Merge "wifi: support OCSP in Wifi dialog for certifiate-based EAP type"

res/layout/wifi_dialog.xml

@@ -178,6 +178,25 @@
                             android:prompt="@string/wifi_eap_ca_cert" />
                 </LinearLayout>
 
+                <LinearLayout android:id="@+id/l_ocsp"
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        android:visibility="gone"
+                        style="@style/wifi_item" >
+                    <TextView
+                            android:layout_width="wrap_content"
+                            android:layout_height="wrap_content"
+                            style="@style/wifi_item_label"
+                            android:text="@string/wifi_eap_ocsp" />
+
+                    <Spinner android:id="@+id/ocsp"
+                            android:layout_width="match_parent"
+                            android:layout_height="wrap_content"
+                            style="@style/wifi_item_spinner"
+                            android:prompt="@string/wifi_eap_ocsp"
+                            android:entries="@array/eap_ocsp_type" />
+                </LinearLayout>
+
                 <LinearLayout android:id="@+id/no_ca_cert_warning"
                         android:layout_width="match_parent"
                         android:layout_height="wrap_content"

res/values/arrays.xml

@@ -258,6 +258,14 @@
         <item>PWD</item>
     </string-array>
 
+    <!-- Type of OCSP -->
+    <string-array name="eap_ocsp_type" translatable="true">
+        <item>Do not validate</item>
+        <item>Request certificate status</item>
+        <item>Require certificate status</item>
+        <item>Require all non-trusted certificate statuses</item>
+    </string-array>
+
    <!-- Wi-Fi AP band settings.  Either Auto, 2.4GHz or 5GHz. -->
    <!-- Note that adding/removing/moving the items will need wifi settings code change. -->
     <string-array translatable="false" name="wifi_ap_band_config_full">

res/values/strings.xml

@@ -2137,6 +2137,8 @@
     <string name="please_select_phase2">Phase 2 authentication</string>
     <!-- Label for the EAP CA certificate of the network -->
     <string name="wifi_eap_ca_cert">CA certificate</string>
+    <!-- Label for the OCSP type of the network. [CHAR LIMIT=32] -->
+    <string name="wifi_eap_ocsp">Online Certificate Status</string>
     <!-- Label for the domain name that the EAP CA certificate(s) can be used to validate. -->
     <string name="wifi_eap_domain">Domain</string>
     <!-- Label for the EAP user certificate of the network -->

src/com/android/settings/wifi/WifiConfigController.java

@@ -146,6 +146,7 @@ public class WifiConfigController implements TextWatcher,
     private Spinner mSecuritySpinner;
     private Spinner mEapMethodSpinner;
     private Spinner mEapCaCertSpinner;
+    private Spinner mEapOcspSpinner;
     private TextView mEapDomainView;
     private Spinner mPhase2Spinner;
     // Associated with mPhase2Spinner, one of mPhase2FullAdapter or mPhase2PeapAdapter
@@ -760,6 +761,14 @@ public class WifiConfigController implements TextWatcher,
                             + ") should not both be non-null");
                 }
 
+                // Only set OCSP option if there is a valid CA certificate.
+                if (caCert.equals(mUnspecifiedCertString)
+                        || caCert.equals(mDoNotValidateEapServerString)) {
+                    config.enterpriseConfig.setOcsp(WifiEnterpriseConfig.OCSP_NONE);
+                } else {
+                    config.enterpriseConfig.setOcsp(mEapOcspSpinner.getSelectedItemPosition());
+                }
+
                 String clientCert = (String) mEapUserCertSpinner.getSelectedItem();
                 if (clientCert.equals(mUnspecifiedCertString)
                         || clientCert.equals(mDoNotProvideEapUserCertString)) {
@@ -1019,6 +1028,7 @@ public class WifiConfigController implements TextWatcher,
             mPhase2Spinner.setOnItemSelectedListener(this);
             mEapCaCertSpinner = (Spinner) mView.findViewById(R.id.ca_cert);
             mEapCaCertSpinner.setOnItemSelectedListener(this);
+            mEapOcspSpinner = (Spinner) mView.findViewById(R.id.ocsp);
             mEapDomainView = (TextView) mView.findViewById(R.id.domain);
             mEapDomainView.addTextChangedListener(this);
             mEapUserCertSpinner = (Spinner) mView.findViewById(R.id.user_cert);
@@ -1060,6 +1070,11 @@ public class WifiConfigController implements TextWatcher,
                     mDoNotValidateEapServerString,
                     false,
                     true);
+            // To avoid the user connects to a non-secure network unexpectedly,
+            // request using system trusted certificates by default
+            // unless the user explicitly chooses "Do not validate" or other
+            // CA certificates.
+            setSelection(mEapCaCertSpinner, mUseSystemCertsString);
             loadCertificates(
                     mEapUserCertSpinner,
                     Credentials.USER_PRIVATE_KEY,
@@ -1124,6 +1139,7 @@ public class WifiConfigController implements TextWatcher,
                     setSelection(mEapCaCertSpinner, mMultipleCertSetString);
                 }
             }
+            mEapOcspSpinner.setSelection(enterpriseConfig.getOcsp());
             mEapDomainView.setText(enterpriseConfig.getDomainSuffixMatch());
             String userCert = enterpriseConfig.getClientCertificateAlias();
             if (TextUtils.isEmpty(userCert)) {
@@ -1169,6 +1185,7 @@ public class WifiConfigController implements TextWatcher,
         // Defaults for most of the EAP methods and over-riden by
         // by certain EAP methods
         mView.findViewById(R.id.l_ca_cert).setVisibility(View.VISIBLE);
+        mView.findViewById(R.id.l_ocsp).setVisibility(View.VISIBLE);
         mView.findViewById(R.id.password_layout).setVisibility(View.VISIBLE);
         mView.findViewById(R.id.show_password_layout).setVisibility(View.VISIBLE);
 
@@ -1177,6 +1194,7 @@ public class WifiConfigController implements TextWatcher,
             case WIFI_EAP_METHOD_PWD:
                 setPhase2Invisible();
                 setCaCertInvisible();
+                setOcspInvisible();
                 setDomainInvisible();
                 setAnonymousIdentInvisible();
                 setUserCertInvisible();
@@ -1214,6 +1232,7 @@ public class WifiConfigController implements TextWatcher,
                 setPhase2Invisible();
                 setAnonymousIdentInvisible();
                 setCaCertInvisible();
+                setOcspInvisible();
                 setDomainInvisible();
                 setUserCertInvisible();
                 setPasswordInvisible();
@@ -1231,6 +1250,10 @@ public class WifiConfigController implements TextWatcher,
                 // Domain suffix matching is not relevant if the user hasn't chosen a CA
                 // certificate yet, or chooses not to validate the EAP server.
                 setDomainInvisible();
+                // Ocsp is an additional validation step for a server certifidate.
+                // This field is not relevant if the user hasn't chosen a valid
+                // CA certificate yet.
+                setOcspInvisible();
             }
         }
     }
@@ -1265,6 +1288,11 @@ public class WifiConfigController implements TextWatcher,
         setSelection(mEapCaCertSpinner, mUnspecifiedCertString);
     }
 
+    private void setOcspInvisible() {
+        mView.findViewById(R.id.l_ocsp).setVisibility(View.GONE);
+        mEapOcspSpinner.setSelection(WifiEnterpriseConfig.OCSP_NONE);
+    }
+
     private void setDomainInvisible() {
         mView.findViewById(R.id.l_domain).setVisibility(View.GONE);
         mEapDomainView.setText("");