Loading wifi/java/android/net/wifi/WifiEnterpriseConfig.java +49 −0 Original line number Diff line number Diff line Loading @@ -30,6 +30,9 @@ import java.lang.annotation.RetentionPolicy; import java.nio.charset.StandardCharsets; import java.security.PrivateKey; import java.security.cert.X509Certificate; import java.security.interfaces.ECPublicKey; import java.security.interfaces.RSAPublicKey; import java.security.spec.ECParameterSpec; import java.util.Arrays; import java.util.HashMap; import java.util.List; Loading Loading 
@@ -1442,4 +1445,50 @@ public class WifiEnterpriseConfig implements Parcelable { } return TextUtils.isEmpty(getCaPath()); } /** * Check if a given certificate Get the Suite-B cipher from the certificate * * @param x509Certificate Certificate to process * @return true if the certificate OID matches the Suite-B requirements for RSA or ECDSA * certificates, or false otherwise. * @hide */ public static boolean isSuiteBCipherCert(@Nullable X509Certificate x509Certificate) { if (x509Certificate == null) { return false; } final String sigAlgOid = x509Certificate.getSigAlgOID(); // Wi-Fi alliance requires the use of both ECDSA secp384r1 and RSA 3072 certificates // in WPA3-Enterprise 192-bit security networks, which are also known as Suite-B-192 // networks, even though NSA Suite-B-192 mandates ECDSA only. The use of the term // Suite-B was already coined in the IEEE 802.11-2016 specification for // AKM 00-0F-AC but the test plan for WPA3-Enterprise 192-bit for APs mandates // support for both RSA and ECDSA, and for STAs it mandates ECDSA and optionally // RSA. In order to be compatible with all WPA3-Enterprise 192-bit deployments, // we are supporting both types here. 
if (sigAlgOid.equals("1.2.840.113549.1.1.12")) { // sha384WithRSAEncryption if (x509Certificate.getPublicKey() instanceof RSAPublicKey) { final RSAPublicKey rsaPublicKey = (RSAPublicKey) x509Certificate.getPublicKey(); if (rsaPublicKey.getModulus() != null && rsaPublicKey.getModulus().bitLength() >= 3072) { return true; } } } else if (sigAlgOid.equals("1.2.840.10045.4.3.3")) { // ecdsa-with-SHA384 if (x509Certificate.getPublicKey() instanceof ECPublicKey) { final ECPublicKey ecPublicKey = (ECPublicKey) x509Certificate.getPublicKey(); final ECParameterSpec ecParameterSpec = ecPublicKey.getParams(); if (ecParameterSpec != null && ecParameterSpec.getOrder() != null && ecParameterSpec.getOrder().bitLength() >= 384) { return true; } } } return false; } } wifi/java/android/net/wifi/WifiNetworkSpecifier.java +26 −5 Original line number Diff line number Diff line Loading @@ -78,12 +78,12 @@ public final class WifiNetworkSpecifier extends NetworkSpecifier implements Parc private @Nullable String mWpa3SaePassphrase; /** * The enterprise configuration details specifying the EAP method, * certificates and other settings associated with the WPA-EAP networks. * certificates and other settings associated with the WPA/WPA2-Enterprise networks. */ private @Nullable WifiEnterpriseConfig mWpa2EnterpriseConfig; /** * The enterprise configuration details specifying the EAP method, * certificates and other settings associated with the SuiteB networks. * certificates and other settings associated with the WPA3-Enterprise networks. */ private @Nullable WifiEnterpriseConfig mWpa3EnterpriseConfig; /** Loading Loading 
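Review bot: The Javadoc summary of isSuiteBCipherCert is two half-sentences run together (`Check if a given certificate Get the Suite-B cipher from the certificate`), and its @return mentions only the OID although the body also enforces a minimum key size; suggest `* Check whether a certificate meets the WPA3-Enterprise 192-bit (Suite-B) requirements: signed with sha384WithRSAEncryption and carrying an RSA key of at least 3072 bits, or signed with ecdsa-with-SHA384 and carrying an EC key whose curve order is at least 384 bits.` with the @return reworded to match. It is also worth one sentence in the Javadoc that the signature OID describes how the issuer signed the certificate, not the key inside it, so a certificate issued by an ECDSA P-384 CA but carrying an RSA key fails this check by design. Finally, `sigAlgOid.equals("1.2.840.113549.1.1.12")` throws if getSigAlgOID() ever returns null; the constant-first form `"1.2.840.113549.1.1.12".equals(sigAlgOid)` is null-safe at no cost.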
@@ -243,7 +243,11 @@ public final class WifiNetworkSpecifier extends NetworkSpecifier implements Parc /** * Set the associated enterprise configuration for this network. Needed for authenticating * to WPA3-SuiteB networks. See {@link WifiEnterpriseConfig} for description. * to WPA3-Enterprise networks (standard and 192-bit security). See * {@link WifiEnterpriseConfig} for description. For 192-bit security networks, both the * client and CA certificates must be provided, and must be of type of either * sha384WithRSAEncryption (OID 1.2.840.113549.1.1.12) or ecdsa-with-SHA384 * (OID 1.2.840.10045.4.3.3). * * @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}. * @return Instance of {@link Builder} to enable chaining of the builder method. Loading Loading 
@@ -284,8 +288,25 @@ public final class WifiNetworkSpecifier extends NetworkSpecifier implements Parc } else if (mWpa2EnterpriseConfig != null) { // WPA-EAP network configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP); configuration.enterpriseConfig = mWpa2EnterpriseConfig; } else if (mWpa3EnterpriseConfig != null) { // WPA3-SuiteB network } else if (mWpa3EnterpriseConfig != null) { // WPA3-Enterprise if (mWpa3EnterpriseConfig.getEapMethod() == WifiEnterpriseConfig.Eap.TLS && WifiEnterpriseConfig.isSuiteBCipherCert( mWpa3EnterpriseConfig.getClientCertificate()) && WifiEnterpriseConfig.isSuiteBCipherCert( mWpa3EnterpriseConfig.getCaCertificate())) { // WPA3-Enterprise in 192-bit security mode (Suite-B) configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP_SUITE_B); } else { // WPA3-Enterprise configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP); configuration.allowedProtocols.set(WifiConfiguration.Protocol.RSN); configuration.allowedPairwiseCiphers.set(WifiConfiguration.PairwiseCipher.CCMP); configuration.allowedPairwiseCiphers.set( WifiConfiguration.PairwiseCipher.GCMP_256); configuration.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.CCMP); configuration.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.GCMP_256); configuration.requirePmf = true; } configuration.enterpriseConfig = mWpa3EnterpriseConfig; } else if (mIsEnhancedOpen) { // OWE network configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_OWE); Loading wifi/java/android/net/wifi/WifiNetworkSuggestion.java +26 −5 Original line number Diff line number Diff line Loading 
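Review bot: In the new mWpa3EnterpriseConfig branch of build(), a configuration that fails the EAP-TLS/isSuiteBCipherCert test is silently downgraded to standard WPA3-Enterprise (SECURITY_TYPE_EAP) rather than rejected, while the setWpa3EnterpriseConfig Javadoc in the same section says the 192-bit certificate requirements `must` be met. A caller intending 192-bit security who supplies, say, an RSA-2048 client certificate, or a CA via a path rather than an object (getCaCertificate() would presumably then be null — confirm), gets no error and joins with weaker parameters. If the fallback is intentional, the Javadoc should state that configurations not meeting the 192-bit requirements are treated as standard WPA3-Enterprise; if not, build() should throw `IllegalStateException` for a TLS config whose certificates do not pass the check. The enclosing build() method starts and ends outside the hunk.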
@@ -72,12 +72,12 @@ public final class WifiNetworkSuggestion implements Parcelable { private @Nullable String mWpa3SaePassphrase; /** * The enterprise configuration details specifying the EAP method, * certificates and other settings associated with the WPA-EAP networks. * certificates and other settings associated with the WPA/WPA2-Enterprise networks. */ private @Nullable WifiEnterpriseConfig mWpa2EnterpriseConfig; /** * The enterprise configuration details specifying the EAP method, * certificates and other settings associated with the SuiteB networks. * certificates and other settings associated with the WPA3-Enterprise networks. */ private @Nullable WifiEnterpriseConfig mWpa3EnterpriseConfig; /** Loading Loading @@ -288,7 +288,11 @@ public final class WifiNetworkSuggestion implements Parcelable { /** * Set the associated enterprise configuration for this network. Needed for authenticating * to WPA3 enterprise networks. See {@link WifiEnterpriseConfig} for description. * to WPA3-Enterprise networks (standard and 192-bit security). See * {@link WifiEnterpriseConfig} for description. For 192-bit security networks, both the * client and CA certificates must be provided, and must be of type of either * sha384WithRSAEncryption (OID 1.2.840.113549.1.1.12) or ecdsa-with-SHA384 * (OID 1.2.840.10045.4.3.3). * * @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}. * @return Instance of {@link Builder} to enable chaining of the builder method. Loading Loading 
@@ -570,8 +574,25 @@ public final class WifiNetworkSuggestion implements Parcelable { } else if (mWpa2EnterpriseConfig != null) { // WPA-EAP network configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP); configuration.enterpriseConfig = mWpa2EnterpriseConfig; } else if (mWpa3EnterpriseConfig != null) { // WPA3-SuiteB network } else if (mWpa3EnterpriseConfig != null) { // WPA3-Enterprise if (mWpa3EnterpriseConfig.getEapMethod() == WifiEnterpriseConfig.Eap.TLS && WifiEnterpriseConfig.isSuiteBCipherCert( mWpa3EnterpriseConfig.getClientCertificate()) && WifiEnterpriseConfig.isSuiteBCipherCert( mWpa3EnterpriseConfig.getCaCertificate())) { // WPA3-Enterprise in 192-bit security mode (Suite-B) configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP_SUITE_B); } else { // WPA3-Enterprise configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP); configuration.allowedProtocols.set(WifiConfiguration.Protocol.RSN); configuration.allowedPairwiseCiphers.set(WifiConfiguration.PairwiseCipher.CCMP); configuration.allowedPairwiseCiphers.set( WifiConfiguration.PairwiseCipher.GCMP_256); configuration.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.CCMP); configuration.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.GCMP_256); configuration.requirePmf = true; } configuration.enterpriseConfig = mWpa3EnterpriseConfig; } else if (mIsEnhancedOpen) { // OWE network configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_OWE); Loading Loading
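Review bot: The 19-line WPA3-Enterprise branch added to build() here is identical to the one added to WifiNetworkSpecifier.build() in the same commit, so the Suite-B eligibility rule (EAP-TLS plus both certificates passing isSuiteBCipherCert) and the standard-mode protocol/cipher/PMF settings now live in two places that must be kept in sync by hand. Consider extracting it into one package-private helper next to isSuiteBCipherCert, e.g. `static void applyWpa3EnterpriseParams(WifiConfiguration configuration, WifiEnterpriseConfig enterpriseConfig)`, and calling it from both builders. The enclosing build() method starts and ends outside the hunk.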
wifi/java/android/net/wifi/WifiEnterpriseConfig.java +49 −0 Original line number Diff line number Diff line Loading @@ -30,6 +30,9 @@ import java.lang.annotation.RetentionPolicy; import java.nio.charset.StandardCharsets; import java.security.PrivateKey; import java.security.cert.X509Certificate; import java.security.interfaces.ECPublicKey; import java.security.interfaces.RSAPublicKey; import java.security.spec.ECParameterSpec; import java.util.Arrays; import java.util.HashMap; import java.util.List; Loading Loading 
@@ -1442,4 +1445,50 @@ public class WifiEnterpriseConfig implements Parcelable { } return TextUtils.isEmpty(getCaPath()); } /** * Check if a given certificate Get the Suite-B cipher from the certificate * * @param x509Certificate Certificate to process * @return true if the certificate OID matches the Suite-B requirements for RSA or ECDSA * certificates, or false otherwise. * @hide */ public static boolean isSuiteBCipherCert(@Nullable X509Certificate x509Certificate) { if (x509Certificate == null) { return false; } final String sigAlgOid = x509Certificate.getSigAlgOID(); // Wi-Fi alliance requires the use of both ECDSA secp384r1 and RSA 3072 certificates // in WPA3-Enterprise 192-bit security networks, which are also known as Suite-B-192 // networks, even though NSA Suite-B-192 mandates ECDSA only. The use of the term // Suite-B was already coined in the IEEE 802.11-2016 specification for // AKM 00-0F-AC but the test plan for WPA3-Enterprise 192-bit for APs mandates // support for both RSA and ECDSA, and for STAs it mandates ECDSA and optionally // RSA. In order to be compatible with all WPA3-Enterprise 192-bit deployments, // we are supporting both types here. if (sigAlgOid.equals("1.2.840.113549.1.1.12")) { // sha384WithRSAEncryption if (x509Certificate.getPublicKey() instanceof RSAPublicKey) { final RSAPublicKey rsaPublicKey = (RSAPublicKey) x509Certificate.getPublicKey(); if (rsaPublicKey.getModulus() != null && rsaPublicKey.getModulus().bitLength() >= 3072) { return true; } } } else if (sigAlgOid.equals("1.2.840.10045.4.3.3")) { // ecdsa-with-SHA384 if (x509Certificate.getPublicKey() instanceof ECPublicKey) { final ECPublicKey ecPublicKey = (ECPublicKey) x509Certificate.getPublicKey(); final ECParameterSpec ecParameterSpec = ecPublicKey.getParams(); if (ecParameterSpec != null && ecParameterSpec.getOrder() != null && ecParameterSpec.getOrder().bitLength() >= 384) { return true; } } } return false; } }
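Review bot: The EC branch of isSuiteBCipherCert accepts any curve whose order is at least 384 bits (`getOrder().bitLength() >= 384`), which admits P-521 and cannot distinguish secp384r1 from other 384-bit curves such as brainpoolP384r1, even though the comment above it and the WPA3-Enterprise 192-bit profile are specifically about secp384r1. Whether the supplicant's 192-bit mode will negotiate with such keys is not visible in this diff, so either tighten the test to `== 384` with a comment naming the accepted curve, or add a comment stating that larger and non-NIST 384-bit curves are deliberately let through and rely on the supplicant to reject them. The same reasoning applies, less sharply, to `>= 3072` for RSA, which is at least consistent with the "RSA 3072" wording in the comment.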
wifi/java/android/net/wifi/WifiNetworkSpecifier.java +26 −5 Original line number Diff line number Diff line Loading @@ -78,12 +78,12 @@ public final class WifiNetworkSpecifier extends NetworkSpecifier implements Parc private @Nullable String mWpa3SaePassphrase; /** * The enterprise configuration details specifying the EAP method, * certificates and other settings associated with the WPA-EAP networks. * certificates and other settings associated with the WPA/WPA2-Enterprise networks. */ private @Nullable WifiEnterpriseConfig mWpa2EnterpriseConfig; /** * The enterprise configuration details specifying the EAP method, * certificates and other settings associated with the SuiteB networks. * certificates and other settings associated with the WPA3-Enterprise networks. */ private @Nullable WifiEnterpriseConfig mWpa3EnterpriseConfig; /** Loading Loading @@ -243,7 +243,11 @@ public final class WifiNetworkSpecifier extends NetworkSpecifier implements Parc /** * Set the associated enterprise configuration for this network. Needed for authenticating * to WPA3-SuiteB networks. See {@link WifiEnterpriseConfig} for description. * to WPA3-Enterprise networks (standard and 192-bit security). See * {@link WifiEnterpriseConfig} for description. For 192-bit security networks, both the * client and CA certificates must be provided, and must be of type of either * sha384WithRSAEncryption (OID 1.2.840.113549.1.1.12) or ecdsa-with-SHA384 * (OID 1.2.840.10045.4.3.3). * * @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}. * @return Instance of {@link Builder} to enable chaining of the builder method. Loading Loading 
@@ -284,8 +288,25 @@ public final class WifiNetworkSpecifier extends NetworkSpecifier implements Parc } else if (mWpa2EnterpriseConfig != null) { // WPA-EAP network configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP); configuration.enterpriseConfig = mWpa2EnterpriseConfig; } else if (mWpa3EnterpriseConfig != null) { // WPA3-SuiteB network } else if (mWpa3EnterpriseConfig != null) { // WPA3-Enterprise if (mWpa3EnterpriseConfig.getEapMethod() == WifiEnterpriseConfig.Eap.TLS && WifiEnterpriseConfig.isSuiteBCipherCert( mWpa3EnterpriseConfig.getClientCertificate()) && WifiEnterpriseConfig.isSuiteBCipherCert( mWpa3EnterpriseConfig.getCaCertificate())) { // WPA3-Enterprise in 192-bit security mode (Suite-B) configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP_SUITE_B); } else { // WPA3-Enterprise configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP); configuration.allowedProtocols.set(WifiConfiguration.Protocol.RSN); configuration.allowedPairwiseCiphers.set(WifiConfiguration.PairwiseCipher.CCMP); configuration.allowedPairwiseCiphers.set( WifiConfiguration.PairwiseCipher.GCMP_256); configuration.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.CCMP); configuration.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.GCMP_256); configuration.requirePmf = true; } configuration.enterpriseConfig = mWpa3EnterpriseConfig; } else if (mIsEnhancedOpen) { // OWE network configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_OWE); Loading
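Review bot: The standard WPA3-Enterprise branch of build() calls `configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP)` and then only adds bits with `.set(...)` on allowedProtocols and the cipher sets; if setSecurityParams for SECURITY_TYPE_EAP also enables Protocol.WPA or TKIP (not visible here — confirm), nothing in this branch clears them, so the resulting profile would still permit WPA1/TKIP despite being labelled WPA3-Enterprise. Calling `.clear()` on those BitSets before the `.set()` lines, or introducing a dedicated security type, would make the intended cipher set explicit. Note also that only this branch sets `requirePmf = true`; the Suite-B branch relies on SECURITY_TYPE_EAP_SUITE_B doing so, which is worth confirming since PMF is mandatory for both modes. The enclosing build() method starts and ends outside the hunk.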
wifi/java/android/net/wifi/WifiNetworkSuggestion.java +26 −5 Original line number Diff line number Diff line Loading @@ -72,12 +72,12 @@ public final class WifiNetworkSuggestion implements Parcelable { private @Nullable String mWpa3SaePassphrase; /** * The enterprise configuration details specifying the EAP method, * certificates and other settings associated with the WPA-EAP networks. * certificates and other settings associated with the WPA/WPA2-Enterprise networks. */ private @Nullable WifiEnterpriseConfig mWpa2EnterpriseConfig; /** * The enterprise configuration details specifying the EAP method, * certificates and other settings associated with the SuiteB networks. * certificates and other settings associated with the WPA3-Enterprise networks. */ private @Nullable WifiEnterpriseConfig mWpa3EnterpriseConfig; /** Loading Loading @@ -288,7 +288,11 @@ public final class WifiNetworkSuggestion implements Parcelable { /** * Set the associated enterprise configuration for this network. Needed for authenticating * to WPA3 enterprise networks. See {@link WifiEnterpriseConfig} for description. * to WPA3-Enterprise networks (standard and 192-bit security). See * {@link WifiEnterpriseConfig} for description. For 192-bit security networks, both the * client and CA certificates must be provided, and must be of type of either * sha384WithRSAEncryption (OID 1.2.840.113549.1.1.12) or ecdsa-with-SHA384 * (OID 1.2.840.10045.4.3.3). * * @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}. * @return Instance of {@link Builder} to enable chaining of the builder method. Loading Loading 
@@ -570,8 +574,25 @@ public final class WifiNetworkSuggestion implements Parcelable { } else if (mWpa2EnterpriseConfig != null) { // WPA-EAP network configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP); configuration.enterpriseConfig = mWpa2EnterpriseConfig; } else if (mWpa3EnterpriseConfig != null) { // WPA3-SuiteB network } else if (mWpa3EnterpriseConfig != null) { // WPA3-Enterprise if (mWpa3EnterpriseConfig.getEapMethod() == WifiEnterpriseConfig.Eap.TLS && WifiEnterpriseConfig.isSuiteBCipherCert( mWpa3EnterpriseConfig.getClientCertificate()) && WifiEnterpriseConfig.isSuiteBCipherCert( mWpa3EnterpriseConfig.getCaCertificate())) { // WPA3-Enterprise in 192-bit security mode (Suite-B) configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP_SUITE_B); } else { // WPA3-Enterprise configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP); configuration.allowedProtocols.set(WifiConfiguration.Protocol.RSN); configuration.allowedPairwiseCiphers.set(WifiConfiguration.PairwiseCipher.CCMP); configuration.allowedPairwiseCiphers.set( WifiConfiguration.PairwiseCipher.GCMP_256); configuration.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.CCMP); configuration.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.GCMP_256); configuration.requirePmf = true; } configuration.enterpriseConfig = mWpa3EnterpriseConfig; } else if (mIsEnhancedOpen) { // OWE network configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_OWE); Loading
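Review bot: The setWpa3EnterpriseConfig Javadoc in this section lists the certificate requirements for 192-bit mode but omits the EAP-TLS requirement that build() actually enforces, and the phrase `must be of type of either` is ungrammatical. Suggest replacing that sentence with `* For 192-bit security networks the EAP method must be {@link WifiEnterpriseConfig.Eap#TLS}, and both the client and CA certificates must be provided and signed with either sha384WithRSAEncryption (OID 1.2.840.113549.1.1.12, RSA key of at least 3072 bits) or ecdsa-with-SHA384 (OID 1.2.840.10045.4.3.3, curve order of at least 384 bits).` Stating the key-size floor there matches what isSuiteBCipherCert checks and saves callers a trip to a @hide method.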