jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

tests: Suite B 192-bit profile

Browse source 
This adds a Suite B test case for 192-bit level.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-01-25 13:16:06 +02:00
parent 4113a96bba
commit 37551fe374
7 changed files with 259 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
tests/hwsim/auth_serv/ec2-ca.pem Normal file
View file

@ -0,0 +1,15 @@
-----BEGIN CERTIFICATE-----
MIICPTCCAcSgAwIBAgIJAL63h7lu0KZpMAoGCCqGSM49BAMDMFIxCzAJBgNVBAYT
AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE1MDEyNTExMzIwM1oXDTI1MDEy
MjExMzIwM1owUjELMAkGA1UEBhMCRkkxETAPBgNVBAcMCEhlbHNpbmtpMQ4wDAYD
VQQKDAV3MS5maTEgMB4GA1UEAwwXU3VpdGUgQiAxOTItYml0IFJvb3QgQ0EwdjAQ
BgcqhkjOPQIBBgUrgQQAIgNiAAQjdOMC9bqcDR9/SaOhxNbmQLQTGZfhtmoxHkJL
5GG3bwW5hYA2jYHWU84H+mR6om6fg78G+IxjLly2OWiByYUeWDcsYqLGj3UHHaVv
rIitaRPyg3dExemnmK3zjgXnoaajZjBkMB0GA1UdDgQWBBSuBbynInvH0vn8IKZc
MbtBTo9svTAfBgNVHSMEGDAWgBSuBbynInvH0vn8IKZcMbtBTo9svTASBgNVHRMB
Af8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNnADBkAjBZ
vEbGRDQNvzAY3nfYrsrE2Dd11smT6zv0mIvDeQCktbISGpStRBQjAaFjcCyjDEkC
MH7ywcqJe+mpWDt5xFJvB52iZ7rX7rO0OX0qmjI38PC0IOo7euJdfcC1gHdSoAW3
bA==
-----END CERTIFICATE-----

53
tests/hwsim/auth_serv/ec2-generate.sh Executable file
View file

@ -0,0 +1,53 @@
#!/bin/sh
OPENSSL=openssl
CURVE=secp384r1
DIGEST="-sha384"
DIGEST_CA="-md sha384"
echo
echo "---[ Root CA ]----------------------------------------------------------"
echo
cat ec-ca-openssl.cnf |
sed "s/#@CN@/commonName_default = Suite B 192-bit Root CA/" \
> ec-ca-openssl.cnf.tmp
$OPENSSL ecparam -out ec2-ca.key -name $CURVE -genkey
$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -x509 -new -key ec2-ca.key -out ec2-ca.pem -outform PEM -days 3650 $DIGEST
mkdir -p ec-ca/certs ec-ca/crl ec-ca/newcerts ec-ca/private
touch ec-ca/index.txt
rm ec-ca-openssl.cnf.tmp
echo
echo "---[ Server ]-----------------------------------------------------------"
echo
cat ec-ca-openssl.cnf |
sed "s/#@CN@/commonName_default = server.w1.fi/" |
sed "s/#@ALTNAME@/subjectAltName=critical,DNS:server.w1.fi/" \
> ec-ca-openssl.cnf.tmp
$OPENSSL ecparam -out ec2-server.key -name $CURVE -genkey
$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-server.key -out ec2-server.req -outform PEM $DIGEST
$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-server.req -out ec2-server.pem -extensions ext_server $DIGEST_CA
rm ec-ca-openssl.cnf.tmp
echo
echo "---[ User ]-------------------------------------------------------------"
echo
cat ec-ca-openssl.cnf |
sed "s/#@CN@/commonName_default = user/" |
sed "s/#@ALTNAME@/subjectAltName=email:user@w1.fi/" \
> ec-ca-openssl.cnf.tmp
$OPENSSL ecparam -out ec2-user.key -name $CURVE -genkey
$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-user.key -out ec2-user.req -outform PEM -extensions ext_client $DIGEST
$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-user.req -out ec2-user.pem -extensions ext_client $DIGEST_CA
rm ec-ca-openssl.cnf.tmp
echo
echo "---[ Verify ]-----------------------------------------------------------"
echo
$OPENSSL verify -CAfile ec2-ca.pem ec2-server.pem
$OPENSSL verify -CAfile ec2-ca.pem ec2-user.pem

