Merge "[Suggestion] block setting insecure enterprise config" into rvc-dev

wifi/java/android/net/wifi/WifiEnterpriseConfig.java

@@ -1381,4 +1381,26 @@ public class WifiEnterpriseConfig implements Parcelable {
     public String getWapiCertSuite() {
         return getFieldValue(WAPI_CERT_SUITE_KEY);
     }
+
+    /**
+     * Method determines whether the Enterprise configuration is insecure. An insecure
+     * configuration is one where EAP method requires a CA certification, i.e. PEAP, TLS, or
+     * TTLS, and any of the following conditions are met:
+     * - Both certificate and CA path are not configured.
+     * - Both alternative subject match and domain suffix match are not set.
+     *
+     * Note: this method does not exhaustively check security of the configuration - i.e. a return
+     * value of {@code false} is not a guarantee that the configuration is secure.
+     * @hide
+     */
+    public boolean isInsecure() {
+        if (mEapMethod != Eap.PEAP && mEapMethod != Eap.TLS && mEapMethod != Eap.TTLS) {
+            return false;
+        }
+        if (!mIsAppInstalledCaCert && TextUtils.isEmpty(getCaPath())) {
+            return true;
+        }
+        return TextUtils.isEmpty(getAltSubjectMatch()) && TextUtils.isEmpty(
+                getDomainSuffixMatch());
+    }
 }

wifi/java/android/net/wifi/WifiNetworkSuggestion.java

@@ -257,28 +257,38 @@ public final class WifiNetworkSuggestion implements Parcelable {
 
         /**
          * Set the associated enterprise configuration for this network. Needed for authenticating
-         * to WPA2-EAP networks. See {@link WifiEnterpriseConfig} for description.
+         * to WPA2 enterprise networks. See {@link WifiEnterpriseConfig} for description.
          *
          * @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}.
          * @return Instance of {@link Builder} to enable chaining of the builder method.
+         * @throws IllegalArgumentException if configuration CA certificate or
+         *                                  AltSubjectMatch/DomainSuffixMatch is not set.
          */
         public @NonNull Builder setWpa2EnterpriseConfig(
                 @NonNull WifiEnterpriseConfig enterpriseConfig) {
             checkNotNull(enterpriseConfig);
+            if (enterpriseConfig.isInsecure()) {
+                throw new IllegalArgumentException("Enterprise configuration is insecure");
+            }
             mWpa2EnterpriseConfig = new WifiEnterpriseConfig(enterpriseConfig);
             return this;
         }
 
         /**
          * Set the associated enterprise configuration for this network. Needed for authenticating
-         * to WPA3-SuiteB networks. See {@link WifiEnterpriseConfig} for description.
+         * to WPA3 enterprise networks. See {@link WifiEnterpriseConfig} for description.
          *
          * @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}.
          * @return Instance of {@link Builder} to enable chaining of the builder method.
+         * @throws IllegalArgumentException if configuration CA certificate or
+         *                                  AltSubjectMatch/DomainSuffixMatch is not set.
          */
         public @NonNull Builder setWpa3EnterpriseConfig(
                 @NonNull WifiEnterpriseConfig enterpriseConfig) {
             checkNotNull(enterpriseConfig);
+            if (enterpriseConfig.isInsecure()) {
+                throw new IllegalArgumentException("Enterprise configuration is insecure");
+            }
             mWpa3EnterpriseConfig = new WifiEnterpriseConfig(enterpriseConfig);
             return this;
         }

wifi/tests/src/android/net/wifi/WifiEnterpriseConfigTest.java

@@ -47,6 +47,7 @@ public class WifiEnterpriseConfigTest {
     public static final String KEYSTORE_URI = "keystore://";
     public static final String CA_CERT_PREFIX = KEYSTORE_URI + Credentials.CA_CERTIFICATE;
     public static final String KEYSTORES_URI = "keystores://";
+    private static final String TEST_DOMAIN_SUFFIX_MATCH = "domainSuffixMatch";
 
     private WifiEnterpriseConfig mEnterpriseConfig;
 
