tests: Suite B 192-bit profile
This adds a Suite B test case for 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
4113a96bba
commit
37551fe374
7 changed files with 259 additions and 0 deletions
15
tests/hwsim/auth_serv/ec2-ca.pem
Normal file
15
tests/hwsim/auth_serv/ec2-ca.pem
Normal file
|
|
@ -0,0 +1,15 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIICPTCCAcSgAwIBAgIJAL63h7lu0KZpMAoGCCqGSM49BAMDMFIxCzAJBgNVBAYT
|
||||
AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
|
||||
F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE1MDEyNTExMzIwM1oXDTI1MDEy
|
||||
MjExMzIwM1owUjELMAkGA1UEBhMCRkkxETAPBgNVBAcMCEhlbHNpbmtpMQ4wDAYD
|
||||
VQQKDAV3MS5maTEgMB4GA1UEAwwXU3VpdGUgQiAxOTItYml0IFJvb3QgQ0EwdjAQ
|
||||
BgcqhkjOPQIBBgUrgQQAIgNiAAQjdOMC9bqcDR9/SaOhxNbmQLQTGZfhtmoxHkJL
|
||||
5GG3bwW5hYA2jYHWU84H+mR6om6fg78G+IxjLly2OWiByYUeWDcsYqLGj3UHHaVv
|
||||
rIitaRPyg3dExemnmK3zjgXnoaajZjBkMB0GA1UdDgQWBBSuBbynInvH0vn8IKZc
|
||||
MbtBTo9svTAfBgNVHSMEGDAWgBSuBbynInvH0vn8IKZcMbtBTo9svTASBgNVHRMB
|
||||
Af8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNnADBkAjBZ
|
||||
vEbGRDQNvzAY3nfYrsrE2Dd11smT6zv0mIvDeQCktbISGpStRBQjAaFjcCyjDEkC
|
||||
MH7ywcqJe+mpWDt5xFJvB52iZ7rX7rO0OX0qmjI38PC0IOo7euJdfcC1gHdSoAW3
|
||||
bA==
|
||||
-----END CERTIFICATE-----
|
||||
53
tests/hwsim/auth_serv/ec2-generate.sh
Executable file
53
tests/hwsim/auth_serv/ec2-generate.sh
Executable file
|
|
@ -0,0 +1,53 @@
|
|||
#!/bin/sh
|
||||
|
||||
OPENSSL=openssl
|
||||
|
||||
CURVE=secp384r1
|
||||
DIGEST="-sha384"
|
||||
DIGEST_CA="-md sha384"
|
||||
|
||||
echo
|
||||
echo "---[ Root CA ]----------------------------------------------------------"
|
||||
echo
|
||||
|
||||
cat ec-ca-openssl.cnf |
|
||||
sed "s/#@CN@/commonName_default = Suite B 192-bit Root CA/" \
|
||||
> ec-ca-openssl.cnf.tmp
|
||||
$OPENSSL ecparam -out ec2-ca.key -name $CURVE -genkey
|
||||
$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -x509 -new -key ec2-ca.key -out ec2-ca.pem -outform PEM -days 3650 $DIGEST
|
||||
mkdir -p ec-ca/certs ec-ca/crl ec-ca/newcerts ec-ca/private
|
||||
touch ec-ca/index.txt
|
||||
rm ec-ca-openssl.cnf.tmp
|
||||
|
||||
echo
|
||||
echo "---[ Server ]-----------------------------------------------------------"
|
||||
echo
|
||||
|
||||
cat ec-ca-openssl.cnf |
|
||||
sed "s/#@CN@/commonName_default = server.w1.fi/" |
|
||||
sed "s/#@ALTNAME@/subjectAltName=critical,DNS:server.w1.fi/" \
|
||||
> ec-ca-openssl.cnf.tmp
|
||||
$OPENSSL ecparam -out ec2-server.key -name $CURVE -genkey
|
||||
$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-server.key -out ec2-server.req -outform PEM $DIGEST
|
||||
