Merge "[Suggestion] block setting insecure enterprise config" into rvc-dev am: 7b1e3c55f3

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/11726207 Change-Id: Ibccdf93c78ed02cb38e4575d499971cc67db01d1
2020-06-08 17:08:57 +00:00
parent c7506710a7 7b1e3c55f3
commit a91aa781fb
4 changed files with 98 additions and 2 deletions
--- a/wifi/java/android/net/wifi/WifiEnterpriseConfig.java
+++ b/wifi/java/android/net/wifi/WifiEnterpriseConfig.java
@@ -1381,4 +1381,26 @@ public class WifiEnterpriseConfig implements Parcelable {
    public String getWapiCertSuite() {
        return getFieldValue(WAPI_CERT_SUITE_KEY);
    }
+
+    /**
+     * Method determines whether the Enterprise configuration is insecure. An insecure
+     * configuration is one where EAP method requires a CA certification, i.e. PEAP, TLS, or
+     * TTLS, and any of the following conditions are met:
+     * - Both certificate and CA path are not configured.
+     * - Both alternative subject match and domain suffix match are not set.
+     *
+     * Note: this method does not exhaustively check security of the configuration - i.e. a return
+     * value of {@code false} is not a guarantee that the configuration is secure.
+     * @hide
+     */
+    public boolean isInsecure() {
+        if (mEapMethod != Eap.PEAP && mEapMethod != Eap.TLS && mEapMethod != Eap.TTLS) {
+            return false;
+        }
+        if (!mIsAppInstalledCaCert && TextUtils.isEmpty(getCaPath())) {
+            return true;
+        }
+        return TextUtils.isEmpty(getAltSubjectMatch()) && TextUtils.isEmpty(
+                getDomainSuffixMatch());
+    }
 }
--- a/wifi/java/android/net/wifi/WifiNetworkSuggestion.java
+++ b/wifi/java/android/net/wifi/WifiNetworkSuggestion.java
@@ -257,28 +257,38 @@ public final class WifiNetworkSuggestion implements Parcelable {

        /**
         * Set the associated enterprise configuration for this network. Needed for authenticating
-         * to WPA2-EAP networks. See {@link WifiEnterpriseConfig} for description.
+         * to WPA2 enterprise networks. See {@link WifiEnterpriseConfig} for description.
         *
         * @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}.
         * @return Instance of {@link Builder} to enable chaining of the builder method.
+         * @throws IllegalArgumentException if configuration CA certificate or
+         *                                  AltSubjectMatch/DomainSuffixMatch is not set.
         */
        public @NonNull Builder setWpa2EnterpriseConfig(
                @NonNull WifiEnterpriseConfig enterpriseConfig) {
            checkNotNull(enterpriseConfig);
+            if (enterpriseConfig.isInsecure()) {
+                throw new IllegalArgumentException("Enterprise configuration is insecure");
+            }
            mWpa2EnterpriseConfig = new WifiEnterpriseConfig(enterpriseConfig);
            return this;
        }

        /**
         * Set the associated enterprise configuration for this network. Needed for authenticating
-         * to WPA3-SuiteB networks. See {@link WifiEnterpriseConfig} for description.
+         * to WPA3 enterprise networks. See {@link WifiEnterpriseConfig} for description.
         *
         * @param enterpriseConfig Instance of {@link WifiEnterpriseConfig}.
         * @return Instance of {@link Builder} to enable chaining of the builder method.
+         * @throws IllegalArgumentException if configuration CA certificate or
+         *                                  AltSubjectMatch/DomainSuffixMatch is not set.
         */
        public @NonNull Builder setWpa3EnterpriseConfig(
                @NonNull WifiEnterpriseConfig enterpriseConfig) {
            checkNotNull(enterpriseConfig);
+            if (enterpriseConfig.isInsecure()) {
+                throw new IllegalArgumentException("Enterprise configuration is insecure");
+            }
            mWpa3EnterpriseConfig = new WifiEnterpriseConfig(enterpriseConfig);
            return this;
        }
--- a/wifi/tests/src/android/net/wifi/WifiEnterpriseConfigTest.java
+++ b/wifi/tests/src/android/net/wifi/WifiEnterpriseConfigTest.java
@@ -47,6 +47,7 @@ public class WifiEnterpriseConfigTest {
    public static final String KEYSTORE_URI = "keystore://";
    public static final String CA_CERT_PREFIX = KEYSTORE_URI + Credentials.CA_CERTIFICATE;
    public static final String KEYSTORES_URI = "keystores://";
+    private static final String TEST_DOMAIN_SUFFIX_MATCH = "domainSuffixMatch";

    private WifiEnterpriseConfig mEnterpriseConfig;

