aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2017-12-29 10:01:22 (GMT)
committerJouni Malinen <j@w1.fi>2017-12-29 10:01:22 (GMT)
commitb4635f0a61d669b4919fea14bb5efd79dc4dd732 (patch)
treeb51cb478aee483ce82b8eb4990c470bb48b0e5c2
parent9acd0bebab6b29264930f9914dc48556851ded13 (diff)
downloadhostap-b4635f0a61d669b4919fea14bb5efd79dc4dd732.zip
hostap-b4635f0a61d669b4919fea14bb5efd79dc4dd732.tar.gz
hostap-b4635f0a61d669b4919fea14bb5efd79dc4dd732.tar.bz2
tests: GnuTLS configuration of intermediate CA certificate
GnuTLS seems to require the intermediate CA certificate to be included both in the ca_cert and client_cert file for the cases of server and client certificates using different intermediate CA certificates. Use the user_and_ica.pem file with GnuTLS builds and reorder the certificates in that file to make this work with GnuTLS. Signed-off-by: Jouni Malinen <j@w1.fi>
-rw-r--r--tests/hwsim/auth_serv/iCA-user/user_and_ica.pem140
-rwxr-xr-xtests/hwsim/auth_serv/ica-generate.sh2
-rw-r--r--tests/hwsim/test_ap_eap.py55
3 files changed, 116 insertions, 81 deletions
diff --git a/tests/hwsim/auth_serv/iCA-user/user_and_ica.pem b/tests/hwsim/auth_serv/iCA-user/user_and_ica.pem
index 5de2e9d..0a5c955 100644
--- a/tests/hwsim/auth_serv/iCA-user/user_and_ica.pem
+++ b/tests/hwsim/auth_serv/iCA-user/user_and_ica.pem
@@ -1,76 +1,6 @@
Certificate:
Data:
Version: 3 (0x2)
- Serial Number: 15624081837803162868 (0xd8d3e3a6cbe3ccf4)
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: C=FI, O=w1.fi, CN=Root CA
- Validity
- Not Before: Dec 23 19:37:36 2015 GMT
- Not After : Dec 22 19:37:36 2025 GMT
- Subject: C=FI, O=w1.fi, CN=User Intermediate CA
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- Public-Key: (2048 bit)
- Modulus:
- 00:c3:2a:0d:f4:66:23:5d:96:91:f7:a0:be:b1:b0:
- f7:9e:ae:ea:a6:72:91:f5:70:65:57:91:49:55:59:
- 67:bb:d7:f5:9e:bc:66:b2:bf:cf:95:31:32:ae:db:
- 9a:3b:43:e8:a5:8d:1f:8b:3b:e6:e8:e3:3b:b2:9d:
- f0:58:62:ea:a3:8a:6f:c8:ed:01:ca:27:74:1c:0e:
- 9e:28:5c:43:98:db:14:b8:72:07:9f:6b:27:28:25:
- ce:a5:91:b7:b7:23:9a:35:ef:0e:b7:fc:9f:69:4d:
- 10:2e:81:ab:9d:04:ba:2f:b4:eb:61:7d:fd:68:a1:
- 11:6f:f4:16:42:16:99:20:38:24:04:2d:39:7c:74:
- 67:14:b9:aa:26:7a:b2:d9:1e:ce:cd:8b:bc:8d:e3:
- c7:58:9c:4a:f9:3a:7e:6c:38:f8:5f:1c:ec:05:4c:
- e5:56:64:d4:08:d8:fa:db:17:d9:a1:e4:cf:b4:9d:
- df:99:50:ce:fa:a4:af:af:c6:f7:f2:0e:c2:c5:7b:
- 6c:f9:6c:eb:17:e5:c8:6e:5a:bf:eb:a6:b8:c0:f7:
- 43:81:88:c3:d8:aa:a9:60:ac:a7:45:3f:5d:cb:8d:
- 6c:48:92:2b:04:5a:c4:a8:32:b3:e9:6f:fe:8d:2d:
- 65:c0:ea:c5:09:b2:30:b1:a3:2e:db:22:8a:49:b1:
- fe:4f
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Subject Key Identifier:
- AC:C4:F6:07:9E:B2:E5:F1:66:7C:40:05:08:AA:DC:EF:8A:60:DA:C1
- X509v3 Authority Key Identifier:
- keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
-
- X509v3 Basic Constraints: critical
- CA:TRUE, pathlen:0
- X509v3 Key Usage: critical
- Certificate Sign, CRL Sign
- Signature Algorithm: sha256WithRSAEncryption
- 0d:60:2b:fa:00:f2:5a:90:31:96:50:c8:9e:7f:60:02:99:c6:
- 31:d4:93:86:9e:4c:24:15:b6:b2:31:49:21:79:ce:7f:92:86:
- 1e:83:d8:a0:37:05:1b:89:2b:ef:0b:83:21:b0:37:8d:2f:7b:
