From 9ec824b9c176476050881f105967ce95d1e76496 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 12 Jan 2018 20:30:07 +0200
Subject: [PATCH] tests: Suite B 192-bit validation with p256 client cert

Verify that unexpected p256 client certificate gets rejected if the server is configured to use Suite B at 192-bit level.

Signed-off-by: Jouni Malinen
---
 tests/hwsim/auth_serv/ec2-generate.sh | 14 +++++++
 tests/hwsim/auth_serv/ec2-user-p256.key | 8 ++++
 tests/hwsim/auth_serv/ec2-user-p256.pem | 56 +++++++++++++++++++++++++
 tests/hwsim/test_suite_b.py | 42 +++++++++++++++++++
 4 files changed, 120 insertions(+)
 create mode 100644 tests/hwsim/auth_serv/ec2-user-p256.key
 create mode 100644 tests/hwsim/auth_serv/ec2-user-p256.pem
diff --git a/tests/hwsim/auth_serv/ec2-generate.sh b/tests/hwsim/auth_serv/ec2-generate.sh
index 5a8d2d224..b7287a90d 100755
--- a/tests/hwsim/auth_serv/ec2-generate.sh
+++ b/tests/hwsim/auth_serv/ec2-generate.sh
@@ -45,9 +45,23 @@ $OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-user.key
 $OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-user.req -out ec2-user.pem -extensions ext_client $DIGEST_CA
 rm ec-ca-openssl.cnf.tmp
 
+echo
+echo "---[ User p256 ]--------------------------------------------------------"
+echo
+
+cat ec-ca-openssl.cnf |
+ sed "s/#@CN@/commonName_default = user-p256/" |
+ sed "s/#@ALTNAME@/subjectAltName=email:user-p256@w1.fi/" \
+ > ec-ca-openssl.cnf.tmp
+$OPENSSL ecparam -out ec2-user-p256.key -name prime256v1 -genkey
+$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-user-p256.key -out ec2-user-p256.req -outform PEM -extensions ext_client -sha256
+$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-user-p256.req -out ec2-user-p256.pem -extensions ext_client -md sha256
+rm ec-ca-openssl.cnf.tmp
+
 echo
 echo "---[ Verify ]-----------------------------------------------------------"
 echo
 
 $OPENSSL verify -CAfile ec2-ca.pem ec2-server.pem
 $OPENSSL verify -CAfile ec2-ca.pem ec2-user.pem
+$OPENSSL verify -CAfile ec2-ca.pem ec2-user-p256.pem
diff --git a/tests/hwsim/auth_serv/ec2-user-p256.key b/tests/hwsim/auth_serv/ec2-user-p256.key
new file mode 100644
index 000000000..08aae75dd
--- /dev/null
+++ b/tests/hwsim/auth_serv/ec2-user-p256.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIPrr8f6NDa+p9BbWuyoFWfshi7pBwZVSltEoE3JoKMfEoAoGCCqGSM49
+AwEHoUQDQgAEt4F55Q020CgCdvgNzw3I+K/eZiDJIODExC0Qti5YJWD/Ah5KG3lh
+qmRWRLRLn+giBMgUEJeWDjWcHdzWBYhwEQ==
+-----END EC PRIVATE KEY-----
diff --git a/tests/hwsim/auth_serv/ec2-user-p256.pem b/tests/hwsim/auth_serv/ec2-user-p256.pem
new file mode 100644
index 000000000..7deb9c1b1
--- /dev/null
+++ b/tests/hwsim/auth_serv/ec2-user-p256.pem
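Review bot: The new "User p256" block carries no comment saying that this certificate is deliberately weaker than the rest of the ec2 set: it generates a `prime256v1` key and hard-codes `-sha256` / `-md sha256`, whereas the neighbouring `ec2-user` `ca` command takes its digest from `$DIGEST_CA`. A one-line comment above the `cat` would keep someone from later "fixing" it to match, for example `# Intentionally P-256/SHA-256 under the 192-bit CA; used by the negative test in test_suite_b.py`. Because the resulting private key is committed next to the script in this same change, the comment could also state that it is a test-only credential.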
@@ -0,0 +1,56 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 12897810923590592256 (0xb2fe3ab310c52700)
+ Signature Algorithm: ecdsa-with-SHA256
+ Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B 192-bit Root CA
+ Validity
+ Not Before: Jan 12 18:16:42 2018 GMT
+ Not After : Jan 10 18:16:42 2028 GMT
+ Subject: C=FI, O=w1.fi, CN=user-p256
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (256 bit)
+ pub:
+ 04:b7:81:79:e5:0d:36:d0:28:02:76:f8:0d:cf:0d:
+ c8:f8:af:de:66:20:c9:20:e0:c4:c4:2d:10:b6:2e:
+ 58:25:60:ff:02:1e:4a:1b:79:61:aa:64:56:44:b4:
+ 4b:9f:e8:22:04:c8:14:10:97:96:0e:35:9c:1d:dc:
+ d6:05:88:70:11
+ ASN1 OID: prime256v1
+ NIST CURVE: P-256
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ EC:7E:B2:10:44:3E:D2:A1:98:E4:1E:8F:7E:32:49:2E:B2:59:3C:92
+ X509v3 Authority Key Identifier:
+ keyid:B8:97:C9:BE:63:12:AB:F6:A0:8C:B6:5E:FB:97:6E:10:8E:DC:48:F5
+
+ X509v3 Subject Alternative Name:
+ email:user-p256@w1.fi
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication
+ X509v3 Key Usage:
+ Digital Signature, Key Encipherment
+ Signature Algorithm: ecdsa-with-SHA256
+ 30:65:02:31:00:c9:1e:c8:25:d5:69:1c:24:4f:09:b6:45:31:
+ c2:46:a0:44:84:ae:b1:e3:bb:34:19:f6:04:63:61:cf:37:7a:
+ 9b:a1:72:99:9d:86:36:26:35:a1:99:0a:3a:7c:06:26:3e:02:
+ 30:70:e8:c3:20:0a:c5:4f:f6:95:6c:0a:b1:7a:1b:5d:b0:d2:
+ c6:10:4d:2f:44:31:c7:1a:db:6c:25:07:4b:2d:94:0e:c9:b4:
+ b1:c8:8c:cb:ea:67:8f:37:20:f6:cc:64:fe
+-----BEGIN CERTIFICATE-----
+MIICJzCCAa2gAwIBAgIJALL+OrMQxScAMAoGCCqGSM49BAMCMFIxCzAJBgNVBAYT
+AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
+F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE4MDExMjE4MTY0MloXDTI4MDEx
+MDE4MTY0MlowMTELMAkGA1UEBhMCRkkxDjAMBgNVBAoMBXcxLmZpMRIwEAYDVQQD
+DAl1c2VyLXAyNTYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS3gXnlDTbQKAJ2
++A3PDcj4r95mIMkg4MTELRC2LlglYP8CHkobeWGqZFZEtEuf6CIEyBQQl5YONZwd
+3NYFiHARo4GMMIGJMAkGA1UdEwQCMAAwHQYDVR0OBBYEFOx+shBEPtKhmOQej34y
+SS6yWTySMB8GA1UdIwQYMBaAFLiXyb5jEqv2oIy2XvuXbhCO3Ej1MBoGA1UdEQQT
+MBGBD3VzZXItcDI1NkB3MS5maTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8E
+BAMCBaAwCgYIKoZIzj0EAwIDaAAwZQIxAMkeyCXVaRwkTwm2RTHCRqBEhK6x47s0
+GfYEY2HPN3qboXKZnYY2JjWhmQo6fAYmPgIwcOjDIArFT/aVbAqxehtdsNLGEE0v
+RDHHGttsJQdLLZQOybSxyIzL6mePNyD2zGT+
+-----END CERTIFICATE-----
diff --git a/tests/hwsim/test_suite_b.py b/tests/hwsim/test_suite_b.py
index 450a627d0..f2be07d16 100644
--- a/tests/hwsim/test_suite_b.py
+++ b/tests/hwsim/test_suite_b.py
@@ -235,6 +235,48 @@ def test_suite_b_192_radius(dev, apdev):
 private_key="auth_serv/ec2-user.key",
 pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
 
+def test_suite_b_192_radius_and_p256_cert(dev, apdev):
+ """Suite B 192-bit level and p256 client cert"""
+ check_suite_b_192_capa(dev)
+ dev[0].flush_scan_cache()
+ params = suite_b_as_params()
+ params['ca_cert'] = 'auth_serv/ec2-ca.pem'
+ params['server_cert'] = 'auth_serv/ec2-server.pem'
+ params['private_key'] = 'auth_serv/ec2-server.key'
+ params['openssl_ciphers'] = 'SUITEB192'
+ hostapd.add_ap(apdev[1], params)
+
+ params = { "ssid": "test-suite-b",
+ "wpa": "2",
+ "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
+ "rsn_pairwise": "GCMP-256",
+ "group_mgmt_cipher": "BIP-GMAC-256",
+ "ieee80211w": "2",
+ "ieee8021x": "1",
+ 'auth_server_addr': "127.0.0.1",
+ 'auth_server_port': "18129",
+ 'auth_server_shared_secret': "radius",
+ 'nas_identifier': "nas.w1.fi" }
+ hapd = hostapd.add_ap(apdev[0], params)
+
+ dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
+ ieee80211w="2",
+ #openssl_ciphers="SUITEB192",
+ eap="TLS", identity="tls user",
+ ca_cert="auth_serv/ec2-ca.pem",
+ client_cert="auth_serv/ec2-user-p256.pem",
+ private_key="auth_serv/ec2-user-p256.key",
+ pairwise="GCMP-256", group="GCMP-256", scan_freq="2412",
+ wait_connect=False)
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
+ if ev is None:
+ raise Exception("EAP-Failure not reported")
+ ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=5)
+ if ev is None:
+ raise Exception("Disconnection not reported")
+ if "reason=23" not in ev:
+ raise Exception("Unexpected disconnection reason: " + ev);
+
 def test_suite_b_pmkid_failure(dev, apdev):
 """WPA2/GCMP connection at Suite B 128-bit level and PMKID derivation failure"""
 check_suite_b_capa(dev)
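Review bot: The commented-out `#openssl_ciphers="SUITEB192",` inside the `dev[0].connect(...)` call reads like leftover debugging, while leaving the client unrestricted appears to be the point of the test; replace it with an explanatory comment such as `# No openssl_ciphers here: the client must be free to present the P-256 certificate`. The test also passes on any `CTRL-EVENT-EAP-FAILURE` followed by `reason=23`, so a failure unrelated to the certificate's curve (for instance a client-side problem loading the key, which is inferred and not visible here) would look like a successful rejection; asserting on a server-side indication of the cause would make this negative test tighter. The final `raise Exception("Unexpected disconnection reason: " + ev);` carries a stray trailing semicolon.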