WifiConfigController: set ca_path and ca_cert to null if unused

The WPA supplicant ca_cert and ca_path directives should not
both be non-null, since our EAP settings logic only allows one
or the other to be used.

Modify logic in getConfig() to explicitly set ca_path or ca_cert
to null if it is not used. This explicit null value is necessary
to override a previously non-null value saved in an existing
configuration.

Also, always set the domain_suffix_match directive, which
will lead to this directive being reset when the Domain
field is hidden.

BUG: 27194668
TEST: 1) Install custom ca certificate onto device as "testcert"
TEST: 2) Configure an EAP-TLS network with CA certificate
         "testcert", Domain "testdomain",
         User certificate "Do not provide", identity empty, and save.
TEST: 3) Read network variables in data/misc/wifi/wpa_supplicant.conf
         and ensure that ca_cert is "testcert", ca_path is not
         present, and domain_suffix_match is "testdomain".
TEST: 4) Modify that same EAP-TLS network configured in step 2 with
         CA certificate "Use system certificates", Domain "testdomain",
         User certificate "Do not provide", identity empty, and save.
TEST: 5) Read network variables in data/misc/wifi/wpa_supplicant.conf
         and ensure that ca_cert is "keystore://CACERT_testcert",
         ca_path is not present, and domain_suffix_match is
         "testdomain".
TEST: 6) Modify that same EAP-TLS network configured in step 2 to be
         an EAP-PWD network. Leave Identity and Password blank, and
         save.
TEST: 7) Read network variables in data/misc/wifi/wpa_supplicant.conf
         and ensure that ca_cert, ca_path, and domain_suffix_match are
         not present.

Change-Id: I547f3e359bc8e9b77e51e10e60356b857230636f
diff --git a/src/com/android/settings/wifi/WifiConfigController.java b/src/com/android/settings/wifi/WifiConfigController.java
index 285b316..9aad701 100644
--- a/src/com/android/settings/wifi/WifiConfigController.java
+++ b/src/com/android/settings/wifi/WifiConfigController.java
@@ -517,30 +517,43 @@
                         config.enterpriseConfig.setPhase2Method(phase2Method);
                         break;
                 }
+
                 String caCert = (String) mEapCaCertSpinner.getSelectedItem();
+                config.enterpriseConfig.setCaCertificateAliases(null);
+                config.enterpriseConfig.setCaPath(null);
+                config.enterpriseConfig.setDomainSuffixMatch(mEapDomainView.getText().toString());
                 if (caCert.equals(mUnspecifiedCertString)
                         || caCert.equals(mDoNotValidateEapServerString)) {
-                    // Note: |caCert| should not be able to take the value |unspecifiedCert|,
-                    // since we prevent such configurations from being saved.
-                    config.enterpriseConfig.setCaCertificateAliases(null);
-                } else {
-                    config.enterpriseConfig.setDomainSuffixMatch(
-                            mEapDomainView.getText().toString());
-                    if (caCert.equals(mUseSystemCertsString)) {
-                        config.enterpriseConfig.setCaPath(SYSTEM_CA_STORE_PATH);
-                    } else if (caCert.equals(mMultipleCertSetString)) {
-                        if (mAccessPoint != null) {
-                            if (!mAccessPoint.isSaved()) {
-                                Log.e(TAG, "Multiple certs can only be set "
-                                        + "when editing saved network");
-                            }
-                            config.enterpriseConfig.setCaCertificateAliases(
-                                    mAccessPoint.getConfig().enterpriseConfig
-                                            .getCaCertificateAliases());
+                    // ca_cert already set to null, so do nothing.
+                } else if (caCert.equals(mUseSystemCertsString)) {
+                    config.enterpriseConfig.setCaPath(SYSTEM_CA_STORE_PATH);
+                } else if (caCert.equals(mMultipleCertSetString)) {
+                    if (mAccessPoint != null) {
+                        if (!mAccessPoint.isSaved()) {
+                            Log.e(TAG, "Multiple certs can only be set "
+                                    + "when editing saved network");
                         }
-                    } else {
-                        config.enterpriseConfig.setCaCertificateAliases(new String[] {caCert});
+                        config.enterpriseConfig.setCaCertificateAliases(
+                                mAccessPoint
+                                        .getConfig()
+                                        .enterpriseConfig
+                                        .getCaCertificateAliases());
                     }
+                } else {
+                    config.enterpriseConfig.setCaCertificateAliases(new String[] {caCert});
+                }
+
+                // ca_cert or ca_path should not both be non-null, since we only intend to let
+                // the use either their own certificate, or the system certificates, not both.
+                // The variable that is not used must explicitly be set to null, so that a
+                // previously-set value on a saved configuration will be erased on an update.
+                if (config.enterpriseConfig.getCaCertificateAliases() != null
+                        && config.enterpriseConfig.getCaPath() != null) {
+                    Log.e(TAG, "ca_cert ("
+                            + config.enterpriseConfig.getCaCertificateAliases()
+                            + ") and ca_path ("
+                            + config.enterpriseConfig.getCaPath()
+                            + ") should not both be non-null");
                 }
 
                 String clientCert = (String) mEapUserCertSpinner.getSelectedItem();
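
Review bot: In the new sanity check at the end of the hunk, the Log.e message concatenates config.enterpriseConfig.getCaCertificateAliases() straight into the string, but setCaCertificateAliases is passed a String[] a few lines above, so if the getter returns that array the log will carry an array identity string instead of the alias names; wrapping it in Arrays.toString(...) would make the message usable. The check also only logs, so a config with both ca_cert and ca_path set would still be returned and saved; if that state is really invalid, clear one of the two or refuse to save. Separately, setDomainSuffixMatch(mEapDomainView.getText().toString()) now runs for every CA selection, including the unspecified and do-not-validate cases, so the reset described in the commit message depends on the Domain field's text being empty whenever it is hidden, which these lines do not show; consider setting it explicitly to an empty value in that branch. In the mMultipleCertSetString branch, a null mAccessPoint now leaves both ca_cert and ca_path null with no log, and the !isSaved() case logs an error but still copies the aliases. Nit: the new comment reads "let the use either", which looks like a missing word.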