commit ea6eb5557d5cddeca1659ab7aa1d73ce161e80a2
author Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Thu May 18 22:22:52 2023 +0000
committer Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Thu May 18 22:22:52 2023 +0000
tree 19295e983e952138d749ebca871d7c3055ca1019
parent 5db995d600c6290fa0edbc42c825edd9518a480c
parent 3d545468ee9be3ded581abf93e691ad0e36cdea9

[coastguard skipped] Merge sparse cherrypicks from sparse-10161073-L49900000960778179 into tm-qpr3-release.

COASTGUARD_SKIP: I8c1b858c8990c60cea48a59fc390f57a40ed86ba
COASTGUARD_SKIP: Ib64dbf2cc9e785d7cf51eed37cc9f610e37df423
COASTGUARD_SKIP: I224c80e2787497634d3e68760122dac5f177585a
COASTGUARD_SKIP: Iede626004a1ea46f47b185777c97794e4d3ded4e
COASTGUARD_SKIP: Id37e395f4f4f05b7901b718e3ea84c56b95cdfe7

Change-Id: Ib8f8546171128e4d2942b858881a7f64fbab1e3b

framework/java/android/net/wifi/WifiEnterpriseConfig.java

diff --git a/framework/java/android/net/wifi/WifiEnterpriseConfig.java b/framework/java/android/net/wifi/WifiEnterpriseConfig.java
index af51a8c..2a53e35 100644
--- a/framework/java/android/net/wifi/WifiEnterpriseConfig.java
+++ b/framework/java/android/net/wifi/WifiEnterpriseConfig.java
@@ -126,11 +126,6 @@
     public static final String KEYSTORES_URI = "keystores://";
 
     /**
-     * String representing a SHA-256 certificate hash used for wpa_supplicant.
-     */
-    private static final String CERT_HASH_PREFIX = "hash://server/sha256/";
-
-    /**
      * String to set the engine value to when it should be enabled.
      * @hide
      */
@@ -712,16 +707,6 @@
     }
 
     /**
-     * Set a server certificate hash instead of a CA certificate for a TOFU connection
-     *
-     * @param certHash Server certificate hash to match against in subsequent connections
-     * @hide
-     */
-    public void setServerCertificateHash(String certHash) {
-        setFieldValue(CA_CERT_KEY, certHash, CERT_HASH_PREFIX);
-    }
-
-    /**
      * Set CA certificate alias.
      *
      * <p> See the {@link android.security.KeyChain} for details on installing or choosing

framework/java/android/net/wifi/hotspot2/PasspointConfiguration.java

diff --git a/framework/java/android/net/wifi/hotspot2/PasspointConfiguration.java b/framework/java/android/net/wifi/hotspot2/PasspointConfiguration.java
index f9ebd2b..60c8133 100644
--- a/framework/java/android/net/wifi/hotspot2/PasspointConfiguration.java
+++ b/framework/java/android/net/wifi/hotspot2/PasspointConfiguration.java
@@ -996,12 +996,12 @@
             }
             String[] decoratedIdentityPrefixArray = mDecoratedIdentityPrefix.split("!");
             if (decoratedIdentityPrefixArray.length > MAX_NUMBER_OF_ENTRIES) {
-                Log.e(TAG, "too many decoratedIdentityPrefix");
+                Log.d(TAG, "too many decoratedIdentityPrefix");
                 return false;
             }
             for (String prefix : decoratedIdentityPrefixArray) {
                 if (prefix.length() > MAX_STRING_LENGTH) {
-                    Log.e(TAG, "The decoratedIdentityPrefix is too long: " + prefix);
+                    Log.d(TAG, "The decoratedIdentityPrefix is too long: " + prefix);
                     return false;
                 }
             }
@@ -1009,70 +1009,52 @@
 
         if (mAaaServerTrustedNames != null) {
             if (mAaaServerTrustedNames.length > MAX_NUMBER_OF_ENTRIES) {
-                Log.e(TAG, "Too many AaaServerTrustedNames");
+                Log.d(TAG, "Too many AaaServerTrustedNames");
                 return false;
             }
             for (String fqdn : mAaaServerTrustedNames) {
                 if (fqdn.getBytes(StandardCharsets.UTF_8).length > MAX_STRING_LENGTH) {
-                    Log.e(TAG, "AaaServerTrustedNames is too long");
+                    Log.d(TAG, "AaaServerTrustedNames is too long");
                     return false;
                 }
             }
         }
         if (mSubscriptionType != null) {
             if (mSubscriptionType.getBytes(StandardCharsets.UTF_8).length > MAX_STRING_LENGTH) {
-                Log.e(TAG, "SubscriptionType is too long");
+                Log.d(TAG, "SubscriptionType is too long");
                 return false;
             }
         }
 
         if (mTrustRootCertList != null) {
             if (mTrustRootCertList.size() > MAX_NUMBER_OF_ENTRIES) {
-                Log.e(TAG, "Too many TrustRootCert");
+                Log.d(TAG, "Too many TrustRootCert");
                 return false;
             }
             for (Map.Entry<String, byte[]> entry : mTrustRootCertList.entrySet()) {
                 String url = entry.getKey();
                 byte[] certFingerprint = entry.getValue();
                 if (TextUtils.isEmpty(url)) {
-                    Log.e(TAG, "Empty URL");
+                    Log.d(TAG, "Empty URL");
                     return false;
                 }
                 if (url.getBytes(StandardCharsets.UTF_8).length > MAX_URL_BYTES) {
-                    Log.e(TAG, "URL bytes exceeded the max: "
+                    Log.d(TAG, "URL bytes exceeded the max: "
                             + url.getBytes(StandardCharsets.UTF_8).length);
                     return false;
                 }
 
                 if (certFingerprint == null) {
-                    Log.e(TAG, "Fingerprint not specified");
+                    Log.d(TAG, "Fingerprint not specified");
                     return false;
                 }
                 if (certFingerprint.length != CERTIFICATE_SHA256_BYTES) {
-                    Log.e(TAG, "Incorrect size of trust root certificate SHA-256 fingerprint: "
+                    Log.d(TAG, "Incorrect size of trust root certificate SHA-256 fingerprint: "
                             + certFingerprint.length);
                     return false;
                 }
             }
         }
-
-        if (mServiceFriendlyNames != null) {
-            if (mServiceFriendlyNames.size() > MAX_NUMBER_OF_ENTRIES) {
-                Log.e(TAG, "ServiceFriendlyNames exceed the max!");
-                return false;
-            }
-            for (Map.Entry<String, String> names : mServiceFriendlyNames.entrySet()) {
-                if (names.getKey() == null || names.getValue() == null) {
-                    Log.e(TAG, "Service friendly name entry should not be null");
-                    return false;
-                }
-                if (names.getKey().length() > MAX_STRING_LENGTH
-                        || names.getValue().length() > MAX_STRING_LENGTH) {
-                    Log.e(TAG, "Service friendly name is to long");
-                    return false;
-                }
-            }
-        }
         return true;
     }
 

framework/java/android/net/wifi/hotspot2/pps/Policy.java

diff --git a/framework/java/android/net/wifi/hotspot2/pps/Policy.java b/framework/java/android/net/wifi/hotspot2/pps/Policy.java
index 4bdaceb..b0a2cc3 100644
--- a/framework/java/android/net/wifi/hotspot2/pps/Policy.java
+++ b/framework/java/android/net/wifi/hotspot2/pps/Policy.java
@@ -16,9 +16,6 @@
 
 package android.net.wifi.hotspot2.pps;
 
-import static android.net.wifi.hotspot2.PasspointConfiguration.MAX_NUMBER_OF_ENTRIES;
-import static android.net.wifi.hotspot2.PasspointConfiguration.MAX_STRING_LENGTH;
-
 import android.os.Parcel;
 import android.os.Parcelable;
 import android.text.TextUtils;
@@ -272,19 +269,11 @@
          */
         public boolean validate() {
             if (TextUtils.isEmpty(mFqdn)) {
-                Log.e(TAG, "Missing FQDN");
-                return false;
-            }
-            if (mFqdn.getBytes(StandardCharsets.UTF_8).length > MAX_STRING_LENGTH) {
-                Log.e(TAG, "FQDN is too long");
+                Log.d(TAG, "Missing FQDN");
                 return false;
             }
             if (TextUtils.isEmpty(mCountries)) {
-                Log.e(TAG, "Missing countries");
-                return false;
-            }
-            if (mCountries.getBytes(StandardCharsets.UTF_8).length > MAX_STRING_LENGTH) {
-                Log.e(TAG, "country is too long");
+                Log.d(TAG, "Missing countries");
                 return false;
             }
             return true;
@@ -460,7 +449,7 @@
             }
             for (String ssid : mExcludedSsidList) {
                 if (ssid.getBytes(StandardCharsets.UTF_8).length > MAX_SSID_BYTES) {
-                    Log.e(TAG, "Invalid SSID: " + ssid);
+                    Log.d(TAG, "Invalid SSID: " + ssid);
                     return false;
                 }
             }
@@ -468,24 +457,15 @@
         // Validate required protocol to port map.
         if (mRequiredProtoPortMap != null) {
             for (Map.Entry<Integer, String> entry : mRequiredProtoPortMap.entrySet()) {
-                int protocol = entry.getKey();
-                if (protocol < 0 || protocol > 255) {
-                    Log.e(TAG, "Invalid IP protocol: " + protocol);
-                    return false;
-                }
                 String portNumber = entry.getValue();
                 if (portNumber.getBytes(StandardCharsets.UTF_8).length > MAX_PORT_STRING_BYTES) {
-                    Log.e(TAG, "PortNumber string bytes exceeded the max: " + portNumber);
+                    Log.d(TAG, "PortNumber string bytes exceeded the max: " + portNumber);
                     return false;
                 }
             }
         }
         // Validate preferred roaming partner list.
         if (mPreferredRoamingPartnerList != null) {
-            if (mPreferredRoamingPartnerList.size() > MAX_NUMBER_OF_ENTRIES) {
-                Log.e(TAG, "Number of the Preferred Roaming Partner exceed the limit");
-                return false;
-            }
             for (RoamingPartner partner : mPreferredRoamingPartnerList) {
                 if (!partner.validate()) {
                     return false;

framework/tests/src/android/net/wifi/hotspot2/PasspointConfigurationTest.java

diff --git a/framework/tests/src/android/net/wifi/hotspot2/PasspointConfigurationTest.java b/framework/tests/src/android/net/wifi/hotspot2/PasspointConfigurationTest.java
index 4d80cf4..8318de3 100644
--- a/framework/tests/src/android/net/wifi/hotspot2/PasspointConfigurationTest.java
+++ b/framework/tests/src/android/net/wifi/hotspot2/PasspointConfigurationTest.java
@@ -741,12 +741,5 @@
         homeSp.setRoamingConsortiumOis(ois);
         assertFalse(homeSp.validate());
         homeSp.setRoamingConsortiumOis(null);
-        // ServiceFriendlyNames exceed the limit
-        HashMap<String, String> friendlyNames = new HashMap<>();
-        for (int i = 0; i < MAX_NUMBER_OF_ENTRIES + 1; i++) {
-            friendlyNames.put(String.valueOf(i), String.valueOf(i));
-        }
-        passpointConfiguration.setServiceFriendlyNames(friendlyNames);
-        assertFalse(passpointConfiguration.validate());
     }
 }

framework/tests/src/android/net/wifi/hotspot2/pps/PolicyTest.java

diff --git a/framework/tests/src/android/net/wifi/hotspot2/pps/PolicyTest.java b/framework/tests/src/android/net/wifi/hotspot2/pps/PolicyTest.java
index bd6864b..980b199 100644
--- a/framework/tests/src/android/net/wifi/hotspot2/pps/PolicyTest.java
+++ b/framework/tests/src/android/net/wifi/hotspot2/pps/PolicyTest.java
@@ -16,8 +16,6 @@
 
 package android.net.wifi.hotspot2.pps;
 
-import static android.net.wifi.hotspot2.PasspointConfiguration.MAX_NUMBER_OF_ENTRIES;
-
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 
@@ -311,32 +309,4 @@
         policy.setExcludedSsidList(excludedSsidList);
         assertFalse(policy.validate());
     }
-
-    @Test
-    public void validatePolicyWithInvalidRequiredProtoPortMap() {
-        Policy policy = createPolicy();
-        Map<Integer, String> requiredProtoPortMap = new HashMap<>();
-        requiredProtoPortMap.put(-1, "23,342,123");
-        policy.setRequiredProtoPortMap(requiredProtoPortMap);
-        assertFalse(policy.validate());
-        requiredProtoPortMap.put(256, "23,342,123");
-        policy.setRequiredProtoPortMap(requiredProtoPortMap);
-        assertFalse(policy.validate());
-    }
-
-    @Test
-    public void validatePolicyWithPreferRoamingPartner() {
-        Policy policy = createPolicy();
-        List<Policy.RoamingPartner> preferredRoamingPartnerList = new ArrayList<>();
-        for (int i = 0; i < MAX_NUMBER_OF_ENTRIES + 1; i++) {
-            Policy.RoamingPartner partner = new Policy.RoamingPartner();
-            partner.setFqdn("partner1.com");
-            partner.setFqdnExactMatch(true);
-            partner.setPriority(12);
-            partner.setCountries("us,jp");
-            preferredRoamingPartnerList.add(partner);
-        }
-        policy.setPreferredRoamingPartnerList(preferredRoamingPartnerList);
-        assertFalse(policy.validate());
-    }
 }

service/java/com/android/server/wifi/CertificateEventInfo.java

diff --git a/service/java/com/android/server/wifi/CertificateEventInfo.java b/service/java/com/android/server/wifi/CertificateEventInfo.java
deleted file mode 100644
index f688e4d..0000000
--- a/service/java/com/android/server/wifi/CertificateEventInfo.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright (C) 2023 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package com.android.server.wifi;
-
-import android.annotation.NonNull;
-
-import java.security.cert.X509Certificate;
-import java.util.Objects;
-
-/**
- * Stores supplicant certificate event information
- */
-public class CertificateEventInfo {
-    CertificateEventInfo(@NonNull X509Certificate cert, @NonNull String certHash) {
-        this.mCert = Objects.requireNonNull(cert);
-        this.mCertHash = Objects.requireNonNull(certHash);
-    }
-    @NonNull private final X509Certificate mCert;
-    @NonNull private final String mCertHash;
-
-    /**
-     * Get the X509 certificate stored in this object
-     *
-     * @return X509 certificate
-     */
-    public X509Certificate getCert() {
-        return mCert;
-    }
-
-    /**
-     * Get the certificate hash of the stored certificate
-     *
-     * @return certificate hash
-     */
-    public String getCertHash() {
-        return mCertHash;
-    }
-
-    @Override
-    public String toString() {
-        StringBuilder sb = new StringBuilder();
-        sb.append(" Certificate Hash: ").append(mCertHash);
-        sb.append(" X509Certificate: ").append(mCert);
-        return sb.toString();
-    }
-}
-
-
-

service/java/com/android/server/wifi/ClientModeImpl.java

diff --git a/service/java/com/android/server/wifi/ClientModeImpl.java b/service/java/com/android/server/wifi/ClientModeImpl.java
index 987bb93..c4c0823 100644
--- a/service/java/com/android/server/wifi/ClientModeImpl.java
+++ b/service/java/com/android/server/wifi/ClientModeImpl.java
@@ -164,6 +164,7 @@
 import java.net.Inet6Address;
 import java.net.InetAddress;
 import java.net.URL;
+import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -425,7 +426,6 @@
     private final RestrictedWifiNetworkFactory mRestrictedWifiNetworkFactory;
     @VisibleForTesting
     InsecureEapNetworkHandler mInsecureEapNetworkHandler;
-    boolean mLeafCertSent;
     @VisibleForTesting
     InsecureEapNetworkHandler.InsecureEapNetworkHandlerCallbacks
             mInsecureEapNetworkHandlerCallbacksImpl;
@@ -829,9 +829,9 @@
         mInsecureEapNetworkHandlerCallbacksImpl =
                 new InsecureEapNetworkHandler.InsecureEapNetworkHandlerCallbacks() {
                 @Override
-                public void onAccept(String ssid, int networkId) {
+                public void onAccept(String ssid) {
                     log("Accept Root CA cert for " + ssid);
-                    sendMessage(CMD_ACCEPT_EAP_SERVER_CERTIFICATE, networkId);
+                    sendMessage(CMD_ACCEPT_EAP_SERVER_CERTIFICATE, ssid);
                 }
 
                 @Override
@@ -905,7 +905,7 @@
             WifiMonitor.MBO_OCE_BSS_TM_HANDLING_DONE,
             WifiMonitor.TRANSITION_DISABLE_INDICATION,
             WifiMonitor.NETWORK_NOT_FOUND_EVENT,
-            WifiMonitor.TOFU_CERTIFICATE_EVENT,
+            WifiMonitor.TOFU_ROOT_CA_CERTIFICATE,
             WifiMonitor.AUXILIARY_SUPPLICANT_EVENT,
             WifiMonitor.QOS_POLICY_RESET_EVENT,
             WifiMonitor.QOS_POLICY_REQUEST_EVENT,
@@ -2307,8 +2307,8 @@
                 return "BLOCK_DISCOVERY";
             case WifiMonitor.NETWORK_NOT_FOUND_EVENT:
                 return "NETWORK_NOT_FOUND_EVENT";
-            case WifiMonitor.TOFU_CERTIFICATE_EVENT:
-                return "TOFU_CERTIFICATE_EVENT";
+            case WifiMonitor.TOFU_ROOT_CA_CERTIFICATE:
+                return "TOFU_ROOT_CA_CERTIFICATE";
             default:
                 return "what:" + what;
         }
@@ -4025,7 +4025,6 @@
 
