tests: Complete Suite B 128-bit coverage

Enable BIP-GMAC-128 and enforce Suite B profile for TLS.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-01-24 22:24:10 +02:00
parent f918b95b9d
commit 4113a96bba
8 changed files with 334 additions and 10 deletions

View file

@ -0,0 +1,111 @@
# OpenSSL configuration file for Suite B
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./ec-ca
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
#unique_subject = no
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
x509_extensions = ext_client
name_opt = ca_default
cert_opt = ca_default
copy_extensions = copy
default_days = 365
default_crl_days= 30
default_md = default
preserve = no
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
#emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
#emailAddress = optional
[ req ]
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FI
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
localityName_default = Helsinki
0.organizationName = Organization Name (eg, company)
0.organizationName_default = w1.fi
commonName = Common Name (e.g. server FQDN or YOUR name)
#@CN@
commonName_max = 64
[ req_attributes ]
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
[ crl_ext ]
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ ext_client ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
#@ALTNAME@
extendedKeyUsage = clientAuth
keyUsage = digitalSignature, keyEncipherment
[ ext_server ]
basicConstraints=critical, CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
#@ALTNAME@
extendedKeyUsage = critical, serverAuth
keyUsage = digitalSignature, keyEncipherment

View file

@ -0,0 +1,13 @@
-----BEGIN CERTIFICATE-----
MIICAjCCAaegAwIBAgIJANry4MnEh6ybMAoGCCqGSM49BAMCMFIxCzAJBgNVBAYT
AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
F1N1aXRlIEIgMTI4LWJpdCBSb290IENBMB4XDTE1MDEyNTExMjk1M1oXDTI1MDEy
MjExMjk1M1owUjELMAkGA1UEBhMCRkkxETAPBgNVBAcMCEhlbHNpbmtpMQ4wDAYD
VQQKDAV3MS5maTEgMB4GA1UEAwwXU3VpdGUgQiAxMjgtYml0IFJvb3QgQ0EwWTAT
BgcqhkjOPQIBBggqhkjOPQMBBwNCAASqUNEASvF83W/PA2xqq/2fhIgZeLdSnnLc
0yLcjku5WvpLHGy/pLhRsvghtjWjTsgqBqfeW8tq0ywsUdY0ylsNo2YwZDAdBgNV
HQ4EFgQU/IP6SzTrGV4cfeWF7Mf8IfXodWgwHwYDVR0jBBgwFoAU/IP6SzTrGV4c
feWF7Mf8IfXodWgwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYw
CgYIKoZIzj0EAwIDSQAwRgIhAIfEWvUO4+28moKfVL8RXbKKexTZk82UCRL2yi01
c81AAiEAxBGPZU0vnwxjAaCOhRIH+5X9PDkdLSs25S4ua6BicT8=
-----END CERTIFICATE-----

