Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 2b16cd39 authored by Samuel Tan's avatar Samuel Tan
Browse files

Allow trusted system certificates to be used in EAP network configs 

Add an option to the "CA certificate" field of the EAP network
configuration menu, "Use system certificates". Choosing this option
will cause the trusted, pre-installed, system CA certificates
to be used to validate EAP servers during the authentication process.
This only applies to EAP-TLS, EAP-TTLS, and EAP-PEAP network
configurations, where the CA certificate option is available.

If the user selects "Use system certificates" and leaves the
"Domain" field empty, display a warning and prevent the
EAP network configuration from being saved. Such a configuration
would be insecure--the user should constrain the domain that
the system certificates can be used to validate.

BUG: 26879191
TEST: 1)  Set up AP connected to test RADIUS server.
TEST: 2)  Generate a self-signed cert (Cert 1)
TEST: 3)  Use Cert 1 to sign another cert (Cert 2) with common name
          "sub1.sub2.domain.com"
TEST: 4)  Setup RADIUS server, and configure it to present Cert 2 to EAP peer.
TEST: 5)  Build angler image with Cert 1 installed in
          /system/etc/security/cacerts/
TEST: 6)  Set up an AP connected to the RADIUS server to broadcast
          a WPA-Enterprise network.
TEST: 7)  On Angler, connect to this WPA-Enterprise network with settings:
            Network name: (AP SSID)
            Security: 802.1x EAP
            EAP method: TLS
            CA certificate: Use system certificates
            Domain: domain.com
            User certificate: (test certificate from RADIUS setup)
            Identity: (identity used for RADIUS setup)
TEST: 8)  Verify that we connect successfully to the AP.
TEST: 9)  Verify that connection still succeeds if Domain is set to
          "sub2.domain.com" and "sub1.sub2.domain.com".
TEST: 10) Verify that connection fails if Domain is set to
          "sub0.sub1.domain.com" and "otherdomain.com".
TEST: 11) Verify that network configuration cannot be saved, and an
          warning message "Must specify a domain" is displayed if Domain
          is left blank in the configuration in step 7
TEST: 12) Verify that the "Do not validate" option still appears in the
          CA certificate dropdown menu.

Change-Id: I346d4d301305719033b84ec4599bf3d57d9d4ee5
parent 3d8cdb10
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment