tests: GnuTLS configuration of intermediate CA certificate

GnuTLS seems to require the intermediate CA certificate to be included
both in the ca_cert and client_cert file for the cases of server and
client certificates using different intermediate CA certificates. Use
the user_and_ica.pem file with GnuTLS builds and reorder the
certificates in that file to make this work with GnuTLS.

Signed-off-by: Jouni Malinen <j@w1.fi>

tests/hwsim/auth_serv/iCA-user/user_and_ica.pem

@@ -1,73 +1,3 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 15624081837803162868 (0xd8d3e3a6cbe3ccf4)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=FI, O=w1.fi, CN=Root CA
-        Validity
-            Not Before: Dec 23 19:37:36 2015 GMT
-            Not After : Dec 22 19:37:36 2025 GMT
-        Subject: C=FI, O=w1.fi, CN=User Intermediate CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:c3:2a:0d:f4:66:23:5d:96:91:f7:a0:be:b1:b0:
-                    f7:9e:ae:ea:a6:72:91:f5:70:65:57:91:49:55:59:
-                    67:bb:d7:f5:9e:bc:66:b2:bf:cf:95:31:32:ae:db:
-                    9a:3b:43:e8:a5:8d:1f:8b:3b:e6:e8:e3:3b:b2:9d:
-                    f0:58:62:ea:a3:8a:6f:c8:ed:01:ca:27:74:1c:0e:
-                    9e:28:5c:43:98:db:14:b8:72:07:9f:6b:27:28:25:
-                    ce:a5:91:b7:b7:23:9a:35:ef:0e:b7:fc:9f:69:4d:
-                    10:2e:81:ab:9d:04:ba:2f:b4:eb:61:7d:fd:68:a1:
-                    11:6f:f4:16:42:16:99:20:38:24:04:2d:39:7c:74:
-                    67:14:b9:aa:26:7a:b2:d9:1e:ce:cd:8b:bc:8d:e3:
-                    c7:58:9c:4a:f9:3a:7e:6c:38:f8:5f:1c:ec:05:4c:
-                    e5:56:64:d4:08:d8:fa:db:17:d9:a1:e4:cf:b4:9d:
-                    df:99:50:ce:fa:a4:af:af:c6:f7:f2:0e:c2:c5:7b:
-                    6c:f9:6c:eb:17:e5:c8:6e:5a:bf:eb:a6:b8:c0:f7:
-                    43:81:88:c3:d8:aa:a9:60:ac:a7:45:3f:5d:cb:8d:
-                    6c:48:92:2b:04:5a:c4:a8:32:b3:e9:6f:fe:8d:2d:
-                    65:c0:ea:c5:09:b2:30:b1:a3:2e:db:22:8a:49:b1:
-                    fe:4f
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                AC:C4:F6:07:9E:B2:E5:F1:66:7C:40:05:08:AA:DC:EF:8A:60:DA:C1
-            X509v3 Authority Key Identifier: 
-                keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
-
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:0
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-    Signature Algorithm: sha256WithRSAEncryption
-         0d:60:2b:fa:00:f2:5a:90:31:96:50:c8:9e:7f:60:02:99:c6:
-         31:d4:93:86:9e:4c:24:15:b6:b2:31:49:21:79:ce:7f:92:86:
