7 files changed, 263 insertions, 21 deletions

diff --git a/service/Android.bp b/service/Android.bp
index f54e406e9..0d6e25301 100644
--- a/service/Android.bp
+++ b/service/Android.bp
@@ -105,6 +105,7 @@ java_library {
         "android.hardware.wifi.supplicant-V1.0-java",
         "android.hardware.wifi.supplicant-V1.1-java",
         "android.hardware.wifi.supplicant-V1.2-java",
+        "android.hardware.wifi.supplicant-V1.3-java",
         "android.hidl.manager-V1.2-java",
 	"androidx.annotation_annotation",
         "wifi_service_proto",
diff --git a/service/java/com/android/server/wifi/SupplicantStaNetworkHal.java b/service/java/com/android/server/wifi/SupplicantStaNetworkHal.java
index 9255fc231..696f60eeb 100644
--- a/service/java/com/android/server/wifi/SupplicantStaNetworkHal.java
+++ b/service/java/com/android/server/wifi/SupplicantStaNetworkHal.java
@@ -22,6 +22,7 @@ import android.hardware.wifi.supplicant.V1_0.SupplicantStatus;
 import android.hardware.wifi.supplicant.V1_0.SupplicantStatusCode;
 import android.net.wifi.WifiConfiguration;
 import android.net.wifi.WifiEnterpriseConfig;
+import android.net.wifi.WifiEnterpriseConfig.Ocsp;
 import android.os.HidlSupport.Mutable;
 import android.os.RemoteException;
 import android.text.TextUtils;
@@ -130,6 +131,7 @@ public class SupplicantStaNetworkHal {
     private boolean mEapEngine;
     private String mEapEngineID;
     private String mEapDomainSuffixMatch;
+    private @Ocsp int mOcsp;
 
     SupplicantStaNetworkHal(ISupplicantStaNetwork iSupplicantStaNetwork, String ifaceName,
             Context context, WifiMonitor monitor) {
@@ -504,6 +506,10 @@ public class SupplicantStaNetworkHal {
             if (getEapCACert() && !TextUtils.isEmpty(mEapCACert)) {
                 eapConfig.setFieldValue(WifiEnterpriseConfig.CA_CERT_KEY, mEapCACert);
             }
+            /** EAP OCSP type */
+            if (getOcsp()) {
+                eapConfig.setOcsp(mOcsp);
+            }
             /** EAP Subject Match */
             if (getEapSubjectMatch() && !TextUtils.isEmpty(mEapSubjectMatch)) {
                 eapConfig.setFieldValue(WifiEnterpriseConfig.SUBJECT_MATCH_KEY, mEapSubjectMatch);
@@ -694,6 +700,16 @@ public class SupplicantStaNetworkHal {
                 return false;
             }
 
+            /**
+             * OCSP (Online Certificate Status Protocol)
+             * For older HAL compatibility, omit this step to avoid breaking
+             * connection flow.
+             */
+            if (getV1_3StaNetwork() != null && !setOcsp(eapConfig.getOcsp())) {
+                Log.e(TAG, "failed to set ocsp");
+                return false;
+            }
+
             return true;
         }
     }
@@ -704,6 +720,12 @@ public class SupplicantStaNetworkHal {
         }
     }
 
+    private android.hardware.wifi.supplicant.V1_3.ISupplicantStaNetwork getV1_3StaNetwork() {
+        synchronized (mLock) {
+            return getSupplicantStaNetworkForV1_3Mockable();
+        }
+    }
+
     /**
      * Maps WifiConfiguration Key Management BitSet to Supplicant HIDL bitmask int
      * TODO(b/32571829): Update mapping when fast transition keys are added
@@ -2839,6 +2861,19 @@ public class SupplicantStaNetworkHal {
     }
 
     /**
+     * Method to mock out the V1_3 ISupplicantStaNetwork retrieval in unit tests.
+     *
+     * @return 1.3 ISupplicantStaNetwork object if the device is running the 1.3 supplicant hal
+     * service, null otherwise.
+     */
+    protected android.hardware.wifi.supplicant.V1_3.ISupplicantStaNetwork
+            getSupplicantStaNetworkForV1_3Mockable() {
+        if (mISupplicantStaNetwork == null) return null;
+        return android.hardware.wifi.supplicant.V1_3.ISupplicantStaNetwork.castFrom(
+                mISupplicantStaNetwork);
+    }
+
+    /**
      * Send eap identity response.
      *
      * @param identityStr          identity used for EAP-Identity
@@ -2891,6 +2926,99 @@ public class SupplicantStaNetworkHal {
         }
     }
 
