Diffstat (limited to 'wifi/java')
-rw-r--r-- | wifi/java/android/net/wifi/WifiEnterpriseConfig.java | 22 | ||||
-rw-r--r-- | wifi/java/android/net/wifi/WifiNetworkSuggestion.java | 14 |
2 files changed, 34 insertions, 2 deletions
diff --git a/wifi/java/android/net/wifi/WifiEnterpriseConfig.java b/wifi/java/android/net/wifi/WifiEnterpriseConfig.java
index 2e4e7f541ac2..7b86b084baab 100644
--- a/wifi/java/android/net/wifi/WifiEnterpriseConfig.java
+++ b/wifi/java/android/net/wifi/WifiEnterpriseConfig.java
@@ -1381,4 +1381,26 @@ public class WifiEnterpriseConfig implements Parcelable {
 public String getWapiCertSuite() {
 return getFieldValue(WAPI_CERT_SUITE_KEY);
 }
+
+ /**
+ * Method determines whether the Enterprise configuration is insecure. An insecure
+ * configuration is one where EAP method requires a CA certification, i.e. PEAP, TLS, or
+ * TTLS, and any of the following conditions are met:
+ * - Both certificate and CA path are not configured.
+ * - Both alternative subject match and domain suffix match are not set.
+ *
+ * Note: this method does not exhaustively check security of the configuration - i.e. a return
+ * value of {@code false} is not a guarantee that the configuration is secure.
+ * @hide
+ */
+ public boolean isInsecure() {
+ if (mEapMethod != Eap.PEAP && mEapMethod != Eap.TLS && mEapMethod != Eap.TTLS) {
+ return false;
+ }
+ if (!mIsAppInstalledCaCert && TextUtils.isEmpty(getCaPath())) {
+ return true;
+ }
+ return TextUtils.isEmpty(getAltSubjectMatch()) && TextUtils.isEmpty(
+ getDomainSuffixMatch());
+ }
 }
diff --git a/wifi/java/android/net/wifi/WifiNetworkSuggestion.java b/wifi/java/android/net/wifi/WifiNetworkSuggestion.java
index 8c494943200f..4d3a2c02c686 100644
--- a/wifi/java/android/net/wifi/WifiNetworkSuggestion.java
+++ b/wifi/java/android/net/wifi/WifiNetworkSuggestion.java
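Review bot: In `isInsecure()` the trust-anchor test `!mIsAppInstalledCaCert && TextUtils.isEmpty(getCaPath())` recognises only an app-installed certificate or a CA path, so a configuration that names its CA through `setCaCertificateAliases()` would presumably be reported insecure and then rejected by the suggestion builder. Confirm whether `getCaCertificateAliases() != null` should also count as a configured CA; `mIsAppInstalledCaCert` is assigned outside this hunk, so this is inferred rather than shown. The method also returns `false` for every EAP method other than PEAP, TLS and TTLS, which presumably includes a config whose method was never set, so callers should not read `false` as "validated". In the Javadoc, "requires a CA certification" should read "requires a CA certificate", and the first bullet would be clearer as `- Neither an app-installed CA certificate nor a CA path is configured.`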
@@ -257,28 +257,38 @@ public final class WifiNetworkSuggestion implements Parcelable {
 /**
 * Set the associated enterprise configuration for this network. Needed for authenticating
- * to WPA2-EAP networks. See {@link WifiEnterpriseConfig} for description.
+ * to WPA2 enterprise networks. See {@link WifiEnterpriseConfig} for description.
 *
 * @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}.
 * @return Instance of {@link Builder} to enable chaining of the builder method.
+ * @throws IllegalArgumentException if configuration CA certificate or
+ * AltSubjectMatch/DomainSuffixMatch is not set.
 */
 public @NonNull Builder setWpa2EnterpriseConfig(
 @NonNull WifiEnterpriseConfig enterpriseConfig) {
 checkNotNull(enterpriseConfig);
+ if (enterpriseConfig.isInsecure()) {
+ throw new IllegalArgumentException("Enterprise configuration is insecure");
+ }
 mWpa2EnterpriseConfig = new WifiEnterpriseConfig(enterpriseConfig);
 return this;
 }
 /**
 * Set the associated enterprise configuration for this network. Needed for authenticating
- * to WPA3-SuiteB networks. See {@link WifiEnterpriseConfig} for description.
+ * to WPA3 enterprise networks. See {@link WifiEnterpriseConfig} for description.
 *
 * @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}.
 * @return Instance of {@link Builder} to enable chaining of the builder method.
+ * @throws IllegalArgumentException if configuration CA certificate or
+ * AltSubjectMatch/DomainSuffixMatch is not set.
 */
 public @NonNull Builder setWpa3EnterpriseConfig(
 @NonNull WifiEnterpriseConfig enterpriseConfig) {
 checkNotNull(enterpriseConfig);
+ if (enterpriseConfig.isInsecure()) {
+ throw new IllegalArgumentException("Enterprise configuration is insecure");
+ }
 mWpa3EnterpriseConfig = new WifiEnterpriseConfig(enterpriseConfig);
 return this;
 } |
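Review bot: The `isInsecure()` check added to `setWpa2EnterpriseConfig` and `setWpa3EnterpriseConfig` runs in the calling app's process, and `WifiNetworkSuggestion` is Parcelable, so the Builder cannot be the only place this rule is enforced. The service that receives suggestions should call `isInsecure()` again; that side is not visible here because the diffstat is limited to `wifi/java`. Both setters also test the caller's instance and only then store `new WifiEnterpriseConfig(enterpriseConfig)`; building the copy first and calling `isInsecure()` on it would guarantee the stored object is the one that was checked, provided the copy constructor carries over every field the check reads. The `@throws` text omits that the rule applies only to PEAP, TLS and TTLS; suggest `@throws IllegalArgumentException if the EAP method is PEAP, TLS or TTLS and either no CA certificate/path or neither AltSubjectMatch nor DomainSuffixMatch is set.` The enclosing Builder class begins outside the hunk.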