shill: wifi: Enable use of hardware-backed certificate credentials
Enable use of hardware-backed certificates and keys by enabling
the pkcs11 module for wpa_supplicant. Bonus change: Enable use
of system CAs by default, although it is expected that Chrome
sets this explicitly in all interesting cases.
BUG=chromium-os:29462
TEST=New unit tests. Manual: Connect to EAP-TLS network using hardware
backed certs.
Change-Id: I9909f25be1007a56f2b9830a03f26cb6b7931968
Reviewed-on: https://gerrit.chromium.org/gerrit/20332
Commit-Ready: Paul Stewart <pstew@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
Tested-by: Paul Stewart <pstew@chromium.org>
diff --git a/wifi_service_unittest.cc b/wifi_service_unittest.cc
index 1fbd064..173112b 100644
--- a/wifi_service_unittest.cc
+++ b/wifi_service_unittest.cc
@@ -811,6 +811,7 @@
false);
Service::EapCredentials eap;
eap.identity = "testidentity";
+ eap.pin = "xxxx";
service->set_eap(eap);
map<string, ::DBus::Variant> params;
service->Populate8021xProperties(¶ms);
@@ -819,6 +820,67 @@
wpa_supplicant::kNetworkPropertyEapIdentity));
EXPECT_FALSE(ContainsKey(params,
wpa_supplicant::kNetworkPropertyEapKeyId));
+ // Test that CA path is set by default.
+ EXPECT_TRUE(ContainsKey(params,
+ wpa_supplicant::kNetworkPropertyCaPath));
+ // Test that hardware-backed security arguments are not set.
+ EXPECT_FALSE(ContainsKey(params,
+ wpa_supplicant::kNetworkPropertyEapPin));
+ EXPECT_FALSE(ContainsKey(params,
+ wpa_supplicant::kNetworkPropertyEngine));
+ EXPECT_FALSE(ContainsKey(params,
+ wpa_supplicant::kNetworkPropertyEngineId));
+}
+
+TEST_F(WiFiServiceTest, Populate8021xNoSystemCAs) {
+ vector<uint8_t> ssid(1, 'a');
+ WiFiServiceRefPtr service = new WiFiService(control_interface(),
+ dispatcher(),
+ metrics(),
+ manager(),
+ wifi(),
+ ssid,
+ flimflam::kModeManaged,
+ flimflam::kSecurityNone,
+ false);
+ Service::EapCredentials eap;
+ eap.identity = "testidentity";
+ eap.use_system_cas = false;
+ service->set_eap(eap);
+ map<string, ::DBus::Variant> params;
+ service->Populate8021xProperties(¶ms);
+ // Test that CA path is not set if use_system_cas is explicitly false.
+ EXPECT_FALSE(ContainsKey(params,
+ wpa_supplicant::kNetworkPropertyCaPath));
+}
+
+TEST_F(WiFiServiceTest, Populate8021xUsingHardwareAuth) {
+ vector<uint8_t> ssid(1, 'a');
+ WiFiServiceRefPtr service = new WiFiService(control_interface(),
+ dispatcher(),
+ metrics(),
+ manager(),
+ wifi(),
+ ssid,
+ flimflam::kModeManaged,
+ flimflam::kSecurityNone,
+ false);
+ Service::EapCredentials eap;
+ eap.identity = "testidentity";
+ eap.key_id = "key_id";
+ eap.pin = "xxxx";
+ service->set_eap(eap);
+ map<string, ::DBus::Variant> params;
+ service->Populate8021xProperties(¶ms);
+ // Test that EAP engine parameters set if key_id is set.
+ EXPECT_TRUE(ContainsKey(params,
+ wpa_supplicant::kNetworkPropertyEapPin));
+ EXPECT_TRUE(ContainsKey(params,
+ wpa_supplicant::kNetworkPropertyEapKeyId));
+ EXPECT_TRUE(ContainsKey(params,
+ wpa_supplicant::kNetworkPropertyEngine));
+ EXPECT_TRUE(ContainsKey(params,
+ wpa_supplicant::kNetworkPropertyEngineId));
}
TEST_F(WiFiServiceTest, ClearWriteOnlyDerivedProperty) {
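Review bot: In Populate8021xUsingHardwareAuth the four `EXPECT_TRUE(ContainsKey(...))` checks only prove that the keys exist, so the test would still pass if the PIN or key id were altered, or if the engine entries named something other than the PKCS#11 module. Asserting the values would close that gap, for example `EXPECT_EQ(eap.pin, params[wpa_supplicant::kNetworkPropertyEapPin].reader().get_string());` (assuming the dbus-c++ Variant reader is available here) and the same form for the key id. The engine and engine-id entries would be compared against whatever constants Populate8021xProperties writes, which this diff does not show. The same applies to the default-CA check at the top of the hunk, which confirms `kNetworkPropertyCaPath` is present but not which directory it names. The first test's body begins outside the hunk.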