tests: Suite B 192-bit validation with p256 client cert
Verify that unexpected p256 client certificate gets rejected if the server is configured to use Suite B at 192-bit level. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
parent
727e9aacbf
commit
9ec824b9c1
4 changed files with 120 additions and 0 deletions
|
@ -45,9 +45,23 @@ $OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-user.key
|
||||||
$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-user.req -out ec2-user.pem -extensions ext_client $DIGEST_CA
|
$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-user.req -out ec2-user.pem -extensions ext_client $DIGEST_CA
|
||||||
rm ec-ca-openssl.cnf.tmp
|
rm ec-ca-openssl.cnf.tmp
|
||||||
|
|
||||||
|
echo
|
||||||
|
echo "---[ User p256 ]--------------------------------------------------------"
|
||||||
|
echo
|
||||||
|
|
||||||
|
cat ec-ca-openssl.cnf |
|
||||||
|
sed "s/#@CN@/commonName_default = user-p256/" |
|
||||||
|
sed "s/#@ALTNAME@/subjectAltName=email:user-p256@w1.fi/" \
|
||||||
|
> ec-ca-openssl.cnf.tmp
|
||||||
|
$OPENSSL ecparam -out ec2-user-p256.key -name prime256v1 -genkey
|
||||||
|
$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-user-p256.key -out ec2-user-p256.req -outform PEM -extensions ext_client -sha256
|
||||||
|
$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-user-p256.req -out ec2-user-p256.pem -extensions ext_client -md sha256
|
||||||
|
rm ec-ca-openssl.cnf.tmp
|
||||||
|
|
||||||
echo
|
echo
|
||||||
echo "---[ Verify ]-----------------------------------------------------------"
|
echo "---[ Verify ]-----------------------------------------------------------"
|
||||||
echo
|
echo
|
||||||
|
|
||||||
$OPENSSL verify -CAfile ec2-ca.pem ec2-server.pem
|
$OPENSSL verify -CAfile ec2-ca.pem ec2-server.pem
|
||||||
$OPENSSL verify -CAfile ec2-ca.pem ec2-user.pem
|
$OPENSSL verify -CAfile ec2-ca.pem ec2-user.pem
|
||||||
|
$OPENSSL verify -CAfile ec2-ca.pem ec2-user-p256.pem
|
||||||
|
|
8
tests/hwsim/auth_serv/ec2-user-p256.key
Normal file
8
tests/hwsim/auth_serv/ec2-user-p256.key
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
-----BEGIN EC PARAMETERS-----
|
||||||
|
BggqhkjOPQMBBw==
|
||||||
|
-----END EC PARAMETERS-----
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
MHcCAQEEIPrr8f6NDa+p9BbWuyoFWfshi7pBwZVSltEoE3JoKMfEoAoGCCqGSM49
|
||||||
|
AwEHoUQDQgAEt4F55Q020CgCdvgNzw3I+K/eZiDJIODExC0Qti5YJWD/Ah5KG3lh
|
||||||
|
qmRWRLRLn+giBMgUEJeWDjWcHdzWBYhwEQ==
|
||||||
|
-----END EC PRIVATE KEY-----
|
56
tests/hwsim/auth_serv/ec2-user-p256.pem
Normal file
56
tests/hwsim/auth_serv/ec2-user-p256.pem
Normal file
|
@ -0,0 +1,56 @@
|
||||||
|
Certificate:
|
||||||
|
Data:
|
||||||
|
Version: 3 (0x2)
|
||||||
|
Serial Number: 12897810923590592256 (0xb2fe3ab310c52700)
|
||||||
|
Signature Algorithm: ecdsa-with-SHA256
|
||||||
|
Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B 192-bit Root CA
|
||||||
|
Validity
|
||||||
|
Not Before: Jan 12 18:16:42 2018 GMT
|
||||||
|
Not After : Jan 10 18:16:42 2028 GMT
|
||||||
|
Subject: C=FI, O=w1.fi, CN=user-p256
|
||||||
|
Subject Public Key Info:
|
||||||
|
Public Key Algorithm: id-ecPublicKey
|
||||||
|
Public-Key: (256 bit)
|
||||||
|
pub:
|
||||||
|
04:b7:81:79:e5:0d:36:d0:28:02:76:f8:0d:cf:0d:
|
||||||
|
c8:f8:af:de:66:20:c9:20:e0:c4:c4:2d:10:b6:2e:
|
||||||
|
58:25:60:ff:02:1e:4a:1b:79:61:aa:64:56:44:b4:
|
||||||
|
4b:9f:e8:22:04:c8:14:10:97:96:0e:35:9c:1d:dc:
|
||||||
|
d6:05:88:70:11
|
||||||
|
ASN1 OID: prime256v1
|
||||||
|
NIST CURVE: P-256
|
||||||
|
X509v3 extensions:
|
||||||
|
X509v3 Basic Constraints:
|
||||||
|
CA:FALSE
|
||||||
|
X509v3 Subject Key Identifier:
|
||||||
|
EC:7E:B2:10:44:3E:D2:A1:98:E4:1E:8F:7E:32:49:2E:B2:59:3C:92
|
||||||
|
X509v3 Authority Key Identifier:
|
||||||
|
keyid:B8:97:C9:BE:63:12:AB:F6:A0:8C:B6:5E:FB:97:6E:10:8E:DC:48:F5
|
||||||
|
|
||||||
|
X509v3 Subject Alternative Name:
|
||||||
|
email:user-p256@w1.fi
|
||||||
|
X509v3 Extended Key Usage:
|
||||||
|
TLS Web Client Authentication
