Google Git
Sign in
android / platform / packages / apps / Settings / 2b16cd3
commit2b16cd3920f95b2cd5c2426d81b5e1584ffc682d[log] [tgz]
authorSamuel Tan <samueltan@google.com>Tue Feb 02 15:54:37 2016 -0800
committerSamuel Tan <samueltan@google.com>Mon Feb 08 08:54:42 2016 -0800
tree6a552431856967a120587242f9e79e78a8c0883e
parent3d8cdb10f6103a794e4cb68adb5de03a325d1c8f [diff]
Allow trusted system certificates to be used in EAP network configs

Add an option to the "CA certificate" field of the EAP network
configuration menu, "Use system certificates". Choosing this option
will cause the trusted, pre-installed, system CA certificates
to be used to validate EAP servers during the authentication process.
This only applies to EAP-TLS, EAP-TTLS, and EAP-PEAP network
configurations, where the CA certificate option is available.

If the user selects "Use system certificates" and leaves the
"Domain" field empty, display a warning and prevent the
EAP network configuration from being saved. Such a configuration
would be insecure--the user should constrain the domain that
the system certificates can be used to validate.

BUG: 26879191
TEST: 1)  Set up AP connected to test RADIUS server.
TEST: 2)  Generate a self-signed cert (Cert 1)
TEST: 3)  Use Cert 1 to sign another cert (Cert 2) with common name
          "sub1.sub2.domain.com"
TEST: 4)  Setup RADIUS server, and configure it to present Cert 2 to EAP peer.
TEST: 5)  Build angler image with Cert 1 installed in
          /system/etc/security/cacerts/
TEST: 6)  Set up an AP connected to the RADIUS server to broadcast
          a WPA-Enterprise network.
TEST: 7)  On Angler, connect to this WPA-Enterprise network with settings:
            Network name: (AP SSID)
            Security: 802.1x EAP
            EAP method: TLS
            CA certificate: Use system certificates
            Domain: domain.com
            User certificate: (test certificate from RADIUS setup)
            Identity: (identity used for RADIUS setup)
TEST: 8)  Verify that we connect successfully to the AP.
TEST: 9)  Verify that connection still succeeds if Domain is set to
          "sub2.domain.com" and "sub1.sub2.domain.com".
TEST: 10) Verify that connection fails if Domain is set to
          "sub0.sub1.domain.com" and "otherdomain.com".
TEST: 11) Verify that network configuration cannot be saved, and an
          warning message "Must specify a domain" is displayed if Domain
          is left blank in the configuration in step 7
TEST: 12) Verify that the "Do not validate" option still appears in the
          CA certificate dropdown menu.

Change-Id: I346d4d301305719033b84ec4599bf3d57d9d4ee5
3 files changed
tree: 6a552431856967a120587242f9e79e78a8c0883e
  1. res/
  2. src/
  3. tests/
  4. Android.mk
  5. AndroidManifest.xml
  6. CleanSpec.mk
  7. MODULE_LICENSE_APACHE2
  8. NOTICE
  9. proguard.flags
  10. wrap_alpha.py