9
tests/hwsim/auth_serv/ec2-server.key Normal file
View file

@ -0,0 +1,9 @@
-----BEGIN EC PARAMETERS-----
BgUrgQQAIg==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDCjaz/zVDXqNO/XprtliomKOC6QjbBFgsF2YwUAtKB5ukL4miVGNyCu
jIlq9eUD1x6gBwYFK4EEACKhZANiAARWq1ut1b6ctOFBkEOjULL3VjJFP15g0gk+
sBTMBogU5WRN7Qod/jfem5k4O7FKYZNAarDFMh2yDMXZvRooiNyL0AH2wk0qzN5u
n02JOt9Q76TVYflE91C5DTxjgLOgxBw=
-----END EC PRIVATE KEY-----

58
tests/hwsim/auth_serv/ec2-server.pem Normal file
View file

@ -0,0 +1,58 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9347590364512421238 (0x81b94fe92ea08576)
Signature Algorithm: ecdsa-with-SHA384
Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B 192-bit Root CA
Validity
Not Before: Jan 25 11:32:03 2015 GMT
Not After : Jan 25 11:32:03 2016 GMT
Subject: C=FI, O=w1.fi, CN=server.w1.fi
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:56:ab:5b:ad:d5:be:9c:b4:e1:41:90:43:a3:50:
b2:f7:56:32:45:3f:5e:60:d2:09:3e:b0:14:cc:06:
88:14:e5:64:4d:ed:0a:1d:fe:37:de:9b:99:38:3b:
b1:4a:61:93:40:6a:b0:c5:32:1d:b2:0c:c5:d9:bd:
1a:28:88:dc:8b:d0:01:f6:c2:4d:2a:cc:de:6e:9f:
4d:89:3a:df:50:ef:a4:d5:61:f9:44:f7:50:b9:0d:
3c:63:80:b3:a0:c4:1c
ASN1 OID: secp384r1
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
19:D7:57:D0:3B:91:84:A4:AF:93:03:32:3C:AB:C4:F9:A7:B0:27:19
X509v3 Authority Key Identifier:
keyid:AE:05:BC:A7:22:7B:C7:D2:F9:FC:20:A6:5C:31:BB:41:4E:8F:6C:BD
X509v3 Subject Alternative Name: critical
DNS:server.w1.fi
X509v3 Extended Key Usage: critical
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
Signature Algorithm: ecdsa-with-SHA384
30:65:02:30:79:68:37:af:eb:46:e8:77:35:13:77:d5:db:eb:
f9:75:40:cd:d4:3d:0a:03:ec:67:a0:22:fe:65:f5:d7:ca:53:
4a:85:f5:14:4b:41:f9:b9:98:a6:85:8b:ac:e0:c8:6c:02:31:
00:83:12:02:be:93:2b:c2:00:74:ec:cb:fc:5a:8c:a6:5e:52:
ee:20:76:3d:73:2b:fb:fe:60:4c:52:f3:bc:1e:4c:e8:f9:ea:
f6:e2:f6:ca:c6:a8:3b:2d:9a:17:eb:4d:0a
-----BEGIN CERTIFICATE-----
MIICTTCCAdOgAwIBAgIJAIG5T+kuoIV2MAoGCCqGSM49BAMDMFIxCzAJBgNVBAYT
AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE1MDEyNTExMzIwM1oXDTE2MDEy
NTExMzIwM1owNDELMAkGA1UEBhMCRkkxDjAMBgNVBAoMBXcxLmZpMRUwEwYDVQQD
DAxzZXJ2ZXIudzEuZmkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARWq1ut1b6ctOFB
kEOjULL3VjJFP15g0gk+sBTMBogU5WRN7Qod/jfem5k4O7FKYZNAarDFMh2yDMXZ
vRooiNyL0AH2wk0qzN5un02JOt9Q76TVYflE91C5DTxjgLOgxByjgZIwgY8wDAYD
VR0TAQH/BAIwADAdBgNVHQ4EFgQUGddX0DuRhKSvkwMyPKvE+aewJxkwHwYDVR0j
BBgwFoAUrgW8pyJ7x9L5/CCmXDG7QU6PbL0wGgYDVR0RAQH/BBAwDoIMc2VydmVy
LncxLmZpMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDAKBggq
hkjOPQQDAwNoADBlAjB5aDev60bodzUTd9Xb6/l1QM3UPQoD7GegIv5l9dfKU0qF
9RRLQfm5mKaFi6zgyGwCMQCDEgK+kyvCAHTsy/xajKZeUu4gdj1zK/v+YExS87we
TOj56vbi9srGqDstmhfrTQo=
-----END CERTIFICATE-----

