tests: Valid OCSP response with revoked and unknown cert status

This increases testing coverage for OCSP processing by confirming that a
valid OCSP response showing revoked certificate status prevents
successful handshake completion. In addition, unknown certificate status
is verified to prevent connection if OCSP is required and allow
connection if OCSP is optional.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-01-11 23:13:35 +02:00
parent 0eb2ed067f
commit 37b4a66ce6
4 changed files with 92 additions and 0 deletions


@ -0,0 +1,8 @@
V 230627164122Z D8D3E3A6CBE3CCC1 unknown /C=FI/O=w1.fi/CN=Root CA
V 150215075930Z D8D3E3A6CBE3CCC9 unknown /C=FI/O=w1.fi/CN=server3.w1.fi
V 140102000000Z D8D3E3A6CBE3CCCA unknown /C=FI/O=w1.fi/CN=server4.w1.fi
V 150215083008Z D8D3E3A6CBE3CCCB unknown /C=FI/O=w1.fi/CN=server5.w1.fi
V 150228224144Z D8D3E3A6CBE3CCCC unknown /C=FI/O=w1.fi/CN=server6.w1.fi
V 160111185024Z D8D3E3A6CBE3CCCD unknown /C=FI/O=w1.fi/CN=ocsp.w1.fi
R 150929211122Z 160111185024Z D8D3E3A6CBE3CCD0 unknown /C=FI/O=w1.fi/CN=server.w1.fi
R 150929211300Z 160111185024Z D8D3E3A6CBE3CCD1 unknown /C=FI/O=w1.fi/CN=Test User
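Review bot: The revocation timestamp on the two `R` lines, `160111185024Z`, is a year after the commit date (2015-01-11) and is byte-identical to the expiry of the `ocsp.w1.fi` entry directly above, so it looks copied rather than chosen as a real revocation time. As far as I can tell the test still fails the handshake because the client rejects any `revoked` status without comparing revocationTime against the clock, but a fixture asserting a revocation that "has not happened yet" is fragile if a stricter verifier is ever used. A timestamp in the past, e.g. `150111185024Z`, would keep the fixture meaningful; if the value was deliberate, a short comment in the commit message saying so would help the next reader.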


@ -0,0 +1 @@
V 230627164122Z D8D3E3A6CBE3CCC1 unknown /C=FI/O=w1.fi/CN=Root CA


@ -134,6 +134,18 @@ openssl ocsp -index $DIR/auth_serv/index.txt \
if [ ! -r $LOGDIR/ocsp-server-cache.der ]; then if [ ! -r $LOGDIR/ocsp-server-cache.der ]; then
cp $DIR/auth_serv/ocsp-server-cache.der $LOGDIR/ocsp-server-cache.der cp $DIR/auth_serv/ocsp-server-cache.der $LOGDIR/ocsp-server-cache.der
fi fi
for i in unknown revoked; do
openssl ocsp -index $DIR/auth_serv/index-$i.txt \
-rsigner $DIR/auth_serv/ocsp-responder.pem \
-rkey $DIR/auth_serv/ocsp-responder.key \
-CA $DIR/auth_serv/ca.pem \
-issuer $DIR/auth_serv/ca.pem \
-verify_other $DIR/auth_serv/ca.pem -trust_other \
-ndays 7 \
-reqin $DIR/auth_serv/ocsp-req.der \
-respout $LOGDIR/ocsp-server-cache-$i.der >> $LOGDIR/ocsp.log 2>&1
done
touch $LOGDIR/hostapd.db touch $LOGDIR/hostapd.db
sudo $HAPD_AS -ddKt $LOGDIR/as.conf $LOGDIR/as2.conf > $LOGDIR/auth_serv & sudo $HAPD_AS -ddKt $LOGDIR/as.conf $LOGDIR/as2.conf > $LOGDIR/auth_serv &
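Review bot: The exit status of the new `openssl ocsp` loop is ignored, and because the Python tests skip with HwsimSkip when `ocsp-server-cache-$i.der` is missing, a broken responder key, missing `ocsp-req.der` or an old openssl without the needed options turns three security checks into silently skipped tests rather than failures. Unlike the base cache a few lines up, which falls back to a pre-generated `auth_serv/ocsp-server-cache.der`, the revoked/unknown responses have no fallback, so this silent-skip path is easy to hit. Making the failure visible is a one-liner: `openssl ocsp ... >> $LOGDIR/ocsp.log 2>&1 || echo "OCSP $i response generation failed" >&2`; removing any stale `$LOGDIR/ocsp-server-cache-$i.der` before the loop would also prevent a leftover response from an earlier run (signed with `-ndays 7`) masking a regeneration failure. The surrounding script continues outside this hunk.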


@ -1980,6 +1980,77 @@ def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
if ev is None: if ev is None:
raise Exception("Timeout on EAP failure report") raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
"""WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
if not os.path.exists(ocsp):
raise HwsimSkip("No OCSP response available")
params = int_eap_server_params()
params["ocsp_stapling_response"] = ocsp
hostapd.add_ap(apdev[0]['ifname'], params)
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
identity="pap user", ca_cert="auth_serv/ca.pem",
anonymous_identity="ttls", password="password",
phase2="auth=PAP", ocsp=2,
wait_connect=False, scan_freq="2412")
count = 0
while True:
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
if ev is None:
raise Exception("Timeout on EAP status")
if 'bad certificate status response' in ev:
break
if 'certificate revoked' in ev:
break
count = count + 1
if count > 10:
raise Exception("Unexpected number of EAP status messages")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
if ev is None:
raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
"""WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
if not os.path.exists(ocsp):
raise HwsimSkip("No OCSP response available")
params = int_eap_server_params()
params["ocsp_stapling_response"] = ocsp
hostapd.add_ap(apdev[0]['ifname'], params)
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
identity="pap user", ca_cert="auth_serv/ca.pem",
anonymous_identity="ttls", password="password",
phase2="auth=PAP", ocsp=2,
wait_connect=False, scan_freq="2412")
count = 0
while True:
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
if ev is None:
raise Exception("Timeout on EAP status")
if 'bad certificate status response' in ev:
break
count = count + 1
if count > 10:
raise Exception("Unexpected number of EAP status messages")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
if ev is None:
raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
"""WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
if not os.path.exists(ocsp):
raise HwsimSkip("No OCSP response available")
params = int_eap_server_params()
params["ocsp_stapling_response"] = ocsp
hostapd.add_ap(apdev[0]['ifname'], params)
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
identity="pap user", ca_cert="auth_serv/ca.pem",
anonymous_identity="ttls", password="password",
phase2="auth=PAP", ocsp=1, scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev): def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
"""WPA2-Enterprise using EAP-TLS and domain suffix match (CN)""" """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
params = int_eap_server_params() params = int_eap_server_params()
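Review bot: The docstrings of `test_ap_wpa2_eap_ttls_ocsp_unknown` and `test_ap_wpa2_eap_ttls_optional_ocsp_unknown` were copied from the revoked test and still say "OCSP status revoked", which is wrong for both; they should read `"""WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""` and `"""WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""`. The optional-OCSP test only asserts that the connection succeeds, so it would also pass if the server never stapled a response at all; it would be stronger to confirm (e.g. via `wait_connect=False` and an EAP status event before waiting for the connection) that the unknown status was actually received and tolerated, though the exact event text the supplicant emits in that case is not visible here. The same wait-for-status loop is duplicated three times across these tests, so a small helper taking the list of accepted status substrings would cut the copy-paste that produced the docstring error.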