diff options
9 files changed, 232 insertions, 313 deletions
diff --git a/service/java/com/android/server/wifi/WifiInjector.java b/service/java/com/android/server/wifi/WifiInjector.java index 7103b0444..686c4ca95 100644 --- a/service/java/com/android/server/wifi/WifiInjector.java +++ b/service/java/com/android/server/wifi/WifiInjector.java @@ -35,11 +35,12 @@ import android.os.HandlerThread; import android.os.IBinder; import android.os.INetworkManagementService; import android.os.Looper; +import android.os.Process; import android.os.ServiceManager; import android.os.SystemProperties; import android.os.UserManager; import android.provider.Settings.Secure; -import android.security.KeyStore; +import android.security.keystore.AndroidKeyStoreProvider; import android.telephony.SubscriptionManager; import android.telephony.TelephonyManager; import android.util.LocalLog; @@ -61,6 +62,9 @@ import com.android.server.wifi.util.WifiPermissionsWrapper; import com.android.server.wifi.wificond.IWificond; import com.android.wifi.R; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchProviderException; import java.util.Random; /** @@ -112,7 +116,6 @@ public class WifiInjector { private WifiLastResortWatchdog mWifiLastResortWatchdog; private final PropertyService mPropertyService = new SystemPropertyService(); private final BuildProperties mBuildProperties = new SystemBuildProperties(); - private final KeyStore mKeyStore = KeyStore.getInstance(); private final WifiBackupRestore mWifiBackupRestore; private final WifiMulticastLockManager mWifiMulticastLockManager; private final WifiConfigStore mWifiConfigStore; @@ -156,6 +159,7 @@ public class WifiInjector { private final MboOceController mMboOceController; private final TelephonyUtil mTelephonyUtil; private WifiChannelUtilization mWifiChannelUtilization; + private final KeyStore mKeyStore; public WifiInjector(Context context) { if (context == null) { @@ -241,8 +245,14 @@ public class WifiInjector { mContext,this, wifiHandler, mBackupManagerProxy, mFrameworkFacade); // WifiConfigManager/Store objects and their dependencies. - // New config store + KeyStore keyStore = null; + try { + keyStore = AndroidKeyStoreProvider.getKeyStoreForUid(Process.WIFI_UID); + } catch (KeyStoreException | NoSuchProviderException e) { + } + mKeyStore = keyStore; mWifiKeyStore = new WifiKeyStore(mKeyStore); + // New config store mWifiConfigStore = new WifiConfigStore(mContext, wifiHandler, mClock, mWifiMetrics, WifiConfigStore.createSharedFile(mFrameworkFacade.isNiapModeOn(mContext))); SubscriptionManager subscriptionManager = @@ -465,10 +475,6 @@ public class WifiInjector { return mBuildProperties; } - public KeyStore getKeyStore() { - return mKeyStore; - } - public WifiBackupRestore getWifiBackupRestore() { return mWifiBackupRestore; } diff --git a/service/java/com/android/server/wifi/WifiKeyStore.java b/service/java/com/android/server/wifi/WifiKeyStore.java index c1706a20d..11a23e64f 100644 --- a/service/java/com/android/server/wifi/WifiKeyStore.java +++ b/service/java/com/android/server/wifi/WifiKeyStore.java @@ -16,23 +16,21 @@ package com.android.server.wifi; +import android.annotation.Nullable; import android.net.wifi.WifiConfiguration; import android.net.wifi.WifiEnterpriseConfig; -import android.os.Process; -import android.security.Credentials; import android.security.KeyChain; -import android.security.KeyStore; import android.text.TextUtils; import android.util.ArraySet; import android.util.Log; -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.io.InputStream; +import com.android.internal.util.ArrayUtils; +import com.android.internal.util.Preconditions; + import java.security.Key; +import java.security.KeyStore; +import java.security.KeyStoreException; import java.security.cert.Certificate; -import java.security.cert.CertificateException; -import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Arrays; @@ -49,10 +47,13 @@ public class WifiKeyStore { private boolean mVerboseLoggingEnabled = false; - private final KeyStore mKeyStore; + @Nullable private final KeyStore mKeyStore; - WifiKeyStore(KeyStore keyStore) { + WifiKeyStore(@Nullable KeyStore keyStore) { mKeyStore = keyStore; + if (mKeyStore == null) { + Log.e(TAG, "Unable to retrieve keystore, all key operations will fail"); + } } /** @@ -81,38 +82,20 @@ public class WifiKeyStore { * @param existingConfig Existing config corresponding to the network already stored in our * database. This maybe null if it's a new network. * @param config Config corresponding to the network. + * @param existingAlias Alias for all the existing key store data stored. + * @param alias Alias for all the key store data to store. * @return true if successful, false otherwise. */ private boolean installKeys(WifiEnterpriseConfig existingConfig, WifiEnterpriseConfig config, - String name) { - boolean ret = true; - String privKeyName = Credentials.USER_PRIVATE_KEY + name; - String userCertName = Credentials.USER_CERTIFICATE + name; + String existingAlias, String alias) { + Preconditions.checkNotNull(mKeyStore); Certificate[] clientCertificateChain = config.getClientCertificateChain(); - if (clientCertificateChain != null && clientCertificateChain.length != 0) { - byte[] privKeyData = config.getClientPrivateKey().getEncoded(); - if (mVerboseLoggingEnabled) { - if (isHardwareBackedKey(config.getClientPrivateKey())) { - Log.d(TAG, "importing keys " + name + " in hardware backed store"); - } else { - Log.d(TAG, "importing keys " + name + " in software backed store"); - } - } - ret = mKeyStore.importKey(privKeyName, privKeyData, Process.WIFI_UID, - KeyStore.FLAG_NONE); - - if (!ret) { - return ret; - } - - ret = putCertsInKeyStore(userCertName, clientCertificateChain); - if (!ret) { - // Remove private key installed - mKeyStore.delete(privKeyName, Process.WIFI_UID); - return ret; + if (!ArrayUtils.isEmpty(clientCertificateChain)) { + if (!putUserPrivKeyAndCertsInKeyStore(alias, config.getClientPrivateKey(), + clientCertificateChain)) { + return false; } } - X509Certificate[] caCertificates = config.getCaCertificates(); Set<String> oldCaCertificatesToRemove = new ArraySet<>(); if (existingConfig != null && existingConfig.getCaCertificateAliases() != null) { @@ -123,34 +106,32 @@ public class WifiKeyStore { if (caCertificates != null) { caCertificateAliases = new ArrayList<>(); for (int i = 0; i < caCertificates.length; i++) { - String alias = caCertificates.length == 1 ? name - : String.format("%s_%d", name, i); + // Use a different alias only if there is more than 1 certificate in the chain. + String caAlias = caCertificates.length == 1 + ? alias + : String.format("%s_%d", alias, i); - oldCaCertificatesToRemove.remove(alias); - ret = putCertInKeyStore(Credentials.CA_CERTIFICATE + alias, caCertificates[i]); - if (!ret) { - // Remove client key+cert - if (config.getClientCertificate() != null) { - mKeyStore.delete(privKeyName, Process.WIFI_UID); - mKeyStore.delete(userCertName, Process.WIFI_UID); - } - // Remove added CA certs. + oldCaCertificatesToRemove.remove(caAlias); + if (!putCaCertInKeyStore(caAlias, caCertificates[i])) { + // cleanup everything on failure. + removeEntryFromKeyStore(alias); for (String addedAlias : caCertificateAliases) { - mKeyStore.delete(Credentials.CA_CERTIFICATE + addedAlias, Process.WIFI_UID); + removeEntryFromKeyStore(addedAlias); } - return ret; - } else { - caCertificateAliases.add(alias); + return false; } + caCertificateAliases.add(alias); } } - // Remove old CA certs. + // Remove old private keys. + removeEntryFromKeyStore(existingAlias); + // Remove any old CA certs. for (String oldAlias : oldCaCertificatesToRemove) { - mKeyStore.delete(Credentials.CA_CERTIFICATE + oldAlias, Process.WIFI_UID); + removeEntryFromKeyStore(oldAlias); } // Set alias names if (config.getClientCertificate() != null) { - config.setClientCertificateAlias(name); + config.setClientCertificateAlias(alias); config.resetClientKeyEntry(); } @@ -159,62 +140,58 @@ public class WifiKeyStore { caCertificateAliases.toArray(new String[caCertificateAliases.size()])); config.resetCaCertificate(); } - return ret; - } - - /** - * Install a certificate into the keystore. - * - * @param name The alias name of the certificate to be installed - * @param cert The certificate to be installed - * @return true on success - */ - public boolean putCertInKeyStore(String name, Certificate cert) { - return putCertsInKeyStore(name, new Certificate[] {cert}); + return true; } /** - * Install a client certificate chain into the keystore. + * Install a CA certificate into the keystore. * - * @param name The alias name of the certificate to be installed - * @param certs The certificate chain to be installed + * @param alias The alias name of the CA certificate to be installed + * @param cert The CA certificate to be installed * @return true on success */ - public boolean putCertsInKeyStore(String name, Certificate[] certs) { + public boolean putCaCertInKeyStore(String alias, Certificate cert) { try { - byte[] certData = Credentials.convertToPem(certs); - if (mVerboseLoggingEnabled) { - Log.d(TAG, "putting " + certs.length + " certificate(s) " - + name + " in keystore"); - } - return mKeyStore.put(name, certData, Process.WIFI_UID, KeyStore.FLAG_NONE); - } catch (IOException e1) { - return false; - } catch (CertificateException e2) { + mKeyStore.setCertificateEntry(alias, cert); + return true; + } catch (KeyStoreException e) { + Log.e(TAG, "Failed to put CA certificate in keystore"); return false; } } /** - * Install a key into the keystore. + * Install a private key + user certificate into the keystore. * - * @param name The alias name of the key to be installed - * @param key The key to be installed + * @param alias The alias name of the key to be installed + * @param key The private key to be installed + * @param certs User Certificate chain. * @return true on success */ - public boolean putKeyInKeyStore(String name, Key key) { - byte[] privKeyData = key.getEncoded(); - return mKeyStore.importKey(name, privKeyData, Process.WIFI_UID, KeyStore.FLAG_NONE); + public boolean putUserPrivKeyAndCertsInKeyStore(String alias, Key key, Certificate[] certs) { + try { + mKeyStore.setKeyEntry(alias, key.getEncoded(), certs); + return true; + } catch (KeyStoreException e) { + Log.e(TAG, "Failed to put CA certificate in keystore"); + return false; + } } /** * Remove a certificate or key entry specified by the alias name from the keystore. * - * @param name The alias name of the entry to be removed + * @param alias The alias name of the entry to be removed * @return true on success */ - public boolean removeEntryFromKeyStore(String name) { - return mKeyStore.delete(name, Process.WIFI_UID); + public boolean removeEntryFromKeyStore(String alias) { + Preconditions.checkNotNull(mKeyStore); + try { + mKeyStore.deleteEntry(alias); + return true; + } catch (KeyStoreException e) { + return false; + } } /** @@ -223,51 +200,40 @@ public class WifiKeyStore { * @param config Config corresponding to the network. */ public void removeKeys(WifiEnterpriseConfig config) { + Preconditions.checkNotNull(mKeyStore); // Do not remove keys that were manually installed by the user if (config.isAppInstalledDeviceKeyAndCert()) { String client = config.getClientCertificateAlias(); // a valid client certificate is configured if (!TextUtils.isEmpty(client)) { if (mVerboseLoggingEnabled) { - Log.d(TAG, "removing client private key and user cert"); + Log.d(TAG, "removing client private key, user cert and CA cert)"); } - mKeyStore.delete(Credentials.USER_PRIVATE_KEY + client, Process.WIFI_UID); - mKeyStore.delete(Credentials.USER_CERTIFICATE + client, Process.WIFI_UID); + // if there is only a single CA certificate, then that is also stored with + // the same alias, hence will be removed here. + removeEntryFromKeyStore(client); } } // Do not remove CA certs that were manually installed by the user if (config.isAppInstalledCaCert()) { String[] aliases = config.getCaCertificateAliases(); - // a valid ca certificate is configured - if (aliases != null) { + // only need remove CA certs here in case there are more than 1 CA certificate, + // otherwise the remove of priv key/user