9
tests/hwsim/auth_serv/ec2-user.key Normal file
View file

@ -0,0 +1,9 @@
-----BEGIN EC PARAMETERS-----
BgUrgQQAIg==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDB7tpaHBuZZG+MVYjRVpZvZvZxxFOu/reH2Ms3DiBH5DHW7dLP7T4Gs
X+yw8bQZwCqgBwYFK4EEACKhZANiAATJYVk5woo/LAFd+znRAoMOClGXtfO2yZlp
3n6jYUsG48W03XOlYd2/aCJVtGp6SwRVxumfYT4TejEj/Ky44vOlmQ9pasNfMYYN
kpHcAWJ8sV7mP7LM9YVksksfhon91+E=
-----END EC PRIVATE KEY-----

57
tests/hwsim/auth_serv/ec2-user.pem Normal file
View file

@ -0,0 +1,57 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9347590364512421239 (0x81b94fe92ea08577)
Signature Algorithm: ecdsa-with-SHA384
Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B 192-bit Root CA
Validity
Not Before: Jan 25 11:32:03 2015 GMT
Not After : Jan 25 11:32:03 2016 GMT
Subject: C=FI, O=w1.fi, CN=user
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:c9:61:59:39:c2:8a:3f:2c:01:5d:fb:39:d1:02:
83:0e:0a:51:97:b5:f3:b6:c9:99:69:de:7e:a3:61:
4b:06:e3:c5:b4:dd:73:a5:61:dd:bf:68:22:55:b4:
6a:7a:4b:04:55:c6:e9:9f:61:3e:13:7a:31:23:fc:
ac:b8:e2:f3:a5:99:0f:69:6a:c3:5f:31:86:0d:92:
91:dc:01:62:7c:b1:5e:e6:3f:b2:cc:f5:85:64:b2:
4b:1f:86:89:fd:d7:e1
ASN1 OID: secp384r1
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
75:EA:7B:CE:8A:99:D2:E7:77:B4:3B:80:68:59:E9:B6:88:B2:FA:F6
X509v3 Authority Key Identifier:
keyid:AE:05:BC:A7:22:7B:C7:D2:F9:FC:20:A6:5C:31:BB:41:4E:8F:6C:BD
X509v3 Subject Alternative Name:
email:user@w1.fi
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
Signature Algorithm: ecdsa-with-SHA384
30:65:02:31:00:c2:b7:35:4e:5e:d1:da:7f:35:a0:ac:54:92:
18:08:0d:9c:86:e9:4e:cf:3a:09:48:23:eb:4d:56:77:e5:d0:
e7:b0:55:b3:0e:91:2d:f8:3e:1c:4e:0d:b7:32:dc:11:1b:02:
30:49:c2:6b:63:39:3c:4b:d9:e9:8d:b9:ce:6e:8e:9f:88:43:
03:e0:5f:7e:75:44:12:66:f8:c6:ae:8e:f1:da:10:02:36:8c:
7b:a2:89:a0:05:3b:c6:39:d6:e1:7a:b7:85
-----BEGIN CERTIFICATE-----
MIICOjCCAcCgAwIBAgIJAIG5T+kuoIV3MAoGCCqGSM49BAMDMFIxCzAJBgNVBAYT
AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE1MDEyNTExMzIwM1oXDTE2MDEy
NTExMzIwM1owLDELMAkGA1UEBhMCRkkxDjAMBgNVBAoMBXcxLmZpMQ0wCwYDVQQD
DAR1c2VyMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEyWFZOcKKPywBXfs50QKDDgpR
l7XztsmZad5+o2FLBuPFtN1zpWHdv2giVbRqeksEVcbpn2E+E3oxI/ysuOLzpZkP
aWrDXzGGDZKR3AFifLFe5j+yzPWFZLJLH4aJ/dfho4GHMIGEMAkGA1UdEwQCMAAw
HQYDVR0OBBYEFHXqe86KmdLnd7Q7gGhZ6baIsvr2MB8GA1UdIwQYMBaAFK4FvKci
e8fS+fwgplwxu0FOj2y9MBUGA1UdEQQOMAyBCnVzZXJAdzEuZmkwEwYDVR0lBAww
CgYIKwYBBQUHAwIwCwYDVR0PBAQDAgWgMAoGCCqGSM49BAMDA2gAMGUCMQDCtzVO
XtHafzWgrFSSGAgNnIbpTs86CUgj601Wd+XQ57BVsw6RLfg+HE4NtzLcERsCMEnC
a2M5PEvZ6Y25zm6On4hDA+BffnVEEmb4xq6O8doQAjaMe6KJoAU7xjnW4Xq3hQ==
-----END CERTIFICATE-----

