unplugged-system/tools/test/connectivity/acts_tests/tests/google/wifi/WifiWpa3EnterpriseTest.py

#!/usr/bin/env python3.4
#
#   Copyright 2020 - The Android Open Source Project
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.

from acts import asserts
from acts.test_decorators import test_tracker_info
import acts_contrib.test_utils.wifi.wifi_test_utils as wutils
from acts_contrib.test_utils.wifi.WifiBaseTest import WifiBaseTest

WifiEnums = wutils.WifiEnums

EAP = WifiEnums.Eap
Ent = WifiEnums.Enterprise
WPA3_SECURITY = "SUITE_B_192"


class WifiWpa3EnterpriseTest(WifiBaseTest):
  """Tests for WPA3 Enterprise."""

  def setup_class(self):
    super().setup_class()

    self.dut = self.android_devices[0]
    wutils.wifi_test_device_init(self.dut)
    req_params = [
        "ec2_ca_cert", "ec2_client_cert", "ec2_client_key", "rsa3072_ca_cert",
        "rsa3072_client_cert", "rsa3072_client_key", "wpa3_ec2_network",
        "wpa3_rsa3072_network", "rsa2048_client_cert", "rsa2048_client_key",
        "rsa3072_client_cert_expired", "rsa3072_client_cert_corrupted",
        "rsa3072_client_cert_unsigned", "rsa3072_client_key_unsigned",
    ]
    self.unpack_userparams(req_param_names=req_params,)

  def setup_test(self):
    super().setup_test()
    for ad in self.android_devices:
      ad.droid.wakeLockAcquireBright()
      ad.droid.wakeUpNow()
    wutils.wifi_toggle_state(self.dut, True)

  def teardown_test(self):
    super().teardown_test()
    for ad in self.android_devices:
      ad.droid.wakeLockRelease()
      ad.droid.goToSleepNow()
    wutils.reset_wifi(self.dut)

  ### Tests ###

  @test_tracker_info(uuid="404c6165-6e23-4ec1-bc2c-9dfdd5c7dc87")
  def test_connect_to_wpa3_enterprise_ec2(self):
    asserts.skip_if(
        self.dut.build_info["build_id"].startswith("R"),
        "No SL4A support for EC certs in R builds. Skipping this testcase")
    config = {
        Ent.EAP: int(EAP.TLS),
        Ent.CA_CERT: self.ec2_ca_cert,
        WifiEnums.SSID_KEY: self.wpa3_ec2_network[WifiEnums.SSID_KEY],
        Ent.CLIENT_CERT: self.ec2_client_cert,
        Ent.PRIVATE_KEY_ID: self.ec2_client_key,
        WifiEnums.SECURITY: WPA3_SECURITY,
        "identity": self.wpa3_ec2_network["identity"],
        "domain_suffix_match": self.wpa3_ec2_network["domain"],
        "cert_algo": self.wpa3_ec2_network["cert_algo"]
    }
    wutils.connect_to_wifi_network(self.dut, config)

  @test_tracker_info(uuid="b6d22585-f7c1-418d-bd4b-b627af8c228c")
  def test_connect_to_wpa3_enterprise_rsa3072(self):
    config = {
        Ent.EAP: int(EAP.TLS),
        Ent.CA_CERT: self.rsa3072_ca_cert,
        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
        Ent.CLIENT_CERT: self.rsa3072_client_cert,
        Ent.PRIVATE_KEY_ID: self.rsa3072_client_key,
        WifiEnums.SECURITY: WPA3_SECURITY,
        "identity": self.wpa3_rsa3072_network["identity"],
        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]
    }
    # Synology AP is slow in sending out IP address after the connection.
    # Increasing the wait time to receive IP address to 60s from 15s.
    wutils.connect_to_wifi_network(self.dut, config, check_connectivity=False)
    wutils.validate_connection(self.dut, wait_time=60)

  @test_tracker_info(uuid="4779c662-1925-4c26-a4d6-3d729393796e")
  def test_connect_to_wpa3_enterprise_insecure_rsa_cert(self):
    config = {
        Ent.EAP: int(EAP.TLS),
        Ent.CA_CERT: self.rsa3072_ca_cert,
        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
        Ent.CLIENT_CERT: self.rsa2048_client_cert,
        Ent.PRIVATE_KEY_ID: self.rsa2048_client_key,
        WifiEnums.SECURITY: WPA3_SECURITY,
        "identity": self.wpa3_rsa3072_network["identity"],
        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]
    }
    logcat_msg = "E WifiKeyStore: Invalid certificate type for Suite-B"
    try:
      wutils.connect_to_wifi_network(self.dut, config)
      asserts.fail("WPA3 Ent worked with insecure RSA key. Expected to fail.")
    except:
      logcat_search = self.dut.search_logcat(logcat_msg)
      self.log.info("Logcat search results: %s" % logcat_search)
      asserts.assert_true(logcat_search, "No valid error msg in logcat")

  @test_tracker_info(uuid="897957f3-de25-4f9e-b6fc-9d7798ea1e6f")
  def test_connect_to_wpa3_enterprise_expired_rsa_cert(self):
    config = {
        Ent.EAP: int(EAP.TLS),
        Ent.CA_CERT: self.rsa3072_ca_cert,
        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
        Ent.CLIENT_CERT: self.rsa3072_client_cert_expired,
        Ent.PRIVATE_KEY_ID: self.rsa2048_client_key,
        WifiEnums.SECURITY: WPA3_SECURITY,
        "identity": self.wpa3_rsa3072_network["identity"],
        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]
    }
    logcat_msg = "E WifiKeyStore: Invalid certificate type for Suite-B"
    try:
      wutils.connect_to_wifi_network(self.dut, config)
      asserts.fail("WPA3 Ent worked with expired cert. Expected to fail.")
    except:
      logcat_search = self.dut.search_logcat(logcat_msg)
      self.log.info("Logcat search results: %s" % logcat_search)
      asserts.assert_true(logcat_search, "No valid error msg in logcat")

  @test_tracker_info(uuid="f7ab30e2-f2b5-488a-8667-e45920fc24d1")
  def test_connect_to_wpa3_enterprise_corrupted_rsa_cert(self):
    config = {
        Ent.EAP: int(EAP.TLS),
        Ent.CA_CERT: self.rsa3072_ca_cert,
        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
        Ent.CLIENT_CERT: self.rsa3072_client_cert_corrupted,
        Ent.PRIVATE_KEY_ID: self.rsa2048_client_key,
        WifiEnums.SECURITY: WPA3_SECURITY,
        "identity": self.wpa3_rsa3072_network["identity"],
        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]
    }
    try:
      wutils.connect_to_wifi_network(self.dut, config)
      asserts.fail("WPA3 Ent worked with corrupted cert. Expected to fail.")
    except:
      asserts.explicit_pass("Connection failed as expected.")

  @test_tracker_info(uuid="f934f388-dc0b-4c78-a493-026b798c15ca")
  def test_connect_to_wpa3_enterprise_unsigned_rsa_cert(self):
    config = {
        Ent.EAP: int(EAP.TLS),
        Ent.CA_CERT: self.rsa3072_ca_cert,
        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
        Ent.CLIENT_CERT: self.rsa3072_client_cert_unsigned,
        Ent.PRIVATE_KEY_ID: self.rsa3072_client_key_unsigned,
        WifiEnums.SECURITY: WPA3_SECURITY,
        "identity": self.wpa3_rsa3072_network["identity"],
        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]
    }
    try:
      wutils.connect_to_wifi_network(self.dut, config)
      asserts.fail("WPA3 Ent worked with unsigned cert. Expected to fail.")
    except:
      asserts.explicit_pass("Connection failed as expected.")

  @test_tracker_info(uuid="7082dc90-5eb8-4055-8b48-b555a98a837a")
  def test_connect_to_wpa3_enterprise_wrong_domain_rsa_cert(self):
    config = {
        Ent.EAP: int(EAP.TLS),
        Ent.CA_CERT: self.rsa3072_ca_cert,
        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
        Ent.CLIENT_CERT: self.rsa3072_client_cert,
        Ent.PRIVATE_KEY_ID: self.rsa3072_client_key,
        WifiEnums.SECURITY: WPA3_SECURITY,
        "identity": self.wpa3_rsa3072_network["identity"],
        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]+"_wrong"
    }
    try:
      wutils.connect_to_wifi_network(self.dut, config)
      asserts.fail("WPA3 Ent worked with unsigned cert. Expected to fail.")
    except:
      asserts.explicit_pass("Connection failed as expected.")

  @test_tracker_info(uuid="9ad5fd82-f115-42c3-b8e8-520144485ea1")
  def test_network_selection_status_for_wpa3_ent_wrong_domain_rsa_cert(self):
    config = {
        Ent.EAP: int(EAP.TLS),
        Ent.CA_CERT: self.rsa3072_ca_cert,
        WifiEnums.SSID_KEY: self.wpa3_rsa3072_network[WifiEnums.SSID_KEY],
        Ent.CLIENT_CERT: self.rsa3072_client_cert,
        Ent.PRIVATE_KEY_ID: self.rsa2048_client_key,
        WifiEnums.SECURITY: WPA3_SECURITY,
        "identity": self.wpa3_rsa3072_network["identity"],
        "domain_suffix_match": self.wpa3_rsa3072_network["domain"]+"_wrong"
    }
    try:
      wutils.connect_to_wifi_network(self.dut, config)
      asserts.fail("WPA3 Ent worked with corrupted cert. Expected to fail.")
    except:
      asserts.assert_true(
          self.dut.droid.wifiIsNetworkTemporaryDisabledForNetwork(config),
          "WiFi network is not temporary disabled.")
      asserts.explicit_pass(
          "Connection failed with correct network selection status.")