[TOFU] Validate full cert chains before displaying dialog
When a full chain including a Root CA is provided by the server,
perform a full validation of the chain before displaying the
TOFU dialog.
If validation passes: Display a TOFU dialog and ask the user if
they trust this network. Saying yes means that the Root can be
installed safely for that network. They might say no - this is
possible if an attacker creates a full chain they control which
results in a different SHA-256 (everything else looks correct).
If they say no, we stop the connection.
If validation fails: Display an error message saying that the
validation failed, we stop the connection and won't display the
TOFU dialog.
Use server certificate pinning for servers that send only a leaf
or a partial chain with no Root CA.
Additionally: clean up the debug logs to reduce the noise and
focus only on the important details.
Bug: 277824547
Test: atest InsecureEapNetworkHandler
Test: Connect to various Enterprise networks
Negative test: Confirm verification fails for invalid chains
Merged-In: Ic27571be885997f9d5ce001aba1034034ec03a32
Change-Id: I052c1fb25b8d3517155cfc2e5978bd8f2b67efc5
3 files changed
