Search in sources :

Example 6 with HTTPHandler

use of com.android.hotspot2.osu.HTTPHandler in project android_frameworks_base by AOSPA.

the class OSUClient method provision.

public void provision(OSUManager osuManager, Network network, KeyManager km) throws IOException, GeneralSecurityException {
    try (HTTPHandler httpHandler = new HTTPHandler(StandardCharsets.UTF_8, OSUSocketFactory.getSocketFactory(mKeyStore, null, OSUManager.FLOW_PROVISIONING, network, mURL, km, true))) {
        SPVerifier spVerifier = new SPVerifier(mOSUInfo);
        spVerifier.verify(httpHandler.getOSUCertificate(mURL));
        URL redirectURL = osuManager.prepareUserInput(mOSUInfo.getName(Locale.getDefault()));
        OMADMAdapter omadmAdapter = osuManager.getOMADMAdapter();
        String regRequest = SOAPBuilder.buildPostDevDataResponse(RequestReason.SubRegistration, null, redirectURL.toString(), omadmAdapter.getMO(OMAConstants.DevInfoURN), omadmAdapter.getMO(OMAConstants.DevDetailURN));
        Log.d(TAG, "Registration request: " + regRequest);
        OSUResponse osuResponse = httpHandler.exchangeSOAP(mURL, regRequest);
        Log.d(TAG, "Response: " + osuResponse);
        if (osuResponse.getMessageType() != OSUMessageType.PostDevData) {
            throw new IOException("Expected a PostDevDataResponse");
        }
        PostDevDataResponse regResponse = (PostDevDataResponse) osuResponse;
        String sessionID = regResponse.getSessionID();
        if (regResponse.getExecCommand() == ExecCommand.UseClientCertTLS) {
            ClientCertInfo ccInfo = (ClientCertInfo) regResponse.getCommandData();
            if (ccInfo.doesAcceptMfgCerts()) {
                throw new IOException("Mfg certs are not supported in Android");
            } else if (ccInfo.doesAcceptProviderCerts()) {
                ((WiFiKeyManager) km).enableClientAuth(ccInfo.getIssuerNames());
                httpHandler.renegotiate(null, null);
            } else {
                throw new IOException("Neither manufacturer nor provider cert specified");
            }
            regRequest = SOAPBuilder.buildPostDevDataResponse(RequestReason.SubRegistration, sessionID, redirectURL.toString(), omadmAdapter.getMO(OMAConstants.DevInfoURN), omadmAdapter.getMO(OMAConstants.DevDetailURN));
            osuResponse = httpHandler.exchangeSOAP(mURL, regRequest);
            if (osuResponse.getMessageType() != OSUMessageType.PostDevData) {
                throw new IOException("Expected a PostDevDataResponse");
            }
            regResponse = (PostDevDataResponse) osuResponse;
        }
        if (regResponse.getExecCommand() != ExecCommand.Browser) {
            throw new IOException("Expected a launchBrowser command");
        }
        Log.d(TAG, "Exec: " + regResponse.getExecCommand() + ", for '" + regResponse.getCommandData() + "'");
        if (!osuResponse.getSessionID().equals(sessionID)) {
            throw new IOException("Mismatching session IDs");
        }
        String webURL = ((BrowserURI) regResponse.getCommandData()).getURI();
        if (webURL == null) {
            throw new IOException("No web-url");
        } else if (!webURL.contains(sessionID)) {
            throw new IOException("Bad or missing session ID in webURL");
        }
        if (!osuManager.startUserInput(new URL(webURL), network)) {
            throw new IOException("User session failed");
        }
        Log.d(TAG, " -- Sending user input complete:");
        String userComplete = SOAPBuilder.buildPostDevDataResponse(RequestReason.InputComplete, sessionID, null, omadmAdapter.getMO(OMAConstants.DevInfoURN), omadmAdapter.getMO(OMAConstants.DevDetailURN));
        OSUResponse moResponse1 = httpHandler.exchangeSOAP(mURL, userComplete);
        if (moResponse1.getMessageType() != OSUMessageType.PostDevData) {
            throw new IOException("Bad user input complete response: " + moResponse1);
        }
        PostDevDataResponse provResponse = (PostDevDataResponse) moResponse1;
        GetCertData estData = checkResponse(provResponse);
        Map<OSUCertType, List<X509Certificate>> certs = new HashMap<>();
        PrivateKey clientKey = null;
        MOData moData;
        if (estData == null) {
            moData = (MOData) provResponse.getCommandData();
        } else {
            try (ESTHandler estHandler = new ESTHandler((GetCertData) provResponse.getCommandData(), network, osuManager.getOMADMAdapter(), km, mKeyStore, null, OSUManager.FLOW_PROVISIONING)) {
                estHandler.execute(false);
                certs.put(OSUCertType.CA, estHandler.getCACerts());
                certs.put(OSUCertType.Client, estHandler.getClientCerts());
                clientKey = estHandler.getClientKey();
            }
            Log.d(TAG, " -- Sending provisioning cert enrollment complete:");
            String certComplete = SOAPBuilder.buildPostDevDataResponse(RequestReason.CertEnrollmentComplete, sessionID, null, omadmAdapter.getMO(OMAConstants.DevInfoURN), omadmAdapter.getMO(OMAConstants.DevDetailURN));
            OSUResponse moResponse2 = httpHandler.exchangeSOAP(mURL, certComplete);
            if (moResponse2.getMessageType() != OSUMessageType.PostDevData) {
                throw new IOException("Bad cert enrollment complete response: " + moResponse2);
            }
            PostDevDataResponse provComplete = (PostDevDataResponse) moResponse2;
            if (provComplete.getStatus() != OSUStatus.ProvComplete || provComplete.getOSUCommand() != OSUCommandID.AddMO) {
                throw new IOException("Expected addMO: " + provComplete);
            }
            moData = (MOData) provComplete.getCommandData();
        }
        // !!! How can an ExchangeComplete be sent w/o knowing the fate of the certs???
        String updateResponse = SOAPBuilder.buildUpdateResponse(sessionID, null);
        Log.d(TAG, " -- Sending updateResponse:");
        OSUResponse exComplete = httpHandler.exchangeSOAP(mURL, updateResponse);
        Log.d(TAG, "exComplete response: " + exComplete);
        if (exComplete.getMessageType() != OSUMessageType.ExchangeComplete) {
            throw new IOException("Expected ExchangeComplete: " + exComplete);
        } else if (exComplete.getStatus() != OSUStatus.ExchangeComplete) {
            throw new IOException("Bad ExchangeComplete status: " + exComplete);
        }
        retrieveCerts(moData.getMOTree().getRoot(), certs, network, km, mKeyStore);
        osuManager.provisioningComplete(mOSUInfo, moData, certs, clientKey, network);
    }
}
Also used : PrivateKey(java.security.PrivateKey) HashMap(java.util.HashMap) ESTHandler(com.android.hotspot2.est.ESTHandler) IOException(java.io.IOException) OMADMAdapter(com.android.hotspot2.OMADMAdapter) URL(java.net.URL) ClientCertInfo(com.android.hotspot2.osu.commands.ClientCertInfo) MOData(com.android.hotspot2.osu.commands.MOData) BrowserURI(com.android.hotspot2.osu.commands.BrowserURI) ArrayList(java.util.ArrayList) List(java.util.List) GetCertData(com.android.hotspot2.osu.commands.GetCertData)

Example 7 with HTTPHandler

use of com.android.hotspot2.osu.HTTPHandler in project android_frameworks_base by AOSPA.

the class OSUClient method remediate.

public void remediate(OSUManager osuManager, Network network, KeyManager km, HomeSP homeSP, int flowType) throws IOException, GeneralSecurityException {
    try (HTTPHandler httpHandler = createHandler(network, homeSP, km, flowType)) {
        URL redirectURL = osuManager.prepareUserInput(homeSP.getFriendlyName());
        OMADMAdapter omadmAdapter = osuManager.getOMADMAdapter();
        String regRequest = SOAPBuilder.buildPostDevDataResponse(RequestReason.SubRemediation, null, redirectURL.toString(), omadmAdapter.getMO(OMAConstants.DevInfoURN), omadmAdapter.getMO(OMAConstants.DevDetailURN));
        OSUResponse serverResponse = httpHandler.exchangeSOAP(mURL, regRequest);
        if (serverResponse.getMessageType() != OSUMessageType.PostDevData) {
            throw new IOException("Expected a PostDevDataResponse");
        }
        String sessionID = serverResponse.getSessionID();
        PostDevDataResponse pddResponse = (PostDevDataResponse) serverResponse;
        Log.d(TAG, "Remediation response: " + pddResponse);
        Map<OSUCertType, List<X509Certificate>> certs = null;
        PrivateKey clientKey = null;
        if (pddResponse.getStatus() != OSUStatus.RemediationComplete) {
            if (pddResponse.getExecCommand() == ExecCommand.UploadMO) {
                String ulMessage = SOAPBuilder.buildPostDevDataResponse(RequestReason.MOUpload, null, redirectURL.toString(), omadmAdapter.getMO(OMAConstants.DevInfoURN), omadmAdapter.getMO(OMAConstants.DevDetailURN), osuManager.getMOTree(homeSP));
                Log.d(TAG, "Upload MO: " + ulMessage);
                OSUResponse ulResponse = httpHandler.exchangeSOAP(mURL, ulMessage);
                if (ulResponse.getMessageType() != OSUMessageType.PostDevData) {
                    throw new IOException("Expected a PostDevDataResponse to MOUpload");
                }
                pddResponse = (PostDevDataResponse) ulResponse;
            }
            if (pddResponse.getExecCommand() == ExecCommand.Browser) {
                if (flowType == OSUManager.FLOW_POLICY) {
                    throw new IOException("Browser launch requested in policy flow");
                }
                String webURL = ((BrowserURI) pddResponse.getCommandData()).getURI();
                if (webURL == null) {
                    throw new IOException("No web-url");
                } else if (!webURL.contains(sessionID)) {
                    throw new IOException("Bad or missing session ID in webURL");
                }
                if (!osuManager.startUserInput(new URL(webURL), network)) {
                    throw new IOException("User session failed");
                }
                Log.d(TAG, " -- Sending user input complete:");
                String userComplete = SOAPBuilder.buildPostDevDataResponse(RequestReason.InputComplete, sessionID, null, omadmAdapter.getMO(OMAConstants.DevInfoURN), omadmAdapter.getMO(OMAConstants.DevDetailURN));
                OSUResponse udResponse = httpHandler.exchangeSOAP(mURL, userComplete);
                if (udResponse.getMessageType() != OSUMessageType.PostDevData) {
                    throw new IOException("Bad user input complete response: " + udResponse);
                }
                pddResponse = (PostDevDataResponse) udResponse;
            } else if (pddResponse.getExecCommand() == ExecCommand.GetCert) {
                certs = new HashMap<>();
                try (ESTHandler estHandler = new ESTHandler((GetCertData) pddResponse.getCommandData(), network, osuManager.getOMADMAdapter(), km, mKeyStore, homeSP, flowType)) {
                    estHandler.execute(true);
                    certs.put(OSUCertType.CA, estHandler.getCACerts());