                     // TOFU flow for devices that do not support this feature
                     mInsecureEapNetworkHandler.prepareConnection(mTargetWifiConfiguration);
-                    mLeafCertSent = false;
                     if (!isTrustOnFirstUseSupported()) {
                         mInsecureEapNetworkHandler.startUserApprovalIfNecessary(mIsUserSelected);
                     }
@@ -4272,13 +4271,6 @@
                     break;
                 }
                 case CMD_ACCEPT_EAP_SERVER_CERTIFICATE:
-                    // If TOFU is not supported, then we are already connected
-                    if (!isTrustOnFirstUseSupported()) break;
-                    // Got an approval for a TOFU network. Disconnect (if connected) and trigger
-                    // a connection to the new approved network.
-                    logd("User accepted TOFU provided certificate");
-                    startConnectToNetwork(message.arg1, Process.WIFI_UID, SUPPLICANT_BSSID_ANY);
-                    break;
                 case CMD_REJECT_EAP_INSECURE_CONNECTION:
                 case CMD_START_ROAM:
                 case CMD_START_RSSI_MONITORING_OFFLOAD:
@@ -5396,24 +5388,22 @@
                     handleStatus = NOT_HANDLED;
                     break;
                 }
-                case WifiMonitor.TOFU_CERTIFICATE_EVENT: {
+                case WifiMonitor.TOFU_ROOT_CA_CERTIFICATE:
                     if (null == mTargetWifiConfiguration) break;
-                    final int certificateDepth = message.arg2;
-                    final CertificateEventInfo eventInfo = (CertificateEventInfo) message.obj;
+                    int certificateDepth = message.arg2;
                     if (!mInsecureEapNetworkHandler.addPendingCertificate(
-                            mTargetWifiConfiguration.SSID, certificateDepth, eventInfo)) {
+                            mTargetWifiConfiguration.SSID, message.arg2,
+                            (X509Certificate) message.obj)) {
                         Log.d(TAG, "Cannot set pending cert.");
                     }
                     // Launch user approval upon receiving the server certificate and disconnect
-                    if (certificateDepth == 0 && !mLeafCertSent && mInsecureEapNetworkHandler
+                    if (certificateDepth == 0 && mInsecureEapNetworkHandler
                             .startUserApprovalIfNecessary(mIsUserSelected)) {
                         // In the TOFU flow, the user approval dialog is now displayed and the
                         // network remains disconnected and disabled until it is approved.
                         sendMessage(CMD_DISCONNECT, StaEvent.DISCONNECT_NETWORK_UNTRUSTED);
-                        mLeafCertSent = true;
                     }
                     break;
-                }
                 default: {
                     handleStatus = NOT_HANDLED;
                     break;
@@ -6429,6 +6419,12 @@
                     }
                     break;
                 }
+                case CMD_ACCEPT_EAP_SERVER_CERTIFICATE:
+                    // Got an approval for a TOFU network, trigger a scan to accelerate the
+                    // auto-connection.
+                    logd("User accepted TOFU provided certificate");
+                    mWifiConnectivityManager.forceConnectivityScan(ClientModeImpl.WIFI_WORK_SOURCE);
+                    break;
                 default: {
                     handleStatus = NOT_HANDLED;
                     break;

service/java/com/android/server/wifi/InsecureEapNetworkHandler.java

diff --git a/service/java/com/android/server/wifi/InsecureEapNetworkHandler.java b/service/java/com/android/server/wifi/InsecureEapNetworkHandler.java
index fa3bee7..ac43dcd 100644
--- a/service/java/com/android/server/wifi/InsecureEapNetworkHandler.java
+++ b/service/java/com/android/server/wifi/InsecureEapNetworkHandler.java
@@ -18,7 +18,6 @@
 
 import android.annotation.NonNull;
 import android.annotation.Nullable;
-import android.annotation.SuppressLint;
 import android.app.Notification;
 import android.app.PendingIntent;
 import android.content.BroadcastReceiver;
@@ -41,21 +40,13 @@
 import com.android.server.wifi.util.CertificateSubjectInfo;
 import com.android.wifi.resources.R;
 
-import java.security.InvalidAlgorithmParameterException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertPath;
-import java.security.cert.CertPathValidator;
-import java.security.cert.CertPathValidatorException;
 import java.security.cert.CertificateEncodingException;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.PKIXParameters;
-import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Date;
-import java.util.LinkedList;
-import java.util.Set;
+import java.util.List;
 import java.util.StringJoiner;
 
 /** This class is used to handle insecure EAP networks. */
@@ -109,16 +100,9 @@
     // This is updated on setting a pending server cert.
     private CertificateSubjectInfo mPendingServerCertIssuerInfo = null;
     // Record the whole server cert chain from Root CA to the server cert.
-    // The order of the certificates in the chain required by the validation method is in the
-    // reverse order to the order we receive them from the lower layers. Therefore, we are using a
-    // LinkedList data type here, so that we could add certificates to the head, rather than
-    // using an ArrayList and then having to reverse it.
-    // Using SuppressLint here to avoid linter errors related to LinkedList usage.
-    @SuppressLint("JdkObsolete")
-    private LinkedList<X509Certificate> mServerCertChain = new LinkedList<>();
+    private List<X509Certificate> mServerCertChain = new ArrayList<>();
     private WifiDialogManager.DialogHandle mTofuAlertDialog = null;
     private boolean mIsCertNotificationReceiverRegistered = false;
-    private String mServerCertHash = null;
 
     BroadcastReceiver mCertNotificationReceiver = new BroadcastReceiver() {
         @Override
@@ -252,17 +236,19 @@
      * @param ssid the target network SSID.
      * @param depth the depth of this cert. The Root CA should be 0 or
      *        a positive number, and the server cert is 0.
-     * @param certInfo a certificate info object from the server.
+     * @param cert a certificate from the server.
      * @return true if the cert is cached; otherwise, false.
      */
     public boolean addPendingCertificate(@NonNull String ssid, int depth,
-            @NonNull CertificateEventInfo certInfo) {
+            @NonNull X509Certificate cert) {
         String configProfileKey = mCurrentTofuConfig != null
                 ? mCurrentTofuConfig.getProfileKey() : "null";
+        Log.d(TAG, "setPendingCertificate: " + "ssid=" + ssid + " depth=" + depth
+                + " current config=" + configProfileKey);
         if (TextUtils.isEmpty(ssid)) return false;
         if (null == mCurrentTofuConfig) return false;
         if (!TextUtils.equals(ssid, mCurrentTofuConfig.SSID)) return false;
-        if (null == certInfo) return false;
+        if (null == cert) return false;
         if (depth < 0) return false;
 
         // If TOFU is not supported return immediately, although this should not happen since
@@ -283,38 +269,36 @@
             putNetworkOnHold();
         }
 
-        if (!mServerCertChain.contains(certInfo.getCert())) {
-            mServerCertChain.addFirst(certInfo.getCert());
-            Log.d(TAG, "addPendingCertificate: " + "SSID=" + ssid + " depth=" + depth
-                    + " certHash=" + certInfo.getCertHash() + " current config=" + configProfileKey
-                    + "\ncertificate content:\n" + certInfo.getCert());
+        if (!mServerCertChain.contains(cert)) {
+            mServerCertChain.add(cert);
         }
 
         // 0 is the tail, i.e. the server cert.
         if (depth == 0 && null == mPendingServerCert) {
-            mPendingServerCert = certInfo.getCert();
+            mPendingServerCert = cert;
+            Log.d(TAG, "Pending server certificate: " + mPendingServerCert);
             mPendingServerCertSubjectInfo = CertificateSubjectInfo.parse(
-                    certInfo.getCert().getSubjectX500Principal().getName());
+                    cert.getSubjectX500Principal().getName());
             if (null == mPendingServerCertSubjectInfo) {
-                Log.e(TAG, "Cert has no valid subject.");
+                Log.e(TAG, "CA cert has no valid subject.");
                 return false;
             }
             mPendingServerCertIssuerInfo = CertificateSubjectInfo.parse(
-                    certInfo.getCert().getIssuerX500Principal().getName());
+                    cert.getIssuerX500Principal().getName());
             if (null == mPendingServerCertIssuerInfo) {
-                Log.e(TAG, "Cert has no valid issuer.");
+                Log.e(TAG, "CA cert has no valid issuer.");
                 return false;
             }
-            mServerCertHash = certInfo.getCertHash();
         }
 
         // Root or intermediate cert.
         if (depth < mPendingRootCaCertDepth) {
+            Log.d(TAG, "Ignore intermediate cert." + cert);
             return true;
         }
         mPendingRootCaCertDepth = depth;
-        mPendingRootCaCert = certInfo.getCert();
-
+        mPendingRootCaCert = cert;
+        Log.d(TAG, "Pending Root CA certificate: " + mPendingRootCaCert);
         return true;
     }
 
@@ -362,13 +346,7 @@
                 handleError(mCurrentTofuConfig.SSID);
                 return false;
             }
-
-            Log.d(TAG, "TOFU certificate chain:");
-            for (X509Certificate cert : mServerCertChain) {
-                Log.d(TAG, cert.getSubjectX500Principal().getName());
-            }
-
-            if (!configureServerValidationMethod()) {
+            if (!isServerCertChainValid()) {
                 Log.e(TAG, "Server cert chain is invalid.");
                 String ssid = mCurrentTofuConfig.SSID;
                 handleError(ssid);
@@ -380,6 +358,9 @@
             return false;
         }
 
+        Log.d(TAG, "startUserApprovalIfNecessaryForInsecureEapNetwork: mIsUserSelected="
+                + isUserSelected);
+
         if (isUserSelected) {
             askForUserApprovalForCaCertificate();
         } else {
@@ -460,76 +441,32 @@
         clearNativeData();
     }
 
-    /**
-     * Configure the server validation method based on the incoming server certificate chain.
-     * If a valid method is found, the method returns true, and the caller can continue the TOFU
-     * process.
-     *
-     * A valid method could be one of the following:
-     * 1. If only the leaf or a partial chain is provided, use server certificate pinning.
-     * 2. If a full chain is provided, use the provided Root CA, but only if we are able to
-     *    cryptographically validate it.
-     *
-     * If no certificates were received, or the certificates are invalid, or chain verification
-     * fails, the method returns false and the caller should abort the TOFU process.
-     */
-    private boolean configureServerValidationMethod() {
-        if (mServerCertChain.size() == 0) {
-            Log.e(TAG, "No certificate chain provided by the server.");
-            return false;
-        }
-        if (mServerCertChain.size() == 1) {
-            Log.i(TAG, "Only one certificate provided, use server certificate pinning");
-            return true;
-        }
-        if (mPendingRootCaCert.getSubjectX500Principal().getName()
-                .equals(mPendingRootCaCert.getIssuerX500Principal().getName())) {
-            if (mPendingRootCaCert.getVersion() >= 2
-                    && mPendingRootCaCert.getBasicConstraints() < 0) {
-                Log.i(TAG, "Root CA with no CA bit set in basic constraints, "
-                        + "use server certificate pinning");
-                return true;
-            }
-        } else {
-            // TODO: b/271921032 some deployments that use globally trusted Root CAs do not include
-            // the Root during the handshake, only an intermediate. We can start the handshake with
-            // the Android trust store and validate the connection with a Root CA rather than
-            // certificate pinning.
-            Log.i(TAG, "Root CA is not self-signed, use server certificate pinning");
-            return true;
-        }
+    private boolean isServerCertChainValid() {
+        if (mServerCertChain.size() == 0) return false;
 
-        CertPath certPath;
-        try {
-            certPath = CertificateFactory.getInstance("X.509").generateCertPath(mServerCertChain);
-        } catch (CertificateException e) {
-            Log.e(TAG, "Certificate chain is invalid.");
-            return false;
-        } catch (IllegalStateException e) {
-            Log.wtf(TAG, "Fail: " + e);
-            return false;
+        X509Certificate parentCert = null;
+        for (X509Certificate cert: mServerCertChain) {
+            String subject = cert.getSubjectX500Principal().getName();
+            String issuer = cert.getIssuerX500Principal().getName();
+            boolean isCa = cert.getBasicConstraints() >= 0;
+            Log.d(TAG, "Subject: " + subject + ", Issuer: " + issuer + ", isCA: " + isCa);
+
+            if (parentCert == null) {
+                // The root cert, it should be a CA cert or a self-signed cert.
+                if (!isCa && !subject.equals(issuer)) {
+                    Log.e(TAG, "The root cert is not a CA cert or a self-signed cert.");
+                    return false;
+                }
+            } else {
+                // The issuer of intermediate cert of the leaf cert should be
+                // the same as the subject of its parent cert.
+                if (!parentCert.getSubjectX500Principal().getName().equals(issuer)) {
+                    Log.e(TAG, "The issuer does not match the subject of its parent.");
+                    return false;
+                }
+            }
+            parentCert = cert;
         }
-        CertPathValidator certPathValidator;
-        try {
-            certPathValidator = CertPathValidator.getInstance("PKIX");
-        } catch (NoSuchAlgorithmException e) {
-            Log.wtf(TAG, "PKIX algorithm not supported.");
-            return false;
-        }
-        try {
-            Set<TrustAnchor> anchorSet = Set.of(new TrustAnchor(mPendingRootCaCert, null));
-            PKIXParameters params = new PKIXParameters(anchorSet);
-            params.setRevocationEnabled(false);
-            certPathValidator.validate(certPath, params);
-        } catch (InvalidAlgorithmParameterException e) {
-            Log.wtf(TAG, "Invalid algorithm exception.");
-            return false;
-        } catch (CertPathValidatorException e) {
-            Log.e(TAG, "Server certificate chain validation failed: " + e);
-            return false;
-        }
-        Log.i(TAG, "Server certificate chain validation succeeded, use Root CA");
-        mServerCertHash = null;
         return true;
     }
 
@@ -571,21 +508,19 @@
                 return;
             }
             if (!mWifiConfigManager.updateCaCertificate(
-                    mCurrentTofuConfig.networkId, mPendingRootCaCert, mPendingServerCert,
-                    mServerCertHash)) {
+                    mCurrentTofuConfig.networkId, mPendingRootCaCert, mPendingServerCert)) {
                 // The user approved this network,
                 // keep the connection regardless of the result.
                 Log.e(TAG, "Cannot update CA cert to network " + mCurrentTofuConfig.getProfileKey()
                         + ", CA cert = " + mPendingRootCaCert);
             }
         }
-        int networkId = mCurrentTofuConfig.networkId;
-        mWifiConfigManager.updateNetworkSelectionStatus(networkId,
+        mWifiConfigManager.updateNetworkSelectionStatus(mCurrentTofuConfig.networkId,
                 WifiConfiguration.NetworkSelectionStatus.DISABLED_NONE);
         dismissDialogAndNotification();
         clearInternalData();
 
-        if (null != mCallbacks) mCallbacks.onAccept(ssid, networkId);
+        if (null != mCallbacks) mCallbacks.onAccept(ssid);
     }
 
     @VisibleForTesting
@@ -806,7 +741,6 @@
         mPendingServerCertSubjectInfo = null;
         mPendingServerCertIssuerInfo = null;
         mCurrentTofuConfig = null;
-        mServerCertHash = null;
     }
 
     private void clearNativeData() {
@@ -878,9 +812,8 @@
          * When a certificate is accepted, this callback is called.
          *
          * @param ssid SSID of the network.
-         * @param networkId  network ID
          */
-        public void onAccept(@NonNull String ssid, int networkId) {}
+        public void onAccept(@NonNull String ssid) {}
         /**
          * When a certificate is rejected, this callback is called.
          *

service/java/com/android/server/wifi/SupplicantStaNetworkCallbackAidlImpl.java

diff --git a/service/java/com/android/server/wifi/SupplicantStaNetworkCallbackAidlImpl.java b/service/java/com/android/server/wifi/SupplicantStaNetworkCallbackAidlImpl.java
index 63a9e46..c8d9ff9 100644
--- a/service/java/com/android/server/wifi/SupplicantStaNetworkCallbackAidlImpl.java
+++ b/service/java/com/android/server/wifi/SupplicantStaNetworkCallbackAidlImpl.java
@@ -209,8 +209,7 @@
                     + " certHash=" + certHash
                     + " cert=" + cert);
             mWifiMonitor.broadcastCertificationEvent(
-                    mIfaceName, mFrameworkNetworkId, mSsid, depth,
-                    new CertificateEventInfo(cert, certHash));
+                    mIfaceName, mFrameworkNetworkId, mSsid, depth, cert);
         }
     }
 

service/java/com/android/server/wifi/WifiConfigManager.java

diff --git a/service/java/com/android/server/wifi/WifiConfigManager.java b/service/java/com/android/server/wifi/WifiConfigManager.java
index dca3e6b..ee6fea7 100644
--- a/service/java/com/android/server/wifi/WifiConfigManager.java
+++ b/service/java/com/android/server/wifi/WifiConfigManager.java
@@ -4108,17 +4108,16 @@
     }
 