+    /** See ISupplicantStaNetwork.hal for documentation */
+    private boolean setOcsp(@Ocsp int ocsp) {
+        synchronized (mLock) {
+            final String methodStr = "setOcsp";
+            if (!checkISupplicantStaNetworkAndLogFailure(methodStr)) return false;
+
+            int halOcspValue = android.hardware.wifi.supplicant.V1_3.OcspType.NONE;
+            switch (ocsp) {
+                case WifiEnterpriseConfig.OCSP_REQUEST_CERT_STATUS:
+                    halOcspValue = android.hardware.wifi.supplicant.V1_3
+                            .OcspType.REQUEST_CERT_STATUS;
+                    break;
+                case WifiEnterpriseConfig.OCSP_REQUIRE_CERT_STATUS:
+                    halOcspValue = android.hardware.wifi.supplicant.V1_3
+                            .OcspType.REQUIRE_CERT_STATUS;
+                    break;
+                case WifiEnterpriseConfig.OCSP_REQUIRE_ALL_NON_TRUSTED_CERTS_STATUS:
+                    halOcspValue = android.hardware.wifi.supplicant.V1_3
+                            .OcspType.REQUIRE_ALL_CERTS_STATUS;
+                    break;
+            }
+            try {
+                android.hardware.wifi.supplicant.V1_3.ISupplicantStaNetwork
+                        iSupplicantStaNetworkV13;
+
+                iSupplicantStaNetworkV13 = getV1_3StaNetwork();
+                if (iSupplicantStaNetworkV13 != null) {
+                    /* Support for OCSP Requires HAL v1.3 or higher */
+                    SupplicantStatus status = iSupplicantStaNetworkV13
+                            .setOcsp(halOcspValue);
+                    return checkStatusAndLogFailure(status, methodStr);
+                } else {
+                    Log.e(TAG, "Cannot get ISupplicantStaNetwork V1.3");
+                    return false;
+                }
+            } catch (RemoteException e) {
+                handleRemoteException(e, methodStr);
+                return false;
+            }
+        }
+    }
+
+    /** See ISupplicantStaNetwork.hal for documentation */
+    private boolean getOcsp() {
+        synchronized (mLock) {
+            final String methodStr = "getOcsp";
+            if (!checkISupplicantStaNetworkAndLogFailure(methodStr)) return false;
+
+            try {
+                android.hardware.wifi.supplicant.V1_3.ISupplicantStaNetwork
+                        iSupplicantStaNetworkV13;
+                iSupplicantStaNetworkV13 = getV1_3StaNetwork();
+                if (iSupplicantStaNetworkV13 != null) {
+                    MutableBoolean statusOk = new MutableBoolean(false);
+                    iSupplicantStaNetworkV13.getOcsp((SupplicantStatus status,
+                            int halOcspValue) -> {
+                        statusOk.value = status.code == SupplicantStatusCode.SUCCESS;
+                        if (statusOk.value) {
+                            mOcsp = WifiEnterpriseConfig.OCSP_NONE;
+                            switch (halOcspValue) {
+                                case android.hardware.wifi.supplicant.V1_3
+                                        .OcspType.REQUEST_CERT_STATUS:
+                                    mOcsp = WifiEnterpriseConfig.OCSP_REQUEST_CERT_STATUS;
+                                    break;
+                                case android.hardware.wifi.supplicant.V1_3
+                                        .OcspType.REQUIRE_CERT_STATUS:
+                                    mOcsp = WifiEnterpriseConfig.OCSP_REQUIRE_CERT_STATUS;
+                                    break;
+                                case android.hardware.wifi.supplicant.V1_3
+                                        .OcspType.REQUIRE_ALL_CERTS_STATUS:
+                                    mOcsp = WifiEnterpriseConfig
+                                            .OCSP_REQUIRE_ALL_NON_TRUSTED_CERTS_STATUS;
+                                    break;
+                                default:
+                                    Log.e(TAG, "Invalid HAL OCSP value " + halOcspValue);
+                                    break;
+                            }
+                        } else {
+                            checkStatusAndLogFailure(status, methodStr);
+                        }
+                    });
+                    return statusOk.value;
+                } else {
+                    Log.e(TAG, "Cannot get ISupplicantStaNetwork V1.3");
+                    return false;
+                }
+            } catch (RemoteException e) {
+                handleRemoteException(e, methodStr);
+                return false;
+            }
+        }
+    }
+
     /**
      * Retrieve the NFC token for this network.
      *
diff --git a/service/java/com/android/server/wifi/hotspot2/PasspointProvider.java b/service/java/com/android/server/wifi/hotspot2/PasspointProvider.java
index a797f5fcc..753b9a53e 100644
--- a/service/java/com/android/server/wifi/hotspot2/PasspointProvider.java
+++ b/service/java/com/android/server/wifi/hotspot2/PasspointProvider.java
@@ -418,6 +418,13 @@ public class PasspointProvider {
             enterpriseConfig.setCaCertificateAliases(new String[] {SYSTEM_CA_STORE_PATH});
         }
         wifiConfig.enterpriseConfig = enterpriseConfig;
+        // PPS MO Credential/CheckAAAServerCertStatus node contains a flag which indicates
+        // if the mobile device needs to check the AAA server certificate's revocation status
+        // during EAP authentication.
+        if (mConfig.getCredential().getCheckAaaServerCertStatus()) {
+            // Check server certificate using OCSP (Online Certificate Status Protocol).
+            wifiConfig.enterpriseConfig.setOcsp(WifiEnterpriseConfig.OCSP_REQUIRE_CERT_STATUS);
+        }
         wifiConfig.shared = mIsShared;
         return wifiConfig;
     }
diff --git a/service/java/com/android/server/wifi/util/XmlUtil.java b/service/java/com/android/server/wifi/util/XmlUtil.java
index 188d3b5c7..074330b44 100644
--- a/service/java/com/android/server/wifi/util/XmlUtil.java
+++ b/service/java/com/android/server/wifi/util/XmlUtil.java
@@ -1017,6 +1017,7 @@ public class XmlUtil {
         public static final String XML_TAG_PHASE2_METHOD = "Phase2Method";
         public static final String XML_TAG_PLMN = "PLMN";
         public static final String XML_TAG_REALM = "Realm";
+        public static final String XML_TAG_OCSP = "Ocsp";
 
