1 /* 2 * Copyright (C) 2020 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.ipsec.ike.cts; 18 19 import static android.net.ipsec.ike.IkeSessionParams.ESP_ENCAP_TYPE_UDP; 20 import static android.net.ipsec.ike.IkeSessionParams.ESP_IP_VERSION_IPV6; 21 import static android.net.ipsec.ike.IkeSessionParams.IKE_OPTION_ACCEPT_ANY_REMOTE_ID; 22 import static android.net.ipsec.ike.IkeSessionParams.IKE_OPTION_AUTOMATIC_KEEPALIVE_ON_OFF; 23 import static android.net.ipsec.ike.IkeSessionParams.IKE_OPTION_EAP_ONLY_AUTH; 24 import static android.net.ipsec.ike.IkeSessionParams.IKE_OPTION_FORCE_PORT_4500; 25 import static android.net.ipsec.ike.IkeSessionParams.IKE_OPTION_INITIAL_CONTACT; 26 import static android.net.ipsec.ike.IkeSessionParams.IKE_OPTION_MOBIKE; 27 import static android.net.ipsec.ike.IkeSessionParams.IKE_OPTION_REKEY_MOBILITY; 28 import static android.net.ipsec.ike.IkeSessionParams.IkeAuthConfig; 29 import static android.net.ipsec.ike.IkeSessionParams.IkeAuthDigitalSignLocalConfig; 30 import static android.net.ipsec.ike.IkeSessionParams.IkeAuthDigitalSignRemoteConfig; 31 import static android.net.ipsec.ike.IkeSessionParams.IkeAuthEapConfig; 32 import static android.net.ipsec.ike.IkeSessionParams.IkeAuthPskConfig; 33 import static android.net.ipsec.ike.ike3gpp.Ike3gppDataListenerTest.TestIke3gppDataListener; 34 import static android.os.Build.VERSION_CODES.R; 35 import static android.system.OsConstants.AF_INET; 36 import static android.system.OsConstants.AF_INET6; 37 import static android.telephony.TelephonyManager.APPTYPE_USIM; 38 39 import static org.junit.Assert.assertArrayEquals; 40 import static org.junit.Assert.assertEquals; 41 import static org.junit.Assert.assertFalse; 42 import static org.junit.Assert.assertTrue; 43 import static org.junit.Assert.fail; 44 45 import android.net.eap.EapSessionConfig; 46 import android.net.ipsec.ike.IkeFqdnIdentification; 47 import android.net.ipsec.ike.IkeIdentification; 48 import android.net.ipsec.ike.IkeSaProposal; 49 import android.net.ipsec.ike.IkeSessionParams; 50 import android.net.ipsec.ike.IkeSessionParams.ConfigRequestIpv4PcscfServer; 51 import android.net.ipsec.ike.IkeSessionParams.ConfigRequestIpv6PcscfServer; 52 import android.net.ipsec.ike.IkeSessionParams.IkeConfigRequest; 53 import android.net.ipsec.ike.ike3gpp.Ike3gppExtension; 54 import android.net.ipsec.ike.ike3gpp.Ike3gppParams; 55 import android.os.Build; 56 57 import androidx.test.ext.junit.runners.AndroidJUnit4; 58 import androidx.test.filters.SdkSuppress; 59 60 import com.android.internal.net.ipsec.test.ike.testutils.CertUtils; 61 import com.android.modules.utils.build.SdkLevel; 62 import com.android.testutils.DevSdkIgnoreRule; 63 import com.android.testutils.DevSdkIgnoreRule.IgnoreAfter; 64 import com.android.testutils.DevSdkIgnoreRule.IgnoreUpTo; 65 66 import org.junit.Before; 67 import org.junit.Rule; 68 import org.junit.Test; 69 import org.junit.runner.RunWith; 70 71 import java.net.InetAddress; 72 import java.security.cert.X509Certificate; 73 import java.security.interfaces.RSAPrivateKey; 74 import java.util.Arrays; 75 import java.util.Collections; 76 import java.util.HashMap; 77 import java.util.HashSet; 78 