tests: Domain name suffix match against CN
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
be24917df6
commit
64e05f9644
3 changed files with 122 additions and 4 deletions
16
tests/hwsim/auth_serv/server-no-dnsname.key
Normal file
16
tests/hwsim/auth_serv/server-no-dnsname.key
Normal file
|
@ -0,0 +1,16 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANv8D6FIh2iGxJ56
|
||||
+Bgod22jWA/bvmvUQ0PEuhc3m6j/lqJzFBMcrhkPgVQ1EGSU42RlvpsLFtKekph3
|
||||
h+KamfwdVwyKDUwhL65n12Nh65FbWC+tZ2Zl5IMHymo2peYg9lyZJ9tj5YbYK3wd
|
||||
kESBIiF3CgMFw+tjYbNMMsCHhzpHAgMBAAECgYEAu0p2MDWk+4xKGDfPxBmn3JOG
|
||||
ZTIMhJeakTcLzLqOb6rzn+lkPQVdAH8f+AaZp1jP5OlvB2fAjZ9uZhrWeUpxMA3a
|
||||
TTEJqvttF1R+PjQ7hxWByPf+cFtPfJnXmJg8DuCBpc4TbPd0MMqtu37K9m41iO7K
|
||||
H5Lj6J+wp4lhv1Y4oaECQQDv0bvCgrGpSMLHigsdVcsFyjZr25+9y1J2Gnm1Hm/Z
|
||||
dbUtS9cOihYh8qh3YyGAKS5psCVzdeMXGKDN05pOhEGxAkEA6tO8Bhh+YA/oG+pl
|
||||
Ps9W9XjWwBCByVI+Hub6/Y9NcWckmBP+41DN1Oi7cKsSyMJ74WD5r+QYqS258tC6
|
||||
YDsBdwJBAJ8OEWN+XuqRsW26Joj8P7zFUrbSYO32Dej6wkHXwAMQSGuUYzvnZap6
|
||||
UDVub+eaaIf8JbqgM088LFqWvz7YBOECQHBlN7GTN6my812pKxyNEQoc9GypefVq
|
||||
L+GKnMeQN3j37UP9DhqvKlWlr1GWED+XFsQhLmFJw6P2BvJ5hTtaArECQHBSy14H
|
||||
6K7lnk1UNaz4By9MOJPbHkKUl1FCrwtQ1UhJsur1pUCbud2thz4YXQh3NyJ3X0m0
|
||||
G3R+tt7p2kJzdlU=
|
||||
-----END PRIVATE KEY-----
|
62
tests/hwsim/auth_serv/server-no-dnsname.pem
Normal file
62
tests/hwsim/auth_serv/server-no-dnsname.pem
Normal file
|
@ -0,0 +1,62 @@
|
|||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 15624081837803162825 (0xd8d3e3a6cbe3ccc9)
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
Issuer: C=FI, O=w1.fi, CN=Root CA
|
||||
Validity
|
||||
Not Before: Feb 15 07:59:30 2014 GMT
|
||||
Not After : Feb 15 07:59:30 2015 GMT
|
||||
Subject: C=FI, O=w1.fi, CN=server3.w1.fi
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
Public-Key: (1024 bit)
|
||||
Modulus:
|
||||
00:db:fc:0f:a1:48:87:68:86:c4:9e:7a:f8:18:28:
|
||||
77:6d:a3:58:0f:db:be:6b:d4:43:43:c4:ba:17:37:
|
||||
9b:a8:ff:96:a2:73:14:13:1c:ae:19:0f:81:54:35:
|
||||
10:64:94:e3:64:65:be:9b:0b:16:d2:9e:92:98:77:
|
||||
87:e2:9a:99:fc:1d:57:0c:8a:0d:4c:21:2f:ae:67:
|
||||
d7:63:61:eb:91:5b:58:2f:ad:67:66:65:e4:83:07:
|
||||
ca:6a:36:a5:e6:20:f6:5c:99:27:db:63:e5:86:d8:
|
||||
2b:7c:1d:90:44:81:22:21:77:0a:03:05:c3:eb:63:
|
||||
61:b3:4c:32:c0:87:87:3a:47
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:FALSE
|
||||
X509v3 Subject Key Identifier:
|
||||
8E:9A:4F:4D:46:AD:59:AC:7F:4C:9C:BE:6D:5B:D7:99:63:8D:C7:70
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
|
||||
|
||||
Authority Information Access:
|
||||
OCSP - URI:http://server.w1.fi:8888/
|
||||
|
||||
X509v3 Extended Key Usage:
|
||||
TLS Web Server Authentication
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
64:1e:41:7e:12:b1:d2:2d:fb:da:11:29:77:a4:99:13:6a:ff:
|
||||
57:66:4f:30:fe:64:0e:b2:a1:5a:1a:55:37:4e:e1:1d:87:94:
|
||||
b4:5d:9a:2e:2b:01:97:c6:22:b8:74:4b:58:22:83:db:c6:3e:
|
||||
77:b7:73:5b:3b:83:a0:23:a3:c6:1f:33:6c:cf:b5:d6:36:89:
|
||||
fc:ad:92:49:fd:ee:fb:8e:69:6c:84:18:0d:cc:39:01:21:35:
|
||||
f6:46:77:8c:61:f7:18:1c:f6:da:0e:4d:90:69:ca:bd:e6:8d:
|
||||
9b:e8:e6:b6:93:56:24:2d:da:59:0b:cd:cb:68:96:53:a3:16:
|
||||
1f:ae
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICfTCCAeagAwIBAgIJANjT46bL48zJMA0GCSqGSIb3DQEBBQUAMC8xCzAJBgNV
|
||||
BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNDAy
|
||||
MTUwNzU5MzBaFw0xNTAyMTUwNzU5MzBaMDUxCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
|
||||
DAV3MS5maTEWMBQGA1UEAwwNc2VydmVyMy53MS5maTCBnzANBgkqhkiG9w0BAQEF
|
||||
AAOBjQAwgYkCgYEA2/wPoUiHaIbEnnr4GCh3baNYD9u+a9RDQ8S6FzebqP+WonMU
|
||||
ExyuGQ+BVDUQZJTjZGW+mwsW0p6SmHeH4pqZ/B1XDIoNTCEvrmfXY2HrkVtYL61n
|
||||
ZmXkgwfKajal5iD2XJkn22PlhtgrfB2QRIEiIXcKAwXD62Nhs0wywIeHOkcCAwEA
|
||||
AaOBmjCBlzAJBgNVHRMEAjAAMB0GA1UdDgQWBBSOmk9NRq1ZrH9MnL5tW9eZY43H
|
||||
cDAfBgNVHSMEGDAWgBS4kt79ihizMMOfVfMzXbTIKYpBFDA1BggrBgEFBQcBAQQp
|
||||
MCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly9zZXJ2ZXIudzEuZmk6ODg4OC8wEwYDVR0l
|
||||
BAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADgYEAZB5BfhKx0i372hEpd6SZ
|
||||
E2r/V2ZPMP5kDrKhWhpVN07hHYeUtF2aLisBl8YiuHRLWCKD28Y+d7dzWzuDoCOj
|
||||
xh8zbM+11jaJ/K2SSf3u+45pbIQYDcw5ASE19kZ3jGH3GBz22g5NkGnKveaNm+jm
|
||||
tpNWJC3aWQvNy2iWU6MWH64=
|
||||
-----END CERTIFICATE-----
|
|
@ -848,15 +848,19 @@ def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
|
|||
private_key="auth_serv/user.pkcs12",
|
||||
private_key_passwd="whatever", ocsp=2)
|
||||
|
||||
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
|
||||
"""WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
|
||||
def int_eap_server_params():
|
||||
params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
|
||||
"rsn_pairwise": "CCMP", "ieee8021x": "1",
|
||||
"eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
|
||||
"ca_cert": "auth_serv/ca.pem",
|
||||
"server_cert": "auth_serv/server.pem",
|
||||
"private_key": "auth_serv/server.key",
|
||||
"ocsp_stapling_response": "auth_serv/ocsp-server-cache.der-invalid" }
|
||||
"private_key": "auth_serv/server.key" }
|
||||
return params
|
||||
|
||||
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
|
||||
"""WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
|
||||
params = int_eap_server_params()
|
||||
params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
|
||||
hostapd.add_ap(apdev[0]['ifname'], params)
|
||||
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
|
||||
identity="tls user", ca_cert="auth_serv/ca.pem",
|
||||
|
@ -877,3 +881,39 @@ def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
|
|||
ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
|
||||
if ev is None:
|
||||
raise Exception("Timeout on EAP failure report")
|
||||
|
||||
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
|
||||
"""WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
|
||||
params = int_eap_server_params()
|
||||
params["server_cert"] = "auth_serv/server-no-dnsname.pem"
|
||||
params["private_key"] = "auth_serv/server-no-dnsname.key"
|
||||
hostapd.add_ap(apdev[0]['ifname'], params)
|
||||
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
|
||||
identity="tls user", ca_cert="auth_serv/ca.pem",
|
||||
private_key="auth_serv/user.pkcs12",
|
||||
private_key_passwd="whatever",
|
||||
domain_suffix_match="server3.w1.fi",
|
||||
scan_freq="2412")
|
||||
dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
|
||||
identity="tls user", ca_cert="auth_serv/ca.pem",
|
||||
private_key="auth_serv/user.pkcs12",
|
||||
private_key_passwd="whatever",
|
||||
domain_suffix_match="w1.fi",
|
||||
scan_freq="2412")
|
||||
|
||||
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
|
||||
"""WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
|
||||
params = int_eap_server_params()
|
||||
params["server_cert"] = "auth_serv/server-no-dnsname.pem"
|
||||
params["private_key"] = "auth_serv/server-no-dnsname.key"
|
||||
hostapd.add_ap(apdev[0]['ifname'], params)
|
||||
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
|
||||
identity="tls user", ca_cert="auth_serv/ca.pem",
|
||||
private_key="auth_serv/user.pkcs12",
|
||||
private_key_passwd="whatever",
|
||||
domain_suffix_match="example.com",
|
||||
wait_connect=False,
|
||||
scan_freq="2412")
|
||||
ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
|
||||
if ev is None:
|
||||
raise Exception("Timeout on EAP failure report")
|
||||
|
|
Loading…
Reference in a new issue