         /**
          * Write the WifiEnterpriseConfig data elements from the provided config to the XML
@@ -1055,6 +1056,7 @@ public class XmlUtil {
             XmlUtil.writeNextValue(out, XML_TAG_PHASE2_METHOD, enterpriseConfig.getPhase2Method());
             XmlUtil.writeNextValue(out, XML_TAG_PLMN, enterpriseConfig.getPlmn());
             XmlUtil.writeNextValue(out, XML_TAG_REALM, enterpriseConfig.getRealm());
+            XmlUtil.writeNextValue(out, XML_TAG_OCSP, enterpriseConfig.getOcsp());
         }
 
         /**
@@ -1124,6 +1126,9 @@ public class XmlUtil {
                         enterpriseConfig.setFieldValue(
                                 WifiEnterpriseConfig.CA_PATH_KEY, (String) value);
                         break;
+                    case XML_TAG_OCSP:
+                        enterpriseConfig.setOcsp((int) value);
+                        break;
                     case XML_TAG_EAP_METHOD:
                         enterpriseConfig.setEapMethod((int) value);
                         break;
diff --git a/tests/wifitests/src/com/android/server/wifi/NetworkListStoreDataTest.java b/tests/wifitests/src/com/android/server/wifi/NetworkListStoreDataTest.java
index 7336c4119..87eff41e3 100644
--- a/tests/wifitests/src/com/android/server/wifi/NetworkListStoreDataTest.java
+++ b/tests/wifitests/src/com/android/server/wifi/NetworkListStoreDataTest.java
@@ -186,6 +186,7 @@ public class NetworkListStoreDataTest {
                     + "<int name=\"Phase2Method\" value=\"0\" />\n"
                     + "<string name=\"PLMN\"></string>\n"
                     + "<string name=\"Realm\"></string>\n"
+                    + "<int name=\"Ocsp\" value=\"0\" />\n"
                     + "</WifiEnterpriseConfiguration>\n"
                     + "</Network>\n";
 
diff --git a/tests/wifitests/src/com/android/server/wifi/SupplicantStaNetworkHalTest.java b/tests/wifitests/src/com/android/server/wifi/SupplicantStaNetworkHalTest.java
index 796dce1df..0073695ba 100644
--- a/tests/wifitests/src/com/android/server/wifi/SupplicantStaNetworkHalTest.java
+++ b/tests/wifitests/src/com/android/server/wifi/SupplicantStaNetworkHalTest.java
@@ -79,6 +79,8 @@ public class SupplicantStaNetworkHalTest {
     @Mock private ISupplicantStaNetwork mISupplicantStaNetworkMock;
     @Mock
     private android.hardware.wifi.supplicant.V1_2.ISupplicantStaNetwork mISupplicantStaNetworkV12;
+    @Mock
+    private android.hardware.wifi.supplicant.V1_3.ISupplicantStaNetwork mISupplicantStaNetworkV13;
     @Mock private Context mContext;
     @Mock private WifiMonitor mWifiMonitor;
 
@@ -86,6 +88,12 @@ public class SupplicantStaNetworkHalTest {
     private MockResources mResources;
     private ISupplicantStaNetworkCallback mISupplicantStaNetworkCallback;
 
+    enum SupplicantStaNetworkVersion {
+        V1_0,
+        V1_2,
+        V1_3,
+    }
+
     /**
      * Spy used to return the V1_2 ISupplicantStaNetwork mock object to simulate the 1.2 HAL running
      * on the device.
@@ -104,6 +112,24 @@ public class SupplicantStaNetworkHalTest {
         }
     }
 
+    /**
+     * Spy used to return the V1_3 ISupplicantStaNetwork mock object to simulate the 1.3 HAL running
+     * on the device.
+     */
+    private class SupplicantStaNetworkHalSpyV1_3 extends SupplicantStaNetworkHalSpyV1_2 {
+        SupplicantStaNetworkHalSpyV1_3(ISupplicantStaNetwork iSupplicantStaNetwork,
+                String ifaceName,
+                Context context, WifiMonitor monitor) {
+            super(iSupplicantStaNetwork, ifaceName, context, monitor);
+        }
+
+        @Override
+        protected android.hardware.wifi.supplicant.V1_3.ISupplicantStaNetwork
+                getSupplicantStaNetworkForV1_3Mockable() {
+            return mISupplicantStaNetworkV13;
+        }
+    }
+
     @Before
     public void setUp() throws Exception {
         MockitoAnnotations.initMocks(this);
@@ -114,7 +140,7 @@ public class SupplicantStaNetworkHalTest {
 
         mResources = new MockResources();
         when(mContext.getResources()).thenReturn(mResources);
-        createSupplicantStaNetwork();
+        createSupplicantStaNetwork(SupplicantStaNetworkVersion.V1_0);
     }
 
     /**
@@ -123,8 +149,7 @@ public class SupplicantStaNetworkHalTest {
     @Test
     public void testOweNetworkWifiConfigurationSaveLoad() throws Exception {
         // Now expose the V1.2 ISupplicantStaNetwork
-        mSupplicantNetwork = new SupplicantStaNetworkHalSpyV1_2(mISupplicantStaNetworkMock,
-                IFACE_NAME, mContext, mWifiMonitor);
+        createSupplicantStaNetwork(SupplicantStaNetworkVersion.V1_2);
 
         WifiConfiguration config = WifiConfigurationTestUtil.createOweNetwork();
         config.updateIdentifier = "46";
@@ -147,8 +172,7 @@ public class SupplicantStaNetworkHalTest {
     @Test
     public void testSaePasswordNetworkWifiConfigurationSaveLoad() throws Exception {
         // Now expose the V1.2 ISupplicantStaNetwork
-        mSupplicantNetwork = new SupplicantStaNetworkHalSpyV1_2(mISupplicantStaNetworkMock,
-                IFACE_NAME, mContext, mWifiMonitor);
+        createSupplicantStaNetwork(SupplicantStaNetworkVersion.V1_2);
 
