Merge "Add test for IkeIdentification" into rvc-dev
diff --git a/tests/cts/net/ipsec/Android.bp b/tests/cts/net/ipsec/Android.bp
index 86969c3..1d9128b 100644
--- a/tests/cts/net/ipsec/Android.bp
+++ b/tests/cts/net/ipsec/Android.bp
@@ -26,6 +26,7 @@
srcs: [
"src/**/*.java",
+ ":ike-test-utils",
],
static_libs: [
diff --git a/tests/cts/net/ipsec/assets/key/client-a-private-key.key b/tests/cts/net/ipsec/assets/key/client-a-private-key.key
new file mode 100644
index 0000000..22736e9
--- /dev/null
+++ b/tests/cts/net/ipsec/assets/key/client-a-private-key.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCv3CvrCGokJSWL
+8ufg6u9LCW4EezztbktqpC0T+1m98+Ujb8/eJ0L2UaxZ9QBSBAqXxEoeZFBeoCXu
+7ezUd5qUPfIhKLAkQTAyU/KgfhHh4i+MJK5ghPbGDE8r2gKUXOkM6M5//ZCpmu0K
+Y/9uQL6D5bkxEaoWegEO+wSXm+hTTgKDtQKHvRibgdcZkcY0cA9JsLrC/nIkP+7i
+pbBT+VTuV6gAnKIV0nq8zvI3A/Z3nAb5Gt0g3qaqs59StDT0QtuXzJkuZEo3XSrS
+jon+8NjSNzqVbJj95B7+uiH+91VEbMtJYFz2MipKvJQDK7Zlxke7LxRj2xJfksJK
+a92/ncxfAgMBAAECggEAQztaMvW5lm35J8LKsWs/5qEJRX9T8LWs8W0oqq36Riub
+G2wgvR6ndAIPcSjAYZqX7iOl7m6NZ0+0kN63HxdGqovwKIskpAekBGmhpYftED1n
+zh0r6UyMB3UnQ22KdOv8UOokIDxxdNX8728BdUYdT9Ggdkj5jLRB+VcwD0IUlNvo
+zzTpURV9HEd87uiLqd4AAHXSI0lIHI5U43z24HI/J6/YbYHT3Rlh6CIa/LuwO6vL
+gFkgqg0/oy6yJtjrHtzNVA67F0UaH62hR4YFgbC0d955SJnDidWOv/0j2DMpfdCc
+9kFAcPwUSyykvUSLnGIKWSG4D+6gzIeAeUx4oO7kMQKBgQDVNRkX8AGTHyLg+NXf
+spUWWcodwVioXl30Q7h6+4bt8OI61UbhQ7wX61wvJ1cySpa2KOYa2UdagQVhGhhL
+ADu363R77uXF/jZgzVfmjjyJ2nfDqRgHWRTlSkuq/jCOQCz7VIPHRZg5WL/9D4ms
+TAqMjpzqeMfFZI+w4/+xpcJIuQKBgQDTKBy+ZuerWrVT9icWKvLU58o5EVj/2yFy
+GJvKm+wRAAX2WzjNnR4HVd4DmMREVz1BPYby0j5gqjvtDsxYYu39+NT7JvMioLLK
+QPj+7k5geYgNqVgCxB1vP89RhY2X1RLrN9sTXOodgFPeXOQWNYITkGp3eQpx4nTJ
++K/al3oB1wKBgAjnc8nVIyuyxDEjE0OJYMKTM2a0uXAmqMPXxC+Wq5bqVXhhidlE
+i+lv0eTCPtkB1nN7F8kNQ/aaps/cWCFhvBy9P5shagUvzbOTP9WIIS0cq53HRRKh
+fMbqqGhWv05hjb9dUzeSR341n6cA7B3++v3Nwu3j52vt/DZF/1q68nc5AoGAS0SU
+ImbKE/GsizZGLoe2sZ/CHN+LKwCwhlwxRGKaHmE0vuE7eUeVSaYZEo0lAPtb8WJ+
+NRYueASWgeTxgFwbW5mUScZTirdfo+rPFwhZVdhcYApKPgosN9i2DOgfVcz1BnWN
+mPRY25U/0BaqkyQVruWeneG+kGPZn5kPDktKiVcCgYEAkzwU9vCGhm7ZVALvx/zR
+wARz2zsL9ImBc0P4DK1ld8g90FEnHrEgeI9JEwz0zFHOCMLwlk7kG0Xev7vfjZ7G
+xSqtQYOH33Qp6rtBOgdt8hSyDFvakvDl6bqhAw52gelO3MTpAB1+ZsfZ5gFx13Jf
+idNFcaIrC52PtZIH7QCzdDY=
+-----END PRIVATE KEY-----
\ No newline at end of file
diff --git a/tests/cts/net/ipsec/assets/pem/client-a-end-cert.pem b/tests/cts/net/ipsec/assets/pem/client-a-end-cert.pem
