wifi: support OCSP in Wifi dialog for certifiate-based EAP type

Bug: 136720092 Test: tested with OCSP supported profile Change-Id: Ieb0fec5026ea06f88d44361d0c579be2a18ed99a
2019-07-24 11:35:43 +08:00
parent 2cce2150c6
commit 3612d3ebc9
4 changed files with 57 additions and 0 deletions
--- a/res/layout/wifi_dialog.xml
+++ b/res/layout/wifi_dialog.xml
@@ -178,6 +178,25 @@
                            android:prompt="@string/wifi_eap_ca_cert" />
                </LinearLayout>

+                <LinearLayout android:id="@+id/l_ocsp"
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        android:visibility="gone"
+                        style="@style/wifi_item" >
+                    <TextView
+                            android:layout_width="wrap_content"
+                            android:layout_height="wrap_content"
+                            style="@style/wifi_item_label"
+                            android:text="@string/wifi_eap_ocsp" />
+
+                    <Spinner android:id="@+id/ocsp"
+                            android:layout_width="match_parent"
+                            android:layout_height="wrap_content"
+                            style="@style/wifi_item_spinner"
+                            android:prompt="@string/wifi_eap_ocsp"
+                            android:entries="@array/eap_ocsp_type" />
+                </LinearLayout>
+
                <LinearLayout android:id="@+id/no_ca_cert_warning"
                        android:layout_width="match_parent"
                        android:layout_height="wrap_content"
--- a/res/values/arrays.xml
+++ b/res/values/arrays.xml
@@ -258,6 +258,14 @@
        <item>PWD</item>
    </string-array>

+    <!-- Type of OCSP -->
+    <string-array name="eap_ocsp_type" translatable="true">
+        <item>Do not validate</item>
+        <item>Request certificate status</item>
+        <item>Require certificate status</item>
+        <item>Require all non-trusted certificate statuses</item>
+    </string-array>
+
   <!-- Wi-Fi AP band settings.  Either Auto, 2.4GHz or 5GHz. -->
   <!-- Note that adding/removing/moving the items will need wifi settings code change. -->
    <string-array translatable="false" name="wifi_ap_band_config_full">
--- a/res/values/strings.xml
+++ b/res/values/strings.xml
@@ -2133,6 +2133,8 @@
    <string name="please_select_phase2">Phase 2 authentication</string>
    <!-- Label for the EAP CA certificate of the network -->
    <string name="wifi_eap_ca_cert">CA certificate</string>
+    <!-- Label for the OCSP type of the network. [CHAR LIMIT=32] -->
+    <string name="wifi_eap_ocsp">Online Certificate Status</string>
    <!-- Label for the domain name that the EAP CA certificate(s) can be used to validate. -->
    <string name="wifi_eap_domain">Domain</string>
    <!-- Label for the EAP user certificate of the network -->
--- a/src/com/android/settings/wifi/WifiConfigController.java
+++ b/src/com/android/settings/wifi/WifiConfigController.java
@@ -145,6 +145,7 @@ public class WifiConfigController implements TextWatcher,
    private Spinner mSecuritySpinner;
    private Spinner mEapMethodSpinner;
    private Spinner mEapCaCertSpinner;
+    private Spinner mEapOcspSpinner;
    private TextView mEapDomainView;
    private Spinner mPhase2Spinner;
    // Associated with mPhase2Spinner, one of mPhase2FullAdapter or mPhase2PeapAdapter
@@ -759,6 +760,14 @@ public class WifiConfigController implements TextWatcher,
                            + ") should not both be non-null");
                }

