summaryrefslogtreecommitdiff
path: root/wifi/java
diff options
context:
space:
mode:
Diffstat (limited to 'wifi/java')
-rw-r--r--wifi/java/android/net/wifi/ScanResult.java21
-rw-r--r--wifi/java/android/net/wifi/WifiEnterpriseConfig.java49
-rw-r--r--wifi/java/android/net/wifi/WifiNetworkSpecifier.java31
-rw-r--r--wifi/java/android/net/wifi/WifiNetworkSuggestion.java31
4 files changed, 119 insertions, 13 deletions
diff --git a/wifi/java/android/net/wifi/ScanResult.java b/wifi/java/android/net/wifi/ScanResult.java
index aa3a13925894..b276f2ed4761 100644
--- a/wifi/java/android/net/wifi/ScanResult.java
+++ b/wifi/java/android/net/wifi/ScanResult.java
@@ -581,12 +581,18 @@ public final class ScanResult implements Parcelable {
* 6 GHz band frequency of first channel in MHz
* @hide
*/
- public static final int BAND_6_GHZ_START_FREQ_MHZ = 5945;
+ public static final int BAND_6_GHZ_START_FREQ_MHZ = 5955;
/**
* 6 GHz band frequency of last channel in MHz
* @hide
*/
- public static final int BAND_6_GHZ_END_FREQ_MHZ = 7105;
+ public static final int BAND_6_GHZ_END_FREQ_MHZ = 7115;
+
+ /**
+ * 6 GHz band operating class 136 channel 2 center frequency in MHz
+ * @hide
+ */
+ public static final int BAND_6_GHZ_OP_CLASS_136_CH_2_FREQ_MHZ = 5935;
/**
* Utility function to check if a frequency within 2.4 GHz band
@@ -618,7 +624,10 @@ public final class ScanResult implements Parcelable {
* @hide
*/
public static boolean is6GHz(int freqMhz) {
- return freqMhz >= BAND_6_GHZ_START_FREQ_MHZ && freqMhz <= BAND_6_GHZ_END_FREQ_MHZ;
+ if (freqMhz == BAND_6_GHZ_OP_CLASS_136_CH_2_FREQ_MHZ) {
+ return true;
+ }
+ return (freqMhz >= BAND_6_GHZ_START_FREQ_MHZ && freqMhz <= BAND_6_GHZ_END_FREQ_MHZ);
}
/**
@@ -649,6 +658,9 @@ public final class ScanResult implements Parcelable {
}
if (band == WifiScanner.WIFI_BAND_6_GHZ) {
if (channel >= BAND_6_GHZ_FIRST_CH_NUM && channel <= BAND_6_GHZ_LAST_CH_NUM) {
+ if (channel == 2) {
+ return BAND_6_GHZ_OP_CLASS_136_CH_2_FREQ_MHZ;
+ }
return ((channel - BAND_6_GHZ_FIRST_CH_NUM) * 5) + BAND_6_GHZ_START_FREQ_MHZ;
} else {
return UNSPECIFIED;
@@ -673,6 +685,9 @@ public final class ScanResult implements Parcelable {
} else if (is5GHz(freqMhz)) {
return ((freqMhz - BAND_5_GHZ_START_FREQ_MHZ) / 5) + BAND_5_GHZ_FIRST_CH_NUM;
} else if (is6GHz(freqMhz)) {
+ if (freqMhz == BAND_6_GHZ_OP_CLASS_136_CH_2_FREQ_MHZ) {
+ return 2;
+ }
return ((freqMhz - BAND_6_GHZ_START_FREQ_MHZ) / 5) + BAND_6_GHZ_FIRST_CH_NUM;
}
diff --git a/wifi/java/android/net/wifi/WifiEnterpriseConfig.java b/wifi/java/android/net/wifi/WifiEnterpriseConfig.java
index 77fa673f1960..90edc4523b7b 100644
--- a/wifi/java/android/net/wifi/WifiEnterpriseConfig.java
+++ b/wifi/java/android/net/wifi/WifiEnterpriseConfig.java
@@ -30,6 +30,9 @@ import java.lang.annotation.RetentionPolicy;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
+import java.security.interfaces.ECPublicKey;
+import java.security.interfaces.RSAPublicKey;
+import java.security.spec.ECParameterSpec;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
@@ -1442,4 +1445,50 @@ public class WifiEnterpriseConfig implements Parcelable {
}
return TextUtils.isEmpty(getCaPath());
}
+
+ /**
+ * Check if a given certificate Get the Suite-B cipher from the certificate
+ *
+ * @param x509Certificate Certificate to process
+ * @return true if the certificate OID matches the Suite-B requirements for RSA or ECDSA
+ * certificates, or false otherwise.
+ * @hide
+ */
+ public static boolean isSuiteBCipherCert(@Nullable X509Certificate x509Certificate) {
+ if (x509Certificate == null) {
+ return false;
+ }
+ final String sigAlgOid = x509Certificate.getSigAlgOID();
+
+ // Wi-Fi alliance requires the use of both ECDSA secp384r1 and RSA 3072 certificates
+ // in WPA3-Enterprise 192-bit security networks, which are also known as Suite-B-192
+ // networks, even though NSA Suite-B-192 mandates ECDSA only. The use of the term
+ // Suite-B was already coined in the IEEE 802.11-2016 specification for
+ // AKM 00-0F-AC but the test plan for WPA3-Enterprise 192-bit for APs mandates
+ // support for both RSA and ECDSA, and for STAs it mandates ECDSA and optionally
+ // RSA. In order to be compatible with all WPA3-Enterprise 192-bit deployments,
+ // we are supporting both types here.
+ if (sigAlgOid.equals("1.2.840.113549.1.1.12")) {
+ // sha384WithRSAEncryption
+ if (x509Certificate.getPublicKey() instanceof RSAPublicKey) {
+ final RSAPublicKey rsaPublicKey = (RSAPublicKey) x509Certificate.getPublicKey();
+ if (rsaPublicKey.getModulus() != null
+ && rsaPublicKey.getModulus().bitLength() >= 3072) {
+ return true;
+ }
+ }
+ } else if (sigAlgOid.equals("1.2.840.10045.4.3.3")) {
+ // ecdsa-with-SHA384
+ if (x509Certificate.getPublicKey() instanceof ECPublicKey) {
+ final ECPublicKey ecPublicKey = (ECPublicKey) x509Certificate.getPublicKey();
+ final ECParameterSpec ecParameterSpec = ecPublicKey.getParams();
+
+ if (ecParameterSpec != null && ecParameterSpec.getOrder() != null
+ && ecParameterSpec.getOrder().bitLength() >= 384) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
}
diff --git a/wifi/java/android/net/wifi/WifiNetworkSpecifier.java b/wifi/java/android/net/wifi/WifiNetworkSpecifier.java
index b0213b0ef502..e12bb9178235 100644
--- a/wifi/java/android/net/wifi/WifiNetworkSpecifier.java
+++ b/wifi/java/android/net/wifi/WifiNetworkSpecifier.java
@@ -78,12 +78,12 @@ public final class WifiNetworkSpecifier extends NetworkSpecifier implements Parc
private @Nullable String mWpa3SaePassphrase;
/**
* The enterprise configuration details specifying the EAP method,
- * certificates and other settings associated with the WPA-EAP networks.
+ * certificates and other settings associated with the WPA/WPA2-Enterprise networks.
*/
private @Nullable WifiEnterpriseConfig mWpa2EnterpriseConfig;
/**
* The enterprise configuration details specifying the EAP method,
- * certificates and other settings associated with the SuiteB networks.
+ * certificates and other settings associated with the WPA3-Enterprise networks.
*/
private @Nullable WifiEnterpriseConfig mWpa3EnterpriseConfig;
/**
@@ -243,7 +243,11 @@ public final class WifiNetworkSpecifier extends NetworkSpecifier implements Parc
/**
* Set the associated enterprise configuration for this network. Needed for authenticating
- * to WPA3-SuiteB networks. See {@link WifiEnterpriseConfig} for description.
+ * to WPA3-Enterprise networks (standard and 192-bit security). See
+ * {@link WifiEnterpriseConfig} for description. For 192-bit security networks, both the
+ * client and CA certificates must be provided, and must be of type of either
+ * sha384WithRSAEncryption (OID 1.2.840.113549.1.1.12) or ecdsa-with-SHA384
+ * (OID 1.2.840.10045.4.3.3).
*
* @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}.
* @return Instance of {@link Builder} to enable chaining of the builder method.
@@ -284,8 +288,25 @@ public final class WifiNetworkSpecifier extends NetworkSpecifier implements Parc
} else if (mWpa2EnterpriseConfig != null) { // WPA-EAP network
configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP);
configuration.enterpriseConfig = mWpa2EnterpriseConfig;
- } else if (mWpa3EnterpriseConfig != null) { // WPA3-SuiteB network
- configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP_SUITE_B);
+ } else if (mWpa3EnterpriseConfig != null) { // WPA3-Enterprise
+ if (mWpa3EnterpriseConfig.getEapMethod() == WifiEnterpriseConfig.Eap.TLS
+ && WifiEnterpriseConfig.isSuiteBCipherCert(
+ mWpa3EnterpriseConfig.getClientCertificate())
+ && WifiEnterpriseConfig.isSuiteBCipherCert(
+ mWpa3EnterpriseConfig.getCaCertificate())) {
+ // WPA3-Enterprise in 192-bit security mode (Suite-B)
+ configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP_SUITE_B);
+ } else {
+ // WPA3-Enterprise
+ configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP);
+ configuration.allowedProtocols.set(WifiConfiguration.Protocol.RSN);
+ configuration.allowedPairwiseCiphers.set(WifiConfiguration.PairwiseCipher.CCMP);
+ configuration.allowedPairwiseCiphers.set(
+ WifiConfiguration.PairwiseCipher.GCMP_256);
+ configuration.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.CCMP);
+ configuration.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.GCMP_256);
+ configuration.requirePmf = true;
+ }
configuration.enterpriseConfig = mWpa3EnterpriseConfig;
} else if (mIsEnhancedOpen) { // OWE network
configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_OWE);
diff --git a/wifi/java/android/net/wifi/WifiNetworkSuggestion.java b/wifi/java/android/net/wifi/WifiNetworkSuggestion.java
index 68eb1bbd8a79..d8be1d2c853c 100644
--- a/wifi/java/android/net/wifi/WifiNetworkSuggestion.java
+++ b/wifi/java/android/net/wifi/WifiNetworkSuggestion.java
@@ -72,12 +72,12 @@ public final class WifiNetworkSuggestion implements Parcelable {
private @Nullable String mWpa3SaePassphrase;
/**
* The enterprise configuration details specifying the EAP method,
- * certificates and other settings associated with the WPA-EAP networks.
+ * certificates and other settings associated with the WPA/WPA2-Enterprise networks.
*/
private @Nullable WifiEnterpriseConfig mWpa2EnterpriseConfig;
/**
* The enterprise configuration details specifying the EAP method,
- * certificates and other settings associated with the SuiteB networks.
+ * certificates and other settings associated with the WPA3-Enterprise networks.
*/
private @Nullable WifiEnterpriseConfig mWpa3EnterpriseConfig;
/**
@@ -276,7 +276,11 @@ public final class WifiNetworkSuggestion implements Parcelable {
/**
* Set the associated enterprise configuration for this network. Needed for authenticating
- * to WPA3 enterprise networks. See {@link WifiEnterpriseConfig} for description.
+ * to WPA3-Enterprise networks (standard and 192-bit security). See
+ * {@link WifiEnterpriseConfig} for description. For 192-bit security networks, both the
+ * client and CA certificates must be provided, and must be of type of either
+ * sha384WithRSAEncryption (OID 1.2.840.113549.1.1.12) or ecdsa-with-SHA384
+ * (OID 1.2.840.10045.4.3.3).
*
* @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}.
* @return Instance of {@link Builder} to enable chaining of the builder method.
@@ -522,8 +526,25 @@ public final class WifiNetworkSuggestion implements Parcelable {
} else if (mWpa2EnterpriseConfig != null) { // WPA-EAP network
configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP);
configuration.enterpriseConfig = mWpa2EnterpriseConfig;
- } else if (mWpa3EnterpriseConfig != null) { // WPA3-SuiteB network
- configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP_SUITE_B);
+ } else if (mWpa3EnterpriseConfig != null) { // WPA3-Enterprise
+ if (mWpa3EnterpriseConfig.getEapMethod() == WifiEnterpriseConfig.Eap.TLS
+ && WifiEnterpriseConfig.isSuiteBCipherCert(
+ mWpa3EnterpriseConfig.getClientCertificate())
+ && WifiEnterpriseConfig.isSuiteBCipherCert(
+ mWpa3EnterpriseConfig.getCaCertificate())) {
+ // WPA3-Enterprise in 192-bit security mode (Suite-B)
+ configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP_SUITE_B);
+ } else {
+ // WPA3-Enterprise
+ configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_EAP);
+ configuration.allowedProtocols.set(WifiConfiguration.Protocol.RSN);
+ configuration.allowedPairwiseCiphers.set(WifiConfiguration.PairwiseCipher.CCMP);
+ configuration.allowedPairwiseCiphers.set(
+ WifiConfiguration.PairwiseCipher.GCMP_256);
+ configuration.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.CCMP);
+ configuration.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.GCMP_256);
+ configuration.requirePmf = true;
+ }
configuration.enterpriseConfig = mWpa3EnterpriseConfig;
} else if (mIsEnhancedOpen) { // OWE network
configuration.setSecurityParams(WifiConfiguration.SECURITY_TYPE_OWE);
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-03 08:13:57 +0000