@@ -540,4 +541,30 @@ public class WifiEnterpriseConfigTest {
         mEnterpriseConfig.setEapMethod(Eap.UNAUTH_TLS);
         assertEquals(null, getSupplicantPhase2Method());
     }
+
+    @Test
+    public void testIsEnterpriseConfigSecure() {
+        WifiEnterpriseConfig baseConfig = new WifiEnterpriseConfig();
+        baseConfig.setEapMethod(Eap.PEAP);
+        baseConfig.setPhase2Method(Phase2.MSCHAPV2);
+        assertTrue(baseConfig.isInsecure());
+
+        WifiEnterpriseConfig noMatchConfig = new WifiEnterpriseConfig(baseConfig);
+        noMatchConfig.setCaCertificate(FakeKeys.CA_CERT0);
+        // Missing match is insecure.
+        assertTrue(noMatchConfig.isInsecure());
+
+        WifiEnterpriseConfig noCaConfig = new WifiEnterpriseConfig(baseConfig);
+        noCaConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH);
+        // Missing CA certificate is insecure.
+        assertTrue(noCaConfig.isInsecure());
+
+        WifiEnterpriseConfig secureConfig = new WifiEnterpriseConfig();
+        secureConfig.setEapMethod(Eap.PEAP);
+        secureConfig.setPhase2Method(Phase2.MSCHAPV2);
+        secureConfig.setCaCertificate(FakeKeys.CA_CERT0);
+        secureConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH);
+        assertFalse(secureConfig.isInsecure());
+    }
+
 }

wifi/tests/src/android/net/wifi/WifiNetworkSuggestionTest.java

@@ -38,6 +38,7 @@ public class WifiNetworkSuggestionTest {
     private static final String TEST_PRESHARED_KEY = "Test123";
     private static final String TEST_FQDN = "fqdn";
     private static final String TEST_WAPI_CERT_SUITE = "suite";
+    private static final String TEST_DOMAIN_SUFFIX_MATCH = "domainSuffixMatch";
 
     /**
      * Validate correctness of WifiNetworkSuggestion object created by
@@ -208,6 +209,8 @@ public class WifiNetworkSuggestionTest {
         WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig();
         enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS);
         enterpriseConfig.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC);
+        enterpriseConfig.setCaCertificate(FakeKeys.CA_CERT0);
+        enterpriseConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH);
 
         WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder()
                 .setSsid(TEST_SSID)
@@ -229,6 +232,40 @@ public class WifiNetworkSuggestionTest {
         assertTrue(suggestion.isInitialAutoJoinEnabled);
     }
 
+    /**
+     * Ensure create enterprise suggestion requires CA, when CA certificate is missing, will throw
+     * an exception.
+     */
+    @Test (expected = IllegalArgumentException.class)
+    public void testWifiNetworkSuggestionBuilderForEapNetworkWithoutCa() {
+        WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig();
+        enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS);
+        enterpriseConfig.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC);
+        enterpriseConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH);
+
+        WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder()
+                .setSsid(TEST_SSID)
+                .setWpa2EnterpriseConfig(enterpriseConfig)
+                .build();
+    }
+
+    /**
+     * Ensure create enterprise suggestion requires CA, when both domain suffix and alt subject
+     * match are missing, will throw an exception.
+     */
+    @Test (expected = IllegalArgumentException.class)
+    public void testWifiNetworkSuggestionBuilderForEapNetworkWithoutMatch() {
+        WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig();
+        enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS);
+        enterpriseConfig.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC);
+        enterpriseConfig.setCaCertificate(FakeKeys.CA_CERT0);
+
+        WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder()
+                .setSsid(TEST_SSID)
+                .setWpa3EnterpriseConfig(enterpriseConfig)
+                .build();
+    }
+
     /**
      * Validate correctness of WifiNetworkSuggestion object created by
      * {@link WifiNetworkSuggestion.Builder#build()} for WAPI-PSK network.