From 2d10eb0efddba94871e0ee330eea5774fef8f980 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Wed, 8 Jan 2014 17:18:22 +0200
Subject: [PATCH] tests: PKCS#12 use for EAP-TLS

Signed-hostap: Jouni Malinen <j@w1.fi>
---
 tests/hwsim/auth_serv/user.pkcs12 | Bin 0 -> 1702 bytes
 tests/hwsim/test_ap_eap.py        |  28 ++++++++++++++++++++++++++--
 tests/hwsim/wpasupplicant.py      |   6 +++++-
 3 files changed, 31 insertions(+), 3 deletions(-)
 create mode 100644 tests/hwsim/auth_serv/user.pkcs12

diff --git a/tests/hwsim/auth_serv/user.pkcs12 b/tests/hwsim/auth_serv/user.pkcs12
new file mode 100644
index 0000000000000000000000000000000000000000..552476144e19b9419e0c155ac5fb0d0038b92cb3
GIT binary patch
literal 1702
zcmY+DdpHw}9>;ex%kYM|gt;cyG+~N3CD%0O7KwMActgpKnCt9#MhLBik;v_JNpxPC
zQCWHq8;!=^qTDa@x+O6)*UZuLoO3$okKglqp6}=R{r>uXP-JK&2na@zp<&QNM(Hl;
zn=(L2U^y9j8A68o9>ks~GT7<|f|irP1_#km5D;*%kUt0zr4E()_XlYp6eSCRU3W<u
zseEYb00O}PDP+(pB*Y|ycRr$~m43M{Mcweqt-Po$E{XQ`^GF45)VU#xqFl$E+0$T7
zhu|#3zK+m-U%key4o{&c5b7{&L%v;+Y^?@-%WZ`wj$Wd^(!8795uCb6G~~p1o6Eh-
zW3BBK_O4Z93h`ysaJAV_2?-O7KKN`zRi#s0|B)@pXS~2AB~Otb!WN4Z6Nj&6W#s4w
zW~g3~S0TpNP~zRT*3vHKw+05?{6Nj+E%NiNt1ae_p=(E17{Wn@o9s+&rJFtG!gB``
zpR}*>1<MNe<sO-SS|h;kW<QWC;?iPAj#y^S%iKN3bU!6VA8B_3dE;IGCVVG25w}(_
zd3$Q<lBV;*ACJ+eW0QSU`j5h{>C3n#+)y*A5}$vWw^p}7y-!1eIdTf|?4KKBC@R(}
z0|BFG>SPgx@9D!}tb@86ZSZpx<_krL(Ql&9k!#M`{5G=xfd3t?Gw|_>`PK0Rx2O#k
zzOpQQ_pKwu_x0+>sfQfmo+qJK+vlu-jWY0&y6%-*FIA;U?sNle!EXKuaPfYmpqM?V
zJ{)m)w-bwOw#0kDJCjdOj{&oVAG*p<T(r6V{t+V4v@50ubJ*F(iEAHvd1#ZV96Ci|
z_w>Fpkh#~el1eC>Y;-O(b@`d=oCe6vvi0Tis~jZZ=mL9t;^k+s<3xjEubv(&qhGBD
z`iwy<<s3oo*N;wT^v<g{&#>(0-td>DE?h6xf3>Ij<<mr9qscc>SZ{Lstafvf$VH;Y
znLQLU?0KR!B<S20*2wkvy8HON^%HujCQ>AU@E8~ie)6W3_u%np?B=YYIAhyuJpQ#1
zyzjeu8iNG=L#P8ASSIM37vmnP*ZQrTCD|9wzCF49@+aS?Vx<1x&$2@I>JdPlrNVVp
zt-m-b^D;U_T7<JRGF|&O|4^KtTQT57{&_(UhYz=oYoDP^)vhc@TLl+>Jm-=b<lPy^
zzBdx8&_wNUedgG^-6yC5ifz@?jGOfi69#iU!tH8~I~)ii|388pr~`(OLHj5&X!l??
zq459cA_WAMlR-5HVdei>1paQ(^HSRW8L8O9?-m`Lryv_NYlFDTA-sC;3@cM)+gyN}
zvXFWmt)WZz3YH!|G8st6Yf2kuOL$<3Y>%r0_U96rNF}>Hv0A#_SFioJ0ka~{fw1Y~
zyQX<IW8FB5_-OZeoRxHi`~J5!4C%8|ps0TsZS{#kvfIT8@7#*VUTfyK2MB$k_inFJ
z-z^v~cy+pGy~3d2hM94N+aFa~<+Q5c^(*pP=>iVVl~<NOcQPvVP#^b2-?8P)ik+cT
z^458XE@_0qqPg{>o1!gd93`U6wLCg)Nq;}NVgiC|^KAa|*OZ=_4HPU)&HSc#QKx!>
zojIns9{Yf`J(%Op$7pR$ey;sy{$-WxP=V#S$<%&Hba1@yL}30DS$)2v>BbGTAd^a!
zvV5N#ASusi2}s%j%eQGO`RM*G+r$C@^)9THDk%~zXgSr0&<cQGOHk(9hVAFGjVJv+
z9GeuhLkH6h@SvuC4K*g69xL4}OTGq3%)wdI^Y4uQ(<pV>wl~Oz&W^iiSn}?ufp_@f
znv}eq9ZRjTGlLjoR-ra_{F0<Fs$k1xU~yDM&TFGIEWGj_&M>#D_1UF-$f`;EpRDeR
zR05B*_2N`LtxL16n=dD-9|6psoRihpS5ELcer6#?YjwUv;E4LwML~p$7*1?1@tBAr
z`m1uW>ms7s)B=~LBsqj8?UW#CPnUWvDdP`{!71SOZdteTs)ZI4SaRe<FT|8(kAQbe
zk}$vBe=l26Vhw9)QPJq18#)G$8P$8DTk03&Pg@t`boec3Cm;N*-ld*}A|LDvEVffV
zd5qBh+QJM=8daTv|1zGH)VQ(PRMU`KPr<z*=r;wui)ZMj_9SI`Yg(Jxp_KpI>O%-K
zDGeBa0Eh<s0=SLR{Q(rslpu&(Zcoe1yL)sN*iUeniQwrD;q(~F45f`a1eGwB1%p&2
m01!kUr>d0WLv#^fdZ2ZTYWOVb1_%Np3jCSek@21Hwf`3!10R+E