import java.util.List; 79 import java.util.Map; 80 import java.util.Set; 81 import java.util.concurrent.TimeUnit; 82 83 @RunWith(AndroidJUnit4.class) 84 public final class IkeSessionParamsTest extends IkeSessionTestBase { 85 @Rule public final DevSdkIgnoreRule ignoreRule = new DevSdkIgnoreRule(); 86 87 private static final int HARD_LIFETIME_SECONDS = (int) TimeUnit.HOURS.toSeconds(20L); 88 private static final int SOFT_LIFETIME_SECONDS = (int) TimeUnit.HOURS.toSeconds(10L); 89 private static final int DPD_DELAY_SECONDS = (int) TimeUnit.MINUTES.toSeconds(10L); 90 private static final int NATT_KEEPALIVE_DELAY_SECONDS = (int) TimeUnit.MINUTES.toSeconds(5L); 91 private static final int[] RETRANS_TIMEOUT_MS_LIST = new int[] {500, 500, 500, 500, 500, 500}; 92 private static final int[] LIVENESS_RETRANS_TIMEOUT_MS_LIST = 93 new int[] {500, 500, 500, 500, 500, 500}; 94 95 private static final int DSCP = 8; 96 97 private static final Map<Class<? extends IkeConfigRequest>, Integer> EXPECTED_REQ_COUNT = 98 new HashMap<>(); 99 private static final HashSet<InetAddress> EXPECTED_PCSCF_SERVERS = new HashSet<>(); 100 101 static { EXPECTED_REQ_COUNT.put(ConfigRequestIpv4PcscfServer.class, 3)102 EXPECTED_REQ_COUNT.put(ConfigRequestIpv4PcscfServer.class, 3); EXPECTED_REQ_COUNT.put(ConfigRequestIpv6PcscfServer.class, 3)103 EXPECTED_REQ_COUNT.put(ConfigRequestIpv6PcscfServer.class, 3); 104 105 EXPECTED_PCSCF_SERVERS.add(PCSCF_IPV4_ADDRESS_1); 106 EXPECTED_PCSCF_SERVERS.add(PCSCF_IPV4_ADDRESS_2); 107 EXPECTED_PCSCF_SERVERS.add(PCSCF_IPV6_ADDRESS_1); 108 EXPECTED_PCSCF_SERVERS.add(PCSCF_IPV6_ADDRESS_2); 109 } 110 111 private static final HashSet<Integer> EXPECTED_IKE_OPTIONS = new HashSet<>(); 112 113 static { 114 EXPECTED_IKE_OPTIONS.add(IKE_OPTION_ACCEPT_ANY_REMOTE_ID); 115 EXPECTED_IKE_OPTIONS.add(IKE_OPTION_EAP_ONLY_AUTH); 116 EXPECTED_IKE_OPTIONS.add(IKE_OPTION_MOBIKE); 117 EXPECTED_IKE_OPTIONS.add(IKE_OPTION_FORCE_PORT_4500); 118 EXPECTED_IKE_OPTIONS.add(IKE_OPTION_INITIAL_CONTACT); 119 EXPECTED_IKE_OPTIONS.add(IKE_OPTION_REKEY_MOBILITY); 120 EXPECTED_IKE_OPTIONS.add(IKE_OPTION_AUTOMATIC_KEEPALIVE_ON_OFF); 121 } 122 123 // Arbitrary proposal and remote ID. Local ID is chosen to match the client end cert in the 124 // following CL 125 private static final IkeSaProposal SA_PROPOSAL = 126 SaProposalTest.buildIkeSaProposalWithNormalModeCipher(); 127 private static final IkeIdentification LOCAL_ID = new IkeFqdnIdentification(LOCAL_HOSTNAME); 128 private static final IkeIdentification REMOTE_ID = new IkeFqdnIdentification(REMOTE_HOSTNAME); 129 130 private static final EapSessionConfig EAP_ALL_METHODS_CONFIG = 131 createEapOnlySafeMethodsBuilder() 132 .setEapMsChapV2Config(EAP_MSCHAPV2_USERNAME, EAP_MSCHAPV2_PASSWORD) 133 .build(); 134 private static final EapSessionConfig EAP_ONLY_SAFE_METHODS_CONFIG = 135 createEapOnlySafeMethodsBuilder().build(); 136 137 private X509Certificate mServerCaCert; 138 private X509Certificate mClientEndCert; 139 private X509Certificate mClientIntermediateCaCertOne; 140 private X509Certificate mClientIntermediateCaCertTwo; 141 private RSAPrivateKey mClientPrivateKey; 142 143 @Before setUp()144 public void setUp() throws Exception { 145 super.setUp(); 146 147 mServerCaCert = CertUtils.createCertFromPemFile("server-a-self-signed-ca.pem"); 148 mClientEndCert = CertUtils.createCertFromPemFile("client-a-end-cert.pem"); 149 mClientIntermediateCaCertOne = 150 CertUtils.createCertFromPemFile("client-a-intermediate-ca-one.pem"); 151 mClientIntermediateCaCertTwo = 152 CertUtils.createCertFromPemFile("client-a-intermediate-ca-two.pem"); 153 mClientPrivateKey = CertUtils.createRsaPrivateKeyFromKeyFile("client-a-private-key.key"); 154 } 155 createEapOnlySafeMethodsBuilder()156 private static EapSessionConfig.Builder createEapOnlySafeMethodsBuilder() { 157 return new EapSessionConfig.Builder() 158 .setEapIdentity(EAP_IDENTITY) 159 .setEapSimConfig(SUB_ID, APPTYPE_USIM) 160 .setEapAkaConfig(SUB_ID, APPTYPE_USIM) 161 .setEapAkaPrimeConfig( 162 SUB_ID, APPTYPE_USIM, NETWORK_NAME, true /* allowMismatchedNetworkNames */); 163 } 164 165 /** 166 * Create a Builder that has minimum configurations to build an IkeSessionParams. 167 * 168 * <p>Authentication method is arbitrarily selected. Using other method (e.g. setAuthEap) also 169 * works. 170 */ createIkeParamsBuilderMinimum(boolean useContext)171 private IkeSessionParams.Builder createIkeParamsBuilderMinimum(boolean useContext) { 172 final IkeSessionParams.Builder builder = 173 useContext 174 ? new IkeSessionParams.Builder(sContext) 175 : new IkeSessionParams.Builder(); 176 177 return builder.setNetwork(mTunNetworkContext.tunNetwork) 178 .setServerHostname(IPV4_ADDRESS_REMOTE.getHostAddress()) 179 .addSaProposal(SA_PROPOSAL) 180 .setLocalIdentification(LOCAL_ID) 181 .setRemoteIdentification(REMOTE_ID) 182 .setAuthPsk(IKE_PSK); 183 } 184 createIkeParamsBuilderMinimum()185 private IkeSessionParams.Builder createIkeParamsBuilderMinimum() { 186 return createIkeParamsBuilderMinimum(true /* useContext */); 187 } 188 189 /** 190 * Verify the minimum configurations to build an IkeSessionParams. 191 * 192 * @see #createIkeParamsBuilderMinimum 193 */ verifyIkeParamsMinimum(IkeSessionParams sessionParams)194 private void verifyIkeParamsMinimum(IkeSessionParams sessionParams) { 195 assertEquals(mTunNetworkContext.tunNetwork, sessionParams.getNetwork()); 196 assertEquals(IPV4_ADDRESS_REMOTE.getHostAddress(), sessionParams.getServerHostname()); 197 assertEquals(Arrays.asList(SA_PROPOSAL), sessionParams.getSaProposals()); 198 assertEquals(LOCAL_ID, sessionParams.getLocalIdentification()); 199 assertEquals(REMOTE_ID, sessionParams.getRemoteIdentification()); 200 201 IkeAuthConfig localConfig = sessionParams.getLocalAuthConfig(); 202 assertTrue(localConfig instanceof IkeAuthPskConfig); 203 assertArrayEquals(IKE_PSK, ((IkeAuthPskConfig) localConfig).getPsk()); 204 IkeAuthConfig remoteConfig = sessionParams.getRemoteAuthConfig(); 205 assertTrue(remoteConfig instanceof IkeAuthPskConfig); 206 assertArrayEquals(IKE_PSK, ((IkeAuthPskConfig) remoteConfig).getPsk()); 207 } 208 209 @Test testBuildWithMinimumSet()210 public void testBuildWithMinimumSet() throws Exception { 211 IkeSessionParams sessionParams = createIkeParamsBuilderMinimum().build(); 212 213 verifyIkeParamsMinimum(sessionParams); 214 215 // Verify default values that do not need