$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-server.req -out ec2-server.pem -extensions ext_server $DIGEST_CA
|
||||
rm ec-ca-openssl.cnf.tmp
|
||||
|
||||
echo
|
||||
echo "---[ User ]-------------------------------------------------------------"
|
||||
echo
|
||||
|
||||
cat ec-ca-openssl.cnf |
|
||||
sed "s/#@CN@/commonName_default = user/" |
|
||||
sed "s/#@ALTNAME@/subjectAltName=email:user@w1.fi/" \
|
||||
> ec-ca-openssl.cnf.tmp
|
||||
$OPENSSL ecparam -out ec2-user.key -name $CURVE -genkey
|
||||
$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-user.key -out ec2-user.req -outform PEM -extensions ext_client $DIGEST
|
||||
$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-user.req -out ec2-user.pem -extensions ext_client $DIGEST_CA
|
||||
rm ec-ca-openssl.cnf.tmp
|
||||
|
||||
echo
|
||||
echo "---[ Verify ]-----------------------------------------------------------"
|
||||
echo
|
||||
|
||||
$OPENSSL verify -CAfile ec2-ca.pem ec2-server.pem
|
||||
$OPENSSL verify -CAfile ec2-ca.pem ec2-user.pem
|
||||
9
tests/hwsim/auth_serv/ec2-server.key
Normal file
9
tests/hwsim/auth_serv/ec2-server.key
Normal file
|
|
@ -0,0 +1,9 @@
|
|||
-----BEGIN EC PARAMETERS-----
|
||||
BgUrgQQAIg==
|
||||
-----END EC PARAMETERS-----
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
MIGkAgEBBDCjaz/zVDXqNO/XprtliomKOC6QjbBFgsF2YwUAtKB5ukL4miVGNyCu
|
||||
jIlq9eUD1x6gBwYFK4EEACKhZANiAARWq1ut1b6ctOFBkEOjULL3VjJFP15g0gk+
|
||||
sBTMBogU5WRN7Qod/jfem5k4O7FKYZNAarDFMh2yDMXZvRooiNyL0AH2wk0qzN5u
|
||||
n02JOt9Q76TVYflE91C5DTxjgLOgxBw=
|
||||
-----END EC PRIVATE KEY-----
|
||||
58
tests/hwsim/auth_serv/ec2-server.pem
Normal file
58
tests/hwsim/auth_serv/ec2-server.pem
Normal file
|
|
@ -0,0 +1,58 @@
|
|||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 9347590364512421238 (0x81b94fe92ea08576)
|
||||
Signature Algorithm: ecdsa-with-SHA384
|
||||
Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B 192-bit Root CA
|
||||
Validity
|
||||
Not Before: Jan 25 11:32:03 2015 GMT
|
||||
Not After : Jan 25 11:32:03 2016 GMT
|
||||
Subject: C=FI, O=w1.fi, CN=server.w1.fi
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: id-ecPublicKey
|
||||
Public-Key: (384 bit)
|
||||
pub:
|
||||
04:56:ab:5b:ad:d5:be:9c:b4:e1:41:90:43:a3:50:
|
||||
b2:f7:56:32:45:3f:5e:60:d2:09:3e:b0:14:cc:06:
|
||||
88:14:e5:64:4d:ed:0a:1d:fe:37:de:9b:99:38:3b:
|
||||
b1:4a:61:93:40:6a:b0:c5:32:1d:b2:0c:c5:d9:bd:
|
||||
1a:28:88:dc:8b:d0:01:f6:c2:4d:2a:cc:de:6e:9f:
|
||||
4d:89:3a:df:50:ef:a4:d5:61:f9:44:f7:50:b9:0d:
|
||||
3c:63:80:b3:a0:c4:1c
|
||||
ASN1 OID: secp384r1
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints: critical
|
||||
CA:FALSE
|
||||
X509v3 Subject Key Identifier:
|
||||
