authorHai Shalom <haishalom@google.com>2019-07-26 10:52:05 -0700
committerHai Shalom <haishalom@google.com>2019-08-02 22:37:31 +0000
commit1b0234a5ada2bdb2c0788eb274f84039302e3c98 (patch)
treef054172dc4e9e5ec8f1d6b9cae01a435814c8ff3 /service
parente2921b824d04071ae5dcea6d594986b3eeda0752 (diff)
[Passpoint] OSU system exception when the URL is HTTP
Added checks that the OSU URL is an HTTPS type, and that openConnection returns an object of HTTPS type before casting it. Added additional tests. Added additional error logs when the OSU cert fails verification. Bug: 138444946 Test: atest OsuServerConnectionTest Test: Verify class cast exception with HTTP URL before the change and a handled error when the change is applied. Change-Id: I85b88988f056efd993e19ba157df1d3987b60b27
Diffstat (limited to 'service')
-rw-r--r--service/java/com/android/server/wifi/hotspot2/OsuServerConnection.java61
1 files changed, 50 insertions, 11 deletions
diff --git a/service/java/com/android/server/wifi/hotspot2/OsuServerConnection.java b/service/java/com/android/server/wifi/hotspot2/OsuServerConnection.java
index c748ca1ac..94f584f72 100644
--- a/service/java/com/android/server/wifi/hotspot2/OsuServerConnection.java
+++ b/service/java/com/android/server/wifi/hotspot2/OsuServerConnection.java
@@ -43,6 +43,7 @@ import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
+import java.net.URLConnection;
import java.security.KeyManagementException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
@@ -163,7 +164,7 @@ public class OsuServerConnection {
*/
public boolean connect(@NonNull URL url, @NonNull Network network) {
if (url == null) {
- Log.e(TAG, "url is null");
+ Log.e(TAG, "URL is null");
return false;
}
if (network == null) {
@@ -171,6 +172,14 @@ public class OsuServerConnection {
return false;
}
+ String protocol = url.getProtocol();
+ // According to section 7.5.1 OSU operational requirements, in HS2.0 R3 specification,
+ // the URL must be HTTPS. Enforce it here.
+ if (!TextUtils.equals(protocol, "https")) {
+ Log.e(TAG, "OSU server URL must be HTTPS");
+ return false;
+ }
+
mHandler.post(() -> performTlsConnection(url, network));
return true;
}
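Review bot: The rejection log in the new scheme check in connect() does not record which scheme was supplied, so a field log cannot tell a plain `http` OSU URL from any other unexpected one. Logging only the scheme keeps the full server URL out of the log: `Log.e(TAG, "OSU server URL must be HTTPS, got: " + protocol);`. The method's Javadoc ends just above the hunk and is not visible here; if it lists the conditions under which connect() returns false, it should gain a line such as `false if the URL scheme is not https`, since callers now get a synchronous failure with no callback for that case.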
@@ -271,13 +280,37 @@ public class OsuServerConnection {
mNetwork = network;
mUrl = url;
- HttpsURLConnection urlConnection;
+ URLConnection urlConnection;
+ HttpsURLConnection httpsURLConnection;
+
+ try {
+ urlConnection = mNetwork.openConnection(mUrl);
+ } catch (IOException e) {
+ Log.e(TAG, "Unable to establish a URL connection: " + e);
+ if (mOsuServerCallbacks != null) {
+ mOsuServerCallbacks.onServerConnectionStatus(
+ mOsuServerCallbacks.getSessionId(),
+ false);
+ }
+ return;
+ }
+
+ if (urlConnection instanceof HttpsURLConnection) {
+ httpsURLConnection = (HttpsURLConnection) urlConnection;
+ } else {
+ Log.e(TAG, "Invalid URL connection");
+ if (mOsuServerCallbacks != null) {
+ mOsuServerCallbacks.onServerConnectionStatus(mOsuServerCallbacks.getSessionId(),
+ false);
+ }
+ return;
+ }
+
try {
- urlConnection = (HttpsURLConnection) mNetwork.openConnection(mUrl);
- urlConnection.setSSLSocketFactory(mSocketFactory);
- urlConnection.setConnectTimeout(HttpsServiceConnection.DEFAULT_TIMEOUT_MS);
- urlConnection.setReadTimeout(HttpsServiceConnection.DEFAULT_TIMEOUT_MS);
- urlConnection.connect();
+ httpsURLConnection.setSSLSocketFactory(mSocketFactory);
+ httpsURLConnection.setConnectTimeout(HttpsServiceConnection.DEFAULT_TIMEOUT_MS);
+ httpsURLConnection.setReadTimeout(HttpsServiceConnection.DEFAULT_TIMEOUT_MS);
+ httpsURLConnection.connect();
} catch (IOException e) {
Log.e(TAG, "Unable to establish a URL connection: " + e);
if (mOsuServerCallbacks != null) {
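Review bot: The failure-reporting block (`if (mOsuServerCallbacks != null) { ...onServerConnectionStatus(..., false); }`) now appears three times in this method, and both IOException handlers log the identical text "Unable to establish a URL connection", so a log line no longer shows whether openConnection() or connect() failed. I would move the callback into one private helper (named `notifyConnectionFailed` below, a new method) and give the openConnection() handler its own message. The instanceof guard is worth keeping as a second check behind the scheme test in connect(), because the cast is what previously crashed. The method, presumably performTlsConnection, starts above the hunk and its last catch block continues past it.
```java
// … unchanged: mNetwork / mUrl assignment and local declarations …
try {
    urlConnection = mNetwork.openConnection(mUrl);
} catch (IOException e) {
    Log.e(TAG, "Unable to open a URL connection: " + e);
    notifyConnectionFailed();
    return;
}

if (!(urlConnection instanceof HttpsURLConnection)) {
    Log.e(TAG, "Invalid URL connection");
    notifyConnectionFailed();
    return;
}
httpsURLConnection = (HttpsURLConnection) urlConnection;
// … unchanged: socket factory, timeouts, connect() and its catch …

private void notifyConnectionFailed() {
    if (mOsuServerCallbacks != null) {
        mOsuServerCallbacks.onServerConnectionStatus(
                mOsuServerCallbacks.getSessionId(), false);
    }
}
```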
@@ -286,7 +319,7 @@ public class OsuServerConnection {
}
return;
}
- mUrlConnection = urlConnection;
+ mUrlConnection = httpsURLConnection;
if (mOsuServerCallbacks != null) {
mOsuServerCallbacks.onServerConnectionStatus(mOsuServerCallbacks.getSessionId(), true);
}
@@ -572,9 +605,15 @@ public class OsuServerConnection {
(SSLSocket) null);
certsValid = true;
} catch (CertificateException e) {
- Log.e(TAG, "Unable to validate certs " + e);
- if (mVerboseLoggingEnabled) {
- e.printStackTrace();
+ Log.e(TAG, "Certificate validation failure: " + e);
+ int i = 0;
+ for (X509Certificate cert : chain) {
+ // Provide some more details about the invalid certificate
+ Log.e(TAG, "Cert " + i + " details: " + cert.getSubjectDN());
+ Log.e(TAG, "Not before: " + cert.getNotBefore() + ", not after: "
+ + cert.getNotAfter());
+ Log.e(TAG, "Cert " + i + " issuer: " + cert.getIssuerDN());
+ i++;
}
}
if (mOsuServerCallbacks != null) {
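Review bot: The new loop in the CertificateException handler writes three error-level lines for every certificate in `chain`, and both the chain length and the subject/issuer strings come from the server whose validation just failed, so an unverified peer decides how much lands in the device log and what it says. The removed code gated its extra output on `mVerboseLoggingEnabled`; I would keep the one-line failure message unconditional, put the per-certificate details back behind that flag, and cap the number of certificates logged (`MAX_LOGGED_CERTS` below is a new constant to define). `getSubjectDN()` and `getIssuerDN()` are also discouraged in the X509Certificate documentation in favour of `getSubjectX500Principal()` and `getIssuerX500Principal()`. The enclosing method starts above the hunk and continues past it.
```java
} catch (CertificateException e) {
    Log.e(TAG, "Certificate validation failure: " + e);
    if (mVerboseLoggingEnabled) {
        // Chain contents come from the unverified server: bound what is logged.
        int i = 0;
        for (X509Certificate cert : chain) {
            if (i >= MAX_LOGGED_CERTS) {
                break;
            }
            Log.e(TAG, "Cert " + i + " subject: " + cert.getSubjectX500Principal()
                    + ", issuer: " + cert.getIssuerX500Principal());
            Log.e(TAG, "Not before: " + cert.getNotBefore() + ", not after: "
                    + cert.getNotAfter());
            i++;
        }
    }
}
```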