     /**
-     * This method updates the Root CA certificate and the domain name of the
+     * This method updates the Root CA certifiate and the domain name of the
      * server in the internal network.
      *
      * @param networkId networkId corresponding to the network to be updated.
      * @param caCert Root CA certificate to be updated.
      * @param serverCert Server certificate to be updated.
-     * @param certHash Server certificate hash (for TOFU case with no Root CA)
      * @return true if updating Root CA certificate successfully; otherwise, false.
      */
     public boolean updateCaCertificate(int networkId, @NonNull X509Certificate caCert,
-            @NonNull X509Certificate serverCert, String certHash) {
+            @NonNull X509Certificate serverCert) {
         WifiConfiguration internalConfig = getInternalConfiguredNetwork(networkId);
         if (internalConfig == null) {
             Log.e(TAG, "No network for network ID " + networkId);
@@ -4150,15 +4149,11 @@
         WifiConfiguration newConfig = new WifiConfiguration(internalConfig);
         try {
             if (newConfig.enterpriseConfig.isTrustOnFirstUseEnabled()) {
-                if (TextUtils.isEmpty(certHash)) {
-                    newConfig.enterpriseConfig.setCaCertificateForTrustOnFirstUse(caCert);
-                } else {
-                    newConfig.enterpriseConfig.setServerCertificateHash(certHash);
-                }
-                newConfig.enterpriseConfig.enableTrustOnFirstUse(false);
-            } else {
+                newConfig.enterpriseConfig.setCaCertificateForTrustOnFirstUse(caCert);
                 // setCaCertificate will mark that this CA certificate should be removed on
                 // removing this configuration.
+                newConfig.enterpriseConfig.enableTrustOnFirstUse(false);
+            } else {
                 newConfig.enterpriseConfig.setCaCertificate(caCert);
             }
         } catch (IllegalArgumentException ex) {
@@ -4180,7 +4175,7 @@
             newConfig.enterpriseConfig.setDomainSuffixMatch(serverCertInfo.commonName);
         }
         newConfig.enterpriseConfig.setUserApproveNoCaCert(false);
-        // Trigger an update to install CA certificate and the corresponding configuration.
+        // Trigger an update to install CA certifiate and the corresponding configuration.
         NetworkUpdateResult result = addOrUpdateNetwork(newConfig, internalConfig.creatorUid);
         if (!result.isSuccess()) {
             Log.e(TAG, "Failed to install CA cert for network " + internalConfig.SSID);

service/java/com/android/server/wifi/WifiConfigurationUtil.java

diff --git a/service/java/com/android/server/wifi/WifiConfigurationUtil.java b/service/java/com/android/server/wifi/WifiConfigurationUtil.java
index 4a594b7..907ca72 100644
--- a/service/java/com/android/server/wifi/WifiConfigurationUtil.java
+++ b/service/java/com/android/server/wifi/WifiConfigurationUtil.java
@@ -720,10 +720,6 @@
                 && !validatePassword(config.preSharedKey, isAdd, true)) {
             return false;
         }
-        if (config.isSecurityType(WifiConfiguration.SECURITY_TYPE_WAPI_PSK)
-                && !validatePassword(config.preSharedKey, isAdd, false)) {
-            return false;
-        }
         if (config.isSecurityType(WifiConfiguration.SECURITY_TYPE_DPP)
                 && (supportedFeatureSet & WifiManager.WIFI_FEATURE_DPP_AKM) == 0) {
             Log.e(TAG, "DPP AKM is not supported");

service/java/com/android/server/wifi/WifiMonitor.java

diff --git a/service/java/com/android/server/wifi/WifiMonitor.java b/service/java/com/android/server/wifi/WifiMonitor.java
index 101fd2e..0fdb69b 100644
--- a/service/java/com/android/server/wifi/WifiMonitor.java
+++ b/service/java/com/android/server/wifi/WifiMonitor.java
@@ -40,6 +40,7 @@
 
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
+import java.security.cert.X509Certificate;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -108,8 +109,8 @@
     /* Transition Disable Indication */
     public static final int TRANSITION_DISABLE_INDICATION        = BASE + 72;
 
-    /* Trust On First Use incoming certificate event */
-    public static final int TOFU_CERTIFICATE_EVENT               = BASE + 73;
+    /* Trust On First Use Root CA Certification */
+    public static final int TOFU_ROOT_CA_CERTIFICATE             = BASE + 73;
 
     /* Auxiliary supplicant event */
     public static final int AUXILIARY_SUPPLICANT_EVENT           = BASE + 74;
@@ -618,11 +619,11 @@
      * @param networkId ID of the network in wpa_supplicant.
      * @param ssid SSID of the network.
      * @param depth the depth of this cert in the chain, 0 is the leaf, i.e. the server cert.
-     * @param certificateEventInfo the certificate data.
+     * @param cert the certificate data.
      */
     public void broadcastCertificationEvent(String iface, int networkId, String ssid,
-            int depth, CertificateEventInfo certificateEventInfo) {
-        sendMessage(iface, TOFU_CERTIFICATE_EVENT, networkId, depth, certificateEventInfo);
+            int depth, X509Certificate cert) {
+        sendMessage(iface, TOFU_ROOT_CA_CERTIFICATE, networkId, depth, cert);
     }
 
     /**

service/java/com/android/server/wifi/hotspot2/PasspointManager.java

diff --git a/service/java/com/android/server/wifi/hotspot2/PasspointManager.java b/service/java/com/android/server/wifi/hotspot2/PasspointManager.java
index d255e50..2422194 100644
--- a/service/java/com/android/server/wifi/hotspot2/PasspointManager.java
+++ b/service/java/com/android/server/wifi/hotspot2/PasspointManager.java
@@ -24,7 +24,6 @@
 
 import android.annotation.NonNull;
 import android.annotation.Nullable;
-import android.app.ActivityManager;
 import android.app.AppOpsManager;
 import android.content.Context;
 import android.net.MacAddress;
@@ -137,7 +136,6 @@
     private final Clock mClock;
     private final WifiPermissionsUtil mWifiPermissionsUtil;
     private final WifiSettingsStore mSettingsStore;
-    private final boolean mIsLowMemory;
 
     /**
      * Map of package name of an app to the app ops changed listener for the app.
@@ -147,8 +145,7 @@
     // Counter used for assigning unique identifier to each provider.
     private long mProviderIndex;
     private boolean mVerboseLoggingEnabled = false;
-    // Set default value to false before receiving boot completed event.
-    private boolean mEnabled = false;
+    private boolean mEnabled;
 
     private class CallbackHandler implements PasspointEventHandler.Callbacks {
         private final Context mContext;
@@ -382,8 +379,6 @@
                 new SharedDataSourceHandler()));
         mPasspointProvisioner = objectFactory.makePasspointProvisioner(context, wifiNative,
                 this, wifiMetrics);
-        ActivityManager activityManager = context.getSystemService(ActivityManager.class);
-        mIsLowMemory = activityManager.isLowRamDevice();
         mAppOps = (AppOpsManager) context.getSystemService(Context.APP_OPS_SERVICE);
         sPasspointManager = this;
         mMacAddressUtil = macAddressUtil;
@@ -482,20 +477,10 @@
             Log.e(TAG, "Set isTrusted to false on a non suggestion passpoint is not allowed");
             return false;
         }
-        if (config.getServiceFriendlyNames() != null && isFromSuggestion) {
-            Log.e(TAG, "Passpoint from suggestion should not have ServiceFriendlyNames");
-            return false;
-        }
         if (!mWifiPermissionsUtil.doesUidBelongToCurrentUserOrDeviceOwner(uid)) {
             Log.e(TAG, "UID " + uid + " not visible to the current user");
             return false;
         }
-        if (getPasspointProviderWithPackage(packageName).size()
-                >= WifiManager.getMaxNumberOfNetworkSuggestionsPerApp(mIsLowMemory)) {
-            Log.e(TAG, "packageName " + packageName + " has too many passpoint with exceed the "
-                    + "limitation");
-            return false;
-        }
 
         mWifiCarrierInfoManager.tryUpdateCarrierIdForPasspoint(config);
         // Create a provider and install the necessary certificates and keys.

service/tests/wifitests/Android.bp

diff --git a/service/tests/wifitests/Android.bp b/service/tests/wifitests/Android.bp
index 03f30b6..479e3d9 100644
--- a/service/tests/wifitests/Android.bp
+++ b/service/tests/wifitests/Android.bp
@@ -114,9 +114,6 @@
             "com.android.server.wifi.ByteBufferReader",
             "com.android.server.wifi.ByteBufferReader$*",
             "com.android.server.wifi.ByteBufferReader.**",
-            "com.android.server.wifi.CertificateEventInfo",
-            "com.android.server.wifi.CertificateEventInfo*",
-            "com.android.server.wifi.CertificateEventInfo.**",
             "com.android.server.wifi.ClientMode",
             "com.android.server.wifi.ClientMode$*",
             "com.android.server.wifi.ClientMode.**",

service/tests/wifitests/src/com/android/server/wifi/CertificateEventInfoTest.java

diff --git a/service/tests/wifitests/src/com/android/server/wifi/CertificateEventInfoTest.java b/service/tests/wifitests/src/com/android/server/wifi/CertificateEventInfoTest.java
deleted file mode 100644
index 4c2662e..0000000
--- a/service/tests/wifitests/src/com/android/server/wifi/CertificateEventInfoTest.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright (C) 2023 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package com.android.server.wifi;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.Mockito.mock;
-
-import org.junit.Test;
-
-import java.security.cert.X509Certificate;
-
-public class CertificateEventInfoTest extends WifiBaseTest {
-    private static final String TEST_CERT_HASH = "1234567890";
-    CertificateEventInfo mCertificateEventInfo;
-
-    /**
-     * test the getCert() and getCertHash() methods
-     */
-    @Test
-    public void testGetMethods() throws Exception {
-        X509Certificate cert = mock(X509Certificate.class);
-        mCertificateEventInfo = new CertificateEventInfo(cert, TEST_CERT_HASH);
-        assertEquals(mCertificateEventInfo.getCert(), cert);
-        assertTrue(TEST_CERT_HASH.equals(mCertificateEventInfo.getCertHash()));
-    }
-
-    /**
-     * test that a null certificate throws an exception
-     */
-    @Test(expected = NullPointerException.class)
-    public void testCertNullInitializer() throws Exception {
-        mCertificateEventInfo = new CertificateEventInfo(null, TEST_CERT_HASH);
-    }
-
-    /**
-     * test that a null certificate hash throws an exception
-     */
-    @Test(expected = NullPointerException.class)
-    public void testCertHashNullInitializer() throws Exception {
-        X509Certificate cert = mock(X509Certificate.class);
-        mCertificateEventInfo = new CertificateEventInfo(cert, null);
-    }
-}

service/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java

diff --git a/service/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java b/service/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java
index bb16f49..cef996f 100644
--- a/service/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java
+++ b/service/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java
@@ -7885,13 +7885,11 @@
                             SupplicantState.ASSOCIATED));
             mLooper.dispatchAll();
 
-            CertificateEventInfo certificateEventInfo =
-                    spy(new CertificateEventInfo(FakeKeys.CA_CERT0, "1234"));
-            mCmi.sendMessage(WifiMonitor.TOFU_CERTIFICATE_EVENT,
-                    FRAMEWORK_NETWORK_ID, 0, certificateEventInfo);
+            mCmi.sendMessage(WifiMonitor.TOFU_ROOT_CA_CERTIFICATE,
+                    FRAMEWORK_NETWORK_ID, 0, FakeKeys.CA_CERT0);
             mLooper.dispatchAll();
             verify(mInsecureEapNetworkHandler).addPendingCertificate(
-                    eq(eapTlsConfig.SSID), eq(0), eq(certificateEventInfo));
+                    eq(eapTlsConfig.SSID), eq(0), eq(FakeKeys.CA_CERT0));
 
             // Adding a certificate in depth 0 will cause a disconnection when TOFU is supported
             DisconnectEventInfo disconnectEventInfo =
@@ -7920,16 +7918,9 @@
         assumeTrue(SdkLevel.isAtLeastT());
         WifiConfiguration testConfig = setupTrustOnFirstUse(true, true, true);
 
-        mCmi.mInsecureEapNetworkHandlerCallbacksImpl.onAccept(testConfig.SSID,
-                testConfig.networkId);
+        mCmi.mInsecureEapNetworkHandlerCallbacksImpl.onAccept(testConfig.SSID);
         mLooper.dispatchAll();
-        ArgumentCaptor<WifiConfiguration> wifiConfigurationArgumentCaptor =
-                ArgumentCaptor.forClass(WifiConfiguration.class);
-
-        // TOFU will first connect to get the certificates, and then connect once approved
-        verify(mWifiNative, times(2)).connectToNetwork(eq(WIFI_IFACE_NAME),
-                wifiConfigurationArgumentCaptor.capture());
-        assertEquals(testConfig.networkId, wifiConfigurationArgumentCaptor.getValue().networkId);
+        verify(mWifiConnectivityManager).forceConnectivityScan(eq(ClientModeImpl.WIFI_WORK_SOURCE));
     }
 
     /**
@@ -7951,14 +7942,6 @@
                 eq(WifiMetricsProto.ConnectionEvent.HLF_NONE),
                 eq(WifiMetricsProto.ConnectionEvent.FAILURE_REASON_UNKNOWN),
                 anyInt());
-        ArgumentCaptor<WifiConfiguration> wifiConfigurationArgumentCaptor =
-                ArgumentCaptor.forClass(WifiConfiguration.class);
-
-        // TOFU will connect only once to get the certificates, but will not proceed
-        verify(mWifiNative).connectToNetwork(eq(WIFI_IFACE_NAME),
-                wifiConfigurationArgumentCaptor.capture());
-        assertEquals(testConfig.networkId, wifiConfigurationArgumentCaptor.getValue().networkId);
-
     }
 
     /**
@@ -7993,16 +7976,9 @@
         assumeTrue(SdkLevel.isAtLeastT());
         WifiConfiguration testConfig = setupTrustOnFirstUse(true, true, false);
 
-        mCmi.mInsecureEapNetworkHandlerCallbacksImpl.onAccept(testConfig.SSID,
-                testConfig.networkId);
+        mCmi.mInsecureEapNetworkHandlerCallbacksImpl.onAccept(testConfig.SSID);
         mLooper.dispatchAll();
-        ArgumentCaptor<WifiConfiguration> wifiConfigurationArgumentCaptor =
-                ArgumentCaptor.forClass(WifiConfiguration.class);
-
-        // TOFU will first connect to get the certificates, and then connect once approved
-        verify(mWifiNative, times(2)).connectToNetwork(eq(WIFI_IFACE_NAME),
-                wifiConfigurationArgumentCaptor.capture());
-        assertEquals(testConfig.networkId, wifiConfigurationArgumentCaptor.getValue().networkId);
+        verify(mWifiConnectivityManager).forceConnectivityScan(eq(ClientModeImpl.WIFI_WORK_SOURCE));
     }
 
     /**
@@ -8025,13 +8001,6 @@
                 eq(WifiMetricsProto.ConnectionEvent.HLF_NONE),
                 eq(WifiMetricsProto.ConnectionEvent.FAILURE_REASON_UNKNOWN),
                 anyInt());
-        ArgumentCaptor<WifiConfiguration> wifiConfigurationArgumentCaptor =
-                ArgumentCaptor.forClass(WifiConfiguration.class);
-
-        // TOFU will connect only once to get the certificates, but will not proceed
-        verify(mWifiNative).connectToNetwork(eq(WIFI_IFACE_NAME),
-                wifiConfigurationArgumentCaptor.capture());
-        assertEquals(testConfig.networkId, wifiConfigurationArgumentCaptor.getValue().networkId);
     }
 
     /**
@@ -8065,8 +8034,7 @@
         assumeFalse(SdkLevel.isAtLeastT());
         WifiConfiguration testConfig = setupLegacyEapNetworkTest(true);
 
-        mCmi.mInsecureEapNetworkHandlerCallbacksImpl.onAccept(testConfig.SSID,
-                testConfig.networkId);
+        mCmi.mInsecureEapNetworkHandlerCallbacksImpl.onAccept(testConfig.SSID);
         mLooper.dispatchAll();
         verify(mWifiMetrics, never()).endConnectionEvent(
                 any(), anyInt(), anyInt(), anyInt(), anyInt());
@@ -8099,8 +8067,7 @@
         assumeFalse(SdkLevel.isAtLeastT());
         WifiConfiguration testConfig = setupLegacyEapNetworkTest(false);
 
-        mCmi.mInsecureEapNetworkHandlerCallbacksImpl.onAccept(testConfig.SSID,
-                testConfig.networkId);
+        mCmi.mInsecureEapNetworkHandlerCallbacksImpl.onAccept(testConfig.SSID);
         mLooper.dispatchAll();
         verify(mWifiMetrics, never()).endConnectionEvent(
                 any(), anyInt(), anyInt(), anyInt(), anyInt());

service/tests/wifitests/src/com/android/server/wifi/InsecureEapNetworkHandlerTest.java

diff --git a/service/tests/wifitests/src/com/android/server/wifi/InsecureEapNetworkHandlerTest.java b/service/tests/wifitests/src/com/android/server/wifi/InsecureEapNetworkHandlerTest.java
index 356737f..b83f6e7 100644
--- a/service/tests/wifitests/src/com/android/server/wifi/InsecureEapNetworkHandlerTest.java
+++ b/service/tests/wifitests/src/com/android/server/wifi/InsecureEapNetworkHandlerTest.java
@@ -35,7 +35,6 @@
 import static org.mockito.Mockito.validateMockitoUsage;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
-import static org.mockito.Mockito.withSettings;
 
 import android.app.Notification;
 import android.content.BroadcastReceiver;
@@ -43,13 +42,12 @@
 import android.net.wifi.WifiConfiguration;
 import android.net.wifi.WifiContext;
 import android.net.wifi.WifiEnterpriseConfig;
+import android.net.wifi.util.HexEncoding;
 import android.os.Handler;
 import android.text.TextUtils;
-import android.text.format.DateFormat;
 
 import androidx.test.filters.SmallTest;
 
-import com.android.dx.mockito.inline.extended.ExtendedMockito;
 import com.android.modules.utils.build.SdkLevel;
 import com.android.server.wifi.util.CertificateSubjectInfo;
 import com.android.wifi.resources.R;
@@ -62,14 +60,13 @@
 import org.mockito.Captor;
 import org.mockito.Mock;
 import org.mockito.MockitoAnnotations;
-import org.mockito.MockitoSession;
 import org.mockito.stubbing.Answer;
 
-import java.io.ByteArrayInputStream;
-import java.io.InputStream;
-import java.security.cert.CertificateFactory;
+import java.nio.charset.StandardCharsets;
 import java.security.cert.X509Certificate;
 