58
tests/hwsim/test_suite_b.py
View file

@ -68,3 +68,61 @@ def test_suite_b(dev, apdev):
raise Exception("Roaming with the AP timed out")
if "CTRL-EVENT-EAP-STARTED" in ev:
raise Exception("Unexpected EAP exchange")
def test_suite_b_192(dev, apdev):
"""WPA2-PSK/GCMP-256 connection at Suite B 192-bit level"""
if "GCMP-256" not in dev[0].get_capability("pairwise"):
raise HwsimSkip("GCMP-256 not supported")
if "BIP-GMAC-256" not in dev[0].get_capability("group_mgmt"):
raise HwsimSkip("BIP-GMAC-256 not supported")
if "WPA-EAP-SUITE-B-192" not in dev[0].get_capability("key_mgmt"):
raise HwsimSkip("WPA-EAP-SUITE-B-192 not supported")
tls = dev[0].request("GET tls_library")
if not tls.startswith("OpenSSL"):
raise HwsimSkip("TLS library not supported for Suite B: " + tls);
if "build=OpenSSL 1.0.2" not in tls or "run=OpenSSL 1.0.2" not in tls:
raise HwsimSkip("OpenSSL version not supported for Suite B: " + tls)
params = { "ssid": "test-suite-b",
"wpa": "2",
"wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
"rsn_pairwise": "GCMP-256",
"group_mgmt_cipher": "BIP-GMAC-256",
"ieee80211w": "2",
"ieee8021x": "1",
"openssl_ciphers": "SUITEB192",
"eap_server": "1",
"eap_user_file": "auth_serv/eap_user.conf",
"ca_cert": "auth_serv/ec2-ca.pem",
"server_cert": "auth_serv/ec2-server.pem",
"private_key": "auth_serv/ec2-server.key" }
hapd = hostapd.add_ap(apdev[0]['ifname'], params)
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
ieee80211w="2",
openssl_ciphers="SUITEB192",
eap="TLS", identity="tls user",
ca_cert="auth_serv/ec2-ca.pem",
client_cert="auth_serv/ec2-user.pem",
private_key="auth_serv/ec2-user.key",
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
tls_cipher = dev[0].get_status_field("EAP TLS cipher")
if tls_cipher != "ECDHE-ECDSA-AES256-GCM-SHA384":
raise Exception("Unexpected TLS cipher: " + tls_cipher)
bss = dev[0].get_bss(apdev[0]['bssid'])
if 'flags' not in bss:
raise Exception("Could not get BSS flags from BSS table")
if "[WPA2-EAP-SUITE-B-192-GCMP-256]" not in bss['flags']:
raise Exception("Unexpected BSS flags: " + bss['flags'])
dev[0].request("DISCONNECT")
dev[0].wait_disconnected(timeout=20)
dev[0].dump_monitor()
dev[0].request("RECONNECT")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
"CTRL-EVENT-CONNECTED"], timeout=20)
if ev is None:
raise Exception("Roaming with the AP timed out")
if "CTRL-EVENT-EAP-STARTED" in ev:
raise Exception("Unexpected EAP exchange")