diff options
4 files changed, 98 insertions, 2 deletions
diff --git a/wifi/java/android/net/wifi/WifiEnterpriseConfig.java b/wifi/java/android/net/wifi/WifiEnterpriseConfig.java index 2e4e7f541ac2..7b86b084baab 100644 --- a/wifi/java/android/net/wifi/WifiEnterpriseConfig.java +++ b/wifi/java/android/net/wifi/WifiEnterpriseConfig.java @@ -1381,4 +1381,26 @@ public class WifiEnterpriseConfig implements Parcelable { public String getWapiCertSuite() { return getFieldValue(WAPI_CERT_SUITE_KEY); } + + /** + * Method determines whether the Enterprise configuration is insecure. An insecure + * configuration is one where EAP method requires a CA certification, i.e. PEAP, TLS, or + * TTLS, and any of the following conditions are met: + * - Both certificate and CA path are not configured. + * - Both alternative subject match and domain suffix match are not set. + * + * Note: this method does not exhaustively check security of the configuration - i.e. a return + * value of {@code false} is not a guarantee that the configuration is secure. + * @hide + */ + public boolean isInsecure() { + if (mEapMethod != Eap.PEAP && mEapMethod != Eap.TLS && mEapMethod != Eap.TTLS) { + return false; + } + if (!mIsAppInstalledCaCert && TextUtils.isEmpty(getCaPath())) { + return true; + } + return TextUtils.isEmpty(getAltSubjectMatch()) && TextUtils.isEmpty( + getDomainSuffixMatch()); + } } diff --git a/wifi/java/android/net/wifi/WifiNetworkSuggestion.java b/wifi/java/android/net/wifi/WifiNetworkSuggestion.java index 8c494943200f..4d3a2c02c686 100644 --- a/wifi/java/android/net/wifi/WifiNetworkSuggestion.java +++ b/wifi/java/android/net/wifi/WifiNetworkSuggestion.java @@ -257,28 +257,38 @@ public final class WifiNetworkSuggestion implements Parcelable { /** * Set the associated enterprise configuration for this network. Needed for authenticating - * to WPA2-EAP networks. See {@link WifiEnterpriseConfig} for description. + * to WPA2 enterprise networks. See {@link WifiEnterpriseConfig} for description. * * @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}. * @return Instance of {@link Builder} to enable chaining of the builder method. + * @throws IllegalArgumentException if configuration CA certificate or + * AltSubjectMatch/DomainSuffixMatch is not set. */ public @NonNull Builder setWpa2EnterpriseConfig( @NonNull WifiEnterpriseConfig enterpriseConfig) { checkNotNull(enterpriseConfig); + if (enterpriseConfig.isInsecure()) { + throw new IllegalArgumentException("Enterprise configuration is insecure"); + } mWpa2EnterpriseConfig = new WifiEnterpriseConfig(enterpriseConfig); return this; } /** * Set the associated enterprise configuration for this network. Needed for authenticating - * to WPA3-SuiteB networks. See {@link WifiEnterpriseConfig} for description. + * to WPA3 enterprise networks. See {@link WifiEnterpriseConfig} for description. * * @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}. * @return Instance of {@link Builder} to enable chaining of the builder method. + * @throws IllegalArgumentException if configuration CA certificate or + * AltSubjectMatch/DomainSuffixMatch is not set. */ public @NonNull Builder setWpa3EnterpriseConfig( @NonNull WifiEnterpriseConfig enterpriseConfig) { checkNotNull(enterpriseConfig); + if (enterpriseConfig.isInsecure()) { + throw new IllegalArgumentException("Enterprise configuration is insecure"); + } mWpa3EnterpriseConfig = new WifiEnterpriseConfig(enterpriseConfig); return this; } diff --git a/wifi/tests/src/android/net/wifi/WifiEnterpriseConfigTest.java b/wifi/tests/src/android/net/wifi/WifiEnterpriseConfigTest.java index 320c187bbc2d..268645c85cae 100644 --- a/wifi/tests/src/android/net/wifi/WifiEnterpriseConfigTest.java +++ b/wifi/tests/src/android/net/wifi/WifiEnterpriseConfigTest.java @@ -47,6 +47,7 @@ public class WifiEnterpriseConfigTest { public static final String KEYSTORE_URI = "keystore://"; public static final String CA_CERT_PREFIX = KEYSTORE_URI + Credentials.CA_CERTIFICATE; public static final String KEYSTORES_URI = "keystores://"; + private static final String TEST_DOMAIN_SUFFIX_MATCH = "domainSuffixMatch"; private WifiEnterpriseConfig mEnterpriseConfig; @@ -540,4 +541,30 @@ public class WifiEnterpriseConfigTest { mEnterpriseConfig.setEapMethod(Eap.UNAUTH_TLS); assertEquals(null, getSupplicantPhase2Method()); } + + @Test + public void testIsEnterpriseConfigSecure() { + WifiEnterpriseConfig baseConfig = new WifiEnterpriseConfig(); + baseConfig.setEapMethod(Eap.PEAP); + baseConfig.setPhase2Method(Phase2.MSCHAPV2); + assertTrue(baseConfig.isInsecure()); + + WifiEnterpriseConfig noMatchConfig = new WifiEnterpriseConfig(baseConfig); + noMatchConfig.setCaCertificate(FakeKeys.CA_CERT0); + // Missing match is insecure. + assertTrue(noMatchConfig.isInsecure()); + + WifiEnterpriseConfig noCaConfig = new WifiEnterpriseConfig(baseConfig); + noCaConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH); + // Missing CA certificate is insecure. + assertTrue(noCaConfig.isInsecure()); + + WifiEnterpriseConfig secureConfig = new WifiEnterpriseConfig(); + secureConfig.setEapMethod(Eap.PEAP); + secureConfig.setPhase2Method(Phase2.MSCHAPV2); + secureConfig.setCaCertificate(FakeKeys.CA_CERT0); + secureConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH); + assertFalse(secureConfig.isInsecure()); + } + } diff --git a/wifi/tests/src/android/net/wifi/WifiNetworkSuggestionTest.java b/wifi/tests/src/android/net/wifi/WifiNetworkSuggestionTest.java index d1d1c6165dbd..16b4ad08a830 100644 --- a/wifi/tests/src/android/net/wifi/WifiNetworkSuggestionTest.java +++ b/wifi/tests/src/android/net/wifi/WifiNetworkSuggestionTest.java @@ -38,6 +38,7 @@ public class WifiNetworkSuggestionTest { private static final String TEST_PRESHARED_KEY = "Test123"; private static final String TEST_FQDN = "fqdn"; private static final String TEST_WAPI_CERT_SUITE = "suite"; + private static final String TEST_DOMAIN_SUFFIX_MATCH = "domainSuffixMatch"; /** * Validate correctness of WifiNetworkSuggestion object created by @@ -208,6 +209,8 @@ public class WifiNetworkSuggestionTest { WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig(); enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS); enterpriseConfig.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC); + enterpriseConfig.setCaCertificate(FakeKeys.CA_CERT0); + enterpriseConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH); WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder() .setSsid(TEST_SSID) @@ -230,6 +233,40 @@ public class WifiNetworkSuggestionTest { } /** + * Ensure create enterprise suggestion requires CA, when CA certificate is missing, will throw + * an exception. + */ + @Test (expected = IllegalArgumentException.class) + public void testWifiNetworkSuggestionBuilderForEapNetworkWithoutCa() { + WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig(); + enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS); + enterpriseConfig.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC); + enterpriseConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH); + + WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder() + .setSsid(TEST_SSID) + .setWpa2EnterpriseConfig(enterpriseConfig) + .build(); + } + + /** + * Ensure create enterprise suggestion requires CA, when both domain suffix and alt subject + * match are missing, will throw an exception. + */ + @Test (expected = IllegalArgumentException.class) + public void testWifiNetworkSuggestionBuilderForEapNetworkWithoutMatch() { + WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig(); + enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS); + enterpriseConfig.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC); + enterpriseConfig.setCaCertificate(FakeKeys.CA_CERT0); + + WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder() + .setSsid(TEST_SSID) + .setWpa3EnterpriseConfig(enterpriseConfig) + .build(); + } + + /** * Validate correctness of WifiNetworkSuggestion object created by * {@link WifiNetworkSuggestion.Builder#build()} for WAPI-PSK network. */ |