literal 0
HcmV?d00001

diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index 3559f3b79..0c29a9379 100644
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@@ -23,7 +23,8 @@ def eap_connect(dev, ap, method, identity, anonymous_identity=None,
                 fragment_size=None, expect_failure=False,
                 local_error_report=False,
                 ca_cert2=None, client_cert2=None, private_key2=None,
-                pac_file=None, subject_match=None, altsubject_match=None):
+                pac_file=None, subject_match=None, altsubject_match=None,
+                private_key_passwd=None):
     hapd = hostapd.Hostapd(ap['ifname'])
     id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                      eap=method, identity=identity,
@@ -37,7 +38,8 @@ def eap_connect(dev, ap, method, identity, anonymous_identity=None,
                      ca_cert2=ca_cert2, client_cert2=client_cert2,
                      private_key2=private_key2, pac_file=pac_file,
                      subject_match=subject_match,
-                     altsubject_match=altsubject_match)
+                     altsubject_match=altsubject_match,
+                     private_key_passwd=private_key_passwd)
     eap_check_auth(dev, method, True, sha256=sha256,
                    expect_failure=expect_failure,
                    local_error_report=local_error_report)
@@ -325,6 +327,28 @@ def test_ap_wpa2_eap_tls(dev, apdev):
                 private_key="auth_serv/user.key")
     eap_reauth(dev[0], "TLS")
 
+def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
+    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
+    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+    hostapd.add_ap(apdev[0]['ifname'], params)
+    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
+                private_key="auth_serv/user.pkcs12",
+                private_key_passwd="whatever")
+    dev[0].request("REMOVE_NETWORK all")
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+                   identity="tls user",
+                   ca_cert="auth_serv/ca.pem",
+                   private_key="auth_serv/user.pkcs12",
+                   wait_connect=False, scan_freq="2412")
+    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
+    if ev is None:
+        raise Exception("Request for private key passphrase timed out")
+    id = ev.split(':')[0].split('-')[-1]
+    dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
+    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
+    if ev is None:
+        raise Exception("Connection timed out")
+
 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
     """WPA2-Enterprise negative test - incorrect trust root"""
     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
diff --git a/tests/hwsim/wpasupplicant.py b/tests/hwsim/wpasupplicant.py
index 366d2d925..6c1bb584a 100644
--- a/tests/hwsim/wpasupplicant.py
+++ b/tests/hwsim/wpasupplicant.py
@@ -572,7 +572,8 @@ class WpaSupplicant:
                 wait_connect=True, only_add_network=False,
                 ca_cert2=None, client_cert2=None, private_key2=None,
                 scan_ssid=None, raw_psk=None, pac_file=None,
-                subject_match=None, altsubject_match=None):
+                subject_match=None, altsubject_match=None,
+                private_key_passwd=None):
         logger.info("Connect STA " + self.ifname + " to AP")
         id = self.add_network()
         if ssid:
@@ -614,6 +615,9 @@ class WpaSupplicant:
             self.set_network_quoted(id, "client_cert", client_cert)
         if private_key:
             self.set_network_quoted(id, "private_key", private_key)
+        if private_key_passwd:
+            self.set_network_quoted(id, "private_key_passwd",
+                                    private_key_passwd)
         if ca_cert2:
             self.set_network_quoted(id, "ca_cert2", ca_cert2)
         if client_cert2: