summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--wifi/java/android/net/wifi/WifiConfigStore.java320
-rw-r--r--wifi/java/android/net/wifi/WifiEnterpriseConfig.java394
2 files changed, 376 insertions, 338 deletions
diff --git a/wifi/java/android/net/wifi/WifiConfigStore.java b/wifi/java/android/net/wifi/WifiConfigStore.java
index a6ae215..ee38464 100644
--- a/wifi/java/android/net/wifi/WifiConfigStore.java
+++ b/wifi/java/android/net/wifi/WifiConfigStore.java
@@ -30,12 +30,15 @@ import android.net.wifi.WifiConfiguration.ProxySettings;
import android.net.wifi.WifiConfiguration.Status;
import android.net.wifi.NetworkUpdateResult;
import static android.net.wifi.WifiConfiguration.INVALID_NETWORK_ID;
+
import android.os.Environment;
import android.os.FileObserver;
-import android.os.Message;
import android.os.Handler;
import android.os.HandlerThread;
+import android.os.Process;
import android.os.UserHandle;
+import android.security.Credentials;
+import android.security.KeyChain;
import android.security.KeyStore;
import android.text.TextUtils;
import android.util.LocalLog;
@@ -57,7 +60,10 @@ import java.io.IOException;
import java.io.PrintWriter;
import java.net.InetAddress;
import java.net.UnknownHostException;
+import java.security.PrivateKey;
import java.security.PublicKey;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.BitSet;
import java.util.Collection;
@@ -155,6 +161,61 @@ class WifiConfigStore {
private static final String EXCLUSION_LIST_KEY = "exclusionList";
private static final String EOS = "eos";
+
+ /* Enterprise configuration keys */
+ /**
+ * In old configurations, the "private_key" field was used. However, newer
+ * configurations use the key_id field with the engine_id set to "keystore".
+ * If this field is found in the configuration, the migration code is
+ * triggered.
+ */
+ public static final String OLD_PRIVATE_KEY_NAME = "private_key";
+
+ /**
+ * String representing the keystore OpenSSL ENGINE's ID.
+ */
+ public static final String ENGINE_ID_KEYSTORE = "keystore";
+
+ /**
+ * String representing the keystore URI used for wpa_supplicant.
+ */
+ public static final String KEYSTORE_URI = "keystore://";
+
+ /**
+ * String to set the engine value to when it should be enabled.
+ */
+ public static final String ENGINE_ENABLE = "1";
+
+ /**
+ * String to set the engine value to when it should be disabled.
+ */
+ public static final String ENGINE_DISABLE = "0";
+
+ public static final String CA_CERT_PREFIX = KEYSTORE_URI + Credentials.CA_CERTIFICATE;
+ public static final String CLIENT_CERT_PREFIX = KEYSTORE_URI + Credentials.USER_CERTIFICATE;
+ public static final String EAP_KEY = "eap";
+ public static final String PHASE2_KEY = "phase2";
+ public static final String IDENTITY_KEY = "identity";
+ public static final String ANON_IDENTITY_KEY = "anonymous_identity";
+ public static final String PASSWORD_KEY = "password";
+ public static final String CLIENT_CERT_KEY = "client_cert";
+ public static final String CA_CERT_KEY = "ca_cert";
+ public static final String SUBJECT_MATCH_KEY = "subject_match";
+ public static final String ENGINE_KEY = "engine";
+ public static final String ENGINE_ID_KEY = "engine_id";
+ public static final String PRIVATE_KEY_ID_KEY = "key_id";
+ public static final String OPP_KEY_CACHING = "proactive_key_caching";
+
+ /** This represents an empty value of an enterprise field.
+ * NULL is used at wpa_supplicant to indicate an empty value
+ */
+ static final String EMPTY_VALUE = "NULL";
+
+ /** Internal use only */
+ private static final String[] ENTERPRISE_CONFIG_SUPPLICANT_KEYS = new String[] { EAP_KEY,
+ PHASE2_KEY, IDENTITY_KEY, ANON_IDENTITY_KEY, PASSWORD_KEY, CLIENT_CERT_KEY,
+ CA_CERT_KEY, SUBJECT_MATCH_KEY, ENGINE_KEY, ENGINE_ID_KEY, PRIVATE_KEY_ID_KEY };
+
private final LocalLog mLocalLog;
private final WpaConfigFileObserver mFileObserver;
@@ -390,7 +451,7 @@ class WifiConfigStore {
if (config != null) {
// Remove any associated keys
if (config.enterpriseConfig != null) {
- config.enterpriseConfig.removeKeys(mKeyStore);
+ removeKeys(config.enterpriseConfig);
}
mConfiguredNetworks.remove(netId);
mNetworkIds.remove(configKey(config));
@@ -754,7 +815,7 @@ class WifiConfigStore {
if (config.allowedKeyManagement.get(KeyMgmt.WPA_EAP)
&& config.allowedKeyManagement.get(KeyMgmt.IEEE8021X)) {
- if (config.enterpriseConfig.needsSoftwareBackedKeyStore()) {
+ if (needsSoftwareBackedKeyStore(config.enterpriseConfig)) {
return true;
}
}
@@ -1239,7 +1300,7 @@ class WifiConfigStore {
WifiEnterpriseConfig enterpriseConfig = config.enterpriseConfig;
- if (enterpriseConfig.needsKeyStore()) {
+ if (needsKeyStore(enterpriseConfig)) {
/**
* Keyguard settings may eventually be controlled by device policy.
