This verifies client private key use in encrypted PKCS #8 format with
PKCS #5 v1.5 format using pbeWithMD5AndDES-CBC and PKCS #5 v2.0 format
using PBES2 with des-ede3-cbc.
Signed-off-by: Jouni Malinen <j@w1.fi>
Verify OCSP stapling response that is signed by the CA rather than a
separate OCSP responder. In addition, verify that invalid signer
certificate (missing OCSP delegation) gets rejected.
Signed-off-by: Jouni Malinen <j@w1.fi>
Due to a serial number mismatch, the correct "revoked" status was not
used; instead "unknown" was used. While the test case would not fail for
this, incorrect code path was checked.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The PKCS12 file with default openssl options cannot be used with OpenSSL
1.0.1 in FIPS mode. Replace this with -descert version as a workaround.
Signed-off-by: Jouni Malinen <j@w1.fi>
This ends up using the special User-Name = STA MAC address case for
Accounting-Request. In addition, add Chargeable-User-Identity for one of
the STAs.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This increases testing coverage for OCSP processing by confirming that
valid OCSP response showing revoked certificate status prevents
successful handshake completion. In addition, unknown certificate status
is verified to prevent connection if OCSP is required and allow
connection if OCSP is optional.
Signed-off-by: Jouni Malinen <j@w1.fi>
GnuTLS has a hardcoded three day limit on OCSP response age regardless
of the next update value in the response. To make this work in the test
scripts, try to generate a new response when starting the authentication
server. The old mechanism of a response without next update value is
used as a backup option if openssl is not available or fails to generate
the response for some reason.
Signed-off-by: Jouni Malinen <j@w1.fi>
This format as a DER encoded blob is supported by both OpenSSL and
GnuTLS while the previous OpenSSL specific format did not get accepted
by GnuTLS.
Signed-off-by: Jouni Malinen <j@w1.fi>
This tests RP EAP-Initiate/Re-auth-Start transmission, ERP key
derivation, and EAP-Initiate/Re-auth + EAP-Finish/Re-auth exchange and
rMSK derivation.
Signed-off-by: Jouni Malinen <j@w1.fi>
This verifies that hostapd uses Session-Timeout value from Access-Accept
as the lifetime for the PMKSA cache entries and expires entries both
while the station is disconnected and during an association.
Signed-off-by: Jouni Malinen <j@w1.fi>
Extend EAP-SIM/AKA/AKA' test coverage by setting up another
authentication server instance to store dynamic SIM/AKA/AKA' information
into an SQLite database. This allows the stored reauth/pseudonym data to
be modified on the server side and by doing so, allows testing fallback
from reauth to pseudonym/permanent identity.
Signed-off-by: Jouni Malinen <j@w1.fi>
Verify that session information is stored from Access-Accept and sent to
the station at the requested timeout. Verify that station processes this
notification.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>