tests: Suite B 192-bit validation with p256 client cert

Verify that unexpected p256 client certificate gets rejected if the server is configured to use Suite B at 192-bit level. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago · 9ec824b9c1
parent 727e9aacbf
commit 9ec824b9c1
4 changed files with 120 additions and 0 deletions
--- a/tests/hwsim/auth_serv/ec2-generate.sh
+++ b/tests/hwsim/auth_serv/ec2-generate.sh
@ -45,9 +45,23 @@ $OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-user.key
 $OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-user.req -out ec2-user.pem -extensions ext_client $DIGEST_CA
 rm ec-ca-openssl.cnf.tmp

+echo
+echo "---[ User p256 ]--------------------------------------------------------"
+echo
+
+cat ec-ca-openssl.cnf |
+	sed "s/#@CN@/commonName_default = user-p256/" |
+	sed "s/#@ALTNAME@/subjectAltName=email:user-p256@w1.fi/" \
+	> ec-ca-openssl.cnf.tmp
+$OPENSSL ecparam -out ec2-user-p256.key -name prime256v1 -genkey
+$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-user-p256.key -out ec2-user-p256.req -outform PEM -extensions ext_client -sha256
+$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-user-p256.req -out ec2-user-p256.pem -extensions ext_client -md sha256
+rm ec-ca-openssl.cnf.tmp
+
 echo
 echo "---[ Verify ]-----------------------------------------------------------"
 echo

 $OPENSSL verify -CAfile ec2-ca.pem ec2-server.pem
 $OPENSSL verify -CAfile ec2-ca.pem ec2-user.pem
+$OPENSSL verify -CAfile ec2-ca.pem ec2-user-p256.pem
--- a/tests/hwsim/auth_serv/ec2-user-p256.key
+++ b/tests/hwsim/auth_serv/ec2-user-p256.key
@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIPrr8f6NDa+p9BbWuyoFWfshi7pBwZVSltEoE3JoKMfEoAoGCCqGSM49
+AwEHoUQDQgAEt4F55Q020CgCdvgNzw3I+K/eZiDJIODExC0Qti5YJWD/Ah5KG3lh
+qmRWRLRLn+giBMgUEJeWDjWcHdzWBYhwEQ==
+-----END EC PRIVATE KEY-----
--- a/tests/hwsim/auth_serv/ec2-user-p256.pem
+++ b/tests/hwsim/auth_serv/ec2-user-p256.pem
@ -0,0 +1,56 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 12897810923590592256 (0xb2fe3ab310c52700)
+    Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B 192-bit Root CA
+        Validity
+            Not Before: Jan 12 18:16:42 2018 GMT
+            Not After : Jan 10 18:16:42 2028 GMT
+        Subject: C=FI, O=w1.fi, CN=user-p256
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub: 
+                    04:b7:81:79:e5:0d:36:d0:28:02:76:f8:0d:cf:0d:
+                    c8:f8:af:de:66:20:c9:20:e0:c4:c4:2d:10:b6:2e:
+                    58:25:60:ff:02:1e:4a:1b:79:61:aa:64:56:44:b4:
+                    4b:9f:e8:22:04:c8:14:10:97:96:0e:35:9c:1d:dc:
+                    d6:05:88:70:11
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                EC:7E:B2:10:44:3E:D2:A1:98:E4:1E:8F:7E:32:49:2E:B2:59:3C:92
+            X509v3 Authority Key Identifier: 
+                keyid:B8:97:C9:BE:63:12:AB:F6:A0:8C:B6:5E:FB:97:6E:10:8E:DC:48:F5
+
+            X509v3 Subject Alternative Name: 
+                email:user-p256@w1.fi
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: ecdsa-with-SHA256
+         30:65:02:31:00:c9:1e:c8:25:d5:69:1c:24:4f:09:b6:45:31:
+         c2:46:a0:44:84:ae:b1:e3:bb:34:19:f6:04:63:61:cf:37:7a:
+         9b:a1:72:99:9d:86:36:26:35:a1:99:0a:3a:7c:06:26:3e:02:
+         30:70:e8:c3:20:0a:c5:4f:f6:95:6c:0a:b1:7a:1b:5d:b0:d2:
+         c6:10:4d:2f:44:31:c7:1a:db:6c:25:07:4b:2d:94:0e:c9:b4:
+         b1:c8:8c:cb:ea:67:8f:37:20:f6:cc:64:fe
+-----BEGIN CERTIFICATE-----
+MIICJzCCAa2gAwIBAgIJALL+OrMQxScAMAoGCCqGSM49BAMCMFIxCzAJBgNVBAYT
+AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
+F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE4MDExMjE4MTY0MloXDTI4MDEx
+MDE4MTY0MlowMTELMAkGA1UEBhMCRkkxDjAMBgNVBAoMBXcxLmZpMRIwEAYDVQQD
+DAl1c2VyLXAyNTYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS3gXnlDTbQKAJ2
+A3PDcj4r95mIMkg4MTELRC2LlglYP8CHkobeWGqZFZEtEuf6CIEyBQQl5YONZwd
+3NYFiHARo4GMMIGJMAkGA1UdEwQCMAAwHQYDVR0OBBYEFOx+shBEPtKhmOQej34y
+SS6yWTySMB8GA1UdIwQYMBaAFLiXyb5jEqv2oIy2XvuXbhCO3Ej1MBoGA1UdEQQT
+MBGBD3VzZXItcDI1NkB3MS5maTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8E
+BAMCBaAwCgYIKoZIzj0EAwIDaAAwZQIxAMkeyCXVaRwkTwm2RTHCRqBEhK6x47s0
+GfYEY2HPN3qboXKZnYY2JjWhmQo6fAYmPgIwcOjDIArFT/aVbAqxehtdsNLGEE0v
+RDHHGttsJQdLLZQOybSxyIzL6mePNyD2zGT+
+-----END CERTIFICATE-----
--- a/tests/hwsim/test_suite_b.py
+++ b/tests/hwsim/test_suite_b.py
@ -235,6 +235,48 @@ def test_suite_b_192_radius(dev, apdev):
                   private_key="auth_serv/ec2-user.key",
                   pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")

