworkSuggestion.Builder#build()} for WAPI-PSK network. Loading Loading
wifi/java/android/net/wifi/WifiEnterpriseConfig.java +22 −0 Original line number Diff line number Diff line Loading @@ -1381,4 +1381,26 @@ public class WifiEnterpriseConfig implements Parcelable { public String getWapiCertSuite() { return getFieldValue(WAPI_CERT_SUITE_KEY); } /** * Method determines whether the Enterprise configuration is insecure. An insecure * configuration is one where EAP method requires a CA certification, i.e. PEAP, TLS, or * TTLS, and any of the following conditions are met: * - Both certificate and CA path are not configured. * - Both alternative subject match and domain suffix match are not set. * * Note: this method does not exhaustively check security of the configuration - i.e. a return * value of {@code false} is not a guarantee that the configuration is secure. * @hide */ public boolean isInsecure() { if (mEapMethod != Eap.PEAP && mEapMethod != Eap.TLS && mEapMethod != Eap.TTLS) { return false; } if (!mIsAppInstalledCaCert && TextUtils.isEmpty(getCaPath())) { return true; } return TextUtils.isEmpty(getAltSubjectMatch()) && TextUtils.isEmpty( getDomainSuffixMatch()); } }
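Review bot: The CA check in `isInsecure()` reads the `mIsAppInstalledCaCert` flag rather than the stored certificate, so its result is only as reliable as the bookkeeping of that flag, while the Javadoc above it speaks of the "certificate" not being configured. The setters are not visible in this diff; if the flag is not cleared when a certificate is later removed, or is not set for CA certificates supplied some other way, the method will misclassify those configurations. Consider testing the certificate state directly, or record the dependency with a comment such as `// mIsAppInstalledCaCert must track every path that sets or clears a CA certificate`. The Javadoc also says "CA certification" where "CA certificate" is meant, and `Eap.UNAUTH_TLS` falls through the first branch as not insecure, which deserves a line in the Note paragraph.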
wifi/java/android/net/wifi/WifiNetworkSuggestion.java +12 −2 Original line number Diff line number Diff line Loading @@ -257,28 +257,38 @@ public final class WifiNetworkSuggestion implements Parcelable { /** * Set the associated enterprise configuration for this network. Needed for authenticating * to WPA2-EAP networks. See {@link WifiEnterpriseConfig} for description. * to WPA2 enterprise networks. See {@link WifiEnterpriseConfig} for description. * * @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}. * @return Instance of {@link Builder} to enable chaining of the builder method. * @throws IllegalArgumentException if configuration CA certificate or * AltSubjectMatch/DomainSuffixMatch is not set. */ public @NonNull Builder setWpa2EnterpriseConfig( @NonNull WifiEnterpriseConfig enterpriseConfig) { checkNotNull(enterpriseConfig); if (enterpriseConfig.isInsecure()) { throw new IllegalArgumentException("Enterprise configuration is insecure"); } mWpa2EnterpriseConfig = new WifiEnterpriseConfig(enterpriseConfig); return this; } /** * Set the associated enterprise configuration for this network. Needed for authenticating * to WPA3-SuiteB networks. See {@link WifiEnterpriseConfig} for description. * to WPA3 enterprise networks. See {@link WifiEnterpriseConfig} for description. * * @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}. * @return Instance of {@link Builder} to enable chaining of the builder method. * @throws IllegalArgumentException if configuration CA certificate or * AltSubjectMatch/DomainSuffixMatch is not set. */ public @NonNull Builder setWpa3EnterpriseConfig( @NonNull WifiEnterpriseConfig enterpriseConfig) { checkNotNull(enterpriseConfig); if (enterpriseConfig.isInsecure()) { throw new IllegalArgumentException("Enterprise configuration is insecure"); } mWpa3EnterpriseConfig = new WifiEnterpriseConfig(enterpriseConfig); return this; } Loading
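Review bot: Both setters validate the caller-owned `enterpriseConfig` and only afterwards take the defensive copy, so a caller that mutates the object between the `isInsecure()` call and the copy can store a configuration that was never checked. Copy first and validate the copy: `WifiEnterpriseConfig copy = new WifiEnterpriseConfig(enterpriseConfig);`, `if (copy.isInsecure()) { throw new IllegalArgumentException("Enterprise configuration is insecure"); }`, `mWpa2EnterpriseConfig = copy;`, and the same in `setWpa3EnterpriseConfig`. This assumes the copy constructor carries over the CA-certificate state that `isInsecure()` reads, which is not visible here. The check also runs in the calling app's process, so the service that receives the parcelled suggestion presumably needs the same validation for the rule to be enforced rather than advisory. The new `@throws` text would be more accurate if it said the rule applies to PEAP, TLS and TTLS only and that a CA path also satisfies the certificate requirement.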
wifi/tests/src/android/net/wifi/WifiEnterpriseConfigTest.java +27 −0 Original line number Diff line number Diff line Loading @@ -47,6 +47,7 @@ public class WifiEnterpriseConfigTest { public static final String KEYSTORE_URI = "keystore://"; public static final String CA_CERT_PREFIX = KEYSTORE_URI + Credentials.CA_CERTIFICATE; public static final String KEYSTORES_URI = "keystores://"; private static final String TEST_DOMAIN_SUFFIX_MATCH = "domainSuffixMatch"; private WifiEnterpriseConfig mEnterpriseConfig; Loading Loading @@ -540,4 +541,30 @@ public class WifiEnterpriseConfigTest { mEnterpriseConfig.setEapMethod(Eap.UNAUTH_TLS); assertEquals(null, getSupplicantPhase2Method()); } @Test public void testIsEnterpriseConfigSecure() { WifiEnterpriseConfig baseConfig = new WifiEnterpriseConfig(); baseConfig.setEapMethod(Eap.PEAP); baseConfig.setPhase2Method(Phase2.MSCHAPV2); assertTrue(baseConfig.isInsecure()); WifiEnterpriseConfig noMatchConfig = new WifiEnterpriseConfig(baseConfig); noMatchConfig.setCaCertificate(FakeKeys.CA_CERT0); // Missing match is insecure. assertTrue(noMatchConfig.isInsecure()); WifiEnterpriseConfig noCaConfig = new WifiEnterpriseConfig(baseConfig); noCaConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH); // Missing CA certificate is insecure. assertTrue(noCaConfig.isInsecure()); WifiEnterpriseConfig secureConfig = new WifiEnterpriseConfig(); secureConfig.setEapMethod(Eap.PEAP); secureConfig.setPhase2Method(Phase2.MSCHAPV2); secureConfig.setCaCertificate(FakeKeys.CA_CERT0); secureConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH); assertFalse(secureConfig.isInsecure()); } }
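Review bot: `testIsEnterpriseConfigSecure` exercises only `Eap.PEAP` with a CA certificate and a domain suffix match, leaving three branches of `isInsecure()` untested: the early `return false` for other EAP methods, the CA-path alternative to a certificate, and the alternative-subject-match alternative to a domain suffix. A case per branch would pin the rule the builder now enforces, and the name would read better as `testIsInsecure`, since every assertion is on `isInsecure()`. It would also help to assert that a copy of `secureConfig` made with the copy constructor is still reported as not insecure, because the builder stores such a copy.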
wifi/tests/src/android/net/wifi/WifiNetworkSuggestionTest.java +37 −0 Original line number Diff line number Diff line Loading @@ -38,6 +38,7 @@ public class WifiNetworkSuggestionTest { private static final String TEST_PRESHARED_KEY = "Test123"; private static final String TEST_FQDN = "fqdn"; private static final String TEST_WAPI_CERT_SUITE = "suite"; private static final String TEST_DOMAIN_SUFFIX_MATCH = "domainSuffixMatch"; /** * Validate correctness of WifiNetworkSuggestion object created by Loading Loading @@ -208,6 +209,8 @@ public class WifiNetworkSuggestionTest { WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig(); enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS); enterpriseConfig.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC); enterpriseConfig.setCaCertificate(FakeKeys.CA_CERT0); enterpriseConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH); WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder() .setSsid(TEST_SSID) Loading 
@@ -229,6 +232,40 @@ public class WifiNetworkSuggestionTest { assertTrue(suggestion.isInitialAutoJoinEnabled); } /** * Ensure create enterprise suggestion requires CA, when CA certificate is missing, will throw * an exception. */ @Test (expected = IllegalArgumentException.class) public void testWifiNetworkSuggestionBuilderForEapNetworkWithoutCa() { WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig(); enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS); enterpriseConfig.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC); enterpriseConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH); WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder() .setSsid(TEST_SSID) .setWpa2EnterpriseConfig(enterpriseConfig) .build(); } /** * Ensure create enterprise suggestion requires CA, when both domain suffix and alt subject * match are missing, will throw an exception. */ @Test (expected = IllegalArgumentException.class) public void testWifiNetworkSuggestionBuilderForEapNetworkWithoutMatch() { WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig(); enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS); enterpriseConfig.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC); enterpriseConfig.setCaCertificate(FakeKeys.CA_CERT0); WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder() .setSsid(TEST_SSID) .setWpa3EnterpriseConfig(enterpriseConfig) .build(); } /** * Validate correctness of WifiNetworkSuggestion object created by * {@link WifiNetworkSuggestion.Builder#build()} for WAPI-PSK network. Loading
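Review bot: The two new negative tests put `@Test (expected = IllegalArgumentException.class)` over the whole method, so they pass if `setSsid()` or `build()` throws that exception for an unrelated reason, not only when the enterprise-config setter rejects the configuration. Wrapping just the `setWpa2EnterpriseConfig(...)` / `setWpa3EnterpriseConfig(...)` call in a try/catch with a `fail()` after it would pin the throw site. Each condition is also tested against only one of the two setters (missing CA on WPA2, missing match on WPA3). The Javadoc of the second test opens with "requires CA" although it covers the missing-match case.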