         WifiConfiguration config = WifiConfigurationTestUtil.createSaeNetwork();
         testWifiConfigurationSaveLoad(config);
@@ -257,6 +281,23 @@ public class SupplicantStaNetworkHalTest {
      * Tests the saving of WifiConfiguration to wpa_supplicant.
      */
     @Test
+    public void testEapTlsNoneClientCertNetworkWithOcspWifiConfigurationSaveLoad()
+            throws Exception {
+        // Now expose the V1.3 ISupplicantStaNetwork
+        createSupplicantStaNetwork(SupplicantStaNetworkVersion.V1_3);
+
+        WifiConfiguration config = WifiConfigurationTestUtil.createEapNetwork();
+        config.enterpriseConfig =
+                WifiConfigurationTestUtil.createTLSWifiEnterpriseConfigWithNonePhase2();
+        config.enterpriseConfig.setClientCertificateAlias("test_alias");
+        config.enterpriseConfig.setOcsp(WifiEnterpriseConfig.OCSP_REQUIRE_CERT_STATUS);
+        testWifiConfigurationSaveLoad(config);
+    }
+
+    /**
+     * Tests the saving of WifiConfiguration to wpa_supplicant.
+     */
+    @Test
     public void testEapTlsAkaNetworkWifiConfigurationSaveLoad() throws Exception {
         WifiConfiguration config = WifiConfigurationTestUtil.createEapNetwork();
         config.enterpriseConfig =
@@ -270,8 +311,7 @@ public class SupplicantStaNetworkHalTest {
     @Test
     public void testEapSuiteBRsaNetworkWifiConfigurationSaveLoad() throws Exception {
         // Now expose the V1.2 ISupplicantStaNetwork
-        mSupplicantNetwork = new SupplicantStaNetworkHalSpyV1_2(mISupplicantStaNetworkMock,
-                IFACE_NAME, mContext, mWifiMonitor);
+        createSupplicantStaNetwork(SupplicantStaNetworkVersion.V1_2);
 
         WifiConfiguration config = WifiConfigurationTestUtil.createEapSuiteBNetwork();
         config.allowedSuiteBCiphers.set(WifiConfiguration.SuiteBCipher.ECDHE_RSA);
@@ -297,8 +337,7 @@ public class SupplicantStaNetworkHalTest {
     @Test
     public void testEapSuiteBEcdsaNetworkWifiConfigurationSaveLoad() throws Exception {
         // Now expose the V1.2 ISupplicantStaNetwork
-        mSupplicantNetwork = new SupplicantStaNetworkHalSpyV1_2(mISupplicantStaNetworkMock,
-                IFACE_NAME, mContext, mWifiMonitor);
+        createSupplicantStaNetwork(SupplicantStaNetworkVersion.V1_2);
 
         WifiConfiguration config = WifiConfigurationTestUtil.createEapSuiteBNetwork();
         config.allowedSuiteBCiphers.set(WifiConfiguration.SuiteBCipher.ECDHE_ECDSA);
@@ -732,8 +771,7 @@ public class SupplicantStaNetworkHalTest {
                 any(ArrayList.class), any(ArrayList.class));
 
         // Now expose the V1.2 ISupplicantStaNetwork
-        mSupplicantNetwork = new SupplicantStaNetworkHalSpyV1_2(mISupplicantStaNetworkMock,
-                IFACE_NAME, mContext, mWifiMonitor);
+        createSupplicantStaNetwork(SupplicantStaNetworkVersion.V1_2);
         doAnswer(new AnswerWithArguments() {
             public SupplicantStatus answer(ArrayList<Byte> identity,
                     ArrayList<Byte> encryptedIdentity)
@@ -755,7 +793,7 @@ public class SupplicantStaNetworkHalTest {
     @Test
     public void testAddFtPskFlags() throws Exception {
         mResources.setBoolean(R.bool.config_wifi_fast_bss_transition_enabled, true);
-        createSupplicantStaNetwork();
+        createSupplicantStaNetwork(SupplicantStaNetworkVersion.V1_0);
 
         WifiConfiguration config = WifiConfigurationTestUtil.createPskNetwork();
         assertTrue(mSupplicantNetwork.saveWifiConfiguration(config));
@@ -777,7 +815,7 @@ public class SupplicantStaNetworkHalTest {
     @Test
     public void testAddFtEapFlags() throws Exception {
         mResources.setBoolean(R.bool.config_wifi_fast_bss_transition_enabled, true);
-        createSupplicantStaNetwork();
+        createSupplicantStaNetwork(SupplicantStaNetworkVersion.V1_0);
 
         WifiConfiguration config = WifiConfigurationTestUtil.createEapNetwork();
         assertTrue(mSupplicantNetwork.saveWifiConfiguration(config));
@@ -800,8 +838,7 @@ public class SupplicantStaNetworkHalTest {
     public void testAddPskSha256Flags() throws Exception {
         WifiConfiguration config = WifiConfigurationTestUtil.createPskNetwork();
         // Now expose the V1.2 ISupplicantStaNetwork
-        mSupplicantNetwork = new SupplicantStaNetworkHalSpyV1_2(mISupplicantStaNetworkMock,
-                IFACE_NAME, mContext, mWifiMonitor);
+        createSupplicantStaNetwork(SupplicantStaNetworkVersion.V1_2);
         assertTrue(mSupplicantNetwork.saveWifiConfiguration(config));
 
         // Check the supplicant variables to ensure that we have added the SHA256 flags.
@@ -824,8 +861,7 @@ public class SupplicantStaNetworkHalTest {
     public void testAddEapSha256Flags() throws Exception {
         WifiConfiguration config = WifiConfigurationTestUtil.createEapNetwork();
         // Now expose the V1.2 ISupplicantStaNetwork
-        mSupplicantNetwork = new SupplicantStaNetworkHalSpyV1_2(mISupplicantStaNetworkMock,
-                IFACE_NAME, mContext, mWifiMonitor);
+        createSupplicantStaNetwork(SupplicantStaNetworkVersion.V1_2);
         assertTrue(mSupplicantNetwork.saveWifiConfiguration(config));
 
         // Check the supplicant variables to ensure that we have added the SHA256 flags.
@@ -872,6 +908,23 @@ public class SupplicantStaNetworkHalTest {
     }
 
     /**
+     * Tests OCSP status is ignored on HAL v1.2 or lower
+     */
+    @Test
+    public void testOcspStatusHal1_2OrLower() throws Exception {
+        WifiConfiguration config = WifiConfigurationTestUtil.createEapNetwork();
+        config.enterpriseConfig =
+                WifiConfigurationTestUtil.createTLSWifiEnterpriseConfigWithNonePhase2();
+        config.enterpriseConfig.setClientCertificateAlias("test_alias");
+        config.enterpriseConfig.setOcsp(WifiEnterpriseConfig.OCSP_REQUIRE_CERT_STATUS);
+
+        assertTrue(mSupplicantNetwork.saveWifiConfiguration(config));
+
+        // Check the supplicant variables to ensure that we have NOT change the OCSP status.
+        assertEquals(WifiEnterpriseConfig.OCSP_NONE, mSupplicantVariables.ocsp);
+    }
+
+    /**
      * Tests the retrieval of WPS NFC token.
      */
     @Test
@@ -1565,6 +1618,24 @@ public class SupplicantStaNetworkHalTest {
                 return mStatusSuccess;
             }
         }).when(mISupplicantStaNetworkV12).enableSuiteBEapOpenSslCiphers();
+
+        /** OCSP */
+        doAnswer(new AnswerWithArguments() {
+            public SupplicantStatus answer(int ocsp) throws RemoteException {
+                mSupplicantVariables.ocsp = ocsp;
+                return mStatusSuccess;
+            }
+        }).when(mISupplicantStaNetworkV13).setOcsp(any(int.class));
+        doAnswer(new AnswerWithArguments() {
+            public void answer(
+                    android.hardware.wifi.supplicant.V1_3.ISupplicantStaNetwork.getOcspCallback cb)
+                    throws RemoteException {
+                cb.onValues(mStatusSuccess, mSupplicantVariables.ocsp);
+            }
+        }).when(mISupplicantStaNetworkV13)
+                .getOcsp(any(android.hardware.wifi.supplicant.V1_3.ISupplicantStaNetwork
+                        .getOcspCallback.class));
+
     }
 