explicit configuration. Do not do assertEquals 216 // to be avoid being a change-detector test 217 assertTrue(sessionParams.getHardLifetimeSeconds() > sessionParams.getSoftLifetimeSeconds()); 218 assertTrue(sessionParams.getSoftLifetimeSeconds() > 0); 219 assertTrue(sessionParams.getDpdDelaySeconds() > 0); 220 assertTrue(sessionParams.getRetransmissionTimeoutsMillis().length > 0); 221 for (int timeout : sessionParams.getRetransmissionTimeoutsMillis()) { 222 assertTrue(timeout > 0); 223 } 224 assertTrue(sessionParams.getConfigurationRequests().isEmpty()); 225 assertFalse(sessionParams.hasIkeOption(IKE_OPTION_ACCEPT_ANY_REMOTE_ID)); 226 } 227 228 @Test testBuildWithIkeSessionParams()229 public void testBuildWithIkeSessionParams() throws Exception { 230 IkeSessionParams sessionParams = 231 createIkeParamsBuilderMinimum(false /* useContext */).build(); 232 IkeSessionParams result = new IkeSessionParams.Builder(sessionParams).build(); 233 234 assertEquals(sessionParams, result); 235 } 236 237 @Test testSetLifetimes()238 public void testSetLifetimes() throws Exception { 239 IkeSessionParams sessionParams = 240 createIkeParamsBuilderMinimum() 241 .setLifetimeSeconds(HARD_LIFETIME_SECONDS, SOFT_LIFETIME_SECONDS) 242 .build(); 243 244 verifyIkeParamsMinimum(sessionParams); 245 assertEquals(HARD_LIFETIME_SECONDS, sessionParams.getHardLifetimeSeconds()); 246 assertEquals(SOFT_LIFETIME_SECONDS, sessionParams.getSoftLifetimeSeconds()); 247 } 248 249 @Test testSetDpdDelay()250 public void testSetDpdDelay() throws Exception { 251 IkeSessionParams sessionParams = 252 createIkeParamsBuilderMinimum().setDpdDelaySeconds(DPD_DELAY_SECONDS).build(); 253 254 verifyIkeParamsMinimum(sessionParams); 255 assertEquals(DPD_DELAY_SECONDS, sessionParams.getDpdDelaySeconds()); 256 } 257 258 @Test testSetNattKeepaliveDelay()259 public void testSetNattKeepaliveDelay() throws Exception { 260 IkeSessionParams sessionParams = 261 createIkeParamsBuilderMinimum() 262 .setNattKeepAliveDelaySeconds(NATT_KEEPALIVE_DELAY_SECONDS) 263 .build(); 264 265 verifyIkeParamsMinimum(sessionParams); 266 assertEquals(NATT_KEEPALIVE_DELAY_SECONDS, sessionParams.getNattKeepAliveDelaySeconds()); 267 } 268 269 @Test testSetRetransmissionTimeouts()270 public void testSetRetransmissionTimeouts() throws Exception { 271 IkeSessionParams sessionParams = 272 createIkeParamsBuilderMinimum() 273 .setRetransmissionTimeoutsMillis(RETRANS_TIMEOUT_MS_LIST) 274 .build(); 275 276 verifyIkeParamsMinimum(sessionParams); 277 assertArrayEquals(RETRANS_TIMEOUT_MS_LIST, sessionParams.getRetransmissionTimeoutsMillis()); 278 } 279 280 @Test testSetPcscfConfigRequests()281 public void testSetPcscfConfigRequests() throws Exception { 282 IkeSessionParams sessionParams = 283 createIkeParamsBuilderMinimum() 284 .setRetransmissionTimeoutsMillis(RETRANS_TIMEOUT_MS_LIST) 285 .addPcscfServerRequest(AF_INET) 286 .addPcscfServerRequest(PCSCF_IPV4_ADDRESS_1) 287 .addPcscfServerRequest(PCSCF_IPV6_ADDRESS_1) 288 .addPcscfServerRequest(AF_INET6) 289 .addPcscfServerRequest(PCSCF_IPV4_ADDRESS_2) 290 .addPcscfServerRequest(PCSCF_IPV6_ADDRESS_2) 291 .build(); 292 293 verifyIkeParamsMinimum(sessionParams); 294 verifyConfigRequestTypes(EXPECTED_REQ_COUNT, sessionParams.getConfigurationRequests()); 295 296 Set<InetAddress> resultAddresses = new HashSet<>(); 297 for (IkeConfigRequest req : sessionParams.getConfigurationRequests()) { 298 if (req instanceof ConfigRequestIpv4PcscfServer 299 && ((ConfigRequestIpv4PcscfServer) req).getAddress() != null) { 300 resultAddresses.add(((ConfigRequestIpv4PcscfServer) req).getAddress()); 301 } else if (req instanceof ConfigRequestIpv6PcscfServer 302 && ((ConfigRequestIpv6PcscfServer) req).getAddress() != null) { 303 resultAddresses.add(((ConfigRequestIpv6PcscfServer) req).getAddress()); 304 } 305 } 306 assertEquals(EXPECTED_PCSCF_SERVERS, resultAddresses); 307 } 308 309 @Test testSetDscp()310 public void testSetDscp() throws Exception { 311 IkeSessionParams sessionParams = createIkeParamsBuilderMinimum().setDscp(DSCP).build(); 312 313 verifyIkeParamsMinimum(sessionParams); 314 assertEquals(DSCP, sessionParams.getDscp()); 315 } 316 317 @Test testAddIkeOption()318 public void testAddIkeOption() throws Exception { 319 verifyAddIkeOption(IKE_OPTION_ACCEPT_ANY_REMOTE_ID); 320 verifyAddIkeOption(IKE_OPTION_INITIAL_CONTACT); 321 } 322 323 @Test 324 @IgnoreUpTo(Build.VERSION_CODES.UPSIDE_DOWN_CAKE) testAddAndGetIkeOptions()325 public void testAddAndGetIkeOptions() throws Exception { 326 final IkeSessionParams.Builder builder = 327 createIkeParamsBuilderMinimumWithoutAuth() 328 .setAuthEap(mServerCaCert, EAP_ONLY_SAFE_METHODS_CONFIG); 329 for (int option : EXPECTED_IKE_OPTIONS) { 330 builder.addIkeOption(option); 331 } 332 final IkeSessionParams ikeParams = builder.build(); 333 334 assertEquals(EXPECTED_IKE_OPTIONS, ikeParams.getIkeOptions()); 335 } 336 verifyAddIkeOption(int ikeOption)337 private void verifyAddIkeOption(int ikeOption) { 338 IkeSessionParams sessionParams = 339 createIkeParamsBuilderMinimum().addIkeOption(ikeOption).build(); 340 341 verifyIkeParamsMinimum(sessionParams); 342 assertTrue(sessionParams.hasIkeOption(ikeOption)); 343 } 344 345 @Test testRemoveIkeOption()346 public void testRemoveIkeOption() throws Exception { 347 verifyRemoveIkeOption(IKE_OPTION_ACCEPT_ANY_REMOTE_ID); 348 verifyRemoveIkeOption(IKE_OPTION_INITIAL_CONTACT); 349 } 350 verifyRemoveIkeOption(int ikeOption)351 private void verifyRemoveIkeOption(int ikeOption) { 352 IkeSessionParams sessionParams = 353 createIkeParamsBuilderMinimum() 354 .addIkeOption(ikeOption) 355 .removeIkeOption(ikeOption) 356 .build(); 357 358 verifyIkeParamsMinimum(sessionParams); 359 assertFalse(sessionParams.hasIkeOption(ikeOption)); 360 } 361 362 @Test 363 @IgnoreUpTo(Build.VERSION_CODES.R) testAddIkeOptionMobike()364 public void testAddIkeOptionMobike() throws Exception { 365 IkeSessionParams sessionParams = 366 createIkeParamsBuilderMinimum().addIkeOption(IKE_OPTION_MOBIKE).build(); 367 368 verifyIkeParamsMinimum(sessionParams); 369 assertTrue(sessionParams.hasIkeOption(IKE_OPTION_MOBIKE)); 370 371 if (SdkLevel.isAtLeastT()) { 372 assertFalse(sessionParams.hasIkeOption(IKE_OPTION_REKEY_MOBILITY)); 373 } else { 374 assertTrue(sessionParams.hasIkeOption(IKE_OPTION_REKEY_MOBILITY)); 375 } 376 } 377 378 /** 379 * Create a Builder that has minimum configurations to build an IkeSessionParams, except for 380 * authentication method. 381 */ createIkeParamsBuilderMinimumWithoutAuth()382 private IkeSessionParams.Builder createIkeParamsBuilderMinimumWithoutAuth() { 383 return new IkeSessionParams.Builder(sContext) 384 .setNetwork(mTunNetworkContext.tunNetwork) 385 .setServerHostname(IPV4_ADDRESS_REMOTE.getHostAddress()) 386 .addSaProposal(SA_PROPOSAL) 387 .setLocalIdentification(LOCAL_ID) 388 .setRemoteIdentification(REMOTE_ID); 389 } 390 391 /** 392 * Verify the minimum configurations to build an IkeSessionParams, except for authentication 393 * method. 394 * 395 * @see #createIkeParamsBuilderMinimumWithoutAuth 396 */ verifyIkeParamsMinimumWithoutAuth(IkeSessionParams sessionParams)397 private void verifyIkeParamsMinimumWithoutAuth(IkeSessionParams sessionParams) { 398 assertEquals(mTunNetworkContext.tunNetwork, sessionParams.getNetwork()); 399 assertEquals(IPV4_ADDRESS_REMOTE.getHostAddress(), sessionParams.getServerHostname()); 400 assertEquals(Arrays.asList(SA_PROPOSAL), sessionParams.getSaProposals()); 401 assertEquals(LOCAL_ID, sessionParams.getLocalIdentification()); 402 assertEquals(REMOTE_ID, sessionParams.getRemoteIdentification()); 403 } 404 verifyIkeParamsWithPsk(IkeSessionParams sessionParams)405 private void verifyIkeParamsWithPsk(IkeSessionParams sessionParams) { 406 IkeAuthConfig localConfig = sessionParams.getLocalAuthConfig(); 407 assertTrue(localConfig instanceof IkeAuthPskConfig); 408 assertArrayEquals(IKE_PSK, ((IkeAuthPskConfig) localConfig).getPsk()); 409 IkeAuthConfig remoteConfig = sessionParams.getRemoteAuthConfig(); 410 assertTrue(remoteConfig instanceof IkeAuthPskConfig); 411 assertArrayEquals(IKE_PSK, ((IkeAuthPskConfig) remoteConfig).getPsk()); 412 } 413 414 @Test testBuildWithPsk()415 public void testBuildWithPsk() throws Exception { 416 IkeSessionParams sessionParams = 417 createIkeParamsBuilderMinimumWithoutAuth().setAuthPsk(IKE_PSK).build(); 418 419 verifyIkeParamsMinimumWithoutAuth(sessionParams); 420 421 verifyIkeParamsWithPsk(sessionParams); 422 } 423 424 @Test 425 @SdkSuppress(minSdkVersion = 31, codeName = "S") testBuildWithPskMobikeEnabled()426 public void testBuildWithPskMobikeEnabled() throws Exception { 427 IkeSessionParams sessionParams = 428 createIkeParamsBuilderMinimumWithoutAuth() 429 .setAuthPsk(IKE_PSK) 430 .addIkeOption(IkeSessionParams.IKE_OPTION_MOBIKE) 431 .build(); 432 433 verifyIkeParamsMinimumWithoutAuth(sessionParams); 434 435 verifyIkeParamsWithPsk(sessionParams); 436 assertTrue(sessionParams.hasIkeOption(IkeSessionParams.IKE_OPTION_MOBIKE)); 437 } 438 439 @Test testBuildWithEap()440 public void testBuildWithEap() throws Exception { 441 IkeSessionParams sessionParams = 442 createIkeParamsBuilderMinimumWithoutAuth() 443 .setAuthEap(mServerCaCert, EAP_ALL_METHODS_CONFIG) 444 .build(); 445 446 verifyIkeParamsMinimumWithoutAuth(sessionParams); 447 448 IkeAuthConfig localConfig = sessionParams.getLocalAuthConfig(); 449 assertTrue(localConfig instanceof IkeAuthEapConfig); 450 assertEquals(EAP_ALL_METHODS_CONFIG, ((IkeAuthEapConfig) localConfig).getEapConfig()); 451 IkeAuthConfig remoteConfig = sessionParams.getRemoteAuthConfig(); 452 assertTrue(remoteConfig