Google Git
Sign in
android / platform / packages / modules / Wifi / b8435c1b659371ed8088b84d93d5a858872ffb16 / . / service / tests / wifitests / src / com / android / server / wifi / WifiKeyStoreTest.java
blob: 279a35806c8f3a402609323886d63fbf10372fa6 [file] [log] [blame]
/*
* Copyright (C) 2019 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.android.server.wifi;
import static com.android.server.wifi.WifiConfigurationTestUtil.TEST_UID;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assume.assumeTrue;
import static org.mockito.AdditionalMatchers.aryEq;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.validateMockitoUsage;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoMoreInteractions;
import static org.mockito.Mockito.when;
import android.content.Context;
import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiEnterpriseConfig;
import android.os.UserHandle;
import androidx.test.filters.SmallTest;
import com.android.modules.utils.build.SdkLevel;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mock;
import org.mockito.MockitoAnnotations;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
/**
* Unit tests for {@link com.android.server.wifi.WifiConfigManager}.
*/
@SmallTest
public class WifiKeyStoreTest extends WifiBaseTest {
@Mock private WifiEnterpriseConfig mWifiEnterpriseConfig;
@Mock private WifiEnterpriseConfig mExistingWifiEnterpriseConfig;
@Mock private KeyStore mKeyStore;
@Mock private Context mContext;
@Mock private FrameworkFacade mFrameworkFacade;
private WifiKeyStore mWifiKeyStore;
private static final String TEST_KEY_ID = "blah";
private static final String USER_CERT_ALIAS = "aabbccddee";
private static final String USER_CA_CERT_ALIAS = "aacccddd";
private static final String USER_CA_CERT_ALIAS2 = "bbbccccaaa";
private static final String [] USER_CA_CERT_ALIASES = {"aacccddd", "bbbccccaaa"};
private static final String TEST_PACKAGE_NAME = "TestApp";
private static final String KEYCHAIN_ALIAS = "kc-alias";
private static final String KEYCHAIN_KEY_GRANT = "kc-grant";
public static final UserHandle TEST_USER_HANDLE = UserHandle.getUserHandleForUid(TEST_UID);
/**
* Setup the mocks and an instance of WifiConfigManager before each test.
*/
@Before
public void setUp() throws Exception {
MockitoAnnotations.initMocks(this);
mWifiKeyStore = new WifiKeyStore(mContext, mKeyStore, mFrameworkFacade);
when(mWifiEnterpriseConfig.getClientCertificateAlias()).thenReturn(USER_CERT_ALIAS);
when(mWifiEnterpriseConfig.getCaCertificateAlias()).thenReturn(USER_CA_CERT_ALIAS);
when(mWifiEnterpriseConfig.getCaCertificateAliases())
.thenReturn(USER_CA_CERT_ALIASES);
when(mWifiEnterpriseConfig.getClientPrivateKey()).thenReturn(FakeKeys.RSA_KEY1);
when(mWifiEnterpriseConfig.getClientCertificate()).thenReturn(FakeKeys.CLIENT_CERT);
when(mWifiEnterpriseConfig.getCaCertificate()).thenReturn(FakeKeys.CA_CERT0);
when(mWifiEnterpriseConfig.getClientCertificateChain())
.thenReturn(new X509Certificate[] {FakeKeys.CLIENT_CERT});
when(mWifiEnterpriseConfig.getCaCertificates())
.thenReturn(new X509Certificate[] {FakeKeys.CA_CERT0});
when(mWifiEnterpriseConfig.getKeyId(any())).thenReturn(TEST_KEY_ID);
}
/**
* Called after each test
*/
@After
public void cleanup() {
validateMockitoUsage();
}
/**
* Verifies that keys and certs are removed when they were installed by an app.
*/
@Test
public void testRemoveKeysForAppInstalledCerts() throws Exception {
when(mWifiEnterpriseConfig.isAppInstalledDeviceKeyAndCert()).thenReturn(true);
when(mWifiEnterpriseConfig.isAppInstalledCaCert()).thenReturn(true);
mWifiKeyStore.removeKeys(mWifiEnterpriseConfig);
// Method calls the KeyStore#delete method 4 times, user key, user cert, and 2 CA cert
verify(mKeyStore).deleteEntry(USER_CERT_ALIAS);
verify(mKeyStore).deleteEntry(USER_CA_CERT_ALIASES[0]);
}
/**
* Verifies that keys and certs are removed when they were installed by an app and not removed
* when CA certs are installed by the user.
*/
@Test
public void testRemoveKeysForMixedInstalledCerts1() throws Exception {
when(mWifiEnterpriseConfig.isAppInstalledDeviceKeyAndCert()).thenReturn(true);
when(mWifiEnterpriseConfig.isAppInstalledCaCert()).thenReturn(false);
mWifiKeyStore.removeKeys(mWifiEnterpriseConfig);
// Method calls the KeyStore#deleteEntry method: user key and user cert
verify(mKeyStore).deleteEntry(USER_CERT_ALIAS);
verifyNoMoreInteractions(mKeyStore);
}
/**
* Verifies that keys and certs are not removed when they were installed by the user and
* removed when CA certs are installed by the app.
