tests: GnuTLS configuration of intermediate CA certificate

GnuTLS seems to require the intermediate CA certificate to be included
both in the ca_cert and client_cert file for the cases of server and
client certificates using different intermediate CA certificates. Use
the user_and_ica.pem file with GnuTLS builds and reorder the
certificates in that file to make this work with GnuTLS.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2017-12-29 12:01:22 +02:00
parent 9acd0bebab
commit b4635f0a61
3 changed files with 116 additions and 81 deletions

View file

@ -1,73 +1,3 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15624081837803162868 (0xd8d3e3a6cbe3ccf4)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=FI, O=w1.fi, CN=Root CA
Validity
Not Before: Dec 23 19:37:36 2015 GMT
Not After : Dec 22 19:37:36 2025 GMT
Subject: C=FI, O=w1.fi, CN=User Intermediate CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c3:2a:0d:f4:66:23:5d:96:91:f7:a0:be:b1:b0:
f7:9e:ae:ea:a6:72:91:f5:70:65:57:91:49:55:59:
67:bb:d7:f5:9e:bc:66:b2:bf:cf:95:31:32:ae:db:
9a:3b:43:e8:a5:8d:1f:8b:3b:e6:e8:e3:3b:b2:9d:
f0:58:62:ea:a3:8a:6f:c8:ed:01:ca:27:74:1c:0e:
9e:28:5c:43:98:db:14:b8:72:07:9f:6b:27:28:25:
ce:a5:91:b7:b7:23:9a:35:ef:0e:b7:fc:9f:69:4d:
10:2e:81:ab:9d:04:ba:2f:b4:eb:61:7d:fd:68:a1:
11:6f:f4:16:42:16:99:20:38:24:04:2d:39:7c:74:
67:14:b9:aa:26:7a:b2:d9:1e:ce:cd:8b:bc:8d:e3:
c7:58:9c:4a:f9:3a:7e:6c:38:f8:5f:1c:ec:05:4c:
e5:56:64:d4:08:d8:fa:db:17:d9:a1:e4:cf:b4:9d:
df:99:50:ce:fa:a4:af:af:c6:f7:f2:0e:c2:c5:7b:
6c:f9:6c:eb:17:e5:c8:6e:5a:bf:eb:a6:b8:c0:f7:
43:81:88:c3:d8:aa:a9:60:ac:a7:45:3f:5d:cb:8d:
6c:48:92:2b:04:5a:c4:a8:32:b3:e9:6f:fe:8d:2d:
65:c0:ea:c5:09:b2:30:b1:a3:2e:db:22:8a:49:b1:
fe:4f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
AC:C4:F6:07:9E:B2:E5:F1:66:7C:40:05:08:AA:DC:EF:8A:60:DA:C1
X509v3 Authority Key Identifier:
keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
0d:60:2b:fa:00:f2:5a:90:31:96:50:c8:9e:7f:60:02:99:c6:
31:d4:93:86:9e:4c:24:15:b6:b2:31:49:21:79:ce:7f:92:86:
1e:83:d8:a0:37:05:1b:89:2b:ef:0b:83:21:b0:37:8d:2f:7b:
6b:7d:c6:04:1e:a2:c8:59:be:52:bf:47:ee:46:cb:45:8d:1f:
7a:e4:d4:e5:54:60:5f:46:b0:ac:68:8a:26:57:ea:48:45:c1:
07:7d:ee:10:9e:94:87:4c:7e:26:2e:f8:ad:03:e5:03:86:09:
3e:48:0c:e0:04:2f:22:b4:e0:3a:b0:72:8c:e2:40:d2:cd:fb:
8f:fa
-----BEGIN CERTIFICATE-----
MIIC0zCCAjygAwIBAgIJANjT46bL48z0MA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNV
BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNTEy
MjMxOTM3MzZaFw0yNTEyMjIxOTM3MzZaMDwxCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
DAV3MS5maTEdMBsGA1UEAwwUVXNlciBJbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDKg30ZiNdlpH3oL6xsPeeruqmcpH1cGVX
kUlVWWe71/WevGayv8+VMTKu25o7Q+iljR+LO+bo4zuynfBYYuqjim/I7QHKJ3Qc
Dp4oXEOY2xS4cgefaycoJc6lkbe3I5o17w63/J9pTRAugaudBLovtOthff1ooRFv
9BZCFpkgOCQELTl8dGcUuaomerLZHs7Ni7yN48dYnEr5On5sOPhfHOwFTOVWZNQI
2PrbF9mh5M+0nd+ZUM76pK+vxvfyDsLFe2z5bOsX5chuWr/rprjA90OBiMPYqqlg
rKdFP13LjWxIkisEWsSoMrPpb/6NLWXA6sUJsjCxoy7bIopJsf5PAgMBAAGjZjBk
MB0GA1UdDgQWBBSsxPYHnrLl8WZ8QAUIqtzvimDawTAfBgNVHSMEGDAWgBS4kt79
ihizMMOfVfMzXbTIKYpBFDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE
AwIBBjANBgkqhkiG9w0BAQsFAAOBgQANYCv6APJakDGWUMief2ACmcYx1JOGnkwk