instanceof IkeAuthDigitalSignRemoteConfig); 453 assertEquals( 454 mServerCaCert, ((IkeAuthDigitalSignRemoteConfig) remoteConfig).getRemoteCaCert()); 455 } 456 457 @Test testBuildWithEapOnlyAuth()458 public void testBuildWithEapOnlyAuth() throws Exception { 459 IkeSessionParams sessionParams = 460 createIkeParamsBuilderMinimumWithoutAuth() 461 .setAuthEap(mServerCaCert, EAP_ONLY_SAFE_METHODS_CONFIG) 462 .addIkeOption(IKE_OPTION_EAP_ONLY_AUTH) 463 .build(); 464 465 assertTrue(sessionParams.hasIkeOption(IKE_OPTION_EAP_ONLY_AUTH)); 466 verifyIkeParamsMinimumWithoutAuth(sessionParams); 467 468 IkeAuthConfig localConfig = sessionParams.getLocalAuthConfig(); 469 assertTrue(localConfig instanceof IkeAuthEapConfig); 470 assertEquals(EAP_ONLY_SAFE_METHODS_CONFIG, ((IkeAuthEapConfig) localConfig).getEapConfig()); 471 IkeAuthConfig remoteConfig = sessionParams.getRemoteAuthConfig(); 472 assertTrue(remoteConfig instanceof IkeAuthDigitalSignRemoteConfig); 473 assertEquals( 474 mServerCaCert, ((IkeAuthDigitalSignRemoteConfig) remoteConfig).getRemoteCaCert()); 475 } 476 477 @Test testThrowBuildEapOnlyAuthWithUnsafeMethod()478 public void testThrowBuildEapOnlyAuthWithUnsafeMethod() throws Exception { 479 try { 480 IkeSessionParams sessionParams = 481 createIkeParamsBuilderMinimumWithoutAuth() 482 .setAuthEap(mServerCaCert, EAP_ALL_METHODS_CONFIG) 483 .addIkeOption(IKE_OPTION_EAP_ONLY_AUTH) 484 .build(); 485 fail("Expected to fail because EAP only unsafe method is proposed"); 486 } catch (IllegalArgumentException expected) { 487 } 488 } 489 490 @Test testBuildWithDigitalSignature()491 public void testBuildWithDigitalSignature() throws Exception { 492 IkeSessionParams sessionParams = 493 createIkeParamsBuilderMinimumWithoutAuth() 494 .setAuthDigitalSignature(mServerCaCert, mClientEndCert, mClientPrivateKey) 495 .build(); 496 497 verifyIkeParamsMinimumWithoutAuth(sessionParams); 498 499 IkeAuthConfig localConfig = sessionParams.getLocalAuthConfig(); 500 assertTrue(localConfig instanceof IkeAuthDigitalSignLocalConfig); 501 IkeAuthDigitalSignLocalConfig localSignConfig = (IkeAuthDigitalSignLocalConfig) localConfig; 502 assertEquals(mClientEndCert, localSignConfig.getClientEndCertificate()); 503 assertEquals(Collections.EMPTY_LIST, localSignConfig.getIntermediateCertificates()); 504 assertEquals(mClientPrivateKey, localSignConfig.getPrivateKey()); 505 506 IkeAuthConfig remoteConfig = sessionParams.getRemoteAuthConfig(); 507 assertTrue(remoteConfig instanceof IkeAuthDigitalSignRemoteConfig); 508 assertEquals( 509 mServerCaCert, ((IkeAuthDigitalSignRemoteConfig) remoteConfig).getRemoteCaCert()); 510 } 511 512 @Test testBuildWithDigitalSignatureAndIntermediateCerts()513 public void testBuildWithDigitalSignatureAndIntermediateCerts() throws Exception { 514 List<X509Certificate> intermediateCerts = 515 Arrays.asList(mClientIntermediateCaCertOne, mClientIntermediateCaCertTwo); 516 517 IkeSessionParams sessionParams = 518 createIkeParamsBuilderMinimumWithoutAuth() 519 .setAuthDigitalSignature( 520 mServerCaCert, mClientEndCert, intermediateCerts, mClientPrivateKey) 521 .build(); 522 523 verifyIkeParamsMinimumWithoutAuth(sessionParams); 524 525 IkeAuthConfig