*/
@Test
public void testRemoveKeysForMixedInstalledCerts2() throws Exception {
when(mWifiEnterpriseConfig.isAppInstalledDeviceKeyAndCert()).thenReturn(false);
when(mWifiEnterpriseConfig.isAppInstalledCaCert()).thenReturn(true);
mWifiKeyStore.removeKeys(mWifiEnterpriseConfig);
// Method calls the KeyStore#delete method 2 times: 2 CA certs
verify(mKeyStore).deleteEntry(USER_CA_CERT_ALIASES[0]);
verify(mKeyStore).deleteEntry(USER_CA_CERT_ALIASES[1]);
verifyNoMoreInteractions(mKeyStore);
}
/**
* Verifies that keys and certs are not removed when they were installed by the user.
*/
@Test
public void testRemoveKeysForUserInstalledCerts() {
when(mWifiEnterpriseConfig.isAppInstalledDeviceKeyAndCert()).thenReturn(false);
when(mWifiEnterpriseConfig.isAppInstalledCaCert()).thenReturn(false);
mWifiKeyStore.removeKeys(mWifiEnterpriseConfig);
verifyNoMoreInteractions(mKeyStore);
}
/**
* Verifies that keys and certs are added when they were installed by an app and verifies the
* alias used.
*/
@Test
public void testAddKeysForAppInstalledCerts() throws Exception {
WifiConfiguration config = WifiConfigurationTestUtil.createEapNetwork();
config.enterpriseConfig = mWifiEnterpriseConfig;
assertTrue(mWifiKeyStore.updateNetworkKeys(config, null));
String expectedAlias = config.getKeyIdForCredentials(null);
String expectedCaAlias = expectedAlias + "_0";
// Method calls the KeyStore#delete method 4 times, user key, user cert, and 2 CA cert
verify(mKeyStore).setKeyEntry(
eq(expectedAlias), eq(FakeKeys.RSA_KEY1), eq(null),
aryEq(new X509Certificate[] {FakeKeys.CLIENT_CERT}));
verify(mKeyStore).setCertificateEntry(eq(expectedCaAlias), eq(FakeKeys.CA_CERT0));
verify(mWifiEnterpriseConfig).setClientCertificateAlias(eq(expectedAlias));
verify(mWifiEnterpriseConfig).setCaCertificateAliases(
aryEq(new String[] {expectedCaAlias}));
}
/**
* Add two same network credential one is from user saved, the other is from suggestion.
* Both oh them should be installed successfully and has different alias, and will not override
* each other.
*/
@Test
public void testAddRemoveFromBothSavedAndSuggestionNetwork() throws Exception {
WifiConfiguration savedNetwork = WifiConfigurationTestUtil.createEapNetwork();
WifiConfiguration suggestionNetwork = new WifiConfiguration(savedNetwork);
savedNetwork.enterpriseConfig = mWifiEnterpriseConfig;
suggestionNetwork.enterpriseConfig = mWifiEnterpriseConfig;
suggestionNetwork.fromWifiNetworkSuggestion = true;
suggestionNetwork.creatorName = TEST_PACKAGE_NAME;
assertTrue(mWifiKeyStore.updateNetworkKeys(savedNetwork, null));
assertTrue(mWifiKeyStore.updateNetworkKeys(suggestionNetwork, null));
String savedNetworkAlias = savedNetwork.getKeyIdForCredentials(null);
String savedNetworkCaAlias = savedNetworkAlias + "_0";
String suggestionNetworkAlias = suggestionNetwork.getKeyIdForCredentials(null);
String suggestionNetworkCaAlias = suggestionNetworkAlias + "_0";
assertNotEquals(savedNetworkAlias, suggestionNetworkAlias);
verify(mKeyStore).setKeyEntry(
eq(savedNetworkAlias), eq(FakeKeys.RSA_KEY1), eq(null),
aryEq(new X509Certificate[] {FakeKeys.CLIENT_CERT}));
verify(mKeyStore).setCertificateEntry(eq(savedNetworkCaAlias), eq(FakeKeys.CA_CERT0));
verify(mWifiEnterpriseConfig).setClientCertificateAlias(eq(savedNetworkAlias));
verify(mWifiEnterpriseConfig).setCaCertificateAliases(
aryEq(new String[] {savedNetworkCaAlias}));
verify(mKeyStore).setKeyEntry(
eq(suggestionNetworkAlias), eq(FakeKeys.RSA_KEY1), eq(null),
aryEq(new X509Certificate[] {FakeKeys.CLIENT_CERT}));
verify(mKeyStore).setCertificateEntry(eq(suggestionNetworkCaAlias), eq(FakeKeys.CA_CERT0));
verify(mWifiEnterpriseConfig).setClientCertificateAlias(eq(suggestionNetworkAlias));
verify(mWifiEnterpriseConfig).setCaCertificateAliases(
aryEq(new String[] {suggestionNetworkCaAlias}));
}
@Test
public void test_remove_empty_alias_enterprise_config() throws Exception {
WifiConfiguration savedNetwork = WifiConfigurationTestUtil.createEapNetwork();
WifiConfiguration suggestionNetwork = new WifiConfiguration(savedNetwork);
suggestionNetwork.fromWifiNetworkSuggestion = true;
suggestionNetwork.creatorName = TEST_PACKAGE_NAME;
mWifiKeyStore.removeKeys(savedNetwork.enterpriseConfig);
mWifiKeyStore.removeKeys(suggestionNetwork.enterpriseConfig);
verify(mKeyStore, never()).deleteEntry(any());
}
/**
* Test configuring WPA3-Enterprise in 192-bit mode for RSA 3072 correctly when CA and client
* certificates are of RSA 3072 type and the network is Suite-B.