new file mode 100644
index 0000000..e82da85
--- /dev/null
+++ b/tests/cts/net/ipsec/assets/pem/client-a-end-cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIIcorRI3n29E4wDQYJKoZIhvcNAQELBQAwQTELMAkGA1UE
+BhMCVVMxEDAOBgNVBAoTB0FuZHJvaWQxIDAeBgNVBAMTF3R3by5jYS50ZXN0LmFu
+ZHJvaWQubmV0MB4XDTIwMDQxNDA1MDM0OVoXDTIzMDQxNDA1MDM0OVowRTELMAkG
+A1UEBhMCVVMxEDAOBgNVBAoTB0FuZHJvaWQxJDAiBgNVBAMTG2NsaWVudC50ZXN0
+LmlrZS5hbmRyb2lkLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AK/cK+sIaiQlJYvy5+Dq70sJbgR7PO1uS2qkLRP7Wb3z5SNvz94nQvZRrFn1AFIE
+CpfESh5kUF6gJe7t7NR3mpQ98iEosCRBMDJT8qB+EeHiL4wkrmCE9sYMTyvaApRc
+6Qzozn/9kKma7Qpj/25AvoPluTERqhZ6AQ77BJeb6FNOAoO1Aoe9GJuB1xmRxjRw
+D0mwusL+ciQ/7uKlsFP5VO5XqACcohXSerzO8jcD9necBvka3SDepqqzn1K0NPRC
+25fMmS5kSjddKtKOif7w2NI3OpVsmP3kHv66If73VURsy0lgXPYyKkq8lAMrtmXG
+R7svFGPbEl+Swkpr3b+dzF8CAwEAAaNgMF4wHwYDVR0jBBgwFoAUcqSu1uRYT/DL
+bLoDNUz38nGvCKQwJgYDVR0RBB8wHYIbY2xpZW50LnRlc3QuaWtlLmFuZHJvaWQu
+bmV0MBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQCa53tK
+I9RM9/MutZ5KNG2Gfs2cqaPyv8ZRhs90HDWZhkFVu7prywJAxOd2hxxHPsvgurio
+4bKAxnT4EXevgz5YoCbj2TPIL9TdFYh59zZ97XXMxk+SRdypgF70M6ETqKPs3hDP
+ZRMMoHvvYaqaPvp4StSBX9A44gSyjHxVYJkrjDZ0uffKg5lFL5IPvqfdmSRSpGab
+SyGTP4OLTy0QiNV3pBsJGdl0h5BzuTPR9OTl4xgeqqBQy2bDjmfJBuiYyCSCkPi7
+T3ohDYCymhuSkuktHPNG1aKllUJaw0tuZuNydlgdAveXPYfM36uvK0sfd9qr9pAy
+rmkYV2MAWguFeckh
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/tests/cts/net/ipsec/assets/pem/client-a-intermediate-ca-one.pem b/tests/cts/net/ipsec/assets/pem/client-a-intermediate-ca-one.pem
new file mode 100644
index 0000000..707e575
--- /dev/null
+++ b/tests/cts/net/ipsec/assets/pem/client-a-intermediate-ca-one.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIIIbjMyRn2770wDQYJKoZIhvcNAQELBQAwQjELMAkGA1UE
+BhMCVVMxEDAOBgNVBAoTB0FuZHJvaWQxITAfBgNVBAMTGHJvb3QuY2EudGVzdC5h
+bmRyb2lkLm5ldDAeFw0xOTA5MzAxODQzMThaFw0yNDA5MjgxODQzMThaMEExCzAJ
+BgNVBAYTAlVTMRAwDgYDVQQKEwdBbmRyb2lkMSAwHgYDVQQDExdvbmUuY2EudGVz
+dC5hbmRyb2lkLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKNN
+sRr5Z30rAEw2jrAh/BIekbEy/MvOucAr1w0lxH71p+ybRBx5Bj7G07UGXbL659gm
+meMV6nabY4HjQXNMq22POiJBZj+U+rw34br6waljBttxCmmJac1VvgqNsSspXjRy
+NbiVQdFjyKSX0NOPcEkwANk15mZbOgJBaYYc8jQCY2G/p8eARVBTLJCy8LEwEU6j
+XRv/4eYST79qpBFc7gQQj2FLmh9oppDIvcIVBHwtd1tBoVuehRSud1o8vQRkl/HJ
+Mrwp24nO5YYhmVNSFRtBpmWMSu1KknFUwkOebINUNsKXXHebVa7cP4XIQUL8mRT3