                    certs.put(OSUCertType.Client, estHandler.getClientCerts());
                    clientKey = estHandler.getClientKey();
                }
                if (httpHandler.isHTTPAuthPerformed()) {
                    // 8.4.3.6
                    httpHandler.renegotiate(certs, clientKey);
                }
                Log.d(TAG, " -- Sending remediation cert enrollment complete:");
                // 8.4.3.5 in the spec actually prescribes that an update URI is sent here,
                // but there is no remediation flow that defines user interaction after EST
                // so for now a null is passed.
                String certComplete = SOAPBuilder.buildPostDevDataResponse(RequestReason.CertEnrollmentComplete, sessionID, null, omadmAdapter.getMO(OMAConstants.DevInfoURN), omadmAdapter.getMO(OMAConstants.DevDetailURN));
                OSUResponse ceResponse = httpHandler.exchangeSOAP(mURL, certComplete);
                if (ceResponse.getMessageType() != OSUMessageType.PostDevData) {
                    throw new IOException("Bad cert enrollment complete response: " + ceResponse);
                }
                pddResponse = (PostDevDataResponse) ceResponse;
            } else {
                throw new IOException("Unexpected command: " + pddResponse.getExecCommand());
            }
        }
        if (pddResponse.getStatus() != OSUStatus.RemediationComplete) {
            throw new IOException("Expected a PostDevDataResponse to MOUpload");
        }
        Log.d(TAG, "Remediation response: " + pddResponse);
        List<MOData> mods = new ArrayList<>();
        for (OSUCommand command : pddResponse.getCommands()) {
            if (command.getOSUCommand() == OSUCommandID.UpdateNode) {
                mods.add((MOData) command.getCommandData());
            } else if (command.getOSUCommand() != OSUCommandID.NoMOUpdate) {
                throw new IOException("Unexpected OSU response: " + command);
            }
        }
        // 1. Machine remediation: Remediation complete + replace node
        // 2a. User remediation with upload: ExecCommand.UploadMO
        // 2b. User remediation without upload: ExecCommand.Browser
        // 3. User remediation only: -> sppPostDevData user input complete
        //
        // 4. Update node
        // 5. -> Update response
        // 6. Exchange complete
        OSUError error = null;
        String updateResponse = SOAPBuilder.buildUpdateResponse(sessionID, error);
        Log.d(TAG, " -- Sending updateResponse:");
        OSUResponse exComplete = httpHandler.exchangeSOAP(mURL, updateResponse);
        Log.d(TAG, "exComplete response: " + exComplete);
        if (exComplete.getMessageType() != OSUMessageType.ExchangeComplete) {
            throw new IOException("Expected ExchangeComplete: " + exComplete);
        } else if (exComplete.getStatus() != OSUStatus.ExchangeComplete) {
            throw new IOException("Bad ExchangeComplete status: " + exComplete);
        }
        // the network is lost and the remediation flow fails.
        try {
            osuManager.remediationComplete(homeSP, mods, certs, clientKey);
        } catch (IOException | GeneralSecurityException e) {
            osuManager.provisioningFailed(homeSP.getFriendlyName(), e.getMessage(), homeSP, OSUManager.FLOW_REMEDIATION);
            error = OSUError.CommandFailed;
        }
    }
}
Also used : PrivateKey(java.security.PrivateKey) HashMap(java.util.HashMap) ESTHandler(com.android.hotspot2.est.ESTHandler) GeneralSecurityException(java.security.GeneralSecurityException) ArrayList(java.util.ArrayList) IOException(java.io.IOException) OMADMAdapter(com.android.hotspot2.OMADMAdapter) URL(java.net.URL) MOData(com.android.hotspot2.osu.commands.MOData) BrowserURI(com.android.hotspot2.osu.commands.BrowserURI) ArrayList(java.util.ArrayList) List(java.util.List) GetCertData(com.android.hotspot2.osu.commands.GetCertData)