*/
@Test
public void testConfigureSuiteBRsa3072() throws Exception {
when(mWifiEnterpriseConfig.getCaCertificateAliases())
.thenReturn(new String[]{USER_CA_CERT_ALIAS});
when(mWifiEnterpriseConfig.getClientPrivateKey())
.thenReturn(FakeKeys.CLIENT_SUITE_B_RSA3072_KEY);
when(mWifiEnterpriseConfig.getClientCertificate()).thenReturn(
FakeKeys.CLIENT_SUITE_B_RSA3072_CERT);
when(mWifiEnterpriseConfig.getCaCertificate()).thenReturn(FakeKeys.CA_SUITE_B_RSA3072_CERT);
when(mWifiEnterpriseConfig.getClientCertificateChain())
.thenReturn(new X509Certificate[]{FakeKeys.CLIENT_SUITE_B_RSA3072_CERT});
when(mWifiEnterpriseConfig.getCaCertificates())
.thenReturn(new X509Certificate[]{FakeKeys.CA_SUITE_B_RSA3072_CERT});
when(mKeyStore.getCertificate(eq(USER_CERT_ALIAS))).thenReturn(
FakeKeys.CLIENT_SUITE_B_RSA3072_CERT);
when(mKeyStore.getCertificate(eq(USER_CA_CERT_ALIASES[0]))).thenReturn(
FakeKeys.CA_SUITE_B_RSA3072_CERT);
WifiConfiguration savedNetwork = WifiConfigurationTestUtil.createEapSuiteBNetwork(
WifiConfiguration.SuiteBCipher.ECDHE_RSA);
savedNetwork.enterpriseConfig = mWifiEnterpriseConfig;
assertTrue(mWifiKeyStore.updateNetworkKeys(savedNetwork, null));
assertTrue(savedNetwork.allowedSuiteBCiphers.get(WifiConfiguration.SuiteBCipher.ECDHE_RSA));
}
/**
* Test configuring WPA3-Enterprise in 192-bit mode for ECDSA correctly when CA and client
* certificates are of ECDSA type and the network is Suite-B.
*/
@Test
public void testConfigureSuiteBEcdsa() throws Exception {
when(mWifiEnterpriseConfig.getCaCertificateAliases())
.thenReturn(new String[]{USER_CA_CERT_ALIAS});
when(mWifiEnterpriseConfig.getClientPrivateKey())
.thenReturn(FakeKeys.CLIENT_SUITE_B_ECC_KEY);
when(mWifiEnterpriseConfig.getClientCertificate()).thenReturn(
FakeKeys.CLIENT_SUITE_B_ECDSA_CERT);
when(mWifiEnterpriseConfig.getCaCertificate()).thenReturn(FakeKeys.CA_SUITE_B_ECDSA_CERT);
when(mWifiEnterpriseConfig.getClientCertificateChain())
.thenReturn(new X509Certificate[]{FakeKeys.CLIENT_SUITE_B_ECDSA_CERT});
when(mWifiEnterpriseConfig.getCaCertificates())
.thenReturn(new X509Certificate[]{FakeKeys.CA_SUITE_B_ECDSA_CERT});
when(mKeyStore.getCertificate(eq(USER_CERT_ALIAS))).thenReturn(
FakeKeys.CLIENT_SUITE_B_ECDSA_CERT);
when(mKeyStore.getCertificate(eq(USER_CA_CERT_ALIASES[0]))).thenReturn(
FakeKeys.CA_SUITE_B_ECDSA_CERT);
WifiConfiguration savedNetwork = WifiConfigurationTestUtil.createEapSuiteBNetwork(
WifiConfiguration.SuiteBCipher.ECDHE_ECDSA);
savedNetwork.enterpriseConfig = mWifiEnterpriseConfig;
assertTrue(mWifiKeyStore.updateNetworkKeys(savedNetwork, null));
assertTrue(
savedNetwork.allowedSuiteBCiphers.get(WifiConfiguration.SuiteBCipher.ECDHE_ECDSA));
}
/**
* Test configuring WPA3-Enterprise in 192-bit mode for RSA 3072 fails when CA and client
* certificates are not of the same type.