+import javax.security.auth.x500.X500Principal;
+
 /**
  * Unit tests for {@link com.android.server.wifi.InsecureEapNetworkHandlerTest}.
  */
@@ -84,192 +81,8 @@
     private static final String TEST_SSID = "\"test_ssid\"";
     private static final String TEST_IDENTITY = "userid";
     private static final String TEST_PASSWORD = "myPassWord!";
-    private static final String TEST_EXPECTED_SHA_256_SIGNATURE = "54:59:5D:FC:64:9C:17:72:C0:59:"
-            + "9D:25:BD:1F:04:18:E6:00:AB:F4:0A:F0:78:D8:9A:FF:56:C0:7C:89:96:2F";
-    private static final int TEST_GEN_CA_CERT = 0;
-    private static final int TEST_GEN_CA2_CERT = 1;
-    private static final int TEST_GEN_SERVER_CERT = 2;
-    private static final int TEST_GEN_SELF_SIGNED_CERT = 3;
-    private static final int TEST_GEN_FAKE_CA_CERT = 4;
-
-    private static final String TEST_SERVER_CERTIFICATE = "-----BEGIN CERTIFICATE-----\n"
-            + "MIIGPjCCBCagAwIBAgIUN2Ss1JmvjveRe97iWoNh4V+Y5LYwDQYJKoZIhvcNAQEM\n"
-            + "BQAwgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRswGQYDVQQK\n"
-            + "DBJBbmRyb2lkIFdpLUZpIFRlc3QxGDAWBgNVBAsMD2FuZHJvaWR3aWZpLm9lbTE8\n"
-            + "MDoGA1UEAwwzQW5kcm9pZCBQYXJ0bmVyIFJvb3QgQ0EgZm9yIHRlc3RpbmcgYW5k\n"
-            + "IGRldmVsb3BtZW50MB4XDTIzMDQxMzAyMTYwMVoXDTQzMDQwODAyMTYwMVowgYMx\n"
-            + "CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMR0wGwYDVQQKDBRBbmRy\n"
-            + "b2lkIFdpLUZpIFRlc3RlcjEYMBYGA1UECwwPYW5kcm9pZHdpZmkub2VtMSYwJAYD\n"
-            + "VQQDDB1BbmRyb2lkIFdpLUZpIE9FTSBUZXN0IFNlcnZlcjCCAiIwDQYJKoZIhvcN\n"
-            + "AQEBBQADggIPADCCAgoCggIBAKveC9QnsxvM2TMzkUINabtM2Bi5M5gzV4v1MN0h\n"
-            + "n1XjXhfRXwwLMK9xtV05r91YQaOTPkHNgA6nhjmL7agcquGPlR7nuS04oxCaqfo4\n"
-            + "unbroyyqDMaXd8U6B1VlvWSbWAAhBEEAPYDhFXF9V83XHEGcp61Hs4VetGmlC3tW\n"
-            + "W1CLIk+o9JRYsZeK4Q1DurAY7YPU8U84QNxPG7OXg+ensGtspuLLNFEdnd9tSi45\n"
-            + "u5KyPpnSwTdRGSCfMVocxj0EINpdrLnWZyf9NX8Uo7tg/D0TFVBo+MbKjgItIdMg\n"
-            + "STLQwceOdOGHZTPiItzpFcP9EA5ug5gXobPjzDTJO2S3NhUt5NURfGr/wyepxR25\n"
-            + "PDRhBgc/xwc7JrtDGaqmknguZuf7Zai/m4iquC0Wh38bWKms8R0ND/H923aFppxp\n"
-            + "vzX/sWotsTYWiGMehh7v6iwIYADifsXBlJXTUhTZt6cnwttZYfp5oqymCsIhXKVU\n"
-            + "IXOE/PLcU71G9U+jCa7PNs5X5LgqorNPABOpkVL+fDpvopNCdhOEVvwCAIl4tIxl\n"
-            + "M0goFbBmY1wnFFYIUki91UfbeUimCUbBq/RSxuXn3liVB/X+dnyjJ3RnNxJ3Wy1m\n"
-            + "mcHFIVV5VxN6tC7XTXYgZAv0EJGCcVn0RN3ldPWGRLTEIQu7cXRSfqs89N4S31Et\n"
-            + "SjaxAgMBAAGjgZMwgZAwHQYDVR0OBBYEFHh9fcIU3LHamK7PdpasvHmzyRoLMB8G\n"
-            + "A1UdIwQYMBaAFH7ro7AWsBlMNpyRXHGW1hG4c1ocMAkGA1UdEwQCMAAwCwYDVR0P\n"
-            + "BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMCEGA1UdEQQaMBiCFnNlcnZlci5h\n"
-            + "bmRyb2lkd2lmaS5vZW0wDQYJKoZIhvcNAQEMBQADggIBAOIkOLyF8mmYvj8TeM2V\n"
-            + "d4YMj4sWf7L5C2lq9OGBJwZad1xytymWWZ7PpNf1MopabfUzxPjw5EfMC94MJmpf\n"
-            + "gqYOwFAye5fXQ8CLC39tb681u44tv/B5vqP74TKVhCR8O1YCsIssa8t8e5nIwcYr\n"
-            + "fj3SBu7iOLtL7zjfEXFo3oSEwVYnvS3lhZL8NTrrHscy/ZLFE3nGRq2d3jPbyuoH\n"
-            + "1FJwenxnD6a/AztERPkRNGk2oSFkWecNU9PC9w3bI5wF4I2AIaFgBOj20S7pVtq7\n"
-            + "7nhKnQFrZYVeWbqbInQcRAcSopI6D6tB/F/T9R1WCWBxvpwdciv7BeNgOtGKAszA\n"
-            + "z0sOxI6O4U77R+tFeb0vCwC0OhVL3W0zX3Fy2835D/hC2P1jmMBlxLVKYHY48RBC\n"
-            + "sG1I1qAMD4eXle8rG9MkB9cE5KfncjCrzSQjT8gs7QBTafb6B3WDdwzfaCaQTOOF\n"
-            + "Tsyrdq0TTJP71bt5qWTr6UZIBE5Tjel+DPpvQlPZPYygXPrI3WBcT12VLhti0II6\n"
-            + "1jgkS8fPLR0VypHR02V5fqCRmy9ln0rSyHXFwL3JpeXYD92eLOKdS1MhIUN4bDxZ\n"
-            + "fiXXVKpKU4gqqWAan2RjbBzQjsi6Eh3yuDm2SAqNZVacpOt7BIslqEZ+Og6KhTTk\n"
-            + "DCzyEOB87ySrUWu3PN3r2sJN\n"
-            + "-----END CERTIFICATE-----";
-
-    private static final String TEST_CA_CERTIFICATE = "-----BEGIN CERTIFICATE-----\n"
-            + "MIIGADCCA+igAwIBAgIUFkmrYCj/UYNrizDdMATu6dE3lBIwDQYJKoZIhvcNAQEM\n"
-            + "BQAwgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRswGQYDVQQK\n"
-            + "DBJBbmRyb2lkIFdpLUZpIFRlc3QxGDAWBgNVBAsMD2FuZHJvaWR3aWZpLm9lbTE8\n"
-            + "MDoGA1UEAwwzQW5kcm9pZCBQYXJ0bmVyIFJvb3QgQ0EgZm9yIHRlc3RpbmcgYW5k\n"
-            + "IGRldmVsb3BtZW50MB4XDTIzMDQxMzAyMTYwMVoXDTQzMDQwODAyMTYwMVowgZcx\n"
-            + "CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRswGQYDVQQKDBJBbmRy\n"
-            + "b2lkIFdpLUZpIFRlc3QxGDAWBgNVBAsMD2FuZHJvaWR3aWZpLm9lbTE8MDoGA1UE\n"
-            + "AwwzQW5kcm9pZCBQYXJ0bmVyIFJvb3QgQ0EgZm9yIHRlc3RpbmcgYW5kIGRldmVs\n"
-            + "b3BtZW50MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9JERd2HVp/PI\n"
-            + "3WmaaHDKHDuWZoxUDlyVrTDd1Vu2zhH3A5KJ232QOMxJiLdZ/KxgcpGlAEllijae\n"
-            + "xihxhkHEYr7ff2/p6ZhUWr+0vuk8f4TZsKDAE0SoZoDBHTIbrJf8hHM5/+R//sx1\n"
-            + "/fTf8abOj20zyeWmXqvUNXoVKiRvjiZD69tcRHmfmTOMX0lAirOel8ZwwDFamH8d\n"
-            + "wov0IIyd58m6CV91WnScgg7TOzw/IGpccft73RbDw7cHU5i3G3KhOqamwJbErgya\n"
-            + "x97AsSVCqjBz7rEwm6pHjUagbgVAk9ULmI1McQzMINIrOWRF0Q8awWpvDNwPu86J\n"
-            + "W/LfyzAruWtriimycpl7wv0b/f7JhKerG0+44JUI0sgTz/kobAsU8nfYSyVu8+cX\n"
-            + "HwnDE2jBGB6co2Y00eVKxy6+gWTekpQTyHuPoCieNDukC/38Mj+U0KUZkgGv4CL7\n"
-            + "zaVBGzjSjtnAp47aXciaDvDbpST23ICS7TN5cUnXQ1fWfNUMNkEbIPy2mrlRoCxg\n"
-            + "OJ67UEvGIygE0IUvwDfFvF21+1yKk6D/kU9gMgd6DKtvWj1CIyKXWf+rQ01OHNhX\n"
-            + "YcOTkF5aF2WU558DuS+utGBzXWFsLxqBRe9nDb9W/SlrT2jajfwLelMddvtZmVsY\n"
-            + "NG8IeY8lDs5hcFBvm/BDr0SvBDhs9H0CAwEAAaNCMEAwHQYDVR0OBBYEFH7ro7AW\n"
-            + "sBlMNpyRXHGW1hG4c1ocMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGG\n"
-            + "MA0GCSqGSIb3DQEBDAUAA4ICAQBINF6auWUhCO0l/AqO5pLgOqZ7BjAzHGDNapW+\n"
-            + "3nn2YicDD/X2eJASfsd3jN5JluBlbLqRBBWnIsNG/fyKxY8I4+IrR1x8ovwBjeJ3\n"
-            + "McQeCW2zedluVp2SW3LaNQS+aptXHATJ6O8EOny2LDM+obEtFyLuDC89a1TXjEdj\n"
-            + "XGIYmSJ8RwpKAi4u6ff4jhtNTSEa/eIUE5zUREV0916xtmu5y1vlmsEbpLEquOph\n"
-            + "ZWxpUVTqGEyc0hHaivAWyBG1dtRgov5olzHchM2TsEq/VufiRAw5uzRQ/sAyVjj4\n"
-            + "pcvWnLDLTYk/+uIG1zmbc0rNpAC7b3tplA4OqTtFb3yX0ppPFUg4OaxhMyu4WqS3\n"
-            + "roNiXc8BmtfzMqyWAG21QUfosLa8heiiHgnvkiUa9V2oJ4kWAhOTmLdU70aocu4N\n"
-            + "pcN5jcT5hSl/A91Lvfht0C9BLOrXU+RDCNAVIUnnWSrgduUPTydKVdUkLxau4G/+\n"
-            + "G8fKAyeCouFNq7bp4DEMkgqAWpx96Qe6FLxAS59Ig3tI8MZSieBZezJyjP4GWtuq\n"
-            + "QsnARbwD7z73FWQ+eqXOhkoqDoQc8E2lQGe8OGbacGuUwXo3PUgGaJobz+2Hqa9g\n"
-            + "6AnBkH6AbvooUwSWSCyYIf2LA+GvZotI+PXWuQL7dqWtkaNf98qqfnlZXjp51e+h\n"
-            + "B8nquw==\n"
-            + "-----END CERTIFICATE-----";
-
-    private static final String TEST_CA2_CERTIFICATE = "-----BEGIN CERTIFICATE-----\n"
-            + "MIIGADCCA+igAwIBAgIUGm2nmrZw4ADU7h/TGKd67Uz5bJIwDQYJKoZIhvcNAQEM\n"
-            + "BQAwgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRswGQYDVQQK\n"
-            + "DBJBbmRyb2lkIFdpLUZpIFRlc3QxGDAWBgNVBAsMD2FuZHJvaWR3aWZpLm9lbTE8\n"
-            + "MDoGA1UEAwwzQW5vdGhlciBBbmRyb2lkIFJvb3QgQ0EgZm9yIHRlc3RpbmcgYW5k\n"
-            + "IGRldmVsb3BtZW50MB4XDTIzMDQxMzAyMTkxOVoXDTQzMDQwODAyMTkxOVowgZcx\n"
-            + "CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRswGQYDVQQKDBJBbmRy\n"
-            + "b2lkIFdpLUZpIFRlc3QxGDAWBgNVBAsMD2FuZHJvaWR3aWZpLm9lbTE8MDoGA1UE\n"
-            + "AwwzQW5vdGhlciBBbmRyb2lkIFJvb3QgQ0EgZm9yIHRlc3RpbmcgYW5kIGRldmVs\n"
-            + "b3BtZW50MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvv7PYhFHK+nC\n"
-            + "KoDiQI7dhDFTNU4RxTTsxMRSt1n/FJGZX/r8nnr76gB+oofFVjKQusYhuquKGPGq\n"
-            + "ZfrfmtsNhcVBMnNRjZkBWpNb3XO+7F+Qd/gT7yoiZ0L3Ef4QMCGqNrf10EWmXvVQ\n"
-            + "tpaM7RrkmlW6Zu2VbfP/iQQ7EVFrFWmnZfkCxpkLT+LK+pxwNxtJz5l7VRYkXelw\n"
-            + "9vFdq81C+obBpLWg62mNVNa25g6y46YrSOPyxhiemiRih+avIZ9Z6/7qRoVu7t8U\n"
-            + "NpxzMdsDL5bJREadsjpQWZr7A+umm0nlod1DB204K18Y5Z4GuOEGifdHIUmb+3c4\n"
-            + "Kz14FzBahyc3xsZL73AsGEVWLHIQQ/kjepomVl8HuSHdgw6SZR30JhWgU/bcVl01\n"
-            + "8qc6qH7x3e64Ip9xHdng42oPJHEKYipRed3AXzlCQ7Lc9MeAeR+nB9JuSNc6HW0L\n"
-            + "eh9Po0cDJa194UfNeqJ7SG2uNpeg/OUbM+M3iO3dmCRcV3GzirbT8eHZk3Cor3gb\n"
-            + "h9AzmJnHyRaRc9Xtj7AE8swJRvAoWVlCzcBcvaLAW0hn2DWXbWXHDf63Q8n5F4J5\n"
-            + "pf//2eXWaOXFLvkm9wYUj6kXOehcibB2O1F1YvqWE3XZ5GTDq/+E5wK55aifq+bz\n"
-            + "l1Mb1ILIB3cEEL9w+0ClHCno+2XGMOkCAwEAAaNCMEAwHQYDVR0OBBYEFH0KeaUK\n"
-            + "koS2PMYfpcanoTkRBTzmMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGG\n"
-            + "MA0GCSqGSIb3DQEBDAUAA4ICAQCnnL83fEA3g8fiJHpeSNSVZ4R3VunQU2BDkwUj\n"
-            + "NgFWPMsZNQcKoChUA5mb8wOM/fk9tdjMsQR5fRO30B94Eoo9NM39HztBcvvLV9i7\n"
-            + "qNQCTjFE7zf4weX6K3tZICR8nZ1Ogccp3itEDkNpOylFLdQxkc29RrKcuculb3PM\n"
-            + "C7IMREKROKFzrAwWkFAaxJGfByTRfjOqWJFgdRq/GHU2yCKkCLN4zRLjr5ZaAk2J\n"
-            + "+8b+Y1/pIW4j2FAB7ebmq0ZbMbdc+EFdVf36WrsWf54L3DsZOuoaC+2wTsyWQ0b/\n"
-            + "8tqJ/XS39I4uo8KpI5//aQpM1usxP0/pWUm9sTXE618Yf2Ynh64eDQHPIAmt+Xoh\n"
-            + "BfIx+nXVkCl4DGGdwvOURUULdHN9wf6YPOXxaMEYxQRGMwmBAlmiDaH41xeaht/A\n"
-            + "+iv3y918rJFDAXWKvGia8oDi1xIL+IDZ1AGVByNp+C/AE5BTV2m9UHZyXsXrMiQA\n"
-            + "ezUrVpiWB6h4C4rUuaucQv1gO6gEPZGEDdvIG8TGJg8wvLL0oZiyaL3gQxlGs0CZ\n"
-            + "tbDGqugtlh4RLeJ1N/TTFkLzf4CAgDTxfqhMKXkFvpMvO6ZHOT7xC0sdaD2FbZRj\n"
-            + "h5ziC9nvWEdTA8RLr0i/r5nFb6GsxmEk6NYFmpnyo5pvlxf5xqOhsJZlcKnUJ8SQ\n"
-            + "NIGLmw==\n"
-            + "-----END CERTIFICATE-----";
-
-    private static final String TEST_SELF_SIGNED_CERTIFICATE = "-----BEGIN CERTIFICATE-----\n"
-            + "MIIFxzCCA6+gAwIBAgIUB8Kqwhhhs1liW23ve7pZsFlv0zAwDQYJKoZIhvcNAQEM\n"
-            + "BQAwezELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExGzAZBgNVBAoM\n"
-            + "EkFuZHJvaWQgV2ktRmkgVGVzdDEYMBYGA1UECwwPYW5kcm9pZHdpZmkuZGV2MSAw\n"
-            + "HgYDVQQDDBdTZWxmLXNpZ25lZCBjZXJ0aWZpY2F0ZTAeFw0yMzA0MTMwMjE0MTda\n"
-            + "Fw00MzA0MDgwMjE0MTdaMHsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9y\n"
-            + "bmlhMRswGQYDVQQKDBJBbmRyb2lkIFdpLUZpIFRlc3QxGDAWBgNVBAsMD2FuZHJv\n"
-            + "aWR3aWZpLmRldjEgMB4GA1UEAwwXU2VsZi1zaWduZWQgY2VydGlmaWNhdGUwggIi\n"
-            + "MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDD0oI2c+1D4D2wc4PnhkXbtA7g\n"
-            + "64Mp/JSbnVbl7PseJKnFD/pdos5joFXFbySFqu60S905T1a3AWNwbucKc7C7IwQw\n"
-            + "gtO7uMEPr35j7MhItyAbmj89dY729yXJ8gBnNnqc8PyYEIfZmnBvSry0Tsm60298\n"
-            + "GGZ9yCQfOOb4TJFX/CIKjniI170eLCiGybOrBvG11Rx6BwwHnk1cjkDspejrkhb0\n"
-            + "13RfkQ1S0cEnylrgnn/nRDAAnOscpHRerJ6Ud2vM64iIJy206ZyU/CrhcGeBWwi9\n"
-            + "C1F4ojzvgoFW7bJahXiyEaC5R3G5WdvX5qOr/eu/yMaCAner0LHUibHc5XA02F/c\n"
-            + "LO0LpN59tTT4dx9sLJVjZQGSUxyXnKHiR5TKkoAMWAZSO5hbE4drgivKLnYmYnhC\n"
-            + "Z1rGM5R0D0gB2llAvecItmynDJNApY6L1F8wnNA9NfGUYFpeqJ8uEOn7RxAvyYmB\n"
-            + "trmUFOqL7W84d1/XzORPGQ7n1wyPfBG3xyGIm2MMvanVsLs0/9NXAYAz2ZAHJPnS\n"
-            + "DsiV+7OHtMCdgTI5BJFmiJpXKgVE+IaewQdSjXDU7bgMlll3lTVoVAiKJmxpOmZ6\n"
-            + "FFz7mkd0pYhsO5jQpNGMfl+IaoIiTx4Zg9ZjwjTcPn9eGunBLJJ8SofkhM4boLrC\n"
-            + "KSen8NYuHVDPwAOwpQIDAQABo0MwQTAdBgNVHQ4EFgQU2IB1Q35ysx0HpRttAqMU\n"
-            + "FO9OhIAwCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3\n"
-            + "DQEBDAUAA4ICAQBqf4zbooJ4hHeZs7Nd31G7i2WEr6/8OWTuEuDAmJkGW8WBeyUG\n"
-            + "JMrxF3U+kGxVGops4mSxMwVpcsqQa+IwkrP807dSqkuntLVGFqVo7rcQ+l8OcNUv\n"
-            + "oNQIFGPLlWPyMnjXvmWbfvgbgFoY9yUFoxFlHqsVf+1mEvTmW9ya4BGT2hlfvtb6\n"
-            + "Jfvrrocg9zGSnBs9oyI+GzP4Xdqd0riXfk6OuFH3R05/cQj7SlPm8LU1J7ZML/4H\n"
-            + "1AuMg+Ql8vxql4IzIk93CDR8Hq1jb3MhF/ae9UfttuNnHT4vu5X/6qLqWNKMs3zP\n"
-            + "DQQaYkqxWTUWiNlWV7i7pXn8e2J8ZkRHVELvrpdXLKIfL6RxjzKWY+TKiHY+F48I\n"
-            + "JwCAbL1FX+NzB2dS0RxXk/RTAxagenfmDcY1notHNsnDZB54cP9nv+N3wqkDoaKg\n"
-            + "nqOZTlIRWJ4agygqGaxieUuZRgy/AE/dSGpetlXAScKUvhCcO22qXL2jSjBAg5+k\n"
-            + "AynUuiZxdogXbvXrAwSWAVwlz8qEOK3NPFYnEKcjgNbTxiUHp3P/ULBgHQo55o9K\n"
-            + "DdUEbIurd02xG6usEDWxR5ds/RPy6VZ5c6bFUiTEsfMMmQotPL/btuPVXsSdJUR4\n"
-            + "xcxpcV7zx9IjFs/IylyQ1YEYDKWV+nH7iiOigO5WiZ5ck2Wa/Tk3uXg1Ew==\n"
-            + "-----END CERTIFICATE-----\n";
-
-    private static final String TEST_FAKE_CA_CERTIFICATE = "-----BEGIN CERTIFICATE-----\n"
-            + "MIIGADCCA+igAwIBAgIUIxVGWM5Wrs86DpDA2+fo53UryqMwDQYJKoZIhvcNAQEM\n"
-            + "BQAwgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRswGQYDVQQK\n"
-            + "DBJBbmRyb2lkIFdpLUZpIFRlc3QxGDAWBgNVBAsMD2FuZHJvaWR3aWZpLm9lbTE8\n"
-            + "MDoGA1UEAwwzQW5kcm9pZCBQYXJ0bmVyIFJvb3QgQ0EgZm9yIHRlc3RpbmcgYW5k\n"
-            + "IGRldmVsb3BtZW50MB4XDTIzMDQxMzE1MzkyM1oXDTQzMDQwODE1MzkyM1owgZcx\n"
-            + "CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRswGQYDVQQKDBJBbmRy\n"
-            + "b2lkIFdpLUZpIFRlc3QxGDAWBgNVBAsMD2FuZHJvaWR3aWZpLm9lbTE8MDoGA1UE\n"
-            + "AwwzQW5kcm9pZCBQYXJ0bmVyIFJvb3QgQ0EgZm9yIHRlc3RpbmcgYW5kIGRldmVs\n"
-            + "b3BtZW50MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAhTF8MJsucR5P\n"
-            + "6oN/Nho92EYz9b3m7n52m9KgI/G6/9bK9PSDZ6Z6U3qNxpG7nFML+5qyk+qeBHP8\n"
-            + "39lGNNoH1c2dQDXw3oLjOmd1UoN+zSZBznLwkDD8YQYafz1GWRcI34FYDgiPuSx7\n"
-            + "o4+O4hxcimrelhoNRQcRsrZFoUyJZjtPy2Z5DTZTB7udg1QwZ+7+pHCme3DB2Im/\n"
-            + "Eszsmm2TAG6yM3G/lxphLZMhUFy6kjeeIiuar56ED6dg7qEqdeIznt2gGKolXRWs\n"
-            + "vPW4a5NX1RUjsQxOcKEQnrXZXJ9mATptY1hOxuP6kg8Jzh0tN/NzyyERGFvnvhGz\n"
-            + "sN7CkTUhPOKUW3dVrKl9ZJ9PbYZ6xbpbOWOR/5znYQ/f3+bxxibbFI3WN/89VO50\n"
-            + "WEzwfmiGiWC6Bz0iBoAmGjCxySbJg8iDCjrbRexkFsOJ84jlY0fDrfaqY1+WuyYu\n"
-            + "vdk+w4lzk0wYRbp+oRuIXplMyZDsS15CPq+svoYeNCCOXlkRiMLuq/SpkdM8lRKp\n"
-            + "Mrsc1AckI+BGVqh8S9lyJoP67uDmba1FUw7X3IMCkZQwvFduLkJLNYwO6QDV2M6R\n"
-            + "nUCVCx+vxJdlIOLNQIAeKW9jzfASom4ehZY2HHErbUYGKzFQJJ/2+uQLLYn7PsaE\n"
-            + "gYTYA1naakQegCgbD2UsbKqrEfOiHEECAwEAAaNCMEAwHQYDVR0OBBYEFBiYeS/E\n"
-            + "IQ5+IoQ3bsXoibK3QuMzMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGG\n"
-            + "MA0GCSqGSIb3DQEBDAUAA4ICAQACOOZdfcQ53BF43glA/0VuFeXQ+VS+keR9aFBX\n"
-            + "caKrIbFXSns9EsnvKj1L/IoHem5k4LkMFoNgE1Skit2iktPYs6unV83p99PG6EQo\n"
-            + "RG1CeZ50cHzZK6N56MbwZUGRy/p6Zr9ak9d6XE8GpvSwMW8XebrLPtgSBvpI+WIZ\n"
-            + "epMVg7v8AIIRQuoR2VtZ7RZF/X1kwfU5t2aASVBnxTjlSy6KtBLuL+Vu4Aefa+Z0\n"
-            + "d9Ma2jZV+hwWp0X6piSrVKkMZIR5tlvwJootNBlO0J1Jn4J0ecGNEGXmFwz4adnK\n"
-            + "eYfpuNBJI4CKq7mv2Aszsvg0rQxfKlN8LV7gSNu3H6BjjkNUtHI6uwsajJfEmGKD\n"
-            + "YRpAFgZq7FzRwoI8uWr0Bucz6+qxpISi48t0pmceSVpn6UV1UdSebLo8CX5P283F\n"
-            + "yUqlw2hMpo22Gm3uW8GfPyHfMfsqfMU+7BCP38DDnhcGUO3CTINjREXUGtn6CuWS\n"
-            + "ImhmATld6KJNtRCql3zQnaEO84IvKdFVOkm5q9qQjNWDr1oYsLhxoZJZjKK2rP5F\n"
-            + "GRbMvqDhmzrV0yG+sIyW+aEjBl44bVjWQnFhGjtNr1BOOftSyjnseYiioLbiiaYG\n"
-            + "9Mqu78VmTWJzfxyOP2QPK5K00jnVBZ+jQH0NyIE9yf2Cg/llfYRoHsz80cfY/DNt\n"
-            + "jUR49A==\n"
-            + "-----END CERTIFICATE-----";
+    private static final String TEST_EXPECTED_SHA_256_SIGNATURE = "78:A6:27:31:03:D1:7C:39:A0:B6:12"
+            + ":6E:22:6C:EC:70:E3:33:37:F4:BC:6A:38:06:74:01:B5:4A:33:E7:8E:AD";
 