Example 8 with HTTPHandler

use of com.android.hotspot2.osu.HTTPHandler in project android_frameworks_base by AOSPA.

the class ESTHandler method execute.

public void execute(boolean reenroll) throws IOException, GeneralSecurityException {
    URL caURL = new URL(mURL.getProtocol(), mURL.getHost(), mURL.getPort(), mURL.getFile() + CACERT_PATH);
    HTTPResponse response;
    try (HTTPHandler httpHandler = new HTTPHandler(StandardCharsets.ISO_8859_1, mSocketFactory, mUser, mPassword)) {
        response = httpHandler.doGetHTTP(caURL);
        if (!"application/pkcs7-mime".equals(response.getHeaders().get(HTTPMessage.ContentTypeHeader))) {
            throw new IOException("Unexpected Content-Type: " + response.getHeaders().get(HTTPMessage.ContentTypeHeader));
        }
        ByteBuffer octetBuffer = response.getBinaryPayload();
        Collection<Asn1Object> pkcs7Content1 = Asn1Decoder.decode(octetBuffer);
        for (Asn1Object asn1Object : pkcs7Content1) {
            Log.d(TAG, "---");
            Log.d(TAG, asn1Object.toString());
        }
        Log.d(TAG, CACERT_PATH);
        mCACerts.addAll(unpackPkcs7(octetBuffer));
        for (X509Certificate certificate : mCACerts) {
            Log.d(TAG, "CA-Cert: " + certificate.getSubjectX500Principal());
        }
        /*
            byte[] octets = new byte[octetBuffer.remaining()];
            octetBuffer.duplicate().get(octets);
            for (byte b : octets) {
                System.out.printf("%02x ", b & 0xff);
            }
            Log.d(TAG, );
            */
        /* + BC
            try {
                byte[] octets = new byte[octetBuffer.remaining()];
                octetBuffer.duplicate().get(octets);
                ASN1InputStream asnin = new ASN1InputStream(octets);
                for (int n = 0; n < 100; n++) {
                    ASN1Primitive object = asnin.readObject();
                    if (object == null) {
                        break;
                    }
                    parseObject(object, 0);
                }
            }
            catch (Throwable t) {
                t.printStackTrace();
            }

            Collection<Asn1Object> pkcs7Content = Asn1Decoder.decode(octetBuffer);
            for (Asn1Object asn1Object : pkcs7Content) {
                Log.d(TAG, asn1Object);
            }

            if (pkcs7Content.size() != 1) {
                throw new IOException("Unexpected pkcs 7 container: " + pkcs7Content.size());
            }

            Asn1Constructed pkcs7Root = (Asn1Constructed) pkcs7Content.iterator().next();
            Iterator<Asn1ID> certPath = Arrays.asList(Pkcs7CertPath).iterator();
            Asn1Object certObject = pkcs7Root.findObject(certPath);
            if (certObject == null || certPath.hasNext()) {
                throw new IOException("Failed to find cert; returned object " + certObject +
                        ", path " + (certPath.hasNext() ? "short" : "exhausted"));
            }

            ByteBuffer certOctets = certObject.getPayload();
            if (certOctets == null) {
                throw new IOException("No cert payload in: " + certObject);
            }

            byte[] certBytes = new byte[certOctets.remaining()];
            certOctets.get(certBytes);

            CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
            Certificate cert = certFactory.generateCertificate(new ByteArrayInputStream(certBytes));
            Log.d(TAG, "EST Cert: " + cert);
            */
        URL csrURL = new URL(mURL.getProtocol(), mURL.getHost(), mURL.getPort(), mURL.getFile() + CSR_PATH);
        response = httpHandler.doGetHTTP(csrURL);
        octetBuffer = response.getBinaryPayload();
        byte[] csrData = buildCSR(octetBuffer, mOMADMAdapter, httpHandler);
        /**/
        Collection<Asn1Object> o = Asn1Decoder.decode(ByteBuffer.wrap(csrData));
        Log.d(TAG, "CSR:");
        Log.d(TAG, o.iterator().next().toString());
        Log.d(TAG, "End CSR.");
        /**/
        URL enrollURL = new URL(mURL.getProtocol(), mURL.getHost(), mURL.getPort(), mURL.getFile() + (reenroll ? SIMPLE_REENROLL_PATH : SIMPLE_ENROLL_PATH));
        String data = Base64.encodeToString(csrData, Base64.DEFAULT);
        octetBuffer = httpHandler.exchangeBinary(enrollURL, data, "application/pkcs10");
        Collection<Asn1Object> pkcs7Content2 = Asn1Decoder.decode(octetBuffer);
        for (Asn1Object asn1Object : pkcs7Content2) {
            Log.d(TAG, "---");
            Log.d(TAG, asn1Object.toString());
        }
        mClientCerts.addAll(unpackPkcs7(octetBuffer));
        for (X509Certificate cert : mClientCerts) {
            Log.d(TAG, cert.toString());
        }
    }
}
Also used : HTTPHandler(com.android.hotspot2.osu.HTTPHandler) HTTPResponse(com.android.hotspot2.utils.HTTPResponse) IOException(java.io.IOException) DERBitString(com.android.org.bouncycastle.asn1.DERBitString) DERPrintableString(com.android.org.bouncycastle.asn1.DERPrintableString) DERIA5String(com.android.org.bouncycastle.asn1.DERIA5String) ByteBuffer(java.nio.ByteBuffer) URL(java.net.URL) X509Certificate(java.security.cert.X509Certificate) Asn1Object(com.android.hotspot2.asn1.Asn1Object)