- 6b:7d:c6:04:1e:a2:c8:59:be:52:bf:47:ee:46:cb:45:8d:1f:
- 7a:e4:d4:e5:54:60:5f:46:b0:ac:68:8a:26:57:ea:48:45:c1:
- 07:7d:ee:10:9e:94:87:4c:7e:26:2e:f8:ad:03:e5:03:86:09:
- 3e:48:0c:e0:04:2f:22:b4:e0:3a:b0:72:8c:e2:40:d2:cd:fb:
- 8f:fa
------BEGIN CERTIFICATE-----
-MIIC0zCCAjygAwIBAgIJANjT46bL48z0MA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNV
-BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNTEy
-MjMxOTM3MzZaFw0yNTEyMjIxOTM3MzZaMDwxCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
-DAV3MS5maTEdMBsGA1UEAwwUVXNlciBJbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDKg30ZiNdlpH3oL6xsPeeruqmcpH1cGVX
-kUlVWWe71/WevGayv8+VMTKu25o7Q+iljR+LO+bo4zuynfBYYuqjim/I7QHKJ3Qc
-Dp4oXEOY2xS4cgefaycoJc6lkbe3I5o17w63/J9pTRAugaudBLovtOthff1ooRFv
-9BZCFpkgOCQELTl8dGcUuaomerLZHs7Ni7yN48dYnEr5On5sOPhfHOwFTOVWZNQI
-2PrbF9mh5M+0nd+ZUM76pK+vxvfyDsLFe2z5bOsX5chuWr/rprjA90OBiMPYqqlg
-rKdFP13LjWxIkisEWsSoMrPpb/6NLWXA6sUJsjCxoy7bIopJsf5PAgMBAAGjZjBk
-MB0GA1UdDgQWBBSsxPYHnrLl8WZ8QAUIqtzvimDawTAfBgNVHSMEGDAWgBS4kt79
-ihizMMOfVfMzXbTIKYpBFDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE
-AwIBBjANBgkqhkiG9w0BAQsFAAOBgQANYCv6APJakDGWUMief2ACmcYx1JOGnkwk
-FbayMUkhec5/koYeg9igNwUbiSvvC4MhsDeNL3trfcYEHqLIWb5Sv0fuRstFjR96
-5NTlVGBfRrCsaIomV+pIRcEHfe4QnpSHTH4mLvitA+UDhgk+SAzgBC8itOA6sHKM
-4kDSzfuP+g==
------END CERTIFICATE-----
-Certificate:
- Data:
- Version: 3 (0x2)
Serial Number: 16236525841851734558 (0xe153ba3a7605da1e)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=FI, O=w1.fi, CN=User Intermediate CA
@@ -152,3 +82,73 @@ sjY4CLHfB/p6U7hg22NLT+YqQv8paLWZOjbrJgV20qvm0HyvjKAgi1BsO7waU22n
yHCXIVYCJASbYypduIzkv+mPWM1umUc8AntjZ8HHMlPM1cvpoDnv+ES381cMtacj
PxYoxgIUtoDYM0IMgVysPxPQW0pmnzPurFb+NxcrA0A=
-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 15624081837803162868 (0xd8d3e3a6cbe3ccf4)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=FI, O=w1.fi, CN=Root CA
+ Validity
+ Not Before: Dec 23 19:37:36 2015 GMT
+ Not After : Dec 22 19:37:36 2025 GMT
+ Subject: C=FI, O=w1.fi, CN=User Intermediate CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:c3:2a:0d:f4:66:23:5d:96:91:f7:a0:be:b1:b0:
+ f7:9e:ae:ea:a6:72:91:f5:70:65:57:91:49:55:59:
+ 67:bb:d7:f5:9e:bc:66:b2:bf:cf:95:31:32:ae:db:
+ 9a:3b:43:e8:a5:8d:1f:8b:3b:e6:e8:e3:3b:b2:9d:
+ f0:58:62:ea:a3:8a:6f:c8:ed:01:ca:27:74:1c:0e:
+ 9e:28:5c:43:98:db:14:b8:72:07:9f:6b:27:28:25:
+ ce:a5:91:b7:b7:23:9a:35:ef:0e:b7:fc:9f:69:4d:
+ 10:2e:81:ab:9d:04:ba:2f:b4:eb:61:7d:fd:68:a1:
+ 11:6f:f4:16:42:16:99:20:38:24:04:2d:39:7c:74:
+ 67:14:b9:aa:26:7a:b2:d9:1e:ce:cd:8b:bc:8d:e3:
+ c7:58:9c:4a:f9:3a:7e:6c:38:f8:5f:1c:ec:05:4c:
+ e5:56:64:d4:08:d8:fa:db:17:d9:a1:e4:cf:b4:9d:
+ df:99:50:ce:fa:a4:af:af:c6:f7:f2:0e:c2:c5:7b:
+ 6c:f9:6c:eb:17:e5:c8:6e:5a:bf:eb:a6:b8:c0:f7:
+ 43:81:88:c3:d8:aa:a9:60:ac:a7:45:3f:5d:cb:8d:
+ 6c:48:92:2b:04:5a:c4:a8:32:b3:e9:6f:fe:8d:2d:
+ 65:c0:ea:c5:09:b2:30:b1:a3:2e:db:22:8a:49:b1:
+ fe:4f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ AC:C4:F6:07:9E:B2:E5:F1:66:7C:40:05:08:AA:DC:EF:8A:60:DA:C1
+ X509v3 Authority Key Identifier:
+ keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE, pathlen:0