     @Mock WifiContext mContext;
     @Mock WifiConfigManager mWifiConfigManager;
@@ -282,14 +95,12 @@
 
     @Mock(answer = Answers.RETURNS_DEEP_STUBS) private Notification.Builder mNotificationBuilder;
     @Mock private WifiDialogManager.DialogHandle mTofuAlertDialog;
-    @Mock private java.text.DateFormat mDateFormat;
+
     @Captor ArgumentCaptor<BroadcastReceiver> mBroadcastReceiverCaptor;
 
     MockResources mResources;
     InsecureEapNetworkHandler mInsecureEapNetworkHandler;
 
-    private MockitoSession mSession;
-
     /**
      * Sets up for unit test
      */
@@ -331,19 +142,11 @@
 
         when(mFrameworkFacade.makeNotificationBuilder(any(), any()))
                 .thenReturn(mNotificationBuilder);
-
-        // static mocking
-        mSession = ExtendedMockito.mockitoSession()
-                .mockStatic(DateFormat.class, withSettings().lenient())
-                .startMocking();
-        when(DateFormat.getMediumDateFormat(any())).thenReturn(mDateFormat);
-        when(mDateFormat.format(any())).thenReturn("April 12, 2023");
     }
 
     @After
     public void cleanUp() throws Exception {
         validateMockitoUsage();
-        mSession.finishMocking();
     }
 
     /**
@@ -551,70 +354,35 @@
                 isTrustOnFirstUseSupported, isUserSelected, needUserApproval);
     }
 
-    /**
-     * Verify Trust On First Use flow with server certificate pinning
-     * - Single depth server certificate by signed by some unknown issuer, CA flag not set
-     * - This network is selected by a user.
-     * - Accept the connection.
-     */
-    @Test
-    public void verifyTrustOnFirstUseFlowWithServerCertPinning1() throws Exception {
-        assumeTrue(SdkLevel.isAtLeastT());
-        runServerCertPinningTest(TEST_GEN_SERVER_CERT);
-    }
-
-    /**
-     * Verify Trust On First Use flow with server certificate pinning
-     * - Single depth server certificate by signed by some unknown issuer, CA flag set
-     * - This network is selected by a user.
-     * - Accept the connection.
-     */
-    @Test
-    public void verifyTrustOnFirstUseFlowWithServerCertPinning2() throws Exception {
-        assumeTrue(SdkLevel.isAtLeastT());
-        runServerCertPinningTest(TEST_GEN_CA_CERT);
-    }
-
-    private void runServerCertPinningTest(int type)
-            throws Exception {
-        WifiConfiguration config = prepareWifiConfiguration(true);
-        setupTest(config, true, true);
-
-        CertificateEventInfo mockServerCert = generateMockCertEventInfo(type);
-        mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 0, mockServerCert);
-        verifyTrustOnFirstUseFlow(config, ACTION_ACCEPT, true,
-                true, false, null, mockServerCert.getCert());
-    }
-
-    private CertificateEventInfo generateMockCertEventInfo(int type) throws Exception {
-        CertificateEventInfo certificateEventInfo = mock(CertificateEventInfo.class);
-        X509Certificate cert = getCertificate(type);
-
-        when(certificateEventInfo.getCert()).thenReturn(cert);
-        when(certificateEventInfo.getCertHash()).thenReturn("12345678");
-        return certificateEventInfo;
-    }
-
-    private X509Certificate getCertificate(int type) throws Exception {
-        String certString;
-
-        if (type == TEST_GEN_CA_CERT) {
-            certString = TEST_CA_CERTIFICATE;
-        } else if (type == TEST_GEN_CA2_CERT) {
-            certString = TEST_CA2_CERTIFICATE;
-        } else if (type == TEST_GEN_SERVER_CERT) {
-            certString = TEST_SERVER_CERTIFICATE;
-        } else if (type == TEST_GEN_SELF_SIGNED_CERT) {
-            certString = TEST_SELF_SIGNED_CERTIFICATE;
-        } else if (type == TEST_GEN_FAKE_CA_CERT) {
-            certString = TEST_FAKE_CA_CERTIFICATE;
-        } else {
-            throw (new Exception());
+    private X509Certificate generateMockCert(String subject, String issuer, boolean isCa) {
+        X509Certificate mockCert = mock(X509Certificate.class);
+        X500Principal mockSubjectPrincipal = mock(X500Principal.class);
+        when(mockCert.getSubjectX500Principal()).thenReturn(mockSubjectPrincipal);
+        when(mockSubjectPrincipal.getName()).thenReturn("C=TW,ST=Taiwan,L=Taipei"
+                + ",O=" + subject + " Organization"
+                + ",CN=" + subject
+                + ",1.2.840.113549.1.9.1=#1614" + String.valueOf(HexEncoding.encode(
+                        (subject + "@email.com").getBytes(StandardCharsets.UTF_8))));
+        try {
+            when(mockCert.getEncoded()).thenReturn(new byte[]{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10});
+        } catch (Exception e) {
+            // nothing
         }
+        X500Principal mockIssuerX500Principal = mock(X500Principal.class);
+        when(mockCert.getIssuerX500Principal()).thenReturn(mockIssuerX500Principal);
+        when(mockIssuerX500Principal.getName()).thenReturn("C=TW,ST=Taiwan,L=Taipei"
+                + ",O=" + issuer + " Organization"
+                + ",CN=" + issuer
+                + ",1.2.840.113549.1.9.1=#1614" + String.valueOf(HexEncoding.encode(
+                (issuer + "@email.com").getBytes(StandardCharsets.UTF_8))));
 
-        CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
-        InputStream in = new ByteArrayInputStream(certString.getBytes());
-        return (X509Certificate) certFactory.generateCertificate(in);
+        when(mockCert.getSignature()).thenReturn(new byte[]{
+                (byte) 0xde, (byte) 0xad, (byte) 0xbe, (byte) 0xef,
+                (byte) 0x12, (byte) 0x34, (byte) 0x56, (byte) 0x78,
+                (byte) 0x90, (byte) 0xab, (byte) 0xcd, (byte) 0xef});
+
+        when(mockCert.getBasicConstraints()).thenReturn(isCa ? 99 : -1);
+        return mockCert;
     }
 
     private WifiConfiguration prepareWifiConfiguration(boolean isAtLeastT) {
@@ -707,13 +475,35 @@
         WifiConfiguration config = prepareWifiConfiguration(isAtLeastT);
         setupTest(config, isAtLeastT, isTrustOnFirstUseSupported);
 
-        CertificateEventInfo mockCaCert = generateMockCertEventInfo(TEST_GEN_CA_CERT);
-        CertificateEventInfo mockServerCert = generateMockCertEventInfo(TEST_GEN_SERVER_CERT);
+        X509Certificate mockCaCert = generateMockCert("ca", "ca", true);
+        X509Certificate mockServerCert = generateMockCert("server", "ca", false);
         mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 1, mockCaCert);
         mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 0, mockServerCert);
 
         verifyTrustOnFirstUseFlow(config, ACTION_ACCEPT, isTrustOnFirstUseSupported,
-                isUserSelected, needUserApproval, mockCaCert.getCert(), mockServerCert.getCert());
+                isUserSelected, needUserApproval, mockCaCert, mockServerCert);
+    }
+
+    /**
+     * Verify Trust On First Use flow with a self-signed CA cert.
+     * - This network is selected by a user.
+     * - Accept the connection.
+     */
+    @Test
+    public void verifyTrustOnFirstUseAcceptWhenConnectByUserWithSelfSignedCaCert()
+            throws Exception {
+        assumeTrue(SdkLevel.isAtLeastT());
+        boolean isAtLeastT = true, isTrustOnFirstUseSupported = true, isUserSelected = true;
+        boolean needUserApproval = true;
+
+        WifiConfiguration config = prepareWifiConfiguration(isAtLeastT);
+        setupTest(config, isAtLeastT, isTrustOnFirstUseSupported);
+
+        X509Certificate mockSelfSignedCert = generateMockCert("self", "self", false);
+        mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 0, mockSelfSignedCert);
+
+        verifyTrustOnFirstUseFlow(config, ACTION_ACCEPT, isTrustOnFirstUseSupported,
+                isUserSelected, needUserApproval, mockSelfSignedCert, mockSelfSignedCert);
     }
 
     /**
@@ -754,9 +544,9 @@
         setupTest(config, isAtLeastT, isTrustOnFirstUseSupported);
 
         mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 1,
-                generateMockCertEventInfo(TEST_GEN_CA_CERT));
+                generateMockCert("ca", "ca", true));
         mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 0,
-                generateMockCertEventInfo(TEST_GEN_SERVER_CERT));
+                generateMockCert("server", "ca", false));
 
         mInsecureEapNetworkHandler.startUserApprovalIfNecessary(isUserSelected);
         assertTrue(config.enterpriseConfig.isTrustOnFirstUseEnabled());
@@ -782,15 +572,37 @@
                 isInsecureEnterpriseConfigurationAllowed);
 
         mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 1,
-                generateMockCertEventInfo(TEST_GEN_CA_CERT));
+                generateMockCert("ca", "ca", true));
         mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 0,
-                generateMockCertEventInfo(TEST_GEN_SERVER_CERT));
+                generateMockCert("server", "ca", false));
 
         mInsecureEapNetworkHandler.startUserApprovalIfNecessary(isUserSelected);
         verify(mCallbacks, never()).onError(any());
     }
 