cert should already handle removal of the CA + // certificate as well. + if (aliases != null || aliases.length > 1) { for (String ca : aliases) { if (!TextUtils.isEmpty(ca)) { if (mVerboseLoggingEnabled) { Log.d(TAG, "removing CA cert: " + ca); } - mKeyStore.delete(Credentials.CA_CERTIFICATE + ca, Process.WIFI_UID); + removeEntryFromKeyStore(ca); } } } } } - - /** - * @param certData byte array of the certificate - */ - private X509Certificate buildCACertificate(byte[] certData) { - try { - CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); - InputStream inputStream = new ByteArrayInputStream(certData); - X509Certificate caCertificateX509 = (X509Certificate) certificateFactory - .generateCertificate(inputStream); - return caCertificateX509; - } catch (CertificateException e) { - return null; - } - } /** * Update/Install keys for given enterprise network. * @@ -277,6 +243,9 @@ public class WifiKeyStore { * @return true if successful, false otherwise. */ public boolean updateNetworkKeys(WifiConfiguration config, WifiConfiguration existingConfig) { + Preconditions.checkNotNull(mKeyStore); + Preconditions.checkNotNull(config.enterpriseConfig); + Preconditions.checkNotNull(existingConfig.enterpriseConfig); WifiEnterpriseConfig enterpriseConfig = config.enterpriseConfig; if (!needsKeyStore(enterpriseConfig)) { return true; @@ -288,8 +257,9 @@ public class WifiKeyStore { * fields from the currently tracked configuration */ String keyId = config.getKeyIdForCredentials(existingConfig); - if (!installKeys(existingConfig != null - ? existingConfig.enterpriseConfig : null, enterpriseConfig, keyId)) { + String existingKeyId = existingConfig.getKeyIdForCredentials(existingConfig); + if (!installKeys(existingConfig.enterpriseConfig, enterpriseConfig, + existingKeyId, keyId)) { Log.e(TAG, config.SSID + ": failed to install keys"); return false; } @@ -302,53 +272,48 @@ public class WifiKeyStore { // CA certificate type. Suite-B requires SHA384, reject other certs. if (config.allowedKeyManagement.get(WifiConfiguration.KeyMgmt.SUITE_B_192)) { // Read the first CA certificate, and initialize - byte[] certData = mKeyStore.get( - Credentials.CA_CERTIFICATE + config.enterpriseConfig.getCaCertificateAlias(), - android.os.Process.WIFI_UID); - - if (certData == null) { + Certificate caCert = null; + try { + caCert = mKeyStore.getCertificate(config.enterpriseConfig.getCaCertificateAlias()); + } catch (KeyStoreException e) { + Log.e(TAG, "Failed to get Suite-B certificate", e); + } + if (caCert == null || !(caCert instanceof X509Certificate)) { Log.e(TAG, "Failed reading CA certificate for Suite-B"); return false; } + X509Certificate x509CaCert = (X509Certificate) caCert; + String sigAlgOid = x509CaCert.getSigAlgOID(); + if (mVerboseLoggingEnabled) { + Log.d(TAG, "Signature algorithm: " + sigAlgOid); + } + config.allowedSuiteBCiphers.clear(); - X509Certificate x509CaCert = buildCACertificate(certData); - - if (x509CaCert != null) { - String sigAlgOid = x509CaCert.getSigAlgOID(); + // Wi-Fi alliance requires the use of both ECDSA secp384r1 and RSA 3072 certificates + // in WPA3-Enterprise 192-bit security networks, which are also known as Suite-B-192 + // networks, even though NSA Suite-B-192 mandates ECDSA only. The use of the term + // Suite-B was already coined in the IEEE 802.11-2016 specification for + // AKM 00-0F-AC but the test plan for WPA3-Enterprise 192-bit for APs mandates + // support for both RSA and ECDSA, and for STAs it mandates ECDSA and optionally + // RSA. In order to be compatible with all WPA3-Enterprise 192-bit deployments, + // we are supporting both types here. + if (sigAlgOid.equals("1.2.840.113549.1.1.12")) { + // sha384WithRSAEncryption + config.allowedSuiteBCiphers.set( + WifiConfiguration.SuiteBCipher.ECDHE_RSA); if (mVerboseLoggingEnabled) { - Log.d(TAG, "Signature algorithm: " + sigAlgOid); + Log.d(TAG, "Selecting Suite-B RSA"); } - config.allowedSuiteBCiphers.clear(); - - // Wi-Fi alliance requires the use of both ECDSA secp384r1 and RSA 3072 certificates - // in WPA3-Enterprise 192-bit security networks, which are also known as Suite-B-192 - // networks, even though NSA Suite-B-192 mandates ECDSA only. The use of the term - // Suite-B was already coined in the IEEE 802.11-2016 specification for - // AKM 00-0F-AC but the test plan for WPA3-Enterprise 192-bit for APs mandates - // support for both RSA and ECDSA, and for STAs it mandates ECDSA and optionally - // RSA. In order to be compatible with all WPA3-Enterprise 192-bit deployments, - // we are supporting both types here. - if (sigAlgOid.equals("1.2.840.113549.1.1.12")) { - // sha384WithRSAEncryption - config.allowedSuiteBCiphers.set( - WifiConfiguration.SuiteBCipher.ECDHE_RSA); - if (mVerboseLoggingEnabled) { - Log.d(TAG, "Selecting Suite-B RSA"); - } - } else if (sigAlgOid.equals("1.2.840.10045.4.3.3")) { - // ecdsa-with-SHA384 - config.allowedSuiteBCiphers.set( - WifiConfiguration.SuiteBCipher.ECDHE_ECDSA); - if (mVerboseLoggingEnabled) { - Log.d(TAG, "Selecting Suite-B ECDSA"); - } - } else { - Log.e(TAG, "Invalid CA certificate type for Suite-B: " - + sigAlgOid); - return false; + } else if (sigAlgOid.equals("1.2.840.10045.4.3.3")) { + // ecdsa-with-SHA384 + config.allowedSuiteBCiphers.set( + WifiConfiguration.SuiteBCipher.ECDHE_ECDSA); + if (mVerboseLoggingEnabled) { + Log.d(TAG, "Selecting Suite-B ECDSA"); } } else { - Log.e(TAG, "Invalid CA certificate for Suite-B"); + Log.e(TAG, "Invalid CA certificate type for Suite-B: " + + sigAlgOid); return false; } } diff --git a/service/java/com/android/server/wifi/hotspot2/PasspointConfigUserStoreData.java b/service/java/com/android/server/wifi/hotspot2/PasspointConfigUserStoreData.java index 83a22f96c..9e64417d0 100644 --- a/service/java/com/android/server/wifi/hotspot2/PasspointConfigUserStoreData.java +++ b/service/java/com/android/server/wifi/hotspot2/PasspointConfigUserStoreData.java @@ -69,8 +69,7 @@ public class PasspointConfigUserStoreData implements WifiConfigStore.StoreData { private static final String XML_TAG_PACKAGE_NAME = "PackageName"; private