19:D7:57:D0:3B:91:84:A4:AF:93:03:32:3C:AB:C4:F9:A7:B0:27:19
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:AE:05:BC:A7:22:7B:C7:D2:F9:FC:20:A6:5C:31:BB:41:4E:8F:6C:BD
|
||||
|
||||
X509v3 Subject Alternative Name: critical
|
||||
DNS:server.w1.fi
|
||||
X509v3 Extended Key Usage: critical
|
||||
TLS Web Server Authentication
|
||||
X509v3 Key Usage:
|
||||
Digital Signature, Key Encipherment
|
||||
Signature Algorithm: ecdsa-with-SHA384
|
||||
30:65:02:30:79:68:37:af:eb:46:e8:77:35:13:77:d5:db:eb:
|
||||
f9:75:40:cd:d4:3d:0a:03:ec:67:a0:22:fe:65:f5:d7:ca:53:
|
||||
4a:85:f5:14:4b:41:f9:b9:98:a6:85:8b:ac:e0:c8:6c:02:31:
|
||||
00:83:12:02:be:93:2b:c2:00:74:ec:cb:fc:5a:8c:a6:5e:52:
|
||||
ee:20:76:3d:73:2b:fb:fe:60:4c:52:f3:bc:1e:4c:e8:f9:ea:
|
||||
f6:e2:f6:ca:c6:a8:3b:2d:9a:17:eb:4d:0a
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICTTCCAdOgAwIBAgIJAIG5T+kuoIV2MAoGCCqGSM49BAMDMFIxCzAJBgNVBAYT
|
||||
AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
|
||||
F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE1MDEyNTExMzIwM1oXDTE2MDEy
|
||||
NTExMzIwM1owNDELMAkGA1UEBhMCRkkxDjAMBgNVBAoMBXcxLmZpMRUwEwYDVQQD
|
||||
DAxzZXJ2ZXIudzEuZmkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARWq1ut1b6ctOFB
|
||||
kEOjULL3VjJFP15g0gk+sBTMBogU5WRN7Qod/jfem5k4O7FKYZNAarDFMh2yDMXZ
|
||||
vRooiNyL0AH2wk0qzN5un02JOt9Q76TVYflE91C5DTxjgLOgxByjgZIwgY8wDAYD
|
||||
VR0TAQH/BAIwADAdBgNVHQ4EFgQUGddX0DuRhKSvkwMyPKvE+aewJxkwHwYDVR0j
|
||||
BBgwFoAUrgW8pyJ7x9L5/CCmXDG7QU6PbL0wGgYDVR0RAQH/BBAwDoIMc2VydmVy
|
||||
LncxLmZpMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDAKBggq
|
||||
hkjOPQQDAwNoADBlAjB5aDev60bodzUTd9Xb6/l1QM3UPQoD7GegIv5l9dfKU0qF
|
||||
9RRLQfm5mKaFi6zgyGwCMQCDEgK+kyvCAHTsy/xajKZeUu4gdj1zK/v+YExS87we
|
||||
TOj56vbi9srGqDstmhfrTQo=
|
||||
-----END CERTIFICATE-----
|
||||
9
tests/hwsim/auth_serv/ec2-user.key
Normal file
9
tests/hwsim/auth_serv/ec2-user.key
Normal file
|
|
@ -0,0 +1,9 @@
|
|||
-----BEGIN EC PARAMETERS-----
|
||||
BgUrgQQAIg==
|
||||
-----END EC PARAMETERS-----
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
MIGkAgEBBDB7tpaHBuZZG+MVYjRVpZvZvZxxFOu/reH2Ms3DiBH5DHW7dLP7T4Gs
|
||||
X+yw8bQZwCqgBwYFK4EEACKhZANiAATJYVk5woo/LAFd+znRAoMOClGXtfO2yZlp
|
||||
3n6jYUsG48W03XOlYd2/aCJVtGp6SwRVxumfYT4TejEj/Ky44vOlmQ9pasNfMYYN
|
||||
kpHcAWJ8sV7mP7LM9YVksksfhon91+E=
|
||||
-----END EC PRIVATE KEY-----
|
||||
57
tests/hwsim/auth_serv/ec2-user.pem
Normal file
57
tests/hwsim/auth_serv/ec2-user.pem
Normal file
|
|
@ -0,0 +1,57 @@
|
|||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 9347590364512421239 (0x81b94fe92ea08577)
|
||||
Signature Algorithm: ecdsa-with-SHA384
|
||||
Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B 192-bit Root CA