     /**
+     * Verify that it reports errors if the cert chain is headless.
+     */
+    @Test
+    public void verifyOnErrorWithHeadlessCertChain() throws Exception {
+        assumeTrue(SdkLevel.isAtLeastT());
+        boolean isAtLeastT = true, isTrustOnFirstUseSupported = true, isUserSelected = true;
+
+        WifiConfiguration config = prepareWifiConfiguration(isAtLeastT);
+        setupTest(config, isAtLeastT, isTrustOnFirstUseSupported);
+
+        // Missing root CA cert.
+        mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 0,
+                generateMockCert("server", "ca", false));
+
+        mInsecureEapNetworkHandler.startUserApprovalIfNecessary(isUserSelected);
+        verify(mCallbacks).onError(eq(config.SSID));
+        verify(mWifiConfigManager, atLeastOnce()).updateNetworkSelectionStatus(eq(config.networkId),
+                eq(WifiConfiguration.NetworkSelectionStatus
+                        .DISABLED_BY_WIFI_MANAGER));
+    }
+
+    /**
      * Verify that is reports errors if the server cert issuer does not match the parent subject.
      */
     @Test
@@ -801,35 +613,9 @@
         WifiConfiguration config = prepareWifiConfiguration(isAtLeastT);
         setupTest(config, isAtLeastT, isTrustOnFirstUseSupported);
 
-        CertificateEventInfo mockCaCert = generateMockCertEventInfo(TEST_GEN_CA2_CERT);
+        X509Certificate mockCaCert = generateMockCert("ca", "ca", true);
         // Missing intermediate cert.
-        CertificateEventInfo mockServerCert = generateMockCertEventInfo(TEST_GEN_SERVER_CERT);
-        mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 1, mockCaCert);
-        mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 0, mockServerCert);
-
-        mInsecureEapNetworkHandler.startUserApprovalIfNecessary(isUserSelected);
-        verify(mCallbacks).onError(eq(config.SSID));
-        verify(mWifiConfigManager, atLeastOnce()).updateNetworkSelectionStatus(eq(config.networkId),
-                eq(WifiConfiguration.NetworkSelectionStatus
-                        .DISABLED_BY_WIFI_MANAGER));
-    }
-
-    /**
-     * Verify that it reports errors if the issuer is a fake Root CA with the same subject of the
-     * real Root CA. Simulates an attack where the leaf is copied from the real server but a fake
-     * Root CA that an attacker controls is attached.
-     */
-    @Test
-    public void verifyOnErrorWithFakeRootCaCertInTheChain() throws Exception {
-        assumeTrue(SdkLevel.isAtLeastT());
-        boolean isAtLeastT = true, isTrustOnFirstUseSupported = true, isUserSelected = true;
-
-        WifiConfiguration config = prepareWifiConfiguration(isAtLeastT);
-        setupTest(config, isAtLeastT, isTrustOnFirstUseSupported);
-
-        // Fake Root CA that didn't sign the server cert
-        CertificateEventInfo mockCaCert = generateMockCertEventInfo(TEST_GEN_FAKE_CA_CERT);
-        CertificateEventInfo mockServerCert = generateMockCertEventInfo(TEST_GEN_SERVER_CERT);
+        X509Certificate mockServerCert = generateMockCert("server", "intermediate", false);
         mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 1, mockCaCert);
         mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 0, mockServerCert);
 
@@ -859,8 +645,7 @@
                 mCallbacks,
                 WIFI_IFACE_NAME,
                 mHandler);
-        CertificateEventInfo mockSelfSignedCert =
-                generateMockCertEventInfo(TEST_GEN_SELF_SIGNED_CERT);
+        X509Certificate mockSelfSignedCert = generateMockCert("self", "self", false);
         mInsecureEapNetworkHandler.addPendingCertificate("NotExist", 0, mockSelfSignedCert);
     }
 
@@ -874,13 +659,12 @@
 
         // Missing root CA cert.
         mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 0,
-                generateMockCertEventInfo(TEST_GEN_SERVER_CERT));
+                generateMockCert("server", "ca", false));
 
         // The wrong cert chain should be cleared after this call.
         mInsecureEapNetworkHandler.prepareConnection(config);
 
-        CertificateEventInfo mockSelfSignedCert =
-                generateMockCertEventInfo(TEST_GEN_SELF_SIGNED_CERT);
+        X509Certificate mockSelfSignedCert = generateMockCert("self", "self", false);
         mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 0, mockSelfSignedCert);
 
         mInsecureEapNetworkHandler.startUserApprovalIfNecessary(isUserSelected);
@@ -895,8 +679,7 @@
         WifiConfiguration config = prepareWifiConfiguration(isAtLeastT);
         setupTest(config, isAtLeastT, isTrustOnFirstUseSupported);
 
-        CertificateEventInfo mockSelfSignedCert =
-                generateMockCertEventInfo(TEST_GEN_SELF_SIGNED_CERT);
+        X509Certificate mockSelfSignedCert = generateMockCert("self", "self", false);
         mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 0, mockSelfSignedCert);
 
         // Pass another PSK config which is not the same as the current one.
@@ -918,14 +701,16 @@
     private void verifyTrustOnFirstUseFlowWithDefaultCerts(WifiConfiguration config,
             int action, boolean isTrustOnFirstUseSupported, boolean isUserSelected,
             boolean needUserApproval) throws Exception {
-        CertificateEventInfo mockCaCert = generateMockCertEventInfo(TEST_GEN_CA_CERT);
-        CertificateEventInfo mockServerCert = generateMockCertEventInfo(TEST_GEN_SERVER_CERT);
+        X509Certificate mockCaCert = generateMockCert("ca", "ca", true);
+        X509Certificate mockServerCert = generateMockCert("server", "middle", false);
         if (isTrustOnFirstUseSupported) {
-            mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 1, mockCaCert);
+            mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 2, mockCaCert);
+            mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 1,
+                    generateMockCert("middle", "ca", false));
             mInsecureEapNetworkHandler.addPendingCertificate(config.SSID, 0, mockServerCert);
         }
         verifyTrustOnFirstUseFlow(config, action, isTrustOnFirstUseSupported,
-                isUserSelected, needUserApproval, mockCaCert.getCert(), mockServerCert.getCert());
+                isUserSelected, needUserApproval, mockCaCert, mockServerCert);
     }
 
     private void verifyTrustOnFirstUseFlow(WifiConfiguration config,
@@ -942,7 +727,7 @@
                     any(), dialogMessageCaptor.capture(), any(), anyInt(), anyInt(), any(), any(),
                     any(), dialogCallbackCaptor.capture(), any());
             if (isTrustOnFirstUseSupported) {
-                assertTofuDialogMessage(expectedServerCert,
+                assertTofuDialogMessage(expectedCaCert, expectedServerCert,
                         dialogMessageCaptor.getValue());
             }
             if (action == ACTION_ACCEPT) {
@@ -967,7 +752,7 @@
                 verify(mWifiDialogManager).createSimpleDialogWithUrl(
                         any(), dialogMessageCaptor.capture(), any(), anyInt(), anyInt(), any(),
                         any(), any(), dialogCallbackCaptor.capture(), any());
-                assertTofuDialogMessage(expectedServerCert,
+                assertTofuDialogMessage(expectedCaCert, expectedServerCert,
                         dialogMessageCaptor.getValue());
                 if (action == ACTION_ACCEPT) {
                     dialogCallbackCaptor.getValue().onPositiveButtonClicked();
@@ -992,7 +777,14 @@
         if (action == ACTION_ACCEPT) {
             verify(mWifiConfigManager).updateNetworkSelectionStatus(eq(config.networkId),
                     eq(WifiConfiguration.NetworkSelectionStatus.DISABLED_NONE));
-            verify(mCallbacks).onAccept(eq(config.SSID), eq(config.networkId));
+            if (isTrustOnFirstUseSupported) {
+                verify(mWifiConfigManager).updateCaCertificate(
+                        eq(config.networkId), eq(expectedCaCert), eq(expectedServerCert));
+            } else {
+                verify(mWifiConfigManager, never()).updateCaCertificate(
+                        anyInt(), any(), any());
+            }
+            verify(mCallbacks).onAccept(eq(config.SSID));
         } else if (action == ACTION_REJECT) {
             verify(mWifiConfigManager, atLeastOnce())
                     .updateNetworkSelectionStatus(eq(config.networkId),
@@ -1008,6 +800,7 @@
     }
 
     private void assertTofuDialogMessage(
+            X509Certificate rootCaCert,
             X509Certificate serverCert,
             String message) {
         CertificateSubjectInfo serverCertSubjectInfo =
@@ -1045,8 +838,8 @@
      */
     @Test
     public void verifyGetDigest() throws Exception {
-        CertificateEventInfo mockServerCert = generateMockCertEventInfo(TEST_GEN_SERVER_CERT);
-        assertEquals(TEST_EXPECTED_SHA_256_SIGNATURE,
-                mInsecureEapNetworkHandler.getDigest(mockServerCert.getCert(), "SHA256"));
+        X509Certificate mockServerCert = generateMockCert("server", "ca", false);
+        assertEquals(mInsecureEapNetworkHandler.getDigest(mockServerCert, "SHA256"),
+                TEST_EXPECTED_SHA_256_SIGNATURE);
     }
 }

service/tests/wifitests/src/com/android/server/wifi/NetworkSuggestionStoreDataTest.java

diff --git a/service/tests/wifitests/src/com/android/server/wifi/NetworkSuggestionStoreDataTest.java b/service/tests/wifitests/src/com/android/server/wifi/NetworkSuggestionStoreDataTest.java
index a201086..de777a1 100644
--- a/service/tests/wifitests/src/com/android/server/wifi/NetworkSuggestionStoreDataTest.java
+++ b/service/tests/wifitests/src/com/android/server/wifi/NetworkSuggestionStoreDataTest.java
@@ -525,6 +525,11 @@
         homeSp.setFqdn(fqdn);
         homeSp.setFriendlyName(friendlyName);
         config.setHomeSp(homeSp);
+        Map<String, String> friendlyNames = new HashMap<>();
+        friendlyNames.put("en", friendlyName);
+        friendlyNames.put("kr", friendlyName + 1);
+        friendlyNames.put("jp", friendlyName + 2);
+        config.setServiceFriendlyNames(friendlyNames);
         Credential credential = new Credential();
         credential.setRealm(TEST_REALM);
         credential.setCaCertificate(FakeKeys.CA_CERT0);

service/tests/wifitests/src/com/android/server/wifi/SupplicantStaNetworkCallbackAidlImplTest.java

diff --git a/service/tests/wifitests/src/com/android/server/wifi/SupplicantStaNetworkCallbackAidlImplTest.java b/service/tests/wifitests/src/com/android/server/wifi/SupplicantStaNetworkCallbackAidlImplTest.java
index 2c52db9..78b9316 100644
--- a/service/tests/wifitests/src/com/android/server/wifi/SupplicantStaNetworkCallbackAidlImplTest.java
+++ b/service/tests/wifitests/src/com/android/server/wifi/SupplicantStaNetworkCallbackAidlImplTest.java
@@ -15,8 +15,6 @@
  */
 package com.android.server.wifi;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
 import static org.mockito.Matchers.eq;
 import static org.mockito.Mockito.any;
 import static org.mockito.Mockito.anyInt;
@@ -34,7 +32,6 @@
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
-import org.mockito.ArgumentCaptor;
 import org.mockito.Mock;
 import org.mockito.MockitoAnnotations;
 import org.mockito.MockitoSession;
@@ -95,14 +92,9 @@
     public void testOnCertificateSuccess() throws Exception {
         mSupplicantStaNetworkCallbackAidlImpl.onServerCertificateAvailable(
                 0, "subject".getBytes(), "certHash".getBytes(), "cert".getBytes());
-        ArgumentCaptor<CertificateEventInfo> certificateEventInfoArgumentCaptor =
-                ArgumentCaptor.forClass(CertificateEventInfo.class);
         verify(mWifiMonitor).broadcastCertificationEvent(
-                eq(TEST_INTERFACE), eq(TEST_NETWORK_ID), eq(TEST_SSID), eq(0),
-                certificateEventInfoArgumentCaptor.capture());
-
-        assertEquals(mX509Certificate, certificateEventInfoArgumentCaptor.getValue().getCert());
-        assertTrue("certHash".equals(certificateEventInfoArgumentCaptor.getValue().getCertHash()));
+                eq(TEST_INTERFACE), eq(TEST_NETWORK_ID),
+                eq(TEST_SSID), eq(0), eq(mX509Certificate));
     }
 
     /** verify onServerCertificateAvailable with illegal arguments. */

service/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java

diff --git a/service/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java b/service/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java
index f5eaf3a..f8c9123 100644
--- a/service/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java
+++ b/service/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java
@@ -102,6 +102,8 @@
 import java.io.FileDescriptor;
 import java.io.PrintWriter;
 import java.io.StringWriter;
+import java.security.Principal;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -483,7 +485,7 @@
     public void testAddWapiPskHexNetwork() {
         WifiConfiguration wapiPskNetwork = WifiConfigurationTestUtil.createWapiPskNetwork();
         wapiPskNetwork.preSharedKey =
-            "123456780abcdef0123456780abcdef0123456780abcdef0123456780abcdef0";
+            "123456780abcdef0123456780abcdef0";
         List<WifiConfiguration> networks = new ArrayList<>();
         networks.add(wapiPskNetwork);
 