static final String XML_TAG_CA_CERTIFICATE_ALIASES = "CaCertificateAliases"; private static final String XML_TAG_CA_CERTIFICATE_ALIAS = "CaCertificateAlias"; - private static final String XML_TAG_CLIENT_CERTIFICATE_ALIAS = "ClientCertificateAlias"; - private static final String XML_TAG_CLIENT_PRIVATE_KEY_ALIAS = "ClientPrivateKeyAlias"; + private static final String XML_TAG_CLIENT_PRIVATE_KEY_AND_CERT_ALIAS = "ClientPrivateKeyAlias"; private static final String XML_TAG_REMEDIATION_CA_CERTIFICATE_ALIAS = "RemediationCaCertificateAlias"; @@ -200,10 +199,8 @@ public class PasspointConfigUserStoreData implements WifiConfigStore.StoreData { } XmlUtil.writeNextValue(out, XML_TAG_CA_CERTIFICATE_ALIASES, provider.getCaCertificateAliases()); - XmlUtil.writeNextValue(out, XML_TAG_CLIENT_CERTIFICATE_ALIAS, - provider.getClientCertificateAlias()); - XmlUtil.writeNextValue(out, XML_TAG_CLIENT_PRIVATE_KEY_ALIAS, - provider.getClientPrivateKeyAlias()); + XmlUtil.writeNextValue(out, XML_TAG_CLIENT_PRIVATE_KEY_AND_CERT_ALIAS, + provider.getClientPrivateKeyAndCertificateAlias()); XmlUtil.writeNextValue(out, XML_TAG_HAS_EVER_CONNECTED, provider.getHasEverConnected()); XmlUtil.writeNextValue(out, XML_TAG_IS_FROM_SUGGESTION, provider.isFromSuggestion()); if (provider.getConfig() != null) { @@ -273,8 +270,7 @@ public class PasspointConfigUserStoreData implements WifiConfigStore.StoreData { int creatorUid = Integer.MIN_VALUE; List<String> caCertificateAliases = null; String caCertificateAlias = null; - String clientCertificateAlias = null; - String clientPrivateKeyAlias = null; + String clientPrivateKeyAndCertificateAlias = null; String remediationCaCertificateAlias = null; String packageName = null; boolean hasEverConnected = false; @@ -304,11 +300,8 @@ public class PasspointConfigUserStoreData implements WifiConfigStore.StoreData { // uses this alias. caCertificateAlias = (String) value; break; - case XML_TAG_CLIENT_CERTIFICATE_ALIAS: - clientCertificateAlias = (String) value; - break; - case XML_TAG_CLIENT_PRIVATE_KEY_ALIAS: - clientPrivateKeyAlias = (String) value; + case XML_TAG_CLIENT_PRIVATE_KEY_AND_CERT_ALIAS: + clientPrivateKeyAndCertificateAlias = (String) value; break; case XML_TAG_REMEDIATION_CA_CERTIFICATE_ALIAS: remediationCaCertificateAlias = (String) value; @@ -347,13 +340,13 @@ public class PasspointConfigUserStoreData implements WifiConfigStore.StoreData { if (caCertificateAlias != null) { caCertificateAliases = Arrays.asList(caCertificateAlias); } - if (config == null) { throw new XmlPullParserException("Missing Passpoint configuration"); } return new PasspointProvider(config, mKeyStore, mSimAccessor, providerId, creatorUid, - packageName, isFromSuggestion, caCertificateAliases, clientCertificateAlias, - clientPrivateKeyAlias, remediationCaCertificateAlias, hasEverConnected, shared); + packageName, isFromSuggestion, caCertificateAliases, + clientPrivateKeyAndCertificateAlias, remediationCaCertificateAlias, + hasEverConnected, shared); } } diff --git a/service/java/com/android/server/wifi/hotspot2/PasspointManager.java b/service/java/com/android/server/wifi/hotspot2/PasspointManager.java index 9e7a184bb..bce2f6c69 100644 --- a/service/java/com/android/server/wifi/hotspot2/PasspointManager.java +++ b/service/java/com/android/server/wifi/hotspot2/PasspointManager.java @@ -957,7 +957,6 @@ public class PasspointManager { PasspointProvider provider = new PasspointProvider(passpointConfig, mKeyStore, mSimAccessor, mProviderIndex++, wifiConfig.creatorUid, null, false, Arrays.asList(enterpriseConfig.getCaCertificateAlias()), - enterpriseConfig.getClientCertificateAlias(), enterpriseConfig.getClientCertificateAlias(), null, false, false); mProviders.put(passpointConfig.getHomeSp().getFqdn(), provider); return true; diff --git a/service/java/com/android/server/wifi/hotspot2/PasspointProvider.java b/service/java/com/android/server/wifi/hotspot2/PasspointProvider.java index 080903fa8..111048d2b 100644 --- a/service/java/com/android/server/wifi/hotspot2/PasspointProvider.java +++ b/service/java/com/android/server/wifi/hotspot2/PasspointProvider.java @@ -25,7 +25,6 @@ import android.net.wifi.hotspot2.pps.Credential; import android.net.wifi.hotspot2.pps.Credential.SimCredential; import android.net.wifi.hotspot2.pps.Credential.UserCredential; import android.net.wifi.hotspot2.pps.HomeSp; -import android.security.Credentials; import android.text.TextUtils; import android.util.Base64; import android.util.Log; @@ -47,6 +46,8 @@ import com.android.server.wifi.util.InformationElementUtil.RoamingConsortium; import java.nio.charset.StandardCharsets; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.cert.Certificate; import java.security.cert.CertificateEncodingException; import java.security.cert.X509Certificate; import java.util.ArrayList; @@ -82,8 +83,7 @@ public class PasspointProvider { * This will be consistent with the usage of the term "alias" in {@link WifiEnterpriseConfig}. */ private List<String> mCaCertificateAliases; - private String mClientPrivateKeyAlias; - private String mClientCertificateAlias; + private String mClientPrivateKeyAndCertificateAlias; private String mRemediationCaCertificateAlias; private final long mProviderId; @@ -104,13 +104,13 @@ public class PasspointProvider { SIMAccessor simAccessor, long providerId, int creatorUid, String packageName, boolean isFromSuggestion) { this(config, keyStore, simAccessor, providerId, creatorUid, packageName, isFromSuggestion, - null, null, null, null, false, false); + null, null, null, false, false); } public PasspointProvider(PasspointConfiguration config, WifiKeyStore keyStore, SIMAccessor simAccessor, long providerId, int creatorUid, String packageName, boolean isFromSuggestion, List<String> caCertificateAliases, - String clientCertificateAlias, String clientPrivateKeyAlias, + String clientPrivateKeyAndCertificateAlias, String remediationCaCertificateAlias, boolean hasEverConnected, boolean isShared) { // Maintain a copy of the configuration to avoid it being updated by others. @@ -120,8 +120,7 @@ public class PasspointProvider { mCreatorUid = creatorUid; mPackageName = packageName; mCaCertificateAliases = caCertificateAliases; - mClientCertificateAlias = clientCertificateAlias; - mClientPrivateKeyAlias = clientPrivateKeyAlias; + mClientPrivateKeyAndCertificateAlias = clientPrivateKeyAndCertificateAlias; mRemediationCaCertificateAlias = remediationCaCertificateAlias; mHasEverConnected = hasEverConnected; mIsShared = isShared; @@ -157,12 +156,8 @@ public class PasspointProvider { return mCaCertificateAliases; } - public String getClientPrivateKeyAlias() { - return mClientPrivateKeyAlias; - } - - public String getClientCertificateAlias() { - return mClientCertificateAlias; + public String getClientPrivateKeyAndCertificateAlias() { + return mClientPrivateKeyAndCertificateAlias; } public String getRemediationCaCertificateAlias() { @@ -208,8 +203,7 @@ public class PasspointProvider { mCaCertificateAliases = new ArrayList<>(); for (int i = 0; i < x509Certificates.length; i++) { String alias = String.format("%s%s_%d", ALIAS_HS_TYPE, mProviderId, i); - if (!mKeyStore.putCertInKeyStore(Credentials.CA_CERTIFICATE + alias, - x509Certificates[i])) { + if (!mKeyStore.putCaCertInKeyStore(alias, x509Certificates[i])) { Log.e(TAG, "Failed to install CA Certificate"); uninstallCertsAndKeys(); return false; @@ -219,20 +213,11 @@ public class PasspointProvider { } } - // Install the client private key. - if (mConfig.getCredential().getClientPrivateKey() != null) { - String keyName = Credentials.USER_PRIVATE_KEY + ALIAS_HS_TYPE + mProviderId; - if (!mKeyStore.putKeyInKeyStore(keyName, - mConfig.getCredential().getClientPrivateKey())) { - Log.e(TAG, "Failed to install client private key"); - uninstallCertsAndKeys(); - return false; - } - mClientPrivateKeyAlias = ALIAS_HS_TYPE + mProviderId; - } - - // Install the client certificate. - if (mConfig.getCredential().getClientCertificateChain() != null) { + // Install the client private key & certificate. + if (mConfig.getCredential().getClientPrivateKey() != null + && mConfig.getCredential().getClientCertificateChain() != null) { + String keyName = ALIAS_HS_TYPE + mProviderId; + PrivateKey clientKey = mConfig.getCredential().getClientPrivateKey(); X509Certificate clientCert = getClientCertificate( mConfig.getCredential().getClientCertificateChain(), mConfig.getCredential().getCertCredential().getCertSha256Fingerprint()); @@ -241,13 +226,13 @@ public class PasspointProvider { uninstallCertsAndKeys(); return false; } - String certName = Credentials.USER_CERTIFICATE + ALIAS_HS_TYPE + mProviderId; - if (!mKeyStore.putCertInKeyStore(certName, clientCert)) { - Log.e(TAG, "Failed to install client certificate"); + if (!mKeyStore.putUserPrivKeyAndCertsInKeyStore( + keyName, clientKey, new Certificate[] {clientCert})) { + Log.e(TAG, "Failed to install client private key & certificate"); uninstallCertsAndKeys(); return false; } - mClientCertificateAlias = ALIAS_HS_TYPE + mProviderId; + mClientPrivateKeyAndCertificateAlias = keyName; } if (mConfig.getSubscriptionUpdate() != null) { @@ -257,15 +242,13 @@ public class PasspointProvider { uninstallCertsAndKeys(); return false; } - mRemediationCaCertificateAlias = - ALIAS_HS_TYPE + ALIAS_ALIAS_REMEDIATION_TYPE + mProviderId; - String certName = Credentials.CA_CERTIFICATE + mRemediationCaCertificateAlias; - if (!mKeyStore.putCertInKeyStore(certName, certificate)) { + String certName = ALIAS_HS_TYPE + ALIAS_ALIAS_REMEDIATION_TYPE + mProviderId; + if (!mKeyStore.putCaCertInKeyStore(certName, certificate)) { Log.e(TAG, "Failed to install CA certificate for remediation"); - mRemediationCaCertificateAlias = null; uninstallCertsAndKeys(); return false; } + mRemediationCaCertificateAlias = certName; } // Clear the keys and certificates in the configuration. @@ -284,31 +267,20 @@ public class PasspointProvider { public void uninstallCertsAndKeys() { if (mCaCertificateAliases != null) { for (String certificateAlias : mCaCertificateAliases) { - if (!mKeyStore.removeEntryFromKeyStore( - Credentials.CA_CERTIFICATE + certificateAlias)) { + if (!mKeyStore.removeEntryFromKeyStore(certificateAlias)) { Log.e(TAG, "Failed to remove entry: " + certificateAlias); } } mCaCertificateAliases = null; } - if (mClientPrivateKeyAlias != null) { - if (!mKeyStore.removeEntryFromKeyStore( - Credentials.USER_PRIVATE_KEY + mClientPrivateKeyAlias)) { - Log.e(TAG, "Failed to remove entry: " + mClientPrivateKeyAlias); + if (mClientPrivateKeyAndCertificateAlias != null) { + if (!mKeyStore.removeEntryFromKeyStore(mClientPrivateKeyAndCertificateAlias)) { + Log.e(TAG, "Failed to remove entry: " + mClientPrivateKeyAndCertificateAlias); } - mClientPrivateKeyAlias = null; + mClientPrivateKeyAndCertificateAlias = null; } - if (mClientCertificateAlias != null) { - if (!mKeyStore.removeEntryFromKeyStore( - Credentials.USER_CERTIFICATE + mClientCertificateAlias)) { - Log.e(TAG, "Failed to remove entry: " + mClientCertificateAlias); - } - mClientCertificateAlias = null; - } - if (mRemediationCaCertificateAlias != null) { - if (!mKeyStore.removeEntryFromKeyStore( - Credentials.CA_CERTIFICATE + mRemediationCaCertificateAlias)) { + if (!mKeyStore.removeEntryFromKeyStore(mRemediationCaCertificateAlias)) { Log.e(TAG, "Failed to remove entry: " + mRemediationCaCertificateAlias); } mRemediationCaCertificateAlias = null; @@ -505,8 +477,8 @@ public class PasspointProvider { return mProviderId == that.mProviderId && (mCaCertificateAliases == null ? that.mCaCertificateAliases == null : mCaCertificateAliases.equals(that.mCaCertificateAliases)) - && TextUtils.equals(mClientCertificateAlias, that.mClientCertificateAlias) - && TextUtils.equals(mClientPrivateKeyAlias, that.mClientPrivateKeyAlias) + && TextUtils.equals(mClientPrivateKeyAndCertificateAlias, + that.mClientPrivateKeyAndCertificateAlias) && (mConfig == null ? that.mConfig == null : mConfig.equals(that.mConfig)) && TextUtils.equals(mRemediationCaCertificateAlias, that.mRemediationCaCertificateAlias); @@ -514,8 +486,8 @@ public class PasspointProvider { @Override public int hashCode() { - return