
tests: Valid OCSP response with revoked and unknown cert status

This increases testing coverage for OCSP processing by confirming that a
valid OCSP response showing revoked certificate status prevents
successful handshake completion. In addition, unknown certificate status
is verified to prevent the connection if OCSP is required and to allow
the connection if OCSP is optional.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 10 years ago
parent
commit
37b4a66ce6

+ 8 - 0
tests/hwsim/auth_serv/index-revoked.txt

@@ -0,0 +1,8 @@
+V	230627164122Z		D8D3E3A6CBE3CCC1	unknown	/C=FI/O=w1.fi/CN=Root CA
+V	150215075930Z		D8D3E3A6CBE3CCC9	unknown	/C=FI/O=w1.fi/CN=server3.w1.fi
+V	140102000000Z		D8D3E3A6CBE3CCCA	unknown	/C=FI/O=w1.fi/CN=server4.w1.fi
+V	150215083008Z		D8D3E3A6CBE3CCCB	unknown	/C=FI/O=w1.fi/CN=server5.w1.fi
+V	150228224144Z		D8D3E3A6CBE3CCCC	unknown	/C=FI/O=w1.fi/CN=server6.w1.fi
+V	160111185024Z		D8D3E3A6CBE3CCCD	unknown	/C=FI/O=w1.fi/CN=ocsp.w1.fi
+R	150929211122Z	160111185024Z	D8D3E3A6CBE3CCD0	unknown	/C=FI/O=w1.fi/CN=server.w1.fi
+R	150929211300Z	160111185024Z	D8D3E3A6CBE3CCD1	unknown	/C=FI/O=w1.fi/CN=Test User

+ 1 - 0
tests/hwsim/auth_serv/index-unknown.txt

@@ -0,0 +1 @@
+V	230627164122Z		D8D3E3A6CBE3CCC1	unknown	/C=FI/O=w1.fi/CN=Root CA

+ 12 - 0
tests/hwsim/start.sh

@@ -134,6 +134,18 @@ openssl ocsp -index $DIR/auth_serv/index.txt \
 if [ ! -r $LOGDIR/ocsp-server-cache.der ]; then
     cp $DIR/auth_serv/ocsp-server-cache.der $LOGDIR/ocsp-server-cache.der
 fi
+
+for i in unknown revoked; do
+    openssl ocsp -index $DIR/auth_serv/index-$i.txt \
+	-rsigner $DIR/auth_serv/ocsp-responder.pem \
+	-rkey $DIR/auth_serv/ocsp-responder.key \
+	-CA $DIR/auth_serv/ca.pem \
+	-issuer $DIR/auth_serv/ca.pem \
+	-verify_other $DIR/auth_serv/ca.pem -trust_other \
+	-ndays 7 \
+	-reqin $DIR/auth_serv/ocsp-req.der \
+	-respout $LOGDIR/ocsp-server-cache-$i.der >> $LOGDIR/ocsp.log 2>&1
+done
 touch $LOGDIR/hostapd.db
 sudo $HAPD_AS -ddKt $LOGDIR/as.conf $LOGDIR/as2.conf > $LOGDIR/auth_serv &
 
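Review bot: The loop never checks the exit status of `openssl ocsp`, so a responder-key, index or request problem leaves `$LOGDIR/ocsp-server-cache-$i.der` absent and the new tests in test_ap_eap.py report HwsimSkip instead of failing, silently dropping the revoked/unknown coverage. Appending `|| echo "OCSP response generation failed for index-$i" >> $LOGDIR/ocsp.log` (or `|| exit 1` if start.sh should abort) to the command would make that visible in the log where someone will look. A short comment above the loop would also help, e.g. `# Responses for the revoked/unknown index files are regenerated on every start (not cached like ocsp-server-cache.der above) and are valid for 7 days (-ndays 7).`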

+ 71 - 0
tests/hwsim/test_ap_eap.py

@@ -1980,6 +1980,77 @@ def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
     if ev is None:
         raise Exception("Timeout on EAP failure report")
 
+def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
+    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
+    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
+    if not os.path.exists(ocsp):
+        raise HwsimSkip("No OCSP response available")
+    params = int_eap_server_params()
+    params["ocsp_stapling_response"] = ocsp
+    hostapd.add_ap(apdev[0]['ifname'], params)
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+                   identity="pap user", ca_cert="auth_serv/ca.pem",
+                   anonymous_identity="ttls", password="password",
+                   phase2="auth=PAP", ocsp=2,
+                   wait_connect=False, scan_freq="2412")
+    count = 0
+    while True:
+        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
+        if ev is None:
+            raise Exception("Timeout on EAP status")
+        if 'bad certificate status response' in ev:
+            break
+        if 'certificate revoked' in ev:
+            break
+        count = count + 1
+        if count > 10:
+            raise Exception("Unexpected number of EAP status messages")
+
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
+    if ev is None:
+        raise Exception("Timeout on EAP failure report")
+
+def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
+    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
+    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
+    if not os.path.exists(ocsp):
+        raise HwsimSkip("No OCSP response available")
+    params = int_eap_server_params()
+    params["ocsp_stapling_response"] = ocsp
+    hostapd.add_ap(apdev[0]['ifname'], params)
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+                   identity="pap user", ca_cert="auth_serv/ca.pem",
+                   anonymous_identity="ttls", password="password",
+                   phase2="auth=PAP", ocsp=2,
+                   wait_connect=False, scan_freq="2412")
+    count = 0
+    while True:
+        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
+        if ev is None:
+            raise Exception("Timeout on EAP status")
+        if 'bad certificate status response' in ev:
+            break
+        count = count + 1
+        if count > 10:
+            raise Exception("Unexpected number of EAP status messages")
+
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
+    if ev is None:
+        raise Exception("Timeout on EAP failure report")
+
+def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
+    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
+    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
+    if not os.path.exists(ocsp):
+        raise HwsimSkip("No OCSP response available")
+    params = int_eap_server_params()
+    params["ocsp_stapling_response"] = ocsp
+    hostapd.add_ap(apdev[0]['ifname'], params)
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+                   identity="pap user", ca_cert="auth_serv/ca.pem",
+                   anonymous_identity="ttls", password="password",
+                   phase2="auth=PAP", ocsp=1, scan_freq="2412")
+
 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
     """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
     params = int_eap_server_params()
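Review bot: test_ap_wpa2_eap_ttls_ocsp_revoked treats `'bad certificate status response'` as a passing outcome alongside `'certificate revoked'`, so it would also pass if the stapled response were merely unparsable or failed signature/validity checks (e.g. a stale response, since they are generated with -ndays 7), which does not pin the property the commit describes — that a valid response with revoked status is rejected. If the looser string is needed because some TLS backends report the revoked case only generically, a comment saying so would help a future reader; otherwise the loop should break only on `'certificate revoked'`. Separately, the docstrings of test_ap_wpa2_eap_ttls_ocsp_unknown and test_ap_wpa2_eap_ttls_optional_ocsp_unknown are copy-pasted and still say "OCSP status revoked"; they should read `"""WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""` and `"""WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""`. The first lines of the hunk belong to test_ap_wpa2_eap_tls_ocsp_invalid, which starts outside it.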