*/
@Test
public void testConfigurationFailureSuiteB() throws Exception {
// Create a configuration with RSA client cert and ECDSA CA cert
when(mWifiEnterpriseConfig.getClientPrivateKey())
.thenReturn(FakeKeys.CLIENT_SUITE_B_RSA3072_KEY);
when(mWifiEnterpriseConfig.getClientCertificate()).thenReturn(
FakeKeys.CLIENT_SUITE_B_RSA3072_CERT);
when(mWifiEnterpriseConfig.getCaCertificate()).thenReturn(FakeKeys.CA_SUITE_B_ECDSA_CERT);
when(mWifiEnterpriseConfig.getClientCertificateChain())
.thenReturn(new X509Certificate[]{FakeKeys.CLIENT_SUITE_B_RSA3072_CERT});
when(mWifiEnterpriseConfig.getCaCertificates())
.thenReturn(new X509Certificate[]{FakeKeys.CA_SUITE_B_ECDSA_CERT});
when(mKeyStore.getCertificate(eq(USER_CERT_ALIAS))).thenReturn(
FakeKeys.CLIENT_SUITE_B_RSA3072_CERT);
when(mKeyStore.getCertificate(eq(USER_CA_CERT_ALIASES[0]))).thenReturn(
FakeKeys.CA_SUITE_B_ECDSA_CERT);
WifiConfiguration savedNetwork = WifiConfigurationTestUtil.createEapSuiteBNetwork(
WifiConfiguration.SuiteBCipher.ECDHE_ECDSA);
savedNetwork.enterpriseConfig = mWifiEnterpriseConfig;
assertFalse(mWifiKeyStore.updateNetworkKeys(savedNetwork, null));
}
/**
* Test configuring WPA3-Enterprise in 192-bit mode for RSA 3072 fails when CA is RSA but not
* with the required security
*/
@Test
public void testConfigurationFailureSuiteBNon3072Rsa() throws Exception {
// Create a configuration with RSA client cert and weak RSA CA cert
when(mWifiEnterpriseConfig.getClientPrivateKey())
.thenReturn(FakeKeys.CLIENT_SUITE_B_RSA3072_KEY);
when(mWifiEnterpriseConfig.getClientCertificate()).thenReturn(
FakeKeys.CLIENT_SUITE_B_RSA3072_CERT);
when(mWifiEnterpriseConfig.getCaCertificate()).thenReturn(FakeKeys.CA_CERT0);
when(mWifiEnterpriseConfig.getClientCertificateChain())
.thenReturn(new X509Certificate[]{FakeKeys.CLIENT_SUITE_B_RSA3072_CERT});
when(mWifiEnterpriseConfig.getCaCertificates())
.thenReturn(new X509Certificate[]{FakeKeys.CA_CERT0});
when(mKeyStore.getCertificate(eq(USER_CERT_ALIAS))).thenReturn(
FakeKeys.CLIENT_SUITE_B_RSA3072_CERT);
when(mKeyStore.getCertificate(eq(USER_CA_CERT_ALIASES[0]))).thenReturn(
FakeKeys.CA_CERT0);
WifiConfiguration savedNetwork = WifiConfigurationTestUtil.createEapSuiteBNetwork(
WifiConfiguration.SuiteBCipher.ECDHE_RSA);
savedNetwork.enterpriseConfig = mWifiEnterpriseConfig;
assertFalse(mWifiKeyStore.updateNetworkKeys(savedNetwork, null));
}
/**
* Test configuring WPA3-Enterprise in 192-bit mode for RSA 3072 fails when a client certificate
* key length is less than 3072 bits
*/
@Test
public void testConfigurationFailureSuiteB2048Rsa() throws Exception {
when(mWifiEnterpriseConfig.getCaCertificateAliases())
.thenReturn(new String[]{USER_CA_CERT_ALIAS});
when(mWifiEnterpriseConfig.getClientPrivateKey())
.thenReturn(FakeKeys.CLIENT_BAD_SUITE_B_RSA2048_KEY);
when(mWifiEnterpriseConfig.getClientCertificate()).thenReturn(
FakeKeys.CLIENT_SUITE_B_RSA3072_CERT);
when(mWifiEnterpriseConfig.getCaCertificate()).thenReturn(FakeKeys.CA_SUITE_B_RSA3072_CERT);
when(mWifiEnterpriseConfig.getClientCertificateChain())
.thenReturn(new X509Certificate[]{FakeKeys.CLIENT_BAD_SUITE_B_RSA2048_CERT});
when(mWifiEnterpriseConfig.getCaCertificates())
.thenReturn(new X509Certificate[]{FakeKeys.CA_SUITE_B_RSA3072_CERT});
when(mKeyStore.getCertificate(eq(USER_CERT_ALIAS))).thenReturn(
FakeKeys.CLIENT_BAD_SUITE_B_RSA2048_CERT);
when(mKeyStore.getCertificate(eq(USER_CA_CERT_ALIASES[0]))).thenReturn(
FakeKeys.CA_SUITE_B_RSA3072_CERT);
WifiConfiguration savedNetwork = WifiConfigurationTestUtil.createEapSuiteBNetwork(
WifiConfiguration.SuiteBCipher.ECDHE_RSA);
savedNetwork.enterpriseConfig = mWifiEnterpriseConfig;
assertFalse(mWifiKeyStore.updateNetworkKeys(savedNetwork, null));
}
/**
* Test configuring WPA3-Enterprise in 192-bit mode for RSA 3072 fails when one CA in the list
* is RSA but not with the required security
*/
@Test
public void testConfigurationFailureSuiteBNon3072RsaInList() throws Exception {
// Create a configuration with RSA client cert and weak RSA CA cert
when(mWifiEnterpriseConfig.getClientPrivateKey())
.thenReturn(FakeKeys.CLIENT_SUITE_B_RSA3072_KEY);
when(mWifiEnterpriseConfig.getClientCertificate()).thenReturn(
FakeKeys.CLIENT_SUITE_B_RSA3072_CERT);
when(mWifiEnterpriseConfig.getCaCertificate()).thenReturn(FakeKeys.CA_SUITE_B_RSA3072_CERT);
when(mWifiEnterpriseConfig.getClientCertificateChain())
.thenReturn(new X509Certificate[]{FakeKeys.CLIENT_SUITE_B_RSA3072_CERT});
when(mWifiEnterpriseConfig.getCaCertificates())
.thenReturn(
new X509Certificate[]{FakeKeys.CA_SUITE_B_RSA3072_CERT, FakeKeys.CA_CERT0});
when(mKeyStore.getCertificate(eq(USER_CERT_ALIAS))).thenReturn(
FakeKeys.CLIENT_SUITE_B_RSA3072_CERT);
when(mKeyStore.getCertificate(eq(USER_CA_CERT_ALIASES[0]))).thenReturn(
FakeKeys.CA_SUITE_B_RSA3072_CERT);
when(mKeyStore.getCertificate(eq(USER_CA_CERT_ALIASES[1]))).thenReturn(
FakeKeys.CA_CERT0);
when(mWifiEnterpriseConfig.getCaCertificateAliases())
.thenReturn(USER_CA_CERT_ALIASES);
WifiConfiguration savedNetwork = WifiConfigurationTestUtil.createEapSuiteBNetwork(
WifiConfiguration.SuiteBCipher.ECDHE_RSA);
savedNetwork.enterpriseConfig = mWifiEnterpriseConfig;
assertFalse(mWifiKeyStore.updateNetworkKeys(savedNetwork, null));
}
/**
* Test configuring WPA3-Enterprise in 192-bit mode for RSA 3072 fails when one CA in the list
* is RSA and the other is ECDSA
*/
@Test
public void testConfigurationFailureSuiteBRsaAndEcdsaInList() throws Exception {
// Create a configuration with RSA client cert and weak RSA CA cert
when(mWifiEnterpriseConfig.getClientPrivateKey())
.thenReturn(FakeKeys.CLIENT_SUITE_B_RSA3072_KEY);
when(mWifiEnterpriseConfig.getClientCertificate()).thenReturn(
FakeKeys.CLIENT_SUITE_B_RSA3072_CERT);
when(mWifiEnterpriseConfig.getCaCertificate()).thenReturn(FakeKeys.CA_SUITE_B_RSA3072_CERT);
when(mWifiEnterpriseConfig.getClientCertificateChain())
.thenReturn(new X509Certificate[]{FakeKeys.CLIENT_SUITE_B_RSA3072_CERT});
when(mWifiEnterpriseConfig.getCaCertificates())
.thenReturn(
new X509Certificate[]{FakeKeys.CA_SUITE_B_RSA3072_CERT,
FakeKeys.CA_SUITE_B_ECDSA_CERT});
when(mKeyStore.getCertificate(eq(USER_CERT_ALIAS))).thenReturn(
FakeKeys.CLIENT_SUITE_B_RSA3072_CERT);
when(mKeyStore.getCertificate(eq(USER_CA_CERT_ALIASES[0]))).thenReturn(
FakeKeys.CA_SUITE_B_RSA3072_CERT);
when(mKeyStore.getCertificate(eq(USER_CA_CERT_ALIASES[1]))).thenReturn(
FakeKeys.CA_SUITE_B_ECDSA_CERT);
when(mWifiEnterpriseConfig.getCaCertificateAliases())
.thenReturn(USER_CA_CERT_ALIASES);
WifiConfiguration savedNetwork = WifiConfigurationTestUtil.createEapSuiteBNetwork(
WifiConfiguration.SuiteBCipher.ECDHE_RSA);
savedNetwork.enterpriseConfig = mWifiEnterpriseConfig;
assertFalse(mWifiKeyStore.updateNetworkKeys(savedNetwork, null));
}
/**
* Test configuring WPA3-Enterprise in 192-bit mode for ECDSA fails when a client
* certificate key bit length is less than 384 bits.