* We check here if keystore is unlocked before installing
@@ -1259,7 +1320,7 @@ class WifiConfigStore {
WifiConfiguration currentConfig = mConfiguredNetworks.get(netId);
String keyId = config.getKeyIdForCredentials(currentConfig);
- if (!enterpriseConfig.installKeys(mKeyStore, keyId)) {
+ if (!installKeys(enterpriseConfig, keyId)) {
loge(config.SSID + ": failed to install keys");
break setVariables;
}
@@ -1276,7 +1337,7 @@ class WifiConfigStore {
netId,
key,
value)) {
- enterpriseConfig.removeKeys(mKeyStore);
+ removeKeys(enterpriseConfig);
loge(config.SSID + ": failed to set " + key +
": " + value);
break setVariables;
@@ -1589,21 +1650,21 @@ class WifiConfigStore {
config.enterpriseConfig = new WifiEnterpriseConfig();
}
HashMap<String, String> enterpriseFields = config.enterpriseConfig.getFields();
- for (String key : WifiEnterpriseConfig.getSupplicantKeys()) {
+ for (String key : ENTERPRISE_CONFIG_SUPPLICANT_KEYS) {
value = mWifiNative.getNetworkVariable(netId, key);
if (!TextUtils.isEmpty(value)) {
enterpriseFields.put(key, removeDoubleQuotes(value));
} else {
- enterpriseFields.put(key, WifiEnterpriseConfig.EMPTY_VALUE);
+ enterpriseFields.put(key, EMPTY_VALUE);
}
}
- if (config.enterpriseConfig.migrateOldEapTlsNative(mWifiNative, netId)) {
+ if (migrateOldEapTlsNative(config.enterpriseConfig, netId)) {
saveConfig();
}
- config.enterpriseConfig.migrateCerts(mKeyStore);
- config.enterpriseConfig.initializeSoftwareKeystoreFlag(mKeyStore);
+ migrateCerts(config.enterpriseConfig);
+ // initializeSoftwareKeystoreFlag(config.enterpriseConfig, mKeyStore);
}
private String removeDoubleQuotes(String string) {
@@ -1725,4 +1786,241 @@ class WifiConfigStore {
}
}
+ // Certificate and privake key management for EnterpriseConfig
+ boolean needsKeyStore(WifiEnterpriseConfig config) {
+ // Has no keys to be installed
+ if (config.getClientCertificate() == null && config.getCaCertificate() == null)
+ return false;
+ return true;
+ }
+
+ static boolean isHardwareBackedKey(PrivateKey key) {
+ return KeyChain.isBoundKeyAlgorithm(key.getAlgorithm());
+ }
+
+ static boolean hasHardwareBackedKey(Certificate certificate) {
+ return KeyChain.isBoundKeyAlgorithm(certificate.getPublicKey().getAlgorithm());
+ }
+
+ boolean needsSoftwareBackedKeyStore(WifiEnterpriseConfig config) {
+ String client = config.getClientCertificateAlias();
+ if (!TextUtils.isEmpty(client)) {
+ // a valid client certificate is configured
+
+ // BUGBUG: keyStore.get() never returns certBytes; because it is not
+ // taking WIFI_UID as a parameter. It always looks for certificate
+ // with SYSTEM_UID, and never finds any Wifi certificates. Assuming that
+ // all certificates need software keystore until we get the get() API
+ // fixed.
+
+ return true;
+ }
+
+ /*
+ try {
+
+ if (DBG) Slog.d(TAG, "Loading client certificate " + Credentials
+ .USER_CERTIFICATE + client);
+
+ CertificateFactory factory = CertificateFactory.getInstance("X.509");
+ if (factory == null) {
+ Slog.e(TAG, "Error getting certificate factory");
+ return;
+ }
+
+ byte[] certBytes = keyStore.get(Credentials.USER_CERTIFICATE + client);
+ if (certBytes != null) {
+ Certificate cert = (X509Certificate) factory.generateCertificate(
+ new ByteArrayInputStream(certBytes));
+
+ if (cert != null) {
+ mNeedsSoftwareKeystore = hasHardwareBackedKey(cert);
+
+ if (DBG) Slog.d(TAG, "Loaded client certificate " + Credentials
+ .USER_CERTIFICATE + client);
+ if (DBG) Slog.d(TAG, "It " + (mNeedsSoftwareKeystore ? "needs" :
+ "does not need" ) + " software key store");
+ } else {
+ Slog.d(TAG, "could not generate certificate");
+ }
+ } else {
+ Slog.e(TAG, "Could not load client certificate " + Credentials
+ .USER_CERTIFICATE + client);
+ mNeedsSoftwareKeystore = true;
+ }
+
+ } catch(CertificateException e) {
+ Slog.e(TAG, "Could not read certificates");
+ mCaCert = null;
+ mClientCertificate = null;
+ }
+ */
+
+ return false;
+ }
+
+ boolean installKeys(WifiEnterpriseConfig config, String name) {
+ boolean ret = true;
+ String privKeyName = Credentials.USER_PRIVATE_KEY + name;
+ String userCertName = Credentials.USER_CERTIFICATE + name;
+ String caCertName = Credentials.CA_CERTIFICATE + name;
+ if (config.getClientCertificate() != null) {
+ byte[] privKeyData = config.getClientPrivateKey().getEncoded();
+ if (isHardwareBackedKey(config.getClientPrivateKey())) {
+ // Hardware backed key store is secure enough to store keys un-encrypted, this
+ // removes the need for user to punch a PIN to get access to these keys
+ if (DBG) Log.d(TAG, "importing keys " + name + " in hardware backed store");
+ ret = mKeyStore.importKey(privKeyName, privKeyData, android.os.Process.WIFI_UID,
+ KeyStore.FLAG_NONE);
+ } else {
+ // Software backed key store is NOT secure enough to store keys un-encrypted.
+ // Save keys encrypted so they are protected with user's PIN. User will
+ // have to unlock phone before being able to use these keys and connect to
+ // networks.
+ if (DBG) Log.d(TAG, "importing keys " + name + " in software backed store");
+ ret = mKeyStore.importKey(privKeyName, privKeyData, Process.WIFI_UID,
+ KeyStore.FLAG_ENCRYPTED);
+ }
+ if (ret == false) {
+ return ret;
+ }
+
+ ret = putCertInKeyStore(userCertName, config.getClientCertificate());
+ if (ret == false) {
+ // Remove private key installed
+ mKeyStore.delKey(privKeyName, Process.WIFI_UID);
+ return ret;
+ }
+ }
+
+ if (config.getCaCertificate() != null) {
+ ret = putCertInKeyStore(caCertName, config.getCaCertificate());
+ if (ret == false) {
+ if (config.getClientCertificate() != null) {
+ // Remove client key+cert
+ mKeyStore.delKey(privKeyName, Process.WIFI_UID);
+ mKeyStore.delete(userCertName, Process.WIFI_UID);
+ }
+ return ret;
+ }
+ }
+
+ // Set alias names
+ if (config.getClientCertificate() != null) {
+ config.setClientCertificateAlias(name);
+ config.resetClientKeyEntry();
+ }
+
+ if (config.getCaCertificate() != null) {
+ config.setCaCertificateAlias(name);
+ config.resetCaCertificate();
+ }
+
+ return ret;
+ }
+
+ private boolean putCertInKeyStore(String name, Certificate cert) {
+ try {
+ byte[] certData = Credentials.convertToPem(cert);
+ if (DBG) Log.d(TAG, "putting certificate " + name + " in keystore");
+ return mKeyStore.put(name, certData, Process.WIFI_UID, KeyStore.FLAG_NONE);
+
+ } catch (IOException e1) {
+ return false;
+ } catch (CertificateException e2) {
+ return false;
+ }
+ }
+
+ void removeKeys(WifiEnterpriseConfig config) {
+ String client = config.getClientCertificateAlias();
+ // a valid client certificate is configured
+ if (!TextUtils.isEmpty(client)) {
+ if (DBG) Log.d(TAG, "removing client private key and user cert");
+ mKeyStore.delKey(Credentials.USER_PRIVATE_KEY + client, Process.WIFI_UID);
+ mKeyStore.delete(Credentials.USER_CERTIFICATE + client, Process.WIFI_UID);
+ }
+
+ String ca = config.getCaCertificateAlias();
+ // a valid ca certificate is configured
+ if (!TextUtils.isEmpty(ca)) {
+ if (DBG) Log.d(TAG, "removing CA cert");
+ mKeyStore.delete(Credentials.CA_CERTIFICATE + ca, Process.WIFI_UID);
+ }
+ }
+
+
+ /** Migrates the old style TLS config to the new config style. This should only be used
+ * when restoring an old wpa_supplicant.conf or upgrading from a previous
+ * platform version.
+ * @return true if the config was updated
+ * @hide
+ */
+ boolean migrateOldEapTlsNative(WifiEnterpriseConfig config, int netId) {
+ String oldPrivateKey = mWifiNative.getNetworkVariable(netId, OLD_PRIVATE_KEY_NAME);
+ /*
+ * If the old configuration value is not present, then there is nothing
+ * to do.
+ */
+ if (TextUtils.isEmpty(oldPrivateKey)) {
+ return false;
+ } else {
+ // Also ignore it if it's empty quotes.
+ oldPrivateKey = removeDoubleQuotes(oldPrivateKey);
+ if (TextUtils.isEmpty(oldPrivateKey)) {
+ return false;
+ }
+ }
+
+ config.setFieldValue(ENGINE_KEY, ENGINE_ENABLE);
+ config.setFieldValue(ENGINE_ID_KEY, ENGINE_ID_KEYSTORE);
+
+ /*
+ * The old key started with the keystore:// URI prefix, but we don't
+ * need that anymore. Trim it off if it exists.
+ */
+ final String keyName;
+ if (oldPrivateKey.startsWith(KEYSTORE_URI)) {
+ keyName = new String(oldPrivateKey.substring(KEYSTORE_URI.length()));
+ } else {
+ keyName = oldPrivateKey;
+ }
+ config.setFieldValue(PRIVATE_KEY_ID_KEY, keyName);
+
+ mWifiNative.setNetworkVariable(netId, ENGINE_KEY, config.getFieldValue(ENGINE_KEY, ""));
+
+ mWifiNative.setNetworkVariable(netId, ENGINE_ID_KEY,
+ config.getFieldValue(ENGINE_ID_KEY, ""));
+
+ mWifiNative.setNetworkVariable(netId, PRIVATE_KEY_ID_KEY,
+ config.getFieldValue(PRIVATE_KEY_ID_KEY, ""));
+
+ // Remove old private_key string so we don't run this again.
+ mWifiNative.setNetworkVariable(netId, OLD_PRIVATE_KEY_NAME, EMPTY_VALUE);
+
+ return true;
+ }
+
+ /** Migrate certs from global pool to wifi UID if not already done */
+ void migrateCerts(WifiEnterpriseConfig config) {
+ String client = config.getClientCertificateAlias();
+ // a valid client certificate is configured
+ if (!TextUtils.isEmpty(client)) {
+ if (!mKeyStore.contains(Credentials.USER_PRIVATE_KEY + client, Process.WIFI_UID)) {
+ mKeyStore.duplicate(Credentials.USER_PRIVATE_KEY + client, -1,
+ Credentials.USER_PRIVATE_KEY + client, Process.WIFI_UID);
+ mKeyStore.duplicate(Credentials.USER_CERTIFICATE + client, -1,
+ Credentials.USER_CERTIFICATE + client, Process.WIFI_UID);
+ }
+ }
+
+ String ca = config.getCaCertificateAlias();
+ // a valid ca certificate is configured
+ if (!TextUtils.isEmpty(ca)) {
+ if (!mKeyStore.contains(Credentials.CA_CERTIFICATE + ca, Process.WIFI_UID)) {
+ mKeyStore.duplicate(Credentials.CA_CERTIFICATE + ca, -1,
+ Credentials.CA_CERTIFICATE + ca, Process.WIFI_UID);
+ }
+ }
+ }
}
diff --git a/wifi/java/android/net/wifi/WifiEnterpriseConfig.java b/wifi/java/android/net/wifi/WifiEnterpriseConfig.java
index c7ebecb..452d84b 100644
--- a/wifi/java/android/net/wifi/WifiEnterpriseConfig.java
+++ b/wifi/java/android/net/wifi/WifiEnterpriseConfig.java
@@ -17,19 +17,13 @@ package android.net.wifi;
import android.os.Parcel;
import android.os.Parcelable;
-import android.os.Process;
import android.security.Credentials;
-import android.security.KeyChain;
-import android.security.KeyStore;
import android.text.TextUtils;
-import android.util.Slog;
import java.io.ByteArrayInputStream;
-import java.io.IOException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
-import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
@@ -44,62 +38,11 @@ import java.util.Map;
* and any associated credentials.
*/
public class WifiEnterpriseConfig implements Parcelable {
- private static final String TAG = "WifiEnterpriseConfig";
- private static final boolean DBG = false;
- /**
- * In old configurations, the "private_key" field was used. However, newer
- * configurations use the key_id field with the engine_id set to "keystore".
- * If this field is found in the configuration, the migration code is
- * triggered.
- */
- private static final String OLD_PRIVATE_KEY_NAME = "private_key";
-
- /**
- * String representing the keystore OpenSSL ENGINE's ID.
- */
- private static final String ENGINE_ID_KEYSTORE = "keystore";
-
- /**
- * String representing the keystore URI used for wpa_supplicant.
- */
- private static final String KEYSTORE_URI = "keystore://";
-
- /**
- * String to set the engine value to when it should be enabled.
- */
- private static final String ENGINE_ENABLE = "1";
-
- /**
- * String to set the engine value to when it should be disabled.
- */
- private static final String ENGINE_DISABLE = "0";
-
- private static final String CA_CERT_PREFIX = KEYSTORE_URI + Credentials.CA_CERTIFICATE;
- private static final String CLIENT_CERT_PREFIX = KEYSTORE_URI + Credentials.USER_CERTIFICATE;
-
- private static final String EAP_KEY = "eap";
- private static final String PHASE2_KEY = "phase2";
- private static final String IDENTITY_KEY = "identity";
- private static final String ANON_IDENTITY_KEY = "anonymous_identity";
- private static final String PASSWORD_KEY = "password";
- private static final String CLIENT_CERT_KEY = "client_cert";
- private static final String CA_CERT_KEY = "ca_cert";
- private static final String SUBJECT_MATCH_KEY = "subject_match";
- private static final String ENGINE_KEY = "engine";
- private static final String ENGINE_ID_KEY = "engine_id";
- private static final String PRIVATE_KEY_ID_KEY = "key_id";
- private static final String OPP_KEY_CACHING = "proactive_key_caching";
private HashMap<String, String> mFields = new HashMap<String, String>();
private X509Certificate mCaCert;
private PrivateKey mClientPrivateKey;
private X509Certificate mClientCertificate;
- private boolean mNeedsSoftwareKeystore = false;
-
- /** This represents an empty value of an enterprise field.
- * NULL is used at wpa_supplicant to indicate an empty value
- */
- static final String EMPTY_VALUE = "NULL";
public WifiEnterpriseConfig() {
// Do not set defaults so that the enterprise fields that are not changed
@@ -246,7 +189,8 @@ public class WifiEnterpriseConfig implements Parcelable {
public static final int GTC = 4;
private static final String PREFIX = "auth=";
/** @hide */
- public static final String[] strings = {EMPTY_VALUE, "PAP", "MSCHAP", "MSCHAPV2", "GTC" };
+ public static final String[] strings = {WifiConfigStore.EMPTY_VALUE, "PAP", "MSCHAP",
+ "MSCHAPV2", "GTC" };
/** Prevent initialization */
private Phase2() {}
@@ -257,13 +201,6 @@ public class WifiEnterpriseConfig implements Parcelable {
return mFields;
}
- /** Internal use only */
- static String[] getSupplicantKeys() {
- return new String[] { EAP_KEY, PHASE2_KEY, IDENTITY_KEY, ANON_IDENTITY_KEY, PASSWORD_KEY,
- CLIENT_CERT_KEY, CA_CERT_KEY, SUBJECT_MATCH_KEY, ENGINE_KEY, ENGINE_ID_KEY,
- PRIVATE_KEY_ID_KEY };
- }
-
/**
* Set the EAP authentication method.
