Allow configuring WiFi with KeyChain keys

Bug: 187808221
Test: manual
Change-Id: I3c802d384bb5b85c451ae5d2dd3849280604d17c

Author: Pavel Grafov

app/src/main/java/com/afwsamples/testdpc/policy/wifimanagement/WifiEapTlsCreateDialogFragment.java

@@ -1,22 +1,29 @@
 package com.afwsamples.testdpc.policy.wifimanagement;
 
+import static com.afwsamples.testdpc.common.Util.SDK_INT;
+
 import android.app.Activity;
 import android.app.AlertDialog;
 import android.app.Dialog;
 import android.app.DialogFragment;
+import android.app.admin.DevicePolicyManager;
 import android.content.ActivityNotFoundException;
 import android.content.DialogInterface;
 import android.content.Intent;
 import android.database.Cursor;
 import android.net.Uri;
 import android.net.wifi.WifiConfiguration;
 import android.net.wifi.WifiEnterpriseConfig;
+import android.os.Build.VERSION_CODES;
 import android.os.Bundle;
 import android.provider.MediaStore;
+import android.security.KeyChain;
+import android.security.KeyChainAliasCallback;
 import android.text.TextUtils;
 import android.util.Log;
 import android.view.LayoutInflater;
 import android.view.View;
+import android.widget.Button;
 import android.widget.EditText;
 import android.widget.TextView;
 import android.widget.Toast;
@@ -28,7 +35,6 @@
 import java.io.InputStream;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
 import java.security.UnrecoverableKeyException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
@@ -45,9 +51,12 @@ public class WifiEapTlsCreateDialogFragment extends DialogFragment {
     private final static String ARG_CONFIG = "config";
     private static final String TAG = "wifi_eap_tls";
 
+    private DevicePolicyManager mDpm;
+
     private WifiConfiguration mWifiConfiguration;
     private Uri mCaCertUri;
     private Uri mUserCertUri;
+    private String mUserCertAlias;
 
     private EditText mSsidEditText;
     private TextView mCaCertTextView;
@@ -66,6 +75,7 @@ public static WifiEapTlsCreateDialogFragment newInstance(WifiConfiguration confi
     @Override
     public void onCreate(Bundle savedInstanceState) {
         super.onCreate(savedInstanceState);
+        mDpm = getActivity().getSystemService(DevicePolicyManager.class);
         mWifiConfiguration = getArguments().getParcelable(ARG_CONFIG);
         if (mWifiConfiguration == null) {
             mWifiConfiguration = new WifiConfiguration();
@@ -76,10 +86,19 @@ public void onCreate(Bundle savedInstanceState) {
     public Dialog onCreateDialog(Bundle savedInstanceState) {
         LayoutInflater inflater = LayoutInflater.from(getActivity());
         View rootView = inflater.inflate(R.layout.eap_tls_wifi_config_dialog, null);
+
         rootView.findViewById(R.id.import_ca_cert).setOnClickListener(
                 new ImportButtonOnClickListener(REQUEST_CA_CERT, "application/x-x509-ca-cert"));
         rootView.findViewById(R.id.import_user_cert).setOnClickListener(
                 new ImportButtonOnClickListener(REQUEST_USER_CERT, "application/x-pkcs12"));
+
+        final Button selectUserCertButton = rootView.findViewById(R.id.select_user_cert);
+        if (SDK_INT >= VERSION_CODES.S) {
+            selectUserCertButton.setOnClickListener(this::onSelectClientCertClicked);
+        } else {
+            // KeyChain keys aren't supported.
+            selectUserCertButton.setVisibility(View.GONE);
+        }
         mCaCertTextView = (TextView) rootView.findViewById(R.id.selected_ca_cert);
         mUserCertTextView = (TextView) rootView.findViewById(R.id.selected_user_cert);
         mSsidEditText = (EditText) rootView.findViewById(R.id.ssid);
@@ -110,6 +129,20 @@ public void onClick(View view) {
         return dialog;
     }
 