|
||||
Validity
|
||||
Not Before: Jan 25 11:32:03 2015 GMT
|
||||
Not After : Jan 25 11:32:03 2016 GMT
|
||||
Subject: C=FI, O=w1.fi, CN=user
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: id-ecPublicKey
|
||||
Public-Key: (384 bit)
|
||||
pub:
|
||||
04:c9:61:59:39:c2:8a:3f:2c:01:5d:fb:39:d1:02:
|
||||
83:0e:0a:51:97:b5:f3:b6:c9:99:69:de:7e:a3:61:
|
||||
4b:06:e3:c5:b4:dd:73:a5:61:dd:bf:68:22:55:b4:
|
||||
6a:7a:4b:04:55:c6:e9:9f:61:3e:13:7a:31:23:fc:
|
||||
ac:b8:e2:f3:a5:99:0f:69:6a:c3:5f:31:86:0d:92:
|
||||
91:dc:01:62:7c:b1:5e:e6:3f:b2:cc:f5:85:64:b2:
|
||||
4b:1f:86:89:fd:d7:e1
|
||||
ASN1 OID: secp384r1
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:FALSE
|
||||
X509v3 Subject Key Identifier:
|
||||
75:EA:7B:CE:8A:99:D2:E7:77:B4:3B:80:68:59:E9:B6:88:B2:FA:F6
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:AE:05:BC:A7:22:7B:C7:D2:F9:FC:20:A6:5C:31:BB:41:4E:8F:6C:BD
|
||||
|
||||
X509v3 Subject Alternative Name:
|
||||
email:user@w1.fi
|
||||
X509v3 Extended Key Usage:
|
||||
TLS Web Client Authentication
|
||||
X509v3 Key Usage:
|
||||
Digital Signature, Key Encipherment
|
||||
Signature Algorithm: ecdsa-with-SHA384
|
||||
30:65:02:31:00:c2:b7:35:4e:5e:d1:da:7f:35:a0:ac:54:92:
|
||||
18:08:0d:9c:86:e9:4e:cf:3a:09:48:23:eb:4d:56:77:e5:d0:
|
||||
e7:b0:55:b3:0e:91:2d:f8:3e:1c:4e:0d:b7:32:dc:11:1b:02:
|
||||
30:49:c2:6b:63:39:3c:4b:d9:e9:8d:b9:ce:6e:8e:9f:88:43:
|
||||
03:e0:5f:7e:75:44:12:66:f8:c6:ae:8e:f1:da:10:02:36:8c:
|
||||
7b:a2:89:a0:05:3b:c6:39:d6:e1:7a:b7:85
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICOjCCAcCgAwIBAgIJAIG5T+kuoIV3MAoGCCqGSM49BAMDMFIxCzAJBgNVBAYT
|
||||
AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
|
||||
F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE1MDEyNTExMzIwM1oXDTE2MDEy
|
||||
NTExMzIwM1owLDELMAkGA1UEBhMCRkkxDjAMBgNVBAoMBXcxLmZpMQ0wCwYDVQQD
|
||||
DAR1c2VyMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEyWFZOcKKPywBXfs50QKDDgpR
|
||||
l7XztsmZad5+o2FLBuPFtN1zpWHdv2giVbRqeksEVcbpn2E+E3oxI/ysuOLzpZkP
|
||||
aWrDXzGGDZKR3AFifLFe5j+yzPWFZLJLH4aJ/dfho4GHMIGEMAkGA1UdEwQCMAAw
|
||||
HQYDVR0OBBYEFHXqe86KmdLnd7Q7gGhZ6baIsvr2MB8GA1UdIwQYMBaAFK4FvKci
|
||||
e8fS+fwgplwxu0FOj2y9MBUGA1UdEQQOMAyBCnVzZXJAdzEuZmkwEwYDVR0lBAww
|
||||
CgYIKwYBBQUHAwIwCwYDVR0PBAQDAgWgMAoGCCqGSM49BAMDA2gAMGUCMQDCtzVO
|
||||
XtHafzWgrFSSGAgNnIbpTs86CUgj601Wd+XQ57BVsw6RLfg+HE4NtzLcERsCMEnC
|
||||
a2M5PEvZ6Y25zm6On4hDA+BffnVEEmb4xq6O8doQAjaMe6KJoAU7xjnW4Xq3hQ==
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -68,3 +68,61 @@ def test_suite_b(dev, apdev):
|
|||
raise Exception("Roaming with the AP timed out")
|
||||
if "CTRL-EVENT-EAP-STARTED" in ev:
|
||||
raise Exception("Unexpected EAP exchange")
|
||||
|
||||
def test_suite_b_192(dev, apdev):
|
||||
"""WPA2-PSK/GCMP-256 connection at Suite B 192-bit level"""
|
||||
if "GCMP-256" not in dev[0].get_capability("pairwise"):
|
||||
raise HwsimSkip("GCMP-256 not supported")
|
||||
if "BIP-GMAC-256" not in dev[0].get_capability("group_mgmt"):
|
||||
raise HwsimSkip("BIP-GMAC-256 not supported")
|
||||
if "WPA-EAP-SUITE-B-192" not in dev[0].get_capability("key_mgmt"):
|
||||
raise HwsimSkip("WPA-EAP-SUITE-B-192 not supported")
|
||||
tls = dev[0].request("GET tls_library")
|
||||
if not tls.startswith("OpenSSL"):
|
||||
raise HwsimSkip("TLS library not supported for Suite B: " + tls);
|
||||
if "build=OpenSSL 1.0.2" not in tls or "run=OpenSSL 1.0.2" not in tls:
|
||||
raise HwsimSkip("OpenSSL version not supported for Suite B: " + tls)
|
||||
|
||||
params = { "ssid": "test-suite-b",
|
||||
"wpa": "2",
|
||||
"wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
|
||||
"rsn_pairwise": "GCMP-256",
|
||||
"group_mgmt_cipher": "BIP-GMAC-256",
|
||||
"ieee80211w": "2",
|
||||
"ieee8021x": "1",
|
||||
"openssl_ciphers": "SUITEB192",
|
||||
"eap_server": "1",
|
||||
"eap_user_file": "auth_serv/eap_user.conf",
|
||||
"ca_cert": "auth_serv/ec2-ca.pem",
|
||||
"server_cert": "auth_serv/ec2-server.pem",
|
||||
"private_key": "auth_serv/ec2-server.key" }
|
||||
hapd = hostapd.add_ap(apdev[0]['ifname'], params)
|
||||
|
||||
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
|
||||
ieee80211w="2",
|
||||
openssl_ciphers="SUITEB192",
|
||||
eap="TLS", identity="tls user",
|
||||
ca_cert="auth_serv/ec2-ca.pem",
|
||||
client_cert="auth_serv/ec2-user.pem",
|
||||
private_key="auth_serv/ec2-user.key",
|
||||
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
|
||||
tls_cipher = dev[0].get_status_field("EAP TLS cipher")
|
||||
if tls_cipher != "ECDHE-ECDSA-AES256-GCM-SHA384":
|
||||
raise Exception("Unexpected TLS cipher: " + tls_cipher)
|
||||
|
||||
bss = dev[0].get_bss(apdev[0]['bssid'])
|
||||
if 'flags' not in bss:
|
||||
raise Exception("Could not get BSS flags from BSS table")
|
||||
if "[WPA2-EAP-SUITE-B-192-GCMP-256]" not in bss['flags']:
|
||||
raise Exception("Unexpected BSS flags: " + bss['flags'])
|
||||
|
||||
dev[0].request("DISCONNECT")
|
||||
dev[0].wait_disconnected(timeout=20)
|
||||
dev[0].dump_monitor()
|
||||
dev[0].request("RECONNECT")
|
||||
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
|
||||
"CTRL-EVENT-CONNECTED"], timeout=20)
|
||||
if ev is None:
|
||||
raise Exception("Roaming with the AP timed out")
|
||||
if "CTRL-EVENT-EAP-STARTED" in ev:
|
||||
raise Exception("Unexpected EAP exchange")
|
||||
|
|
|
|||
Loading…
Reference in a new issue