View file

@ -0,0 +1,53 @@
#!/bin/sh
OPENSSL=openssl
CURVE=prime256v1
DIGEST="-sha256"
DIGEST_CA="-md sha256"
echo
echo "---[ Root CA ]----------------------------------------------------------"
echo
cat ec-ca-openssl.cnf |
sed "s/#@CN@/commonName_default = Suite B 128-bit Root CA/" \
> ec-ca-openssl.cnf.tmp
$OPENSSL ecparam -out ec-ca.key -name $CURVE -genkey
$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -x509 -new -key ec-ca.key -out ec-ca.pem -outform PEM -days 3650 $DIGEST
mkdir -p ec-ca/certs ec-ca/crl ec-ca/newcerts ec-ca/private
touch ec-ca/index.txt
rm ec-ca-openssl.cnf.tmp
echo
echo "---[ Server ]-----------------------------------------------------------"
echo
cat ec-ca-openssl.cnf |
sed "s/#@CN@/commonName_default = server.w1.fi/" |
sed "s/#@ALTNAME@/subjectAltName=critical,DNS:server.w1.fi/" \
> ec-ca-openssl.cnf.tmp
$OPENSSL ecparam -out ec-server.key -name $CURVE -genkey
$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec-server.key -out ec-server.req -outform PEM $DIGEST
$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec-ca.key -cert ec-ca.pem -create_serial -in ec-server.req -out ec-server.pem -extensions ext_server $DIGEST_CA
rm ec-ca-openssl.cnf.tmp
echo
echo "---[ User ]-------------------------------------------------------------"
echo
cat ec-ca-openssl.cnf |
sed "s/#@CN@/commonName_default = user/" |
sed "s/#@ALTNAME@/subjectAltName=email:user@w1.fi/" \
> ec-ca-openssl.cnf.tmp
$OPENSSL ecparam -out ec-user.key -name $CURVE -genkey
$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec-user.key -out ec-user.req -outform PEM -extensions ext_client $DIGEST
$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec-ca.key -cert ec-ca.pem -create_serial -in ec-user.req -out ec-user.pem -extensions ext_client $DIGEST_CA
rm ec-ca-openssl.cnf.tmp
echo
echo "---[ Verify ]-----------------------------------------------------------"
echo
$OPENSSL verify -CAfile ec-ca.pem ec-server.pem
$OPENSSL verify -CAfile ec-ca.pem ec-user.pem

View file

@ -0,0 +1,8 @@
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIN/qNiKLsQDpQWumSiRRF6LM7TP7GTwdS8vG7xP8vKz/oAoGCCqGSM49
AwEHoUQDQgAEvl8WCLIK1vIZbxQZ7yDyKzzgvoxlhl+VwbuQNuzcWTq6QJqdEXbH
gFohTPzAXxlSyHi45Uz6yWrR/uq2OldcmQ==
-----END EC PRIVATE KEY-----

View file

@ -0,0 +1,53 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9573410140069116734 (0x84db95ccdff13b3e)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B 128-bit Root CA
Validity
Not Before: Jan 25 11:29:53 2015 GMT
Not After : Jan 25 11:29:53 2016 GMT
Subject: C=FI, O=w1.fi, CN=server.w1.fi
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:be:5f:16:08:b2:0a:d6:f2:19:6f:14:19:ef:20:
f2:2b:3c:e0:be:8c:65:86:5f:95:c1:bb:90:36:ec:
dc:59:3a:ba:40:9a:9d:11:76:c7:80:5a:21:4c:fc:
c0:5f:19:52:c8:78:b8:e5:4c:fa:c9:6a:d1:fe:ea:
b6:3a:57:5c:99
ASN1 OID: prime256v1
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
6E:21:26:96:72:29:39:BF:8B:EF:EB:65:CD:E0:4E:97:6F:1A:2C:E5
X509v3 Authority Key Identifier:
keyid:FC:83:FA:4B:34:EB:19:5E:1C:7D:E5:85:EC:C7:FC:21:F5:E8:75:68
X509v3 Subject Alternative Name: critical
DNS:server.w1.fi
X509v3 Extended Key Usage: critical
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:47:b1:5e:57:ae:6c:0b:df:78:11:79:5c:b2:60:
fd:0c:9c:37:18:19:fe:c1:b6:ca:f6:4f:62:63:13:ff:ff:64:
02:20:07:1f:3b:1d:c7:d8:fe:ff:26:0b:68:d0:85:bc:01:15:
62:e4:7f:f4:c7:e4:ad:d5:da:40:44:5a:0b:f5:72:9e
-----BEGIN CERTIFICATE-----
MIICDzCCAbagAwIBAgIJAITblczf8Ts+MAoGCCqGSM49BAMCMFIxCzAJBgNVBAYT
AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
F1N1aXRlIEIgMTI4LWJpdCBSb290IENBMB4XDTE1MDEyNTExMjk1M1oXDTE2MDEy
NTExMjk1M1owNDELMAkGA1UEBhMCRkkxDjAMBgNVBAoMBXcxLmZpMRUwEwYDVQQD
DAxzZXJ2ZXIudzEuZmkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS+XxYIsgrW
8hlvFBnvIPIrPOC+jGWGX5XBu5A27NxZOrpAmp0RdseAWiFM/MBfGVLIeLjlTPrJ
atH+6rY6V1yZo4GSMIGPMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFG4hJpZyKTm/
i+/rZc3gTpdvGizlMB8GA1UdIwQYMBaAFPyD+ks06xleHH3lhezH/CH16HVoMBoG
A1UdEQEB/wQQMA6CDHNlcnZlci53MS5maTAWBgNVHSUBAf8EDDAKBggrBgEFBQcD
ATALBgNVHQ8EBAMCBaAwCgYIKoZIzj0EAwIDRwAwRAIgR7FeV65sC994EXlcsmD9
DJw3GBn+wbbK9k9iYxP//2QCIAcfOx3H2P7/Jgto0IW8ARVi5H/0x+St1dpARFoL
9XKe
-----END CERTIFICATE-----