Example 9 with HTTPHandler

use of com.android.hotspot2.osu.HTTPHandler in project android_frameworks_base by ResurrectionRemix.

the class OSUClient method remediate.

public void remediate(OSUManager osuManager, Network network, KeyManager km, HomeSP homeSP, int flowType) throws IOException, GeneralSecurityException {
    try (HTTPHandler httpHandler = createHandler(network, homeSP, km, flowType)) {
        URL redirectURL = osuManager.prepareUserInput(homeSP.getFriendlyName());
        OMADMAdapter omadmAdapter = osuManager.getOMADMAdapter();
        String regRequest = SOAPBuilder.buildPostDevDataResponse(RequestReason.SubRemediation, null, redirectURL.toString(), omadmAdapter.getMO(OMAConstants.DevInfoURN), omadmAdapter.getMO(OMAConstants.DevDetailURN));
        OSUResponse serverResponse = httpHandler.exchangeSOAP(mURL, regRequest);
        if (serverResponse.getMessageType() != OSUMessageType.PostDevData) {
            throw new IOException("Expected a PostDevDataResponse");
        }
        String sessionID = serverResponse.getSessionID();
        PostDevDataResponse pddResponse = (PostDevDataResponse) serverResponse;
        Log.d(TAG, "Remediation response: " + pddResponse);
        Map<OSUCertType, List<X509Certificate>> certs = null;
        PrivateKey clientKey = null;
        if (pddResponse.getStatus() != OSUStatus.RemediationComplete) {
            if (pddResponse.getExecCommand() == ExecCommand.UploadMO) {
                String ulMessage = SOAPBuilder.buildPostDevDataResponse(RequestReason.MOUpload, null, redirectURL.toString(), omadmAdapter.getMO(OMAConstants.DevInfoURN), omadmAdapter.getMO(OMAConstants.DevDetailURN), osuManager.getMOTree(homeSP));
                Log.d(TAG, "Upload MO: " + ulMessage);
                OSUResponse ulResponse = httpHandler.exchangeSOAP(mURL, ulMessage);
                if (ulResponse.getMessageType() != OSUMessageType.PostDevData) {
                    throw new IOException("Expected a PostDevDataResponse to MOUpload");
                }
                pddResponse = (PostDevDataResponse) ulResponse;
            }
            if (pddResponse.getExecCommand() == ExecCommand.Browser) {
                if (flowType == OSUManager.FLOW_POLICY) {
                    throw new IOException("Browser launch requested in policy flow");
                }
                String webURL = ((BrowserURI) pddResponse.getCommandData()).getURI();
                if (webURL == null) {
                    throw new IOException("No web-url");
                } else if (!webURL.contains(sessionID)) {
                    throw new IOException("Bad or missing session ID in webURL");
                }
                if (!osuManager.startUserInput(new URL(webURL), network)) {
                    throw new IOException("User session failed");
                }
                Log.d(TAG, " -- Sending user input complete:");
                String userComplete = SOAPBuilder.buildPostDevDataResponse(RequestReason.InputComplete, sessionID, null, omadmAdapter.getMO(OMAConstants.DevInfoURN), omadmAdapter.getMO(OMAConstants.DevDetailURN));
                OSUResponse udResponse = httpHandler.exchangeSOAP(mURL, userComplete);
                if (udResponse.getMessageType() != OSUMessageType.PostDevData) {
                    throw new IOException("Bad user input complete response: " + udResponse);
                }
                pddResponse = (PostDevDataResponse) udResponse;
            } else if (pddResponse.getExecCommand() == ExecCommand.GetCert) {
                certs = new HashMap<>();
                try (ESTHandler estHandler = new ESTHandler((GetCertData) pddResponse.getCommandData(), network, osuManager.getOMADMAdapter(), km, mKeyStore, homeSP, flowType)) {
                    estHandler.execute(true);
                    certs.put(OSUCertType.CA, estHandler.getCACerts());
                    certs.put(OSUCertType.Client, estHandler.getClientCerts());
                    clientKey = estHandler.getClientKey();
                }
                if (httpHandler.isHTTPAuthPerformed()) {
                    // 8.4.3.6
                    httpHandler.renegotiate(certs, clientKey);
                }
                Log.d(TAG, " -- Sending remediation cert enrollment complete:");
                // 8.4.3.5 in the spec actually prescribes that an update URI is sent here,
                // but there is no remediation flow that defines user interaction after EST
                // so for now a null is passed.
                String certComplete = SOAPBuilder.buildPostDevDataResponse(RequestReason.CertEnrollmentComplete, sessionID, null, omadmAdapter.getMO(OMAConstants.DevInfoURN), omadmAdapter.getMO(OMAConstants.DevDetailURN));
                OSUResponse ceResponse = httpHandler.exchangeSOAP(mURL, certComplete);
                if (ceResponse.getMessageType() != OSUMessageType.PostDevData) {
                    throw new IOException("Bad cert enrollment complete response: " + ceResponse);
                }
                pddResponse = (PostDevDataResponse) ceResponse;
            } else {
                throw new IOException("Unexpected command: " + pddResponse.getExecCommand());
            }
        }
        if (pddResponse.getStatus() != OSUStatus.RemediationComplete) {
            throw new IOException("Expected a PostDevDataResponse to MOUpload");
        }
        Log.d(TAG, "Remediation response: " + pddResponse);
        List<MOData> mods = new ArrayList<>();
        for (OSUCommand command : pddResponse.getCommands()) {
            if (command.getOSUCommand() == OSUCommandID.UpdateNode) {
                mods.add((MOData) command.getCommandData());
            } else if (command.getOSUCommand() != OSUCommandID.NoMOUpdate) {
                throw new IOException("Unexpected OSU response: " + command);
            }
        }
        // 1. Machine remediation: Remediation complete + replace node
        // 2a. User remediation with upload: ExecCommand.UploadMO
        // 2b. User remediation without upload: ExecCommand.Browser
        // 3. User remediation only: -> sppPostDevData user input complete
        //
        // 4. Update node
        // 5. -> Update response
        // 6. Exchange complete
        OSUError error = null;
        String updateResponse = SOAPBuilder.buildUpdateResponse(sessionID, error);
        Log.d(TAG, " -- Sending updateResponse:");
        OSUResponse exComplete = httpHandler.exchangeSOAP(mURL, updateResponse);
        Log.d(TAG, "exComplete response: " + exComplete);
        if (exComplete.getMessageType() != OSUMessageType.ExchangeComplete) {
            throw new IOException("Expected ExchangeComplete: " + exComplete);
        } else if (exComplete.getStatus() != OSUStatus.ExchangeComplete) {
            throw new IOException("Bad ExchangeComplete status: " + exComplete);
        }
        // the network is lost and the remediation flow fails.
        try {
            osuManager.remediationComplete(homeSP, mods, certs, clientKey);
        } catch (IOException | GeneralSecurityException e) {
            osuManager.provisioningFailed(homeSP.getFriendlyName(), e.getMessage(), homeSP, OSUManager.FLOW_REMEDIATION);
            error = OSUError.CommandFailed;
        }
    }
}
Also used : PrivateKey(java.security.PrivateKey) HashMap(java.util.HashMap) ESTHandler(com.android.hotspot2.est.ESTHandler) GeneralSecurityException(java.security.GeneralSecurityException) ArrayList(java.util.ArrayList) IOException(java.io.IOException) OMADMAdapter(com.android.hotspot2.OMADMAdapter) URL(java.net.URL) MOData(com.android.hotspot2.osu.commands.MOData) BrowserURI(com.android.hotspot2.osu.commands.BrowserURI) ArrayList(java.util.ArrayList) List(java.util.List) GetCertData(com.android.hotspot2.osu.commands.GetCertData)