+5X9rFJFSQJE01S3NjNMCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B
+Af8EBAMCAQYwHQYDVR0OBBYEFHK3FIm7g8dxEIwK9zMAO8EWhRYxMB8GA1UdIwQY
+MBaAFEmfqEeF14Nj91ekIpR+sVhCEoAaMA0GCSqGSIb3DQEBCwUAA4IBAQAeMlXT
+TnxZo8oz0204gKZ63RzlgDpJ7SqA3qFG+pV+TiqGfSuVkXuIdOskjxJnA9VxUzrr
+LdMTCn5e0FK6wCYjZ2GT/CD7oD3vSMkzGbLGNcNJhhDHUq8BOLPkPzz/rwQFPBSb
+zr6hsiVXphEt/psGoN7Eu9blPeQaIwMfWnaufAwF664S/3dmCRbNMWSam1qzzz8q
+jr0cDOIMa//ZIAcM16cvoBK6pFGnUmuoJYYRtfpY5MmfCWz0sCJxENIX/lxyhd7N
+FdRALA1ZP3E//Tn2vQoeFjbKaAba527RE26HgHJ9zZDo1nn8J8J/YwYRJdBWM/3S
+LYebNiMtcyB5nIkj
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/tests/cts/net/ipsec/assets/pem/client-a-intermediate-ca-two.pem b/tests/cts/net/ipsec/assets/pem/client-a-intermediate-ca-two.pem
new file mode 100644
index 0000000..39808f8
--- /dev/null
+++ b/tests/cts/net/ipsec/assets/pem/client-a-intermediate-ca-two.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZzCCAk+gAwIBAgIIKWCREnNCs+wwDQYJKoZIhvcNAQELBQAwQTELMAkGA1UE
+BhMCVVMxEDAOBgNVBAoTB0FuZHJvaWQxIDAeBgNVBAMTF29uZS5jYS50ZXN0LmFu
+ZHJvaWQubmV0MB4XDTE5MDkzMDE4NDQwMloXDTI0MDkyODE4NDQwMlowQTELMAkG
+A1UEBhMCVVMxEDAOBgNVBAoTB0FuZHJvaWQxIDAeBgNVBAMTF3R3by5jYS50ZXN0
+LmFuZHJvaWQubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxLUa
+RqkYl2m7lUmMnkooqO0DNNY1aN9r7mJc3ndYn5gjkpb3yLgOYPDNLcQerV6uWk/u
+qKudNHed2dInGonl3oxwwv7++6oUvvtrSWLDZlRg16GsdIE1Y98DSMQWkSxevYy9
+Nh6FGTdlBFQVMpiMa8qHEkrOyKsy85yCW1sgzlpGTIBwbDAqYtwe3rgbwyHwUtfy
+0EU++DBcR4ll/pDqB0OQtW5E3AOq2GH1iaGeFLKSUQ5KAbdI8y4/b8IkSDffvxcc
+kXig7S54aLrNlL/ZjQ+H4Chgjj2A5wMucd81+Fb60Udej73ICL9PpMPnXQ1+BVYd
+MJ/txjLNmrOJG9yEHQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
+/wQEAwIBBjAdBgNVHQ4EFgQUcqSu1uRYT/DLbLoDNUz38nGvCKQwHwYDVR0jBBgw
+FoAUcrcUibuDx3EQjAr3MwA7wRaFFjEwDQYJKoZIhvcNAQELBQADggEBADY461GT
+Rw0dGnD07xaGJcI0i0pV+WnGSrl1s1PAIdMYihJAqYnh10fXbFXLm2WMWVmv/pxs
+FI/xDJno+pd4mCa/sIhm63ar/Nv+lFQmcpIlvSlKnhhV4SLNBeqbVhPBGTCHfrG4
+aIyCwm1KJsnkWbf03crhSskR/2CXIjX6lcAy7K3fE2u1ELpAdH0kMJR7VXkLFLUm
+gqe9YCluR0weMpe2sCaOGzdVzQSmMMCzGP5cxeFR5U6K40kMOpiW11JNmQ06xI/m
+YVkMNwoiV/ITT0/C/g9FxJmkO0mVSLEqxaLS/hNiQNDlroVM0rbxhzviXLI3R3AO
+50VvlOQYGxWed/I=
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/tests/cts/net/ipsec/assets/pem/server-a-self-signed-ca.pem b/tests/cts/net/ipsec/assets/pem/server-a-self-signed-ca.pem
new file mode 100644
index 0000000..972fd55
--- /dev/null