*/
@Test
public void testConfigureFailureSuiteBEcdsa256() throws Exception {
when(mWifiEnterpriseConfig.getCaCertificateAliases())
.thenReturn(new String[]{USER_CA_CERT_ALIAS});
when(mWifiEnterpriseConfig.getClientPrivateKey())
.thenReturn(FakeKeys.CLIENT_BAD_SUITE_B_ECC_256_KEY);
when(mWifiEnterpriseConfig.getClientCertificate()).thenReturn(
FakeKeys.CLIENT_BAD_SUITE_B_ECDSA_256_CERT);
when(mWifiEnterpriseConfig.getCaCertificate()).thenReturn(FakeKeys.CA_SUITE_B_ECDSA_CERT);
when(mWifiEnterpriseConfig.getClientCertificateChain())
.thenReturn(new X509Certificate[]{FakeKeys.CLIENT_BAD_SUITE_B_ECDSA_256_CERT});
when(mWifiEnterpriseConfig.getCaCertificates())
.thenReturn(new X509Certificate[]{FakeKeys.CA_SUITE_B_ECDSA_CERT});
when(mKeyStore.getCertificate(eq(USER_CERT_ALIAS))).thenReturn(
FakeKeys.CLIENT_BAD_SUITE_B_ECDSA_256_CERT);
when(mKeyStore.getCertificate(eq(USER_CA_CERT_ALIASES[0]))).thenReturn(
FakeKeys.CA_SUITE_B_ECDSA_CERT);
WifiConfiguration savedNetwork = WifiConfigurationTestUtil.createEapSuiteBNetwork(
WifiConfiguration.SuiteBCipher.ECDHE_ECDSA);
savedNetwork.enterpriseConfig = mWifiEnterpriseConfig;
assertFalse(mWifiKeyStore.updateNetworkKeys(savedNetwork, null));
}
/**
* Test to confirm that old CA alias was removed only if the certificate was installed
* by the app.
*/
@Test
public void testConfirmCaCertAliasRemoved() throws Exception {
when(mWifiEnterpriseConfig.getCaCertificateAliases())
.thenReturn(new String[]{USER_CA_CERT_ALIAS});
when(mWifiEnterpriseConfig.getClientPrivateKey())
.thenReturn(FakeKeys.CLIENT_SUITE_B_RSA3072_KEY);
when(mWifiEnterpriseConfig.getClientCertificate()).thenReturn(
FakeKeys.CLIENT_SUITE_B_RSA3072_CERT);
when(mWifiEnterpriseConfig.getCaCertificate()).thenReturn(FakeKeys.CA_SUITE_B_RSA3072_CERT);
when(mWifiEnterpriseConfig.getClientCertificateChain())
.thenReturn(new X509Certificate[]{FakeKeys.CLIENT_SUITE_B_RSA3072_CERT});
when(mWifiEnterpriseConfig.getCaCertificates())
.thenReturn(new X509Certificate[]{FakeKeys.CA_SUITE_B_RSA3072_CERT});
when(mWifiEnterpriseConfig.isAppInstalledCaCert()).thenReturn(true);
when(mKeyStore.getCertificate(eq(USER_CERT_ALIAS))).thenReturn(
FakeKeys.CLIENT_SUITE_B_RSA3072_CERT);
when(mKeyStore.getCertificate(eq(USER_CA_CERT_ALIASES[0]))).thenReturn(
FakeKeys.CA_SUITE_B_RSA3072_CERT);
WifiConfiguration savedNetwork = WifiConfigurationTestUtil.createEapSuiteBNetwork(
WifiConfiguration.SuiteBCipher.ECDHE_RSA);
savedNetwork.enterpriseConfig = mWifiEnterpriseConfig;
mExistingWifiEnterpriseConfig = mWifiEnterpriseConfig;
when(mExistingWifiEnterpriseConfig.getCaCertificateAliases())
.thenReturn(new String[]{USER_CA_CERT_ALIAS2});
WifiConfiguration existingNetwork = savedNetwork;
when(mKeyStore.getCertificate(eq(USER_CA_CERT_ALIASES[1]))).thenReturn(
FakeKeys.CA_SUITE_B_RSA3072_CERT);
existingNetwork.enterpriseConfig = mExistingWifiEnterpriseConfig;
assertTrue(mWifiKeyStore.updateNetworkKeys(savedNetwork, existingNetwork));
verify(mKeyStore).deleteEntry(eq(USER_CA_CERT_ALIAS2));
}
/**
* Test to confirm that old CA alias was not removed when the certificate was not installed
* by the app.
*/
@Test
public void testConfirmCaCertAliasNotRemoved() throws Exception {
when(mWifiEnterpriseConfig.getCaCertificateAliases())
.thenReturn(new String[]{USER_CA_CERT_ALIAS});
when(mWifiEnterpriseConfig.getClientPrivateKey())
.thenReturn(FakeKeys.CLIENT_SUITE_B_RSA3072_KEY);
when(mWifiEnterpriseConfig.getClientCertificate()).thenReturn(
FakeKeys.CLIENT_SUITE_B_RSA3072_CERT);
when(mWifiEnterpriseConfig.getCaCertificate()).thenReturn(FakeKeys.CA_SUITE_B_RSA3072_CERT);
when(mWifiEnterpriseConfig.getClientCertificateChain())
.thenReturn(new X509Certificate[]{FakeKeys.CLIENT_SUITE_B_RSA3072_CERT});
when(mWifiEnterpriseConfig.getCaCertificates())
.thenReturn(new X509Certificate[]{FakeKeys.CA_SUITE_B_RSA3072_CERT});
when(mWifiEnterpriseConfig.isAppInstalledCaCert()).thenReturn(false);
when(mKeyStore.getCertificate(eq(USER_CERT_ALIAS))).thenReturn(
FakeKeys.CLIENT_SUITE_B_RSA3072_CERT);
when(mKeyStore.getCertificate(eq(USER_CA_CERT_ALIASES[0]))).thenReturn(
FakeKeys.CA_SUITE_B_RSA3072_CERT);
WifiConfiguration savedNetwork = WifiConfigurationTestUtil.createEapSuiteBNetwork(
WifiConfiguration.SuiteBCipher.ECDHE_RSA);
savedNetwork.enterpriseConfig = mWifiEnterpriseConfig;
mExistingWifiEnterpriseConfig = mWifiEnterpriseConfig;
when(mExistingWifiEnterpriseConfig.getCaCertificateAliases())
.thenReturn(new String[]{USER_CA_CERT_ALIAS2});
WifiConfiguration existingNetwork = savedNetwork;
when(mKeyStore.getCertificate(eq(USER_CA_CERT_ALIASES[1]))).thenReturn(
FakeKeys.CA_SUITE_B_RSA3072_CERT);
existingNetwork.enterpriseConfig = mExistingWifiEnterpriseConfig;
assertTrue(mWifiKeyStore.updateNetworkKeys(savedNetwork, existingNetwork));
verify(mKeyStore, never()).deleteEntry(eq(USER_CA_CERT_ALIAS2));
}
/**
* Test to confirm that old client certificate alias was removed only if the certificate was
* installed by the app.
*/
@Test
public void testConfirmClientCertAliasRemoved() throws Exception {
when(mWifiEnterpriseConfig.getCaCertificateAliases())
.thenReturn(new String[]{USER_CA_CERT_ALIAS});
when(mWifiEnterpriseConfig.getClientPrivateKey())
.thenReturn(FakeKeys.CLIENT_SUITE_B_RSA3072_KEY);
when(mWifiEnterpriseConfig.getClientCertificate()).thenReturn(
FakeKeys.CLIENT_SUITE_B_RSA3072_CERT);
when(mWifiEnterpriseConfig.getCaCertificate()).thenReturn(FakeKeys.CA_SUITE_B_RSA3072_CERT);
when(mWifiEnterpriseConfig.getClientCertificateChain())
.thenReturn(new X509Certificate[]{FakeKeys.CLIENT_SUITE_B_RSA3072_CERT});
when(mWifiEnterpriseConfig.getCaCertificates())
.thenReturn(new X509Certificate[]{FakeKeys.CA_SUITE_B_RSA3072_CERT});
when(mWifiEnterpriseConfig.isAppInstalledDeviceKeyAndCert()).thenReturn(true);
when(mKeyStore.getCertificate(eq(USER_CERT_ALIAS))).thenReturn(
FakeKeys.CLIENT_SUITE_B_RSA3072_CERT);
when(mKeyStore.getCertificate(eq(USER_CA_CERT_ALIASES[0]))).thenReturn(
FakeKeys.CA_SUITE_B_RSA3072_CERT);
WifiConfiguration savedNetwork = WifiConfigurationTestUtil.createEapSuiteBNetwork(
WifiConfiguration.SuiteBCipher.ECDHE_RSA);
savedNetwork.enterpriseConfig = mWifiEnterpriseConfig;
mExistingWifiEnterpriseConfig = mWifiEnterpriseConfig;
when(mExistingWifiEnterpriseConfig.getCaCertificateAliases())
.thenReturn(new String[]{USER_CA_CERT_ALIAS2});
WifiConfiguration existingNetwork = WifiConfigurationTestUtil.createEapSuiteBNetwork(
WifiConfiguration.SuiteBCipher.ECDHE_RSA);
when(mKeyStore.getCertificate(eq(USER_CA_CERT_ALIASES[1]))).thenReturn(
FakeKeys.CA_SUITE_B_RSA3072_CERT);
existingNetwork.enterpriseConfig = mExistingWifiEnterpriseConfig;
assertTrue(mWifiKeyStore.updateNetworkKeys(savedNetwork, existingNetwork));
verify(mKeyStore).deleteEntry(eq(existingNetwork.getKeyIdForCredentials(existingNetwork)));
}
/**
* Test to confirm that old client certificate alias was not removed if the certificate was not
* installed by the app.
*/
@Test
public void testConfirmClientCertAliasNotRemoved() throws Exception {
when(mWifiEnterpriseConfig.getCaCertificateAliases())
.thenReturn(new String[]{USER_CA_CERT_ALIAS});
when(mWifiEnterpriseConfig.getClientPrivateKey())
.thenReturn(FakeKeys.CLIENT_SUITE_B_RSA3072_KEY);
when(mWifiEnterpriseConfig.getClientCertificate()).thenReturn(
FakeKeys.CLIENT_SUITE_B_RSA3072_CERT);
when(mWifiEnterpriseConfig.getCaCertificate()).thenReturn(FakeKeys.CA_SUITE_B_RSA3072_CERT);
when(mWifiEnterpriseConfig.getClientCertificateChain())
.thenReturn(new X509Certificate[]{FakeKeys.CLIENT_SUITE_B_RSA3072_CERT});
when(mWifiEnterpriseConfig.getCaCertificates())
.thenReturn(new X509Certificate[]{FakeKeys.CA_SUITE_B_RSA3072_CERT});
when(mWifiEnterpriseConfig.isAppInstalledDeviceKeyAndCert()).thenReturn(false);
when(mKeyStore.getCertificate(eq(USER_CERT_ALIAS))).thenReturn(
FakeKeys.CLIENT_SUITE_B_RSA3072_CERT);
when(mKeyStore.getCertificate(eq(USER_CA_CERT_ALIASES[0]))).thenReturn(
FakeKeys.CA_SUITE_B_RSA3072_CERT);
WifiConfiguration savedNetwork = WifiConfigurationTestUtil.createEapSuiteBNetwork(
WifiConfiguration.SuiteBCipher.ECDHE_RSA);
savedNetwork.enterpriseConfig = mWifiEnterpriseConfig;
mExistingWifiEnterpriseConfig = mWifiEnterpriseConfig;
when(mExistingWifiEnterpriseConfig.getCaCertificateAliases())
.thenReturn(new String[]{USER_CA_CERT_ALIAS2});
WifiConfiguration existingNetwork = WifiConfigurationTestUtil.createEapSuiteBNetwork(
WifiConfiguration.SuiteBCipher.ECDHE_RSA);
when(mKeyStore.getCertificate(eq(USER_CA_CERT_ALIASES[1]))).thenReturn(
FakeKeys.CA_SUITE_B_RSA3072_CERT);
existingNetwork.enterpriseConfig = mExistingWifiEnterpriseConfig;
assertTrue(mWifiKeyStore.updateNetworkKeys(savedNetwork, existingNetwork));
verify(mKeyStore, never()).deleteEntry(eq(USER_CERT_ALIAS));
}
@Test
public void testUpdateKeysKeyChainAliasNotGranted() {
assumeTrue(SdkLevel.isAtLeastS());
final WifiConfiguration config = WifiConfigurationTestUtil.createEapNetwork();
when(mWifiEnterpriseConfig.getClientKeyPairAliasInternal()).thenReturn(KEYCHAIN_ALIAS);
when(mFrameworkFacade.getWifiKeyGrantAsUser(
any(Context.class), any(UserHandle.class), any(String.class))).thenReturn(null);
config.enterpriseConfig = mWifiEnterpriseConfig;
assertFalse(mWifiKeyStore.updateNetworkKeys(config, null));
}
@Test
public void testUpdateKeysKeyChainAliasGranted() {
assumeTrue(SdkLevel.isAtLeastS());
final WifiConfiguration config = WifiConfigurationTestUtil.createEapNetwork();
when(mWifiEnterpriseConfig.getClientKeyPairAliasInternal()).thenReturn(KEYCHAIN_ALIAS);
when(mFrameworkFacade.getWifiKeyGrantAsUser(
any(Context.class), eq(TEST_USER_HANDLE), eq(KEYCHAIN_ALIAS)))
.thenReturn(KEYCHAIN_KEY_GRANT);
config.enterpriseConfig = mWifiEnterpriseConfig;
assertTrue(mWifiKeyStore.updateNetworkKeys(config, null));
verify(mWifiEnterpriseConfig).setClientCertificateAlias(eq(KEYCHAIN_KEY_GRANT));
}
@Test
public void testValidateKeyChainAliasNotGranted() {
assumeTrue(SdkLevel.isAtLeastS());
when(mFrameworkFacade.hasWifiKeyGrantAsUser(
any(Context.class), any(UserHandle.class), any(String.class))).thenReturn(false);
assertFalse(mWifiKeyStore.validateKeyChainAlias(KEYCHAIN_ALIAS, TEST_UID));
}
@Test
public void testValidateKeyChainAliasEmpty() {
assumeTrue(SdkLevel.isAtLeastS());
when(mFrameworkFacade.hasWifiKeyGrantAsUser(
any(Context.class), any(UserHandle.class), any(String.class))).thenReturn(true);
assertFalse(mWifiKeyStore.validateKeyChainAlias("", TEST_UID));
}
@Test
public void testValidateKeyChainAliasGranted() {
assumeTrue(SdkLevel.isAtLeastS());
when(mFrameworkFacade.hasWifiKeyGrantAsUser(
any(Context.class), eq(TEST_USER_HANDLE), eq(KEYCHAIN_ALIAS))).thenReturn(true);
assertTrue(mWifiKeyStore.validateKeyChainAlias(KEYCHAIN_ALIAS, TEST_UID));
}
}