[TOFU] Validate full cert chains before displaying dialog
When a full chain including a Root CA is provided by the server,
perform a full validation of the chain before displaying the
TOFU dialog.
If validation passes: Display a TOFU dialog and ask the user if
they trust this network. Saying yes means that the Root can be
installed safely for that network. They might say no - this is
possible if an attacker creates a full chain they control which
results in a different SHA-256 (everything else looks correct).
If they say no, we stop the connection.
If validation fails: Display an error message saying that the
validation failed, we stop the connection and won't display the
TOFU dialog.
Use server certificate pinning for servers that send only a leaf
or a partial chain with no Root CA.
Additionally: clean up the debug logs to reduce the noise and
focus only on the important details.
Bug: 277824547
Test: atest InsecureEapNetworkHandler
Test: Connect to various Enterprise networks
Negative test: Confirm verification fails for invalid chains
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b0ee00ddf38bb677876a6cffb876e6f511e2c139)
Merged-In: I224c80e2787497634d3e68760122dac5f177585a
Change-Id: I224c80e2787497634d3e68760122dac5f177585a
14 files changed