jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

tests: Domain name suffix match against CN

Browse source 
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-02-15 10:10:56 +02:00
parent be24917df6
commit 64e05f9644
3 changed files with 122 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
tests/hwsim/auth_serv/server-no-dnsname.key Normal file
View file

@ -0,0 +1,16 @@
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANv8D6FIh2iGxJ56
+Bgod22jWA/bvmvUQ0PEuhc3m6j/lqJzFBMcrhkPgVQ1EGSU42RlvpsLFtKekph3
h+KamfwdVwyKDUwhL65n12Nh65FbWC+tZ2Zl5IMHymo2peYg9lyZJ9tj5YbYK3wd
kESBIiF3CgMFw+tjYbNMMsCHhzpHAgMBAAECgYEAu0p2MDWk+4xKGDfPxBmn3JOG
ZTIMhJeakTcLzLqOb6rzn+lkPQVdAH8f+AaZp1jP5OlvB2fAjZ9uZhrWeUpxMA3a
TTEJqvttF1R+PjQ7hxWByPf+cFtPfJnXmJg8DuCBpc4TbPd0MMqtu37K9m41iO7K
H5Lj6J+wp4lhv1Y4oaECQQDv0bvCgrGpSMLHigsdVcsFyjZr25+9y1J2Gnm1Hm/Z
dbUtS9cOihYh8qh3YyGAKS5psCVzdeMXGKDN05pOhEGxAkEA6tO8Bhh+YA/oG+pl
Ps9W9XjWwBCByVI+Hub6/Y9NcWckmBP+41DN1Oi7cKsSyMJ74WD5r+QYqS258tC6
YDsBdwJBAJ8OEWN+XuqRsW26Joj8P7zFUrbSYO32Dej6wkHXwAMQSGuUYzvnZap6
UDVub+eaaIf8JbqgM088LFqWvz7YBOECQHBlN7GTN6my812pKxyNEQoc9GypefVq
L+GKnMeQN3j37UP9DhqvKlWlr1GWED+XFsQhLmFJw6P2BvJ5hTtaArECQHBSy14H
6K7lnk1UNaz4By9MOJPbHkKUl1FCrwtQ1UhJsur1pUCbud2thz4YXQh3NyJ3X0m0
G3R+tt7p2kJzdlU=
-----END PRIVATE KEY-----

62
tests/hwsim/auth_serv/server-no-dnsname.pem Normal file
View file

@ -0,0 +1,62 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15624081837803162825 (0xd8d3e3a6cbe3ccc9)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FI, O=w1.fi, CN=Root CA
Validity
Not Before: Feb 15 07:59:30 2014 GMT
Not After : Feb 15 07:59:30 2015 GMT
Subject: C=FI, O=w1.fi, CN=server3.w1.fi
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:db:fc:0f:a1:48:87:68:86:c4:9e:7a:f8:18:28:
77:6d:a3:58:0f:db:be:6b:d4:43:43:c4:ba:17:37:
9b:a8:ff:96:a2:73:14:13:1c:ae:19:0f:81:54:35:
10:64:94:e3:64:65:be:9b:0b:16:d2:9e:92:98:77:
87:e2:9a:99:fc:1d:57:0c:8a:0d:4c:21:2f:ae:67:
d7:63:61:eb:91:5b:58:2f:ad:67:66:65:e4:83:07:
ca:6a:36:a5:e6:20:f6:5c:99:27:db:63:e5:86:d8:
2b:7c:1d:90:44:81:22:21:77:0a:03:05:c3:eb:63:
61:b3:4c:32:c0:87:87:3a:47
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
8E:9A:4F:4D:46:AD:59:AC:7F:4C:9C:BE:6D:5B:D7:99:63:8D:C7:70
X509v3 Authority Key Identifier:
keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
Authority Information Access:
OCSP - URI:http://server.w1.fi:8888/
X509v3 Extended Key Usage:
TLS Web Server Authentication
Signature Algorithm: sha1WithRSAEncryption
64:1e:41:7e:12:b1:d2:2d:fb:da:11:29:77:a4:99:13:6a:ff:
57:66:4f:30:fe:64:0e:b2:a1:5a:1a:55:37:4e:e1:1d:87:94:
b4:5d:9a:2e:2b:01:97:c6:22:b8:74:4b:58:22:83:db:c6:3e:
77:b7:73:5b:3b:83:a0:23:a3:c6:1f:33:6c:cf:b5:d6:36:89:
fc:ad:92:49:fd:ee:fb:8e:69:6c:84:18:0d:cc:39:01:21:35:
f6:46:77:8c:61:f7:18:1c:f6:da:0e:4d:90:69:ca:bd:e6:8d:
9b:e8:e6:b6:93:56:24:2d:da:59:0b:cd:cb:68:96:53:a3:16:
1f:ae
-----BEGIN CERTIFICATE-----
MIICfTCCAeagAwIBAgIJANjT46bL48zJMA0GCSqGSIb3DQEBBQUAMC8xCzAJBgNV
BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNDAy
MTUwNzU5MzBaFw0xNTAyMTUwNzU5MzBaMDUxCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
DAV3MS5maTEWMBQGA1UEAwwNc2VydmVyMy53MS5maTCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEA2/wPoUiHaIbEnnr4GCh3baNYD9u+a9RDQ8S6FzebqP+WonMU
ExyuGQ+BVDUQZJTjZGW+mwsW0p6SmHeH4pqZ/B1XDIoNTCEvrmfXY2HrkVtYL61n
ZmXkgwfKajal5iD2XJkn22PlhtgrfB2QRIEiIXcKAwXD62Nhs0wywIeHOkcCAwEA
AaOBmjCBlzAJBgNVHRMEAjAAMB0GA1UdDgQWBBSOmk9NRq1ZrH9MnL5tW9eZY43H
cDAfBgNVHSMEGDAWgBS4kt79ihizMMOfVfMzXbTIKYpBFDA1BggrBgEFBQcBAQQp
MCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly9zZXJ2ZXIudzEuZmk6ODg4OC8wEwYDVR0l
BAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADgYEAZB5BfhKx0i372hEpd6SZ
E2r/V2ZPMP5kDrKhWhpVN07hHYeUtF2aLisBl8YiuHRLWCKD28Y+d7dzWzuDoCOj
xh8zbM+11jaJ/K2SSf3u+45pbIQYDcw5ASE19kZ3jGH3GBz22g5NkGnKveaNm+jm
tpNWJC3aWQvNy2iWU6MWH64=
-----END CERTIFICATE-----

