From 3612d3ebc94aa1be984a2a5d8ba77ff7831426f6 Mon Sep 17 00:00:00 2001 From: Jimmy Chen Date: Wed, 24 Jul 2019 11:35:43 +0800 Subject: [PATCH] wifi: support OCSP in Wifi dialog for certifiate-based EAP type Bug: 136720092 Test: tested with OCSP supported profile Change-Id: Ieb0fec5026ea06f88d44361d0c579be2a18ed99a --- res/layout/wifi_dialog.xml | 19 +++++++++++++ res/values/arrays.xml | 8 ++++++ res/values/strings.xml | 2 ++ .../settings/wifi/WifiConfigController.java | 28 +++++++++++++++++++ 4 files changed, 57 insertions(+) diff --git a/res/layout/wifi_dialog.xml b/res/layout/wifi_dialog.xml index b9a910bd2fd..aa2303d581f 100644 --- a/res/layout/wifi_dialog.xml +++ b/res/layout/wifi_dialog.xml @@ -178,6 +178,25 @@ android:prompt="@string/wifi_eap_ca_cert" /> + + + + + + PWD + + + Do not validate + Request certificate status + Require certificate status + Require all non-trusted certificate statuses + + diff --git a/res/values/strings.xml b/res/values/strings.xml index c88eec9f559..15584502afe 100644 --- a/res/values/strings.xml +++ b/res/values/strings.xml @@ -2133,6 +2133,8 @@ Phase 2 authentication CA certificate + + Online Certificate Status Domain diff --git a/src/com/android/settings/wifi/WifiConfigController.java b/src/com/android/settings/wifi/WifiConfigController.java index 68ddb3ca640..78c2f0a7fd1 100644 --- a/src/com/android/settings/wifi/WifiConfigController.java +++ b/src/com/android/settings/wifi/WifiConfigController.java @@ -145,6 +145,7 @@ public class WifiConfigController implements TextWatcher, private Spinner mSecuritySpinner; private Spinner mEapMethodSpinner; private Spinner mEapCaCertSpinner; + private Spinner mEapOcspSpinner; private TextView mEapDomainView; private Spinner mPhase2Spinner; // Associated with mPhase2Spinner, one of mPhase2FullAdapter or mPhase2PeapAdapter 
@@ -759,6 +760,14 @@ public class WifiConfigController implements TextWatcher, + ") should not both be non-null"); } + // Only set OCSP option if there is a valid CA certificate. + if (caCert.equals(mUnspecifiedCertString) + || caCert.equals(mDoNotValidateEapServerString)) { + config.enterpriseConfig.setOcsp(WifiEnterpriseConfig.OCSP_NONE); + } else { + config.enterpriseConfig.setOcsp(mEapOcspSpinner.getSelectedItemPosition()); + } + String clientCert = (String) mEapUserCertSpinner.getSelectedItem(); if (clientCert.equals(mUnspecifiedCertString) || clientCert.equals(mDoNotProvideEapUserCertString)) { @@ -993,6 +1002,7 @@ public class WifiConfigController implements TextWatcher, mPhase2Spinner.setOnItemSelectedListener(this); mEapCaCertSpinner = (Spinner) mView.findViewById(R.id.ca_cert); mEapCaCertSpinner.setOnItemSelectedListener(this); + mEapOcspSpinner = (Spinner) mView.findViewById(R.id.ocsp); mEapDomainView = (TextView) mView.findViewById(R.id.domain); mEapDomainView.addTextChangedListener(this); mEapUserCertSpinner = (Spinner) mView.findViewById(R.id.user_cert); @@ -1034,6 +1044,11 @@ public class WifiConfigController implements TextWatcher, mDoNotValidateEapServerString, false, true); + // To avoid the user connects to a non-secure network unexpectedly, + // request using system trusted certificates by default + // unless the user explicitly chooses "Do not validate" or other + // CA certificates. + setSelection(mEapCaCertSpinner, mUseSystemCertsString); loadCertificates( mEapUserCertSpinner, Credentials.USER_PRIVATE_KEY, @@ -1098,6 +1113,7 @@ public class WifiConfigController implements TextWatcher, setSelection(mEapCaCertSpinner, mMultipleCertSetString); } } + mEapOcspSpinner.setSelection(enterpriseConfig.getOcsp()); mEapDomainView.setText(enterpriseConfig.getDomainSuffixMatch()); String userCert = enterpriseConfig.getClientCertificateAlias(); if (TextUtils.isEmpty(userCert)) { 
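Review bot: `config.enterpriseConfig.setOcsp(mEapOcspSpinner.getSelectedItemPosition())` in the else branch of the @@ -759 hunk stores a spinner index as the OCSP policy, so it is correct only while the order of the OCSP string array added in res/values/arrays.xml matches the numeric values of the WifiEnterpriseConfig OCSP constants, and nothing on either side records that dependency. The reverse assumption is made by `mEapOcspSpinner.setSelection(enterpriseConfig.getOcsp())` in the @@ -1098 hunk and by `mEapOcspSpinner.setSelection(WifiEnterpriseConfig.OCSP_NONE)` in setOcspInvisible() (@@ -1239). Reordering or inserting an array entry would silently change which revocation check a saved network applies. At minimum add `// Spinner position doubles as the WifiEnterpriseConfig OCSP_* value; keep the array order in sync.` here and beside the array, and consider checking that the position is within the known range before calling setOcsp(). The enclosing method starts and ends outside the hunk.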
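Review bot: The added `setSelection(mEapCaCertSpinner, mUseSystemCertsString)` in the @@ -1034 hunk appears to change the CA option the EAP dialog starts with, yet the commit message only mentions OCSP; a default that affects server validation deserves its own line in the description. The comment above it is also hard to parse; suggest `// Default to the system trusted certificates so the user does not join a network without server validation by accident; "Do not validate" or another CA certificate has to be chosen explicitly.` The enclosing method is not visible in the hunk, so it cannot be confirmed from here that this runs only on first initialisation and never after a saved configuration has been restored into the spinner.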
@@ -1143,6 +1159,7 @@ public class WifiConfigController implements TextWatcher, // Defaults for most of the EAP methods and over-riden by // by certain EAP methods mView.findViewById(R.id.l_ca_cert).setVisibility(View.VISIBLE); + mView.findViewById(R.id.l_ocsp).setVisibility(View.VISIBLE); mView.findViewById(R.id.password_layout).setVisibility(View.VISIBLE); mView.findViewById(R.id.show_password_layout).setVisibility(View.VISIBLE); @@ -1151,6 +1168,7 @@ public class WifiConfigController implements TextWatcher, case WIFI_EAP_METHOD_PWD: setPhase2Invisible(); setCaCertInvisible(); + setOcspInvisible(); setDomainInvisible(); setAnonymousIdentInvisible(); setUserCertInvisible(); @@ -1188,6 +1206,7 @@ public class WifiConfigController implements TextWatcher, setPhase2Invisible(); setAnonymousIdentInvisible(); setCaCertInvisible(); + setOcspInvisible(); setDomainInvisible(); setUserCertInvisible(); setPasswordInvisible(); @@ -1205,6 +1224,10 @@ public class WifiConfigController implements TextWatcher, // Domain suffix matching is not relevant if the user hasn't chosen a CA // certificate yet, or chooses not to validate the EAP server. setDomainInvisible(); + // Ocsp is an additional validation step for a server certifidate. + // This field is not relevant if the user hasn't chosen a valid + // CA certificate yet. + setOcspInvisible(); } } } @@ -1239,6 +1262,11 @@ public class WifiConfigController implements TextWatcher, setSelection(mEapCaCertSpinner, mUnspecifiedCertString); } + private void setOcspInvisible() { + mView.findViewById(R.id.l_ocsp).setVisibility(View.GONE); + mEapOcspSpinner.setSelection(WifiEnterpriseConfig.OCSP_NONE); + } + private void setDomainInvisible() { mView.findViewById(R.id.l_domain).setVisibility(View.GONE); mEapDomainView.setText("");
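Review bot: The comment added before `setOcspInvisible()` in the @@ -1205 hunk misspells "certificate" as "certifidate" and writes the acronym as "Ocsp". Suggest `// OCSP is an additional validation step for the server certificate.` as the first line, with the two comment lines after it left as they are. The enclosing if block and method start outside the hunk.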