The new subrem field in the users database can now be used to issue an
alternative subscription remediation updateNode for clients using
certificate credentials. The data file for this case is similar to the
policy update files, but it starts with the managementTreeURI value in
the first line.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
There is no point in trying to update the Credential node with the
existing contents in case of subscription remediation using a client
certificate instead of a username/password credential, so use the
noMOUpdate in that case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Make it easier to find the new username (and the new serial number from
it) when a user entry is renamed at the conclusion of client certificate
re-enrollment sequence.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
A new osu_config field "sim_policy" can now be used to specify the
policy template for SIM provisioning.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Support SIM provisioning exchange with SPP. This uses the
hotspot2dot0-mobile-identifier-hash value from the AAA server to allow
subscription registration through subscription remediation exchange.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This adds support for the SPP server to request certificate reenrollment
and for the EST server to support the simplereenroll version.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previous implementation updated user database only for username/password
credentials. While client certificates do not need the updated password
to be written, they do need the remediation requirement to be cleared,
so fix that.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
These are not really using Phase 2, so use more appropriate
configuration when going through online signup for client certificates.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This makes it a bit easier to use existing hardcoded PPS MO files for
testing purposes when the subscription remediation and policy update
operations target the same path.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This node was modified long time ago to include "SPP-" prefix. Fix the
OSU server implementation to use the correct value.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Extend test=<value> special incorrect behavior testing capabilities in
the OSU server to include the fingerprint of the policy update trust
root: test=corrupt_polupd_hash.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a mechanism to allow special incorrect behavior to be requested from
OSU server by adding an optional parameter test=<value> to the initial
signup URL. This is for protocol testing purposes for the OSU client.
This commit adds two special behavior cases: corrupt_aaa_hash and
corrupt_subrem_hash. These can be used to generate PPS MO with invalid
CertSHA256Fingerprint values for AAAServerTrustRoot and
SubscriptionUpdate nodes.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add support for user remediation to request a new password from the user
for username/password credentials that have been configured not use use
machine managed password.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Instead of defaulting to machine remediation, reject a request to do
subscription remediation if that has not been configured to be required.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add password and machine_managed flag to database in case of machine
managed subscription to fix EAP-TTLS connection failure to production
AP. In case of user managed subscription, the entered password is added
to DB from the PHP script. However in machine managed subscription,
machine generated password is added only in SOAP messages and PPS MO. So
connection to production will fail as the generated password is not
present in the database used by AAA server.
Signed-off-by: Sreenath Sharma <sreenath.mailing.lists@gmail.com>
This is meant mainly for testing purposes and as a reference
implementation showing how OSU SPP server could be implemented. This is
not suitable for any real production use in its current form.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>