| package com.android.server.wifi.configparse; |
| |
| import android.content.Context; |
| import android.net.Uri; |
| import android.net.wifi.WifiConfiguration; |
| import android.net.wifi.WifiEnterpriseConfig; |
| import android.telephony.SubscriptionManager; |
| import android.telephony.TelephonyManager; |
| import android.util.Base64; |
| import android.util.Log; |
| |
| import com.android.server.wifi.anqp.eap.AuthParam; |
| import com.android.server.wifi.anqp.eap.EAP; |
| import com.android.server.wifi.anqp.eap.EAPMethod; |
| import com.android.server.wifi.anqp.eap.NonEAPInnerAuth; |
| import com.android.server.wifi.hotspot2.omadm.MOManager; |
| import com.android.server.wifi.hotspot2.pps.Credential; |
| import com.android.server.wifi.hotspot2.pps.HomeSP; |
| |
| import org.xml.sax.SAXException; |
| |
| import java.io.ByteArrayInputStream; |
| import java.io.IOException; |
| import java.io.InputStreamReader; |
| import java.io.LineNumberReader; |
| import java.nio.charset.StandardCharsets; |
| import java.security.GeneralSecurityException; |
| import java.security.KeyStore; |
| import java.security.MessageDigest; |
| import java.security.PrivateKey; |
| import java.security.cert.CertPath; |
| import java.security.cert.CertPathValidator; |
| import java.security.cert.CertPathValidatorException; |
| import java.security.cert.CertPathValidatorResult; |
| import java.security.cert.Certificate; |
| import java.security.cert.CertificateFactory; |
| import java.security.cert.PKIXParameters; |
| import java.security.cert.X509Certificate; |
| import java.util.ArrayList; |
| import java.util.Arrays; |
| import java.util.Enumeration; |
| import java.util.List; |
| |
| public class ConfigBuilder { |
| public static final String WifiConfigType = "application/x-wifi-config"; |
| private static final String ProfileTag = "application/x-passpoint-profile"; |
| private static final String KeyTag = "application/x-pkcs12"; |
| private static final String CATag = "application/x-x509-ca-cert"; |
| |
| private static String X509 = "X.509"; |
| |
| private static final String TAG = "WCFG"; |
| |
| public static WifiConfiguration buildConfig(String uriString, byte[] data, Context context) |
| throws IOException, GeneralSecurityException, SAXException { |
| Log.d(TAG, "Content: " + (data != null ? data.length : -1)); |
| |
| byte[] b64 = Base64.decode(new String(data, StandardCharsets.ISO_8859_1), Base64.DEFAULT); |
| Log.d(TAG, "Decoded: " + b64.length + " bytes."); |
| |
| dropFile(Uri.parse(uriString), context); |
| |
| MIMEContainer mimeContainer = new |
| MIMEContainer(new LineNumberReader( |
| new InputStreamReader(new ByteArrayInputStream(b64), StandardCharsets.ISO_8859_1)), |
| null); |
| if (!mimeContainer.isBase64()) { |
| throw new IOException("Encoding for " + |
| mimeContainer.getContentType() + " is not base64"); |
| } |
| MIMEContainer inner; |
| if (mimeContainer.getContentType().equals(WifiConfigType)) { |
| byte[] wrappedContent = Base64.decode(mimeContainer.getText(), Base64.DEFAULT); |
| Log.d(TAG, "Building container from '" + new String(wrappedContent, StandardCharsets.ISO_8859_1) + "'"); |
| inner = new MIMEContainer(new LineNumberReader( |
| new InputStreamReader(new ByteArrayInputStream(wrappedContent), |
| StandardCharsets.ISO_8859_1)), null); |
| } |
| else { |
| inner = mimeContainer; |
| } |
| return parse(inner, context); |
| } |
| |
| private static void dropFile(Uri uri, Context context) { |