|
||||||
|
X509v3 Key Usage:
|
||||||
|
Digital Signature, Key Encipherment
|
||||||
|
Signature Algorithm: ecdsa-with-SHA256
|
||||||
|
30:65:02:31:00:c9:1e:c8:25:d5:69:1c:24:4f:09:b6:45:31:
|
||||||
|
c2:46:a0:44:84:ae:b1:e3:bb:34:19:f6:04:63:61:cf:37:7a:
|
||||||
|
9b:a1:72:99:9d:86:36:26:35:a1:99:0a:3a:7c:06:26:3e:02:
|
||||||
|
30:70:e8:c3:20:0a:c5:4f:f6:95:6c:0a:b1:7a:1b:5d:b0:d2:
|
||||||
|
c6:10:4d:2f:44:31:c7:1a:db:6c:25:07:4b:2d:94:0e:c9:b4:
|
||||||
|
b1:c8:8c:cb:ea:67:8f:37:20:f6:cc:64:fe
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICJzCCAa2gAwIBAgIJALL+OrMQxScAMAoGCCqGSM49BAMCMFIxCzAJBgNVBAYT
|
||||||
|
AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
|
||||||
|
F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE4MDExMjE4MTY0MloXDTI4MDEx
|
||||||
|
MDE4MTY0MlowMTELMAkGA1UEBhMCRkkxDjAMBgNVBAoMBXcxLmZpMRIwEAYDVQQD
|
||||||
|
DAl1c2VyLXAyNTYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS3gXnlDTbQKAJ2
|
||||||
|
+A3PDcj4r95mIMkg4MTELRC2LlglYP8CHkobeWGqZFZEtEuf6CIEyBQQl5YONZwd
|
||||||
|
3NYFiHARo4GMMIGJMAkGA1UdEwQCMAAwHQYDVR0OBBYEFOx+shBEPtKhmOQej34y
|
||||||
|
SS6yWTySMB8GA1UdIwQYMBaAFLiXyb5jEqv2oIy2XvuXbhCO3Ej1MBoGA1UdEQQT
|
||||||
|
MBGBD3VzZXItcDI1NkB3MS5maTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8E
|
||||||
|
BAMCBaAwCgYIKoZIzj0EAwIDaAAwZQIxAMkeyCXVaRwkTwm2RTHCRqBEhK6x47s0
|
||||||
|
GfYEY2HPN3qboXKZnYY2JjWhmQo6fAYmPgIwcOjDIArFT/aVbAqxehtdsNLGEE0v
|
||||||
|
RDHHGttsJQdLLZQOybSxyIzL6mePNyD2zGT+
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -235,6 +235,48 @@ def test_suite_b_192_radius(dev, apdev):
|
||||||
private_key="auth_serv/ec2-user.key",
|
private_key="auth_serv/ec2-user.key",
|
||||||
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
|
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
|
||||||
|
|
||||||
|
def test_suite_b_192_radius_and_p256_cert(dev, apdev):
|
||||||
|
"""Suite B 192-bit level and p256 client cert"""
|
||||||
|
check_suite_b_192_capa(dev)
|
||||||
|
dev[0].flush_scan_cache()
|
||||||
|
params = suite_b_as_params()
|
||||||
|
params['ca_cert'] = 'auth_serv/ec2-ca.pem'
|
||||||
|
params['server_cert'] = 'auth_serv/ec2-server.pem'
|
||||||
|
params['private_key'] = 'auth_serv/ec2-server.key'
|
||||||
|
params['openssl_ciphers'] = 'SUITEB192'
|
||||||
|
hostapd.add_ap(apdev[1], params)
|
||||||
|
|
||||||
|
params = { "ssid": "test-suite-b",
|
||||||
|
"wpa": "2",
|
||||||
|
"wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
|
||||||
|
"rsn_pairwise": "GCMP-256",
|
||||||
|
"group_mgmt_cipher": "BIP-GMAC-256",
|
||||||
|
"ieee80211w": "2",
|
||||||
|
"ieee8021x": "1",
|
||||||
|
'auth_server_addr': "127.0.0.1",
|
||||||
|
'auth_server_port': "18129",
|
||||||
|
'auth_server_shared_secret': "radius",
|
||||||
|
'nas_identifier': "nas.w1.fi" }
|
||||||
|
hapd = hostapd.add_ap(apdev[0], params)
|
||||||
|
|
||||||
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
|
||||||
|
ieee80211w="2",
|
||||||
|
#openssl_ciphers="SUITEB192",
|
||||||
|
eap="TLS", identity="tls user",
|
||||||
|
ca_cert="auth_serv/ec2-ca.pem",
|
||||||
|
client_cert="auth_serv/ec2-user-p256.pem",
|
||||||
|
private_key="auth_serv/ec2-user-p256.key",
|
||||||
|
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412",
|
||||||
|
wait_connect=False)
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("EAP-Failure not reported")
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=5)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("Disconnection not reported")
|
||||||
|
if "reason=23" not in ev:
|
||||||
|
raise Exception("Unexpected disconnection reason: " + ev);
|
||||||
|
|
||||||
def test_suite_b_pmkid_failure(dev, apdev):
|
def test_suite_b_pmkid_failure(dev, apdev):
|
||||||
"""WPA2/GCMP connection at Suite B 128-bit level and PMKID derivation failure"""
|
"""WPA2/GCMP connection at Suite B 128-bit level and PMKID derivation failure"""
|
||||||
check_suite_b_capa(dev)
|
check_suite_b_capa(dev)
|
||||||
|
|
Loading…
Reference in a new issue