Objects.hash(mProviderId, mCaCertificateAliases, mClientCertificateAlias, - mClientPrivateKeyAlias, mConfig, mRemediationCaCertificateAlias); + return Objects.hash(mProviderId, mCaCertificateAliases, + mClientPrivateKeyAndCertificateAlias, mConfig, mRemediationCaCertificateAlias); } @Override @@ -667,7 +639,7 @@ public class PasspointProvider { */ private void buildEnterpriseConfigForCertCredential(WifiEnterpriseConfig config) { config.setEapMethod(WifiEnterpriseConfig.Eap.TLS); - config.setClientCertificateAlias(mClientCertificateAlias); + config.setClientCertificateAlias(mClientPrivateKeyAndCertificateAlias); if (!ArrayUtils.isEmpty(mCaCertificateAliases)) { config.setCaCertificateAliases(mCaCertificateAliases.toArray(new String[0])); } else { diff --git a/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java b/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java index f26cf939d..2b3491b31 100644 --- a/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java +++ b/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java @@ -77,7 +77,6 @@ import android.os.Process; import android.os.UserManager; import android.os.test.TestLooper; import android.provider.Settings; -import android.security.KeyStore; import android.telephony.SubscriptionInfo; import android.telephony.SubscriptionManager; import android.telephony.TelephonyManager; @@ -421,7 +420,6 @@ public class ClientModeImplTest extends WifiBaseTest { when(mWifiInjector.getWifiLastResortWatchdog()).thenReturn(mWifiLastResortWatchdog); when(mWifiInjector.getPropertyService()).thenReturn(mPropertyService); when(mWifiInjector.getBuildProperties()).thenReturn(mBuildProperties); - when(mWifiInjector.getKeyStore()).thenReturn(mock(KeyStore.class)); when(mWifiInjector.getWifiBackupRestore()).thenReturn(mock(WifiBackupRestore.class)); when(mWifiInjector.getWifiDiagnostics()).thenReturn(mWifiDiagnostics); when(mWifiInjector.getWifiConfigManager()).thenReturn(mWifiConfigManager); diff --git a/tests/wifitests/src/com/android/server/wifi/WifiKeyStoreTest.java b/tests/wifitests/src/com/android/server/wifi/WifiKeyStoreTest.java index 1cb432ef8..42eb52613 100644 --- a/tests/wifitests/src/com/android/server/wifi/WifiKeyStoreTest.java +++ b/tests/wifitests/src/com/android/server/wifi/WifiKeyStoreTest.java @@ -22,9 +22,6 @@ import static org.mockito.Mockito.verifyNoMoreInteractions; import static org.mockito.Mockito.when; import android.net.wifi.WifiEnterpriseConfig; -import android.os.Process; -import android.security.Credentials; -import android.security.KeyStore; import androidx.test.filters.SmallTest; @@ -34,6 +31,8 @@ import org.junit.Test; import org.mockito.Mock; import org.mockito.MockitoAnnotations; +import java.security.KeyStore; + /** * Unit tests for {@link com.android.server.wifi.WifiConfigManager}. */ @@ -71,18 +70,15 @@ public class WifiKeyStoreTest extends WifiBaseTest { * Verifies that keys and certs are removed when they were installed by an app. */ @Test - public void testRemoveKeysForAppInstalledCerts() { + public void testRemoveKeysForAppInstalledCerts() throws Exception { when(mWifiEnterpriseConfig.isAppInstalledDeviceKeyAndCert()).thenReturn(true); when(mWifiEnterpriseConfig.isAppInstalledCaCert()).thenReturn(true); mWifiKeyStore.removeKeys(mWifiEnterpriseConfig); // Method calls the KeyStore#delete method 4 times, user key, user cert, and 2 CA cert - verify(mKeyStore).delete(Credentials.USER_PRIVATE_KEY + USER_CERT_ALIAS, Process.WIFI_UID); - verify(mKeyStore).delete(Credentials.USER_CERTIFICATE + USER_CERT_ALIAS, Process.WIFI_UID); - verify(mKeyStore).delete(Credentials.CA_CERTIFICATE + USER_CA_CERT_ALIAS[0], - Process.WIFI_UID); - verify(mKeyStore).delete(Credentials.CA_CERTIFICATE + USER_CA_CERT_ALIAS[1], - Process.WIFI_UID); + verify(mKeyStore).deleteEntry(USER_CERT_ALIAS); + verify(mKeyStore).deleteEntry(USER_CA_CERT_ALIAS[0]); + verify(mKeyStore).deleteEntry(USER_CA_CERT_ALIAS[1]); } /** @@ -90,14 +86,13 @@ public class WifiKeyStoreTest extends WifiBaseTest { * when CA certs are installed by the user. */ @Test - public void testRemoveKeysForMixedInstalledCerts1() { + public void testRemoveKeysForMixedInstalledCerts1() throws Exception { when(mWifiEnterpriseConfig.isAppInstalledDeviceKeyAndCert()).thenReturn(true); when(mWifiEnterpriseConfig.isAppInstalledCaCert()).thenReturn(false); mWifiKeyStore.removeKeys(mWifiEnterpriseConfig); - // Method calls the KeyStore#delete method 2 times: user key and user cert - verify(mKeyStore).delete(Credentials.USER_PRIVATE_KEY + USER_CERT_ALIAS, Process.WIFI_UID); - verify(mKeyStore).delete(Credentials.USER_CERTIFICATE + USER_CERT_ALIAS, Process.WIFI_UID); + // Method calls the KeyStore#deleteEntry method: user key and user cert + verify(mKeyStore).deleteEntry(USER_CERT_ALIAS); verifyNoMoreInteractions(mKeyStore); } @@ -106,16 +101,14 @@ public class WifiKeyStoreTest extends WifiBaseTest { * removed when CA certs are installed by the app. */ @Test - public void testRemoveKeysForMixedInstalledCerts2() { + public void testRemoveKeysForMixedInstalledCerts2() throws Exception { when(mWifiEnterpriseConfig.isAppInstalledDeviceKeyAndCert()).thenReturn(false); when(mWifiEnterpriseConfig.isAppInstalledCaCert()).thenReturn(true); mWifiKeyStore.removeKeys(mWifiEnterpriseConfig); // Method calls the KeyStore#delete method 2 times: 2 CA certs - verify(mKeyStore).delete(Credentials.CA_CERTIFICATE + USER_CA_CERT_ALIAS[0], - Process.WIFI_UID); - verify(mKeyStore).delete(Credentials.CA_CERTIFICATE + USER_CA_CERT_ALIAS[1], - Process.WIFI_UID); + verify(mKeyStore).deleteEntry(USER_CA_CERT_ALIAS[0]); + verify(mKeyStore).deleteEntry(USER_CA_CERT_ALIAS[1]); verifyNoMoreInteractions(mKeyStore); } diff --git a/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointConfigUserStoreDataTest.java b/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointConfigUserStoreDataTest.java index 563731965..5a30d7164 100644 --- a/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointConfigUserStoreDataTest.java +++ b/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointConfigUserStoreDataTest.java @@ -61,8 +61,7 @@ import java.util.Map; public class