@@ -540,4 +541,30 @@ public class WifiEnterpriseConfigTest {
        mEnterpriseConfig.setEapMethod(Eap.UNAUTH_TLS);
        assertEquals(null, getSupplicantPhase2Method());
    }
+
+    @Test
+    public void testIsEnterpriseConfigSecure() {
+        WifiEnterpriseConfig baseConfig = new WifiEnterpriseConfig();
+        baseConfig.setEapMethod(Eap.PEAP);
+        baseConfig.setPhase2Method(Phase2.MSCHAPV2);
+        assertTrue(baseConfig.isInsecure());
+
+        WifiEnterpriseConfig noMatchConfig = new WifiEnterpriseConfig(baseConfig);
+        noMatchConfig.setCaCertificate(FakeKeys.CA_CERT0);
+        // Missing match is insecure.
+        assertTrue(noMatchConfig.isInsecure());
+
+        WifiEnterpriseConfig noCaConfig = new WifiEnterpriseConfig(baseConfig);
+        noCaConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH);
+        // Missing CA certificate is insecure.
+        assertTrue(noCaConfig.isInsecure());
+
+        WifiEnterpriseConfig secureConfig = new WifiEnterpriseConfig();
+        secureConfig.setEapMethod(Eap.PEAP);
+        secureConfig.setPhase2Method(Phase2.MSCHAPV2);
+        secureConfig.setCaCertificate(FakeKeys.CA_CERT0);
+        secureConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH);
+        assertFalse(secureConfig.isInsecure());
+    }
+
 }
--- a/wifi/tests/src/android/net/wifi/WifiNetworkSuggestionTest.java
+++ b/wifi/tests/src/android/net/wifi/WifiNetworkSuggestionTest.java
@@ -38,6 +38,7 @@ public class WifiNetworkSuggestionTest {
    private static final String TEST_PRESHARED_KEY = "Test123";
    private static final String TEST_FQDN = "fqdn";
    private static final String TEST_WAPI_CERT_SUITE = "suite";
+    private static final String TEST_DOMAIN_SUFFIX_MATCH = "domainSuffixMatch";

    /**
     * Validate correctness of WifiNetworkSuggestion object created by
@@ -208,6 +209,8 @@ public class WifiNetworkSuggestionTest {
        WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig();
        enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS);
        enterpriseConfig.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC);
+        enterpriseConfig.setCaCertificate(FakeKeys.CA_CERT0);
+        enterpriseConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH);

        WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder()
                .setSsid(TEST_SSID)
@@ -229,6 +232,40 @@ public class WifiNetworkSuggestionTest {
        assertTrue(suggestion.isInitialAutoJoinEnabled);
    }

+    /**
+     * Ensure create enterprise suggestion requires CA, when CA certificate is missing, will throw
+     * an exception.
+     */
+    @Test (expected = IllegalArgumentException.class)
+    public void testWifiNetworkSuggestionBuilderForEapNetworkWithoutCa() {
+        WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig();
+        enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS);
+        enterpriseConfig.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC);
+        enterpriseConfig.setDomainSuffixMatch(TEST_DOMAIN_SUFFIX_MATCH);
+
+        WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder()
+                .setSsid(TEST_SSID)
+                .setWpa2EnterpriseConfig(enterpriseConfig)
+                .build();
+    }
+
+    /**
+     * Ensure create enterprise suggestion requires CA, when both domain suffix and alt subject
+     * match are missing, will throw an exception.
+     */
+    @Test (expected = IllegalArgumentException.class)
+    public void testWifiNetworkSuggestionBuilderForEapNetworkWithoutMatch() {
+        WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig();
+        enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS);
+        enterpriseConfig.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC);
+        enterpriseConfig.setCaCertificate(FakeKeys.CA_CERT0);
+
+        WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder()
+                .setSsid(TEST_SSID)
+                .setWpa3EnterpriseConfig(enterpriseConfig)
+                .build();
+    }
+
    /**
     * Validate correctness of WifiNetworkSuggestion object created by
     * {@link WifiNetworkSuggestion.Builder#build()} for WAPI-PSK network.