View file

@ -0,0 +1,8 @@
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIL52ZfaYm8GAzhot94BCQriTmQEq2+JPkS+HCwUpLuwaoAoGCCqGSM49
AwEHoUQDQgAEnE2sSN8ZOateUoi3Ao0VewSH+1ceTf+NkiJpoymO6U6q0CSlG2bp
dZyBk+6UIOD9WiCi2tN+QGbvPnPrlLfBOg==
-----END EC PRIVATE KEY-----

View file

@ -0,0 +1,52 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9573410140069116735 (0x84db95ccdff13b3f)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B 128-bit Root CA
Validity
Not Before: Jan 25 11:29:53 2015 GMT
Not After : Jan 25 11:29:53 2016 GMT
Subject: C=FI, O=w1.fi, CN=user
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:9c:4d:ac:48:df:19:39:ab:5e:52:88:b7:02:8d:
15:7b:04:87:fb:57:1e:4d:ff:8d:92:22:69:a3:29:
8e:e9:4e:aa:d0:24:a5:1b:66:e9:75:9c:81:93:ee:
94:20:e0:fd:5a:20:a2:da:d3:7e:40:66:ef:3e:73:
eb:94:b7:c1:3a
ASN1 OID: prime256v1
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
89:28:76:9A:42:DB:B6:F8:36:97:63:8F:7D:0A:EA:0B:FE:66:2B:CD
X509v3 Authority Key Identifier:
keyid:FC:83:FA:4B:34:EB:19:5E:1C:7D:E5:85:EC:C7:FC:21:F5:E8:75:68
X509v3 Subject Alternative Name:
email:user@w1.fi
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
Signature Algorithm: ecdsa-with-SHA256
30:45:02:20:26:84:14:f6:50:ac:ed:da:88:27:6d:18:d5:b3:
2c:c8:59:ea:2a:c3:ae:69:03:79:0d:66:5e:5f:a5:52:27:92:
02:21:00:db:8d:fd:58:e5:22:9b:17:32:57:34:e9:2e:30:da:
1d:77:4c:15:18:9b:7d:e4:5d:bc:64:cd:21:ff:57:df:16
-----BEGIN CERTIFICATE-----
MIIB/TCCAaOgAwIBAgIJAITblczf8Ts/MAoGCCqGSM49BAMCMFIxCzAJBgNVBAYT
AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
F1N1aXRlIEIgMTI4LWJpdCBSb290IENBMB4XDTE1MDEyNTExMjk1M1oXDTE2MDEy
NTExMjk1M1owLDELMAkGA1UEBhMCRkkxDjAMBgNVBAoMBXcxLmZpMQ0wCwYDVQQD
DAR1c2VyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnE2sSN8ZOateUoi3Ao0V
ewSH+1ceTf+NkiJpoymO6U6q0CSlG2bpdZyBk+6UIOD9WiCi2tN+QGbvPnPrlLfB
OqOBhzCBhDAJBgNVHRMEAjAAMB0GA1UdDgQWBBSJKHaaQtu2+DaXY499CuoL/mYr
zTAfBgNVHSMEGDAWgBT8g/pLNOsZXhx95YXsx/wh9eh1aDAVBgNVHREEDjAMgQp1
c2VyQHcxLmZpMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIFoDAKBggq
hkjOPQQDAgNIADBFAiAmhBT2UKzt2ognbRjVsyzIWeoqw65pA3kNZl5fpVInkgIh
ANuN/VjlIpsXMlc06S4w2h13TBUYm33kXbxkzSH/V98W
-----END CERTIFICATE-----

