tests: Suite B 192-bit RSA validation with 2048-bit client cert
Verify that an unexpected 2048-bit RSA client certificate gets rejected by the RADIUS server if the server is configured to use Suite B at the 192-bit level.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
parent
5d5ee699a5
commit
7fd583d62c
4 changed files with 196 additions and 0 deletions
|
@ -55,9 +55,23 @@ $OPENSSL req -config rsa3072-ca-openssl.cnf.tmp -batch -new -newkey rsa:3072 -no
|
||||||
$OPENSSL ca -config rsa3072-ca-openssl.cnf.tmp -batch -keyfile rsa3072-ca.key -cert rsa3072-ca.pem -create_serial -in rsa3072-user.req -out rsa3072-user.pem -extensions ext_client -days 730 -md sha384
|
$OPENSSL ca -config rsa3072-ca-openssl.cnf.tmp -batch -keyfile rsa3072-ca.key -cert rsa3072-ca.pem -create_serial -in rsa3072-user.req -out rsa3072-user.pem -extensions ext_client -days 730 -md sha384
|
||||||
rm rsa3072-ca-openssl.cnf.tmp
|
rm rsa3072-ca-openssl.cnf.tmp
|
||||||
|
|
||||||
|
echo
|
||||||
|
echo "---[ User RSA2048 ]-----------------------------------------------------"
|
||||||
|
echo
|
||||||
|
|
||||||
|
cat ec-ca-openssl.cnf |
|
||||||
|
sed "s/#@CN@/commonName_default = user-rsa3072-rsa2048/" |
|
||||||
|
sed "s/#@ALTNAME@/subjectAltName=email:user-rsa3072-rsa2048@w1.fi/" |
|
||||||
|
sed s%\./ec-ca$%./rsa3072-ca% \
|
||||||
|
> rsa3072-ca-openssl.cnf.tmp
|
||||||
|
$OPENSSL req -config rsa3072-ca-openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout rsa3072-user-rsa2048.key -out rsa3072-user-rsa2048.req -outform PEM -extensions ext_client -sha384
|
||||||
|
$OPENSSL ca -config rsa3072-ca-openssl.cnf.tmp -batch -keyfile rsa3072-ca.key -cert rsa3072-ca.pem -create_serial -in rsa3072-user-rsa2048.req -out rsa3072-user-rsa2048.pem -extensions ext_client -days 730 -md sha384
|
||||||
|
rm rsa3072-ca-openssl.cnf.tmp
|
||||||
|
|
||||||
echo
|
echo
|
||||||
echo "---[ Verify ]-----------------------------------------------------------"
|
echo "---[ Verify ]-----------------------------------------------------------"
|
||||||
echo
|
echo
|
||||||
|
|
||||||
$OPENSSL verify -CAfile rsa3072-ca.pem rsa3072-server.pem
|
$OPENSSL verify -CAfile rsa3072-ca.pem rsa3072-server.pem
|
||||||
$OPENSSL verify -CAfile rsa3072-ca.pem rsa3072-user.pem
|
$OPENSSL verify -CAfile rsa3072-ca.pem rsa3072-user.pem
|
||||||
|
$OPENSSL verify -CAfile rsa3072-ca.pem rsa3072-user-rsa2048.pem
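Review bot: The added `$OPENSSL ca` line for rsa3072-user-rsa2048.pem carries `-days 730`, so this negative-test certificate expires two years after generation, and from then on the server has a second reason to refuse it, which would let the RSA2048 client tests keep passing without the key-size check being reached. A comment above the new block would record the constraint, for example `# Negative-test fixture: the 2048-bit key must be the only defect; regenerate before the certificate expires`. The final `$OPENSSL verify` line checks the chain only at generation time, so it does not catch this later. The block also appears to repeat the preceding user-certificate steps with only the CN, subjectAltName, key size and file names changed; a small shell function taking those values would keep the copies from drifting.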
|
||||||
|
|
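--- a/tests/hwsim/auth_serv/rsa3072-user-rsa2048.key
+++ b/tests/hwsim/auth_serv/rsa3072-user-rsa2048.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDQUBuCtEBzXiET
+GAIe5ofhmbD1/oSu3876x21OFNXfNiIztQanZUETDadSUVUEVJuogNzMgPqpcLp4
+hjvBx1JGe3JOOQ9DQPa3NAk3zwCUVqVrhsRofEcgRfD8ngM1QpYuEoi3S0uEEZHa
+8BY0Th04hJ7i1a/m5Jbbw/dp8VCsR5IdwPbzjxAtU6Fh2KzVUHn9yNHDg8fW+RLP
+CND/z9JOz9Ebjqkk+IDlZQ4m6vBxgVigYFuyBL9Bw0tpuOauXh2xGz4dkWm4gjKI
+i02I6kecMBAbTNFf7Tgy1oBtK88TwfTXjuAwvykgPdV/FPATavlQone9e8iE0zuO
+iSYGf5EdAgMBAAECggEAZehanQWLZiUNbybWmsFShjZG0QETbe2Fdz+qpIEi49C6
+yKrtt2ScgjKywV2ShszRXYy098K9XbkNMDsS7siQ4nQvxj65zb/xMkzdmZTGBsug
+n0rNuQPbU9mDfEHc9eg+Sgm9IlZOeiySOxYq9qmkN+sBQ50gMYdwmdBzsDtiqPRz
+0tP+CyvJW+OXuAJl5JSH4SkTb2n/CO4lmJ0hMTGjXrsQlWQU+J/CYdyC8ts0LAqM
+y/N29M2mdq6U770nZe/d+rP3igm5zkuA2Wb6vDFVAeIqOLgn2bk6vA1cNihN/kHZ
+hJ1rXQ7EPX8tOxg0PSWOsVnPE5tAeXOJSVCCMDl/jQKBgQD5e6OR7NkLpkydShxR
+b4tZFGxamxmTiCkUl43O0eZ+PpdbTW0uWGvhQYf8J/gr4hOQwrEgFvhyxt2OngFo
+FljJ5e9O61sofBST4HK9cuSjzuPp6RXvKxzthq0+KsTEcLSmIrEXEb4Bn9Qq5NvF
+DCBX81/rGbWciN2YEFgY2MdfrwKBgQDVwSczconv/kGq1YReWBa2nuM0L4STEFaO
+am7+M0lbV7BXVOaKiAi5FScG3sKs3hK5PegwYojwY5LRj8Y5rzjzF+nsGRb2tsS9
+kw6zVmMFLr4JB1dSO9TlLwfrlqVSVfPEFDyvVZ6OTbTB6GgjzrR8Xx3MzVcaVxkD
+aERc1j2i8wKBgQDt6gxowreRNnvlm6E5v+fhgWp7VWGkobqbWpPvYZgvWD064rF1
++viWDcpCm1M9dhE2gZQsh/tSaXcr5F5vBrCRiWcXmbaK+xkclHSXWhPUax5KGO/D
+7xddJIvdtyeCNgDwVjEPUOoj3mmUpj82wIOvm/Yi25enuZWoyB1bRI+NHQKBgQCE
++LhrL8iRTEkLffHvQrs2ddb/QsQlPFesFpffeIYc1Yr0ePNFoGRUxszVYEQYh7l8
+FP/ZAaMQb9EInnkAr3ks+GZjoiP/7CiticruU0IcGjzLnw56MJA61iwGKVvEwYV4
+J+KsbAXLnplguzP1eoQajo0aN28FCsObtAQ7AGetcwKBgQCRR6LWflnidMwyKPSu
+93LYL2NQvg4yjV9rTH46Ss/SN9ZVVuaLMqWD9V1UR7aB9be8hzKnJcVeaXkgP5qT
+I1H1j8KWxYov3BrQoWSWCoOliCwdAqM+1aU/TnOxgxgtrgJ/Byt0CWvp7TyAKmOf
+LiWSf8rObz09oBtVWRnkz9dAmg==
+-----END PRIVATE KEY-----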
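--- a/tests/hwsim/auth_serv/rsa3072-user-rsa2048.pem
+++ b/tests/hwsim/auth_serv/rsa3072-user-rsa2048.pem
@@ -0,0 +1,95 @@
+Certificate:
+Data:
+Version: 3 (0x2)
+Serial Number: 17810147094499836298 (0xf72a5a6b951e418a)
+Signature Algorithm: sha384WithRSAEncryption
+Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B RSA 3k Root CA
+Validity
+Not Before: Jan 12 19:10:14 2018 GMT
+Not After : Jan 12 19:10:14 2020 GMT
+Subject: C=FI, O=w1.fi, CN=user-rsa3072-rsa2048
+Subject Public Key Info:
+Public Key Algorithm: rsaEncryption
+Public-Key: (2048 bit)
+Modulus:
+00:d0:50:1b:82:b4:40:73:5e:21:13:18:02:1e:e6:
+87:e1:99:b0:f5:fe:84:ae:df:ce:fa:c7:6d:4e:14:
+d5:df:36:22:33:b5:06:a7:65:41:13:0d:a7:52:51:
+55:04:54:9b:a8:80:dc:cc:80:fa:a9:70:ba:78:86:
+3b:c1:c7:52:46:7b:72:4e:39:0f:43:40:f6:b7:34:
+09:37:cf:00:94:56:a5:6b:86:c4:68:7c:47:20:45:
+f0:fc:9e:03:35:42:96:2e:12:88:b7:4b:4b:84:11:
+91:da:f0:16:34:4e:1d:38:84:9e:e2:d5:af:e6:e4:
+96:db:c3:f7:69:f1:50:ac:47:92:1d:c0:f6:f3:8f:
+10:2d:53:a1:61:d8:ac:d5:50:79:fd:c8:d1:c3:83:
+c7:d6:f9:12:cf:08:d0:ff:cf:d2:4e:cf:d1:1b:8e:
+a9:24:f8:80:e5:65:0e:26:ea:f0:71:81:58:a0:60:
+5b:b2:04:bf:41:c3:4b:69:b8:e6:ae:5e:1d:b1:1b:
+3e:1d:91:69:b8:82:32:88:8b:4d:88:ea:47:9c:30:
+10:1b:4c:d1:5f:ed:38:32:d6:80:6d:2b:cf:13:c1:
+f4:d7:8e:e0:30:bf:29:20:3d:d5:7f:14:f0:13:6a:
+f9:50:a2:77:bd:7b:c8:84:d3:3b:8e:89:26:06:7f:
+91:1d
+Exponent: 65537 (0x10001)
+X509v3 extensions:
+X509v3 Basic Constraints:
+CA:FALSE
+X509v3 Subject Key Identifier:
+DB:BE:D5:98:AD:BC:11:FA:AC:C7:EE:5A:B7:F6:82:D2:A6:7B:05:8A
+X509v3 Authority Key Identifier:
+keyid:21:F7:EF:DA:C3:34:3A:ED:CD:D5:50:C0:B3:BA:09:EE:3F:80:D7:70
+
+X509v3 Subject Alternative Name:
+email:user-rsa3072-rsa2048@w1.fi
+X509v3 Extended Key Usage:
+TLS Web Client Authentication
+X509v3 Key Usage:
+Digital Signature, Key Encipherment
+Signature Algorithm: sha384WithRSAEncryption
+ab:f4:bf:67:e3:e9:ef:cd:bd:86:9d:77:6f:75:ac:4d:f0:b6:
+d2:9c:ec:62:87:3a:78:04:57:2e:79:51:61:35:e7:cb:8d:ed:
+42:17:63:02:0e:9f:cf:75:40:ae:c4:7e:8e:62:dc:b7:b2:75:
+e2:b2:eb:3d:5c:f9:1e:0a:81:5b:0b:7b:d0:cf:08:8c:59:bf:
+87:44:a1:e8:2f:a4:09:20:52:44:8a:20:ee:66:4c:2c:ec:0e:
+be:73:a0:5c:02:e3:06:13:a8:60:5d:ef:b9:ff:c2:c4:b2:68:
+8d:ab:ed:99:89:e8:f2:37:21:f5:5c:f7:24:83:c1:e0:52:fb:
+c7:21:47:60:d1:e6:b5:e7:34:a9:cd:d3:48:94:36:b6:03:0d:
+1a:be:82:3e:e2:26:60:f6:fe:fd:77:8d:d2:92:8a:4d:9d:03:
+ba:f1:88:16:16:19:89:fc:dd:75:71:6e:b1:9f:63:5c:79:aa:
+3c:ec:3b:e8:83:5c:5f:fb:db:98:bb:54:9a:de:8d:95:c7:c1:
+71:dc:3b:c5:ed:fe:7e:ec:ab:6e:3f:77:a9:82:4f:28:ff:e3:
+c9:b2:cf:57:b5:b9:5b:4e:f2:09:d8:6a:2f:76:3d:e3:8c:98:
+06:4e:05:6c:c2:c0:4a:0e:2d:bf:35:ec:31:70:ba:11:12:ae:
+03:d9:1f:fe:01:cf:86:4b:0e:87:99:0a:57:11:0c:0e:21:de:
+87:65:87:ea:c5:16:b2:c0:bd:91:52:f4:7b:90:66:0f:7c:93:
+10:f0:8c:40:e6:c7:4f:f5:22:37:6e:db:c3:93:ad:a6:d8:bf:
+e5:45:44:ff:9a:54:50:7e:59:ae:71:25:ae:96:41:da:45:d7:
+f7:80:9a:b5:5e:8a:f0:5f:0c:22:b0:2a:f0:1f:ba:96:3b:7f:
+f6:f0:52:55:cd:5d:94:2f:af:5f:18:49:03:3b:b1:1b:26:68:
+3e:d4:ea:7f:16:c8:73:6e:85:1f:7e:75:fd:98:fa:26:69:78:
+9c:86:c7:45:0d:39
+-----BEGIN CERTIFICATE-----
+MIIEKDCCApCgAwIBAgIJAPcqWmuVHkGKMA0GCSqGSIb3DQEBDAUAMFExCzAJBgNV
+BAYTAkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxHzAdBgNV
+BAMMFlN1aXRlIEIgUlNBIDNrIFJvb3QgQ0EwHhcNMTgwMTEyMTkxMDE0WhcNMjAw
+MTEyMTkxMDE0WjA8MQswCQYDVQQGEwJGSTEOMAwGA1UECgwFdzEuZmkxHTAbBgNV
+BAMMFHVzZXItcnNhMzA3Mi1yc2EyMDQ4MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA0FAbgrRAc14hExgCHuaH4Zmw9f6Ert/O+sdtThTV3zYiM7UGp2VB
+Ew2nUlFVBFSbqIDczID6qXC6eIY7wcdSRntyTjkPQ0D2tzQJN88AlFala4bEaHxH
+IEXw/J4DNUKWLhKIt0tLhBGR2vAWNE4dOISe4tWv5uSW28P3afFQrEeSHcD2848Q
+LVOhYdis1VB5/cjRw4PH1vkSzwjQ/8/STs/RG46pJPiA5WUOJurwcYFYoGBbsgS/
+QcNLabjmrl4dsRs+HZFpuIIyiItNiOpHnDAQG0zRX+04MtaAbSvPE8H0147gML8p
+ID3VfxTwE2r5UKJ3vXvIhNM7jokmBn+RHQIDAQABo4GXMIGUMAkGA1UdEwQCMAAw
+HQYDVR0OBBYEFNu+1ZitvBH6rMfuWrf2gtKmewWKMB8GA1UdIwQYMBaAFCH379rD
+NDrtzdVQwLO6Ce4/gNdwMCUGA1UdEQQeMByBGnVzZXItcnNhMzA3Mi1yc2EyMDQ4
+QHcxLmZpMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIFoDANBgkqhkiG
+9w0BAQwFAAOCAYEAq/S/Z+Pp7829hp13b3WsTfC20pzsYoc6eARXLnlRYTXny43t
+QhdjAg6fz3VArsR+jmLct7J14rLrPVz5HgqBWwt70M8IjFm/h0Sh6C+kCSBSRIog
+7mZMLOwOvnOgXALjBhOoYF3vuf/CxLJojavtmYno8jch9Vz3JIPB4FL7xyFHYNHm
+tec0qc3TSJQ2tgMNGr6CPuImYPb+/XeN0pKKTZ0DuvGIFhYZifzddXFusZ9jXHmq
+POw76INcX/vbmLtUmt6NlcfBcdw7xe3+fuyrbj93qYJPKP/jybLPV7W5W07yCdhq
+L3Y944yYBk4FbMLASg4tvzXsMXC6ERKuA9kf/gHPhksOh5kKVxEMDiHeh2WH6sUW
+ssC9kVL0e5BmD3yTEPCMQObHT/UiN27bw5Otpti/5UVE/5pUUH5ZrnElrpZB2kXX
+94CatV6K8F8MIrAq8B+6ljt/9vBSVc1dlC+vXxhJAzuxGyZoPtTqfxbIc26FH351
+/Zj6Jml4nIbHRQ05
+-----END CERTIFICATE-----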
@ -525,3 +525,62 @@ def test_suite_b_192_rsa_radius(dev, apdev):
|
||||||
if tls_cipher != "ECDHE-RSA-AES256-GCM-SHA384" and \
|
if tls_cipher != "ECDHE-RSA-AES256-GCM-SHA384" and \
|
||||||
tls_cipher != "ECDHE-RSA-AES-256-GCM-AEAD":
|
tls_cipher != "ECDHE-RSA-AES-256-GCM-AEAD":
|
||||||
raise Exception("Unexpected TLS cipher: " + tls_cipher)
|
raise Exception("Unexpected TLS cipher: " + tls_cipher)
|
||||||
|
|
||||||
|
def test_suite_b_192_rsa_ecdhe_radius_rsa2048_client(dev, apdev):
|
||||||
|
"""Suite B 192-bit level and RSA (ECDHE) and RSA2048 client"""
|
||||||
|
run_suite_b_192_rsa_radius_rsa2048_client(dev, apdev, True)
|
||||||
|
|
||||||
|
def test_suite_b_192_rsa_dhe_radius_rsa2048_client(dev, apdev):
|
||||||
|
"""Suite B 192-bit level and RSA (DHE) and RSA2048 client"""
|
||||||
|
run_suite_b_192_rsa_radius_rsa2048_client(dev, apdev, False)
|
||||||
|
|
||||||
|
def run_suite_b_192_rsa_radius_rsa2048_client(dev, apdev, ecdhe):
|
||||||
|
check_suite_b_192_capa(dev)
|
||||||
|
dev[0].flush_scan_cache()
|
||||||
|
params = suite_b_as_params()
|
||||||
|
params['ca_cert'] = 'auth_serv/rsa3072-ca.pem'
|
||||||
|
params['server_cert'] = 'auth_serv/rsa3072-server.pem'
|
||||||
|
params['private_key'] = 'auth_serv/rsa3072-server.key'
|
||||||
|
del params['openssl_ciphers']
|
||||||
|
if ecdhe:
|
||||||
|
params["tls_flags"] = "[SUITEB]"
|
||||||
|
ciphers = "ECDHE-RSA-AES256-GCM-SHA384"
|
||||||
|
else:
|
||||||
|
params["tls_flags"] = "[SUITEB-NO-ECDH]"
|
||||||
|
params["dh_file"] = "auth_serv/dh_param_3072.pem"
|
||||||
|
ciphers = "DHE-RSA-AES256-GCM-SHA384"
|
||||||
|
|
||||||
|
hostapd.add_ap(apdev[1], params)
|
||||||
|
|
||||||
|
params = { "ssid": "test-suite-b",
|
||||||
|
"wpa": "2",
|
||||||
|
"wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
|
||||||
|
"rsn_pairwise": "GCMP-256",
|
||||||
|
"group_mgmt_cipher": "BIP-GMAC-256",
|
||||||
|
"ieee80211w": "2",
|
||||||
|
"ieee8021x": "1",
|
||||||
|
'auth_server_addr': "127.0.0.1",
|
||||||
|
'auth_server_port': "18129",
|
||||||
|
'auth_server_shared_secret': "radius",
|
||||||
|
'nas_identifier': "nas.w1.fi" }
|
||||||
|
hapd = hostapd.add_ap(apdev[0], params)
|
||||||
|
|
||||||
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
|
||||||
|
ieee80211w="2",
|
||||||
|
openssl_ciphers=ciphers,
|
||||||
|
phase1="tls_suiteb=1",
|
||||||
|
eap="TLS", identity="tls user",
|
||||||
|
ca_cert="auth_serv/rsa3072-ca.pem",
|
||||||
|
client_cert="auth_serv/rsa3072-user-rsa2048.pem",
|
||||||
|
private_key="auth_serv/rsa3072-user-rsa2048.key",
|
||||||
|
pairwise="GCMP-256", group="GCMP-256",
|
||||||
|
group_mgmt="BIP-GMAC-256", scan_freq="2412",
|
||||||
|
wait_connect=False)
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("EAP-Failure not reported")
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=5)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("Disconnection not reported")
|
||||||
|
if "reason=23" not in ev:
|
||||||
|
raise Exception("Unexpected disconnection reason: " + ev);
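Review bot: `run_suite_b_192_rsa_radius_rsa2048_client` treats any `CTRL-EVENT-EAP-FAILURE` followed by a `reason=23` disconnection as a pass, so it cannot tell a rejection of the 2048-bit key from an unrelated failure such as an expired fixture (the certificate added in this commit is valid only until Jan 12 2020), a wrong file path or a cipher mismatch. Pinning the cause would keep the test meaningful over time, for instance by also asserting on the TLS alert or the server-side rejection reason if the harness exposes one; the exact event to wait for is not visible in this hunk. The helper has no docstring, and a one-line one such as `"""Expect the RADIUS server to reject a 2048-bit RSA client certificate"""` would state the intent. The trailing `;` after the last `raise Exception(...)` can be dropped.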
|
||||||
|
|