1#!/usr/bin/env python3.4
2#
3#   Copyright 2020 - The Android Open Source Project
4#
5#   Licensed under the Apache License, Version 2.0 (the "License");
6#   you may not use this file except in compliance with the License.
7#   You may obtain a copy of the License at
8#
9#       http://www.apache.org/licenses/LICENSE-2.0
10#
11#   Unless required by applicable law or agreed to in writing, software
12#   distributed under the License is distributed on an "AS IS" BASIS,
13#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14#   See the License for the specific language governing permissions and
15#   limitations under the License.
16
17from acts import asserts
18from acts.test_decorators import test_tracker_info
19import acts_contrib.test_utils.wifi.wifi_test_utils as wutils
20from acts_contrib.test_utils.wifi.WifiBaseTest import WifiBaseTest
21
22WifiEnums = wutils.WifiEnums
23
24EAP = WifiEnums.Eap
25Ent = WifiEnums.Enterprise
26WPA3_SECURITY = "SUITE_B_192"
27
28
29class WifiWpa3EnterpriseTest(WifiBaseTest):
30  """Tests for WPA3 Enterprise."""
31
32  def setup_class(self):
33    super().setup_class()
34
35    self.dut = self.android_devices[0]
36    wutils.wifi_test_device_init(self.dut)
37    req_params = [
38        "ec2_ca_cert", "ec2_client_cert", "ec2_client_key", "rsa3072_ca_cert",
39        "rsa3072_client_cert", "rsa3072_client_key", "wpa3_ec2_network",
40        "wpa3_rsa3072_network", "rsa2048_client_cert", "rsa2048_client_key",
41        "rsa3072_client_cert_expired", "rsa3072_client_cert_corrupted",
42        "rsa3072_client_cert_unsigned", "rsa3072_client_key_unsigned",
43    ]
44    self.unpack_userparams(req_param_names=req_params,)
45
46  def setup_test(self):
47    super().setup_test()
48    for ad in self.android_devices:
49      ad.droid.wakeLockAcquireBright()
50      ad.droid.wakeUpNow()
51    wutils.wifi_toggle_state(self.dut, True)
52
53  def teardown_test(self):
54    super().teardown_test()
55    for ad in self.android_devices:
56      ad.droid.wakeLockRelease()
57      ad.droid.goToSleepNow()
58    wutils.reset_wifi(self.dut)
59
60  ### Tests ###
61
62  @test_tracker_info(uuid="404c6165-6e23-4ec1-bc2c-9dfdd5c7dc87")
63  def test_connect_to_wpa3_enterprise_ec2(self):
64    asserts.skip_if(
65        self.dut.build_info["build_id"].startswith("R"),
66        "No SL4A support for EC certs in R builds. Skipping this testcase")
67    config = {
68        Ent.EAP: int(EAP.TLS),
69        Ent.CA_CERT: self.ec2_ca_cert,
70        WifiEnums.SSID_KEY: self.wpa3_ec2_network[WifiEnums.SSID_KEY],
71        Ent.CLIENT_CERT: self.ec2_client_cert,
72        Ent.PRIVATE_KEY_ID: self.ec2_client_key,
73        WifiEnums.SECURITY: WPA3_SECURITY,
74        "identity": self.wpa3_ec2_network["identity"],
75        "domain_suffix_match": self.wpa3_ec2_network["domain"],
76        "cert_algo": self.wpa3_ec2_network["cert_algo"]
77    }
78    wutils.connect_to_wifi_network(self.dut, config)
79
80  @test_tracker_info(uuid="b6d22585-f7c1-418d-bd4b-b627af8c228c")
81  def test_connect_to_wpa3_enterprise_rsa3072(self):
82    config = {
83        Ent.EAP: int(EAP.TLS),
84        Ent.CA_CERT: self.rsa3072_ca_cert,
85        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
86        Ent.CLIENT_CERT: self.rsa3072_client_cert,
87        Ent.PRIVATE_KEY_ID: self.rsa3072_client_key,
88        WifiEnums.SECURITY: WPA3_SECURITY,
89        "identity": self.wpa3_rsa3072_network["identity"],
90        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]
91    }
92    # Synology AP is slow in sending out IP address after the connection.
93    # Increasing the wait time to receive IP address to 60s from 15s.
94    wutils.connect_to_wifi_network(self.dut, config, check_connectivity=False)
95    wutils.validate_connection(self.dut, wait_time=60)
96
97  @test_tracker_info(uuid="4779c662-1925-4c26-a4d6-3d729393796e")
98  def test_connect_to_wpa3_enterprise_insecure_rsa_cert(self):
99    config = {
100        Ent.EAP: int(EAP.TLS),
101        Ent.CA_CERT: self.rsa3072_ca_cert,
102        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
103        Ent.CLIENT_CERT: self.rsa2048_client_cert,
104        Ent.PRIVATE_KEY_ID: self.rsa2048_client_key,
105        WifiEnums.SECURITY: WPA3_SECURITY,
106        "identity": self.wpa3_rsa3072_network["identity"],
107        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]
108    }
109    logcat_msg = "E WifiKeyStore: Invalid certificate type for Suite-B"
110    try:
111      wutils.connect_to_wifi_network(self.dut, config)
112    except:
113      logcat_search = self.dut.search_logcat(logcat_msg)
114      self.log.info("Logcat search results: %s" % logcat_search)
115      asserts.assert_true(logcat_search, "No valid error msg in logcat")
116    else:
117      asserts.fail("WPA3 Ent worked with insecure RSA key. Expected to fail.")