| context.getContentResolver().delete(uri, null, null); |
| } |
| |
| private static WifiConfiguration parse(MIMEContainer root, Context context) |
| throws IOException, GeneralSecurityException, SAXException { |
| |
| if (root.getMimeContainers() == null) { |
| throw new IOException("Malformed MIME content: not multipart"); |
| } |
| |
| String moText = null; |
| X509Certificate caCert = null; |
| PrivateKey clientKey = null; |
| List<X509Certificate> clientChain = null; |
| |
| for (MIMEContainer subContainer : root.getMimeContainers()) { |
| Log.d(TAG, " + Content Type: " + subContainer.getContentType()); |
| switch (subContainer.getContentType()) { |
| case ProfileTag: |
| if (subContainer.isBase64()) { |
| byte[] octets = Base64.decode(subContainer.getText(), Base64.DEFAULT); |
| moText = new String(octets, StandardCharsets.UTF_8); |
| } else { |
| moText = subContainer.getText(); |
| } |
| Log.d(TAG, "OMA: " + moText); |
| break; |
| case CATag: { |
| if (!subContainer.isBase64()) { |
| throw new IOException("Can't read non base64 encoded cert"); |
| } |
| |
| byte[] octets = Base64.decode(subContainer.getText(), Base64.DEFAULT); |
| CertificateFactory factory = CertificateFactory.getInstance(X509); |
| caCert = (X509Certificate) factory.generateCertificate( |
| new ByteArrayInputStream(octets)); |
| Log.d(TAG, "Cert subject " + caCert.getSubjectX500Principal()); |
| Log.d(TAG, "Full Cert: " + caCert); |
| break; |
| } |
| case KeyTag: { |
| if (!subContainer.isBase64()) { |
| throw new IOException("Can't read non base64 encoded key"); |
| } |
| |
| byte[] octets = Base64.decode(subContainer.getText(), Base64.DEFAULT); |
| |
| KeyStore ks = KeyStore.getInstance("PKCS12"); |
| ByteArrayInputStream in = new ByteArrayInputStream(octets); |
| ks.load(in, new char[0]); |
| in.close(); |
| Log.d(TAG, "---- Start PKCS12 info " + octets.length + ", size " + ks.size()); |
| Enumeration<String> aliases = ks.aliases(); |
| while (aliases.hasMoreElements()) { |
| String alias = aliases.nextElement(); |
| clientKey = (PrivateKey) ks.getKey(alias, null); |
| Log.d(TAG, "Key: " + clientKey.getFormat()); |
| Certificate[] chain = ks.getCertificateChain(alias); |
| if (chain != null) { |
| clientChain = new ArrayList<>(); |
| for (Certificate certificate : chain) { |
| if (!(certificate instanceof X509Certificate)) { |
| Log.w(TAG, "Element in cert chain is not an X509Certificate: " + |
| certificate.getClass()); |
| } |
| clientChain.add((X509Certificate) certificate); |
| } |
| Log.d(TAG, "Chain: " + clientChain.size()); |
| } |
| } |
| Log.d(TAG, "---- End PKCS12 info."); |
| break; |
| } |
| } |
| } |
| |
| if (moText == null) { |
| throw new IOException("Missing profile"); |
| } |
| |
| return buildConfig(moText, caCert, clientChain, clientKey, context); |
| } |
| |
| private static WifiConfiguration buildConfig(String text, X509Certificate caCert, |
| List<X509Certificate> clientChain, PrivateKey key, |
| Context context) |
| throws IOException, SAXException, GeneralSecurityException { |
| |
| HomeSP homeSP = MOManager.buildSP(text); |
| Credential credential = homeSP.getCredential(); |
| |
| WifiConfiguration config; |
| |
| EAP.EAPMethodID eapMethodID = credential.getEAPMethod().getEAPMethodID(); |
| switch (eapMethodID) { |
| case EAP_TTLS: |
| if (key != null || clientChain != null) { |
| Log.w(TAG, "Client cert and/or key included with EAP-TTLS profile"); |
| } |
| config = buildTTLSConfig(homeSP, caCert); |
| break; |
| case EAP_TLS: |
| config = buildTLSConfig(homeSP, caCert, clientChain, key); |
| break; |
| case EAP_AKA: |
| case EAP_AKAPrim: |
| case EAP_SIM: |
| if (key != null || clientChain != null || caCert != null) { |
| Log.i(TAG, "Client/CA cert and/or key included with " + |
| eapMethodID + " profile"); |
| } |
| config = buildSIMConfig(homeSP, context); |
| break; |
| default: |
| throw new IOException("Unsupported EAP Method: " + eapMethodID); |
| } |
| |
| WifiEnterpriseConfig enterpriseConfig = config.enterpriseConfig; |
| |
| if (caCert != null && (eapMethodID == EAP.EAPMethodID.EAP_TLS || |
| eapMethodID == EAP.EAPMethodID.EAP_TTLS)) { |
| CertificateFactory factory = CertificateFactory.getInstance(X509); |
| CertPathValidator validator = |
| CertPathValidator.getInstance(CertPathValidator.getDefaultType()); |
| CertPath path = factory.generateCertPath( |
| Arrays.asList(enterpriseConfig.getCaCertificate())); |
| Log.i(TAG, "Trying AndroidCAStore"); |
| KeyStore ks = KeyStore.getInstance("AndroidCAStore"); |
| ks.load(null, null); |
| PKIXParameters params = new PKIXParameters(ks); |
| params.setRevocationEnabled(false); |
| try { |
| validator.validate(path, params); |
| enterpriseConfig.setCaCertificate(caCert); |
| Log.d(TAG, "Cert validation succeeded"); |
| } |
| catch (CertPathValidatorException cpve) { |
| Log.d(TAG, "Cert validation failed: " + cpve); |
| enterpriseConfig.setCaCertificate(null); |
| } |
| } |
| |
| enterpriseConfig.setAnonymousIdentity("anonymous@" + credential.getRealm()); |
| enterpriseConfig.setRealm(credential.getRealm()); |
| enterpriseConfig.setDomainSuffixMatch(homeSP.getFQDN()); |
| |
| return config; |
| } |
| |
| private static WifiConfiguration buildTTLSConfig(HomeSP homeSP, X509Certificate caCert) |
| throws IOException { |
| Credential credential = homeSP.getCredential(); |
| |
| if (credential.getUserName() == null || credential.getPassword() == null) { |
| throw new IOException("EAP-TTLS provisioned without user name or password"); |
| } |
| |
| EAPMethod eapMethod = credential.getEAPMethod(); |
| |
| AuthParam authParam = eapMethod.getAuthParam(); |
| if (authParam == null || |
| authParam.getAuthInfoID() != EAP.AuthInfoID.NonEAPInnerAuthType) { |
| throw new IOException("Bad auth parameter for EAP-TTLS: " + authParam); |
| } |
| |
| WifiConfiguration config = buildBaseConfiguration(homeSP); |
| NonEAPInnerAuth ttlsParam = (NonEAPInnerAuth) authParam; |
| WifiEnterpriseConfig enterpriseConfig = config.enterpriseConfig; |
| enterpriseConfig.setPhase2Method(remapInnerMethod(ttlsParam.getType())); |
| enterpriseConfig.setIdentity(credential.getUserName()); |
| enterpriseConfig.setPassword(credential.getPassword()); |
| |
| return config; |
| } |
| |
| private static WifiConfiguration buildTLSConfig(HomeSP homeSP, X509Certificate caCert, |
| List<X509Certificate> clientChain, |
| PrivateKey clientKey) |
| throws IOException, GeneralSecurityException { |
| |
| Credential credential = homeSP.getCredential(); |
| |
| X509Certificate clientCertificate = null; |
| |
| if (clientKey == null || clientChain == null) { |
| throw new IOException("No key and/or cert passed for EAP-TLS"); |
| } |
| if (credential.getCertType() != Credential.CertType.x509v3) { |
| throw new IOException("Invalid certificate type for TLS: " + |
| credential.getCertType()); |
| } |
| |
| byte[] reference = credential.getFingerPrint(); |
| MessageDigest digester = MessageDigest.getInstance("SHA-256"); |
| for (X509Certificate certificate : clientChain) { |
| digester.reset(); |
| byte[] fingerprint = digester.digest(certificate.getEncoded()); |
| if (Arrays.equals(reference, fingerprint)) { |
| clientCertificate = certificate; |
| break; |
| } |
| } |
| if (clientCertificate == null) { |
| throw new IOException("No certificate in chain matches supplied fingerprint"); |
| } |
| |
| String alias = Base64.encodeToString(reference, Base64.DEFAULT); |
| |
| WifiConfiguration config = buildBaseConfiguration(homeSP); |
| WifiEnterpriseConfig enterpriseConfig = config.enterpriseConfig; |
| enterpriseConfig.setClientCertificateAlias(alias); |
| enterpriseConfig.setClientKeyEntry(clientKey, clientCertificate); |
| |
| return config; |
| } |
| |
| private static WifiConfiguration buildSIMConfig(HomeSP homeSP, Context context) |
| throws IOException { |
| |
| Credential credential = homeSP.getCredential(); |
| String credImsi = credential.getImsi(); |
| |
| TelephonyManager tm = TelephonyManager.from(context); |
| SubscriptionManager sub = SubscriptionManager.from(context); |
| boolean match = false; |
| |
| for (int subId : sub.getActiveSubscriptionIdList()) { |
| String imsi = tm.getSubscriberId(subId); |
| Log.d(TAG, "Checking imsi '" + imsi + "'"); |
| if (credImsi.equals(imsi)) { |
| match = true; |
| break; |
| } |
| } |
| if (!match) { |
| throw new IOException("Supplied IMSI does not match any SIM card"); |
| } |
| |
| WifiConfiguration config = buildBaseConfiguration(homeSP); |
| config.enterpriseConfig.setPlmn(credImsi); |
| return config; |
| } |
| |
| private static WifiConfiguration buildBaseConfiguration(HomeSP homeSP) throws IOException { |
| EAP.EAPMethodID eapMethodID = homeSP.getCredential().getEAPMethod().getEAPMethodID(); |
| |
| WifiConfiguration config = new WifiConfiguration(); |
| |
| config.FQDN = homeSP.getFQDN(); |
| config.roamingConsortiumIds = homeSP.getRoamingConsortiums(); |
| config.providerFriendlyName = homeSP.getFriendlyName(); |
| |
| config.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.WPA_EAP); |
| config.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.IEEE8021X); |
| |
| WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig(); |
| enterpriseConfig.setEapMethod(remapEAPMethod(eapMethodID)); |
| enterpriseConfig.setRealm(homeSP.getCredential().getRealm()); |
| config.enterpriseConfig = enterpriseConfig; |
| |
| return config; |
| } |
| |
| private static int remapEAPMethod(EAP.EAPMethodID eapMethodID) throws IOException { |
| switch (eapMethodID) { |
| case EAP_TTLS: |
| return WifiEnterpriseConfig.Eap.TTLS; |
| case EAP_TLS: |
| return WifiEnterpriseConfig.Eap.TLS; |
| case EAP_SIM: |
| return WifiEnterpriseConfig.Eap.SIM; |
| case EAP_AKA: |
| return WifiEnterpriseConfig.Eap.AKA; |
| case EAP_AKAPrim: |
| return WifiEnterpriseConfig.Eap.AKA_PRIME; |
| default: |
| throw new IOException("Bad EAP method: " + eapMethodID); |
| } |
| } |
| |
| private static int remapInnerMethod(NonEAPInnerAuth.NonEAPType type) throws IOException { |
| switch (type) { |
| case PAP: |
| return WifiEnterpriseConfig.Phase2.PAP; |
| case MSCHAP: |
| return WifiEnterpriseConfig.Phase2.MSCHAP; |
| case MSCHAPv2: |
| return WifiEnterpriseConfig.Phase2.MSCHAPV2; |
| case CHAP: |
| default: |
| throw new IOException("Inner method " + type + " not supported"); |
| } |
| } |
| } |