FbayMUkhec5/koYeg9igNwUbiSvvC4MhsDeNL3trfcYEHqLIWb5Sv0fuRstFjR96
5NTlVGBfRrCsaIomV+pIRcEHfe4QnpSHTH4mLvitA+UDhgk+SAzgBC8itOA6sHKM
4kDSzfuP+g==
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
@ -152,3 +82,73 @@ sjY4CLHfB/p6U7hg22NLT+YqQv8paLWZOjbrJgV20qvm0HyvjKAgi1BsO7waU22n
yHCXIVYCJASbYypduIzkv+mPWM1umUc8AntjZ8HHMlPM1cvpoDnv+ES381cMtacj
PxYoxgIUtoDYM0IMgVysPxPQW0pmnzPurFb+NxcrA0A=
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15624081837803162868 (0xd8d3e3a6cbe3ccf4)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=FI, O=w1.fi, CN=Root CA
Validity
Not Before: Dec 23 19:37:36 2015 GMT
Not After : Dec 22 19:37:36 2025 GMT
Subject: C=FI, O=w1.fi, CN=User Intermediate CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c3:2a:0d:f4:66:23:5d:96:91:f7:a0:be:b1:b0:
f7:9e:ae:ea:a6:72:91:f5:70:65:57:91:49:55:59:
67:bb:d7:f5:9e:bc:66:b2:bf:cf:95:31:32:ae:db:
9a:3b:43:e8:a5:8d:1f:8b:3b:e6:e8:e3:3b:b2:9d:
f0:58:62:ea:a3:8a:6f:c8:ed:01:ca:27:74:1c:0e:
9e:28:5c:43:98:db:14:b8:72:07:9f:6b:27:28:25:
ce:a5:91:b7:b7:23:9a:35:ef:0e:b7:fc:9f:69:4d:
10:2e:81:ab:9d:04:ba:2f:b4:eb:61:7d:fd:68:a1:
11:6f:f4:16:42:16:99:20:38:24:04:2d:39:7c:74:
67:14:b9:aa:26:7a:b2:d9:1e:ce:cd:8b:bc:8d:e3:
c7:58:9c:4a:f9:3a:7e:6c:38:f8:5f:1c:ec:05:4c:
e5:56:64:d4:08:d8:fa:db:17:d9:a1:e4:cf:b4:9d:
df:99:50:ce:fa:a4:af:af:c6:f7:f2:0e:c2:c5:7b:
6c:f9:6c:eb:17:e5:c8:6e:5a:bf:eb:a6:b8:c0:f7:
43:81:88:c3:d8:aa:a9:60:ac:a7:45:3f:5d:cb:8d:
6c:48:92:2b:04:5a:c4:a8:32:b3:e9:6f:fe:8d:2d:
65:c0:ea:c5:09:b2:30:b1:a3:2e:db:22:8a:49:b1:
fe:4f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
AC:C4:F6:07:9E:B2:E5:F1:66:7C:40:05:08:AA:DC:EF:8A:60:DA:C1
X509v3 Authority Key Identifier:
keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
0d:60:2b:fa:00:f2:5a:90:31:96:50:c8:9e:7f:60:02:99:c6:
31:d4:93:86:9e:4c:24:15:b6:b2:31:49:21:79:ce:7f:92:86:
1e:83:d8:a0:37:05:1b:89:2b:ef:0b:83:21:b0:37:8d:2f:7b:
6b:7d:c6:04:1e:a2:c8:59:be:52:bf:47:ee:46:cb:45:8d:1f:
7a:e4:d4:e5:54:60:5f:46:b0:ac:68:8a:26:57:ea:48:45:c1:
07:7d:ee:10:9e:94:87:4c:7e:26:2e:f8:ad:03:e5:03:86:09:
3e:48:0c:e0:04:2f:22:b4:e0:3a:b0:72:8c:e2:40:d2:cd:fb:
8f:fa
-----BEGIN CERTIFICATE-----
MIIC0zCCAjygAwIBAgIJANjT46bL48z0MA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNV
BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNTEy
MjMxOTM3MzZaFw0yNTEyMjIxOTM3MzZaMDwxCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
DAV3MS5maTEdMBsGA1UEAwwUVXNlciBJbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDKg30ZiNdlpH3oL6xsPeeruqmcpH1cGVX
kUlVWWe71/WevGayv8+VMTKu25o7Q+iljR+LO+bo4zuynfBYYuqjim/I7QHKJ3Qc
Dp4oXEOY2xS4cgefaycoJc6lkbe3I5o17w63/J9pTRAugaudBLovtOthff1ooRFv
9BZCFpkgOCQELTl8dGcUuaomerLZHs7Ni7yN48dYnEr5On5sOPhfHOwFTOVWZNQI
2PrbF9mh5M+0nd+ZUM76pK+vxvfyDsLFe2z5bOsX5chuWr/rprjA90OBiMPYqqlg
rKdFP13LjWxIkisEWsSoMrPpb/6NLWXA6sUJsjCxoy7bIopJsf5PAgMBAAGjZjBk
MB0GA1UdDgQWBBSsxPYHnrLl8WZ8QAUIqtzvimDawTAfBgNVHSMEGDAWgBS4kt79
ihizMMOfVfMzXbTIKYpBFDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE
AwIBBjANBgkqhkiG9w0BAQsFAAOBgQANYCv6APJakDGWUMief2ACmcYx1JOGnkwk
FbayMUkhec5/koYeg9igNwUbiSvvC4MhsDeNL3trfcYEHqLIWb5Sv0fuRstFjR96
5NTlVGBfRrCsaIomV+pIRcEHfe4QnpSHTH4mLvitA+UDhgk+SAzgBC8itOA6sHKM
4kDSzfuP+g==
-----END CERTIFICATE-----

View file

@ -72,7 +72,7 @@ cat ec-ca-openssl.cnf |
> openssl.cnf.tmp
$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-user/user.key -out iCA-user/user.req -outform PEM -sha256
$OPENSSL ca -config openssl.cnf.tmp -batch -keyfile iCA-user/private/cakey.pem -cert iCA-user/cacert.pem -create_serial -in iCA-user/user.req -out iCA-user/user.pem -extensions ext_client -md sha256
cat iCA-user/cacert.pem iCA-user/user.pem > iCA-user/user_and_ica.pem
cat iCA-user/user.pem iCA-user/cacert.pem > iCA-user/user_and_ica.pem
rm openssl.cnf.tmp
echo

View file

@ -4100,10 +4100,17 @@ def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params):
params["server_cert"] = "auth_serv/iCA-server/server.pem"
params["private_key"] = "auth_serv/iCA-server/server.key"
hostapd.add_ap(apdev[0], params)
tls = dev[0].request("GET tls_library")
if "GnuTLS" in tls:
ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
client_cert = "auth_serv/iCA-user/user_and_ica.pem"
else:
ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
client_cert = "auth_serv/iCA-user/user.pem"
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
identity="tls user",
ca_cert="auth_serv/iCA-user/ca-and-root.pem",
client_cert="auth_serv/iCA-user/user.pem",
ca_cert=ca_cert,
client_cert=client_cert,
private_key="auth_serv/iCA-user/user.key",
scan_freq="2412")
@ -4201,10 +4208,17 @@ def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md):
params["ocsp_stapling_response"] = fn
try:
hostapd.add_ap(apdev[0], params)
tls = dev[0].request("GET tls_library")
if "GnuTLS" in tls:
ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
client_cert = "auth_serv/iCA-user/user_and_ica.pem"
else:
ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
client_cert = "auth_serv/iCA-user/user.pem"
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
identity="tls user",
ca_cert="auth_serv/iCA-user/ca-and-root.pem",
client_cert="auth_serv/iCA-user/user.pem",
ca_cert=ca_cert,
client_cert=client_cert,
private_key="auth_serv/iCA-user/user.key",
scan_freq="2412", ocsp=2)
finally:
@ -4229,10 +4243,17 @@ def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params, md):
params["ocsp_stapling_response"] = fn
try:
hostapd.add_ap(apdev[0], params)
tls = dev[0].request("GET tls_library")
if "GnuTLS" in tls:
ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
client_cert = "auth_serv/iCA-user/user_and_ica.pem"
else:
ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
client_cert = "auth_serv/iCA-user/user.pem"
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
identity="tls user",
ca_cert="auth_serv/iCA-user/ca-and-root.pem",
client_cert="auth_serv/iCA-user/user.pem",
ca_cert=ca_cert,
client_cert=client_cert,
private_key="auth_serv/iCA-user/user.key",
scan_freq="2412", ocsp=1, wait_connect=False)
count = 0
@ -4272,10 +4293,17 @@ def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev, apdev, par
params["ocsp_stapling_response"] = fn
try:
hostapd.add_ap(apdev[0], params)
tls = dev[0].request("GET tls_library")
if "GnuTLS" in tls:
ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
client_cert = "auth_serv/iCA-user/user_and_ica.pem"
else:
ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
client_cert = "auth_serv/iCA-user/user.pem"
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
identity="tls user",
ca_cert="auth_serv/iCA-user/ca-and-root.pem",
client_cert="auth_serv/iCA-user/user.pem",
ca_cert=ca_cert,
client_cert=client_cert,
private_key="auth_serv/iCA-user/user.key",
scan_freq="2412", ocsp=3, wait_connect=False)
count = 0
@ -4332,10 +4360,17 @@ def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev, apdev, params):
params["ocsp_stapling_response_multi"] = fn3
hostapd.add_ap(apdev[0], params)
tls = dev[0].request("GET tls_library")
if "GnuTLS" in tls:
ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
client_cert = "auth_serv/iCA-user/user_and_ica.pem"
else:
ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
client_cert = "auth_serv/iCA-user/user.pem"
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
identity="tls user",
ca_cert="auth_serv/iCA-user/ca-and-root.pem",
client_cert="auth_serv/iCA-user/user.pem",
ca_cert=ca_cert,
client_cert=client_cert,
private_key="auth_serv/iCA-user/user.key",
scan_freq="2412", ocsp=3)
dev[0].request("REMOVE_NETWORK all")