+    private void onSelectClientCertClicked(View view) {
+        KeyChain.choosePrivateKeyAlias(getActivity(), alias -> {
+            if (alias == null) {
+                // No value was chosen.
+                return;
+            }
+            mUserCertAlias = alias;
+            mUserCertUri = null;
+
+            getActivity().runOnUiThread(() ->
+                    updateSelectedCert(mUserCertTextView, /* uri= */ null, alias));
+        }, /* keyTypes[] */ null, /* issuers[] */ null, /* uri */ null, /* alias */ null);
+    }
+
     private void populateUi() {
         if (mWifiConfiguration == null) {
             return;
@@ -119,8 +152,8 @@ private void populateUi() {
         }
         mIdentityEditText.setText(mWifiConfiguration.enterpriseConfig.getIdentity());
         // Both ca cert and client are not populated in the WifiConfiguration object.
-        updateSelectedCert(mCaCertTextView, null);
-        updateSelectedCert(mUserCertTextView, null);
+        updateSelectedCert(mCaCertTextView, null, null);
+        updateSelectedCert(mUserCertTextView, null, null);
     }
 
     private boolean extractInputDataAndSave() {
@@ -131,31 +164,18 @@ private boolean extractInputDataAndSave() {
         } else {
             mSsidEditText.setError(null);
         }
-        if (mCaCertUri == null) {
-            showToast(R.string.error_missing_ca_cert);
-            return false;
-        }
-        if (mUserCertUri == null) {
-            showToast(R.string.error_missing_client_cert);
-            return false;
-        }
-        X509Certificate caCert = parseX509Certificate(mCaCertUri);
-        String certPassword = mCertPasswordEditText.getText().toString();
-        CertificateUtil.PKCS12ParseInfo parseInfo = null;
-        try {
-            parseInfo = CertificateUtil.parsePKCS12Certificate(
-                    getActivity().getContentResolver(), mUserCertUri, certPassword);
-        } catch (KeyStoreException | NoSuchAlgorithmException | IOException |
-                CertificateException | UnrecoverableKeyException e) {
-            Log.e(TAG, "Fail to parse the input certificate: ", e);
-        }
-        if (parseInfo == null) {
-            showToast(R.string.error_missing_client_cert);
+
+        mWifiConfiguration.SSID = ssid;
+        mWifiConfiguration.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.WPA_EAP);
+        mWifiConfiguration.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.IEEE8021X);
+
+        mWifiConfiguration.enterpriseConfig = extractEnterpriseConfig();
+
+        if (mWifiConfiguration.enterpriseConfig == null) {
             return false;
         }
-        String identity = mIdentityEditText.getText().toString();
-        boolean success = saveWifiConfiguration(ssid, caCert, parseInfo.privateKey,
-                parseInfo.certificate, identity);
+
+        boolean success = WifiConfigUtil.saveWifiConfiguration(getActivity(), mWifiConfiguration);
         if (success) {
             showToast(R.string.wifi_configs_header);
             return true;
@@ -165,20 +185,48 @@ private boolean extractInputDataAndSave() {
         return false;
     }
 
-    private boolean saveWifiConfiguration(String ssid, X509Certificate caCert,
-            PrivateKey privateKey, X509Certificate userCert, String identity) {
-        mWifiConfiguration.SSID = ssid;
-        mWifiConfiguration.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.WPA_EAP);
-        mWifiConfiguration.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.IEEE8021X);
-        WifiEnterpriseConfig enterpriseConfig = new WifiEnterpriseConfig();
-        enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TLS);
-        enterpriseConfig.setCaCertificate(caCert);
-        enterpriseConfig.setClientKeyEntry(privateKey, userCert);
+    private WifiEnterpriseConfig extractEnterpriseConfig() {
+        WifiEnterpriseConfig config = new WifiEnterpriseConfig();
+        config.setEapMethod(WifiEnterpriseConfig.Eap.TLS);
+        String identity = mIdentityEditText.getText().toString();
+
         if (!TextUtils.isEmpty(identity)) {
-            enterpriseConfig.setIdentity(identity);
+            config.setIdentity(identity);
+        }
+
+        if (mCaCertUri == null) {
+            showToast(R.string.error_missing_ca_cert);
+            return null;
         }
-        mWifiConfiguration.enterpriseConfig = enterpriseConfig;
-        return WifiConfigUtil.saveWifiConfiguration(getActivity(), mWifiConfiguration);
+        config.setCaCertificate(parseX509Certificate(mCaCertUri));
+
+        if (mUserCertUri != null) {
+            final String certPassword = mCertPasswordEditText.getText().toString();
+            CertificateUtil.PKCS12ParseInfo parseInfo = null;
+            try {
+                parseInfo = CertificateUtil.parsePKCS12Certificate(
+                        getActivity().getContentResolver(), mUserCertUri, certPassword);
+            } catch (KeyStoreException | NoSuchAlgorithmException | IOException |
+                    CertificateException | UnrecoverableKeyException e) {
+                Log.e(TAG, "Fail to parse the input certificate: ", e);
+            }
+            if (parseInfo == null) {
+                showToast(R.string.error_missing_client_cert);
+                return null;
+            }
+            config.setClientKeyEntry(parseInfo.privateKey, parseInfo.certificate);
+        } else if (mUserCertAlias != null) {
+            if (!mDpm.grantKeyPairToWifiAuth(mUserCertAlias)) {
+                showToast(R.string.error_cannot_grant_to_wifi);
+                return null;
+            }
+            config.setClientKeyPairAlias(mUserCertAlias);
+        } else {
+            showToast(R.string.error_missing_client_cert);
+            return null;
+        }
+
+        return config;
     }
 
