author | Nate Jiang <qiangjiang@google.com> | 2020-06-03 15:17:39 -0700 |
---|---|---|
committer | Nate Jiang <qiangjiang@google.com> | 2020-06-05 17:36:49 -0700 |
commit | 94268fd2ab6488fea4aee73b7d71d903427671b0 (patch) | |
tree | 6b9db72235262a897731618f8a7b87f89aa5b04b /wifi/tests/src | |
parent | 83e9ba45a4f874ecd81aeda3a4ff7964b1eba3ba (diff) |
[Suggestion] block setting insecure enterprise config
If an app sets an insecure enterprise config on the suggestion builder, an
exception will be raised.
Bug: 157822251
Test: atest android.net.wifi
Change-Id: I2e7a2421be2c1574801b853a1dddaff1d115a1b2
Diffstat (limited to 'wifi/tests/src')
-rw-r--r-- | wifi/tests/src/android/net/wifi/WifiEnterpriseConfigTest.java | 27 | ||||
-rw-r--r-- | wifi/tests/src/android/net/wifi/WifiNetworkSuggestionTest.java | 37 |
2 files changed, 64 insertions, 0 deletions
diff --git a/wifi/tests/src/android/net/wifi/WifiEnterpriseConfigTest.java b/wifi/tests/src/android/net/wifi/WifiEnterpriseConfigTest.java
index 320c187bbc2d..268645c85cae 100644
--- a/wifi/tests/src/android/net/wifi/WifiEnterpriseConfigTest.java
+++ b/wifi/tests/src/android/net/wifi/WifiEnterpriseConfigTest.java
@@ -47,6 +47,7 @@ public class WifiEnterpriseConfigTest {
 public static final String KEYSTORE_URI = "keystore://";
 public static final String CA_CERT_PREFIX = KEYSTORE_URI + Credentials.CA_CERTIFICATE;
 public static final String KEYSTORES_URI = "keystores://";
+ private static final String TEST_DOMAIN_SUFFIX_MATCH = "domainSuffixMatch";
 private WifiEnterpriseConfig mEnterpriseConfig;
@@ -540,4 +541,30 @@ public class WifiEnterpriseConfigTest {
 mEnterpriseConfig.setEapMethod(Eap.UNAUTH_TLS);
 assertEquals(null, getSupplicantPhase2Method());
 }
+
+ @Test
+ public void testIsEnterpriseConfigSecure() {
+ WifiEnterpriseConfig baseConfig = new WifiEnterpriseConfig();
+ baseConfig.setEapMethod(Eap.PEAP);
+ baseConfig.setPhase2Method(Phase2.MSCHAPV2);
+ assertTrue(baseConfig.isInsecure());
+
+ WifiEnterpriseConfig noMatchConfig = new WifiEnterpriseConfig(baseConfig);
+ noMatchConfig.setCaCertificate(FakeKeys.CA_CERT0);
+ // Missing match is insecure.
+ assertTrue(noMatchConfig.isInsecure());
+
+ WifiEnterpriseConfig noCaConfig = new WifiEnterpriseConfig(baseConfig);
+ noCaConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH);
+ // Missing CA certificate is insecure.
+ assertTrue(noCaConfig.isInsecure());
+
+ WifiEnterpriseConfig secureConfig = new WifiEnterpriseConfig();
+ secureConfig.setEapMethod(Eap.PEAP);
+ secureConfig.setPhase2Method(Phase2.MSCHAPV2);
+ secureConfig.setCaCertificate(FakeKeys.CA_CERT0);
+ secureConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH);
+ assertFalse(secureConfig.isInsecure());
+ }
+
+
 }
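Review bot: testIsEnterpriseConfigSecure pins only the PEAP path with a CA certificate plus a domain suffix match, so the other inputs that decide whether server validation is enforced are left uncovered. The companion suggestion test describes alt subject match as an accepted alternative to domain suffix match, yet no case here builds a config with a CA certificate and only `setAltSubjectMatch(...)` and asserts `assertFalse(config.isInsecure())`; an EAP method that does not validate a server certificate (for example `Eap.SIM`) is not exercised either. The implementation of isInsecure() is outside this diff, so the expected result for those cases should be confirmed against it before adding them. The test would also read more accurately as `testIsInsecure`, since every assertion is on isInsecure() rather than on a "secure" predicate.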
diff --git a/wifi/tests/src/android/net/wifi/WifiNetworkSuggestionTest.java b/wifi/tests/src/android/net/wifi/WifiNetworkSuggestionTest.java
index d1d1c6165dbd..16b4ad08a830 100644
--- a/wifi/tests/src/android/net/wifi/WifiNetworkSuggestionTest.java
+++ b/wifi/tests/src/android/net/wifi/WifiNetworkSuggestionTest.java
@@ -38,6 +38,7 @@ public class WifiNetworkSuggestionTest {
 private static final String TEST_PRESHARED_KEY = "Test123";
 private static final String TEST_FQDN = "fqdn";
 private static final String TEST_WAPI_CERT_SUITE = "suite";
+ private static final String TEST_DOMAIN_SUFFIX_MATCH = "domainSuffixMatch";
 /**
 * Validate correctness of WifiNetworkSuggestion object created by
@@ -208,6 +209,8 @@ public class WifiNetworkSuggestionTest {
 WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig();
 enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS);
 enterpriseConfig.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC);
+ enterpriseConfig.setCaCertificate(FakeKeys.CA_CERT0);
+ enterpriseConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH);
 WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder()
 .setSsid(TEST_SSID)
@@ -230,6 +233,40 @@ public class WifiNetworkSuggestionTest {
 }
 /**
+ * Ensure create enterprise suggestion requires CA, when CA certificate is missing, will throw
+ * an exception.
+ */
+ @Test (expected = IllegalArgumentException.class)
+ public void testWifiNetworkSuggestionBuilderForEapNetworkWithoutCa() {
+ WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig();
+ enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS);
+ enterpriseConfig.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC);
+ enterpriseConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH);
+
+ WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder()
+ .setSsid(TEST_SSID)
+ .setWpa2EnterpriseConfig(enterpriseConfig)
+ .build();
+ }
+
+ /**
+ * Ensure create enterprise suggestion requires CA, when both domain suffix and alt subject
+ * match are missing, will throw an exception.
+ */
+ @Test (expected = IllegalArgumentException.class)
+ public void testWifiNetworkSuggestionBuilderForEapNetworkWithoutMatch() {
+ WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig();
+ enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS);
+ enterpriseConfig.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC);
+ enterpriseConfig.setCaCertificate(FakeKeys.CA_CERT0);
+
+ WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder()
+ .setSsid(TEST_SSID)
+ .setWpa3EnterpriseConfig(enterpriseConfig)
+ .build();
+ }
+
+ /**
 * Validate correctness of WifiNetworkSuggestion object created by
 * {@link WifiNetworkSuggestion.Builder#build()} for WAPI-PSK network.
 */ |
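Review bot: Both new tests put `@Test (expected = IllegalArgumentException.class)` on the whole method, so an IllegalArgumentException thrown by any earlier statement, such as one of the WifiEnterpriseConfig setters, would make the test pass without the builder ever rejecting the insecure config. Scoping the expectation to the builder chain pins the check where it matters, e.g. `assertThrows(IllegalArgumentException.class, () -> new WifiNetworkSuggestion.Builder().setSsid(TEST_SSID).setWpa2EnterpriseConfig(enterpriseConfig).build());`, if the JUnit version in this tree provides assertThrows. The missing-CA case is exercised only through setWpa2EnterpriseConfig and the missing-match case only through setWpa3EnterpriseConfig, so each setter has one of the two rejections untested. The Javadoc of the second test also says it "requires CA" although it covers the missing match; `Ensure that creating an enterprise suggestion without a domain suffix or alt subject match throws an exception.` would describe it.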