tests: Suite B 192-bit validation with p256 client cert

Verify that unexpected p256 client certificate gets rejected if the
server is configured to use Suite B at 192-bit level.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2018-01-12 20:30:07 +02:00
parent 727e9aacbf
commit 9ec824b9c1
4 changed files with 120 additions and 0 deletions

View file

@ -45,9 +45,23 @@ $OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-user.key
$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-user.req -out ec2-user.pem -extensions ext_client $DIGEST_CA $OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-user.req -out ec2-user.pem -extensions ext_client $DIGEST_CA
rm ec-ca-openssl.cnf.tmp rm ec-ca-openssl.cnf.tmp
echo
echo "---[ User p256 ]--------------------------------------------------------"
echo
cat ec-ca-openssl.cnf |
sed "s/#@CN@/commonName_default = user-p256/" |
sed "s/#@ALTNAME@/subjectAltName=email:user-p256@w1.fi/" \
> ec-ca-openssl.cnf.tmp
$OPENSSL ecparam -out ec2-user-p256.key -name prime256v1 -genkey
$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-user-p256.key -out ec2-user-p256.req -outform PEM -extensions ext_client -sha256
$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-user-p256.req -out ec2-user-p256.pem -extensions ext_client -md sha256
rm ec-ca-openssl.cnf.tmp
echo echo
echo "---[ Verify ]-----------------------------------------------------------" echo "---[ Verify ]-----------------------------------------------------------"
echo echo
$OPENSSL verify -CAfile ec2-ca.pem ec2-server.pem $OPENSSL verify -CAfile ec2-ca.pem ec2-server.pem
$OPENSSL verify -CAfile ec2-ca.pem ec2-user.pem $OPENSSL verify -CAfile ec2-ca.pem ec2-user.pem
$OPENSSL verify -CAfile ec2-ca.pem ec2-user-p256.pem

View file

@ -0,0 +1,8 @@
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIPrr8f6NDa+p9BbWuyoFWfshi7pBwZVSltEoE3JoKMfEoAoGCCqGSM49
AwEHoUQDQgAEt4F55Q020CgCdvgNzw3I+K/eZiDJIODExC0Qti5YJWD/Ah5KG3lh
qmRWRLRLn+giBMgUEJeWDjWcHdzWBYhwEQ==
-----END EC PRIVATE KEY-----

