From 6a4d0dbe1cb70ffce207ae8c3a1e4de997514a8a Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sat, 15 Feb 2014 10:28:22 +0200
Subject: [PATCH] tests: Expired server certificate

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 tests/hwsim/auth_serv/server-expired.key | 16 ++++++
 tests/hwsim/auth_serv/server-expired.pem | 62 ++++++++++++++++++++++++
 tests/hwsim/test_ap_eap.py               | 32 ++++++++++++
 3 files changed, 110 insertions(+)
 create mode 100644 tests/hwsim/auth_serv/server-expired.key
 create mode 100644 tests/hwsim/auth_serv/server-expired.pem

diff --git a/tests/hwsim/auth_serv/server-expired.key b/tests/hwsim/auth_serv/server-expired.key
new file mode 100644
index 000000000..882d645f1
--- /dev/null
+++ b/tests/hwsim/auth_serv/server-expired.key
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANA7a4aeP7QOYEhU
+Tcbci7lrddDkYPChQwuv+cR3aRGEUr6efXG0qoAf6+bAN95J9IVDrk1S8+swc67m
+GAQUj8JjMKQM6/XWy/SvHU/WOkN4FDLe5YilNL6rmqSj3muE43iTHBwpx/xrzGjX
+7sBd1z2RiIFWulQRnk7ogIPgbMrxAgMBAAECgYEArWSNSO+FRD2kVxY8HZeQkbm1
+xVgmkLj3x0elx79XMkrpS+lVs9UpFL+ABAmTe/pBLqcJAUJN8k3KRp066krk2QyQ
+uilRkugON0vBJzLse9HryXilx0aWEVl3xZBKu1E3G4mcCl2LoPaASCZtjQXd/XCd
+zdBR24qe123ofMpIo0ECQQDooUnHsruInBX9bRP11xXs7bI5298ZLCWHFAhGa/Tb
+KvVXkXnzPVYhRi2w0Leqb0lht/4GX9MB06xcHs5TLvltAkEA5SasURCjxXc7svGJ
+yP1s779DxYWoEBvGiRPygtyO40cnkOuupXKLaSkSuNUGag+6UxNzxGSUx9aiadse
+oxOJFQJAL6y2SSXZBxMt8oUDPTO6O5cvGmp0G12Px1IUrBH92VjBdRPMUUw1tZYD
+USRFL7mk6VDiz32d6dbukOaDVErhNQJASwnoAb/WMXLDHO0VtriudLAIbGVBTM0b
+rYXXs1yweeKyJTXYghtJZc1qcRZpPFAcLto+3cAmLG6vzsRPew2JpQJBAN8krD5c
+RYAGuXtslPkH7BWypJXI+K3brZkKBiyXVB/fbwnpXI1KTbzeBSly60JrjuymY9+X
+NKs5A4HSiCtQjSk=
+-----END PRIVATE KEY-----
diff --git a/tests/hwsim/auth_serv/server-expired.pem b/tests/hwsim/auth_serv/server-expired.pem
new file mode 100644
index 000000000..f279aae62
--- /dev/null
+++ b/tests/hwsim/auth_serv/server-expired.pem
@@ -0,0 +1,62 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 15624081837803162826 (0xd8d3e3a6cbe3ccca)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=Root CA
+        Validity
+            Not Before: Jan  1 00:00:00 2014 GMT
+            Not After : Jan  2 00:00:00 2014 GMT
+        Subject: C=FI, O=w1.fi, CN=server4.w1.fi
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:d0:3b:6b:86:9e:3f:b4:0e:60:48:54:4d:c6:dc:
+                    8b:b9:6b:75:d0:e4:60:f0:a1:43:0b:af:f9:c4:77:
+                    69:11:84:52:be:9e:7d:71:b4:aa:80:1f:eb:e6:c0:
+                    37:de:49:f4:85:43:ae:4d:52:f3:eb:30:73:ae:e6:
+                    18:04:14:8f:c2:63:30:a4:0c:eb:f5:d6:cb:f4:af:
+                    1d:4f:d6:3a:43:78:14:32:de:e5:88:a5:34:be:ab:
+                    9a:a4:a3:de:6b:84:e3:78:93:1c:1c:29:c7:fc:6b:
+                    cc:68:d7:ee:c0:5d:d7:3d:91:88:81:56:ba:54:11:
+                    9e:4e:e8:80:83:e0:6c:ca:f1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                75:B0:65:1F:2F:A9:BE:D7:D0:EE:9D:42:8F:8B:13:5F:D0:AD:13:7B
+            X509v3 Authority Key Identifier: 
+                keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
+
+            Authority Information Access: 
+                OCSP - URI:http://server.w1.fi:8888/
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+    Signature Algorithm: sha1WithRSAEncryption
+         12:e7:8a:e1:3d:d9:fd:36:ce:71:66:b3:74:48:c1:f0:38:75:
+         30:56:c7:2c:9c:0d:da:d0:68:19:47:a2:37:38:0d:db:4f:f9:
+         b9:cc:0d:25:b1:35:ed:df:19:8c:4b:bd:f0:08:11:13:4b:e9:
+         a7:d7:50:2e:fa:7a:16:e1:4f:0f:5a:b4:42:34:ff:43:08:5c:
+         3c:04:6a:f8:44:8d:f6:e5:a7:82:38:60:d0:5c:d1:59:f9:02:
+         84:7f:da:ae:6c:e9:55:c8:f5:0e:da:55:70:f3:77:48:30:1f:
+         ab:60:39:a1:77:49:29:e3:51:54:62:72:c7:78:ae:17:14:c5:
+         dd:2c
+-----BEGIN CERTIFICATE-----
+MIICfTCCAeagAwIBAgIJANjT46bL48zKMA0GCSqGSIb3DQEBBQUAMC8xCzAJBgNV
+BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNDAx
+MDEwMDAwMDBaFw0xNDAxMDIwMDAwMDBaMDUxCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
+DAV3MS5maTEWMBQGA1UEAwwNc2VydmVyNC53MS5maTCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEA0Dtrhp4/tA5gSFRNxtyLuWt10ORg8KFDC6/5xHdpEYRSvp59
+cbSqgB/r5sA33kn0hUOuTVLz6zBzruYYBBSPwmMwpAzr9dbL9K8dT9Y6Q3gUMt7l
+iKU0vquapKPea4TjeJMcHCnH/GvMaNfuwF3XPZGIgVa6VBGeTuiAg+BsyvECAwEA
+AaOBmjCBlzAJBgNVHRMEAjAAMB0GA1UdDgQWBBR1sGUfL6m+19DunUKPixNf0K0T
+ezAfBgNVHSMEGDAWgBS4kt79ihizMMOfVfMzXbTIKYpBFDA1BggrBgEFBQcBAQQp
+MCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly9zZXJ2ZXIudzEuZmk6ODg4OC8wEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADgYEAEueK4T3Z/TbOcWazdEjB
+8Dh1MFbHLJwN2tBoGUeiNzgN20/5ucwNJbE17d8ZjEu98AgRE0vpp9dQLvp6FuFP
+D1q0QjT/QwhcPARq+ESN9uWngjhg0FzRWfkChH/armzpVcj1DtpVcPN3SDAfq2A5
+oXdJKeNRVGJyx3iuFxTF3Sw=
+-----END CERTIFICATE-----
diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index 5131753a6..c10e6e584 100644
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@@ -917,3 +917,35 @@ def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
     if ev is None:
         raise Exception("Timeout on EAP failure report")
+
+def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
+    """WPA2-Enterprise using EAP-TTLS and expired certificate"""
+    params = int_eap_server_params()
+    params["server_cert"] = "auth_serv/server-expired.pem"
+    params["private_key"] = "auth_serv/server-expired.key"
+    hostapd.add_ap(apdev[0]['ifname'], params)
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+                   identity="mschap user", password="password",
+                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
+                   wait_connect=False,
+                   scan_freq="2412")
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
+    if ev is None:
+        raise Exception("Timeout on EAP certificate error report")
+    if "reason=4" not in ev or "certificate has expired" not in ev:
+        raise Exception("Unexpected failure reason: " + ev)
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
+    if ev is None:
+        raise Exception("Timeout on EAP failure report")
+
+def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
+    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
+    params = int_eap_server_params()
+    params["server_cert"] = "auth_serv/server-expired.pem"
+    params["private_key"] = "auth_serv/server-expired.key"
+    hostapd.add_ap(apdev[0]['ifname'], params)
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+                   identity="mschap user", password="password",
+                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
+                   phase1="tls_disable_time_checks=1",
+                   scan_freq="2412")