+++ b/tests/cts/net/ipsec/assets/pem/server-a-self-signed-ca.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSDCCAjCgAwIBAgIITJQJ6HC1rjwwDQYJKoZIhvcNAQELBQAwQjELMAkGA1UE
+BhMCVVMxEDAOBgNVBAoTB0FuZHJvaWQxITAfBgNVBAMTGHJvb3QuY2EudGVzdC5h
+bmRyb2lkLm5ldDAeFw0xOTA5MzAxNzU1NTJaFw0yOTA5MjcxNzU1NTJaMEIxCzAJ
+BgNVBAYTAlVTMRAwDgYDVQQKEwdBbmRyb2lkMSEwHwYDVQQDExhyb290LmNhLnRl
+c3QuYW5kcm9pZC5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCT
+q3hGF+JvLaB1xW7KGKmaxiQ7BxX2Sn7cbp7ggoVYXsFlBUuPPv3+Vg5PfPCPhsJ8
+/7w4HyKo3uc/vHs5HpQ7rSd9blhAkfmJci2ULLq73FB8Mix4CzPwMx29RrN1X9bU
+z4G0vJMczIBGxbZ0uw7n8bKcXBV7AIeax+J8lseEZ3k8iSuBkUJqGIpPFKTqByFZ
+A1Lvt47xkON5SZh6c/Oe+o6291wXaCOJUSAKv6PAWZkq9HeD2fqKA/ck9dBaz1M3
+YvzQ9V/7so3/dECjAfKia388h1I6XSGNUM+d5hpxMXpAFgG42eUXHpJ10OjDvSwd
+7ZSC91/kRQewUomEKBK1AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P
+AQH/BAQDAgEGMB0GA1UdDgQWBBRJn6hHhdeDY/dXpCKUfrFYQhKAGjANBgkqhkiG
+9w0BAQsFAAOCAQEAig/94aGfHBhZuvbbhwAK4rUNpizmR567u0ZJ+QUEKyAlo9lT
+ZWYHSm7qTAZYvPEjzTQIptnAlxCHePXh3Cfwgo+r82lhG2rcdI03iRyvHWjM8gyk
+BXCJTi0Q08JHHpTP6GnAqpz58qEIFkk8P766zNXdhYrGPOydF+p7MFcb1Zv1gum3
+zmRLt0XUAMfjPUv1Bl8kTKFxH5lkMBLR1E0jnoJoTTfgRPrf9CuFSoh48n7YhoBT
+KV75xZY8b8+SuB0v6BvQmkpKZGoxBjuVsShyG7q1+4JTAtwhiP7BlkDvVkaBEi7t
+WIMFp2r2ZDisHgastNaeYFyzHYz9g1FCCrHQ4w==
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionParamsTest.java b/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionParamsTest.java
index 91ef778..6fc7cb3 100644
--- a/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionParamsTest.java
+++ b/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionParamsTest.java
@@ -17,16 +17,23 @@
package android.net.ipsec.ike.cts;
import static android.net.ipsec.ike.IkeSessionParams.IKE_OPTION_ACCEPT_ANY_REMOTE_ID;
+import static android.net.ipsec.ike.IkeSessionParams.IKE_OPTION_EAP_ONLY_AUTH;
import static android.net.ipsec.ike.IkeSessionParams.IkeAuthConfig;
+import static android.net.ipsec.ike.IkeSessionParams.IkeAuthDigitalSignLocalConfig;
+import static android.net.ipsec.ike.IkeSessionParams.IkeAuthDigitalSignRemoteConfig;
+import static android.net.ipsec.ike.IkeSessionParams.IkeAuthEapConfig;
import static android.net.ipsec.ike.IkeSessionParams.IkeAuthPskConfig;
import static android.system.OsConstants.AF_INET;
import static android.system.OsConstants.AF_INET6;
+import static android.telephony.TelephonyManager.APPTYPE_USIM;
