From 64e05f96442b15c6e0e5baf3c84eaa814e3f0ea0 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 15 Feb 2014 10:10:56 +0200
Subject: [PATCH] tests: Domain name suffix match against CN

Signed-off-by: Jouni Malinen
---
 tests/hwsim/auth_serv/server-no-dnsname.key | 16 ++++++
 tests/hwsim/auth_serv/server-no-dnsname.pem | 62 +++++++++++++++++++++
 tests/hwsim/test_ap_eap.py | 48 ++++++++++++++--
 3 files changed, 122 insertions(+), 4 deletions(-)
 create mode 100644 tests/hwsim/auth_serv/server-no-dnsname.key
 create mode 100644 tests/hwsim/auth_serv/server-no-dnsname.pem

diff --git a/tests/hwsim/auth_serv/server-no-dnsname.key b/tests/hwsim/auth_serv/server-no-dnsname.key
new file mode 100644
index 000000000..fd0ad39b1
--- /dev/null
+++ b/tests/hwsim/auth_serv/server-no-dnsname.key
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANv8D6FIh2iGxJ56
++Bgod22jWA/bvmvUQ0PEuhc3m6j/lqJzFBMcrhkPgVQ1EGSU42RlvpsLFtKekph3
+h+KamfwdVwyKDUwhL65n12Nh65FbWC+tZ2Zl5IMHymo2peYg9lyZJ9tj5YbYK3wd
+kESBIiF3CgMFw+tjYbNMMsCHhzpHAgMBAAECgYEAu0p2MDWk+4xKGDfPxBmn3JOG
+ZTIMhJeakTcLzLqOb6rzn+lkPQVdAH8f+AaZp1jP5OlvB2fAjZ9uZhrWeUpxMA3a
+TTEJqvttF1R+PjQ7hxWByPf+cFtPfJnXmJg8DuCBpc4TbPd0MMqtu37K9m41iO7K
+H5Lj6J+wp4lhv1Y4oaECQQDv0bvCgrGpSMLHigsdVcsFyjZr25+9y1J2Gnm1Hm/Z
+dbUtS9cOihYh8qh3YyGAKS5psCVzdeMXGKDN05pOhEGxAkEA6tO8Bhh+YA/oG+pl
+Ps9W9XjWwBCByVI+Hub6/Y9NcWckmBP+41DN1Oi7cKsSyMJ74WD5r+QYqS258tC6
+YDsBdwJBAJ8OEWN+XuqRsW26Joj8P7zFUrbSYO32Dej6wkHXwAMQSGuUYzvnZap6
+UDVub+eaaIf8JbqgM088LFqWvz7YBOECQHBlN7GTN6my812pKxyNEQoc9GypefVq
+L+GKnMeQN3j37UP9DhqvKlWlr1GWED+XFsQhLmFJw6P2BvJ5hTtaArECQHBSy14H
+6K7lnk1UNaz4By9MOJPbHkKUl1FCrwtQ1UhJsur1pUCbud2thz4YXQh3NyJ3X0m0
+G3R+tt7p2kJzdlU=
+-----END PRIVATE KEY-----
diff --git a/tests/hwsim/auth_serv/server-no-dnsname.pem b/tests/hwsim/auth_serv/server-no-dnsname.pem
new file mode 100644
index 000000000..1c745c5cf
--- /dev/null
+++ b/tests/hwsim/auth_serv/server-no-dnsname.pem
@@ -0,0 +1,62 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 15624081837803162825 (0xd8d3e3a6cbe3ccc9)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=FI, O=w1.fi, CN=Root CA
+ Validity
+ Not Before: Feb 15 07:59:30 2014 GMT
+ Not After : Feb 15 07:59:30 2015 GMT
+ Subject: C=FI, O=w1.fi, CN=server3.w1.fi
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (1024 bit)
+ Modulus:
+ 00:db:fc:0f:a1:48:87:68:86:c4:9e:7a:f8:18:28:
+ 77:6d:a3:58:0f:db:be:6b:d4:43:43:c4:ba:17:37:
+ 9b:a8:ff:96:a2:73:14:13:1c:ae:19:0f:81:54:35:
+ 10:64:94:e3:64:65:be:9b:0b:16:d2:9e:92:98:77:
+ 87:e2:9a:99:fc:1d:57:0c:8a:0d:4c:21:2f:ae:67:
+ d7:63:61:eb:91:5b:58:2f:ad:67:66:65:e4:83:07:
+ ca:6a:36:a5:e6:20:f6:5c:99:27:db:63:e5:86:d8:
+ 2b:7c:1d:90:44:81:22:21:77:0a:03:05:c3:eb:63:
+ 61:b3:4c:32:c0:87:87:3a:47
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ 8E:9A:4F:4D:46:AD:59:AC:7F:4C:9C:BE:6D:5B:D7:99:63:8D:C7:70
+ X509v3 Authority Key Identifier:
+ keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
+
+ Authority Information Access:
+ OCSP - URI:http://server.w1.fi:8888/
+
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication
+ Signature Algorithm: sha1WithRSAEncryption
+ 64:1e:41:7e:12:b1:d2:2d:fb:da:11:29:77:a4:99:13:6a:ff:
+ 57:66:4f:30:fe:64:0e:b2:a1:5a:1a:55:37:4e:e1:1d:87:94:
+ b4:5d:9a:2e:2b:01:97:c6:22:b8:74:4b:58:22:83:db:c6:3e:
+ 77:b7:73:5b:3b:83:a0:23:a3:c6:1f:33:6c:cf:b5:d6:36:89:
+ fc:ad:92:49:fd:ee:fb:8e:69:6c:84:18:0d:cc:39:01:21:35:
+ f6:46:77:8c:61:f7:18:1c:f6:da:0e:4d:90:69:ca:bd:e6:8d:
+ 9b:e8:e6:b6:93:56:24:2d:da:59:0b:cd:cb:68:96:53:a3:16:
+ 1f:ae
+-----BEGIN CERTIFICATE-----
+MIICfTCCAeagAwIBAgIJANjT46bL48zJMA0GCSqGSIb3DQEBBQUAMC8xCzAJBgNV
+BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNDAy
+MTUwNzU5MzBaFw0xNTAyMTUwNzU5MzBaMDUxCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
+DAV3MS5maTEWMBQGA1UEAwwNc2VydmVyMy53MS5maTCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEA2/wPoUiHaIbEnnr4GCh3baNYD9u+a9RDQ8S6FzebqP+WonMU
+ExyuGQ+BVDUQZJTjZGW+mwsW0p6SmHeH4pqZ/B1XDIoNTCEvrmfXY2HrkVtYL61n
+ZmXkgwfKajal5iD2XJkn22PlhtgrfB2QRIEiIXcKAwXD62Nhs0wywIeHOkcCAwEA
+AaOBmjCBlzAJBgNVHRMEAjAAMB0GA1UdDgQWBBSOmk9NRq1ZrH9MnL5tW9eZY43H
+cDAfBgNVHSMEGDAWgBS4kt79ihizMMOfVfMzXbTIKYpBFDA1BggrBgEFBQcBAQQp
+MCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly9zZXJ2ZXIudzEuZmk6ODg4OC8wEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADgYEAZB5BfhKx0i372hEpd6SZ
+E2r/V2ZPMP5kDrKhWhpVN07hHYeUtF2aLisBl8YiuHRLWCKD28Y+d7dzWzuDoCOj
+xh8zbM+11jaJ/K2SSf3u+45pbIQYDcw5ASE19kZ3jGH3GBz22g5NkGnKveaNm+jm
+tpNWJC3aWQvNy2iWU6MWH64=
+-----END CERTIFICATE-----
diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index 5afbd35a4..5131753a6 100644
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@@ -848,15 +848,19 @@ def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
 private_key="auth_serv/user.pkcs12",
 private_key_passwd="whatever", ocsp=2)
 
-def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
- """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
+def int_eap_server_params():
 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
 "rsn_pairwise": "CCMP", "ieee8021x": "1",
 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
 "ca_cert": "auth_serv/ca.pem",
 "server_cert": "auth_serv/server.pem",
- "private_key": "auth_serv/server.key",
- "ocsp_stapling_response": "auth_serv/ocsp-server-cache.der-invalid" }
+ "private_key": "auth_serv/server.key" }
+ return params
+
+def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
+ """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
+ params = int_eap_server_params()
+ params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
 hostapd.add_ap(apdev[0]['ifname'], params)
 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
 identity="tls user", ca_cert="auth_serv/ca.pem",
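Review bot: The new int_eap_server_params() at the top of the hunk has no docstring even though it is now the shared AP setup that test_ap_wpa2_eap_tls_ocsp_invalid and any later test build on; since it constructs a new dict on every call, the fact that callers may mutate the result (as the OCSP test does with params["ocsp_stapling_response"]) is worth stating, e.g. `"""Return a fresh hostapd parameter dict for a WPA2-EAP AP using the integrated EAP server and the default auth_serv/server.pem certificate; callers may modify the returned dict."""`. The name's `int_` prefix presumably abbreviates the integrated EAP server (`"eap_server": "1"`), which the docstring would also make explicit. As a point of style, the `params = { ... }` / `return params` pair can simply be `return { ... }`. The body of test_ap_wpa2_eap_tls_ocsp_invalid continues past the end of the hunk.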
@@ -877,3 +881,39 @@ def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
 if ev is None:
 raise Exception("Timeout on EAP failure report")
+
+def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
+ """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
+ params = int_eap_server_params()
+ params["server_cert"] = "auth_serv/server-no-dnsname.pem"
+ params["private_key"] = "auth_serv/server-no-dnsname.key"
+ hostapd.add_ap(apdev[0]['ifname'], params)
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+ identity="tls user", ca_cert="auth_serv/ca.pem",
+ private_key="auth_serv/user.pkcs12",
+ private_key_passwd="whatever",
+ domain_suffix_match="server3.w1.fi",
+ scan_freq="2412")
+ dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+ identity="tls user", ca_cert="auth_serv/ca.pem",
+ private_key="auth_serv/user.pkcs12",
+ private_key_passwd="whatever",
+ domain_suffix_match="w1.fi",
+ scan_freq="2412")
+
+def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
+ """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
+ params = int_eap_server_params()
+ params["server_cert"] = "auth_serv/server-no-dnsname.pem"
+ params["private_key"] = "auth_serv/server-no-dnsname.key"
+ hostapd.add_ap(apdev[0]['ifname'], params)
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
+ identity="tls user", ca_cert="auth_serv/ca.pem",
+ private_key="auth_serv/user.pkcs12",
+ private_key_passwd="whatever",
+ domain_suffix_match="example.com",
+ wait_connect=False,
+ scan_freq="2412")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
+ if ev is None:
+ raise Exception("Timeout on EAP failure report")
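Review bot: The mismatch test at the end of the hunk only checks that some CTRL-EVENT-EAP-FAILURE arrives, so it cannot distinguish a domain suffix mismatch from any other TLS failure — and the fixture added in this same patch (server-no-dnsname.pem) carries `Not After : Feb 15 07:59:30 2015 GMT`, after which the positive test test_ap_wpa2_eap_tls_domain_suffix_match_cn will start failing while the mismatch test keeps passing for the wrong reason. It would be stronger to first wait for the certificate-error report, if the supplicant build emits it, e.g. `ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR", "CTRL-EVENT-EAP-FAILURE"])` and raise unless the cert-error event was the one seen, or at least state in the docstring that the expected failure is the suffix check against the CN because the certificate deliberately carries no dNSName subjectAltName. The two new tests also repeat the same three server_cert/private_key/add_ap lines; a small helper or a keyword argument on int_eap_server_params would keep them from drifting apart.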