author | Hai Shalom <haishalom@google.com> | 2019-07-26 10:52:05 -0700 |
---|---|---|
committer | Hai Shalom <haishalom@google.com> | 2019-08-02 22:37:31 +0000 |
commit | 1b0234a5ada2bdb2c0788eb274f84039302e3c98 (patch) | |
tree | f054172dc4e9e5ec8f1d6b9cae01a435814c8ff3 /service | |
parent | e2921b824d04071ae5dcea6d594986b3eeda0752 (diff) |
[Passpoint] OSU system exception when the URL is HTTP
Added checks that the OSU URL is a HTTPS type, and that openConnection
returns an object of HTTPS type before casting it.
Added additional tests.
Add additional error logs when the OSU cert fails verification.
Bug: 138444946
Test: atest OsuServerConnectionTest
Test: Verify class cast exception with HTTP URL before the change and
a handled error when the change is applied.
Change-Id: I85b88988f056efd993e19ba157df1d3987b60b27
Diffstat (limited to 'service')
-rw-r--r-- | service/java/com/android/server/wifi/hotspot2/OsuServerConnection.java | 61 |
1 files changed, 50 insertions, 11 deletions
diff --git a/service/java/com/android/server/wifi/hotspot2/OsuServerConnection.java b/service/java/com/android/server/wifi/hotspot2/OsuServerConnection.java index c748ca1ac..94f584f72 100644 --- a/service/java/com/android/server/wifi/hotspot2/OsuServerConnection.java +++ b/service/java/com/android/server/wifi/hotspot2/OsuServerConnection.java @@ -43,6 +43,7 @@ import java.io.IOException; import java.io.InputStream; import java.net.HttpURLConnection; import java.net.URL; +import java.net.URLConnection; import java.security.KeyManagementException; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; @@ -163,7 +164,7 @@ public class OsuServerConnection { */ public boolean connect(@NonNull URL url, @NonNull Network network) { if (url == null) { - Log.e(TAG, "url is null"); + Log.e(TAG, "URL is null"); return false; } if (network == null) { @@ -171,6 +172,14 @@ public class OsuServerConnection { return false; } + String protocol = url.getProtocol(); + // According to section 7.5.1 OSU operational requirements, in HS2.0 R3 specification, + // the URL must be HTTPS. Enforce it here. + if (!TextUtils.equals(protocol, "https")) { + Log.e(TAG, "OSU server URL must be HTTPS"); + return false; + } + mHandler.post(() -> performTlsConnection(url, network)); return true; } 
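Review bot: The HTTPS check added to connect() (hunk at -171,6 +172,14) gives callers a third reason for a `false` return, and nothing visible documents it. The Javadoc that closes just above the previous hunk is outside the diff, so confirm it covers the new condition, for example `@return {@code false} if url or network is null, or if the URL scheme is not https`. The log line would also be easier to triage with the rejected scheme included: `Log.e(TAG, "OSU server URL must be HTTPS, got: " + protocol);`. That adds only the scheme token, not the host, path or query of the OSU URL.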
@@ -271,13 +280,37 @@ public class OsuServerConnection { mNetwork = network; mUrl = url; - HttpsURLConnection urlConnection; + URLConnection urlConnection; + HttpsURLConnection httpsURLConnection; + + try { + urlConnection = mNetwork.openConnection(mUrl); + } catch (IOException e) { + Log.e(TAG, "Unable to establish a URL connection: " + e); + if (mOsuServerCallbacks != null) { + mOsuServerCallbacks.onServerConnectionStatus( + mOsuServerCallbacks.getSessionId(), + false); + } + return; + } + + if (urlConnection instanceof HttpsURLConnection) { + httpsURLConnection = (HttpsURLConnection) urlConnection; + } else { + Log.e(TAG, "Invalid URL connection"); + if (mOsuServerCallbacks != null) { + mOsuServerCallbacks.onServerConnectionStatus(mOsuServerCallbacks.getSessionId(), + false); + } + return; + } + try { - urlConnection = (HttpsURLConnection) mNetwork.openConnection(mUrl); - urlConnection.setSSLSocketFactory(mSocketFactory); - urlConnection.setConnectTimeout(HttpsServiceConnection.DEFAULT_TIMEOUT_MS); - urlConnection.setReadTimeout(HttpsServiceConnection.DEFAULT_TIMEOUT_MS); - urlConnection.connect(); + httpsURLConnection.setSSLSocketFactory(mSocketFactory); + httpsURLConnection.setConnectTimeout(HttpsServiceConnection.DEFAULT_TIMEOUT_MS); + httpsURLConnection.setReadTimeout(HttpsServiceConnection.DEFAULT_TIMEOUT_MS); + httpsURLConnection.connect(); } catch (IOException e) { Log.e(TAG, "Unable to establish a URL connection: " + e); if (mOsuServerCallbacks != null) { @@ -286,7 +319,7 @@ public class OsuServerConnection { } return; } - mUrlConnection = urlConnection; + mUrlConnection = httpsURLConnection; if (mOsuServerCallbacks != null) { mOsuServerCallbacks.onServerConnectionStatus(mOsuServerCallbacks.getSessionId(), true); } 
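Review bot: The failure notification to mOsuServerCallbacks is now written out three times in this method (openConnection failure, non-HTTPS connection, connect failure), and two of those paths log the identical string "Unable to establish a URL connection", so a log reader cannot tell which step failed. A small private helper for the failure callback, plus distinct messages, would keep the paths consistent. The "Invalid URL connection" branch could also name the class it actually received, which shows why the instanceof guard fired. The enclosing method (presumably performTlsConnection) starts and ends outside this hunk, so the helper placement below is only a sketch.

```java
// … unchanged: mNetwork / mUrl assignment …
URLConnection urlConnection;
try {
    urlConnection = mNetwork.openConnection(mUrl);
} catch (IOException e) {
    Log.e(TAG, "Unable to open a URL connection: " + e);
    notifyConnectionFailed();
    return;
}
if (!(urlConnection instanceof HttpsURLConnection)) {
    Log.e(TAG, "URL connection is not HTTPS: " + urlConnection.getClass().getName());
    notifyConnectionFailed();
    return;
}
HttpsURLConnection httpsURLConnection = (HttpsURLConnection) urlConnection;
// … unchanged: socket factory, timeouts, connect() and its IOException handler …

/** Reports a failed server connection to the registered callbacks, if any. */
private void notifyConnectionFailed() {
    if (mOsuServerCallbacks != null) {
        mOsuServerCallbacks.onServerConnectionStatus(
                mOsuServerCallbacks.getSessionId(), false);
    }
}
```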
@@ -572,9 +605,15 @@ public class OsuServerConnection { (SSLSocket) null); certsValid = true; } catch (CertificateException e) { - Log.e(TAG, "Unable to validate certs " + e); - if (mVerboseLoggingEnabled) { - e.printStackTrace(); + Log.e(TAG, "Certificate validation failure: " + e); + int i = 0; + for (X509Certificate cert : chain) { + // Provide some more details about the invalid certificate + Log.e(TAG, "Cert " + i + " details: " + cert.getSubjectDN()); + Log.e(TAG, "Not before: " + cert.getNotBefore() + ", not after: " + + cert.getNotAfter()); + Log.e(TAG, "Cert " + i + " issuer: " + cert.getIssuerDN()); + i++; } } if (mOsuServerCallbacks != null) { |
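Review bot: The new loop in the CertificateException handler writes three error-level lines for every certificate in `chain`, unconditionally, whereas the removed code gated its extra output on `mVerboseLoggingEnabled`. The chain comes from the server and has just failed validation, so its length and its subject and issuer strings are not trustworthy, and a misbehaving OSU server can fill the log with content it chose. Consider keeping the single "Certificate validation failure" line unconditional and wrapping the per-certificate details in `if (mVerboseLoggingEnabled) { ... }`, or capping the number of certificates logged. Whether `chain` can be null or empty on this path is not visible in the hunk and is worth confirming, since the for-each would throw inside the catch block. `getSubjectDN()` and `getIssuerDN()` are discouraged by the X509Certificate documentation in favour of `getSubjectX500Principal()` and `getIssuerX500Principal()`.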