From d147f0090ce28e1ad70f7a9b582dec91161139e8 Mon Sep 17 00:00:00 2001 From: Samuel Tan Date: Thu, 18 Feb 2016 14:56:10 -0800 Subject: [PATCH] WifiConfigController: set ca_path and ca_cert to null if unused The WPA supplicant ca_cert and ca_path directives should not both be non-null, since our EAP settings logic only allows one or the other to be used. Modify logic in getConfig() to explicitly set ca_path or ca_cert to null if it is not used. This explicit null value is necessary to override a previously non-null value saved in an existing configuration. Also, always set the domain_suffix_match directive, which will cause this directive to be reset when the Domain field is hidden. BUG: 27194668 TEST: 1) Install custom ca certificate onto device as "testcert" TEST: 2) Configure an EAP-TLS network with CA certificate "testcert", Domain "testdomain", User certificate "Do not provide", identity empty, and save. TEST: 3) Read network variables in data/misc/wifi/wpa_supplicant.conf and ensure that ca_cert is "testcert", ca_path is not present, and domain_suffix_match is "testdomain". TEST: 4) Modify that same EAP-TLS network configured in step 2 with CA certificate "Use system certificates", Domain "testdomain", User certificate "Do not provide", identity empty, and save. TEST: 5) Read network variables in data/misc/wifi/wpa_supplicant.conf and ensure that ca_cert is "keystore://CACERT_testcert", ca_path is not present, and domain_suffix_match is "testdomain". TEST: 6) Modify that same EAP-TLS network configured in step 2 to be an EAP-PWD network. Leave Identity and Password blank, and save. TEST: 7) Read network variables in data/misc/wifi/wpa_supplicant.conf and ensure that ca_cert, ca_path, and domain_suffix_match are not present. Change-Id: I547f3e359bc8e9b77e51e10e60356b857230636f --- .../settings/wifi/WifiConfigController.java | 51 ++++++++++++------- 1 file changed, 32 insertions(+), 19 deletions(-) 
diff --git a/src/com/android/settings/wifi/WifiConfigController.java b/src/com/android/settings/wifi/WifiConfigController.java
index 285b31605bd..9aad701c766 100644
--- a/src/com/android/settings/wifi/WifiConfigController.java
+++ b/src/com/android/settings/wifi/WifiConfigController.java
@@ -517,30 +517,43 @@ public class WifiConfigController
 config.enterpriseConfig.setPhase2Method(phase2Method);
 break;
 }
+
 String caCert = (String) mEapCaCertSpinner.getSelectedItem();
+ config.enterpriseConfig.setCaCertificateAliases(null);
+ config.enterpriseConfig.setCaPath(null);
+ config.enterpriseConfig.setDomainSuffixMatch(mEapDomainView.getText().toString());
 if (caCert.equals(mUnspecifiedCertString) || caCert.equals(mDoNotValidateEapServerString)) {
- // Note: |caCert| should not be able to take the value |unspecifiedCert|,
- // since we prevent such configurations from being saved.
- config.enterpriseConfig.setCaCertificateAliases(null);
- } else {
- config.enterpriseConfig.setDomainSuffixMatch(
- mEapDomainView.getText().toString());
- if (caCert.equals(mUseSystemCertsString)) {
- config.enterpriseConfig.setCaPath(SYSTEM_CA_STORE_PATH);
- } else if (caCert.equals(mMultipleCertSetString)) {
- if (mAccessPoint != null) {
- if (!mAccessPoint.isSaved()) {
- Log.e(TAG, "Multiple certs can only be set "
- + "when editing saved network");
- }
- config.enterpriseConfig.setCaCertificateAliases(
- mAccessPoint.getConfig().enterpriseConfig
- .getCaCertificateAliases());
+ // ca_cert already set to null, so do nothing.
+ } else if (caCert.equals(mUseSystemCertsString)) {
+ config.enterpriseConfig.setCaPath(SYSTEM_CA_STORE_PATH);
+ } else if (caCert.equals(mMultipleCertSetString)) {
+ if (mAccessPoint != null) {
+ if (!mAccessPoint.isSaved()) {
+ Log.e(TAG, "Multiple certs can only be set "
+ + "when editing saved network");
 }
- } else {
- config.enterpriseConfig.setCaCertificateAliases(new String[] {caCert});
+ config.enterpriseConfig.setCaCertificateAliases(
+ mAccessPoint
+ .getConfig()
+ .enterpriseConfig
+ .getCaCertificateAliases());
 }
+ } else {
+ config.enterpriseConfig.setCaCertificateAliases(new String[] {caCert});
+ }
+
+ // ca_cert or ca_path should not both be non-null, since we only intend to let
+ // the use either their own certificate, or the system certificates, not both.
+ // The variable that is not used must explicitly be set to null, so that a
+ // previously-set value on a saved configuration will be erased on an update.
+ if (config.enterpriseConfig.getCaCertificateAliases() != null
+ && config.enterpriseConfig.getCaPath() != null) {
+ Log.e(TAG, "ca_cert ("
+ + config.enterpriseConfig.getCaCertificateAliases()
+ + ") and ca_path ("
+ + config.enterpriseConfig.getCaPath()
+ + ") should not both be non-null");
 }
 String clientCert = (String) mEapUserCertSpinner.getSelectedItem();
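Review bot: In the `mMultipleCertSetString` branch, a null `mAccessPoint` leaves both ca_cert and ca_path null after the unconditional resets at the top, so the EAP network would be written with no server-certificate validation and no log line; the unsaved case logs an error but still goes on to dereference `mAccessPoint.getConfig()`. Unless a caller outside this hunk rejects such configurations, I would put the `setCaCertificateAliases(` copy in an `} else {` of the `isSaved()` check and add `Log.e(TAG, "No saved network to copy CA certificates from");` for the null case, so the fallback to an unvalidated configuration is at least visible. Separately, the final sanity check concatenates the result of `getCaCertificateAliases()`, which appears to be a `String[]` (it is passed straight to the setter that also takes `new String[] {caCert}`), so the message would print the array identity rather than the aliases; `Arrays.toString(config.enterpriseConfig.getCaCertificateAliases())` would make it usable. The enclosing method starts and ends outside the hunk.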