@@ -7488,9 +7490,170 @@
     }
 
     @Test
+    public void testUpdateCaCertificateSuccess() throws Exception {
+        when(mPrimaryClientModeManager.getSupportedFeatures()).thenReturn(
+                WifiManager.WIFI_FEATURE_TRUST_ON_FIRST_USE);
+
+        int openNetId = verifyAddNetwork(WifiConfigurationTestUtil.createOpenNetwork(), true);
+        int eapPeapNetId = verifyAddNetwork(prepareTofuEapConfig(
+                WifiEnterpriseConfig.Eap.PEAP, WifiEnterpriseConfig.Phase2.NONE), true);
+        int eapSimNetId = verifyAddNetwork(WifiConfigurationTestUtil.createEapNetwork(
+                WifiEnterpriseConfig.Eap.SIM, WifiEnterpriseConfig.Phase2.NONE), true);
+        assertTrue(mWifiConfigManager.updateCaCertificate(eapPeapNetId, FakeKeys.CA_CERT0,
+                FakeKeys.CA_CERT1));
+        WifiConfiguration config = mWifiConfigManager.getConfiguredNetwork(eapPeapNetId);
+        assertFalse(config.enterpriseConfig.isTrustOnFirstUseEnabled());
+        assertFalse(config.enterpriseConfig.isUserApproveNoCaCert());
+        assertEquals(FakeKeys.CA_CERT0, config.enterpriseConfig.getCaCertificate());
+    }
+
+    @Test
+    public void testUpdateCaCertificateWithoutAltSubjectNames() throws Exception {
+        when(mPrimaryClientModeManager.getSupportedFeatures()).thenReturn(
+                WifiManager.WIFI_FEATURE_TRUST_ON_FIRST_USE);
+
+        verifyAddNetwork(WifiConfigurationTestUtil.createOpenNetwork(), true);
+        int eapPeapNetId = verifyAddNetwork(prepareTofuEapConfig(
+                WifiEnterpriseConfig.Eap.PEAP, WifiEnterpriseConfig.Phase2.NONE), true);
+        verifyAddNetwork(WifiConfigurationTestUtil.createEapNetwork(
+                WifiEnterpriseConfig.Eap.SIM, WifiEnterpriseConfig.Phase2.NONE), true);
+
+        X509Certificate mockServerCert = mock(X509Certificate.class);
+        Principal mockSubjectDn = mock(Principal.class);
+        when(mockServerCert.getSubjectDN()).thenReturn(mockSubjectDn);
+        when(mockSubjectDn.getName()).thenReturn(
+                "C=TW,ST=Taiwan,L=Taipei,O=Google,CN=mockServerCert");
+
+        assertTrue(mWifiConfigManager.updateCaCertificate(eapPeapNetId, FakeKeys.CA_CERT0,
+                mockServerCert));
+        WifiConfiguration config = mWifiConfigManager.getConfiguredNetwork(eapPeapNetId);
+        assertFalse(config.enterpriseConfig.isTrustOnFirstUseEnabled());
+        assertFalse(config.enterpriseConfig.isUserApproveNoCaCert());
+        assertEquals("mockServerCert", config.enterpriseConfig.getDomainSuffixMatch());
+        assertEquals("", config.enterpriseConfig.getAltSubjectMatch());
+    }
+
+    @Test
+    public void testUpdateCaCertificateWithAltSubjectNames() throws Exception {
+        when(mPrimaryClientModeManager.getSupportedFeatures()).thenReturn(
+                WifiManager.WIFI_FEATURE_TRUST_ON_FIRST_USE);
+
+        verifyAddNetwork(WifiConfigurationTestUtil.createOpenNetwork(), true);
+        int eapPeapNetId = verifyAddNetwork(prepareTofuEapConfig(
+                WifiEnterpriseConfig.Eap.PEAP, WifiEnterpriseConfig.Phase2.NONE), true);
+        verifyAddNetwork(WifiConfigurationTestUtil.createEapNetwork(
+                WifiEnterpriseConfig.Eap.SIM, WifiEnterpriseConfig.Phase2.NONE), true);
+
+        X509Certificate mockServerCert = mock(X509Certificate.class);
+        Principal mockSubjectDn = mock(Principal.class);
+        when(mockServerCert.getSubjectDN()).thenReturn(mockSubjectDn);
+        when(mockSubjectDn.getName()).thenReturn(
+                "C=TW,ST=Taiwan,L=Taipei,O=Google,CN=mockServerCert");
+        List<List<?>> altNames = new ArrayList<>();
+        // DNS name 1 with type 2
+        altNames.add(Arrays.asList(new Object[]{2, "wifi.android"}));
+        // EMail with type 1
+        altNames.add(Arrays.asList(new Object[]{1, "test@wifi.com"}));
+        // DNS name 2 with type 2
+        altNames.add(Arrays.asList(new Object[]{2, "network.android"}));
+        // RID name 2 with type 8, this one should be ignored.
+        altNames.add(Arrays.asList(new Object[]{8, "1.2.3.4"}));
+        // URI name with type 6
+        altNames.add(Arrays.asList(new Object[]{6, "http://test.android.com"}));
+        when(mockServerCert.getSubjectAlternativeNames()).thenReturn(altNames);
+
+        assertTrue(mWifiConfigManager.updateCaCertificate(eapPeapNetId, FakeKeys.CA_CERT0,
+                mockServerCert));
+        WifiConfiguration config = mWifiConfigManager.getConfiguredNetwork(eapPeapNetId);
+        assertFalse(config.enterpriseConfig.isTrustOnFirstUseEnabled());
+        assertFalse(config.enterpriseConfig.isUserApproveNoCaCert());
+        assertEquals("", config.enterpriseConfig.getDomainSuffixMatch());
+        assertEquals("DNS:wifi.android;EMAIL:test@wifi.com;DNS:network.android;"
+                + "URI:http://test.android.com",
+                config.enterpriseConfig.getAltSubjectMatch());
+    }
+
+    @Test
+    public void testUpdateCaCertificateFaiulreInvalidArgument() throws Exception {
+        when(mPrimaryClientModeManager.getSupportedFeatures()).thenReturn(
+                WifiManager.WIFI_FEATURE_TRUST_ON_FIRST_USE);
+
+        int openNetId = verifyAddNetwork(WifiConfigurationTestUtil.createOpenNetwork(), true);
+        int eapPeapNetId = verifyAddNetwork(prepareTofuEapConfig(
+                WifiEnterpriseConfig.Eap.PEAP, WifiEnterpriseConfig.Phase2.NONE), true);
+        int eapSimNetId = verifyAddNetwork(WifiConfigurationTestUtil.createEapNetwork(
+                WifiEnterpriseConfig.Eap.SIM, WifiEnterpriseConfig.Phase2.NONE), true);
+
+        // Invalid network id
+        assertFalse(mWifiConfigManager.updateCaCertificate(-1, FakeKeys.CA_CERT0,
+                FakeKeys.CA_CERT1));
+
+        // Not an enterprise network
+        assertFalse(mWifiConfigManager.updateCaCertificate(openNetId, FakeKeys.CA_CERT0,
+                FakeKeys.CA_CERT1));
+
+        // Not a certificate baseed enterprise network
+        assertFalse(mWifiConfigManager.updateCaCertificate(eapSimNetId, FakeKeys.CA_CERT0,
+                FakeKeys.CA_CERT1));
+
+        // No cert
+        assertFalse(mWifiConfigManager.updateCaCertificate(eapPeapNetId, null, null));
+
+        // No valid subject
+        X509Certificate mockServerCert = mock(X509Certificate.class);
+        Principal mockSubjectDn = mock(Principal.class);
+        when(mockServerCert.getSubjectDN()).thenReturn(mockSubjectDn);
+        when(mockSubjectDn.getName()).thenReturn("");
+        assertFalse(mWifiConfigManager.updateCaCertificate(eapPeapNetId, FakeKeys.CA_CERT0,
+                mockServerCert));
+    }
+
+    @Test
+    public void testUpdateCaCertificateSuccessWithSelfSignedCertificate() throws Exception {
+        when(mPrimaryClientModeManager.getSupportedFeatures()).thenReturn(
+                WifiManager.WIFI_FEATURE_TRUST_ON_FIRST_USE);
+
+        int openNetId = verifyAddNetwork(WifiConfigurationTestUtil.createOpenNetwork(), true);
+        int eapPeapNetId = verifyAddNetwork(prepareTofuEapConfig(
+                WifiEnterpriseConfig.Eap.PEAP, WifiEnterpriseConfig.Phase2.NONE), true);
+        int eapSimNetId = verifyAddNetwork(WifiConfigurationTestUtil.createEapNetwork(
+                WifiEnterpriseConfig.Eap.SIM, WifiEnterpriseConfig.Phase2.NONE), true);
+
+        X509Certificate mockCaCert = mock(X509Certificate.class);
+        when(mockCaCert.getBasicConstraints()).thenReturn(-1);
+        assertTrue(mWifiConfigManager.updateCaCertificate(eapPeapNetId, mockCaCert,
+                FakeKeys.CA_CERT1));
+        WifiConfiguration config = mWifiConfigManager.getConfiguredNetwork(eapPeapNetId);
+        assertFalse(config.enterpriseConfig.isTrustOnFirstUseEnabled());
+        assertFalse(config.enterpriseConfig.isUserApproveNoCaCert());
+        assertEquals(mockCaCert, config.enterpriseConfig.getCaCertificate());
+    }
+
+    @Test
+    public void testUpdateCaCertificateFailureWithSelfSignedCertificateAndTofuNotEnabled()
+            throws Exception {
+        when(mPrimaryClientModeManager.getSupportedFeatures()).thenReturn(
+                WifiManager.WIFI_FEATURE_TRUST_ON_FIRST_USE);
+
+        int openNetId = verifyAddNetwork(WifiConfigurationTestUtil.createOpenNetwork(), true);
+        int eapPeapNetId = verifyAddNetwork(WifiConfigurationTestUtil.createEapNetwork(
+                WifiEnterpriseConfig.Eap.PEAP, WifiEnterpriseConfig.Phase2.NONE), true);
+        int eapSimNetId = verifyAddNetwork(WifiConfigurationTestUtil.createEapNetwork(
+                WifiEnterpriseConfig.Eap.SIM, WifiEnterpriseConfig.Phase2.NONE), true);
+
+        X509Certificate mockCaCert = mock(X509Certificate.class);
+        when(mockCaCert.getBasicConstraints()).thenReturn(-1);
+        assertFalse(mWifiConfigManager.updateCaCertificate(eapPeapNetId, mockCaCert,
+                FakeKeys.CA_CERT1));
+        WifiConfiguration config = mWifiConfigManager.getConfiguredNetwork(eapPeapNetId);
+        assertEquals(null, config.enterpriseConfig.getCaCertificate());
+    }
+
+    @Test
     public void testUpdateNetworkWithCreatorOverride() {
         WifiConfiguration config = WifiConfigurationTestUtil.createOpenNetwork();
         int openNetId = verifyAddNetwork(WifiConfigurationTestUtil.createOpenNetwork(), true);
+
         assertEquals(TEST_CREATOR_UID, mWifiConfigManager
                 .getConfiguredNetwork(openNetId).creatorUid);
         config.networkId = openNetId;

service/tests/wifitests/src/com/android/server/wifi/WifiConfigurationUtilTest.java

diff --git a/service/tests/wifitests/src/com/android/server/wifi/WifiConfigurationUtilTest.java b/service/tests/wifitests/src/com/android/server/wifi/WifiConfigurationUtilTest.java
index 7cabcd8..e3b3253 100644
--- a/service/tests/wifitests/src/com/android/server/wifi/WifiConfigurationUtilTest.java
+++ b/service/tests/wifitests/src/com/android/server/wifi/WifiConfigurationUtilTest.java
@@ -369,21 +369,6 @@
                 WifiConfigurationUtil.VALIDATE_FOR_ADD));
     }
 
-    @Test
-    public void testValidateNegativeCases_BadAsciiPskLengthWapi() {
-        WifiConfiguration config = WifiConfigurationTestUtil.createWapiPskNetwork();
-        assertTrue(WifiConfigurationUtil.validate(config, SUPPORTED_FEATURES_ALL,
-                WifiConfigurationUtil.VALIDATE_FOR_ADD));
-
-        config.preSharedKey = "\"abcdffeeretretyetreteteteabe34tetrertertrsraaaaaaaaaaa345eqwrweewq"
-                + "weqe\"";
-        assertFalse(WifiConfigurationUtil.validate(config, SUPPORTED_FEATURES_ALL,
-                WifiConfigurationUtil.VALIDATE_FOR_ADD));
-        config.preSharedKey = "\"454\"";
-        assertFalse(WifiConfigurationUtil.validate(config, SUPPORTED_FEATURES_ALL,
-                WifiConfigurationUtil.VALIDATE_FOR_ADD));
-    }
-
     /**
      * Verify that the validate method fails to validate WifiConfiguration with bad sae length.
      */
@@ -417,17 +402,6 @@
                 WifiConfigurationUtil.VALIDATE_FOR_ADD));
     }
 
-    @Test
-    public void testValidateNegativeCases_MalformedAsciiPskStringWapi() {
-        WifiConfiguration config = WifiConfigurationTestUtil.createWapiPskNetwork();
-        assertTrue(WifiConfigurationUtil.validate(config, SUPPORTED_FEATURES_ALL,
-                WifiConfigurationUtil.VALIDATE_FOR_ADD));
-
-        config.preSharedKey = "\"abcdfefeeretrety";
-        assertFalse(WifiConfigurationUtil.validate(config, SUPPORTED_FEATURES_ALL,
-                WifiConfigurationUtil.VALIDATE_FOR_ADD));
-    }
-
     /**
      * Verify that the validate method fails to validate WifiConfiguration with malformed sae
      * string.
@@ -460,20 +434,6 @@
                 WifiConfigurationUtil.VALIDATE_FOR_ADD));
     }
 
-    @Test
-    public void testValidateNegativeCases_BadHexPskLengthWapi() {
-        WifiConfiguration config = WifiConfigurationTestUtil.createWapiPskNetwork();
-        assertTrue(WifiConfigurationUtil.validate(config, SUPPORTED_FEATURES_ALL,
-                WifiConfigurationUtil.VALIDATE_FOR_ADD));
-
-        config.preSharedKey = "abcd123456788990013453445345465465476546";
-        assertFalse(WifiConfigurationUtil.validate(config, SUPPORTED_FEATURES_ALL,
-                WifiConfigurationUtil.VALIDATE_FOR_ADD));
-        config.preSharedKey = "";
-        assertFalse(WifiConfigurationUtil.validate(config, SUPPORTED_FEATURES_ALL,
-                WifiConfigurationUtil.VALIDATE_FOR_ADD));
-    }
-
     /**
      * Verify that the validate method fails to validate WifiConfiguration with malformed psk
      * string.
@@ -489,17 +449,6 @@
                 WifiConfigurationUtil.VALIDATE_FOR_ADD));
     }
 
-    @Test
-    public void testValidateNegativeCases_MalformedHexPskStringWapi() {
-        WifiConfiguration config = WifiConfigurationTestUtil.createWapiPskNetwork();
-        assertTrue(WifiConfigurationUtil.validate(config, SUPPORTED_FEATURES_ALL,
-                WifiConfigurationUtil.VALIDATE_FOR_ADD));
-
-        config.preSharedKey = "adbdfgretrtyrtyrty";
-        assertFalse(WifiConfigurationUtil.validate(config, SUPPORTED_FEATURES_ALL,
-                WifiConfigurationUtil.VALIDATE_FOR_ADD));
-    }
-
     /**
      * Verify that the validate method fails to validate WifiConfiguration with malformed sae
      * string.

service/tests/wifitests/src/com/android/server/wifi/WifiMonitorTest.java

diff --git a/service/tests/wifitests/src/com/android/server/wifi/WifiMonitorTest.java b/service/tests/wifitests/src/com/android/server/wifi/WifiMonitorTest.java
index 2a6404e..d6454b4 100644
--- a/service/tests/wifitests/src/com/android/server/wifi/WifiMonitorTest.java
+++ b/service/tests/wifitests/src/com/android/server/wifi/WifiMonitorTest.java
@@ -51,6 +51,7 @@
 import org.junit.Test;
 import org.mockito.ArgumentCaptor;
 
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -746,20 +747,18 @@
     public void testBroadcastCertificateEvent() {
         final int depth = 2;
         mWifiMonitor.registerHandler(
-                WLAN_IFACE_NAME, WifiMonitor.TOFU_CERTIFICATE_EVENT, mHandlerSpy);
+                WLAN_IFACE_NAME, WifiMonitor.TOFU_ROOT_CA_CERTIFICATE, mHandlerSpy);
         mWifiMonitor.broadcastCertificationEvent(
-                WLAN_IFACE_NAME, NETWORK_ID, SSID, depth,
-                new CertificateEventInfo(FakeKeys.CA_CERT0, "1234"));
+                WLAN_IFACE_NAME, NETWORK_ID, SSID, depth, FakeKeys.CA_CERT0);
         mLooper.dispatchAll();
 
         ArgumentCaptor<Message> messageCaptor = ArgumentCaptor.forClass(Message.class);
         verify(mHandlerSpy).handleMessage(messageCaptor.capture());
-        assertEquals(WifiMonitor.TOFU_CERTIFICATE_EVENT, messageCaptor.getValue().what);
+        assertEquals(WifiMonitor.TOFU_ROOT_CA_CERTIFICATE, messageCaptor.getValue().what);
         assertEquals(NETWORK_ID, messageCaptor.getValue().arg1);
         assertEquals(depth, messageCaptor.getValue().arg2);
-        CertificateEventInfo certEventInfo = (CertificateEventInfo) messageCaptor.getValue().obj;
-        assertEquals(FakeKeys.CA_CERT0, certEventInfo.getCert());
-        assertEquals("1234", certEventInfo.getCertHash());
+        X509Certificate cert = (X509Certificate) messageCaptor.getValue().obj;
+        assertEquals(FakeKeys.CA_CERT0, cert);
     }
 
     /**

service/tests/wifitests/src/com/android/server/wifi/WifiNetworkSuggestionsManagerTest.java

diff --git a/service/tests/wifitests/src/com/android/server/wifi/WifiNetworkSuggestionsManagerTest.java b/service/tests/wifitests/src/com/android/server/wifi/WifiNetworkSuggestionsManagerTest.java
index eeb3ad3..bfa1725 100644
--- a/service/tests/wifitests/src/com/android/server/wifi/WifiNetworkSuggestionsManagerTest.java
+++ b/service/tests/wifitests/src/com/android/server/wifi/WifiNetworkSuggestionsManagerTest.java
@@ -4921,6 +4921,11 @@
         homeSp.setFqdn(fqdn);
         homeSp.setFriendlyName(friendlyName);
         config.setHomeSp(homeSp);
+        Map<String, String> friendlyNames = new HashMap<>();
+        friendlyNames.put("en", friendlyName);
+        friendlyNames.put("kr", friendlyName + 1);
+        friendlyNames.put("jp", friendlyName + 2);
+        config.setServiceFriendlyNames(friendlyNames);
         Credential credential = new Credential();
         credential.setRealm(TEST_REALM);
         credential.setCaCertificate(FakeKeys.CA_CERT0);

service/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointManagerTest.java

diff --git a/service/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointManagerTest.java b/service/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointManagerTest.java
index 2acd185..8cafc9f 100644
--- a/service/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointManagerTest.java
+++ b/service/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointManagerTest.java
@@ -51,7 +51,6 @@
 import static org.mockito.Mockito.when;
 import static org.mockito.MockitoAnnotations.initMocks;
 
-import android.app.ActivityManager;
 import android.app.AppOpsManager;
 import android.content.Context;
 import android.content.Intent;
@@ -220,7 +219,6 @@
     @Mock WifiNetworkSuggestionsManager mWifiNetworkSuggestionsManager;
     @Mock MacAddressUtil mMacAddressUtil;
     @Mock WifiPermissionsUtil mWifiPermissionsUtil;
-    @Mock ActivityManager mActivityManager;
 
     Handler mHandler;
     TestLooper mLooper;
@@ -259,7 +257,6 @@
                 any(PasspointManager.class), any(WifiMetrics.class)))
                 .thenReturn(mPasspointProvisioner);
         when(mContext.getSystemService(Context.APP_OPS_SERVICE)).thenReturn(mAppOpsManager);
-        when(mContext.getSystemService(ActivityManager.class)).thenReturn(mActivityManager);
         when(mWifiInjector.getWifiNetworkSuggestionsManager())
                 .thenReturn(mWifiNetworkSuggestionsManager);
         when(mWifiPermissionsUtil.doesUidBelongToCurrentUserOrDeviceOwner(anyInt()))
@@ -372,6 +369,11 @@
         homeSp.setFqdn(fqdn);
         homeSp.setFriendlyName(friendlyName);
         config.setHomeSp(homeSp);
+        Map<String, String> friendlyNames = new HashMap<>();
+        friendlyNames.put("en", friendlyName);
+        friendlyNames.put("kr", friendlyName + 1);
+        friendlyNames.put("jp", friendlyName + 2);
+        config.setServiceFriendlyNames(friendlyNames);
         Credential credential = new Credential();
         credential.setRealm(realm != null ? realm : TEST_REALM);
         credential.setCaCertificate(FakeKeys.CA_CERT0);
@@ -408,14 +410,12 @@
     }
 
     private PasspointProvider addTestProvider(String fqdn, String friendlyName,
-            String packageName, boolean isSuggestion, String realm,
-            boolean addServiceFriendlyNames) {
+            String packageName, boolean isSuggestion, String realm) {
         WifiConfiguration wifiConfig = WifiConfigurationTestUtil.generateWifiConfig(-1, TEST_UID,
                 "\"PasspointTestSSID\"", true, true,
                 fqdn, friendlyName, SECURITY_EAP);
 
-        return addTestProvider(fqdn, friendlyName, packageName, wifiConfig, isSuggestion, realm,
-                addServiceFriendlyNames);
+        return addTestProvider(fqdn, friendlyName, packageName, wifiConfig, isSuggestion, realm);
     }
 
