author | Roshan Pius <rpius@google.com> | 2019-11-06 12:10:22 -0800 |
---|---|---|
committer | Roshan Pius <rpius@google.com> | 2019-11-13 06:08:08 -0800 |
commit | 90503be8f907d90977cce9e3baf3b0de0436e71d (patch) | |
tree | f8c3669914b68545c017c7e9ad018aa168f4a83f | |
parent | b24ebef5d1f72635d69a92d55720866a8b22718b (diff) |
WifiKeystore: Migrate to public keystore
a) Move keystore access to public keystore API surfaces. Some of these
APIs are not a 1:1 mapping. For example, the public surface has a
single API for storing the private key and the user certificates.
b) The public keystore API stores the CERT in DER format, so it needs to be converted to
PEM in the wifi keystore HAL.
c) The public keystore API internally appends the keystore alias
prefixes. So, stop appending it in the wifi stack.
Bug: 142089671
Test: Connected to passpoint networks
Test: Will send for full regression tests.
Test: atest com.android.server.wifi
Change-Id: I281f92d7dc4a042c206fb77ae9290a663fafbb6f
9 files changed, 232 insertions, 313 deletions
diff --git a/service/java/com/android/server/wifi/WifiInjector.java b/service/java/com/android/server/wifi/WifiInjector.java index 7103b0444..686c4ca95 100644 --- a/service/java/com/android/server/wifi/WifiInjector.java +++ b/service/java/com/android/server/wifi/WifiInjector.java @@ -35,11 +35,12 @@ import android.os.HandlerThread; import android.os.IBinder; import android.os.INetworkManagementService; import android.os.Looper; +import android.os.Process; import android.os.ServiceManager; import android.os.SystemProperties; import android.os.UserManager; import android.provider.Settings.Secure; -import android.security.KeyStore; +import android.security.keystore.AndroidKeyStoreProvider; import android.telephony.SubscriptionManager; import android.telephony.TelephonyManager; import android.util.LocalLog; @@ -61,6 +62,9 @@ import com.android.server.wifi.util.WifiPermissionsWrapper; import com.android.server.wifi.wificond.IWificond; import com.android.wifi.R; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchProviderException; import java.util.Random; /** @@ -112,7 +116,6 @@ public class WifiInjector { private WifiLastResortWatchdog mWifiLastResortWatchdog; private final PropertyService mPropertyService = new SystemPropertyService(); private final BuildProperties mBuildProperties = new SystemBuildProperties(); - private final KeyStore mKeyStore = KeyStore.getInstance(); private final WifiBackupRestore mWifiBackupRestore; private final WifiMulticastLockManager mWifiMulticastLockManager; private final WifiConfigStore mWifiConfigStore; @@ -156,6 +159,7 @@ public class WifiInjector { private final MboOceController mMboOceController; private final TelephonyUtil mTelephonyUtil; private WifiChannelUtilization mWifiChannelUtilization; + private final KeyStore mKeyStore; public WifiInjector(Context context) { if (context == null) { 
@@ -241,8 +245,14 @@ public class WifiInjector { mContext,this, wifiHandler, mBackupManagerProxy, mFrameworkFacade); // WifiConfigManager/Store objects and their dependencies. - // New config store + KeyStore keyStore = null; + try { + keyStore = AndroidKeyStoreProvider.getKeyStoreForUid(Process.WIFI_UID); + } catch (KeyStoreException | NoSuchProviderException e) { + } + mKeyStore = keyStore; mWifiKeyStore = new WifiKeyStore(mKeyStore); + // New config store mWifiConfigStore = new WifiConfigStore(mContext, wifiHandler, mClock, mWifiMetrics, WifiConfigStore.createSharedFile(mFrameworkFacade.isNiapModeOn(mContext))); SubscriptionManager subscriptionManager = @@ -465,10 +475,6 @@ public class WifiInjector { return mBuildProperties; } - public KeyStore getKeyStore() { - return mKeyStore; - } - public WifiBackupRestore getWifiBackupRestore() { return mWifiBackupRestore; } diff --git a/service/java/com/android/server/wifi/WifiKeyStore.java b/service/java/com/android/server/wifi/WifiKeyStore.java index c1706a20d..11a23e64f 100644 --- a/service/java/com/android/server/wifi/WifiKeyStore.java +++ b/service/java/com/android/server/wifi/WifiKeyStore.java 
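Review bot: The empty `catch (KeyStoreException | NoSuchProviderException e) { }` around `AndroidKeyStoreProvider.getKeyStoreForUid(Process.WIFI_UID)` discards the only information about why the Wi-Fi keystore could not be opened. `WifiKeyStore` is then constructed with null and, by its own log message, every later key operation fails, so the cause should be recorded where it occurs, e.g. `Log.e(TAG, "Failed to open keystore for WIFI_UID", e);` (with whichever log tag this class defines; none is visible in the hunk). The constructor body starts and ends outside the hunk.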
@@ -16,23 +16,21 @@ package com.android.server.wifi; +import android.annotation.Nullable; import android.net.wifi.WifiConfiguration; import android.net.wifi.WifiEnterpriseConfig; -import android.os.Process; -import android.security.Credentials; import android.security.KeyChain; -import android.security.KeyStore; import android.text.TextUtils; import android.util.ArraySet; import android.util.Log; -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.io.InputStream; +import com.android.internal.util.ArrayUtils; +import com.android.internal.util.Preconditions; + import java.security.Key; +import java.security.KeyStore; +import java.security.KeyStoreException; import java.security.cert.Certificate; -import java.security.cert.CertificateException; -import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Arrays; @@ -49,10 +47,13 @@ public class WifiKeyStore { private boolean mVerboseLoggingEnabled = false; - private final KeyStore mKeyStore; + @Nullable private final KeyStore mKeyStore; - WifiKeyStore(KeyStore keyStore) { + WifiKeyStore(@Nullable KeyStore keyStore) { mKeyStore = keyStore; + if (mKeyStore == null) { + Log.e(TAG, "Unable to retrieve keystore, all key operations will fail"); + } } /** 
@@ -81,38 +82,20 @@ public class WifiKeyStore { * @param existingConfig Existing config corresponding to the network already stored in our * database. This maybe null if it's a new network. * @param config Config corresponding to the network. + * @param existingAlias Alias for all the existing key store data stored. + * @param alias Alias for all the key store data to store. * @return true if successful, false otherwise. */ private boolean installKeys(WifiEnterpriseConfig existingConfig, WifiEnterpriseConfig config, - String name) { - boolean ret = true; - String privKeyName = Credentials.USER_PRIVATE_KEY + name; - String userCertName = Credentials.USER_CERTIFICATE + name; + String existingAlias, String alias) { + Preconditions.checkNotNull(mKeyStore); Certificate[] clientCertificateChain = config.getClientCertificateChain(); - if (clientCertificateChain != null && clientCertificateChain.length != 0) { - byte[] privKeyData = config.getClientPrivateKey().getEncoded(); - if (mVerboseLoggingEnabled) { - if (isHardwareBackedKey(config.getClientPrivateKey())) { - Log.d(TAG, "importing keys " + name + " in hardware backed store"); - } else { - Log.d(TAG, "importing keys " + name + " in software backed store"); - } - } - ret = mKeyStore.importKey(privKeyName, privKeyData, Process.WIFI_UID, - KeyStore.FLAG_NONE); - - if (!ret) { - return ret; - } - - ret = putCertsInKeyStore(userCertName, clientCertificateChain); - if (!ret) { - // Remove private key installed - mKeyStore.delete(privKeyName, Process.WIFI_UID); - return ret; + if (!ArrayUtils.isEmpty(clientCertificateChain)) { + if (!putUserPrivKeyAndCertsInKeyStore(alias, config.getClientPrivateKey(), + clientCertificateChain)) { + return false; } } - X509Certificate[] caCertificates = config.getCaCertificates(); Set<String> oldCaCertificatesToRemove = new ArraySet<>(); if (existingConfig != null && existingConfig.getCaCertificateAliases() != null) { 
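Review bot: `Preconditions.checkNotNull(mKeyStore)` at the top of `installKeys` turns an unavailable keystore into a thrown exception, although the method is documented as `@return true if successful, false otherwise` and the constructor only logs that key operations "will fail". Since `mKeyStore` is declared `@Nullable`, a guard such as `if (mKeyStore == null) return false;` keeps the failure inside the boolean contract instead of propagating an exception to the caller. The same check is added in `removeEntryFromKeyStore`, `removeKeys` and `updateNetworkKeys`, while `putCaCertInKeyStore` and `putUserPrivKeyAndCertsInKeyStore` dereference `mKeyStore` with no check at all. `installKeys` continues past the end of this hunk.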
@@ -123,34 +106,32 @@ public class WifiKeyStore { if (caCertificates != null) { caCertificateAliases = new ArrayList<>(); for (int i = 0; i < caCertificates.length; i++) { - String alias = caCertificates.length == 1 ? name - : String.format("%s_%d", name, i); + // Use a different alias only if there is more than 1 certificate in the chain. + String caAlias = caCertificates.length == 1 + ? alias + : String.format("%s_%d", alias, i); - oldCaCertificatesToRemove.remove(alias); - ret = putCertInKeyStore(Credentials.CA_CERTIFICATE + alias, caCertificates[i]); - if (!ret) { - // Remove client key+cert - if (config.getClientCertificate() != null) { - mKeyStore.delete(privKeyName, Process.WIFI_UID); - mKeyStore.delete(userCertName, Process.WIFI_UID); - } - // Remove added CA certs. + oldCaCertificatesToRemove.remove(caAlias); + if (!putCaCertInKeyStore(caAlias, caCertificates[i])) { + // cleanup everything on failure. + removeEntryFromKeyStore(alias); for (String addedAlias : caCertificateAliases) { - mKeyStore.delete(Credentials.CA_CERTIFICATE + addedAlias, Process.WIFI_UID); + removeEntryFromKeyStore(addedAlias); } - return ret; - } else { - caCertificateAliases.add(alias); + return false; } + caCertificateAliases.add(alias); } } - // Remove old CA certs. + // Remove old private keys. + removeEntryFromKeyStore(existingAlias); + // Remove any old CA certs. for (String oldAlias : oldCaCertificatesToRemove) { - mKeyStore.delete(Credentials.CA_CERTIFICATE + oldAlias, Process.WIFI_UID); + removeEntryFromKeyStore(oldAlias); } // Set alias names if (config.getClientCertificate() != null) { - config.setClientCertificateAlias(name); + config.setClientCertificateAlias(alias); config.resetClientKeyEntry(); } 
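Review bot: `caCertificateAliases.add(alias);` records the base alias rather than `caAlias`, so with more than one CA certificate the entries are stored under `alias_0`, `alias_1`, … while the list handed to the config repeats `alias`; the line should be `caCertificateAliases.add(caAlias);`. The failure path inherits the problem, because it iterates `caCertificateAliases` to delete what was added and would miss the suffixed entries. Separately, `removeEntryFromKeyStore(existingAlias);` runs unconditionally after the install, so if the old and new aliases are equal it would delete the entry just written; `if (!alias.equals(existingAlias)) removeEntryFromKeyStore(existingAlias);` looks like the intent, to be confirmed against how the key ids are derived.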
@@ -159,62 +140,58 @@ public class WifiKeyStore { caCertificateAliases.toArray(new String[caCertificateAliases.size()])); config.resetCaCertificate(); } - return ret; - } - - /** - * Install a certificate into the keystore. - * - * @param name The alias name of the certificate to be installed - * @param cert The certificate to be installed - * @return true on success - */ - public boolean putCertInKeyStore(String name, Certificate cert) { - return putCertsInKeyStore(name, new Certificate[] {cert}); + return true; } /** - * Install a client certificate chain into the keystore. + * Install a CA certificate into the keystore. * - * @param name The alias name of the certificate to be installed - * @param certs The certificate chain to be installed + * @param alias The alias name of the CA certificate to be installed + * @param cert The CA certificate to be installed * @return true on success */ - public boolean putCertsInKeyStore(String name, Certificate[] certs) { + public boolean putCaCertInKeyStore(String alias, Certificate cert) { try { - byte[] certData = Credentials.convertToPem(certs); - if (mVerboseLoggingEnabled) { - Log.d(TAG, "putting " + certs.length + " certificate(s) " - + name + " in keystore"); - } - return mKeyStore.put(name, certData, Process.WIFI_UID, KeyStore.FLAG_NONE); - } catch (IOException e1) { - return false; - } catch (CertificateException e2) { + mKeyStore.setCertificateEntry(alias, cert); + return true; + } catch (KeyStoreException e) { + Log.e(TAG, "Failed to put CA certificate in keystore"); return false; } } /** - * Install a key into the keystore. + * Install a private key + user certificate into the keystore. * - * @param name The alias name of the key to be installed - * @param key The key to be installed + * @param alias The alias name of the key to be installed + * @param key The private key to be installed + * @param certs User Certificate chain. 
* @return true on success */ - public boolean putKeyInKeyStore(String name, Key key) { - byte[] privKeyData = key.getEncoded(); - return mKeyStore.importKey(name, privKeyData, Process.WIFI_UID, KeyStore.FLAG_NONE); + public boolean putUserPrivKeyAndCertsInKeyStore(String alias, Key key, Certificate[] certs) { + try { + mKeyStore.setKeyEntry(alias, key.getEncoded(), certs); + return true; + } catch (KeyStoreException e) { + Log.e(TAG, "Failed to put CA certificate in keystore"); + return false; + } } /** * Remove a certificate or key entry specified by the alias name from the keystore. * - * @param name The alias name of the entry to be removed + * @param alias The alias name of the entry to be removed * @return true on success */ - public boolean removeEntryFromKeyStore(String name) { - return mKeyStore.delete(name, Process.WIFI_UID); + public boolean removeEntryFromKeyStore(String alias) { + Preconditions.checkNotNull(mKeyStore); + try { + mKeyStore.deleteEntry(alias); + return true; + } catch (KeyStoreException e) { + return false; + } } /** 
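Review bot: `putUserPrivKeyAndCertsInKeyStore` passes `key.getEncoded()` to the `byte[]` overload of `KeyStore.setKeyEntry`, which the JCA contract defines as taking key material that is already in protected form; `getEncoded()` yields the plain encoding, and a provider may reject this overload, which is worth confirming for the Android provider. Handing over the `Key` object, `mKeyStore.setKeyEntry(alias, key, null, certs);`, also avoids creating an extra copy of the raw private-key bytes. The catch block logs `"Failed to put CA certificate in keystore"`, copied from `putCaCertInKeyStore`; it should name the private key and user certificate and pass `e` to `Log.e`. `removeEntryFromKeyStore` likewise returns false without logging the exception.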
@@ -223,51 +200,40 @@ public class WifiKeyStore { * @param config Config corresponding to the network. */ public void removeKeys(WifiEnterpriseConfig config) { + Preconditions.checkNotNull(mKeyStore); // Do not remove keys that were manually installed by the user if (config.isAppInstalledDeviceKeyAndCert()) { String client = config.getClientCertificateAlias(); // a valid client certificate is configured if (!TextUtils.isEmpty(client)) { if (mVerboseLoggingEnabled) { - Log.d(TAG, "removing client private key and user cert"); + Log.d(TAG, "removing client private key, user cert and CA cert)"); } - mKeyStore.delete(Credentials.USER_PRIVATE_KEY + client, Process.WIFI_UID); - mKeyStore.delete(Credentials.USER_CERTIFICATE + client, Process.WIFI_UID); + // if there is only a single CA certificate, then that is also stored with + // the same alias, hence will be removed here. + removeEntryFromKeyStore(client); } } // Do not remove CA certs that were manually installed by the user if (config.isAppInstalledCaCert()) { String[] aliases = config.getCaCertificateAliases(); - // a valid ca certificate is configured - if (aliases != null) { + // only need remove CA certs here in case there are more than 1 CA certificate, + // otherwise the remove of priv key/user cert should already handle removal of the CA + // certificate as well. 
+ if (aliases != null || aliases.length > 1) { for (String ca : aliases) { if (!TextUtils.isEmpty(ca)) { if (mVerboseLoggingEnabled) { Log.d(TAG, "removing CA cert: " + ca); } - mKeyStore.delete(Credentials.CA_CERTIFICATE + ca, Process.WIFI_UID); + removeEntryFromKeyStore(ca); } } } } } - - /** - * @param certData byte array of the certificate - */ - private X509Certificate buildCACertificate(byte[] certData) { - try { - CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); - InputStream inputStream = new ByteArrayInputStream(certData); - X509Certificate caCertificateX509 = (X509Certificate) certificateFactory - .generateCertificate(inputStream); - return caCertificateX509; - } catch (CertificateException e) { - return null; - } - } /** * Update/Install keys for given enterprise network. * @@ -277,6 +243,9 @@ public class WifiKeyStore { * @return true if successful, false otherwise. */ public boolean updateNetworkKeys(WifiConfiguration config, WifiConfiguration existingConfig) { + Preconditions.checkNotNull(mKeyStore); + Preconditions.checkNotNull(config.enterpriseConfig); + Preconditions.checkNotNull(existingConfig.enterpriseConfig); WifiEnterpriseConfig enterpriseConfig = config.enterpriseConfig; if (!needsKeyStore(enterpriseConfig)) { return true; @@ -288,8 +257,9 @@ public class WifiKeyStore { * fields from the currently tracked configuration */ String keyId = config.getKeyIdForCredentials(existingConfig); - if (!installKeys(existingConfig != null - ? existingConfig.enterpriseConfig : null, enterpriseConfig, keyId)) { + String existingKeyId = existingConfig.getKeyIdForCredentials(existingConfig); + if (!installKeys(existingConfig.enterpriseConfig, enterpriseConfig, + existingKeyId, keyId)) { Log.e(TAG, config.SSID + ": failed to install keys"); return false; } 
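Review bot: `if (aliases != null || aliases.length > 1)` dereferences `aliases` exactly when it is null, so `removeKeys` throws for an app-installed CA config with no stored aliases, and for a non-null array the length test is never evaluated. The comment above it describes the intended condition, `if (aliases != null && aliases.length > 1)`. With that fix a single app-installed CA certificate is removed only through the client-alias branch, so a config that has a CA alias but no client certificate alias may keep its CA entry and could need its own handling.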
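Review bot: `Preconditions.checkNotNull(existingConfig.enterpriseConfig)` and, in the next hunk, `existingConfig.getKeyIdForCredentials(existingConfig)` dereference `existingConfig` unconditionally, while the code being replaced guarded it with `existingConfig != null ? … : null` and `installKeys` still documents its existing config as possibly null for a new network. Unless every caller now passes a non-null existing config, adding a new enterprise network would throw here. Either keep the guard, e.g. `String existingKeyId = existingConfig != null ? existingConfig.getKeyIdForCredentials(existingConfig) : null;`, or state the non-null requirement in the method's Javadoc. `updateNetworkKeys` begins and ends outside both hunks.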
@@ -302,53 +272,48 @@ public class WifiKeyStore { // CA certificate type. Suite-B requires SHA384, reject other certs. if (config.allowedKeyManagement.get(WifiConfiguration.KeyMgmt.SUITE_B_192)) { // Read the first CA certificate, and initialize - byte[] certData = mKeyStore.get( - Credentials.CA_CERTIFICATE + config.enterpriseConfig.getCaCertificateAlias(), - android.os.Process.WIFI_UID); - - if (certData == null) { + Certificate caCert = null; + try { + caCert = mKeyStore.getCertificate(config.enterpriseConfig.getCaCertificateAlias()); + } catch (KeyStoreException e) { + Log.e(TAG, "Failed to get Suite-B certificate", e); + } + if (caCert == null || !(caCert instanceof X509Certificate)) { Log.e(TAG, "Failed reading CA certificate for Suite-B"); return false; } + X509Certificate x509CaCert = (X509Certificate) caCert; + String sigAlgOid = x509CaCert.getSigAlgOID(); + if (mVerboseLoggingEnabled) { + Log.d(TAG, "Signature algorithm: " + sigAlgOid); + } + config.allowedSuiteBCiphers.clear(); - X509Certificate x509CaCert = buildCACertificate(certData); - - if (x509CaCert != null) { - String sigAlgOid = x509CaCert.getSigAlgOID(); + // Wi-Fi alliance requires the use of both ECDSA secp384r1 and RSA 3072 certificates + // in WPA3-Enterprise 192-bit security networks, which are also known as Suite-B-192 + // networks, even though NSA Suite-B-192 mandates ECDSA only. The use of the term + // Suite-B was already coined in the IEEE 802.11-2016 specification for + // AKM 00-0F-AC but the test plan for WPA3-Enterprise 192-bit for APs mandates + // support for both RSA and ECDSA, and for STAs it mandates ECDSA and optionally + // RSA. In order to be compatible with all WPA3-Enterprise 192-bit deployments, + // we are supporting both types here. 
+ if (sigAlgOid.equals("1.2.840.113549.1.1.12")) { + // sha384WithRSAEncryption + config.allowedSuiteBCiphers.set( + WifiConfiguration.SuiteBCipher.ECDHE_RSA); if (mVerboseLoggingEnabled) { - Log.d(TAG, "Signature algorithm: " + sigAlgOid); + Log.d(TAG, "Selecting Suite-B RSA"); } - config.allowedSuiteBCiphers.clear(); - - // Wi-Fi alliance requires the use of both ECDSA secp384r1 and RSA 3072 certificates - // in WPA3-Enterprise 192-bit security networks, which are also known as Suite-B-192 - // networks, even though NSA Suite-B-192 mandates ECDSA only. The use of the term - // Suite-B was already coined in the IEEE 802.11-2016 specification for - // AKM 00-0F-AC but the test plan for WPA3-Enterprise 192-bit for APs mandates - // support for both RSA and ECDSA, and for STAs it mandates ECDSA and optionally - // RSA. In order to be compatible with all WPA3-Enterprise 192-bit deployments, - // we are supporting both types here. - if (sigAlgOid.equals("1.2.840.113549.1.1.12")) { - // sha384WithRSAEncryption - config.allowedSuiteBCiphers.set( - WifiConfiguration.SuiteBCipher.ECDHE_RSA); - if (mVerboseLoggingEnabled) { - Log.d(TAG, "Selecting Suite-B RSA"); - } - } else if (sigAlgOid.equals("1.2.840.10045.4.3.3")) { - // ecdsa-with-SHA384 - config.allowedSuiteBCiphers.set( - WifiConfiguration.SuiteBCipher.ECDHE_ECDSA); - if (mVerboseLoggingEnabled) { - Log.d(TAG, "Selecting Suite-B ECDSA"); - } - } else { - Log.e(TAG, "Invalid CA certificate type for Suite-B: " - + sigAlgOid); - return false; + } else if (sigAlgOid.equals("1.2.840.10045.4.3.3")) { + // ecdsa-with-SHA384 + config.allowedSuiteBCiphers.set( + WifiConfiguration.SuiteBCipher.ECDHE_ECDSA); + if (mVerboseLoggingEnabled) { + Log.d(TAG, "Selecting Suite-B ECDSA"); } } else { - Log.e(TAG, "Invalid CA certificate for Suite-B"); + Log.e(TAG, "Invalid CA certificate type for Suite-B: " + + sigAlgOid); return false; } } 
diff --git a/service/java/com/android/server/wifi/hotspot2/PasspointConfigUserStoreData.java b/service/java/com/android/server/wifi/hotspot2/PasspointConfigUserStoreData.java index 83a22f96c..9e64417d0 100644 --- a/service/java/com/android/server/wifi/hotspot2/PasspointConfigUserStoreData.java +++ b/service/java/com/android/server/wifi/hotspot2/PasspointConfigUserStoreData.java @@ -69,8 +69,7 @@ public class PasspointConfigUserStoreData implements WifiConfigStore.StoreData { private static final String XML_TAG_PACKAGE_NAME = "PackageName"; private static final String XML_TAG_CA_CERTIFICATE_ALIASES = "CaCertificateAliases"; private static final String XML_TAG_CA_CERTIFICATE_ALIAS = "CaCertificateAlias"; - private static final String XML_TAG_CLIENT_CERTIFICATE_ALIAS = "ClientCertificateAlias"; - private static final String XML_TAG_CLIENT_PRIVATE_KEY_ALIAS = "ClientPrivateKeyAlias"; + private static final String XML_TAG_CLIENT_PRIVATE_KEY_AND_CERT_ALIAS = "ClientPrivateKeyAlias"; private static final String XML_TAG_REMEDIATION_CA_CERTIFICATE_ALIAS = "RemediationCaCertificateAlias"; @@ -200,10 +199,8 @@ public class PasspointConfigUserStoreData implements WifiConfigStore.StoreData { } XmlUtil.writeNextValue(out, XML_TAG_CA_CERTIFICATE_ALIASES, provider.getCaCertificateAliases()); - XmlUtil.writeNextValue(out, XML_TAG_CLIENT_CERTIFICATE_ALIAS, - provider.getClientCertificateAlias()); - XmlUtil.writeNextValue(out, XML_TAG_CLIENT_PRIVATE_KEY_ALIAS, - provider.getClientPrivateKeyAlias()); + XmlUtil.writeNextValue(out, XML_TAG_CLIENT_PRIVATE_KEY_AND_CERT_ALIAS, + provider.getClientPrivateKeyAndCertificateAlias()); XmlUtil.writeNextValue(out, XML_TAG_HAS_EVER_CONNECTED, provider.getHasEverConnected()); XmlUtil.writeNextValue(out, XML_TAG_IS_FROM_SUGGESTION, provider.isFromSuggestion()); if (provider.getConfig() != null) { 
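Review bot: `XML_TAG_CLIENT_PRIVATE_KEY_AND_CERT_ALIAS` keeps the on-disk tag `"ClientPrivateKeyAlias"`, and the parser hunk further down (`@@ -304,11 +300,8`) removes the `XML_TAG_CLIENT_CERTIFICATE_ALIAS` case, so a store file written before this change still contains a `ClientCertificateAlias` element that no case handles. How the switch's default branch treats an unknown tag is not visible here; if it rejects it, previously saved Passpoint providers would fail to load after an upgrade. Keeping a case that reads and ignores the old tag, with a comment such as `// Legacy tag: client cert now shares the private key alias`, would make the compatibility intent explicit.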
@@ -273,8 +270,7 @@ public class PasspointConfigUserStoreData implements WifiConfigStore.StoreData { int creatorUid = Integer.MIN_VALUE; List<String> caCertificateAliases = null; String caCertificateAlias = null; - String clientCertificateAlias = null; - String clientPrivateKeyAlias = null; + String clientPrivateKeyAndCertificateAlias = null; String remediationCaCertificateAlias = null; String packageName = null; boolean hasEverConnected = false; @@ -304,11 +300,8 @@ public class PasspointConfigUserStoreData implements WifiConfigStore.StoreData { // uses this alias. caCertificateAlias = (String) value; break; - case XML_TAG_CLIENT_CERTIFICATE_ALIAS: - clientCertificateAlias = (String) value; - break; - case XML_TAG_CLIENT_PRIVATE_KEY_ALIAS: - clientPrivateKeyAlias = (String) value; + case XML_TAG_CLIENT_PRIVATE_KEY_AND_CERT_ALIAS: + clientPrivateKeyAndCertificateAlias = (String) value; break; case XML_TAG_REMEDIATION_CA_CERTIFICATE_ALIAS: remediationCaCertificateAlias = (String) value; @@ -347,13 +340,13 @@ public class PasspointConfigUserStoreData implements WifiConfigStore.StoreData { if (caCertificateAlias != null) { caCertificateAliases = Arrays.asList(caCertificateAlias); } - if (config == null) { throw new XmlPullParserException("Missing Passpoint configuration"); } return new PasspointProvider(config, mKeyStore, mSimAccessor, providerId, creatorUid, - packageName, isFromSuggestion, caCertificateAliases, clientCertificateAlias, - clientPrivateKeyAlias, remediationCaCertificateAlias, hasEverConnected, shared); + packageName, isFromSuggestion, caCertificateAliases, + clientPrivateKeyAndCertificateAlias, remediationCaCertificateAlias, + hasEverConnected, shared); } } diff --git a/service/java/com/android/server/wifi/hotspot2/PasspointManager.java b/service/java/com/android/server/wifi/hotspot2/PasspointManager.java index 9e7a184bb..bce2f6c69 100644 --- a/service/java/com/android/server/wifi/hotspot2/PasspointManager.java 
+++ b/service/java/com/android/server/wifi/hotspot2/PasspointManager.java @@ -957,7 +957,6 @@ public class PasspointManager { PasspointProvider provider = new PasspointProvider(passpointConfig, mKeyStore, mSimAccessor, mProviderIndex++, wifiConfig.creatorUid, null, false, Arrays.asList(enterpriseConfig.getCaCertificateAlias()), - enterpriseConfig.getClientCertificateAlias(), enterpriseConfig.getClientCertificateAlias(), null, false, false); mProviders.put(passpointConfig.getHomeSp().getFqdn(), provider); return true; diff --git a/service/java/com/android/server/wifi/hotspot2/PasspointProvider.java b/service/java/com/android/server/wifi/hotspot2/PasspointProvider.java index 080903fa8..111048d2b 100644 --- a/service/java/com/android/server/wifi/hotspot2/PasspointProvider.java +++ b/service/java/com/android/server/wifi/hotspot2/PasspointProvider.java @@ -25,7 +25,6 @@ import android.net.wifi.hotspot2.pps.Credential; import android.net.wifi.hotspot2.pps.Credential.SimCredential; import android.net.wifi.hotspot2.pps.Credential.UserCredential; import android.net.wifi.hotspot2.pps.HomeSp; -import android.security.Credentials; import android.text.TextUtils; import android.util.Base64; import android.util.Log; @@ -47,6 +46,8 @@ import com.android.server.wifi.util.InformationElementUtil.RoamingConsortium; import java.nio.charset.StandardCharsets; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.cert.Certificate; import java.security.cert.CertificateEncodingException; import java.security.cert.X509Certificate; import java.util.ArrayList; 
@@ -82,8 +83,7 @@ public class PasspointProvider { * This will be consistent with the usage of the term "alias" in {@link WifiEnterpriseConfig}. */ private List<String> mCaCertificateAliases; - private String mClientPrivateKeyAlias; - private String mClientCertificateAlias; + private String mClientPrivateKeyAndCertificateAlias; private String mRemediationCaCertificateAlias; private final long mProviderId; @@ -104,13 +104,13 @@ public class PasspointProvider { SIMAccessor simAccessor, long providerId, int creatorUid, String packageName, boolean isFromSuggestion) { this(config, keyStore, simAccessor, providerId, creatorUid, packageName, isFromSuggestion, - null, null, null, null, false, false); + null, null, null, false, false); } public PasspointProvider(PasspointConfiguration config, WifiKeyStore keyStore, SIMAccessor simAccessor, long providerId, int creatorUid, String packageName, boolean isFromSuggestion, List<String> caCertificateAliases, - String clientCertificateAlias, String clientPrivateKeyAlias, + String clientPrivateKeyAndCertificateAlias, String remediationCaCertificateAlias, boolean hasEverConnected, boolean isShared) { // Maintain a copy of the configuration to avoid it being updated by others. @@ -120,8 +120,7 @@ public class PasspointProvider { mCreatorUid = creatorUid; mPackageName = packageName; mCaCertificateAliases = caCertificateAliases; - mClientCertificateAlias = clientCertificateAlias; - mClientPrivateKeyAlias = clientPrivateKeyAlias; + mClientPrivateKeyAndCertificateAlias = clientPrivateKeyAndCertificateAlias; mRemediationCaCertificateAlias = remediationCaCertificateAlias; mHasEverConnected = hasEverConnected; mIsShared = isShared; 
@@ -157,12 +156,8 @@ public class PasspointProvider { return mCaCertificateAliases; } - public String getClientPrivateKeyAlias() { - return mClientPrivateKeyAlias; - } - - public String getClientCertificateAlias() { - return mClientCertificateAlias; + public String getClientPrivateKeyAndCertificateAlias() { + return mClientPrivateKeyAndCertificateAlias; } public String getRemediationCaCertificateAlias() { @@ -208,8 +203,7 @@ public class PasspointProvider { mCaCertificateAliases = new ArrayList<>(); for (int i = 0; i < x509Certificates.length; i++) { String alias = String.format("%s%s_%d", ALIAS_HS_TYPE, mProviderId, i); - if (!mKeyStore.putCertInKeyStore(Credentials.CA_CERTIFICATE + alias, - x509Certificates[i])) { + if (!mKeyStore.putCaCertInKeyStore(alias, x509Certificates[i])) { Log.e(TAG, "Failed to install CA Certificate"); uninstallCertsAndKeys(); return false; @@ -219,20 +213,11 @@ public class PasspointProvider { } } - // Install the client private key. - if (mConfig.getCredential().getClientPrivateKey() != null) { - String keyName = Credentials.USER_PRIVATE_KEY + ALIAS_HS_TYPE + mProviderId; - if (!mKeyStore.putKeyInKeyStore(keyName, - mConfig.getCredential().getClientPrivateKey())) { - Log.e(TAG, "Failed to install client private key"); - uninstallCertsAndKeys(); - return false; - } - mClientPrivateKeyAlias = ALIAS_HS_TYPE + mProviderId; - } - - // Install the client certificate. - if (mConfig.getCredential().getClientCertificateChain() != null) { + // Install the client private key & certificate. + if (mConfig.getCredential().getClientPrivateKey() != null + && mConfig.getCredential().getClientCertificateChain() != null) { + String keyName = ALIAS_HS_TYPE + mProviderId; + PrivateKey clientKey = mConfig.getCredential().getClientPrivateKey(); X509Certificate clientCert = getClientCertificate( mConfig.getCredential().getClientCertificateChain(), mConfig.getCredential().getCertCredential().getCertSha256Fingerprint()); 
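Review bot: The combined condition `getClientPrivateKey() != null && getClientCertificateChain() != null` in the last hunk on this line skips installation silently when only one of the two is present, where the removed code installed each independently. The code after the install steps clears keys and certificates from the configuration, so a credential carrying just one of them would appear to lose it without any error, assuming nothing upstream already enforces that they come together. Consider failing explicitly when exactly one is set, or add a comment stating where that invariant is validated. The method body extends beyond this hunk.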
@@ -241,13 +226,13 @@ public class PasspointProvider { uninstallCertsAndKeys(); return false; } - String certName = Credentials.USER_CERTIFICATE + ALIAS_HS_TYPE + mProviderId; - if (!mKeyStore.putCertInKeyStore(certName, clientCert)) { - Log.e(TAG, "Failed to install client certificate"); + if (!mKeyStore.putUserPrivKeyAndCertsInKeyStore( + keyName, clientKey, new Certificate[] {clientCert})) { + Log.e(TAG, "Failed to install client private key & certificate"); uninstallCertsAndKeys(); return false; } - mClientCertificateAlias = ALIAS_HS_TYPE + mProviderId; + mClientPrivateKeyAndCertificateAlias = keyName; } if (mConfig.getSubscriptionUpdate() != null) { @@ -257,15 +242,13 @@ public class PasspointProvider { uninstallCertsAndKeys(); return false; } - mRemediationCaCertificateAlias = - ALIAS_HS_TYPE + ALIAS_ALIAS_REMEDIATION_TYPE + mProviderId; - String certName = Credentials.CA_CERTIFICATE + mRemediationCaCertificateAlias; - if (!mKeyStore.putCertInKeyStore(certName, certificate)) { + String certName = ALIAS_HS_TYPE + ALIAS_ALIAS_REMEDIATION_TYPE + mProviderId; + if (!mKeyStore.putCaCertInKeyStore(certName, certificate)) { Log.e(TAG, "Failed to install CA certificate for remediation"); - mRemediationCaCertificateAlias = null; uninstallCertsAndKeys(); return false; } + mRemediationCaCertificateAlias = certName; } // Clear the keys and certificates in the configuration. 
@@ -284,31 +267,20 @@ public class PasspointProvider { public void uninstallCertsAndKeys() { if (mCaCertificateAliases != null) { for (String certificateAlias : mCaCertificateAliases) { - if (!mKeyStore.removeEntryFromKeyStore( - Credentials.CA_CERTIFICATE + certificateAlias)) { + if (!mKeyStore.removeEntryFromKeyStore(certificateAlias)) { Log.e(TAG, "Failed to remove entry: " + certificateAlias); } } mCaCertificateAliases = null; } - if (mClientPrivateKeyAlias != null) { - if (!mKeyStore.removeEntryFromKeyStore( - Credentials.USER_PRIVATE_KEY + mClientPrivateKeyAlias)) { - Log.e(TAG, "Failed to remove entry: " + mClientPrivateKeyAlias); + if (mClientPrivateKeyAndCertificateAlias != null) { + if (!mKeyStore.removeEntryFromKeyStore(mClientPrivateKeyAndCertificateAlias)) { + Log.e(TAG, "Failed to remove entry: " + mClientPrivateKeyAndCertificateAlias); } - mClientPrivateKeyAlias = null; + mClientPrivateKeyAndCertificateAlias = null; } - if (mClientCertificateAlias != null) { - if (!mKeyStore.removeEntryFromKeyStore( - Credentials.USER_CERTIFICATE + mClientCertificateAlias)) { - Log.e(TAG, "Failed to remove entry: " + mClientCertificateAlias); - } - mClientCertificateAlias = null; - } - if (mRemediationCaCertificateAlias != null) { - if (!mKeyStore.removeEntryFromKeyStore( - Credentials.CA_CERTIFICATE + mRemediationCaCertificateAlias)) { + if (!mKeyStore.removeEntryFromKeyStore(mRemediationCaCertificateAlias)) { Log.e(TAG, "Failed to remove entry: " + mRemediationCaCertificateAlias); } mRemediationCaCertificateAlias = null; 
@@ -505,8 +477,8 @@ public class PasspointProvider { return mProviderId == that.mProviderId && (mCaCertificateAliases == null ? that.mCaCertificateAliases == null : mCaCertificateAliases.equals(that.mCaCertificateAliases)) - && TextUtils.equals(mClientCertificateAlias, that.mClientCertificateAlias) - && TextUtils.equals(mClientPrivateKeyAlias, that.mClientPrivateKeyAlias) + && TextUtils.equals(mClientPrivateKeyAndCertificateAlias, + that.mClientPrivateKeyAndCertificateAlias) && (mConfig == null ? that.mConfig == null : mConfig.equals(that.mConfig)) && TextUtils.equals(mRemediationCaCertificateAlias, that.mRemediationCaCertificateAlias); @@ -514,8 +486,8 @@ public class PasspointProvider { @Override public int hashCode() { - return Objects.hash(mProviderId, mCaCertificateAliases, mClientCertificateAlias, - mClientPrivateKeyAlias, mConfig, mRemediationCaCertificateAlias); + return Objects.hash(mProviderId, mCaCertificateAliases, + mClientPrivateKeyAndCertificateAlias, mConfig, mRemediationCaCertificateAlias); } @Override @@ -667,7 +639,7 @@ public class PasspointProvider { */ private void buildEnterpriseConfigForCertCredential(WifiEnterpriseConfig config) { config.setEapMethod(WifiEnterpriseConfig.Eap.TLS); - config.setClientCertificateAlias(mClientCertificateAlias); + config.setClientCertificateAlias(mClientPrivateKeyAndCertificateAlias); if (!ArrayUtils.isEmpty(mCaCertificateAliases)) { config.setCaCertificateAliases(mCaCertificateAliases.toArray(new String[0])); } else { diff --git a/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java b/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java index f26cf939d..2b3491b31 100644 --- a/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java +++ b/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java 
@@ -77,7 +77,6 @@ import android.os.Process; import android.os.UserManager; import android.os.test.TestLooper; import android.provider.Settings; -import android.security.KeyStore; import android.telephony.SubscriptionInfo; import android.telephony.SubscriptionManager; import android.telephony.TelephonyManager; @@ -421,7 +420,6 @@ public class ClientModeImplTest extends WifiBaseTest { when(mWifiInjector.getWifiLastResortWatchdog()).thenReturn(mWifiLastResortWatchdog); when(mWifiInjector.getPropertyService()).thenReturn(mPropertyService); when(mWifiInjector.getBuildProperties()).thenReturn(mBuildProperties); - when(mWifiInjector.getKeyStore()).thenReturn(mock(KeyStore.class)); when(mWifiInjector.getWifiBackupRestore()).thenReturn(mock(WifiBackupRestore.class)); when(mWifiInjector.getWifiDiagnostics()).thenReturn(mWifiDiagnostics); when(mWifiInjector.getWifiConfigManager()).thenReturn(mWifiConfigManager); diff --git a/tests/wifitests/src/com/android/server/wifi/WifiKeyStoreTest.java b/tests/wifitests/src/com/android/server/wifi/WifiKeyStoreTest.java index 1cb432ef8..42eb52613 100644 --- a/tests/wifitests/src/com/android/server/wifi/WifiKeyStoreTest.java +++ b/tests/wifitests/src/com/android/server/wifi/WifiKeyStoreTest.java @@ -22,9 +22,6 @@ import static org.mockito.Mockito.verifyNoMoreInteractions; import static org.mockito.Mockito.when; import android.net.wifi.WifiEnterpriseConfig; -import android.os.Process; -import android.security.Credentials; -import android.security.KeyStore; import androidx.test.filters.SmallTest; @@ -34,6 +31,8 @@ import org.junit.Test; import org.mockito.Mock; import org.mockito.MockitoAnnotations; +import java.security.KeyStore; + /** * Unit tests for {@link com.android.server.wifi.WifiConfigManager}. */ 
@@ -71,18 +70,15 @@ public class WifiKeyStoreTest extends WifiBaseTest { * Verifies that keys and certs are removed when they were installed by an app. */ @Test - public void testRemoveKeysForAppInstalledCerts() { + public void testRemoveKeysForAppInstalledCerts() throws Exception { when(mWifiEnterpriseConfig.isAppInstalledDeviceKeyAndCert()).thenReturn(true); when(mWifiEnterpriseConfig.isAppInstalledCaCert()).thenReturn(true); mWifiKeyStore.removeKeys(mWifiEnterpriseConfig); // Method calls the KeyStore#delete method 4 times, user key, user cert, and 2 CA cert - verify(mKeyStore).delete(Credentials.USER_PRIVATE_KEY + USER_CERT_ALIAS, Process.WIFI_UID); - verify(mKeyStore).delete(Credentials.USER_CERTIFICATE + USER_CERT_ALIAS, Process.WIFI_UID); - verify(mKeyStore).delete(Credentials.CA_CERTIFICATE + USER_CA_CERT_ALIAS[0], - Process.WIFI_UID); - verify(mKeyStore).delete(Credentials.CA_CERTIFICATE + USER_CA_CERT_ALIAS[1], - Process.WIFI_UID); + verify(mKeyStore).deleteEntry(USER_CERT_ALIAS); + verify(mKeyStore).deleteEntry(USER_CA_CERT_ALIAS[0]); + verify(mKeyStore).deleteEntry(USER_CA_CERT_ALIAS[1]); } /** 
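Review bot: The comment in `testRemoveKeysForAppInstalledCerts` still reads "calls the KeyStore#delete method 4 times, user key, user cert, and 2 CA cert", but the updated test verifies three `deleteEntry` calls. It should read something like `// Method calls KeyStore#deleteEntry 3 times: the combined user key/cert entry and 2 CA certs`. Unlike the two mixed-install tests, this test does not end with `verifyNoMoreInteractions(mKeyStore);`, so a stray extra deletion would go unnoticed here. The comment in `testRemoveKeysForMixedInstalledCerts2` likewise still names `KeyStore#delete` rather than `deleteEntry`.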
@@ -90,14 +86,13 @@ public class WifiKeyStoreTest extends WifiBaseTest { * when CA certs are installed by the user. */ @Test - public void testRemoveKeysForMixedInstalledCerts1() { + public void testRemoveKeysForMixedInstalledCerts1() throws Exception { when(mWifiEnterpriseConfig.isAppInstalledDeviceKeyAndCert()).thenReturn(true); when(mWifiEnterpriseConfig.isAppInstalledCaCert()).thenReturn(false); mWifiKeyStore.removeKeys(mWifiEnterpriseConfig); - // Method calls the KeyStore#delete method 2 times: user key and user cert - verify(mKeyStore).delete(Credentials.USER_PRIVATE_KEY + USER_CERT_ALIAS, Process.WIFI_UID); - verify(mKeyStore).delete(Credentials.USER_CERTIFICATE + USER_CERT_ALIAS, Process.WIFI_UID); + // Method calls the KeyStore#deleteEntry method: user key and user cert + verify(mKeyStore).deleteEntry(USER_CERT_ALIAS); verifyNoMoreInteractions(mKeyStore); } @@ -106,16 +101,14 @@ public class WifiKeyStoreTest extends WifiBaseTest { * removed when CA certs are installed by the app. */ @Test - public void testRemoveKeysForMixedInstalledCerts2() { + public void testRemoveKeysForMixedInstalledCerts2() throws Exception { when(mWifiEnterpriseConfig.isAppInstalledDeviceKeyAndCert()).thenReturn(false); when(mWifiEnterpriseConfig.isAppInstalledCaCert()).thenReturn(true); mWifiKeyStore.removeKeys(mWifiEnterpriseConfig); // Method calls the KeyStore#delete method 2 times: 2 CA certs - verify(mKeyStore).delete(Credentials.CA_CERTIFICATE + USER_CA_CERT_ALIAS[0], - Process.WIFI_UID); - verify(mKeyStore).delete(Credentials.CA_CERTIFICATE + USER_CA_CERT_ALIAS[1], - Process.WIFI_UID); + verify(mKeyStore).deleteEntry(USER_CA_CERT_ALIAS[0]); + verify(mKeyStore).deleteEntry(USER_CA_CERT_ALIAS[1]); verifyNoMoreInteractions(mKeyStore); } diff --git a/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointConfigUserStoreDataTest.java b/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointConfigUserStoreDataTest.java index 563731965..5a30d7164 100644 
--- a/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointConfigUserStoreDataTest.java +++ b/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointConfigUserStoreDataTest.java @@ -61,8 +61,7 @@ import java.util.Map; public class PasspointConfigUserStoreDataTest extends WifiBaseTest { private static final String TEST_CA_CERTIFICATE_ALIAS = "CaCert"; private static final String TEST_CA_CERTIFICATE_ALIAS_2 = "CaCert_2"; - private static final String TEST_CLIENT_CERTIFICATE_ALIAS = "ClientCert"; - private static final String TEST_CLIENT_PRIVATE_KEY_ALIAS = "ClientPrivateKey"; + private static final String TEST_CLIENT_PRIVATE_KEY_AND_CERT_ALIAS = "ClientPrivateKeyAndCert"; private static final String TEST_REMEDIATION_CA_CERTIFICATE_ALIAS = "CaCert_3"; private static final String TEST_CREATOR_PACKAGE = "com.android.test"; private static final long TEST_PROVIDER_ID = 1; @@ -247,13 +246,13 @@ public class PasspointConfigUserStoreDataTest extends WifiBaseTest { List<PasspointProvider> providerList = new ArrayList<>(); providerList.add(new PasspointProvider(createFullPasspointConfiguration(), mKeyStore, mSimAccessor, TEST_PROVIDER_ID, TEST_CREATOR_UID, TEST_CREATOR_PACKAGE, - false, Arrays.asList(TEST_CA_CERTIFICATE_ALIAS), TEST_CLIENT_CERTIFICATE_ALIAS, - TEST_CLIENT_PRIVATE_KEY_ALIAS, null, TEST_HAS_EVER_CONNECTED, TEST_SHARED)); + false, Arrays.asList(TEST_CA_CERTIFICATE_ALIAS), + TEST_CLIENT_PRIVATE_KEY_AND_CERT_ALIAS, null, + TEST_HAS_EVER_CONNECTED, TEST_SHARED)); providerList.add(new PasspointProvider(createFullPasspointConfiguration(), mKeyStore, mSimAccessor, TEST_PROVIDER_ID_2, TEST_CREATOR_UID, TEST_CREATOR_PACKAGE, true, Arrays.asList(TEST_CA_CERTIFICATE_ALIAS, TEST_CA_CERTIFICATE_ALIAS_2), - TEST_CLIENT_CERTIFICATE_ALIAS, - TEST_CLIENT_PRIVATE_KEY_ALIAS, TEST_REMEDIATION_CA_CERTIFICATE_ALIAS, + TEST_CLIENT_PRIVATE_KEY_AND_CERT_ALIAS, TEST_REMEDIATION_CA_CERTIFICATE_ALIAS, TEST_HAS_EVER_CONNECTED, TEST_SHARED)); // Serialize data for user store. 
diff --git a/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointProviderTest.java b/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointProviderTest.java index ec0533214..beddb2199 100644 --- a/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointProviderTest.java +++ b/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointProviderTest.java @@ -62,6 +62,7 @@ import org.mockito.Mock; import java.nio.charset.StandardCharsets; import java.security.MessageDigest; +import java.security.cert.Certificate; import java.security.cert.X509Certificate; import java.util.Arrays; import java.util.BitSet; @@ -80,15 +81,10 @@ public class PasspointProviderTest extends WifiBaseTest { private static final long PROVIDER_ID = 12L; private static final int CREATOR_UID = 1234; private static final String CREATOR_PACKAGE = "com.android.test"; - private static final String CA_CERTIFICATE_NAME = "CACERT_HS2_12_0"; - private static final String CA_CERTIFICATE_NAME_2 = "CACERT_HS2_12_1"; - private static final String CLIENT_CERTIFICATE_NAME = "USRCERT_HS2_12"; - private static final String CLIENT_PRIVATE_KEY_NAME = "USRPKEY_HS2_12"; - private static final String REMEDIATION_CA_CERTIFICATE_NAME = "CACERT_HS2_REMEDIATION_12"; private static final String CA_CERTIFICATE_ALIAS = "HS2_12_0"; private static final String CA_CERTIFICATE_ALIAS_2 = "HS2_12_1"; private static final String CLIENT_CERTIFICATE_ALIAS = "HS2_12"; - private static final String CLIENT_PRIVATE_KEY_ALIAS = "HS2_12"; + private static final String CLIENT_PRIVATE_KEY_AND_CERT_ALIAS = "HS2_12"; private static final String REMEDIATION_CA_CERTIFICATE_ALIAS = "HS2_REMEDIATION_12"; private static final String SYSTEM_CA_STORE_PATH = "/system/etc/security/cacerts"; 
@@ -377,8 +373,6 @@ public class PasspointProviderTest extends WifiBaseTest { assertEquals("anonymous@" + credential.getRealm(), wifiEnterpriseConfig.getAnonymousIdentity()); assertEquals(WifiEnterpriseConfig.Eap.TLS, wifiEnterpriseConfig.getEapMethod()); - assertEquals(CLIENT_CERTIFICATE_ALIAS, - wifiEnterpriseConfig.getClientCertificateAlias()); assertEquals(WifiConfiguration.METERED_OVERRIDE_METERED, wifiConfig.meteredOverride); // Domain suffix match if (ArrayUtils.isEmpty(passpointConfig.getAaaServerTrustedNames())) { @@ -488,15 +482,15 @@ public class PasspointProviderTest extends WifiBaseTest { mProvider = createProvider(config); // Install client certificate and key to the keystore successfully. - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME_2, FakeKeys.CA_CERT1)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS_2, FakeKeys.CA_CERT1)) .thenReturn(true); - when(mKeyStore.putKeyInKeyStore(CLIENT_PRIVATE_KEY_NAME, FakeKeys.RSA_KEY1)) + when(mKeyStore.putUserPrivKeyAndCertsInKeyStore( + CLIENT_PRIVATE_KEY_AND_CERT_ALIAS, FakeKeys.RSA_KEY1, + new Certificate[] {FakeKeys.CLIENT_CERT})) .thenReturn(true); - when(mKeyStore.putCertInKeyStore(CLIENT_CERTIFICATE_NAME, FakeKeys.CLIENT_CERT)) - .thenReturn(true); - when(mKeyStore.putCertInKeyStore(REMEDIATION_CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) + when(mKeyStore.putCaCertInKeyStore(REMEDIATION_CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); assertTrue(mProvider.installCertsAndKeys()); 
@@ -511,8 +505,10 @@ public class PasspointProviderTest extends WifiBaseTest { } assertTrue(mProvider.getCaCertificateAliases().equals( Arrays.asList(CA_CERTIFICATE_ALIAS, CA_CERTIFICATE_ALIAS_2))); - assertTrue(mProvider.getClientPrivateKeyAlias().equals(CLIENT_PRIVATE_KEY_ALIAS)); - assertTrue(mProvider.getClientCertificateAlias().equals(CLIENT_CERTIFICATE_ALIAS)); + assertTrue(mProvider.getClientPrivateKeyAndCertificateAlias() + .equals(CLIENT_PRIVATE_KEY_AND_CERT_ALIAS)); + assertTrue(mProvider.getClientPrivateKeyAndCertificateAlias() + .equals(CLIENT_PRIVATE_KEY_AND_CERT_ALIAS)); assertTrue(TextUtils.equals(mProvider.getRemediationCaCertificateAlias(), mExpectedResult)); } @@ -535,15 +531,15 @@ public class PasspointProviderTest extends WifiBaseTest { mProvider = createProvider(config); // Failed to install client certificate to the keystore. - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME_2, FakeKeys.CA_CERT1)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS_2, FakeKeys.CA_CERT1)) .thenReturn(false); - when(mKeyStore.putKeyInKeyStore(CLIENT_PRIVATE_KEY_NAME, FakeKeys.RSA_KEY1)) - .thenReturn(true); - when(mKeyStore.putCertInKeyStore(CLIENT_CERTIFICATE_NAME, FakeKeys.CLIENT_CERT)) + when(mKeyStore.putUserPrivKeyAndCertsInKeyStore( + CLIENT_PRIVATE_KEY_AND_CERT_ALIAS, FakeKeys.RSA_KEY1, + new Certificate[] {FakeKeys.CLIENT_CERT})) .thenReturn(true); - when(mKeyStore.putCertInKeyStore(REMEDIATION_CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) + when(mKeyStore.putCaCertInKeyStore(REMEDIATION_CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); assertFalse(mProvider.installCertsAndKeys()); 
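Review bot: The two `assertTrue(mProvider.getClientPrivateKeyAndCertificateAlias().equals(CLIENT_PRIVATE_KEY_AND_CERT_ALIAS))` statements added in this hunk are identical. They look like a mechanical replacement of the old separate key and certificate checks, and the second one adds nothing. Keep a single check, preferably as `assertEquals(CLIENT_PRIVATE_KEY_AND_CERT_ALIAS, mProvider.getClientPrivateKeyAndCertificateAlias());`, which reports the actual value on failure and does not throw a NullPointerException when the alias is null. The enclosing test method starts outside the hunk.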
@@ -557,8 +553,7 @@ public class PasspointProviderTest extends WifiBaseTest { assertTrue(curConfig.getSubscriptionUpdate().getCaCertificate() != null); } assertTrue(mProvider.getCaCertificateAliases() == null); - assertTrue(mProvider.getClientPrivateKeyAlias() == null); - assertTrue(mProvider.getClientCertificateAlias() == null); + assertTrue(mProvider.getClientPrivateKeyAndCertificateAlias() == null); assertTrue(mProvider.getRemediationCaCertificateAlias() == null); } 
@@ -582,36 +577,35 @@ public class PasspointProviderTest extends WifiBaseTest { mProvider = createProvider(config); // Install client certificate and key to the keystore successfully. - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) - .thenReturn(true); - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME_2, FakeKeys.CA_CERT1)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); - when(mKeyStore.putKeyInKeyStore(CLIENT_PRIVATE_KEY_NAME, FakeKeys.RSA_KEY1)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS_2, FakeKeys.CA_CERT1)) .thenReturn(true); - when(mKeyStore.putCertInKeyStore(CLIENT_CERTIFICATE_NAME, FakeKeys.CLIENT_CERT)) + when(mKeyStore.putUserPrivKeyAndCertsInKeyStore( + CLIENT_PRIVATE_KEY_AND_CERT_ALIAS, FakeKeys.RSA_KEY1, + new Certificate[] {FakeKeys.CLIENT_CERT})) .thenReturn(true); - when(mKeyStore.putCertInKeyStore(REMEDIATION_CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) + when(mKeyStore.putCaCertInKeyStore(REMEDIATION_CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); assertTrue(mProvider.installCertsAndKeys()); assertTrue(mProvider.getCaCertificateAliases().equals( Arrays.asList(CA_CERTIFICATE_ALIAS, CA_CERTIFICATE_ALIAS_2))); - assertTrue(mProvider.getClientPrivateKeyAlias().equals(CLIENT_PRIVATE_KEY_ALIAS)); - assertTrue(mProvider.getClientCertificateAlias().equals(CLIENT_CERTIFICATE_ALIAS)); + assertTrue(mProvider.getClientPrivateKeyAndCertificateAlias() + .equals(CLIENT_PRIVATE_KEY_AND_CERT_ALIAS)); assertTrue(TextUtils.equals(mProvider.getRemediationCaCertificateAlias(), mExpectedResult)); // Uninstall certificates and key from the keystore. 
mProvider.uninstallCertsAndKeys(); - verify(mKeyStore).removeEntryFromKeyStore(CA_CERTIFICATE_NAME); - verify(mKeyStore).removeEntryFromKeyStore(CA_CERTIFICATE_NAME_2); - verify(mKeyStore).removeEntryFromKeyStore(CLIENT_CERTIFICATE_NAME); - verify(mKeyStore).removeEntryFromKeyStore(CLIENT_PRIVATE_KEY_NAME); + verify(mKeyStore).removeEntryFromKeyStore(CA_CERTIFICATE_ALIAS); + verify(mKeyStore).removeEntryFromKeyStore(CA_CERTIFICATE_ALIAS_2); + verify(mKeyStore).removeEntryFromKeyStore(CLIENT_CERTIFICATE_ALIAS); + verify(mKeyStore).removeEntryFromKeyStore(CLIENT_PRIVATE_KEY_AND_CERT_ALIAS); if (mRemediationCaCertificate != null) { - verify(mKeyStore).removeEntryFromKeyStore(REMEDIATION_CA_CERTIFICATE_NAME); + verify(mKeyStore).removeEntryFromKeyStore(REMEDIATION_CA_CERTIFICATE_ALIAS); } assertTrue(mProvider.getCaCertificateAliases() == null); - assertTrue(mProvider.getClientPrivateKeyAlias() == null); - assertTrue(mProvider.getClientCertificateAlias() == null); + assertTrue(mProvider.getClientPrivateKeyAndCertificateAlias() == null); assertTrue(mProvider.getRemediationCaCertificateAlias() == null); } @@ -1009,7 +1003,7 @@ public class PasspointProviderTest extends WifiBaseTest { mProvider = createProvider(config); // Install certificate. - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); assertTrue(mProvider.installCertsAndKeys()); @@ -1042,7 +1036,7 @@ public class PasspointProviderTest extends WifiBaseTest { mProvider = createProvider(config); // Install certificate. - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); assertTrue(mProvider.installCertsAndKeys()); 
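Review bot: `verify(mKeyStore).removeEntryFromKeyStore(CLIENT_CERTIFICATE_ALIAS)` and the next `verify` on `CLIENT_PRIVATE_KEY_AND_CERT_ALIAS` check the same invocation, because both constants are defined as "HS2_12" in this file. Both pass against the single removal that `uninstallCertsAndKeys()` now performs for the combined entry. The pair reads as if the key and the certificate were still removed separately, which is misleading. Drop the `CLIENT_CERTIFICATE_ALIAS` verify, and the now-redundant constant if nothing else uses it, so that only `verify(mKeyStore).removeEntryFromKeyStore(CLIENT_PRIVATE_KEY_AND_CERT_ALIAS);` remains.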
@@ -1090,11 +1084,11 @@ public class PasspointProviderTest extends WifiBaseTest { mProvider = createProvider(config); // Install certificate. - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); - when(mKeyStore.putKeyInKeyStore(CLIENT_PRIVATE_KEY_NAME, FakeKeys.RSA_KEY1)) - .thenReturn(true); - when(mKeyStore.putCertInKeyStore(CLIENT_CERTIFICATE_NAME, FakeKeys.CLIENT_CERT)) + when(mKeyStore.putUserPrivKeyAndCertsInKeyStore( + CLIENT_PRIVATE_KEY_AND_CERT_ALIAS, FakeKeys.RSA_KEY1, + new Certificate[] {FakeKeys.CLIENT_CERT})) .thenReturn(true); assertTrue(mProvider.installCertsAndKeys()); @@ -1118,11 +1112,11 @@ public class PasspointProviderTest extends WifiBaseTest { mProvider = createProvider(config); // Install certificate. - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) - .thenReturn(true); - when(mKeyStore.putKeyInKeyStore(CLIENT_PRIVATE_KEY_NAME, FakeKeys.RSA_KEY1)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); - when(mKeyStore.putCertInKeyStore(CLIENT_CERTIFICATE_NAME, FakeKeys.CLIENT_CERT)) + when(mKeyStore.putUserPrivKeyAndCertsInKeyStore( + CLIENT_PRIVATE_KEY_AND_CERT_ALIAS, FakeKeys.RSA_KEY1, + new Certificate[] {FakeKeys.CLIENT_CERT})) .thenReturn(true); assertTrue(mProvider.installCertsAndKeys()); @@ -1146,9 +1140,9 @@ public class PasspointProviderTest extends WifiBaseTest { mProvider = createProvider(config); // Install certificate. - when(mKeyStore.putKeyInKeyStore(CLIENT_PRIVATE_KEY_NAME, FakeKeys.RSA_KEY1)) - .thenReturn(true); - when(mKeyStore.putCertInKeyStore(CLIENT_CERTIFICATE_NAME, FakeKeys.CLIENT_CERT)) + when(mKeyStore.putUserPrivKeyAndCertsInKeyStore( + CLIENT_PRIVATE_KEY_AND_CERT_ALIAS, FakeKeys.RSA_KEY1, + new Certificate[] {FakeKeys.CLIENT_CERT})) .thenReturn(true); assertTrue(mProvider.installCertsAndKeys()); |