-         1e:83:d8:a0:37:05:1b:89:2b:ef:0b:83:21:b0:37:8d:2f:7b:
-         6b:7d:c6:04:1e:a2:c8:59:be:52:bf:47:ee:46:cb:45:8d:1f:
-         7a:e4:d4:e5:54:60:5f:46:b0:ac:68:8a:26:57:ea:48:45:c1:
-         07:7d:ee:10:9e:94:87:4c:7e:26:2e:f8:ad:03:e5:03:86:09:
-         3e:48:0c:e0:04:2f:22:b4:e0:3a:b0:72:8c:e2:40:d2:cd:fb:
-         8f:fa
------BEGIN CERTIFICATE-----
-MIIC0zCCAjygAwIBAgIJANjT46bL48z0MA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNV
-BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNTEy
-MjMxOTM3MzZaFw0yNTEyMjIxOTM3MzZaMDwxCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
-DAV3MS5maTEdMBsGA1UEAwwUVXNlciBJbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDKg30ZiNdlpH3oL6xsPeeruqmcpH1cGVX
-kUlVWWe71/WevGayv8+VMTKu25o7Q+iljR+LO+bo4zuynfBYYuqjim/I7QHKJ3Qc
-Dp4oXEOY2xS4cgefaycoJc6lkbe3I5o17w63/J9pTRAugaudBLovtOthff1ooRFv
-9BZCFpkgOCQELTl8dGcUuaomerLZHs7Ni7yN48dYnEr5On5sOPhfHOwFTOVWZNQI
-2PrbF9mh5M+0nd+ZUM76pK+vxvfyDsLFe2z5bOsX5chuWr/rprjA90OBiMPYqqlg
-rKdFP13LjWxIkisEWsSoMrPpb/6NLWXA6sUJsjCxoy7bIopJsf5PAgMBAAGjZjBk
-MB0GA1UdDgQWBBSsxPYHnrLl8WZ8QAUIqtzvimDawTAfBgNVHSMEGDAWgBS4kt79
-ihizMMOfVfMzXbTIKYpBFDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE
-AwIBBjANBgkqhkiG9w0BAQsFAAOBgQANYCv6APJakDGWUMief2ACmcYx1JOGnkwk
-FbayMUkhec5/koYeg9igNwUbiSvvC4MhsDeNL3trfcYEHqLIWb5Sv0fuRstFjR96
-5NTlVGBfRrCsaIomV+pIRcEHfe4QnpSHTH4mLvitA+UDhgk+SAzgBC8itOA6sHKM
-4kDSzfuP+g==
------END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
@@ -152,3 +82,73 @@ sjY4CLHfB/p6U7hg22NLT+YqQv8paLWZOjbrJgV20qvm0HyvjKAgi1BsO7waU22n
 yHCXIVYCJASbYypduIzkv+mPWM1umUc8AntjZ8HHMlPM1cvpoDnv+ES381cMtacj
 PxYoxgIUtoDYM0IMgVysPxPQW0pmnzPurFb+NxcrA0A=
 -----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 15624081837803162868 (0xd8d3e3a6cbe3ccf4)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=Root CA
+        Validity
+            Not Before: Dec 23 19:37:36 2015 GMT
+            Not After : Dec 22 19:37:36 2025 GMT
+        Subject: C=FI, O=w1.fi, CN=User Intermediate CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c3:2a:0d:f4:66:23:5d:96:91:f7:a0:be:b1:b0:
+                    f7:9e:ae:ea:a6:72:91:f5:70:65:57:91:49:55:59:
+                    67:bb:d7:f5:9e:bc:66:b2:bf:cf:95:31:32:ae:db:
+                    9a:3b:43:e8:a5:8d:1f:8b:3b:e6:e8:e3:3b:b2:9d:
+                    f0:58:62:ea:a3:8a:6f:c8:ed:01:ca:27:74:1c:0e:
+                    9e:28:5c:43:98:db:14:b8:72:07:9f:6b:27:28:25:
+                    ce:a5:91:b7:b7:23:9a:35:ef:0e:b7:fc:9f:69:4d:
