From 7fd583d62ca5c61e6a7124a4adb8cfa107b3a553 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Fri, 12 Jan 2018 22:40:55 +0200 Subject: [PATCH] tests: Suite B 192-bit RSA validation with 2048-bit client cert Verify that unexpected 2048-bit RSA client certificate gets rejected by the RADIUS server if the server is configured to use Suite B at 192-bit level. Signed-off-by: Jouni Malinen
---
 tests/hwsim/auth_serv/rsa3072-generate.sh | 14 +++ .../hwsim/auth_serv/rsa3072-user-rsa2048.key | 28 ++++++ .../hwsim/auth_serv/rsa3072-user-rsa2048.pem | 95 +++++++++++++++++++ tests/hwsim/test_suite_b.py | 59 ++++++++++++ 4 files changed, 196 insertions(+) create mode 100644 tests/hwsim/auth_serv/rsa3072-user-rsa2048.key create mode 100644 tests/hwsim/auth_serv/rsa3072-user-rsa2048.pem
diff --git a/tests/hwsim/auth_serv/rsa3072-generate.sh b/tests/hwsim/auth_serv/rsa3072-generate.sh
index 429f85334..ab3e9179f 100755
--- a/tests/hwsim/auth_serv/rsa3072-generate.sh
+++ b/tests/hwsim/auth_serv/rsa3072-generate.sh
@@ -55,9 +55,23 @@ $OPENSSL req -config rsa3072-ca-openssl.cnf.tmp -batch -new -newkey rsa:3072 -no $OPENSSL ca -config rsa3072-ca-openssl.cnf.tmp -batch -keyfile rsa3072-ca.key -cert rsa3072-ca.pem -create_serial -in rsa3072-user.req -out rsa3072-user.pem -extensions ext_client -days 730 -md sha384 rm rsa3072-ca-openssl.cnf.tmp +echo +echo "---[ User RSA2048 ]-----------------------------------------------------" +echo + +cat ec-ca-openssl.cnf | + sed "s/#@CN@/commonName_default = user-rsa3072-rsa2048/" | + sed "s/#@ALTNAME@/subjectAltName=email:user-rsa3072-rsa2048@w1.fi/" | + sed s%\./ec-ca$%./rsa3072-ca% \ + > rsa3072-ca-openssl.cnf.tmp +$OPENSSL req -config rsa3072-ca-openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout rsa3072-user-rsa2048.key -out rsa3072-user-rsa2048.req -outform PEM -extensions ext_client -sha384 +$OPENSSL ca -config rsa3072-ca-openssl.cnf.tmp -batch -keyfile rsa3072-ca.key -cert rsa3072-ca.pem -create_serial -in rsa3072-user-rsa2048.req -out rsa3072-user-rsa2048.pem -extensions ext_client -days 730 -md sha384 +rm rsa3072-ca-openssl.cnf.tmp + echo echo "---[ Verify ]-----------------------------------------------------------" echo $OPENSSL verify -CAfile rsa3072-ca.pem rsa3072-server.pem $OPENSSL verify -CAfile rsa3072-ca.pem rsa3072-user.pem +$OPENSSL verify -CAfile rsa3072-ca.pem rsa3072-user-rsa2048.pem diff --git a/tests/hwsim/auth_serv/rsa3072-user-rsa2048.key b/tests/hwsim/auth_serv/rsa3072-user-rsa2048.key new file mode 100644 index 000000000..d2140ae34 --- /dev/null +++ b/tests/hwsim/auth_serv/rsa3072-user-rsa2048.key 
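Review bot: The new client certificate is issued with `-days 730`, so this negative-test fixture expires two years after generation, and from then on a rejection by the server can come from expiry rather than from the 2048-bit key. The test added to tests/hwsim/test_suite_b.py in this commit checks only for a generic EAP failure, so it would keep passing without exercising the key-size check. I would add a comment above the new `req` line such as `# Negative-test fixture: regenerate before expiry, otherwise the rejection test passes because of expiry instead of key size`. Separately, the unquoted `sed s%\./ec-ca$%./rsa3072-ca%` loses its backslash to the shell, so sed sees an unescaped `.`; single-quoting the expression keeps the pattern as written (the same form may already be used earlier in the script, outside this hunk).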
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDQUBuCtEBzXiET +GAIe5ofhmbD1/oSu3876x21OFNXfNiIztQanZUETDadSUVUEVJuogNzMgPqpcLp4 +hjvBx1JGe3JOOQ9DQPa3NAk3zwCUVqVrhsRofEcgRfD8ngM1QpYuEoi3S0uEEZHa +8BY0Th04hJ7i1a/m5Jbbw/dp8VCsR5IdwPbzjxAtU6Fh2KzVUHn9yNHDg8fW+RLP +CND/z9JOz9Ebjqkk+IDlZQ4m6vBxgVigYFuyBL9Bw0tpuOauXh2xGz4dkWm4gjKI +i02I6kecMBAbTNFf7Tgy1oBtK88TwfTXjuAwvykgPdV/FPATavlQone9e8iE0zuO +iSYGf5EdAgMBAAECggEAZehanQWLZiUNbybWmsFShjZG0QETbe2Fdz+qpIEi49C6 +yKrtt2ScgjKywV2ShszRXYy098K9XbkNMDsS7siQ4nQvxj65zb/xMkzdmZTGBsug +n0rNuQPbU9mDfEHc9eg+Sgm9IlZOeiySOxYq9qmkN+sBQ50gMYdwmdBzsDtiqPRz +0tP+CyvJW+OXuAJl5JSH4SkTb2n/CO4lmJ0hMTGjXrsQlWQU+J/CYdyC8ts0LAqM +y/N29M2mdq6U770nZe/d+rP3igm5zkuA2Wb6vDFVAeIqOLgn2bk6vA1cNihN/kHZ +hJ1rXQ7EPX8tOxg0PSWOsVnPE5tAeXOJSVCCMDl/jQKBgQD5e6OR7NkLpkydShxR +b4tZFGxamxmTiCkUl43O0eZ+PpdbTW0uWGvhQYf8J/gr4hOQwrEgFvhyxt2OngFo +FljJ5e9O61sofBST4HK9cuSjzuPp6RXvKxzthq0+KsTEcLSmIrEXEb4Bn9Qq5NvF +DCBX81/rGbWciN2YEFgY2MdfrwKBgQDVwSczconv/kGq1YReWBa2nuM0L4STEFaO +am7+M0lbV7BXVOaKiAi5FScG3sKs3hK5PegwYojwY5LRj8Y5rzjzF+nsGRb2tsS9 +kw6zVmMFLr4JB1dSO9TlLwfrlqVSVfPEFDyvVZ6OTbTB6GgjzrR8Xx3MzVcaVxkD +aERc1j2i8wKBgQDt6gxowreRNnvlm6E5v+fhgWp7VWGkobqbWpPvYZgvWD064rF1 ++viWDcpCm1M9dhE2gZQsh/tSaXcr5F5vBrCRiWcXmbaK+xkclHSXWhPUax5KGO/D +7xddJIvdtyeCNgDwVjEPUOoj3mmUpj82wIOvm/Yi25enuZWoyB1bRI+NHQKBgQCE ++LhrL8iRTEkLffHvQrs2ddb/QsQlPFesFpffeIYc1Yr0ePNFoGRUxszVYEQYh7l8 +FP/ZAaMQb9EInnkAr3ks+GZjoiP/7CiticruU0IcGjzLnw56MJA61iwGKVvEwYV4 +J+KsbAXLnplguzP1eoQajo0aN28FCsObtAQ7AGetcwKBgQCRR6LWflnidMwyKPSu +93LYL2NQvg4yjV9rTH46Ss/SN9ZVVuaLMqWD9V1UR7aB9be8hzKnJcVeaXkgP5qT +I1H1j8KWxYov3BrQoWSWCoOliCwdAqM+1aU/TnOxgxgtrgJ/Byt0CWvp7TyAKmOf +LiWSf8rObz09oBtVWRnkz9dAmg== +-----END PRIVATE KEY----- diff --git a/tests/hwsim/auth_serv/rsa3072-user-rsa2048.pem b/tests/hwsim/auth_serv/rsa3072-user-rsa2048.pem new file mode 100644 index 000000000..9a263e7f0 --- /dev/null +++ b/tests/hwsim/auth_serv/rsa3072-user-rsa2048.pem 
@@ -0,0 +1,95 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 17810147094499836298 (0xf72a5a6b951e418a) + Signature Algorithm: sha384WithRSAEncryption + Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B RSA 3k Root CA + Validity + Not Before: Jan 12 19:10:14 2018 GMT + Not After : Jan 12 19:10:14 2020 GMT + Subject: C=FI, O=w1.fi, CN=user-rsa3072-rsa2048 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d0:50:1b:82:b4:40:73:5e:21:13:18:02:1e:e6: + 87:e1:99:b0:f5:fe:84:ae:df:ce:fa:c7:6d:4e:14: + d5:df:36:22:33:b5:06:a7:65:41:13:0d:a7:52:51: + 55:04:54:9b:a8:80:dc:cc:80:fa:a9:70:ba:78:86: + 3b:c1:c7:52:46:7b:72:4e:39:0f:43:40:f6:b7:34: + 09:37:cf:00:94:56:a5:6b:86:c4:68:7c:47:20:45: + f0:fc:9e:03:35:42:96:2e:12:88:b7:4b:4b:84:11: + 91:da:f0:16:34:4e:1d:38:84:9e:e2:d5:af:e6:e4: + 96:db:c3:f7:69:f1:50:ac:47:92:1d:c0:f6:f3:8f: + 10:2d:53:a1:61:d8:ac:d5:50:79:fd:c8:d1:c3:83: + c7:d6:f9:12:cf:08:d0:ff:cf:d2:4e:cf:d1:1b:8e: + a9:24:f8:80:e5:65:0e:26:ea:f0:71:81:58:a0:60: + 5b:b2:04:bf:41:c3:4b:69:b8:e6:ae:5e:1d:b1:1b: + 3e:1d:91:69:b8:82:32:88:8b:4d:88:ea:47:9c:30: + 10:1b:4c:d1:5f:ed:38:32:d6:80:6d:2b:cf:13:c1: + f4:d7:8e:e0:30:bf:29:20:3d:d5:7f:14:f0:13:6a: + f9:50:a2:77:bd:7b:c8:84:d3:3b:8e:89:26:06:7f: + 91:1d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + DB:BE:D5:98:AD:BC:11:FA:AC:C7:EE:5A:B7:F6:82:D2:A6:7B:05:8A + X509v3 Authority Key Identifier: + keyid:21:F7:EF:DA:C3:34:3A:ED:CD:D5:50:C0:B3:BA:09:EE:3F:80:D7:70 + + X509v3 Subject Alternative Name: + email:user-rsa3072-rsa2048@w1.fi + X509v3 Extended Key Usage: + TLS Web Client Authentication + X509v3 Key Usage: + Digital Signature, Key Encipherment + Signature Algorithm: sha384WithRSAEncryption + ab:f4:bf:67:e3:e9:ef:cd:bd:86:9d:77:6f:75:ac:4d:f0:b6: + d2:9c:ec:62:87:3a:78:04:57:2e:79:51:61:35:e7:cb:8d:ed: + 42:17:63:02:0e:9f:cf:75:40:ae:c4:7e:8e:62:dc:b7:b2:75: + 
e2:b2:eb:3d:5c:f9:1e:0a:81:5b:0b:7b:d0:cf:08:8c:59:bf: + 87:44:a1:e8:2f:a4:09:20:52:44:8a:20:ee:66:4c:2c:ec:0e: + be:73:a0:5c:02:e3:06:13:a8:60:5d:ef:b9:ff:c2:c4:b2:68: + 8d:ab:ed:99:89:e8:f2:37:21:f5:5c:f7:24:83:c1:e0:52:fb: + c7:21:47:60:d1:e6:b5:e7:34:a9:cd:d3:48:94:36:b6:03:0d: + 1a:be:82:3e:e2:26:60:f6:fe:fd:77:8d:d2:92:8a:4d:9d:03: + ba:f1:88:16:16:19:89:fc:dd:75:71:6e:b1:9f:63:5c:79:aa: + 3c:ec:3b:e8:83:5c:5f:fb:db:98:bb:54:9a:de:8d:95:c7:c1: + 71:dc:3b:c5:ed:fe:7e:ec:ab:6e:3f:77:a9:82:4f:28:ff:e3: + c9:b2:cf:57:b5:b9:5b:4e:f2:09:d8:6a:2f:76:3d:e3:8c:98: + 06:4e:05:6c:c2:c0:4a:0e:2d:bf:35:ec:31:70:ba:11:12:ae: + 03:d9:1f:fe:01:cf:86:4b:0e:87:99:0a:57:11:0c:0e:21:de: + 87:65:87:ea:c5:16:b2:c0:bd:91:52:f4:7b:90:66:0f:7c:93: + 10:f0:8c:40:e6:c7:4f:f5:22:37:6e:db:c3:93:ad:a6:d8:bf: + e5:45:44:ff:9a:54:50:7e:59:ae:71:25:ae:96:41:da:45:d7: + f7:80:9a:b5:5e:8a:f0:5f:0c:22:b0:2a:f0:1f:ba:96:3b:7f: + f6:f0:52:55:cd:5d:94:2f:af:5f:18:49:03:3b:b1:1b:26:68: + 3e:d4:ea:7f:16:c8:73:6e:85:1f:7e:75:fd:98:fa:26:69:78: + 9c:86:c7:45:0d:39 +-----BEGIN CERTIFICATE----- +MIIEKDCCApCgAwIBAgIJAPcqWmuVHkGKMA0GCSqGSIb3DQEBDAUAMFExCzAJBgNV +BAYTAkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxHzAdBgNV +BAMMFlN1aXRlIEIgUlNBIDNrIFJvb3QgQ0EwHhcNMTgwMTEyMTkxMDE0WhcNMjAw +MTEyMTkxMDE0WjA8MQswCQYDVQQGEwJGSTEOMAwGA1UECgwFdzEuZmkxHTAbBgNV +BAMMFHVzZXItcnNhMzA3Mi1yc2EyMDQ4MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEA0FAbgrRAc14hExgCHuaH4Zmw9f6Ert/O+sdtThTV3zYiM7UGp2VB +Ew2nUlFVBFSbqIDczID6qXC6eIY7wcdSRntyTjkPQ0D2tzQJN88AlFala4bEaHxH +IEXw/J4DNUKWLhKIt0tLhBGR2vAWNE4dOISe4tWv5uSW28P3afFQrEeSHcD2848Q +LVOhYdis1VB5/cjRw4PH1vkSzwjQ/8/STs/RG46pJPiA5WUOJurwcYFYoGBbsgS/ +QcNLabjmrl4dsRs+HZFpuIIyiItNiOpHnDAQG0zRX+04MtaAbSvPE8H0147gML8p +ID3VfxTwE2r5UKJ3vXvIhNM7jokmBn+RHQIDAQABo4GXMIGUMAkGA1UdEwQCMAAw +HQYDVR0OBBYEFNu+1ZitvBH6rMfuWrf2gtKmewWKMB8GA1UdIwQYMBaAFCH379rD +NDrtzdVQwLO6Ce4/gNdwMCUGA1UdEQQeMByBGnVzZXItcnNhMzA3Mi1yc2EyMDQ4 +QHcxLmZpMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIFoDANBgkqhkiG 
+9w0BAQwFAAOCAYEAq/S/Z+Pp7829hp13b3WsTfC20pzsYoc6eARXLnlRYTXny43t +QhdjAg6fz3VArsR+jmLct7J14rLrPVz5HgqBWwt70M8IjFm/h0Sh6C+kCSBSRIog +7mZMLOwOvnOgXALjBhOoYF3vuf/CxLJojavtmYno8jch9Vz3JIPB4FL7xyFHYNHm +tec0qc3TSJQ2tgMNGr6CPuImYPb+/XeN0pKKTZ0DuvGIFhYZifzddXFusZ9jXHmq +POw76INcX/vbmLtUmt6NlcfBcdw7xe3+fuyrbj93qYJPKP/jybLPV7W5W07yCdhq +L3Y944yYBk4FbMLASg4tvzXsMXC6ERKuA9kf/gHPhksOh5kKVxEMDiHeh2WH6sUW +ssC9kVL0e5BmD3yTEPCMQObHT/UiN27bw5Otpti/5UVE/5pUUH5ZrnElrpZB2kXX +94CatV6K8F8MIrAq8B+6ljt/9vBSVc1dlC+vXxhJAzuxGyZoPtTqfxbIc26FH351 +/Zj6Jml4nIbHRQ05 +-----END CERTIFICATE----- diff --git a/tests/hwsim/test_suite_b.py b/tests/hwsim/test_suite_b.py index f2be07d16..4ace1a82b 100644 --- a/tests/hwsim/test_suite_b.py +++ b/tests/hwsim/test_suite_b.py 
@@ -525,3 +525,62 @@ def test_suite_b_192_rsa_radius(dev, apdev):
 if tls_cipher != "ECDHE-RSA-AES256-GCM-SHA384" and \
 tls_cipher != "ECDHE-RSA-AES-256-GCM-AEAD":
 raise Exception("Unexpected TLS cipher: " + tls_cipher)
+
+def test_suite_b_192_rsa_ecdhe_radius_rsa2048_client(dev, apdev):
+ """Suite B 192-bit level and RSA (ECDHE) and RSA2048 client"""
+ run_suite_b_192_rsa_radius_rsa2048_client(dev, apdev, True)
+
+def test_suite_b_192_rsa_dhe_radius_rsa2048_client(dev, apdev):
+ """Suite B 192-bit level and RSA (DHE) and RSA2048 client"""
+ run_suite_b_192_rsa_radius_rsa2048_client(dev, apdev, False)
+
+def run_suite_b_192_rsa_radius_rsa2048_client(dev, apdev, ecdhe):
+ check_suite_b_192_capa(dev)
+ dev[0].flush_scan_cache()
+ params = suite_b_as_params()
+ params['ca_cert'] = 'auth_serv/rsa3072-ca.pem'
+ params['server_cert'] = 'auth_serv/rsa3072-server.pem'
+ params['private_key'] = 'auth_serv/rsa3072-server.key'
+ del params['openssl_ciphers']
+ if ecdhe:
+ params["tls_flags"] = "[SUITEB]"
+ ciphers = "ECDHE-RSA-AES256-GCM-SHA384"
+ else:
+ params["tls_flags"] = "[SUITEB-NO-ECDH]"
+ params["dh_file"] = "auth_serv/dh_param_3072.pem"
+ ciphers = "DHE-RSA-AES256-GCM-SHA384"
+
+ hostapd.add_ap(apdev[1], params)
+
+ params = { "ssid": "test-suite-b",
+ "wpa": "2",
+ "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
+ "rsn_pairwise": "GCMP-256",
+ "group_mgmt_cipher": "BIP-GMAC-256",
+ "ieee80211w": "2",
+ "ieee8021x": "1",
+ 'auth_server_addr': "127.0.0.1",
+ 'auth_server_port': "18129",
+ 'auth_server_shared_secret': "radius",
+ 'nas_identifier': "nas.w1.fi" }
+ hapd = hostapd.add_ap(apdev[0], params)
+
+ dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
+ ieee80211w="2",
+ openssl_ciphers=ciphers,
+ phase1="tls_suiteb=1",
+ eap="TLS", identity="tls user",
+ ca_cert="auth_serv/rsa3072-ca.pem",
+ client_cert="auth_serv/rsa3072-user-rsa2048.pem",
+ private_key="auth_serv/rsa3072-user-rsa2048.key",
+ pairwise="GCMP-256", group="GCMP-256",
+ group_mgmt="BIP-GMAC-256", scan_freq="2412",
+ wait_connect=False)
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
+ if ev is None:
+ raise Exception("EAP-Failure not reported")
+ ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=5)
+ if ev is None:
+ raise Exception("Disconnection not reported")
+ if "reason=23" not in ev:
+ raise Exception("Unexpected disconnection reason: " + ev);
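Review bot: The checks at the end of `run_suite_b_192_rsa_radius_rsa2048_client` accept any EAP failure: `CTRL-EVENT-EAP-FAILURE` followed by a disconnect with `reason=23` is presumably also what an expired or mis-issued fixture, an unreadable `dh_file` or a cipher mismatch in the DHE variant would produce, so the test does not show that the server rejected the certificate because of its 2048-bit key. Nothing in the hunk establishes that the same server configuration accepts a 3072-bit client certificate; if no other test covers both the `[SUITEB]` and `[SUITEB-NO-ECDH]` setups, a follow-up connection using `auth_serv/rsa3072-user.pem` would serve as that control. At minimum I would give the helper a docstring that states the limitation, e.g. `"""Expect EAP-TLS failure for a 2048-bit RSA client cert; only the generic failure is checked, not its cause"""`. Minor: `hapd` is assigned but not used in the visible lines, and the final `raise` line carries a stray `;`.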