import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+import android.net.eap.EapSessionConfig;
import android.net.ipsec.ike.IkeFqdnIdentification;
import android.net.ipsec.ike.IkeIdentification;
import android.net.ipsec.ike.IkeSaProposal;
@@ -37,13 +44,20 @@
import androidx.test.ext.junit.runners.AndroidJUnit4;
+import com.android.internal.net.ipsec.ike.testutils.CertUtils;
+
+import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import java.net.InetAddress;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPrivateKey;
import java.util.Arrays;
+import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
+import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
@@ -76,6 +90,39 @@
private static final IkeIdentification LOCAL_ID = new IkeFqdnIdentification(LOCAL_HOSTNAME);
private static final IkeIdentification REMOTE_ID = new IkeFqdnIdentification(REMOTE_HOSTNAME);
+ private static final EapSessionConfig EAP_ALL_METHODS_CONFIG =
+ createEapOnlySafeMethodsBuilder()
+ .setEapMsChapV2Config(EAP_MSCHAPV2_USERNAME, EAP_MSCHAPV2_PASSWORD)
+ .build();
+ private static final EapSessionConfig EAP_ONLY_SAFE_METHODS_CONFIG =
+ createEapOnlySafeMethodsBuilder().build();
+
+ private X509Certificate mServerCaCert;
+ private X509Certificate mClientEndCert;
+ private X509Certificate mClientIntermediateCaCertOne;
+ private X509Certificate mClientIntermediateCaCertTwo;
+ private RSAPrivateKey mClientPrivateKey;
+
+ @Before
+ public void setUp() throws Exception {
+ mServerCaCert = CertUtils.createCertFromPemFile("server-a-self-signed-ca.pem");
+ mClientEndCert = CertUtils.createCertFromPemFile("client-a-end-cert.pem");
+ mClientIntermediateCaCertOne =
+ CertUtils.createCertFromPemFile("client-a-intermediate-ca-one.pem");
+ mClientIntermediateCaCertTwo =
+ CertUtils.createCertFromPemFile("client-a-intermediate-ca-two.pem");
+ mClientPrivateKey = CertUtils.createRsaPrivateKeyFromKeyFile("client-a-private-key.key");
+ }
+
+ private static EapSessionConfig.Builder createEapOnlySafeMethodsBuilder() {
+ return new EapSessionConfig.Builder()
+ .setEapIdentity(EAP_IDENTITY)
+ .setEapSimConfig(SUB_ID, APPTYPE_USIM)
+ .setEapAkaConfig(SUB_ID, APPTYPE_USIM)
+ .setEapAkaPrimeConfig(
+ SUB_ID, APPTYPE_USIM, NETWORK_NAME, true /* allowMismatchedNetworkNames */);
+ }
+
/**
* Create a Builder that has minimum configurations to build an IkeSessionParams.
*
@@ -112,23 +159,6 @@
assertArrayEquals(IKE_PSK, ((IkeAuthPskConfig) remoteConfig).getPsk());
}
- private void verifySpecificPcscfConfigReqs(
- HashSet<InetAddress> expectedAddresses, IkeSessionParams sessionParams) {
- Set<InetAddress> resultAddresses = new HashSet<>();
-
- for (IkeConfigRequest req : sessionParams.getConfigurationRequests()) {
- if (req instanceof ConfigRequestIpv4PcscfServer
- && ((ConfigRequestIpv4PcscfServer) req).getAddress() != null) {
- resultAddresses.add(((ConfigRequestIpv4PcscfServer) req).getAddress());
- } else if (req instanceof ConfigRequestIpv6PcscfServer
- && ((ConfigRequestIpv6PcscfServer) req).getAddress() != null) {
- resultAddresses.add(((ConfigRequestIpv6PcscfServer) req).getAddress());
- }
- }
-
- assertEquals(expectedAddresses, resultAddresses);
- }
-
@Test
public void testBuildWithMinimumSet() throws Exception {
IkeSessionParams sessionParams = createIkeParamsBuilderMinimum().build();
@@ -232,22 +262,39 @@
assertFalse(sessionParams.hasIkeOption(IKE_OPTION_ACCEPT_ANY_REMOTE_ID));
}
- @Test
- public void testBuildWithPsk() throws Exception {
- IkeSessionParams sessionParams =
- new IkeSessionParams.Builder(sContext)
- .setNetwork(sTunNetwork)
- .setServerHostname(IPV4_ADDRESS_REMOTE.getHostAddress())
- .addSaProposal(SA_PROPOSAL)
- .setLocalIdentification(LOCAL_ID)
- .setRemoteIdentification(REMOTE_ID)
- .setAuthPsk(IKE_PSK)
- .build();
+ /**
+ * Create a Builder that has minimum configurations to build an IkeSessionParams, except for
+ * authentication method.
+ */
+ private IkeSessionParams.Builder createIkeParamsBuilderMinimumWithoutAuth() {
+ return new IkeSessionParams.Builder(sContext)
+ .setNetwork(sTunNetwork)
+ .setServerHostname(IPV4_ADDRESS_REMOTE.getHostAddress())
+ .addSaProposal(SA_PROPOSAL)
+ .setLocalIdentification(LOCAL_ID)
+ .setRemoteIdentification(REMOTE_ID);
+ }
+
+ /**
+ * Verify the minimum configurations to build an IkeSessionParams, except for authentication
+ * method.
+ *
+ * @see #createIkeParamsBuilderMinimumWithoutAuth
+ */
+ private void verifyIkeParamsMinimumWithoutAuth(IkeSessionParams sessionParams) {
assertEquals(sTunNetwork, sessionParams.getNetwork());
assertEquals(IPV4_ADDRESS_REMOTE.getHostAddress(), sessionParams.getServerHostname());
assertEquals(Arrays.asList(SA_PROPOSAL), sessionParams.getSaProposals());
assertEquals(LOCAL_ID, sessionParams.getLocalIdentification());
assertEquals(REMOTE_ID, sessionParams.getRemoteIdentification());
+ }
+
+ @Test
+ public void testBuildWithPsk() throws Exception {
+ IkeSessionParams sessionParams =
+ createIkeParamsBuilderMinimumWithoutAuth().setAuthPsk(IKE_PSK).build();
+
+ verifyIkeParamsMinimumWithoutAuth(sessionParams);
IkeAuthConfig localConfig = sessionParams.getLocalAuthConfig();
assertTrue(localConfig instanceof IkeAuthPskConfig);
@@ -257,6 +304,102 @@
assertArrayEquals(IKE_PSK, ((IkeAuthPskConfig) remoteConfig).getPsk());
}
- // TODO(b/148689509): Add tests for building IkeSessionParams using EAP and
- // digital-signature-based authentication
+ @Test
+ public void testBuildWithEap() throws Exception {
+ IkeSessionParams sessionParams =
+ createIkeParamsBuilderMinimumWithoutAuth()
+ .setAuthEap(mServerCaCert, EAP_ALL_METHODS_CONFIG)
+ .build();
+
+ verifyIkeParamsMinimumWithoutAuth(sessionParams);
+
+ IkeAuthConfig localConfig = sessionParams.getLocalAuthConfig();
+ assertTrue(localConfig instanceof IkeAuthEapConfig);
+ assertEquals(EAP_ALL_METHODS_CONFIG, ((IkeAuthEapConfig) localConfig).getEapConfig());
+ IkeAuthConfig remoteConfig = sessionParams.getRemoteAuthConfig();
+ assertTrue(remoteConfig instanceof IkeAuthDigitalSignRemoteConfig);
+ assertEquals(
+ mServerCaCert, ((IkeAuthDigitalSignRemoteConfig) remoteConfig).getRemoteCaCert());
+ }
+
+ @Test
+ public void testBuildWithEapOnlyAuth() throws Exception {
+ IkeSessionParams sessionParams =
+ createIkeParamsBuilderMinimumWithoutAuth()
+ .setAuthEap(mServerCaCert, EAP_ONLY_SAFE_METHODS_CONFIG)
+ .addIkeOption(IKE_OPTION_EAP_ONLY_AUTH)
+ .build();
+
+ assertTrue(sessionParams.hasIkeOption(IKE_OPTION_EAP_ONLY_AUTH));
+ verifyIkeParamsMinimumWithoutAuth(sessionParams);
+
+ IkeAuthConfig localConfig = sessionParams.getLocalAuthConfig();
+ assertTrue(localConfig instanceof IkeAuthEapConfig);
+ assertEquals(EAP_ONLY_SAFE_METHODS_CONFIG, ((IkeAuthEapConfig) localConfig).getEapConfig());
+ IkeAuthConfig remoteConfig = sessionParams.getRemoteAuthConfig();
+ assertTrue(remoteConfig instanceof IkeAuthDigitalSignRemoteConfig);
+ assertEquals(
+ mServerCaCert, ((IkeAuthDigitalSignRemoteConfig) remoteConfig).getRemoteCaCert());
+ }
+
+ @Test
+ public void testThrowBuildEapOnlyAuthWithUnsafeMethod() throws Exception {
+ try {
+ IkeSessionParams sessionParams =
+ createIkeParamsBuilderMinimumWithoutAuth()
+ .setAuthEap(mServerCaCert, EAP_ALL_METHODS_CONFIG)
+ .addIkeOption(IKE_OPTION_EAP_ONLY_AUTH)
+ .build();
+ fail("Expected to fail because EAP only unsafe method is proposed");
+ } catch (IllegalArgumentException expected) {
+ }
+ }
+
+ @Test