Example 10 with HTTPHandler

use of com.android.hotspot2.osu.HTTPHandler in project android_frameworks_base by ResurrectionRemix.

the class ESTHandler method buildCSR.

private byte[] buildCSR(ByteBuffer octetBuffer, OMADMAdapter omadmAdapter, HTTPHandler httpHandler) throws IOException, GeneralSecurityException {
    //Security.addProvider(new BouncyCastleProvider());
    Log.d(TAG, "/csrattrs:");
    /*
        byte[] octets = new byte[octetBuffer.remaining()];
        octetBuffer.duplicate().get(octets);
        for (byte b : octets) {
            System.out.printf("%02x ", b & 0xff);
        }
        */
    Collection<Asn1Object> csrs = Asn1Decoder.decode(octetBuffer);
    for (Asn1Object asn1Object : csrs) {
        Log.d(TAG, asn1Object.toString());
    }
    if (csrs.size() != 1) {
        throw new IOException("Unexpected object count in CSR attributes response: " + csrs.size());
    }
    Asn1Object sequence = csrs.iterator().next();
    if (sequence.getClass() != Asn1Constructed.class) {
        throw new IOException("Unexpected CSR attribute container: " + sequence);
    }
    String keyAlgo = null;
    Asn1Oid keyAlgoOID = null;
    String sigAlgo = null;
    String curveName = null;
    Asn1Oid pubCrypto = null;
    int keySize = -1;
    Map<Asn1Oid, ASN1Encodable> idAttributes = new HashMap<>();
    for (Asn1Object child : sequence.getChildren()) {
        if (child.getTag() == Asn1Decoder.TAG_OID) {
            Asn1Oid oid = (Asn1Oid) child;
            OidMappings.SigEntry sigEntry = OidMappings.getSigEntry(oid);
            if (sigEntry != null) {
                sigAlgo = sigEntry.getSigAlgo();
                keyAlgoOID = sigEntry.getKeyAlgo();
                keyAlgo = OidMappings.getJCEName(keyAlgoOID);
            } else if (oid.equals(OidMappings.sPkcs9AtChallengePassword)) {
                byte[] tlsUnique = httpHandler.getTLSUnique();
                if (tlsUnique != null) {
                    idAttributes.put(oid, new DERPrintableString(Base64.encodeToString(tlsUnique, Base64.DEFAULT)));
                } else {
                    Log.w(TAG, "Cannot retrieve TLS unique channel binding");
                }
            }
        } else if (child.getTag() == Asn1Decoder.TAG_SEQ) {
            Asn1Oid oid = null;
            Set<Asn1Oid> oidValues = new HashSet<>();
            List<Asn1Object> values = new ArrayList<>();
            for (Asn1Object attributeSeq : child.getChildren()) {
                if (attributeSeq.getTag() == Asn1Decoder.TAG_OID) {
                    oid = (Asn1Oid) attributeSeq;
                } else if (attributeSeq.getTag() == Asn1Decoder.TAG_SET) {
                    for (Asn1Object value : attributeSeq.getChildren()) {
                        if (value.getTag() == Asn1Decoder.TAG_OID) {
                            oidValues.add((Asn1Oid) value);
                        } else {
                            values.add(value);
                        }
                    }
                }
            }
            if (oid == null) {
                throw new IOException("Invalid attribute, no OID");
            }
            if (oid.equals(OidMappings.sExtensionRequest)) {
                for (Asn1Oid subOid : oidValues) {
                    if (OidMappings.isIDAttribute(subOid)) {
                        if (subOid.equals(OidMappings.sMAC)) {
                            idAttributes.put(subOid, new DERIA5String(omadmAdapter.getMAC()));
                        } else if (subOid.equals(OidMappings.sIMEI)) {
                            idAttributes.put(subOid, new DERIA5String(omadmAdapter.getImei()));
                        } else if (subOid.equals(OidMappings.sMEID)) {
                            idAttributes.put(subOid, new DERBitString(omadmAdapter.getMeid()));
                        } else if (subOid.equals(OidMappings.sDevID)) {
                            idAttributes.put(subOid, new DERPrintableString(omadmAdapter.getDevID()));
                        }
                    }
                }
            } else if (OidMappings.getCryptoID(oid) != null) {
                pubCrypto = oid;
                if (!values.isEmpty()) {
                    for (Asn1Object value : values) {
                        if (value.getTag() == Asn1Decoder.TAG_INTEGER) {
                            keySize = (int) ((Asn1Integer) value).getValue();
                        }
                    }
                }
                if (oid.equals(OidMappings.sAlgo_EC)) {
                    if (oidValues.isEmpty()) {
                        throw new IOException("No ECC curve name provided");
                    }
                    for (Asn1Oid value : oidValues) {
                        curveName = OidMappings.getJCEName(value);
                        if (curveName != null) {
                            break;
                        }
                    }
                    if (curveName == null) {
                        throw new IOException("Found no ECC curve for " + oidValues);
                    }
                }
            }
        }
    }
    if (keyAlgoOID == null) {
        throw new IOException("No public key algorithm specified");
    }
    if (pubCrypto != null && !pubCrypto.equals(keyAlgoOID)) {
        throw new IOException("Mismatching key algorithms");
    }
    if (keyAlgoOID.equals(OidMappings.sAlgo_RSA)) {
        if (keySize < MinRSAKeySize) {
            if (keySize >= 0) {
                Log.i(TAG, "Upgrading suggested RSA key size from " + keySize + " to " + MinRSAKeySize);
            }
            keySize = MinRSAKeySize;
        }
    }
    Log.d(TAG, String.format("pub key '%s', signature '%s', ECC curve '%s', id-atts %s", keyAlgo, sigAlgo, curveName, idAttributes));
    /*
          Ruckus:
            SEQUENCE:
              OID=1.2.840.113549.1.1.11 (algo_id_sha256WithRSAEncryption)

          RFC-7030:
            SEQUENCE:
              OID=1.2.840.113549.1.9.7 (challengePassword)
              SEQUENCE:
                OID=1.2.840.10045.2.1 (algo_id_ecPublicKey)
                SET:
                  OID=1.3.132.0.34 (secp384r1)
              SEQUENCE:
                OID=1.2.840.113549.1.9.14 (extensionRequest)
                SET:
                  OID=1.3.6.1.1.1.1.22 (mac-address)
              OID=1.2.840.10045.4.3.3 (eccdaWithSHA384)