     /**
@@ -425,18 +425,10 @@
      * @return {@link PasspointProvider}
      */
     private PasspointProvider addTestProvider(String fqdn, String friendlyName,
-            String packageName, WifiConfiguration wifiConfig, boolean isSuggestion, String realm,
-            boolean addServiceFriendlyNames) {
+            String packageName, WifiConfiguration wifiConfig, boolean isSuggestion, String realm) {
         PasspointConfiguration config =
                 createTestConfigWithUserCredentialAndRealm(fqdn, friendlyName, realm);
         wifiConfig.setPasspointUniqueId(config.getUniqueId());
-        if (addServiceFriendlyNames) {
-            Map<String, String> friendlyNames = new HashMap<>();
-            friendlyNames.put("en", friendlyName);
-            friendlyNames.put("kr", friendlyName + 1);
-            friendlyNames.put("jp", friendlyName + 2);
-            config.setServiceFriendlyNames(friendlyNames);
-        }
         PasspointProvider provider = createMockProvider(config, wifiConfig, isSuggestion);
         when(mObjectFactory.makePasspointProvider(eq(config), eq(mWifiKeyStore),
                 eq(mWifiCarrierInfoManager), anyLong(), eq(TEST_CREATOR_UID), eq(TEST_PACKAGE),
@@ -1053,7 +1045,7 @@
                 com.android.dx.mockito.inline.extended.ExtendedMockito.mockitoSession().mockStatic(
                         InformationElementUtil.class).startMocking();
         try {
-            addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null, false);
+            addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null);
 
             when(mAnqpCache.getEntry(TEST_ANQP_KEY)).thenReturn(null);
             InformationElementUtil.Vsa vsa = new InformationElementUtil.Vsa();
@@ -1082,7 +1074,7 @@
     @Test
     public void matchProviderAsHomeProvider() throws Exception {
         PasspointProvider provider =
-                addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null, false);
+                addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null);
         ANQPData entry = new ANQPData(mClock, null);
 
         when(mAnqpCache.getEntry(TEST_ANQP_KEY)).thenReturn(entry);
@@ -1103,7 +1095,7 @@
     @Test
     public void matchProviderAsRoamingProvider() throws Exception {
         PasspointProvider provider =
-                addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null, false);
+                addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null);
         ANQPData entry = new ANQPData(mClock, null);
 
         when(mAnqpCache.getEntry(TEST_ANQP_KEY)).thenReturn(entry);
@@ -1124,7 +1116,7 @@
     @Test
     public void matchProviderWithNoMatch() throws Exception {
         PasspointProvider provider =
-                addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null, false);
+                addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null);
         ANQPData entry = new ANQPData(mClock, null);
 
         when(mAnqpCache.getEntry(TEST_ANQP_KEY)).thenReturn(entry);
@@ -1183,7 +1175,7 @@
                         InformationElementUtil.class).startMocking();
         try {
             PasspointProvider provider = addTestProvider(TEST_FQDN + 0, TEST_FRIENDLY_NAME,
-                    TEST_PACKAGE, false, null, false);
+                    TEST_PACKAGE, false, null);
             when(provider.tryUpdateCarrierId()).thenReturn(true);
             reset(mWifiConfigManager);
 
@@ -1217,15 +1209,15 @@
                         InformationElementUtil.class).startMocking();
         try {
             PasspointProvider providerHome = addTestProvider(TEST_FQDN + 0, TEST_FRIENDLY_NAME,
-                    TEST_PACKAGE, false, null, false);
+                    TEST_PACKAGE, false, null);
             providerHome.getWifiConfig().isHomeProviderNetwork = true;
             PasspointProvider providerRoaming = addTestProvider(TEST_FQDN + 1, TEST_FRIENDLY_NAME,
-                    TEST_PACKAGE, false, null, false);
+                    TEST_PACKAGE, false, null);
             WifiConfiguration wifiConfiguration = WifiConfigurationTestUtil.generateWifiConfig(-1,
                     TEST_UID, "\"PasspointTestSSID\"", true, true,
                     TEST_FQDN + 2, TEST_FRIENDLY_NAME, SECURITY_EAP);
             PasspointProvider providerNone = addTestProvider(TEST_FQDN + 2, TEST_FRIENDLY_NAME,
-                    TEST_PACKAGE, wifiConfiguration, false, null, false);
+                    TEST_PACKAGE, wifiConfiguration, false, null);
             ANQPData entry = new ANQPData(mClock, null);
             InformationElementUtil.Vsa vsa = new InformationElementUtil.Vsa();
             vsa.anqpDomainID = TEST_ANQP_DOMAIN_ID2;
@@ -1274,21 +1266,21 @@
     @Test
     public void getWifiConfigsForPasspointProfiles() {
         PasspointProvider provider1 = addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME,
-                TEST_PACKAGE, false, null, false);
+                TEST_PACKAGE, false, null);
         WifiConfiguration config1 = provider1.getWifiConfig();
         when(mWifiConfigManager.getConfiguredNetwork(provider1.getConfig().getUniqueId()))
                 .thenReturn(config1);
         PasspointProvider provider2 = addTestProvider(TEST_FQDN + 1, TEST_FRIENDLY_NAME,
-                TEST_PACKAGE, false, null, false);
+                TEST_PACKAGE, false, null);
         PasspointProvider provider3 = addTestProvider(TEST_FQDN + 2, TEST_FRIENDLY_NAME,
-                TEST_PACKAGE, true, null, false);
+                TEST_PACKAGE, true, null);
         when(mWifiNetworkSuggestionsManager
                 .isPasspointSuggestionSharedWithUser(provider3.getWifiConfig())).thenReturn(false);
         WifiConfiguration config3 = provider3.getWifiConfig();
         when(mWifiConfigManager.getConfiguredNetwork(provider3.getConfig().getUniqueId()))
                 .thenReturn(config3);
         PasspointProvider provider4 = addTestProvider(TEST_FQDN + 3, TEST_FRIENDLY_NAME,
-                TEST_PACKAGE, true, null, false);
+                TEST_PACKAGE, true, null);
         when(mWifiNetworkSuggestionsManager
                 .isPasspointSuggestionSharedWithUser(provider4.getWifiConfig())).thenReturn(true);
         WifiConfiguration config4 = provider4.getWifiConfig();
@@ -1318,7 +1310,7 @@
         when(mMacAddressUtil.calculatePersistentMac(any(), any())).thenReturn(randomizedMacAddress);
         when(mWifiConfigManager.shouldUseNonPersistentRandomization(any())).thenReturn(false);
         PasspointProvider provider = addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME,
-                TEST_PACKAGE, false, null, false);
+                TEST_PACKAGE, false, null);
         WifiConfiguration configuration = provider.getWifiConfig();
         when(mWifiConfigManager.getConfiguredNetwork(provider.getConfig().getUniqueId()))
                 .thenReturn(configuration);
@@ -1341,7 +1333,7 @@
         when(mMacAddressUtil.calculatePersistentMac(any(), any())).thenReturn(randomizedMacAddress);
         when(mWifiConfigManager.shouldUseNonPersistentRandomization(any())).thenReturn(true);
         PasspointProvider provider = addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME,
-                TEST_PACKAGE, false, null, false);
+                TEST_PACKAGE, false, null);
         WifiConfiguration configuration = provider.getWifiConfig();
         when(mWifiConfigManager.getConfiguredNetwork(provider.getConfig().getUniqueId()))
                 .thenReturn(configuration);
@@ -1544,9 +1536,9 @@
     @Test
     public void getMatchingPasspointConfigsForOsuProvidersWithMatch() {
         PasspointProvider provider1 =
-                addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null, true);
+                addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null);
         PasspointProvider provider2 =
-                addTestProvider(TEST_FQDN2, TEST_FRIENDLY_NAME2, TEST_PACKAGE, false, null, true);
+                addTestProvider(TEST_FQDN2, TEST_FRIENDLY_NAME2, TEST_PACKAGE, false, null);
 
         List<OsuProvider> osuProviders = new ArrayList<>();
         Map<String, String> friendlyNames = new HashMap<>();
@@ -1573,8 +1565,8 @@
      */
     @Test
     public void getMatchingPasspointConfigsForOsuProvidersWitNoMatch() {
-        addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null, false);
-        addTestProvider(TEST_FQDN2, TEST_FRIENDLY_NAME2, TEST_PACKAGE, false, null, false);
+        addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null);
+        addTestProvider(TEST_FQDN2, TEST_FRIENDLY_NAME2, TEST_PACKAGE, false, null);
 
         List<OsuProvider> osuProviders = new ArrayList<>();
 
@@ -1875,7 +1867,7 @@
     @Test
     public void providerNetworkConnectedFirstTime() throws Exception {
         PasspointProvider provider =
-                addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null, false);
+                addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null);
         when(provider.getHasEverConnected()).thenReturn(false);
         mManager.onPasspointNetworkConnected(provider.getConfig().getUniqueId());
         verify(provider).setHasEverConnected(eq(true));
@@ -1891,7 +1883,7 @@
     @Test
     public void providerNetworkConnectedNotFirstTime() throws Exception {
         PasspointProvider provider =
-                addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null, false);
+                addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null);
         when(provider.getHasEverConnected()).thenReturn(true);
         mManager.onPasspointNetworkConnected(TEST_FQDN);
         verify(provider, never()).setHasEverConnected(anyBoolean());
@@ -1906,7 +1898,7 @@
     @Test
     public void updateMetrics() {
         PasspointProvider provider =
-                addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null, false);
+                addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null);
         ArgumentCaptor<Map<String, PasspointProvider>> argCaptor = ArgumentCaptor.forClass(
                 Map.class);
         // Provider have not provided a successful network connection.
@@ -1953,7 +1945,7 @@
         WifiConfiguration currentConfiguration = WifiConfigurationTestUtil.createPasspointNetwork();
         currentConfiguration.FQDN = TEST_FQDN;
         PasspointProvider passpointProvider =
-                addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null, false);
+                addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null);
         currentConfiguration.setPasspointUniqueId(passpointProvider.getConfig().getUniqueId());
         verify(mAppOpsManager).startWatchingMode(eq(OPSTR_CHANGE_WIFI_STATE), eq(TEST_PACKAGE),
                 mAppOpChangedListenerCaptor.capture());
@@ -2315,17 +2307,17 @@
                         InformationElementUtil.class).startMocking();
         try {
             PasspointProvider providerHome = addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME,
-                    TEST_PACKAGE, false, null, false);
+                    TEST_PACKAGE, false, null);
             providerHome.getConfig().setSubscriptionExpirationTimeInMillis(
                     System.currentTimeMillis() + 100000);
             providerHome.getWifiConfig().isHomeProviderNetwork = true;
             PasspointProvider providerRoaming = addTestProvider(TEST_FQDN2, TEST_FRIENDLY_NAME,
-                    TEST_PACKAGE, false, null, false);
+                    TEST_PACKAGE, false, null);
             WifiConfiguration wifiConfiguration = WifiConfigurationTestUtil.generateWifiConfig(-1,
                     TEST_UID, "\"PasspointTestSSID\"", true, true,
                     TEST_FQDN + 2, TEST_FRIENDLY_NAME, SECURITY_EAP);
             PasspointProvider providerNone = addTestProvider(TEST_FQDN + 2, TEST_FRIENDLY_NAME,
-                    TEST_PACKAGE, wifiConfiguration, false, null, false);
+                    TEST_PACKAGE, wifiConfiguration, false, null);
             ANQPData entry = new ANQPData(mClock, null);
             InformationElementUtil.Vsa vsa = new InformationElementUtil.Vsa();
             vsa.anqpDomainID = TEST_ANQP_DOMAIN_ID;
@@ -2365,17 +2357,17 @@
                         InformationElementUtil.class).startMocking();
         try {
             PasspointProvider providerHome = addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME,
-                    TEST_PACKAGE, false, null, false);
+                    TEST_PACKAGE, false, null);
             providerHome.getConfig().setSubscriptionExpirationTimeInMillis(
                     System.currentTimeMillis() - 10000);
             providerHome.getWifiConfig().isHomeProviderNetwork = true;
             PasspointProvider providerRoaming = addTestProvider(TEST_FQDN2, TEST_FRIENDLY_NAME,
-                    TEST_PACKAGE, false, null, false);
+                    TEST_PACKAGE, false, null);
             WifiConfiguration wifiConfiguration = WifiConfigurationTestUtil.generateWifiConfig(-1,
                     TEST_UID, "\"PasspointTestSSID\"", true, true,
                     TEST_FQDN + 2, TEST_FRIENDLY_NAME, SECURITY_EAP);
             PasspointProvider providerNone = addTestProvider(TEST_FQDN + 2, TEST_FRIENDLY_NAME,
-                    TEST_PACKAGE, wifiConfiguration, false, null, false);
+                    TEST_PACKAGE, wifiConfiguration, false, null);
             ANQPData entry = new ANQPData(mClock, null);
             InformationElementUtil.Vsa vsa = new InformationElementUtil.Vsa();
             vsa.anqpDomainID = TEST_ANQP_DOMAIN_ID;
@@ -2415,19 +2407,19 @@
                         InformationElementUtil.class).startMocking();
         try {
             PasspointProvider providerHome = addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME,
-                    TEST_PACKAGE, false, null, false);
+                    TEST_PACKAGE, false, null);
             providerHome.getConfig().setSubscriptionExpirationTimeInMillis(
                     System.currentTimeMillis() - 10000);
             providerHome.getWifiConfig().isHomeProviderNetwork = true;
             PasspointProvider providerRoaming = addTestProvider(TEST_FQDN2, TEST_FRIENDLY_NAME,
-                    TEST_PACKAGE, false, null, false);
+                    TEST_PACKAGE, false, null);
             providerRoaming.getConfig().setSubscriptionExpirationTimeInMillis(
                     System.currentTimeMillis() + 100000);
             WifiConfiguration wifiConfiguration = WifiConfigurationTestUtil.generateWifiConfig(-1,
                     TEST_UID, "\"PasspointTestSSID\"", true, true,
                     TEST_FQDN + 2, TEST_FRIENDLY_NAME, SECURITY_EAP);
             PasspointProvider providerNone = addTestProvider(TEST_FQDN + 2, TEST_FRIENDLY_NAME,
-                    TEST_PACKAGE, wifiConfiguration, false, null, false);
+                    TEST_PACKAGE, wifiConfiguration, false, null);
             ANQPData entry = new ANQPData(mClock, null);
             InformationElementUtil.Vsa vsa = new InformationElementUtil.Vsa();
             vsa.anqpDomainID = TEST_ANQP_DOMAIN_ID;
@@ -2578,11 +2570,11 @@
     @Test
     public void removeAllProvidersWithSameFqdn() {
         PasspointProvider provider1 = addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME,
-                TEST_PACKAGE, false, TEST_REALM, false);
+                TEST_PACKAGE, false, TEST_REALM);
         PasspointProvider provider2 = addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME,
-                TEST_PACKAGE, false, TEST_REALM2, false);
+                TEST_PACKAGE, false, TEST_REALM2);
         PasspointProvider provider3 = addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME,
-                TEST_PACKAGE, false, TEST_REALM3, false);
+                TEST_PACKAGE, false, TEST_REALM3);
 
         List<PasspointProvider> providers = mUserDataSource.getProviders();
         assertEquals(3, providers.size());
@@ -2721,7 +2713,7 @@
 
         PasspointProvider provider =
                 addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, wifiConfig, false,
-                        null, false);
+                        null);
         WnmData event = WnmData.createDeauthImminentEvent(Utils.parseMac(TEST_BSSID_STRING), "",
                 true, 30);
 
@@ -2741,7 +2733,7 @@
 
         PasspointProvider provider =
                 addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, wifiConfig, false,
-                        null, false);
+                        null);
 
         wifiConfig.enterpriseConfig.setAnonymousIdentity(TEST_ANONYMOUS_IDENTITY);
         mManager.setAnonymousIdentity(wifiConfig);
@@ -2764,7 +2756,7 @@
 
         PasspointProvider provider =
                 addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, wifiConfig, false,
-                        null, false);
+                        null);
 
         WifiConfiguration wifiConfig2 = WifiConfigurationTestUtil.generateWifiConfig(11, TEST_UID,
                 "\"PasspointTestSSID\"", true, true, TEST_FQDN2,
@@ -2772,7 +2764,7 @@
 
         PasspointProvider provider2 =
                 addTestProvider(TEST_FQDN2, TEST_FRIENDLY_NAME, TEST_PACKAGE, wifiConfig2, false,
-                        null, false);
+                        null);
 
         WifiConfigManager.OnNetworkUpdateListener listener = mNetworkListenerCaptor.getValue();
         reset(mWifiConfigManager);
@@ -2976,7 +2968,7 @@
     public void testHandleTermsAndConditionsEvent() throws Exception {
         WifiConfiguration config = WifiConfigurationTestUtil.createPasspointNetwork();
         PasspointProvider passpointProvider = addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME,
-                TEST_PACKAGE, config, false, null, false);
+                TEST_PACKAGE, config, false, null);
         assertEquals(TEST_TERMS_AND_CONDITIONS_URL, mManager.handleTermsAndConditionsEvent(
                 WnmData.createTermsAndConditionsAccetanceRequiredEvent(TEST_BSSID,
                         TEST_TERMS_AND_CONDITIONS_URL), config).toString());
@@ -3017,7 +3009,7 @@
     @Test
     public void testClearAnqpRequestsAndFlushCache() throws Exception {
         PasspointProvider provider = addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME,
-                TEST_PACKAGE, false, TEST_REALM, false);
+                TEST_PACKAGE, false, TEST_REALM);
 
         mManager.clearAnqpRequestsAndFlushCache();
         verify(mAnqpRequestManager).clear();
@@ -3056,7 +3048,7 @@
     @Test
     public void testPasspointEnableDisable() throws Exception {
         PasspointProvider provider =
-                addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null, false);
+                addTestProvider(TEST_FQDN, TEST_FRIENDLY_NAME, TEST_PACKAGE, false, null);
         ANQPData entry = new ANQPData(mClock, null);
 
         when(mAnqpCache.getEntry(TEST_ANQP_KEY)).thenReturn(entry);