     private SupplicantStatus createSupplicantStatus(int code) {
@@ -1576,10 +1647,21 @@ public class SupplicantStaNetworkHalTest {
     /**
      * Need this for tests which wants to manipulate context before creating the instance.
      */
-    private void createSupplicantStaNetwork() {
-        mSupplicantNetwork =
-                new SupplicantStaNetworkHal(mISupplicantStaNetworkMock, IFACE_NAME, mContext,
-                        mWifiMonitor);
+    private void createSupplicantStaNetwork(SupplicantStaNetworkVersion version) {
+        switch (version) {
+            case V1_0:
+                mSupplicantNetwork = new SupplicantStaNetworkHal(
+                        mISupplicantStaNetworkMock, IFACE_NAME, mContext, mWifiMonitor);
+                break;
+            case V1_2:
+                mSupplicantNetwork = new SupplicantStaNetworkHalSpyV1_2(
+                        mISupplicantStaNetworkMock, IFACE_NAME, mContext, mWifiMonitor);
+                break;
+            case V1_3:
+                mSupplicantNetwork = new SupplicantStaNetworkHalSpyV1_3(
+                        mISupplicantStaNetworkMock, IFACE_NAME, mContext, mWifiMonitor);
+                break;
+        }
         mSupplicantNetwork.enableVerboseLogging(true);
     }
 
@@ -1616,5 +1698,6 @@ public class SupplicantStaNetworkHalTest {
         public String eapEngineID;
         public String eapDomainSuffixMatch;
         public boolean eapProactiveKeyCaching;
+        public int ocsp;
     }
 }
diff --git a/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointProviderTest.java b/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointProviderTest.java
index c73e0d105..6911db801 100644
--- a/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointProviderTest.java
+++ b/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointProviderTest.java
@@ -364,6 +364,13 @@ public class PasspointProviderTest {
             } else {
                 assertEquals(CA_CERTIFICATE_ALIAS, wifiEnterpriseConfig.getCaCertificateAlias());
             }
+            if (passpointConfig.getCredential().getCheckAaaServerCertStatus()) {
+                assertEquals(wifiEnterpriseConfig.getOcsp(),
+                        WifiEnterpriseConfig.OCSP_REQUIRE_CERT_STATUS);
+            } else {
+                assertEquals(wifiEnterpriseConfig.getOcsp(),
+                        WifiEnterpriseConfig.OCSP_NONE);
+            }
         } else if (credential.getCertCredential() != null) {
             Credential.CertificateCredential certCredential = credential.getCertCredential();
             assertEquals("anonymous@" + credential.getRealm(),
@@ -391,6 +398,13 @@ public class PasspointProviderTest {
                 assertTrue(Arrays.equals(new String[] {SYSTEM_CA_STORE_PATH},
                         wifiEnterpriseConfig.getCaCertificateAliases()));
             }
+            if (passpointConfig.getCredential().getCheckAaaServerCertStatus()) {
+                assertEquals(wifiEnterpriseConfig.getOcsp(),
+                        WifiEnterpriseConfig.OCSP_REQUIRE_CERT_STATUS);
+            } else {
+                assertEquals(wifiEnterpriseConfig.getOcsp(),
+                        WifiEnterpriseConfig.OCSP_NONE);
+            }
         } else if (credential.getSimCredential() != null) {
             Credential.SimCredential simCredential = credential.getSimCredential();
             switch (simCredential.getEapType()) {
@@ -1021,6 +1035,9 @@ public class PasspointProviderTest {
         PasspointConfiguration config = generateTestPasspointConfiguration(
                 CredentialType.USER, false);
         config.setAaaServerTrustedNames(TEST_TRUSTED_NAME);
+        Credential credential = config.getCredential();
+        // OCSP (Online Certificate Status Protocol) is required.
+        credential.setCheckAaaServerCertStatus(true);
         mProvider = createProvider(config);
 
         // Install certificate.