* @param eapMethod is one {@link Eap#PEAP}, {@link Eap#TLS}, {@link Eap#TTLS} or
@@ -277,8 +214,8 @@ public class WifiEnterpriseConfig implements Parcelable {
case Eap.PWD:
case Eap.TLS:
case Eap.TTLS:
- mFields.put(EAP_KEY, Eap.strings[eapMethod]);
- mFields.put(OPP_KEY_CACHING, "1");
+ mFields.put(WifiConfigStore.EAP_KEY, Eap.strings[eapMethod]);
+ mFields.put(WifiConfigStore.OPP_KEY_CACHING, "1");
break;
default:
throw new IllegalArgumentException("Unknown EAP method");
@@ -290,7 +227,7 @@ public class WifiEnterpriseConfig implements Parcelable {
* @return eap method configured
*/
public int getEapMethod() {
- String eapMethod = mFields.get(EAP_KEY);
+ String eapMethod = mFields.get(WifiConfigStore.EAP_KEY);
return getStringIndex(Eap.strings, eapMethod, Eap.NONE);
}
@@ -306,14 +243,14 @@ public class WifiEnterpriseConfig implements Parcelable {
public void setPhase2Method(int phase2Method) {
switch (phase2Method) {
case Phase2.NONE:
- mFields.put(PHASE2_KEY, EMPTY_VALUE);
+ mFields.put(WifiConfigStore.PHASE2_KEY, WifiConfigStore.EMPTY_VALUE);
break;
/** Valid methods */
case Phase2.PAP:
case Phase2.MSCHAP:
case Phase2.MSCHAPV2:
case Phase2.GTC:
- mFields.put(PHASE2_KEY, convertToQuotedString(
+ mFields.put(WifiConfigStore.PHASE2_KEY, convertToQuotedString(
Phase2.PREFIX + Phase2.strings[phase2Method]));
break;
default:
@@ -326,7 +263,7 @@ public class WifiEnterpriseConfig implements Parcelable {
* @return a phase 2 method defined at {@link Phase2}
* */
public int getPhase2Method() {
- String phase2Method = removeDoubleQuotes(mFields.get(PHASE2_KEY));
+ String phase2Method = removeDoubleQuotes(mFields.get(WifiConfigStore.PHASE2_KEY));
// Remove auth= prefix
if (phase2Method.startsWith(Phase2.PREFIX)) {
phase2Method = phase2Method.substring(Phase2.PREFIX.length());
@@ -339,7 +276,7 @@ public class WifiEnterpriseConfig implements Parcelable {
* @param identity
*/
public void setIdentity(String identity) {
- setFieldValue(IDENTITY_KEY, identity, "");
+ setFieldValue(WifiConfigStore.IDENTITY_KEY, identity, "");
}
/**
@@ -347,7 +284,7 @@ public class WifiEnterpriseConfig implements Parcelable {
* @return the identity
*/
public String getIdentity() {
- return getFieldValue(IDENTITY_KEY, "");
+ return getFieldValue(WifiConfigStore.IDENTITY_KEY, "");
}
/**
@@ -356,14 +293,14 @@ public class WifiEnterpriseConfig implements Parcelable {
* @param anonymousIdentity the anonymous identity
*/
public void setAnonymousIdentity(String anonymousIdentity) {
- setFieldValue(ANON_IDENTITY_KEY, anonymousIdentity, "");
+ setFieldValue(WifiConfigStore.ANON_IDENTITY_KEY, anonymousIdentity, "");
}
/** Get the anonymous identity
* @return anonymous identity
*/
public String getAnonymousIdentity() {
- return getFieldValue(ANON_IDENTITY_KEY, "");
+ return getFieldValue(WifiConfigStore.ANON_IDENTITY_KEY, "");
}
/**
@@ -371,7 +308,7 @@ public class WifiEnterpriseConfig implements Parcelable {
* @param password the password
*/
public void setPassword(String password) {
- setFieldValue(PASSWORD_KEY, password, "");
+ setFieldValue(WifiConfigStore.PASSWORD_KEY, password, "");
}
/**
@@ -381,7 +318,7 @@ public class WifiEnterpriseConfig implements Parcelable {
* framework, returns "*".
*/
public String getPassword() {
- return getFieldValue(PASSWORD_KEY, "");
+ return getFieldValue(WifiConfigStore.PASSWORD_KEY, "");
}
/**
@@ -394,7 +331,7 @@ public class WifiEnterpriseConfig implements Parcelable {
* @hide
*/
public void setCaCertificateAlias(String alias) {
- setFieldValue(CA_CERT_KEY, alias, CA_CERT_PREFIX);
+ setFieldValue(WifiConfigStore.CA_CERT_KEY, alias, WifiConfigStore.CA_CERT_PREFIX);
}
/**
@@ -403,7 +340,7 @@ public class WifiEnterpriseConfig implements Parcelable {
* @hide
*/
public String getCaCertificateAlias() {
- return getFieldValue(CA_CERT_KEY, CA_CERT_PREFIX);
+ return getFieldValue(WifiConfigStore.CA_CERT_KEY, WifiConfigStore.CA_CERT_PREFIX);
}
/**
@@ -431,7 +368,6 @@ public class WifiEnterpriseConfig implements Parcelable {
/**
* Get CA certificate
- *
* @return X.509 CA certificate
*/
public X509Certificate getCaCertificate() {
@@ -439,6 +375,13 @@ public class WifiEnterpriseConfig implements Parcelable {
}
/**
+ * @hide
+ */
+ public void resetCaCertificate() {
+ mCaCert = null;
+ }
+
+ /**
* Set Client certificate alias.
*
* <p> See the {@link android.security.KeyChain} for details on installing or choosing
@@ -448,15 +391,16 @@ public class WifiEnterpriseConfig implements Parcelable {
* @hide
*/
public void setClientCertificateAlias(String alias) {
- setFieldValue(CLIENT_CERT_KEY, alias, CLIENT_CERT_PREFIX);
- setFieldValue(PRIVATE_KEY_ID_KEY, alias, Credentials.USER_PRIVATE_KEY);
+ setFieldValue(WifiConfigStore.CLIENT_CERT_KEY, alias, WifiConfigStore.CLIENT_CERT_PREFIX);
+ setFieldValue(WifiConfigStore.PRIVATE_KEY_ID_KEY, alias, Credentials.USER_PRIVATE_KEY);
// Also, set engine parameters
if (TextUtils.isEmpty(alias)) {
- mFields.put(ENGINE_KEY, ENGINE_DISABLE);
- mFields.put(ENGINE_ID_KEY, EMPTY_VALUE);
+ mFields.put(WifiConfigStore.ENGINE_KEY, WifiConfigStore.ENGINE_DISABLE);
+ mFields.put(WifiConfigStore.ENGINE_ID_KEY, WifiConfigStore.EMPTY_VALUE);
} else {
- mFields.put(ENGINE_KEY, ENGINE_ENABLE);
- mFields.put(ENGINE_ID_KEY, convertToQuotedString(ENGINE_ID_KEYSTORE));
+ mFields.put(WifiConfigStore.ENGINE_KEY, WifiConfigStore.ENGINE_ENABLE);
+ mFields.put(WifiConfigStore.ENGINE_ID_KEY,
+ convertToQuotedString(WifiConfigStore.ENGINE_ID_KEYSTORE));
}
}
@@ -466,7 +410,7 @@ public class WifiEnterpriseConfig implements Parcelable {
* @hide
*/
public String getClientCertificateAlias() {
- return getFieldValue(CLIENT_CERT_KEY, CLIENT_CERT_PREFIX);
+ return getFieldValue(WifiConfigStore.CLIENT_CERT_KEY, WifiConfigStore.CLIENT_CERT_PREFIX);
}
/**
@@ -507,116 +451,19 @@ public class WifiEnterpriseConfig implements Parcelable {
return mClientCertificate;
}
- boolean needsKeyStore() {
- // Has no keys to be installed
- if (mClientCertificate == null && mCaCert == null) return false;
- return true;
- }
-
- static boolean isHardwareBackedKey(PrivateKey key) {
- return KeyChain.isBoundKeyAlgorithm(key.getAlgorithm());
- }
-
- static boolean hasHardwareBackedKey(Certificate certificate) {
- return KeyChain.isBoundKeyAlgorithm(certificate.getPublicKey().getAlgorithm());
- }
-
- boolean needsSoftwareBackedKeyStore() {
- return mNeedsSoftwareKeystore;
- }
-
- boolean installKeys(android.security.KeyStore keyStore, String name) {
- boolean ret = true;
- String privKeyName = Credentials.USER_PRIVATE_KEY + name;
- String userCertName = Credentials.USER_CERTIFICATE + name;
- String caCertName = Credentials.CA_CERTIFICATE + name;
- if (mClientCertificate != null) {
- byte[] privKeyData = mClientPrivateKey.getEncoded();
- if (isHardwareBackedKey(mClientPrivateKey)) {
- // Hardware backed key store is secure enough to store keys un-encrypted, this
- // removes the need for user to punch a PIN to get access to these keys
- if (DBG) Slog.d(TAG, "importing keys " + name + " in hardware backed " +
- "store");
- ret = keyStore.importKey(privKeyName, privKeyData, Process.WIFI_UID,
- KeyStore.FLAG_NONE);
- } else {
- // Software backed key store is NOT secure enough to store keys un-encrypted.
- // Save keys encrypted so they are protected with user's PIN. User will
- // have to unlock phone before being able to use these keys and connect to
- // networks.
- if (DBG) Slog.d(TAG, "importing keys " + name + " in software backed store");
- ret = keyStore.importKey(privKeyName, privKeyData, Process.WIFI_UID,
- KeyStore.FLAG_ENCRYPTED);
- mNeedsSoftwareKeystore = true;
- }
- if (ret == false) {
- return ret;
- }
-
- ret = putCertInKeyStore(keyStore, userCertName, mClientCertificate);
- if (ret == false) {
- // Remove private key installed
- keyStore.delKey(privKeyName, Process.WIFI_UID);
- return ret;
- }
- }
-
- if (mCaCert != null) {
- ret = putCertInKeyStore(keyStore, caCertName, mCaCert);
- if (ret == false) {
- if (mClientCertificate != null) {
- // Remove client key+cert
- keyStore.delKey(privKeyName, Process.WIFI_UID);
- keyStore.delete(userCertName, Process.WIFI_UID);
- }
- return ret;
- }
- }
-
- // Set alias names
- if (mClientCertificate != null) {
- setClientCertificateAlias(name);
- mClientPrivateKey = null;
- mClientCertificate = null;
- }
-
- if (mCaCert != null) {
- setCaCertificateAlias(name);
- mCaCert = null;
- }
-
- return ret;
- }
-
- private boolean putCertInKeyStore(android.security.KeyStore keyStore, String name,
- Certificate cert) {
- try {
- byte[] certData = Credentials.convertToPem(cert);
- if (DBG) Slog.d(TAG, "putting certificate " + name + " in keystore");
- return keyStore.put(name, certData, Process.WIFI_UID, KeyStore.FLAG_NONE);
-
- } catch (IOException e1) {
- return false;
- } catch (CertificateException e2) {
- return false;
- }
+ /**
+ * @hide
+ */
+ public void resetClientKeyEntry() {
+ mClientPrivateKey = null;
+ mClientCertificate = null;
}
- void removeKeys(KeyStore keyStore) {
- String client = getFieldValue(CLIENT_CERT_KEY, CLIENT_CERT_PREFIX);
- // a valid client certificate is configured
- if (!TextUtils.isEmpty(client)) {
- if (DBG) Slog.d(TAG, "removing client private key and user cert");
- keyStore.delKey(Credentials.USER_PRIVATE_KEY + client, Process.WIFI_UID);
- keyStore.delete(Credentials.USER_CERTIFICATE + client, Process.WIFI_UID);
- }
-
- String ca = getFieldValue(CA_CERT_KEY, CA_CERT_PREFIX);
- // a valid ca certificate is configured
- if (!TextUtils.isEmpty(ca)) {
- if (DBG) Slog.d(TAG, "removing CA cert");
- keyStore.delete(Credentials.CA_CERTIFICATE + ca, Process.WIFI_UID);
- }
+ /**
+ * @hide
+ */
+ public PrivateKey getClientPrivateKey() {
+ return mClientPrivateKey;
}
/**
@@ -625,7 +472,7 @@ public class WifiEnterpriseConfig implements Parcelable {
* @param subjectMatch substring to be matched
*/
public void setSubjectMatch(String subjectMatch) {
- setFieldValue(SUBJECT_MATCH_KEY, subjectMatch, "");
+ setFieldValue(WifiConfigStore.SUBJECT_MATCH_KEY, subjectMatch, "");
}
/**
@@ -633,147 +480,24 @@ public class WifiEnterpriseConfig implements Parcelable {
* @return the subject match string
*/
public String getSubjectMatch() {
- return getFieldValue(SUBJECT_MATCH_KEY, "");
+ return getFieldValue(WifiConfigStore.SUBJECT_MATCH_KEY, "");
}
/** See {@link WifiConfiguration#getKeyIdForCredentials} @hide */
String getKeyId(WifiEnterpriseConfig current) {
- String eap = mFields.get(EAP_KEY);
- String phase2 = mFields.get(PHASE2_KEY);
+ String eap = mFields.get(WifiConfigStore.EAP_KEY);
+ String phase2 = mFields.get(WifiConfigStore.PHASE2_KEY);
// If either eap or phase2 are not initialized, use current config details
if (TextUtils.isEmpty((eap))) {
- eap = current.mFields.get(EAP_KEY);
+ eap = current.mFields.get(WifiConfigStore.EAP_KEY);
}
if (TextUtils.isEmpty(phase2)) {
- phase2 = current.mFields.get(PHASE2_KEY);
+ phase2 = current.mFields.get(WifiConfigStore.PHASE2_KEY);
}
return eap + "_" + phase2;
}
- /** Migrates the old style TLS config to the new config style. This should only be used
- * when restoring an old wpa_supplicant.conf or upgrading from a previous
- * platform version.
- * @return true if the config was updated
- * @hide
- */
- boolean migrateOldEapTlsNative(WifiNative wifiNative, int netId) {
- String oldPrivateKey = wifiNative.getNetworkVariable(netId, OLD_PRIVATE_KEY_NAME);
- /*
- * If the old configuration value is not present, then there is nothing
- * to do.
- */
- if (TextUtils.isEmpty(oldPrivateKey)) {
- return false;
- } else {
- // Also ignore it if it's empty quotes.
- oldPrivateKey = removeDoubleQuotes(oldPrivateKey);
- if (TextUtils.isEmpty(oldPrivateKey)) {
- return false;
- }
- }
-
- mFields.put(ENGINE_KEY, ENGINE_ENABLE);
- mFields.put(ENGINE_ID_KEY, convertToQuotedString(ENGINE_ID_KEYSTORE));
-
- /*
- * The old key started with the keystore:// URI prefix, but we don't
- * need that anymore. Trim it off if it exists.
- */
- final String keyName;
- if (oldPrivateKey.startsWith(KEYSTORE_URI)) {
- keyName = new String(oldPrivateKey.substring(KEYSTORE_URI.length()));
- } else {
- keyName = oldPrivateKey;
- }
- mFields.put(PRIVATE_KEY_ID_KEY, convertToQuotedString(keyName));
-
- wifiNative.setNetworkVariable(netId, ENGINE_KEY, mFields.get(ENGINE_KEY));
- wifiNative.setNetworkVariable(netId, ENGINE_ID_KEY, mFields.get(ENGINE_ID_KEY));
- wifiNative.setNetworkVariable(netId, PRIVATE_KEY_ID_KEY, mFields.get(PRIVATE_KEY_ID_KEY));
- // Remove old private_key string so we don't run this again.
