authorHai Shalom <haishalom@google.com>2019-12-26 16:20:15 -0800
committerHai Shalom <haishalom@google.com>2020-01-07 19:10:15 +0000
commitcb2e4e0d8b6844caa8b38a5dd1cfce231e974124 (patch)
treea13d54332a28ee24eaadb1cd57b451da5b847bc9 /service
parentecd58085c1e1c53560144d0c8232fb23c1561371 (diff)
[Passpoint] Allow self signed CAs for Passpoint R1
Allow self signed CAs to be installed from Passpoint R1 profile. This removes the restriction that a CA certificate must be validated first. Bug: 147302157 Test: atest PasspointManagerTest Change-Id: Id7fe3620839d08b42c57ff25b4cb99e101f1b824
Diffstat (limited to 'service')
-rw-r--r--service/java/com/android/server/wifi/hotspot2/CertificateVerifier.java57
-rw-r--r--service/java/com/android/server/wifi/hotspot2/PasspointManager.java20
-rw-r--r--service/java/com/android/server/wifi/hotspot2/PasspointObjectFactory.java9
3 files changed, 0 insertions, 86 deletions
diff --git a/service/java/com/android/server/wifi/hotspot2/CertificateVerifier.java b/service/java/com/android/server/wifi/hotspot2/CertificateVerifier.java
deleted file mode 100644
index 004a32fbd..000000000
--- a/service/java/com/android/server/wifi/hotspot2/CertificateVerifier.java
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2017 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package com.android.server.wifi.hotspot2;
-
-import java.io.IOException;
-import java.security.GeneralSecurityException;
-import java.security.KeyStore;
-import java.security.cert.CertPath;
-import java.security.cert.CertPathValidator;
-import java.security.cert.CertificateFactory;
-import java.security.cert.PKIXParameters;
-import java.security.cert.X509Certificate;
-import java.util.Arrays;
-
-/**
- * Utility class used for verifying certificates against the pre-loaded public CAs in the
- * system key store. This class is created to allow the certificate verification to be mocked in
- * unit tests.
- */
-public class CertificateVerifier {
-
- /**
- * Verify that the given certificate is trusted by one of the pre-loaded public CAs in the
- * system key store.
- *
- * @param caCert The CA Certificate to verify
- * @throws GeneralSecurityException
- * @throws IOException
- */
- public void verifyCaCert(X509Certificate caCert)
- throws GeneralSecurityException, IOException {
- CertificateFactory factory = CertificateFactory.getInstance("X.509");
- CertPathValidator validator =
- CertPathValidator.getInstance(CertPathValidator.getDefaultType());
- CertPath path = factory.generateCertPath(
- Arrays.asList(caCert));
- KeyStore ks = KeyStore.getInstance("AndroidCAStore");
- ks.load(null, null);
- PKIXParameters params = new PKIXParameters(ks);
- params.setRevocationEnabled(false);
- validator.validate(path, params);
- }
-}
diff --git a/service/java/com/android/server/wifi/hotspot2/PasspointManager.java b/service/java/com/android/server/wifi/hotspot2/PasspointManager.java
index 25ba078d1..29c9a4cdd 100644
--- a/service/java/com/android/server/wifi/hotspot2/PasspointManager.java
+++ b/service/java/com/android/server/wifi/hotspot2/PasspointManager.java
@@ -64,7 +64,6 @@ import com.android.server.wifi.util.InformationElementUtil;
import com.android.server.wifi.util.TelephonyUtil;
import java.io.PrintWriter;
-import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
@@ -113,7 +112,6 @@ public class PasspointManager {
private final AnqpCache mAnqpCache;
private final ANQPRequestManager mAnqpRequestManager;
private final WifiConfigManager mWifiConfigManager;
- private final CertificateVerifier mCertVerifier;
private final WifiMetrics mWifiMetrics;
private final PasspointProvisioner mPasspointProvisioner;
private final AppOpsManager mAppOps;
@@ -334,7 +332,6 @@ public class PasspointManager {
mProviders = new HashMap<>();
mAnqpCache = objectFactory.makeAnqpCache(clock);
mAnqpRequestManager = objectFactory.makeANQPRequestManager(mPasspointEventHandler, clock);
- mCertVerifier = objectFactory.makeCertificateVerifier();
mWifiConfigManager = wifiConfigManager;
mWifiMetrics = wifiMetrics;
mProviderIndex = 0;
@@ -390,23 +387,6 @@ public class PasspointManager {
return false;
}
- // For Hotspot 2.0 Release 1, the CA Certificate must be trusted by one of the pre-loaded
- // public CAs in the system key store on the device. Since the provisioning method
- // for Release 1 is not standardized nor trusted, this is a reasonable restriction
- // to improve security. The presence of UpdateIdentifier is used to differentiate
- // between R1 and R2 configuration.
- X509Certificate[] x509Certificates = config.getCredential().getCaCertificates();
- if (config.getUpdateIdentifier() == Integer.MIN_VALUE && x509Certificates != null) {
- try {
- for (X509Certificate certificate : x509Certificates) {
- mCertVerifier.verifyCaCert(certificate);
- }
- } catch (Exception e) {
- Log.e(TAG, "Failed to verify CA certificate: " + e.getMessage());
- return false;
- }
- }
-
mTelephonyUtil.tryUpdateCarrierIdForPasspoint(config);
// Create a provider and install the necessary certificates and keys.
PasspointProvider newProvider = mObjectFactory.makePasspointProvider(config, mKeyStore,
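Review bot: After this hunk the code runs from the earlier `return false;` straight to `mTelephonyUtil.tryUpdateCarrierIdForPasspoint(config);`, and nothing left in the new code says that CA certificates carried in a Release 1 profile are now installed as trust anchors without being checked against the system CA store. The removed comment recorded why the check existed (R1 provisioning being "not standardized nor trusted"), so a replacement comment should record what the design relies on instead, for example `// R1 profiles may carry self-signed or private CAs; the CA is trusted as supplied, so trust rests on who is allowed to add a configuration.` Whether the caller is permission-gated is not visible in this hunk and should be confirmed before wording the comment that way. It would also help auditing to log, without failing, when a profile's CA is not anchored in the system store, since the `Log.e` in the removed block was the only trace of such profiles. The enclosing method starts and ends outside the hunk.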
diff --git a/service/java/com/android/server/wifi/hotspot2/PasspointObjectFactory.java b/service/java/com/android/server/wifi/hotspot2/PasspointObjectFactory.java
index 8c1f68b92..12b9b9ccd 100644
--- a/service/java/com/android/server/wifi/hotspot2/PasspointObjectFactory.java
+++ b/service/java/com/android/server/wifi/hotspot2/PasspointObjectFactory.java
@@ -109,15 +109,6 @@ public class PasspointObjectFactory{
}
/**
- * Create an instance of {@link CertificateVerifier}.
- *
- * @return {@link CertificateVerifier}
- */
- public CertificateVerifier makeCertificateVerifier() {
- return new CertificateVerifier();
- }
-
- /**
* Create an instance of {@link PasspointProvisioner}.
*
* @param context Instance of {@link Context}