+                    10:2e:81:ab:9d:04:ba:2f:b4:eb:61:7d:fd:68:a1:
+                    11:6f:f4:16:42:16:99:20:38:24:04:2d:39:7c:74:
+                    67:14:b9:aa:26:7a:b2:d9:1e:ce:cd:8b:bc:8d:e3:
+                    c7:58:9c:4a:f9:3a:7e:6c:38:f8:5f:1c:ec:05:4c:
+                    e5:56:64:d4:08:d8:fa:db:17:d9:a1:e4:cf:b4:9d:
+                    df:99:50:ce:fa:a4:af:af:c6:f7:f2:0e:c2:c5:7b:
+                    6c:f9:6c:eb:17:e5:c8:6e:5a:bf:eb:a6:b8:c0:f7:
+                    43:81:88:c3:d8:aa:a9:60:ac:a7:45:3f:5d:cb:8d:
+                    6c:48:92:2b:04:5a:c4:a8:32:b3:e9:6f:fe:8d:2d:
+                    65:c0:ea:c5:09:b2:30:b1:a3:2e:db:22:8a:49:b1:
+                    fe:4f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                AC:C4:F6:07:9E:B2:E5:F1:66:7C:40:05:08:AA:DC:EF:8A:60:DA:C1
+            X509v3 Authority Key Identifier: 
+                keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+    Signature Algorithm: sha256WithRSAEncryption
+         0d:60:2b:fa:00:f2:5a:90:31:96:50:c8:9e:7f:60:02:99:c6:
+         31:d4:93:86:9e:4c:24:15:b6:b2:31:49:21:79:ce:7f:92:86:
+         1e:83:d8:a0:37:05:1b:89:2b:ef:0b:83:21:b0:37:8d:2f:7b:
+         6b:7d:c6:04:1e:a2:c8:59:be:52:bf:47:ee:46:cb:45:8d:1f:
+         7a:e4:d4:e5:54:60:5f:46:b0:ac:68:8a:26:57:ea:48:45:c1:
+         07:7d:ee:10:9e:94:87:4c:7e:26:2e:f8:ad:03:e5:03:86:09:
+         3e:48:0c:e0:04:2f:22:b4:e0:3a:b0:72:8c:e2:40:d2:cd:fb:
+         8f:fa
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAjygAwIBAgIJANjT46bL48z0MA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNV
+BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNTEy
+MjMxOTM3MzZaFw0yNTEyMjIxOTM3MzZaMDwxCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
+DAV3MS5maTEdMBsGA1UEAwwUVXNlciBJbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDKg30ZiNdlpH3oL6xsPeeruqmcpH1cGVX
+kUlVWWe71/WevGayv8+VMTKu25o7Q+iljR+LO+bo4zuynfBYYuqjim/I7QHKJ3Qc
+Dp4oXEOY2xS4cgefaycoJc6lkbe3I5o17w63/J9pTRAugaudBLovtOthff1ooRFv
+9BZCFpkgOCQELTl8dGcUuaomerLZHs7Ni7yN48dYnEr5On5sOPhfHOwFTOVWZNQI
+2PrbF9mh5M+0nd+ZUM76pK+vxvfyDsLFe2z5bOsX5chuWr/rprjA90OBiMPYqqlg
+rKdFP13LjWxIkisEWsSoMrPpb/6NLWXA6sUJsjCxoy7bIopJsf5PAgMBAAGjZjBk
+MB0GA1UdDgQWBBSsxPYHnrLl8WZ8QAUIqtzvimDawTAfBgNVHSMEGDAWgBS4kt79
+ihizMMOfVfMzXbTIKYpBFDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE
+AwIBBjANBgkqhkiG9w0BAQsFAAOBgQANYCv6APJakDGWUMief2ACmcYx1JOGnkwk
+FbayMUkhec5/koYeg9igNwUbiSvvC4MhsDeNL3trfcYEHqLIWb5Sv0fuRstFjR96
+5NTlVGBfRrCsaIomV+pIRcEHfe4QnpSHTH4mLvitA+UDhgk+SAzgBC8itOA6sHKM
+4kDSzfuP+g==
+-----END CERTIFICATE-----

tests/hwsim/auth_serv/ica-generate.sh

@@ -72,7 +72,7 @@ cat ec-ca-openssl.cnf |
 	> openssl.cnf.tmp
 $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-user/user.key -out iCA-user/user.req -outform PEM -sha256
 $OPENSSL ca -config openssl.cnf.tmp -batch -keyfile iCA-user/private/cakey.pem -cert iCA-user/cacert.pem -create_serial -in iCA-user/user.req -out iCA-user/user.pem -extensions ext_client -md sha256
-cat iCA-user/cacert.pem iCA-user/user.pem > iCA-user/user_and_ica.pem
+cat iCA-user/user.pem iCA-user/cacert.pem > iCA-user/user_and_ica.pem
 rm openssl.cnf.tmp
 
 echo

tests/hwsim/test_ap_eap.py

@@ -4100,10 +4100,17 @@ def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params):
     params["server_cert"] = "auth_serv/iCA-server/server.pem"
     params["private_key"] = "auth_serv/iCA-server/server.key"
     hostapd.add_ap(apdev[0], params)
+    tls = dev[0].request("GET tls_library")
+    if "GnuTLS" in tls:
+        ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+        client_cert = "auth_serv/iCA-user/user_and_ica.pem"
+    else:
+        ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+        client_cert = "auth_serv/iCA-user/user.pem"
     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user",
-                   ca_cert="auth_serv/iCA-user/ca-and-root.pem",
+                   ca_cert=ca_cert,
-                   client_cert="auth_serv/iCA-user/user.pem",
+                   client_cert=client_cert,
                    private_key="auth_serv/iCA-user/user.key",
                    scan_freq="2412")
 
@@ -4201,10 +4208,17 @@ def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md):
     params["ocsp_stapling_response"] = fn
     try:
         hostapd.add_ap(apdev[0], params)
+        tls = dev[0].request("GET tls_library")
+        if "GnuTLS" in tls:
+            ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+            client_cert = "auth_serv/iCA-user/user_and_ica.pem"
+        else:
+            ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+            client_cert = "auth_serv/iCA-user/user.pem"
         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                        identity="tls user",
-                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
+                       ca_cert=ca_cert,
-                       client_cert="auth_serv/iCA-user/user.pem",
+                       client_cert=client_cert,
                        private_key="auth_serv/iCA-user/user.key",
                        scan_freq="2412", ocsp=2)
     finally:
@@ -4229,10 +4243,17 @@ def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params, md):
     params["ocsp_stapling_response"] = fn
     try:
         hostapd.add_ap(apdev[0], params)
+        tls = dev[0].request("GET tls_library")
+        if "GnuTLS" in tls:
+            ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+            client_cert = "auth_serv/iCA-user/user_and_ica.pem"
+        else:
+            ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+            client_cert = "auth_serv/iCA-user/user.pem"
         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                        identity="tls user",
-                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
+                       ca_cert=ca_cert,
-                       client_cert="auth_serv/iCA-user/user.pem",
+                       client_cert=client_cert,
                        private_key="auth_serv/iCA-user/user.key",
                        scan_freq="2412", ocsp=1, wait_connect=False)
         count = 0
@@ -4272,10 +4293,17 @@ def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev, apdev, par
     params["ocsp_stapling_response"] = fn
     try:
         hostapd.add_ap(apdev[0], params)
+        tls = dev[0].request("GET tls_library")
+        if "GnuTLS" in tls:
+            ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+            client_cert = "auth_serv/iCA-user/user_and_ica.pem"
+        else:
+            ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+            client_cert = "auth_serv/iCA-user/user.pem"
         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                        identity="tls user",
-                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
+                       ca_cert=ca_cert,
-                       client_cert="auth_serv/iCA-user/user.pem",
+                       client_cert=client_cert,
                        private_key="auth_serv/iCA-user/user.key",
                        scan_freq="2412", ocsp=3, wait_connect=False)
         count = 0
@@ -4332,10 +4360,17 @@ def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev, apdev, params):
         params["ocsp_stapling_response_multi"] = fn3
 
         hostapd.add_ap(apdev[0], params)
+        tls = dev[0].request("GET tls_library")
+        if "GnuTLS" in tls:
+            ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+            client_cert = "auth_serv/iCA-user/user_and_ica.pem"
+        else:
+            ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+            client_cert = "auth_serv/iCA-user/user.pem"
         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                        identity="tls user",
-                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
+                       ca_cert=ca_cert,
-                       client_cert="auth_serv/iCA-user/user.pem",
+                       client_cert=client_cert,
                        private_key="auth_serv/iCA-user/user.key",
                        scan_freq="2412", ocsp=3)
         dev[0].request("REMOVE_NETWORK all")