From 6379bd6acf960e303112be28bcc123010358ce1d Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 11 Aug 2019 11:04:13 +0300
Subject: [PATCH] tests: Server checking CRL with check_crl_strict=0

Signed-off-by: Jouni Malinen
---
 tests/hwsim/auth_serv/ca-and-crl-expired.pem | 63 ++++++++++++++++++++
 tests/hwsim/test_ap_eap.py | 23 +++++++
 2 files changed, 86 insertions(+)
 create mode 100644 tests/hwsim/auth_serv/ca-and-crl-expired.pem

diff --git a/tests/hwsim/auth_serv/ca-and-crl-expired.pem b/tests/hwsim/auth_serv/ca-and-crl-expired.pem
new file mode 100644
index 000000000..8c65fbe7e
--- /dev/null
+++ b/tests/hwsim/auth_serv/ca-and-crl-expired.pem
@@ -0,0 +1,63 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 15624081837803162817 (0xd8d3e3a6cbe3ccc1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=FI, O=w1.fi, CN=Root CA + Validity + Not Before: Jun 29 16:41:22 2013 GMT + Not After : Jun 27 16:41:22 2023 GMT + Subject: C=FI, O=w1.fi, CN=Root CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: + 00:be:1e:86:e4:79:03:c1:d1:94:d5:d4:b3:b1:28: + 90:76:fb:b8:a6:cd:6d:1c:d1:48:f4:08:9a:67:ff: + f9:a6:54:b1:19:29:df:29:1b:cd:f1:6f:66:01:e7: + db:79:ce:c0:39:2a:25:13:26:94:0c:2c:7b:5a:2c: + 81:0f:94:ee:51:d0:75:e6:46:db:17:46:a7:15:8b: + 0e:57:0f:b0:54:76:63:12:ca:86:18:bc:1a:c3:16: + c0:70:09:d6:6b:43:39:b8:98:29:46:ac:cb:6a:ad: + 38:88:3b:07:dc:81:cd:3a:f6:1d:f6:2f:ef:1d:d7: + ae:8a:b6:d1:e7:b3:15:02:b9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14 + X509v3 Authority Key Identifier: + keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha1WithRSAEncryption + 1a:cf:77:60:44:43:c4:55:0e:99:e0:89:aa:b9:d3:7b:32:b7: + 5c:9c:7c:ca:fe:8c:d4:94:c6:5e:f3:83:19:5f:29:59:68:a4: + 4f:dc:04:2e:b8:71:c0:6d:3b:ae:01:e4:b9:88:99:cc:ce:82: + be:6a:28:c2:ac:6a:94:c6:87:90:ed:85:3c:10:71:c5:ff:3c: + 70:64:e2:41:62:31:ea:86:7b:11:8c:93:ea:c6:f3:f3:4e:f9: + d4:f2:81:90:d7:f4:fa:a1:91:6e:d4:dd:15:3e:26:3b:ac:1e: + c3:c2:1f:ed:bb:34:bf:cb:b2:67:c6:c6:51:e8:51:22:b4:f3: + 92:e8 +-----BEGIN CERTIFICATE----- +MIICLDCCAZWgAwIBAgIJANjT46bL48zBMA0GCSqGSIb3DQEBBQUAMC8xCzAJBgNV +BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xMzA2 +MjkxNjQxMjJaFw0yMzA2MjcxNjQxMjJaMC8xCzAJBgNVBAYTAkZJMQ4wDAYDVQQK +DAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw +gYkCgYEAvh6G5HkDwdGU1dSzsSiQdvu4ps1tHNFI9AiaZ//5plSxGSnfKRvN8W9m 
+Aefbec7AOSolEyaUDCx7WiyBD5TuUdB15kbbF0anFYsOVw+wVHZjEsqGGLwawxbA +cAnWa0M5uJgpRqzLaq04iDsH3IHNOvYd9i/vHdeuirbR57MVArkCAwEAAaNQME4w +HQYDVR0OBBYEFLiS3v2KGLMww59V8zNdtMgpikEUMB8GA1UdIwQYMBaAFLiS3v2K +GLMww59V8zNdtMgpikEUMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA +Gs93YERDxFUOmeCJqrnTezK3XJx8yv6M1JTGXvODGV8pWWikT9wELrhxwG07rgHk +uYiZzM6CvmoowqxqlMaHkO2FPBBxxf88cGTiQWIx6oZ7EYyT6sbz80751PKBkNf0 ++qGRbtTdFT4mO6wew8If7bs0v8uyZ8bGUehRIrTzkug= +-----END CERTIFICATE----- +-----BEGIN X509 CRL----- +MIIBBjBxAgEBMA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNVBAYTAkZJMQ4wDAYDVQQK +DAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQRcNMTkwODExMDc1ODM0WhcNMTkwODEx +MDg1ODM0WqAOMAwwCgYDVR0UBAMCARIwDQYJKoZIhvcNAQELBQADgYEAOTijPynY +c8ACRpu0+uIRjI6xIXDZqRubRvp/qrQVWtWHJWP2d6CbtaQVhZIfYFJLrLVfKyJv +WyzkLNdLw/l6rbVN5ctb+fByjjV6H99IExeYiGIuoXN++m8CTUqt77cim0TA1WkQ +bEwEY9aIN8zsXqioLvg5OBlWUfxnKmi2sQI= +-----END X509 CRL----- diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py index 4fcb1e1df..f4a4cc4bd 100644 --- a/tests/hwsim/test_ap_eap.py +++ b/tests/hwsim/test_ap_eap.py 
@@ -5535,6 +5535,29 @@ def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
                 private_key="auth_serv/user.key")
     dev[0].request("REMOVE_NETWORK all")
 
+def test_ap_wpa2_eap_tls_check_crl_not_strict(dev, apdev):
+    """EAP-TLS and server checking CRL with check_crl_strict=0"""
+    params = int_eap_server_params()
+    params['check_crl'] = '1'
+    params['ca_cert'] = "auth_serv/ca-and-crl-expired.pem"
+    hapd = hostapd.add_ap(apdev[0], params)
+
+    # check_crl_strict=1 and expired CRL --> reject connection
+    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
+                client_cert="auth_serv/user.pem",
+                private_key="auth_serv/user.key", expect_failure=True)
+    dev[0].request("REMOVE_NETWORK all")
+
+    hapd.disable()
+    hapd.set("check_crl_strict", "0")
+    hapd.enable()
+
+    # check_crl_strict=0 --> accept
+    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
+                client_cert="auth_serv/user.pem",
+                private_key="auth_serv/user.key")
+    dev[0].request("REMOVE_NETWORK all")
+
 def test_ap_wpa2_eap_tls_crl_reload(dev, apdev, params):
     """EAP-TLS and server reloading CRL from ca_cert"""
     ca_cert = os.path.join(params['logdir'],
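Review bot: The rejection phase relies on hostapd's default value of check_crl_strict rather than pinning it, so the comment `# check_crl_strict=1 and expired CRL --> reject connection` documents an assumption the params never set; add `params['check_crl_strict'] = '1'` next to `params['check_crl'] = '1'` so the strict-mode expectation is explicit and survives a change of default. The accept phase only shows that a non-revoked client is admitted once the stale CRL is tolerated; it does not show that entries in an expired CRL are still honoured with check_crl_strict=0, which is the security-relevant half of relaxing strictness, so if the fixture set has a revoked client certificate a third eap_connect with expect_failure=True after the hapd.enable() would cover it. Note also that the new fixture's CA certificate carries a fixed Not After date (Jun 27 2023 in the dump), so the accept phase is wall-clock dependent beyond the deliberately expired CRL and will need regenerating alongside the other auth_serv certificates.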