From b4635f0a61d669b4919fea14bb5efd79dc4dd732 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Fri, 29 Dec 2017 12:01:22 +0200 Subject: [PATCH] tests: GnuTLS configuration of intermediate CA certificate GnuTLS seems to require the intermediate CA certificate to be included both in the ca_cert and client_cert file for the cases of server and client certificates using different intermediate CA certificates. Use the user_and_ica.pem file with GnuTLS builds and reorder the certificates in that file to make this work with GnuTLS. Signed-off-by: Jouni Malinen --- .../hwsim/auth_serv/iCA-user/user_and_ica.pem | 140 +++++++++--------- tests/hwsim/auth_serv/ica-generate.sh | 2 +- tests/hwsim/test_ap_eap.py | 55 +++++-- 3 files changed, 116 insertions(+), 81 deletions(-) diff --git a/tests/hwsim/auth_serv/iCA-user/user_and_ica.pem b/tests/hwsim/auth_serv/iCA-user/user_and_ica.pem index 5de2e9d29..0a5c955b9 100644 --- a/tests/hwsim/auth_serv/iCA-user/user_and_ica.pem +++ b/tests/hwsim/auth_serv/iCA-user/user_and_ica.pem @@ -1,73 +1,3 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 15624081837803162868 (0xd8d3e3a6cbe3ccf4) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=FI, O=w1.fi, CN=Root CA - Validity - Not Before: Dec 23 19:37:36 2015 GMT - Not After : Dec 22 19:37:36 2025 GMT - Subject: C=FI, O=w1.fi, CN=User Intermediate CA - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:c3:2a:0d:f4:66:23:5d:96:91:f7:a0:be:b1:b0: - f7:9e:ae:ea:a6:72:91:f5:70:65:57:91:49:55:59: - 67:bb:d7:f5:9e:bc:66:b2:bf:cf:95:31:32:ae:db: - 9a:3b:43:e8:a5:8d:1f:8b:3b:e6:e8:e3:3b:b2:9d: - f0:58:62:ea:a3:8a:6f:c8:ed:01:ca:27:74:1c:0e: - 9e:28:5c:43:98:db:14:b8:72:07:9f:6b:27:28:25: - ce:a5:91:b7:b7:23:9a:35:ef:0e:b7:fc:9f:69:4d: - 10:2e:81:ab:9d:04:ba:2f:b4:eb:61:7d:fd:68:a1: - 11:6f:f4:16:42:16:99:20:38:24:04:2d:39:7c:74: - 67:14:b9:aa:26:7a:b2:d9:1e:ce:cd:8b:bc:8d:e3: - c7:58:9c:4a:f9:3a:7e:6c:38:f8:5f:1c:ec:05:4c: - e5:56:64:d4:08:d8:fa:db:17:d9:a1:e4:cf:b4:9d: - df:99:50:ce:fa:a4:af:af:c6:f7:f2:0e:c2:c5:7b: - 6c:f9:6c:eb:17:e5:c8:6e:5a:bf:eb:a6:b8:c0:f7: - 43:81:88:c3:d8:aa:a9:60:ac:a7:45:3f:5d:cb:8d: - 6c:48:92:2b:04:5a:c4:a8:32:b3:e9:6f:fe:8d:2d: - 65:c0:ea:c5:09:b2:30:b1:a3:2e:db:22:8a:49:b1: - fe:4f - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - AC:C4:F6:07:9E:B2:E5:F1:66:7C:40:05:08:AA:DC:EF:8A:60:DA:C1 - X509v3 Authority Key Identifier: - keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14 - - X509v3 Basic Constraints: critical - CA:TRUE, pathlen:0 - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - Signature Algorithm: sha256WithRSAEncryption - 0d:60:2b:fa:00:f2:5a:90:31:96:50:c8:9e:7f:60:02:99:c6: - 31:d4:93:86:9e:4c:24:15:b6:b2:31:49:21:79:ce:7f:92:86: - 1e:83:d8:a0:37:05:1b:89:2b:ef:0b:83:21:b0:37:8d:2f:7b: - 6b:7d:c6:04:1e:a2:c8:59:be:52:bf:47:ee:46:cb:45:8d:1f: - 7a:e4:d4:e5:54:60:5f:46:b0:ac:68:8a:26:57:ea:48:45:c1: - 07:7d:ee:10:9e:94:87:4c:7e:26:2e:f8:ad:03:e5:03:86:09: - 3e:48:0c:e0:04:2f:22:b4:e0:3a:b0:72:8c:e2:40:d2:cd:fb: - 8f:fa ------BEGIN CERTIFICATE----- -MIIC0zCCAjygAwIBAgIJANjT46bL48z0MA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNV -BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNTEy -MjMxOTM3MzZaFw0yNTEyMjIxOTM3MzZaMDwxCzAJBgNVBAYTAkZJMQ4wDAYDVQQK -DAV3MS5maTEdMBsGA1UEAwwUVXNlciBJbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDKg30ZiNdlpH3oL6xsPeeruqmcpH1cGVX -kUlVWWe71/WevGayv8+VMTKu25o7Q+iljR+LO+bo4zuynfBYYuqjim/I7QHKJ3Qc -Dp4oXEOY2xS4cgefaycoJc6lkbe3I5o17w63/J9pTRAugaudBLovtOthff1ooRFv -9BZCFpkgOCQELTl8dGcUuaomerLZHs7Ni7yN48dYnEr5On5sOPhfHOwFTOVWZNQI -2PrbF9mh5M+0nd+ZUM76pK+vxvfyDsLFe2z5bOsX5chuWr/rprjA90OBiMPYqqlg -rKdFP13LjWxIkisEWsSoMrPpb/6NLWXA6sUJsjCxoy7bIopJsf5PAgMBAAGjZjBk -MB0GA1UdDgQWBBSsxPYHnrLl8WZ8QAUIqtzvimDawTAfBgNVHSMEGDAWgBS4kt79 -ihizMMOfVfMzXbTIKYpBFDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE -AwIBBjANBgkqhkiG9w0BAQsFAAOBgQANYCv6APJakDGWUMief2ACmcYx1JOGnkwk -FbayMUkhec5/koYeg9igNwUbiSvvC4MhsDeNL3trfcYEHqLIWb5Sv0fuRstFjR96 -5NTlVGBfRrCsaIomV+pIRcEHfe4QnpSHTH4mLvitA+UDhgk+SAzgBC8itOA6sHKM -4kDSzfuP+g== ------END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) @@ -152,3 +82,73 @@ sjY4CLHfB/p6U7hg22NLT+YqQv8paLWZOjbrJgV20qvm0HyvjKAgi1BsO7waU22n yHCXIVYCJASbYypduIzkv+mPWM1umUc8AntjZ8HHMlPM1cvpoDnv+ES381cMtacj PxYoxgIUtoDYM0IMgVysPxPQW0pmnzPurFb+NxcrA0A= -----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 15624081837803162868 (0xd8d3e3a6cbe3ccf4) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=FI, O=w1.fi, CN=Root CA + Validity + Not Before: Dec 23 19:37:36 2015 GMT + Not After : Dec 22 19:37:36 2025 GMT + Subject: C=FI, O=w1.fi, CN=User Intermediate CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:c3:2a:0d:f4:66:23:5d:96:91:f7:a0:be:b1:b0: + f7:9e:ae:ea:a6:72:91:f5:70:65:57:91:49:55:59: + 67:bb:d7:f5:9e:bc:66:b2:bf:cf:95:31:32:ae:db: + 9a:3b:43:e8:a5:8d:1f:8b:3b:e6:e8:e3:3b:b2:9d: + f0:58:62:ea:a3:8a:6f:c8:ed:01:ca:27:74:1c:0e: + 9e:28:5c:43:98:db:14:b8:72:07:9f:6b:27:28:25: + ce:a5:91:b7:b7:23:9a:35:ef:0e:b7:fc:9f:69:4d: + 10:2e:81:ab:9d:04:ba:2f:b4:eb:61:7d:fd:68:a1: + 11:6f:f4:16:42:16:99:20:38:24:04:2d:39:7c:74: + 67:14:b9:aa:26:7a:b2:d9:1e:ce:cd:8b:bc:8d:e3: + c7:58:9c:4a:f9:3a:7e:6c:38:f8:5f:1c:ec:05:4c: + e5:56:64:d4:08:d8:fa:db:17:d9:a1:e4:cf:b4:9d: + df:99:50:ce:fa:a4:af:af:c6:f7:f2:0e:c2:c5:7b: + 6c:f9:6c:eb:17:e5:c8:6e:5a:bf:eb:a6:b8:c0:f7: + 43:81:88:c3:d8:aa:a9:60:ac:a7:45:3f:5d:cb:8d: + 6c:48:92:2b:04:5a:c4:a8:32:b3:e9:6f:fe:8d:2d: + 65:c0:ea:c5:09:b2:30:b1:a3:2e:db:22:8a:49:b1: + fe:4f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + AC:C4:F6:07:9E:B2:E5:F1:66:7C:40:05:08:AA:DC:EF:8A:60:DA:C1 + X509v3 Authority Key Identifier: + keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14 + + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:0 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + Signature Algorithm: sha256WithRSAEncryption + 0d:60:2b:fa:00:f2:5a:90:31:96:50:c8:9e:7f:60:02:99:c6: + 31:d4:93:86:9e:4c:24:15:b6:b2:31:49:21:79:ce:7f:92:86: + 1e:83:d8:a0:37:05:1b:89:2b:ef:0b:83:21:b0:37:8d:2f:7b: + 6b:7d:c6:04:1e:a2:c8:59:be:52:bf:47:ee:46:cb:45:8d:1f: + 7a:e4:d4:e5:54:60:5f:46:b0:ac:68:8a:26:57:ea:48:45:c1: + 07:7d:ee:10:9e:94:87:4c:7e:26:2e:f8:ad:03:e5:03:86:09: + 3e:48:0c:e0:04:2f:22:b4:e0:3a:b0:72:8c:e2:40:d2:cd:fb: + 8f:fa +-----BEGIN CERTIFICATE----- +MIIC0zCCAjygAwIBAgIJANjT46bL48z0MA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNV +BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNTEy +MjMxOTM3MzZaFw0yNTEyMjIxOTM3MzZaMDwxCzAJBgNVBAYTAkZJMQ4wDAYDVQQK +DAV3MS5maTEdMBsGA1UEAwwUVXNlciBJbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDKg30ZiNdlpH3oL6xsPeeruqmcpH1cGVX +kUlVWWe71/WevGayv8+VMTKu25o7Q+iljR+LO+bo4zuynfBYYuqjim/I7QHKJ3Qc +Dp4oXEOY2xS4cgefaycoJc6lkbe3I5o17w63/J9pTRAugaudBLovtOthff1ooRFv +9BZCFpkgOCQELTl8dGcUuaomerLZHs7Ni7yN48dYnEr5On5sOPhfHOwFTOVWZNQI +2PrbF9mh5M+0nd+ZUM76pK+vxvfyDsLFe2z5bOsX5chuWr/rprjA90OBiMPYqqlg +rKdFP13LjWxIkisEWsSoMrPpb/6NLWXA6sUJsjCxoy7bIopJsf5PAgMBAAGjZjBk +MB0GA1UdDgQWBBSsxPYHnrLl8WZ8QAUIqtzvimDawTAfBgNVHSMEGDAWgBS4kt79 +ihizMMOfVfMzXbTIKYpBFDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE +AwIBBjANBgkqhkiG9w0BAQsFAAOBgQANYCv6APJakDGWUMief2ACmcYx1JOGnkwk +FbayMUkhec5/koYeg9igNwUbiSvvC4MhsDeNL3trfcYEHqLIWb5Sv0fuRstFjR96 +5NTlVGBfRrCsaIomV+pIRcEHfe4QnpSHTH4mLvitA+UDhgk+SAzgBC8itOA6sHKM +4kDSzfuP+g== +-----END CERTIFICATE----- diff --git a/tests/hwsim/auth_serv/ica-generate.sh b/tests/hwsim/auth_serv/ica-generate.sh index 8d7708874..d3fe7b964 100755 --- a/tests/hwsim/auth_serv/ica-generate.sh +++ b/tests/hwsim/auth_serv/ica-generate.sh @@ -72,7 +72,7 @@ cat ec-ca-openssl.cnf | > openssl.cnf.tmp $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-user/user.key -out iCA-user/user.req -outform PEM -sha256 $OPENSSL ca -config openssl.cnf.tmp -batch -keyfile iCA-user/private/cakey.pem -cert iCA-user/cacert.pem -create_serial -in iCA-user/user.req -out iCA-user/user.pem -extensions ext_client -md sha256 -cat iCA-user/cacert.pem iCA-user/user.pem > iCA-user/user_and_ica.pem +cat iCA-user/user.pem iCA-user/cacert.pem > iCA-user/user_and_ica.pem rm openssl.cnf.tmp echo diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py index 2c4c406b2..2d7e71205 100644 --- a/tests/hwsim/test_ap_eap.py +++ b/tests/hwsim/test_ap_eap.py @@ -4100,10 +4100,17 @@ def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params): params["server_cert"] = "auth_serv/iCA-server/server.pem" params["private_key"] = "auth_serv/iCA-server/server.key" hostapd.add_ap(apdev[0], params) + tls = dev[0].request("GET tls_library") + if "GnuTLS" in tls: + ca_cert = "auth_serv/iCA-user/ca-and-root.pem" + client_cert = "auth_serv/iCA-user/user_and_ica.pem" + else: + ca_cert = "auth_serv/iCA-user/ca-and-root.pem" + client_cert = "auth_serv/iCA-user/user.pem" dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS", identity="tls user", - ca_cert="auth_serv/iCA-user/ca-and-root.pem", - client_cert="auth_serv/iCA-user/user.pem", + ca_cert=ca_cert, + client_cert=client_cert, private_key="auth_serv/iCA-user/user.key", scan_freq="2412") @@ -4201,10 +4208,17 @@ def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md): params["ocsp_stapling_response"] = fn try: hostapd.add_ap(apdev[0], params) + tls = dev[0].request("GET tls_library") + if "GnuTLS" in tls: + ca_cert = "auth_serv/iCA-user/ca-and-root.pem" + client_cert = "auth_serv/iCA-user/user_and_ica.pem" + else: + ca_cert = "auth_serv/iCA-user/ca-and-root.pem" + client_cert = "auth_serv/iCA-user/user.pem" dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS", identity="tls user", - ca_cert="auth_serv/iCA-user/ca-and-root.pem", - client_cert="auth_serv/iCA-user/user.pem", + ca_cert=ca_cert, + client_cert=client_cert, private_key="auth_serv/iCA-user/user.key", scan_freq="2412", ocsp=2) finally: @@ -4229,10 +4243,17 @@ def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params, md): params["ocsp_stapling_response"] = fn try: hostapd.add_ap(apdev[0], params) + tls = dev[0].request("GET tls_library") + if "GnuTLS" in tls: + ca_cert = "auth_serv/iCA-user/ca-and-root.pem" + client_cert = "auth_serv/iCA-user/user_and_ica.pem" + else: + ca_cert = "auth_serv/iCA-user/ca-and-root.pem" + client_cert = "auth_serv/iCA-user/user.pem" dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS", identity="tls user", - ca_cert="auth_serv/iCA-user/ca-and-root.pem", - client_cert="auth_serv/iCA-user/user.pem", + ca_cert=ca_cert, + client_cert=client_cert, private_key="auth_serv/iCA-user/user.key", scan_freq="2412", ocsp=1, wait_connect=False) count = 0 @@ -4272,10 +4293,17 @@ def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev, apdev, par params["ocsp_stapling_response"] = fn try: hostapd.add_ap(apdev[0], params) + tls = dev[0].request("GET tls_library") + if "GnuTLS" in tls: + ca_cert = "auth_serv/iCA-user/ca-and-root.pem" + client_cert = "auth_serv/iCA-user/user_and_ica.pem" + else: + ca_cert = "auth_serv/iCA-user/ca-and-root.pem" + client_cert = "auth_serv/iCA-user/user.pem" dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS", identity="tls user", - ca_cert="auth_serv/iCA-user/ca-and-root.pem", - client_cert="auth_serv/iCA-user/user.pem", + ca_cert=ca_cert, + client_cert=client_cert, private_key="auth_serv/iCA-user/user.key", scan_freq="2412", ocsp=3, wait_connect=False) count = 0 @@ -4332,10 +4360,17 @@ def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev, apdev, params): params["ocsp_stapling_response_multi"] = fn3 hostapd.add_ap(apdev[0], params) + tls = dev[0].request("GET tls_library") + if "GnuTLS" in tls: + ca_cert = "auth_serv/iCA-user/ca-and-root.pem" + client_cert = "auth_serv/iCA-user/user_and_ica.pem" + else: + ca_cert = "auth_serv/iCA-user/ca-and-root.pem" + client_cert = "auth_serv/iCA-user/user.pem" dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS", identity="tls user", - ca_cert="auth_serv/iCA-user/ca-and-root.pem", - client_cert="auth_serv/iCA-user/user.pem", + ca_cert=ca_cert, + client_cert=client_cert, private_key="auth_serv/iCA-user/user.key", scan_freq="2412", ocsp=3) dev[0].request("REMOVE_NETWORK all")