              1L, 3L, 6L, 1L, 1L, 1L, 1L, 22
         */
    // ECC Does not appear to be supported currently
    KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyAlgo);
    if (curveName != null) {
        AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance(keyAlgo);
        algorithmParameters.init(new ECNamedCurveGenParameterSpec(curveName));
        kpg.initialize(algorithmParameters.getParameterSpec(ECNamedCurveGenParameterSpec.class));
    } else {
        kpg.initialize(keySize);
    }
    KeyPair kp = kpg.generateKeyPair();
    X500Principal subject = new X500Principal("CN=Android, O=Google, C=US");
    mClientKey = kp.getPrivate();
    // !!! Map the idAttributes into an ASN1Set of values to pass to
    // the PKCS10CertificationRequest - this code is using outdated BC classes and
    // has *not* been tested.
    ASN1Set attributes;
    if (!idAttributes.isEmpty()) {
        ASN1EncodableVector payload = new DEREncodableVector();
        for (Map.Entry<Asn1Oid, ASN1Encodable> entry : idAttributes.entrySet()) {
            DERObjectIdentifier type = new DERObjectIdentifier(entry.getKey().toOIDString());
            ASN1Set values = new DERSet(entry.getValue());
            Attribute attribute = new Attribute(type, values);
            payload.add(attribute);
        }
        attributes = new DERSet(payload);
    } else {
        attributes = null;
    }
    return new PKCS10CertificationRequest(sigAlgo, subject, kp.getPublic(), attributes, mClientKey).getEncoded();
}
Also used : DERSet(com.android.org.bouncycastle.asn1.DERSet) ASN1Set(com.android.org.bouncycastle.asn1.ASN1Set) Set(java.util.Set) HashSet(java.util.HashSet) HashMap(java.util.HashMap) Attribute(com.android.org.bouncycastle.asn1.x509.Attribute) DERBitString(com.android.org.bouncycastle.asn1.DERBitString) DERPrintableString(com.android.org.bouncycastle.asn1.DERPrintableString) DERIA5String(com.android.org.bouncycastle.asn1.DERIA5String) DERSet(com.android.org.bouncycastle.asn1.DERSet) DERIA5String(com.android.org.bouncycastle.asn1.DERIA5String) Asn1Integer(com.android.hotspot2.asn1.Asn1Integer) DERPrintableString(com.android.org.bouncycastle.asn1.DERPrintableString) ASN1EncodableVector(com.android.org.bouncycastle.asn1.ASN1EncodableVector) List(java.util.List) ArrayList(java.util.ArrayList) ASN1Encodable(com.android.org.bouncycastle.asn1.ASN1Encodable) PKCS10CertificationRequest(com.android.org.bouncycastle.jce.PKCS10CertificationRequest) Asn1Oid(com.android.hotspot2.asn1.Asn1Oid) KeyPair(java.security.KeyPair) ECNamedCurveGenParameterSpec(com.android.org.bouncycastle.jce.spec.ECNamedCurveGenParameterSpec) DEREncodableVector(com.android.org.bouncycastle.asn1.DEREncodableVector) DERBitString(com.android.org.bouncycastle.asn1.DERBitString) IOException(java.io.IOException) KeyPairGenerator(java.security.KeyPairGenerator) DERObjectIdentifier(com.android.org.bouncycastle.asn1.DERObjectIdentifier) Asn1Object(com.android.hotspot2.asn1.Asn1Object) OidMappings(com.android.hotspot2.asn1.OidMappings) ASN1Set(com.android.org.bouncycastle.asn1.ASN1Set) X500Principal(javax.security.auth.x500.X500Principal) Map(java.util.Map) HashMap(java.util.HashMap) AlgorithmParameters(java.security.AlgorithmParameters)

Aggregations

IOException (java.io.IOException)25 URL (java.net.URL)15 ArrayList (java.util.ArrayList)15 HashMap (java.util.HashMap)15 List (java.util.List)15 OMADMAdapter (com.android.hotspot2.OMADMAdapter)10 Asn1Object (com.android.hotspot2.asn1.Asn1Object)10 ESTHandler (com.android.hotspot2.est.ESTHandler)10 BrowserURI (com.android.hotspot2.osu.commands.BrowserURI)10 GetCertData (com.android.hotspot2.osu.commands.GetCertData)10 MOData (com.android.hotspot2.osu.commands.MOData)10 DERBitString (com.android.org.bouncycastle.asn1.DERBitString)10 DERIA5String (com.android.org.bouncycastle.asn1.DERIA5String)10 DERPrintableString (com.android.org.bouncycastle.asn1.DERPrintableString)10 PrivateKey (java.security.PrivateKey)10 Asn1Integer (com.android.hotspot2.asn1.Asn1Integer)5 Asn1Oid (com.android.hotspot2.asn1.Asn1Oid)5 OidMappings (com.android.hotspot2.asn1.OidMappings)5 HTTPHandler (com.android.hotspot2.osu.HTTPHandler)5 HTTPResponse (com.android.hotspot2.utils.HTTPResponse)5