localConfig = sessionParams.getLocalAuthConfig(); 526 assertTrue(localConfig instanceof IkeAuthDigitalSignLocalConfig); 527 IkeAuthDigitalSignLocalConfig localSignConfig = (IkeAuthDigitalSignLocalConfig) localConfig; 528 assertEquals(mClientEndCert, localSignConfig.getClientEndCertificate()); 529 assertEquals(intermediateCerts, localSignConfig.getIntermediateCertificates()); 530 assertEquals(mClientPrivateKey, localSignConfig.getPrivateKey()); 531 532 IkeAuthConfig remoteConfig = sessionParams.getRemoteAuthConfig(); 533 assertTrue(remoteConfig instanceof IkeAuthDigitalSignRemoteConfig); 534 assertEquals( 535 mServerCaCert, ((IkeAuthDigitalSignRemoteConfig) remoteConfig).getRemoteCaCert()); 536 } 537 538 @Test testBuildWithIke3gppExtension()539 public void testBuildWithIke3gppExtension() throws Exception { 540 Ike3gppExtension ike3gppExtension = 541 new Ike3gppExtension( 542 new Ike3gppParams.Builder().build(), new TestIke3gppDataListener()); 543 IkeSessionParams sessionParams = 544 createIkeParamsBuilderMinimum().setIke3gppExtension(ike3gppExtension).build(); 545 546 verifyIkeParamsMinimumWithoutAuth(sessionParams); 547 assertEquals(ike3gppExtension, sessionParams.getIke3gppExtension()); 548 } 549 550 @Test 551 @IgnoreAfter(R) testBuildWithMobikeOptionPreS()552 public void testBuildWithMobikeOptionPreS() throws Exception { 553 try { 554 new IkeSessionParams.Builder().addIkeOption(IkeSessionParams.IKE_OPTION_MOBIKE); 555 fail("Expected UnsupportedOperationException for setting IKE_OPTION_MOBIKE before S"); 556 } catch (UnsupportedOperationException expected) { 557 } 558 } 559 560 @Test 561 @IgnoreUpTo(Build.VERSION_CODES.TIRAMISU) testSetIpVersion()562 public void testSetIpVersion() throws Exception { 563 final IkeSessionParams sessionParams = createIkeParamsBuilderMinimum() 564 .setIpVersion(ESP_IP_VERSION_IPV6) 565 .build(); 566 567 verifyIkeParamsMinimum(sessionParams); 568 assertEquals(ESP_IP_VERSION_IPV6, sessionParams.getIpVersion()); 569 } 570 571 @Test 572 @IgnoreUpTo(Build.VERSION_CODES.TIRAMISU) testSetEncapType()573 public void testSetEncapType() throws Exception { 574 final IkeSessionParams sessionParams = createIkeParamsBuilderMinimum() 575 .setEncapType(ESP_ENCAP_TYPE_UDP) 576 .build(); 577 578 verifyIkeParamsMinimum(sessionParams); 579 assertEquals(ESP_ENCAP_TYPE_UDP, sessionParams.getEncapType()); 580 } 581 582 /** 583 * Test Liveness Retransmission Timeouts. Test coverage up to Android U is ignored because the 584 * Liveness APIs are not available in versions below, including SDK 34. 585 * 586 * @throws java.lang.NoSuchMethodError if sdk {@code VERSION_CODES.UPSIDE_DOWN_CAKE} or less 587 */ 588 @Test 589 @IgnoreUpTo(Build.VERSION_CODES.UPSIDE_DOWN_CAKE) testSetLivenessRetransmissionTimeouts()590 public void testSetLivenessRetransmissionTimeouts() throws Exception { 591 IkeSessionParams sessionParams = 592 createIkeParamsBuilderMinimum() 593 .setLivenessRetransmissionTimeoutsMillis(LIVENESS_RETRANS_TIMEOUT_MS_LIST) 594 .build(); 595 596 verifyIkeParamsMinimum(sessionParams); 597 assertArrayEquals( 598 LIVENESS_RETRANS_TIMEOUT_MS_LIST, 599 sessionParams.getLivenessRetransmissionTimeoutsMillis()); 600 } 601 } 602