48
tests/hwsim/test_ap_eap.py
View file

@ -848,15 +848,19 @@ def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
private_key="auth_serv/user.pkcs12", private_key="auth_serv/user.pkcs12",
private_key_passwd="whatever", ocsp=2) private_key_passwd="whatever", ocsp=2)
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev): def int_eap_server_params():
"""WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP", params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
"rsn_pairwise": "CCMP", "ieee8021x": "1", "rsn_pairwise": "CCMP", "ieee8021x": "1",
"eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf", "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
"ca_cert": "auth_serv/ca.pem", "ca_cert": "auth_serv/ca.pem",
"server_cert": "auth_serv/server.pem", "server_cert": "auth_serv/server.pem",
"private_key": "auth_serv/server.key", "private_key": "auth_serv/server.key" }
"ocsp_stapling_response": "auth_serv/ocsp-server-cache.der-invalid" } return params
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
"""WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
params = int_eap_server_params()
params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
hostapd.add_ap(apdev[0]['ifname'], params) hostapd.add_ap(apdev[0]['ifname'], params)
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS", dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
identity="tls user", ca_cert="auth_serv/ca.pem", identity="tls user", ca_cert="auth_serv/ca.pem",
@ -877,3 +881,39 @@ def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
if ev is None: if ev is None:
raise Exception("Timeout on EAP failure report") raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
"""WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
params = int_eap_server_params()
params["server_cert"] = "auth_serv/server-no-dnsname.pem"
params["private_key"] = "auth_serv/server-no-dnsname.key"
hostapd.add_ap(apdev[0]['ifname'], params)
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
identity="tls user", ca_cert="auth_serv/ca.pem",
private_key="auth_serv/user.pkcs12",
private_key_passwd="whatever",
domain_suffix_match="server3.w1.fi",
scan_freq="2412")
dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
identity="tls user", ca_cert="auth_serv/ca.pem",
private_key="auth_serv/user.pkcs12",
private_key_passwd="whatever",
domain_suffix_match="w1.fi",
scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
"""WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
params = int_eap_server_params()
params["server_cert"] = "auth_serv/server-no-dnsname.pem"
params["private_key"] = "auth_serv/server-no-dnsname.key"
hostapd.add_ap(apdev[0]['ifname'], params)
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
identity="tls user", ca_cert="auth_serv/ca.pem",
private_key="auth_serv/user.pkcs12",
private_key_passwd="whatever",
domain_suffix_match="example.com",
wait_connect=False,
scan_freq="2412")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
if ev is None:
raise Exception("Timeout on EAP failure report")