118
119  @test_tracker_info(uuid="897957f3-de25-4f9e-b6fc-9d7798ea1e6f")
120  def test_connect_to_wpa3_enterprise_expired_rsa_cert(self):
121    config = {
122        Ent.EAP: int(EAP.TLS),
123        Ent.CA_CERT: self.rsa3072_ca_cert,
124        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
125        Ent.CLIENT_CERT: self.rsa3072_client_cert_expired,
126        Ent.PRIVATE_KEY_ID: self.rsa2048_client_key,
127        WifiEnums.SECURITY: WPA3_SECURITY,
128        "identity": self.wpa3_rsa3072_network["identity"],
129        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]
130    }
131    logcat_msg = "E WifiKeyStore: Invalid certificate type for Suite-B"
132    try:
133      wutils.connect_to_wifi_network(self.dut, config)
134    except:
135      logcat_search = self.dut.search_logcat(logcat_msg)
136      self.log.info("Logcat search results: %s" % logcat_search)
137      asserts.assert_true(logcat_search, "No valid error msg in logcat")
138    else:
139      asserts.fail("WPA3 Ent worked with expired cert. Expected to fail.")
140
141  @test_tracker_info(uuid="f7ab30e2-f2b5-488a-8667-e45920fc24d1")
142  def test_connect_to_wpa3_enterprise_corrupted_rsa_cert(self):
143    config = {
144        Ent.EAP: int(EAP.TLS),
145        Ent.CA_CERT: self.rsa3072_ca_cert,
146        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
147        Ent.CLIENT_CERT: self.rsa3072_client_cert_corrupted,
148        Ent.PRIVATE_KEY_ID: self.rsa2048_client_key,
149        WifiEnums.SECURITY: WPA3_SECURITY,
150        "identity": self.wpa3_rsa3072_network["identity"],
151        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]
152    }
153    try:
154      wutils.connect_to_wifi_network(self.dut, config)
155    except:
156      asserts.explicit_pass("Connection failed as expected.")
157    else:
158      asserts.fail("WPA3 Ent worked with corrupted cert. Expected to fail.")
159
160  @test_tracker_info(uuid="f934f388-dc0b-4c78-a493-026b798c15ca")
161  def test_connect_to_wpa3_enterprise_unsigned_rsa_cert(self):
162    config = {
163        Ent.EAP: int(EAP.TLS),
164        Ent.CA_CERT: self.rsa3072_ca_cert,
165        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
166        Ent.CLIENT_CERT: self.rsa3072_client_cert_unsigned,
167        Ent.PRIVATE_KEY_ID: self.rsa3072_client_key_unsigned,
168        WifiEnums.SECURITY: WPA3_SECURITY,
169        "identity": self.wpa3_rsa3072_network["identity"],
170        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]
171    }
172    try:
173      wutils.connect_to_wifi_network(self.dut, config)
174    except:
175      asserts.explicit_pass("Connection failed as expected.")
176    else:
177      asserts.fail("WPA3 Ent worked with unsigned cert. Expected to fail.")
178
179  @test_tracker_info(uuid="7082dc90-5eb8-4055-8b48-b555a98a837a")
180  def test_connect_to_wpa3_enterprise_wrong_domain_rsa_cert(self):
181    config = {
182        Ent.EAP: int(EAP.TLS),
183        Ent.CA_CERT: self.rsa3072_ca_cert,
184        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
185        Ent.CLIENT_CERT: self.rsa3072_client_cert,
186        Ent.PRIVATE_KEY_ID: self.rsa3072_client_key,
187        WifiEnums.SECURITY: WPA3_SECURITY,
188        "identity": self.wpa3_rsa3072_network["identity"],
189        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]+"_wrong"
190    }
191    try:
192      wutils.connect_to_wifi_network(self.dut, config)
193    except:
194      asserts.explicit_pass("Connection failed as expected.")
195    else:
196      asserts.fail("WPA3 Ent worked with unsigned cert. Expected to fail.")
197
198  @test_tracker_info(uuid="9ad5fd82-f115-42c3-b8e8-520144485ea1")
199  def test_network_selection_status_for_wpa3_ent_wrong_domain_rsa_cert(self):
200    config = {
201        Ent.EAP: int(EAP.TLS),
202        Ent.CA_CERT: self.rsa3072_ca_cert,
203        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
204        Ent.CLIENT_CERT: self.rsa3072_client_cert,
205        Ent.PRIVATE_KEY_ID: self.rsa2048_client_key,
206        WifiEnums.SECURITY: WPA3_SECURITY,
207        "identity": self.wpa3_rsa3072_network["identity"],
208        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]+"_wrong"
209    }
210    try:
211      wutils.connect_to_wifi_network(self.dut, config)
212    except:
213      asserts.assert_true(
214          self.dut.droid.wifiIsNetworkTemporaryDisabledForNetwork(config),
215          "WiFi network is not temporary disabled.")
216      asserts.explicit_pass(
217          "Connection failed with correct network selection status.")
218    else:
219      asserts.fail("WPA3 Ent worked with corrupted cert. Expected to fail.")
220