+ public void testBuildWithDigitalSignature() throws Exception {
+ IkeSessionParams sessionParams =
+ createIkeParamsBuilderMinimumWithoutAuth()
+ .setAuthDigitalSignature(mServerCaCert, mClientEndCert, mClientPrivateKey)
+ .build();
+
+ verifyIkeParamsMinimumWithoutAuth(sessionParams);
+
+ IkeAuthConfig localConfig = sessionParams.getLocalAuthConfig();
+ assertTrue(localConfig instanceof IkeAuthDigitalSignLocalConfig);
+ IkeAuthDigitalSignLocalConfig localSignConfig = (IkeAuthDigitalSignLocalConfig) localConfig;
+ assertEquals(mClientEndCert, localSignConfig.getClientEndCertificate());
+ assertEquals(Collections.EMPTY_LIST, localSignConfig.getIntermediateCertificates());
+ assertEquals(mClientPrivateKey, localSignConfig.getPrivateKey());
+
+ IkeAuthConfig remoteConfig = sessionParams.getRemoteAuthConfig();
+ assertTrue(remoteConfig instanceof IkeAuthDigitalSignRemoteConfig);
+ assertEquals(
+ mServerCaCert, ((IkeAuthDigitalSignRemoteConfig) remoteConfig).getRemoteCaCert());
+ }
+
+ @Test
+ public void testBuildWithDigitalSignatureAndIntermediateCerts() throws Exception {
+ List<X509Certificate> intermediateCerts =
+ Arrays.asList(mClientIntermediateCaCertOne, mClientIntermediateCaCertTwo);
+
+ IkeSessionParams sessionParams =
+ createIkeParamsBuilderMinimumWithoutAuth()
+ .setAuthDigitalSignature(
+ mServerCaCert, mClientEndCert, intermediateCerts, mClientPrivateKey)
+ .build();
+
+ verifyIkeParamsMinimumWithoutAuth(sessionParams);
+
+ IkeAuthConfig localConfig = sessionParams.getLocalAuthConfig();
+ assertTrue(localConfig instanceof IkeAuthDigitalSignLocalConfig);
+ IkeAuthDigitalSignLocalConfig localSignConfig = (IkeAuthDigitalSignLocalConfig) localConfig;
+ assertEquals(mClientEndCert, localSignConfig.getClientEndCertificate());
+ assertEquals(intermediateCerts, localSignConfig.getIntermediateCertificates());
+ assertEquals(mClientPrivateKey, localSignConfig.getPrivateKey());
+
+ IkeAuthConfig remoteConfig = sessionParams.getRemoteAuthConfig();
+ assertTrue(remoteConfig instanceof IkeAuthDigitalSignRemoteConfig);
+ assertEquals(
+ mServerCaCert, ((IkeAuthDigitalSignRemoteConfig) remoteConfig).getRemoteCaCert());
+ }
}
diff --git a/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeTestBase.java b/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeTestBase.java
index 0847744..bc2bec6 100644
--- a/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeTestBase.java
+++ b/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeTestBase.java
@@ -49,6 +49,12 @@
static final String LOCAL_RFC822_NAME = "client.test.ike@example.com";
static final byte[] LOCAL_KEY_ID = "Local Key ID".getBytes();
+ static final int SUB_ID = 1;
+ static final byte[] EAP_IDENTITY = "test@android.net".getBytes();
+ static final String NETWORK_NAME = "android.net";
+ static final String EAP_MSCHAPV2_USERNAME = "username";
+ static final String EAP_MSCHAPV2_PASSWORD = "password";
+
static final Inet4Address IPV4_ADDRESS_LOCAL =
(Inet4Address) (InetAddresses.parseNumericAddress("192.0.2.100"));
static final Inet4Address IPV4_ADDRESS_REMOTE =