PasspointConfigUserStoreDataTest extends WifiBaseTest { private static final String TEST_CA_CERTIFICATE_ALIAS = "CaCert"; private static final String TEST_CA_CERTIFICATE_ALIAS_2 = "CaCert_2"; - private static final String TEST_CLIENT_CERTIFICATE_ALIAS = "ClientCert"; - private static final String TEST_CLIENT_PRIVATE_KEY_ALIAS = "ClientPrivateKey"; + private static final String TEST_CLIENT_PRIVATE_KEY_AND_CERT_ALIAS = "ClientPrivateKeyAndCert"; private static final String TEST_REMEDIATION_CA_CERTIFICATE_ALIAS = "CaCert_3"; private static final String TEST_CREATOR_PACKAGE = "com.android.test"; private static final long TEST_PROVIDER_ID = 1; @@ -247,13 +246,13 @@ public class PasspointConfigUserStoreDataTest extends WifiBaseTest { List<PasspointProvider> providerList = new ArrayList<>(); providerList.add(new PasspointProvider(createFullPasspointConfiguration(), mKeyStore, mSimAccessor, TEST_PROVIDER_ID, TEST_CREATOR_UID, TEST_CREATOR_PACKAGE, - false, Arrays.asList(TEST_CA_CERTIFICATE_ALIAS), TEST_CLIENT_CERTIFICATE_ALIAS, - TEST_CLIENT_PRIVATE_KEY_ALIAS, null, TEST_HAS_EVER_CONNECTED, TEST_SHARED)); + false, Arrays.asList(TEST_CA_CERTIFICATE_ALIAS), + TEST_CLIENT_PRIVATE_KEY_AND_CERT_ALIAS, null, + TEST_HAS_EVER_CONNECTED, TEST_SHARED)); providerList.add(new PasspointProvider(createFullPasspointConfiguration(), mKeyStore, mSimAccessor, TEST_PROVIDER_ID_2, TEST_CREATOR_UID, TEST_CREATOR_PACKAGE, true, Arrays.asList(TEST_CA_CERTIFICATE_ALIAS, TEST_CA_CERTIFICATE_ALIAS_2), - TEST_CLIENT_CERTIFICATE_ALIAS, - TEST_CLIENT_PRIVATE_KEY_ALIAS, TEST_REMEDIATION_CA_CERTIFICATE_ALIAS, + TEST_CLIENT_PRIVATE_KEY_AND_CERT_ALIAS, TEST_REMEDIATION_CA_CERTIFICATE_ALIAS, TEST_HAS_EVER_CONNECTED, TEST_SHARED)); // Serialize data for user store. diff --git a/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointProviderTest.java b/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointProviderTest.java index ec0533214..beddb2199 100644 --- a/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointProviderTest.java +++ b/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointProviderTest.java @@ -62,6 +62,7 @@ import org.mockito.Mock; import java.nio.charset.StandardCharsets; import java.security.MessageDigest; +import java.security.cert.Certificate; import java.security.cert.X509Certificate; import java.util.Arrays; import java.util.BitSet; @@ -80,15 +81,10 @@ public class PasspointProviderTest extends WifiBaseTest { private static final long PROVIDER_ID = 12L; private static final int CREATOR_UID = 1234; private static final String CREATOR_PACKAGE = "com.android.test"; - private static final String CA_CERTIFICATE_NAME = "CACERT_HS2_12_0"; - private static final String CA_CERTIFICATE_NAME_2 = "CACERT_HS2_12_1"; - private static final String CLIENT_CERTIFICATE_NAME = "USRCERT_HS2_12"; - private static final String CLIENT_PRIVATE_KEY_NAME = "USRPKEY_HS2_12"; - private static final String REMEDIATION_CA_CERTIFICATE_NAME = "CACERT_HS2_REMEDIATION_12"; private static final String CA_CERTIFICATE_ALIAS = "HS2_12_0"; private static final String CA_CERTIFICATE_ALIAS_2 = "HS2_12_1"; private static final String CLIENT_CERTIFICATE_ALIAS = "HS2_12"; - private static final String CLIENT_PRIVATE_KEY_ALIAS = "HS2_12"; + private static final String CLIENT_PRIVATE_KEY_AND_CERT_ALIAS = "HS2_12"; private static final String REMEDIATION_CA_CERTIFICATE_ALIAS = "HS2_REMEDIATION_12"; private static final String SYSTEM_CA_STORE_PATH = "/system/etc/security/cacerts"; @@ -377,8 +373,6 @@ public class PasspointProviderTest extends WifiBaseTest { assertEquals("anonymous@" + credential.getRealm(), wifiEnterpriseConfig.getAnonymousIdentity()); assertEquals(WifiEnterpriseConfig.Eap.TLS, wifiEnterpriseConfig.getEapMethod()); - assertEquals(CLIENT_CERTIFICATE_ALIAS, - wifiEnterpriseConfig.getClientCertificateAlias()); assertEquals(WifiConfiguration.METERED_OVERRIDE_METERED, wifiConfig.meteredOverride); // Domain suffix match if (ArrayUtils.isEmpty(passpointConfig.getAaaServerTrustedNames())) { @@ -488,15 +482,15 @@ public class PasspointProviderTest extends WifiBaseTest { mProvider = createProvider(config); // Install client certificate and key to the keystore successfully. - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME_2, FakeKeys.CA_CERT1)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS_2, FakeKeys.CA_CERT1)) .thenReturn(true); - when(mKeyStore.putKeyInKeyStore(CLIENT_PRIVATE_KEY_NAME, FakeKeys.RSA_KEY1)) + when(mKeyStore.putUserPrivKeyAndCertsInKeyStore( + CLIENT_PRIVATE_KEY_AND_CERT_ALIAS, FakeKeys.RSA_KEY1, + new Certificate[] {FakeKeys.CLIENT_CERT})) .thenReturn(true); - when(mKeyStore.putCertInKeyStore(CLIENT_CERTIFICATE_NAME, FakeKeys.CLIENT_CERT)) - .thenReturn(true); - when(mKeyStore.putCertInKeyStore(REMEDIATION_CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) + when(mKeyStore.putCaCertInKeyStore(REMEDIATION_CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); assertTrue(mProvider.installCertsAndKeys()); @@ -511,8 +505,10 @@ public class PasspointProviderTest extends WifiBaseTest { } assertTrue(mProvider.getCaCertificateAliases().equals( Arrays.asList(CA_CERTIFICATE_ALIAS, CA_CERTIFICATE_ALIAS_2))); - assertTrue(mProvider.getClientPrivateKeyAlias().equals(CLIENT_PRIVATE_KEY_ALIAS)); - assertTrue(mProvider.getClientCertificateAlias().equals(CLIENT_CERTIFICATE_ALIAS)); + assertTrue(mProvider.getClientPrivateKeyAndCertificateAlias() + .equals(CLIENT_PRIVATE_KEY_AND_CERT_ALIAS)); + assertTrue(mProvider.getClientPrivateKeyAndCertificateAlias() + .equals(CLIENT_PRIVATE_KEY_AND_CERT_ALIAS)); assertTrue(TextUtils.equals(mProvider.getRemediationCaCertificateAlias(), mExpectedResult)); } @@ -535,15 +531,15 @@ public class PasspointProviderTest extends WifiBaseTest { mProvider = createProvider(config); // Failed to install client certificate to the keystore. - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME_2, FakeKeys.CA_CERT1)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS_2, FakeKeys.CA_CERT1)) .thenReturn(false); - when(mKeyStore.putKeyInKeyStore(CLIENT_PRIVATE_KEY_NAME, FakeKeys.RSA_KEY1)) - .thenReturn(true); - when(mKeyStore.putCertInKeyStore(CLIENT_CERTIFICATE_NAME, FakeKeys.CLIENT_CERT)) + when(mKeyStore.putUserPrivKeyAndCertsInKeyStore( + CLIENT_PRIVATE_KEY_AND_CERT_ALIAS, FakeKeys.RSA_KEY1, + new Certificate[] {FakeKeys.CLIENT_CERT})) .thenReturn(true); - when(mKeyStore.putCertInKeyStore(REMEDIATION_CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) + when(mKeyStore.putCaCertInKeyStore(REMEDIATION_CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); assertFalse(mProvider.installCertsAndKeys()); @@ -557,8 +553,7 @@ public class PasspointProviderTest extends WifiBaseTest { assertTrue(curConfig.getSubscriptionUpdate().getCaCertificate() != null); } assertTrue(mProvider.getCaCertificateAliases() == null); - assertTrue(mProvider.getClientPrivateKeyAlias() == null); - assertTrue(mProvider.getClientCertificateAlias() == null); + assertTrue(mProvider.getClientPrivateKeyAndCertificateAlias() == null); assertTrue(mProvider.getRemediationCaCertificateAlias() == null); } @@ -582,36 +577,35 @@ public class PasspointProviderTest extends WifiBaseTest { mProvider = createProvider(config); // Install client certificate and key to the keystore successfully. - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) - .thenReturn(true); - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME_2, FakeKeys.CA_CERT1)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); - when(mKeyStore.putKeyInKeyStore(CLIENT_PRIVATE_KEY_NAME, FakeKeys.RSA_KEY1)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS_2, FakeKeys.CA_CERT1)) .thenReturn(true); - when(mKeyStore.putCertInKeyStore(CLIENT_CERTIFICATE_NAME, FakeKeys.CLIENT_CERT)) + when(mKeyStore.putUserPrivKeyAndCertsInKeyStore( + CLIENT_PRIVATE_KEY_AND_CERT_ALIAS, FakeKeys.RSA_KEY1, + new Certificate[] {FakeKeys.CLIENT_CERT})) .thenReturn(true); - when(mKeyStore.putCertInKeyStore(REMEDIATION_CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) + when(mKeyStore.putCaCertInKeyStore(REMEDIATION_CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); assertTrue(mProvider.installCertsAndKeys()); assertTrue(mProvider.getCaCertificateAliases().equals( Arrays.asList(CA_CERTIFICATE_ALIAS, CA_CERTIFICATE_ALIAS_2))); - assertTrue(mProvider.getClientPrivateKeyAlias().equals(CLIENT_PRIVATE_KEY_ALIAS)); - assertTrue(mProvider.getClientCertificateAlias().equals(CLIENT_CERTIFICATE_ALIAS)); + assertTrue(mProvider.getClientPrivateKeyAndCertificateAlias() + .equals(CLIENT_PRIVATE_KEY_AND_CERT_ALIAS)); assertTrue(TextUtils.equals(mProvider.getRemediationCaCertificateAlias(), mExpectedResult)); // Uninstall certificates and key from the keystore. mProvider.uninstallCertsAndKeys(); - verify(mKeyStore).removeEntryFromKeyStore(CA_CERTIFICATE_NAME); - verify(mKeyStore).removeEntryFromKeyStore(CA_CERTIFICATE_NAME_2); - verify(mKeyStore).removeEntryFromKeyStore(CLIENT_CERTIFICATE_NAME); - verify(mKeyStore).removeEntryFromKeyStore(CLIENT_PRIVATE_KEY_NAME); + verify(mKeyStore).removeEntryFromKeyStore(CA_CERTIFICATE_ALIAS); + verify(mKeyStore).removeEntryFromKeyStore(CA_CERTIFICATE_ALIAS_2); + verify(mKeyStore).removeEntryFromKeyStore(CLIENT_CERTIFICATE_ALIAS); + verify(mKeyStore).removeEntryFromKeyStore(CLIENT_PRIVATE_KEY_AND_CERT_ALIAS); if (mRemediationCaCertificate != null) { - verify(mKeyStore).removeEntryFromKeyStore(REMEDIATION_CA_CERTIFICATE_NAME); + verify(mKeyStore).removeEntryFromKeyStore(REMEDIATION_CA_CERTIFICATE_ALIAS); } assertTrue(mProvider.getCaCertificateAliases() == null); - assertTrue(mProvider.getClientPrivateKeyAlias() == null); - assertTrue(mProvider.getClientCertificateAlias() == null); + assertTrue(mProvider.getClientPrivateKeyAndCertificateAlias() == null); assertTrue(mProvider.getRemediationCaCertificateAlias() == null); } @@ -1009,7 +1003,7 @@ public class PasspointProviderTest extends WifiBaseTest { mProvider = createProvider(config); // Install certificate. - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); assertTrue(mProvider.installCertsAndKeys()); @@ -1042,7 +1036,7 @@ public class PasspointProviderTest extends WifiBaseTest { mProvider = createProvider(config); // Install certificate. - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); assertTrue(mProvider.installCertsAndKeys()); @@ -1090,11 +1084,11 @@ public class PasspointProviderTest extends WifiBaseTest { mProvider = createProvider(config); // Install certificate. - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); - when(mKeyStore.putKeyInKeyStore(CLIENT_PRIVATE_KEY_NAME, FakeKeys.RSA_KEY1)) - .thenReturn(true); - when(mKeyStore.putCertInKeyStore(CLIENT_CERTIFICATE_NAME, FakeKeys.CLIENT_CERT)) + when(mKeyStore.putUserPrivKeyAndCertsInKeyStore( + CLIENT_PRIVATE_KEY_AND_CERT_ALIAS, FakeKeys.RSA_KEY1, + new Certificate[] {FakeKeys.CLIENT_CERT})) .thenReturn(true); assertTrue(mProvider.installCertsAndKeys()); @@ -1118,11 +1112,11 @@ public class PasspointProviderTest extends WifiBaseTest { mProvider = createProvider(config); // Install certificate. - when(mKeyStore.putCertInKeyStore(CA_CERTIFICATE_NAME, FakeKeys.CA_CERT0)) - .thenReturn(true); - when(mKeyStore.putKeyInKeyStore(CLIENT_PRIVATE_KEY_NAME, FakeKeys.RSA_KEY1)) + when(mKeyStore.putCaCertInKeyStore(CA_CERTIFICATE_ALIAS, FakeKeys.CA_CERT0)) .thenReturn(true); - when(mKeyStore.putCertInKeyStore(CLIENT_CERTIFICATE_NAME, FakeKeys.CLIENT_CERT)) + when(mKeyStore.putUserPrivKeyAndCertsInKeyStore( + CLIENT_PRIVATE_KEY_AND_CERT_ALIAS, FakeKeys.RSA_KEY1, + new Certificate[] {FakeKeys.CLIENT_CERT})) .thenReturn(true); assertTrue(mProvider.installCertsAndKeys()); @@ -1146,9 +1140,9 @@ public class PasspointProviderTest extends WifiBaseTest { mProvider = createProvider(config); // Install certificate. - when(mKeyStore.putKeyInKeyStore(CLIENT_PRIVATE_KEY_NAME, FakeKeys.RSA_KEY1)) - .thenReturn(true); - when(mKeyStore.putCertInKeyStore(CLIENT_CERTIFICATE_NAME, FakeKeys.CLIENT_CERT)) + when(mKeyStore.putUserPrivKeyAndCertsInKeyStore( + CLIENT_PRIVATE_KEY_AND_CERT_ALIAS, FakeKeys.RSA_KEY1, + new Certificate[] {FakeKeys.CLIENT_CERT})) .thenReturn(true); assertTrue(mProvider.installCertsAndKeys()); |