- wifiNative.setNetworkVariable(netId, OLD_PRIVATE_KEY_NAME, EMPTY_VALUE);
- return true;
- }
-
- /** Migrate certs from global pool to wifi UID if not already done */
- void migrateCerts(android.security.KeyStore keyStore) {
- String client = getFieldValue(CLIENT_CERT_KEY, CLIENT_CERT_PREFIX);
- // a valid client certificate is configured
- if (!TextUtils.isEmpty(client)) {
- if (!keyStore.contains(Credentials.USER_PRIVATE_KEY + client, Process.WIFI_UID)) {
- keyStore.duplicate(Credentials.USER_PRIVATE_KEY + client, -1,
- Credentials.USER_PRIVATE_KEY + client, Process.WIFI_UID);
- keyStore.duplicate(Credentials.USER_CERTIFICATE + client, -1,
- Credentials.USER_CERTIFICATE + client, Process.WIFI_UID);
- }
- }
-
- String ca = getFieldValue(CA_CERT_KEY, CA_CERT_PREFIX);
- // a valid ca certificate is configured
- if (!TextUtils.isEmpty(ca)) {
- if (!keyStore.contains(Credentials.CA_CERTIFICATE + ca, Process.WIFI_UID)) {
- keyStore.duplicate(Credentials.CA_CERTIFICATE + ca, -1,
- Credentials.CA_CERTIFICATE + ca, Process.WIFI_UID);
- }
- }
- }
-
- void initializeSoftwareKeystoreFlag(android.security.KeyStore keyStore) {
- String client = getFieldValue(CLIENT_CERT_KEY, CLIENT_CERT_PREFIX);
- if (!TextUtils.isEmpty(client)) {
- // a valid client certificate is configured
-
- // BUGBUG: keyStore.get() never returns certBytes; because it is not
- // taking WIFI_UID as a parameter. It always looks for certificate
- // with SYSTEM_UID, and never finds any Wifi certificates. Assuming that
- // all certificates need software keystore until we get the get() API
- // fixed.
-
- mNeedsSoftwareKeystore = true;
-
- /*
- try {
-
- if (DBG) Slog.d(TAG, "Loading client certificate " + Credentials
- .USER_CERTIFICATE + client);
-
- CertificateFactory factory = CertificateFactory.getInstance("X.509");
- if (factory == null) {
- Slog.e(TAG, "Error getting certificate factory");
- return;
- }
-
- byte[] certBytes = keyStore.get(Credentials.USER_CERTIFICATE + client);
- if (certBytes != null) {
- Certificate cert = (X509Certificate) factory.generateCertificate(
- new ByteArrayInputStream(certBytes));
-
- if (cert != null) {
- mNeedsSoftwareKeystore = hasHardwareBackedKey(cert);
-
- if (DBG) Slog.d(TAG, "Loaded client certificate " + Credentials
- .USER_CERTIFICATE + client);
- if (DBG) Slog.d(TAG, "It " + (mNeedsSoftwareKeystore ? "needs" :
- "does not need" ) + " software key store");
- } else {
- Slog.d(TAG, "could not generate certificate");
- }
- } else {
- Slog.e(TAG, "Could not load client certificate " + Credentials
- .USER_CERTIFICATE + client);
- mNeedsSoftwareKeystore = true;
- }
-
- } catch(CertificateException e) {
- Slog.e(TAG, "Could not read certificates");
- mCaCert = null;
- mClientCertificate = null;
- }
- */
- }
- }
-
private String removeDoubleQuotes(String string) {
if (TextUtils.isEmpty(string)) return "";
int length = string.length();
@@ -806,11 +530,12 @@ public class WifiEnterpriseConfig implements Parcelable {
* @param key into the hash
* @param prefix is the prefix that the value may have
* @return value
+ * @hide
*/
- private String getFieldValue(String key, String prefix) {
+ String getFieldValue(String key, String prefix) {
String value = mFields.get(key);
// Uninitialized or known to be empty after reading from supplicant
- if (TextUtils.isEmpty(value) || EMPTY_VALUE.equals(value)) return "";
+ if (TextUtils.isEmpty(value) || WifiConfigStore.EMPTY_VALUE.equals(value)) return "";
value = removeDoubleQuotes(value);
if (value.startsWith(prefix)) {
@@ -827,12 +552,27 @@ public class WifiEnterpriseConfig implements Parcelable {
*/
private void setFieldValue(String key, String value, String prefix) {
if (TextUtils.isEmpty(value)) {
- mFields.put(key, EMPTY_VALUE);
+ mFields.put(key, WifiConfigStore.EMPTY_VALUE);
} else {
mFields.put(key, convertToQuotedString(prefix + value));
}
}
+
+ /** Set a value with an optional prefix at key
+ * @param key into the hash
+ * @param value to be set
+ * @param prefix an optional value to be prefixed to actual value
+ * @hide
+ */
+ public void setFieldValue(String key, String value) {
+ if (TextUtils.isEmpty(value)) {
+ mFields.put(key, WifiConfigStore.EMPTY_VALUE);
+ } else {
+ mFields.put(key, convertToQuotedString(value));
+ }
+ }
+
@Override
public String toString() {
StringBuffer sb = new StringBuffer();