+                // Only set OCSP option if there is a valid CA certificate.
+                if (caCert.equals(mUnspecifiedCertString)
+                        || caCert.equals(mDoNotValidateEapServerString)) {
+                    config.enterpriseConfig.setOcsp(WifiEnterpriseConfig.OCSP_NONE);
+                } else {
+                    config.enterpriseConfig.setOcsp(mEapOcspSpinner.getSelectedItemPosition());
+                }
+
                String clientCert = (String) mEapUserCertSpinner.getSelectedItem();
                if (clientCert.equals(mUnspecifiedCertString)
                        || clientCert.equals(mDoNotProvideEapUserCertString)) {
@@ -993,6 +1002,7 @@ public class WifiConfigController implements TextWatcher,
            mPhase2Spinner.setOnItemSelectedListener(this);
            mEapCaCertSpinner = (Spinner) mView.findViewById(R.id.ca_cert);
            mEapCaCertSpinner.setOnItemSelectedListener(this);
+            mEapOcspSpinner = (Spinner) mView.findViewById(R.id.ocsp);
            mEapDomainView = (TextView) mView.findViewById(R.id.domain);
            mEapDomainView.addTextChangedListener(this);
            mEapUserCertSpinner = (Spinner) mView.findViewById(R.id.user_cert);
@@ -1034,6 +1044,11 @@ public class WifiConfigController implements TextWatcher,
                    mDoNotValidateEapServerString,
                    false,
                    true);
+            // To avoid the user connects to a non-secure network unexpectedly,
+            // request using system trusted certificates by default
+            // unless the user explicitly chooses "Do not validate" or other
+            // CA certificates.
+            setSelection(mEapCaCertSpinner, mUseSystemCertsString);
            loadCertificates(
                    mEapUserCertSpinner,
                    Credentials.USER_PRIVATE_KEY,
@@ -1098,6 +1113,7 @@ public class WifiConfigController implements TextWatcher,
                    setSelection(mEapCaCertSpinner, mMultipleCertSetString);
                }
            }
+            mEapOcspSpinner.setSelection(enterpriseConfig.getOcsp());
            mEapDomainView.setText(enterpriseConfig.getDomainSuffixMatch());
            String userCert = enterpriseConfig.getClientCertificateAlias();
            if (TextUtils.isEmpty(userCert)) {
@@ -1143,6 +1159,7 @@ public class WifiConfigController implements TextWatcher,
        // Defaults for most of the EAP methods and over-riden by
        // by certain EAP methods
        mView.findViewById(R.id.l_ca_cert).setVisibility(View.VISIBLE);
+        mView.findViewById(R.id.l_ocsp).setVisibility(View.VISIBLE);
        mView.findViewById(R.id.password_layout).setVisibility(View.VISIBLE);
        mView.findViewById(R.id.show_password_layout).setVisibility(View.VISIBLE);

@@ -1151,6 +1168,7 @@ public class WifiConfigController implements TextWatcher,
            case WIFI_EAP_METHOD_PWD:
                setPhase2Invisible();
                setCaCertInvisible();
+                setOcspInvisible();
                setDomainInvisible();
                setAnonymousIdentInvisible();
                setUserCertInvisible();
@@ -1188,6 +1206,7 @@ public class WifiConfigController implements TextWatcher,
                setPhase2Invisible();
                setAnonymousIdentInvisible();
                setCaCertInvisible();
+                setOcspInvisible();
                setDomainInvisible();
                setUserCertInvisible();
                setPasswordInvisible();
@@ -1205,6 +1224,10 @@ public class WifiConfigController implements TextWatcher,
                // Domain suffix matching is not relevant if the user hasn't chosen a CA
                // certificate yet, or chooses not to validate the EAP server.
                setDomainInvisible();
+                // Ocsp is an additional validation step for a server certifidate.
+                // This field is not relevant if the user hasn't chosen a valid
+                // CA certificate yet.
+                setOcspInvisible();
            }
        }
    }
@@ -1239,6 +1262,11 @@ public class WifiConfigController implements TextWatcher,
        setSelection(mEapCaCertSpinner, mUnspecifiedCertString);
    }

+    private void setOcspInvisible() {
+        mView.findViewById(R.id.l_ocsp).setVisibility(View.GONE);
+        mEapOcspSpinner.setSelection(WifiEnterpriseConfig.OCSP_NONE);
+    }
+
    private void setDomainInvisible() {
        mView.findViewById(R.id.l_domain).setVisibility(View.GONE);
        mEapDomainView.setText("");