     /**
@@ -217,28 +265,26 @@ public void onClick(View view) {
         }
     }
 
-    private void updateSelectedCert(TextView textView, Uri uri) {
-        String displayName = null;
-        if (uri == null) {
-            displayName = getString(R.string.selected_certificate_none);
-        } else {
+    private void updateSelectedCert(TextView textView, Uri uri, String alias) {
+        final String selectedText;
+        if (uri != null) {
+            String displayName = null;
             final String[] projection = {MediaStore.MediaColumns.DISPLAY_NAME};
-            Cursor cursor = getActivity().getContentResolver().query(uri, projection,
-                    null, null, null);
-            if (cursor != null) {
-                try {
-                    if (cursor.moveToFirst()) {
-                        displayName = cursor.getString(0);
-                    }
-                } finally {
-                    cursor.close();
+            try (Cursor cursor = getActivity().getContentResolver().query(
+                    uri, projection, null, null, null)) {
+                if (cursor != null && cursor.moveToFirst()) {
+                    displayName = cursor.getString(0);
                 }
             }
-            if (TextUtils.isEmpty(getString(R.string.wifi_unknown_cert))) {
+            if (TextUtils.isEmpty(displayName)) {
                 displayName = getString(R.string.wifi_unknown_cert);
             }
+            selectedText = getString(R.string.selected_certificate, displayName);
+        } else if (alias != null) {
+            selectedText = getString(R.string.selected_keychain_certificate, alias);
+        } else {
+            selectedText = getString(R.string.selected_certificate_none);
         }
-        String selectedText = getString(R.string.selected_certificate, displayName);
         textView.setText(selectedText);
     }
 
@@ -252,11 +298,12 @@ public void onActivityResult(int requestCode, int resultCode, Intent intent) {
             switch (requestCode) {
                 case REQUEST_CA_CERT:
                     mCaCertUri = intent.getData();
-                    updateSelectedCert(mCaCertTextView, mCaCertUri);
+                    updateSelectedCert(mCaCertTextView, mCaCertUri, /* alias= */ null);
                     break;
                 case REQUEST_USER_CERT:
                     mUserCertUri = intent.getData();
-                    updateSelectedCert(mUserCertTextView, mUserCertUri);
+                    mUserCertAlias = null;
+                    updateSelectedCert(mUserCertTextView, mUserCertUri, /* alias= */ null);
                     break;
             }
         }

app/src/main/res/layout/eap_tls_wifi_config_dialog.xml

@@ -76,6 +76,11 @@
                     android:layout_width="wrap_content"
                     android:layout_height="wrap_content"
                     android:text="@string/import_user_certificate"/>
+            <Button android:id="@+id/select_user_cert"
+                    style="@style/networking_item_content"
+                    android:layout_width="wrap_content"
+                    android:layout_height="wrap_content"
+                    android:text="@string/select_user_certificate"/>
             <TextView
                     android:id="@+id/selected_user_cert"
                     style="@style/networking_item_label"

app/src/main/res/values/strings.xml

@@ -344,11 +344,14 @@
     <string name="wifi_client_cert_password">Client certificate password (if any)</string>
     <string name="import_ca_certificate">Import CA certificate</string>
     <string name="import_user_certificate">Import user certificate</string>
+    <string name="select_user_certificate">Select user certificate</string>
     <string name="selected_certificate">Selected certificate: <xliff:g example="server certificate" id="certificate_alias">%1$s</xliff:g></string>
-    <string name="selected_certificate_none">None</string>
+    <string name="selected_keychain_certificate">Selected KeyChain alias: <xliff:g example="somealias" id="certificate_alias">%1$s</xliff:g></string>
+    <string name="selected_certificate_none">No certificate selected</string>
     <string name="error_missing_ssid">Missing SSID</string>
     <string name="error_missing_ca_cert">Missing CA cert</string>
     <string name="error_missing_client_cert">Missing client cert or invalid cert password</string>
+    <string name="error_cannot_grant_to_wifi">Failed to allow Wi-Fi auth with client key pair</string>
     <string name="wifi_eap_tls_dialog_message">EAP_TLS with X.509 CA certificate and PKCS12 client certificate</string>
     <string name="wifi_unknown_cert">Unknown cert</string>