+def test_suite_b_192_radius_and_p256_cert(dev, apdev):
+    """Suite B 192-bit level and p256 client cert"""
+    check_suite_b_192_capa(dev)
+    dev[0].flush_scan_cache()
+    params = suite_b_as_params()
+    params['ca_cert'] = 'auth_serv/ec2-ca.pem'
+    params['server_cert'] = 'auth_serv/ec2-server.pem'
+    params['private_key'] = 'auth_serv/ec2-server.key'
+    params['openssl_ciphers'] = 'SUITEB192'
+    hostapd.add_ap(apdev[1], params)
+
+    params = { "ssid": "test-suite-b",
+               "wpa": "2",
+               "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
+               "rsn_pairwise": "GCMP-256",
+               "group_mgmt_cipher": "BIP-GMAC-256",
+               "ieee80211w": "2",
+               "ieee8021x": "1",
+               'auth_server_addr': "127.0.0.1",
+               'auth_server_port': "18129",
+               'auth_server_shared_secret': "radius",
+               'nas_identifier': "nas.w1.fi" }
+    hapd = hostapd.add_ap(apdev[0], params)
+
+    dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
+                   ieee80211w="2",
+                   #openssl_ciphers="SUITEB192",
+                   eap="TLS", identity="tls user",
+                   ca_cert="auth_serv/ec2-ca.pem",
+                   client_cert="auth_serv/ec2-user-p256.pem",
+                   private_key="auth_serv/ec2-user-p256.key",
+                   pairwise="GCMP-256", group="GCMP-256", scan_freq="2412",
+                   wait_connect=False)
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
+    if ev is None:
+        raise Exception("EAP-Failure not reported")
+    ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=5)
+    if ev is None:
+        raise Exception("Disconnection not reported")
+    if "reason=23" not in ev:
+        raise Exception("Unexpected disconnection reason: " + ev);
+
 def test_suite_b_pmkid_failure(dev, apdev):
    """WPA2/GCMP connection at Suite B 128-bit level and PMKID derivation failure"""
    check_suite_b_capa(dev)