View file

@ -0,0 +1,56 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 12897810923590592256 (0xb2fe3ab310c52700)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B 192-bit Root CA
Validity
Not Before: Jan 12 18:16:42 2018 GMT
Not After : Jan 10 18:16:42 2028 GMT
Subject: C=FI, O=w1.fi, CN=user-p256
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:b7:81:79:e5:0d:36:d0:28:02:76:f8:0d:cf:0d:
c8:f8:af:de:66:20:c9:20:e0:c4:c4:2d:10:b6:2e:
58:25:60:ff:02:1e:4a:1b:79:61:aa:64:56:44:b4:
4b:9f:e8:22:04:c8:14:10:97:96:0e:35:9c:1d:dc:
d6:05:88:70:11
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
EC:7E:B2:10:44:3E:D2:A1:98:E4:1E:8F:7E:32:49:2E:B2:59:3C:92
X509v3 Authority Key Identifier:
keyid:B8:97:C9:BE:63:12:AB:F6:A0:8C:B6:5E:FB:97:6E:10:8E:DC:48:F5
X509v3 Subject Alternative Name:
email:user-p256@w1.fi
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
Signature Algorithm: ecdsa-with-SHA256
30:65:02:31:00:c9:1e:c8:25:d5:69:1c:24:4f:09:b6:45:31:
c2:46:a0:44:84:ae:b1:e3:bb:34:19:f6:04:63:61:cf:37:7a:
9b:a1:72:99:9d:86:36:26:35:a1:99:0a:3a:7c:06:26:3e:02:
30:70:e8:c3:20:0a:c5:4f:f6:95:6c:0a:b1:7a:1b:5d:b0:d2:
c6:10:4d:2f:44:31:c7:1a:db:6c:25:07:4b:2d:94:0e:c9:b4:
b1:c8:8c:cb:ea:67:8f:37:20:f6:cc:64:fe
-----BEGIN CERTIFICATE-----
MIICJzCCAa2gAwIBAgIJALL+OrMQxScAMAoGCCqGSM49BAMCMFIxCzAJBgNVBAYT
AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE4MDExMjE4MTY0MloXDTI4MDEx
MDE4MTY0MlowMTELMAkGA1UEBhMCRkkxDjAMBgNVBAoMBXcxLmZpMRIwEAYDVQQD
DAl1c2VyLXAyNTYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS3gXnlDTbQKAJ2
+A3PDcj4r95mIMkg4MTELRC2LlglYP8CHkobeWGqZFZEtEuf6CIEyBQQl5YONZwd
3NYFiHARo4GMMIGJMAkGA1UdEwQCMAAwHQYDVR0OBBYEFOx+shBEPtKhmOQej34y
SS6yWTySMB8GA1UdIwQYMBaAFLiXyb5jEqv2oIy2XvuXbhCO3Ej1MBoGA1UdEQQT
MBGBD3VzZXItcDI1NkB3MS5maTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8E
BAMCBaAwCgYIKoZIzj0EAwIDaAAwZQIxAMkeyCXVaRwkTwm2RTHCRqBEhK6x47s0
GfYEY2HPN3qboXKZnYY2JjWhmQo6fAYmPgIwcOjDIArFT/aVbAqxehtdsNLGEE0v
RDHHGttsJQdLLZQOybSxyIzL6mePNyD2zGT+
-----END CERTIFICATE-----

View file

@ -235,6 +235,48 @@ def test_suite_b_192_radius(dev, apdev):
private_key="auth_serv/ec2-user.key", private_key="auth_serv/ec2-user.key",
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412") pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
def test_suite_b_192_radius_and_p256_cert(dev, apdev):
"""Suite B 192-bit level and p256 client cert"""
check_suite_b_192_capa(dev)
dev[0].flush_scan_cache()
params = suite_b_as_params()
params['ca_cert'] = 'auth_serv/ec2-ca.pem'
params['server_cert'] = 'auth_serv/ec2-server.pem'
params['private_key'] = 'auth_serv/ec2-server.key'
params['openssl_ciphers'] = 'SUITEB192'
hostapd.add_ap(apdev[1], params)
params = { "ssid": "test-suite-b",
"wpa": "2",
"wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
"rsn_pairwise": "GCMP-256",
"group_mgmt_cipher": "BIP-GMAC-256",
"ieee80211w": "2",
"ieee8021x": "1",
'auth_server_addr': "127.0.0.1",
'auth_server_port': "18129",
'auth_server_shared_secret': "radius",
'nas_identifier': "nas.w1.fi" }
hapd = hostapd.add_ap(apdev[0], params)
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
ieee80211w="2",
#openssl_ciphers="SUITEB192",
eap="TLS", identity="tls user",
ca_cert="auth_serv/ec2-ca.pem",
client_cert="auth_serv/ec2-user-p256.pem",
private_key="auth_serv/ec2-user-p256.key",
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412",
wait_connect=False)
ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
if ev is None:
raise Exception("EAP-Failure not reported")
ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=5)
if ev is None:
raise Exception("Disconnection not reported")
if "reason=23" not in ev:
raise Exception("Unexpected disconnection reason: " + ev);
def test_suite_b_pmkid_failure(dev, apdev): def test_suite_b_pmkid_failure(dev, apdev):
"""WPA2/GCMP connection at Suite B 128-bit level and PMKID derivation failure""" """WPA2/GCMP connection at Suite B 128-bit level and PMKID derivation failure"""
check_suite_b_capa(dev) check_suite_b_capa(dev)