[Passpoint] Allow profile installations with no Root CA certificate

Allow Passpoint R1 profile installations with no Root CA certificate.
The system will use the default trust root in such a case.

Bug: 150410562
Test: atest CredentialTest
Change-Id: I2f11ba7330aae8a8c9e0b8922bcf320eb95c5e0e
Hai Shalom
2020-02-27 15:47:38 -08:00
parent 6b0bccc9c2
commit ef8cfa2a46
3 changed files with 57 additions and 78 deletions


@@ -722,7 +722,7 @@ public final class PasspointConfiguration implements Parcelable {
if (mSubscriptionUpdate != null && !mSubscriptionUpdate.validate()) {
return false;
}
return validateForCommonR1andR2(true);
return validateForCommonR1andR2();
}
/**
@@ -741,17 +741,17 @@ public final class PasspointConfiguration implements Parcelable {
if (mSubscriptionUpdate == null || !mSubscriptionUpdate.validate()) {
return false;
}
return validateForCommonR1andR2(false);
return validateForCommonR1andR2();
}
private boolean validateForCommonR1andR2(boolean isR1) {
private boolean validateForCommonR1andR2() {
// Required: PerProviderSubscription/<X+>/HomeSP
if (mHomeSp == null || !mHomeSp.validate()) {
return false;
}
// Required: PerProviderSubscription/<X+>/Credential
if (mCredential == null || !mCredential.validate(isR1)) {
if (mCredential == null || !mCredential.validate()) {
return false;
}


@@ -1081,11 +1081,10 @@ public final class Credential implements Parcelable {
/**
* Validate the configuration data.
*
* @param isR1 {@code true} if the configuration is for R1
* @return true on success or false on failure
* @hide
*/
public boolean validate(boolean isR1) {
public boolean validate() {
if (TextUtils.isEmpty(mRealm)) {
Log.d(TAG, "Missing realm");
return false;
@@ -1098,11 +1097,11 @@ public final class Credential implements Parcelable {
// Verify the credential.
if (mUserCredential != null) {
if (!verifyUserCredential(isR1)) {
if (!verifyUserCredential()) {
return false;
}
} else if (mCertCredential != null) {
if (!verifyCertCredential(isR1)) {
if (!verifyCertCredential()) {
return false;
}
} else if (mSimCredential != null) {
@@ -1143,11 +1142,11 @@ public final class Credential implements Parcelable {
/**
* Verify user credential.
* If no CA certificate is provided, then the system uses the CAs in the trust store.
*
* @param isR1 {@code true} if credential is for R1
* @return true if user credential is valid, false otherwise.
*/
private boolean verifyUserCredential(boolean isR1) {
private boolean verifyUserCredential() {
if (mUserCredential == null) {
Log.d(TAG, "Missing user credential");
return false;
@@ -1160,24 +1159,17 @@ public final class Credential implements Parcelable {
return false;
}
// CA certificate is required for R1 Passpoint profile.
// For R2, it is downloaded using cert URL provided in PPS MO after validation completes.
if (isR1 && mCaCertificates == null) {
Log.d(TAG, "Missing CA Certificate for user credential");
return false;
}
return true;
}
/**
* Verify certificate credential, which is used for EAP-TLS. This will verify
* that the necessary client key and certificates are provided.
* If no CA certificate is provided, then the system uses the CAs in the trust store.
*
* @param isR1 {@code true} if credential is for R1
* @return true if certificate credential is valid, false otherwise.
*/
private boolean verifyCertCredential(boolean isR1) {
private boolean verifyCertCredential() {
if (mCertCredential == null) {
Log.d(TAG, "Missing certificate credential");
return false;
@@ -1191,13 +1183,6 @@ public final class Credential implements Parcelable {
return false;
}
// Verify required key and certificates for certificate credential.
// CA certificate is required for R1 Passpoint profile.
// For R2, it is downloaded using cert URL provided in PPS MO after validation completes.
if (isR1 && mCaCertificates == null) {
Log.d(TAG, "Missing CA Certificate for certificate credential");
return false;
}
if (mClientPrivateKey == null) {
Log.d(TAG, "Missing client private key for certificate credential");
return false;
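Review bot: With the `isR1 && mCaCertificates == null` checks removed from verifyUserCredential() and verifyCertCredential(), a profile with no CA certificate now passes validation, and nothing visible in this section shows that the fallback to the system trust store is paired with a server-identity constraint. Trusting every CA in the store only authenticates the AAA server if its certificate is also matched against the provider's domain; that match is presumably enforced where the enterprise configuration is built, outside this diff, and should be confirmed. I would state the dependency in the Javadoc of the public validate(), e.g. `* A null CA certificate is accepted; the server is then validated against the system trust store and must be domain-matched by the caller.` I would also replace the removed log lines with a diagnostic such as `Log.d(TAG, "No CA certificate, falling back to system trust store");` so the weaker trust anchor is visible when debugging. Both verify methods start and end outside their hunks.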


@@ -158,7 +158,7 @@ public class CredentialTest {
}
/**
* Verify parcel read/write for an user credential.
* Verify parcel read/write for a user credential.
*
* @throws Exception
*/
@@ -176,14 +176,14 @@ public class CredentialTest {
Credential cred = createCredentialWithUserCredential();
// For R1 validation
assertTrue(cred.validate(true));
assertTrue(cred.validate());
// For R2 validation
assertTrue(cred.validate(false));
assertTrue(cred.validate());
}
/**
* Verify that an user credential without CA Certificate is invalid.
* Verify that a user credential without CA Certificate is valid.
*
* @throws Exception
*/
@@ -192,15 +192,12 @@ public class CredentialTest {
Credential cred = createCredentialWithUserCredential();
cred.setCaCertificate(null);
// For R1 validation
assertFalse(cred.validate(true));
// For R2 validation
assertTrue(cred.validate(false));
// Accept a configuration with no CA certificate, the system will use the default cert store
assertTrue(cred.validate());
}
/**
* Verify that an user credential with EAP type other than EAP-TTLS is invalid.
* Verify that a user credential with EAP type other than EAP-TTLS is invalid.
*
* @throws Exception
*/
@@ -210,15 +207,15 @@ public class CredentialTest {
cred.getUserCredential().setEapType(EAPConstants.EAP_TLS);
// For R1 validation
assertFalse(cred.validate(true));
assertFalse(cred.validate());
// For R2 validation
assertFalse(cred.validate(false));
assertFalse(cred.validate());
}
/**
* Verify that an user credential without realm is invalid.
* Verify that a user credential without realm is invalid.
*
* @throws Exception
*/
@@ -228,14 +225,14 @@ public class CredentialTest {
cred.setRealm(null);
// For R1 validation
assertFalse(cred.validate(true));
assertFalse(cred.validate());
// For R2 validation
assertFalse(cred.validate(false));
assertFalse(cred.validate());
}
/**
* Verify that an user credential without username is invalid.
* Verify that a user credential without username is invalid.
*
* @throws Exception
*/
@@ -245,14 +242,14 @@ public class CredentialTest {
cred.getUserCredential().setUsername(null);
// For R1 validation
assertFalse(cred.validate(true));
assertFalse(cred.validate());
// For R2 validation
assertFalse(cred.validate(false));
assertFalse(cred.validate());
}
/**
* Verify that an user credential without password is invalid.
* Verify that a user credential without password is invalid.
*
* @throws Exception
*/
@@ -262,14 +259,14 @@ public class CredentialTest {
cred.getUserCredential().setPassword(null);
// For R1 validation
assertFalse(cred.validate(true));
assertFalse(cred.validate());
// For R2 validation
assertFalse(cred.validate(false));
assertFalse(cred.validate());
}
/**
* Verify that an user credential without auth methoh (non-EAP inner method) is invalid.
* Verify that a user credential without auth methoh (non-EAP inner method) is invalid.
*
* @throws Exception
*/
@@ -279,10 +276,10 @@ public class CredentialTest {
cred.getUserCredential().setNonEapInnerMethod(null);
// For R1 validation
assertFalse(cred.validate(true));
assertFalse(cred.validate());
// For R2 validation
assertFalse(cred.validate(false));
assertFalse(cred.validate());
}
/**
@@ -297,10 +294,10 @@ public class CredentialTest {
Credential cred = createCredentialWithCertificateCredential();
// For R1 validation
assertTrue(cred.validate(true));
assertTrue(cred.validate());
// For R2 validation
assertTrue(cred.validate(true));
assertTrue(cred.validate());
}
/**
@@ -313,11 +310,8 @@ public class CredentialTest {
Credential cred = createCredentialWithCertificateCredential();
cred.setCaCertificate(null);
// For R1 validation
assertFalse(cred.validate(true));
// For R2 validation
assertTrue(cred.validate(false));
// Accept a configuration with no CA certificate, the system will use the default cert store
assertTrue(cred.validate());
}
/**
@@ -331,10 +325,10 @@ public class CredentialTest {
cred.setClientCertificateChain(null);
// For R1 validation
assertFalse(cred.validate(true));
assertFalse(cred.validate());
// For R2 validation
assertFalse(cred.validate(false));
assertFalse(cred.validate());
}
/**
@@ -348,10 +342,10 @@ public class CredentialTest {
cred.setClientPrivateKey(null);
// For R1 validation
assertFalse(cred.validate(true));
assertFalse(cred.validate());
// For R2 validation
assertFalse(cred.validate(false));
assertFalse(cred.validate());
}
/**
@@ -366,10 +360,10 @@ public class CredentialTest {
cred.getCertCredential().setCertSha256Fingerprint(new byte[32]);
// For R1 validation
assertFalse(cred.validate(true));
assertFalse(cred.validate());
// For R2 validation
assertFalse(cred.validate(false));
assertFalse(cred.validate());
}
/**
@@ -382,10 +376,10 @@ public class CredentialTest {
Credential cred = createCredentialWithSimCredential();
// For R1 validation
assertTrue(cred.validate(true));
assertTrue(cred.validate());
// For R2 validation
assertTrue(cred.validate(false));
assertTrue(cred.validate());
}
/**
@@ -399,10 +393,10 @@ public class CredentialTest {
cred.getSimCredential().setEapType(EAPConstants.EAP_AKA);
// For R1 validation
assertTrue(cred.validate(true));
assertTrue(cred.validate());
// For R2 validation
assertTrue(cred.validate(false));
assertTrue(cred.validate());
}
/**
@@ -416,10 +410,10 @@ public class CredentialTest {
cred.getSimCredential().setEapType(EAPConstants.EAP_AKA_PRIME);
// For R1 validation
assertTrue(cred.validate(true));
assertTrue(cred.validate());
// For R2 validation
assertTrue(cred.validate(false));
assertTrue(cred.validate());
}
/**
@@ -433,10 +427,10 @@ public class CredentialTest {
cred.getSimCredential().setImsi(null);
// For R1 validation
assertFalse(cred.validate(true));
assertFalse(cred.validate());
// For R2 validation
assertFalse(cred.validate(false));
assertFalse(cred.validate());
}
/**
@@ -450,10 +444,10 @@ public class CredentialTest {
cred.getSimCredential().setImsi("dummy");
// For R1 validation
assertFalse(cred.validate(true));
assertFalse(cred.validate());
// For R2 validation
assertFalse(cred.validate(false));
assertFalse(cred.validate());
}
/**
@@ -467,14 +461,14 @@ public class CredentialTest {
cred.getSimCredential().setEapType(EAPConstants.EAP_TLS);
// For R1 validation
assertFalse(cred.validate(true));
assertFalse(cred.validate());
// For R2 validation
assertFalse(cred.validate(false));
assertFalse(cred.validate());
}
/**
* Verify that a credential contained both an user and a SIM credential is invalid.
* Verify that a credential contained both a user and a SIM credential is invalid.
*
* @throws Exception
*/
@@ -488,10 +482,10 @@ public class CredentialTest {
cred.setSimCredential(simCredential);
// For R1 validation
assertFalse(cred.validate(true));
assertFalse(cred.validate());
// For R2 validation
assertFalse(cred.validate(false));
assertFalse(cred.validate());
}
/**
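Review bot: The paired assertions in these tests are now identical: after the `isR1` argument was dropped, most tests still carry `// For R1 validation` and `// For R2 validation` above two calls to the same `cred.validate()`. The second call and both comments no longer test or describe anything distinct. Collapse each pair to a single `assertTrue(cred.validate());` or `assertFalse(cred.validate());` without the R1/R2 comments, as this commit already does in the two no-CA-certificate tests. The Javadoc line rewritten in the hunk at -262 still reads "auth methoh"; `method` was presumably intended and could be fixed in the same pass.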