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ Signature Algorithm: sha256WithRSAEncryption
+ 0d:60:2b:fa:00:f2:5a:90:31:96:50:c8:9e:7f:60:02:99:c6:
+ 31:d4:93:86:9e:4c:24:15:b6:b2:31:49:21:79:ce:7f:92:86:
+ 1e:83:d8:a0:37:05:1b:89:2b:ef:0b:83:21:b0:37:8d:2f:7b:
+ 6b:7d:c6:04:1e:a2:c8:59:be:52:bf:47:ee:46:cb:45:8d:1f:
+ 7a:e4:d4:e5:54:60:5f:46:b0:ac:68:8a:26:57:ea:48:45:c1:
+ 07:7d:ee:10:9e:94:87:4c:7e:26:2e:f8:ad:03:e5:03:86:09:
+ 3e:48:0c:e0:04:2f:22:b4:e0:3a:b0:72:8c:e2:40:d2:cd:fb:
+ 8f:fa
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAjygAwIBAgIJANjT46bL48z0MA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNV
+BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNTEy
+MjMxOTM3MzZaFw0yNTEyMjIxOTM3MzZaMDwxCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
+DAV3MS5maTEdMBsGA1UEAwwUVXNlciBJbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDKg30ZiNdlpH3oL6xsPeeruqmcpH1cGVX
+kUlVWWe71/WevGayv8+VMTKu25o7Q+iljR+LO+bo4zuynfBYYuqjim/I7QHKJ3Qc
+Dp4oXEOY2xS4cgefaycoJc6lkbe3I5o17w63/J9pTRAugaudBLovtOthff1ooRFv
+9BZCFpkgOCQELTl8dGcUuaomerLZHs7Ni7yN48dYnEr5On5sOPhfHOwFTOVWZNQI
+2PrbF9mh5M+0nd+ZUM76pK+vxvfyDsLFe2z5bOsX5chuWr/rprjA90OBiMPYqqlg
+rKdFP13LjWxIkisEWsSoMrPpb/6NLWXA6sUJsjCxoy7bIopJsf5PAgMBAAGjZjBk
+MB0GA1UdDgQWBBSsxPYHnrLl8WZ8QAUIqtzvimDawTAfBgNVHSMEGDAWgBS4kt79
+ihizMMOfVfMzXbTIKYpBFDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE
+AwIBBjANBgkqhkiG9w0BAQsFAAOBgQANYCv6APJakDGWUMief2ACmcYx1JOGnkwk
+FbayMUkhec5/koYeg9igNwUbiSvvC4MhsDeNL3trfcYEHqLIWb5Sv0fuRstFjR96
+5NTlVGBfRrCsaIomV+pIRcEHfe4QnpSHTH4mLvitA+UDhgk+SAzgBC8itOA6sHKM
+4kDSzfuP+g==
+-----END CERTIFICATE-----
diff --git a/tests/hwsim/auth_serv/ica-generate.sh b/tests/hwsim/auth_serv/ica-generate.sh
index 8d77088..d3fe7b9 100755
--- a/tests/hwsim/auth_serv/ica-generate.sh
+++ b/tests/hwsim/auth_serv/ica-generate.sh
@@ -72,7 +72,7 @@ cat ec-ca-openssl.cnf |
> openssl.cnf.tmp
$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-user/user.key -out iCA-user/user.req -outform PEM -sha256
$OPENSSL ca -config openssl.cnf.tmp -batch -keyfile iCA-user/private/cakey.pem -cert iCA-user/cacert.pem -create_serial -in iCA-user/user.req -out iCA-user/user.pem -extensions ext_client -md sha256
-cat iCA-user/cacert.pem iCA-user/user.pem > iCA-user/user_and_ica.pem
+cat iCA-user/user.pem iCA-user/cacert.pem > iCA-user/user_and_ica.pem
rm openssl.cnf.tmp
echo
diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index 2c4c406..2d7e712 100644
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@@ -4100,10 +4100,17 @@ def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params):
params["server_cert"] = "auth_serv/iCA-server/server.pem"
params["private_key"] = "auth_serv/iCA-server/server.key"
hostapd.add_ap(apdev[0], params)
+ tls = dev[0].request("GET tls_library")
+ if "GnuTLS" in tls:
+ ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+ client_cert = "auth_serv/iCA-user/user_and_ica.pem"
+ else:
+ ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+ client_cert = "auth_serv/iCA-user/user.pem"
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
identity="tls user",
- ca_cert="auth_serv/iCA-user/ca-and-root.pem",
- client_cert="auth_serv/iCA-user/user.pem",
+ ca_cert=ca_cert,
+ client_cert=client_cert,
private_key="auth_serv/iCA-user/user.key",
scan_freq="2412")
@@ -4201,10 +4208,17 @@ def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md):
params["ocsp_stapling_response"] = fn
try:
hostapd.add_ap(apdev[0], params)
+ tls = dev[0].request("GET tls_library")
+ if "GnuTLS" in tls:
+ ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+ client_cert = "auth_serv/iCA-user/user_and_ica.pem"
+ else:
+ ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+ client_cert = "auth_serv/iCA-user/user.pem"
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
identity="tls user",
- ca_cert="auth_serv/iCA-user/ca-and-root.pem",
- client_cert="auth_serv/iCA-user/user.pem",
+ ca_cert=ca_cert,
+ client_cert=client_cert,
private_key="auth_serv/iCA-user/user.key",
scan_freq="2412", ocsp=2)
finally:
@@ -4229,10 +4243,17 @@ def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params, md):
params["ocsp_stapling_response"] = fn
try:
hostapd.add_ap(apdev[0], params)
+ tls = dev[0].request("GET tls_library")
+ if "GnuTLS" in tls:
+ ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+ client_cert = "auth_serv/iCA-user/user_and_ica.pem"
+ else:
+ ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+ client_cert = "auth_serv/iCA-user/user.pem"
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
identity="tls user",
- ca_cert="auth_serv/iCA-user/ca-and-root.pem",
- client_cert="auth_serv/iCA-user/user.pem",
+ ca_cert=ca_cert,
+ client_cert=client_cert,
private_key="auth_serv/iCA-user/user.key",
scan_freq="2412", ocsp=1, wait_connect=False)
count = 0
@@ -4272,10 +4293,17 @@ def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev, apdev, par
params["ocsp_stapling_response"] = fn
try:
hostapd.add_ap(apdev[0], params)
+ tls = dev[0].request("GET tls_library")
+ if "GnuTLS" in tls:
+ ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+ client_cert = "auth_serv/iCA-user/user_and_ica.pem"
+ else:
+ ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+ client_cert = "auth_serv/iCA-user/user.pem"
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
identity="tls user",
- ca_cert="auth_serv/iCA-user/ca-and-root.pem",
- client_cert="auth_serv/iCA-user/user.pem",
+ ca_cert=ca_cert,
+ client_cert=client_cert,
private_key="auth_serv/iCA-user/user.key",
scan_freq="2412", ocsp=3, wait_connect=False)
count = 0
@@ -4332,10 +4360,17 @@ def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev, apdev, params):
params["ocsp_stapling_response_multi"] = fn3
hostapd.add_ap(apdev[0], params)
+ tls = dev[0].request("GET tls_library")
+ if "GnuTLS" in tls:
+ ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+ client_cert = "auth_serv/iCA-user/user_and_ica.pem"
+ else:
+ ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
+ client_cert = "auth_serv/iCA-user/user.pem"
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
identity="tls user",
- ca_cert="auth_serv/iCA-user/ca-and-root.pem",
- client_cert="auth_serv/iCA-user/user.pem",
+ ca_cert=ca_cert,
+ client_cert=client_cert,
private_key="auth_serv/iCA-user/user.key",
scan_freq="2412", ocsp=3)
dev[0].request("REMOVE_NETWORK all")