View file

@ -1,5 +1,5 @@
# Suite B tests
# Copyright (c) 2014, Jouni Malinen <j@w1.fi>
# Copyright (c) 2014-2015, Jouni Malinen <j@w1.fi>
#
# This software may be distributed under the terms of the BSD license.
# See README for more details.
@ -12,19 +12,45 @@ import hostapd
from utils import HwsimSkip
def test_suite_b(dev, apdev):
"""WPA2-PSK/GCMP connection"""
"""WPA2-PSK/GCMP connection at Suite B 128-bit level"""
if "GCMP" not in dev[0].get_capability("pairwise"):
raise HwsimSkip("GCMP not supported")
params = hostapd.wpa2_eap_params(ssid="test-suite-b")
params["wpa_key_mgmt"] = "WPA-EAP-SUITE-B"
params['rsn_pairwise'] = "GCMP"
if "BIP-GMAC-128" not in dev[0].get_capability("group_mgmt"):
raise HwsimSkip("BIP-GMAC-128 not supported")
if "WPA-EAP-SUITE-B" not in dev[0].get_capability("key_mgmt"):
raise HwsimSkip("WPA-EAP-SUITE-B not supported")
tls = dev[0].request("GET tls_library")
if not tls.startswith("OpenSSL"):
raise HwsimSkip("TLS library not supported for Suite B: " + tls);
if "build=OpenSSL 1.0.2" not in tls or "run=OpenSSL 1.0.2" not in tls:
raise HwsimSkip("OpenSSL version not supported for Suite B: " + tls)
params = { "ssid": "test-suite-b",
"wpa": "2",
"wpa_key_mgmt": "WPA-EAP-SUITE-B",
"rsn_pairwise": "GCMP",
"group_mgmt_cipher": "BIP-GMAC-128",
"ieee80211w": "2",
"ieee8021x": "1",
"openssl_ciphers": "SUITEB128",
#"dh_file": "auth_serv/dh.conf",
"eap_server": "1",
"eap_user_file": "auth_serv/eap_user.conf",
"ca_cert": "auth_serv/ec-ca.pem",
"server_cert": "auth_serv/ec-server.pem",
"private_key": "auth_serv/ec-server.key" }
hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# TODO: Force Suite B configuration for TLS
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B",
eap="TLS", identity="tls user", ca_cert="auth_serv/ca.pem",
client_cert="auth_serv/user.pem",
private_key="auth_serv/user.key",
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", ieee80211w="2",
openssl_ciphers="SUITEB128",
eap="TLS", identity="tls user",
ca_cert="auth_serv/ec-ca.pem",
client_cert="auth_serv/ec-user.pem",
private_key="auth_serv/ec-user.key",
pairwise="GCMP", group="GCMP", scan_freq="2412")
tls_cipher = dev[0].get_status_field("EAP TLS cipher")
if tls_cipher != "ECDHE-ECDSA-AES128-GCM-SHA256":
raise Exception("Unexpected TLS cipher: " + tls_cipher)
bss = dev[0].get_bss(apdev[0]['bssid'])
if 'flags' not in bss: