From 37551fe374d537808e263772e38d4f88d5cc34b3 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sun, 25 Jan 2015 13:16:06 +0200 Subject: [PATCH] tests: Suite B 192-bit profile This adds a Suite B test case for 192-bit level. Signed-off-by: Jouni Malinen --- tests/hwsim/auth_serv/ec2-ca.pem | 15 +++++++ tests/hwsim/auth_serv/ec2-generate.sh | 53 ++++++++++++++++++++++++ tests/hwsim/auth_serv/ec2-server.key | 9 +++++ tests/hwsim/auth_serv/ec2-server.pem | 58 +++++++++++++++++++++++++++ tests/hwsim/auth_serv/ec2-user.key | 9 +++++ tests/hwsim/auth_serv/ec2-user.pem | 57 ++++++++++++++++++++++++++ tests/hwsim/test_suite_b.py | 58 +++++++++++++++++++++++++++ 7 files changed, 259 insertions(+) create mode 100644 tests/hwsim/auth_serv/ec2-ca.pem create mode 100755 tests/hwsim/auth_serv/ec2-generate.sh create mode 100644 tests/hwsim/auth_serv/ec2-server.key create mode 100644 tests/hwsim/auth_serv/ec2-server.pem create mode 100644 tests/hwsim/auth_serv/ec2-user.key create mode 100644 tests/hwsim/auth_serv/ec2-user.pem diff --git a/tests/hwsim/auth_serv/ec2-ca.pem b/tests/hwsim/auth_serv/ec2-ca.pem new file mode 100644 index 000000000..0054ba800 --- /dev/null +++ b/tests/hwsim/auth_serv/ec2-ca.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICPTCCAcSgAwIBAgIJAL63h7lu0KZpMAoGCCqGSM49BAMDMFIxCzAJBgNVBAYT +AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM +F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE1MDEyNTExMzIwM1oXDTI1MDEy +MjExMzIwM1owUjELMAkGA1UEBhMCRkkxETAPBgNVBAcMCEhlbHNpbmtpMQ4wDAYD +VQQKDAV3MS5maTEgMB4GA1UEAwwXU3VpdGUgQiAxOTItYml0IFJvb3QgQ0EwdjAQ +BgcqhkjOPQIBBgUrgQQAIgNiAAQjdOMC9bqcDR9/SaOhxNbmQLQTGZfhtmoxHkJL +5GG3bwW5hYA2jYHWU84H+mR6om6fg78G+IxjLly2OWiByYUeWDcsYqLGj3UHHaVv +rIitaRPyg3dExemnmK3zjgXnoaajZjBkMB0GA1UdDgQWBBSuBbynInvH0vn8IKZc +MbtBTo9svTAfBgNVHSMEGDAWgBSuBbynInvH0vn8IKZcMbtBTo9svTASBgNVHRMB +Af8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNnADBkAjBZ +vEbGRDQNvzAY3nfYrsrE2Dd11smT6zv0mIvDeQCktbISGpStRBQjAaFjcCyjDEkC +MH7ywcqJe+mpWDt5xFJvB52iZ7rX7rO0OX0qmjI38PC0IOo7euJdfcC1gHdSoAW3 +bA== +-----END CERTIFICATE----- diff --git a/tests/hwsim/auth_serv/ec2-generate.sh b/tests/hwsim/auth_serv/ec2-generate.sh new file mode 100755 index 000000000..5a8d2d224 --- /dev/null +++ b/tests/hwsim/auth_serv/ec2-generate.sh @@ -0,0 +1,53 @@ +#!/bin/sh + +OPENSSL=openssl + +CURVE=secp384r1 +DIGEST="-sha384" +DIGEST_CA="-md sha384" + +echo +echo "---[ Root CA ]----------------------------------------------------------" +echo + +cat ec-ca-openssl.cnf | + sed "s/#@CN@/commonName_default = Suite B 192-bit Root CA/" \ + > ec-ca-openssl.cnf.tmp +$OPENSSL ecparam -out ec2-ca.key -name $CURVE -genkey +$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -x509 -new -key ec2-ca.key -out ec2-ca.pem -outform PEM -days 3650 $DIGEST +mkdir -p ec-ca/certs ec-ca/crl ec-ca/newcerts ec-ca/private +touch ec-ca/index.txt +rm ec-ca-openssl.cnf.tmp + +echo +echo "---[ Server ]-----------------------------------------------------------" +echo + +cat ec-ca-openssl.cnf | + sed "s/#@CN@/commonName_default = server.w1.fi/" | + sed "s/#@ALTNAME@/subjectAltName=critical,DNS:server.w1.fi/" \ + > ec-ca-openssl.cnf.tmp +$OPENSSL ecparam -out ec2-server.key -name $CURVE -genkey +$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-server.key -out ec2-server.req -outform PEM $DIGEST +$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-server.req -out ec2-server.pem -extensions ext_server $DIGEST_CA +rm ec-ca-openssl.cnf.tmp + +echo +echo "---[ User ]-------------------------------------------------------------" +echo + +cat ec-ca-openssl.cnf | + sed "s/#@CN@/commonName_default = user/" | + sed "s/#@ALTNAME@/subjectAltName=email:user@w1.fi/" \ + > ec-ca-openssl.cnf.tmp +$OPENSSL ecparam -out ec2-user.key -name $CURVE -genkey +$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-user.key -out ec2-user.req -outform PEM -extensions ext_client $DIGEST +$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-user.req -out ec2-user.pem -extensions ext_client $DIGEST_CA +rm ec-ca-openssl.cnf.tmp + +echo +echo "---[ Verify ]-----------------------------------------------------------" +echo + +$OPENSSL verify -CAfile ec2-ca.pem ec2-server.pem +$OPENSSL verify -CAfile ec2-ca.pem ec2-user.pem diff --git a/tests/hwsim/auth_serv/ec2-server.key b/tests/hwsim/auth_serv/ec2-server.key new file mode 100644 index 000000000..9cd76ee2d --- /dev/null +++ b/tests/hwsim/auth_serv/ec2-server.key @@ -0,0 +1,9 @@ +-----BEGIN EC PARAMETERS----- +BgUrgQQAIg== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDCjaz/zVDXqNO/XprtliomKOC6QjbBFgsF2YwUAtKB5ukL4miVGNyCu +jIlq9eUD1x6gBwYFK4EEACKhZANiAARWq1ut1b6ctOFBkEOjULL3VjJFP15g0gk+ +sBTMBogU5WRN7Qod/jfem5k4O7FKYZNAarDFMh2yDMXZvRooiNyL0AH2wk0qzN5u +n02JOt9Q76TVYflE91C5DTxjgLOgxBw= +-----END EC PRIVATE KEY----- diff --git a/tests/hwsim/auth_serv/ec2-server.pem b/tests/hwsim/auth_serv/ec2-server.pem new file mode 100644 index 000000000..a7cc37e13 --- /dev/null +++ b/tests/hwsim/auth_serv/ec2-server.pem @@ -0,0 +1,58 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 9347590364512421238 (0x81b94fe92ea08576) + Signature Algorithm: ecdsa-with-SHA384 + Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B 192-bit Root CA + Validity + Not Before: Jan 25 11:32:03 2015 GMT + Not After : Jan 25 11:32:03 2016 GMT + Subject: C=FI, O=w1.fi, CN=server.w1.fi + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:56:ab:5b:ad:d5:be:9c:b4:e1:41:90:43:a3:50: + b2:f7:56:32:45:3f:5e:60:d2:09:3e:b0:14:cc:06: + 88:14:e5:64:4d:ed:0a:1d:fe:37:de:9b:99:38:3b: + b1:4a:61:93:40:6a:b0:c5:32:1d:b2:0c:c5:d9:bd: + 1a:28:88:dc:8b:d0:01:f6:c2:4d:2a:cc:de:6e:9f: + 4d:89:3a:df:50:ef:a4:d5:61:f9:44:f7:50:b9:0d: + 3c:63:80:b3:a0:c4:1c + ASN1 OID: secp384r1 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Key Identifier: + 19:D7:57:D0:3B:91:84:A4:AF:93:03:32:3C:AB:C4:F9:A7:B0:27:19 + X509v3 Authority Key Identifier: + keyid:AE:05:BC:A7:22:7B:C7:D2:F9:FC:20:A6:5C:31:BB:41:4E:8F:6C:BD + + X509v3 Subject Alternative Name: critical + DNS:server.w1.fi + X509v3 Extended Key Usage: critical + TLS Web Server Authentication + X509v3 Key Usage: + Digital Signature, Key Encipherment + Signature Algorithm: ecdsa-with-SHA384 + 30:65:02:30:79:68:37:af:eb:46:e8:77:35:13:77:d5:db:eb: + f9:75:40:cd:d4:3d:0a:03:ec:67:a0:22:fe:65:f5:d7:ca:53: + 4a:85:f5:14:4b:41:f9:b9:98:a6:85:8b:ac:e0:c8:6c:02:31: + 00:83:12:02:be:93:2b:c2:00:74:ec:cb:fc:5a:8c:a6:5e:52: + ee:20:76:3d:73:2b:fb:fe:60:4c:52:f3:bc:1e:4c:e8:f9:ea: + f6:e2:f6:ca:c6:a8:3b:2d:9a:17:eb:4d:0a +-----BEGIN CERTIFICATE----- +MIICTTCCAdOgAwIBAgIJAIG5T+kuoIV2MAoGCCqGSM49BAMDMFIxCzAJBgNVBAYT +AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM +F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE1MDEyNTExMzIwM1oXDTE2MDEy +NTExMzIwM1owNDELMAkGA1UEBhMCRkkxDjAMBgNVBAoMBXcxLmZpMRUwEwYDVQQD +DAxzZXJ2ZXIudzEuZmkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARWq1ut1b6ctOFB +kEOjULL3VjJFP15g0gk+sBTMBogU5WRN7Qod/jfem5k4O7FKYZNAarDFMh2yDMXZ +vRooiNyL0AH2wk0qzN5un02JOt9Q76TVYflE91C5DTxjgLOgxByjgZIwgY8wDAYD +VR0TAQH/BAIwADAdBgNVHQ4EFgQUGddX0DuRhKSvkwMyPKvE+aewJxkwHwYDVR0j +BBgwFoAUrgW8pyJ7x9L5/CCmXDG7QU6PbL0wGgYDVR0RAQH/BBAwDoIMc2VydmVy +LncxLmZpMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDAKBggq +hkjOPQQDAwNoADBlAjB5aDev60bodzUTd9Xb6/l1QM3UPQoD7GegIv5l9dfKU0qF +9RRLQfm5mKaFi6zgyGwCMQCDEgK+kyvCAHTsy/xajKZeUu4gdj1zK/v+YExS87we +TOj56vbi9srGqDstmhfrTQo= +-----END CERTIFICATE----- diff --git a/tests/hwsim/auth_serv/ec2-user.key b/tests/hwsim/auth_serv/ec2-user.key new file mode 100644 index 000000000..adfa93781 --- /dev/null +++ b/tests/hwsim/auth_serv/ec2-user.key @@ -0,0 +1,9 @@ +-----BEGIN EC PARAMETERS----- +BgUrgQQAIg== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDB7tpaHBuZZG+MVYjRVpZvZvZxxFOu/reH2Ms3DiBH5DHW7dLP7T4Gs +X+yw8bQZwCqgBwYFK4EEACKhZANiAATJYVk5woo/LAFd+znRAoMOClGXtfO2yZlp +3n6jYUsG48W03XOlYd2/aCJVtGp6SwRVxumfYT4TejEj/Ky44vOlmQ9pasNfMYYN +kpHcAWJ8sV7mP7LM9YVksksfhon91+E= +-----END EC PRIVATE KEY----- diff --git a/tests/hwsim/auth_serv/ec2-user.pem b/tests/hwsim/auth_serv/ec2-user.pem new file mode 100644 index 000000000..ef86cd172 --- /dev/null +++ b/tests/hwsim/auth_serv/ec2-user.pem @@ -0,0 +1,57 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 9347590364512421239 (0x81b94fe92ea08577) + Signature Algorithm: ecdsa-with-SHA384 + Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B 192-bit Root CA + Validity + Not Before: Jan 25 11:32:03 2015 GMT + Not After : Jan 25 11:32:03 2016 GMT + Subject: C=FI, O=w1.fi, CN=user + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:c9:61:59:39:c2:8a:3f:2c:01:5d:fb:39:d1:02: + 83:0e:0a:51:97:b5:f3:b6:c9:99:69:de:7e:a3:61: + 4b:06:e3:c5:b4:dd:73:a5:61:dd:bf:68:22:55:b4: + 6a:7a:4b:04:55:c6:e9:9f:61:3e:13:7a:31:23:fc: + ac:b8:e2:f3:a5:99:0f:69:6a:c3:5f:31:86:0d:92: + 91:dc:01:62:7c:b1:5e:e6:3f:b2:cc:f5:85:64:b2: + 4b:1f:86:89:fd:d7:e1 + ASN1 OID: secp384r1 + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 75:EA:7B:CE:8A:99:D2:E7:77:B4:3B:80:68:59:E9:B6:88:B2:FA:F6 + X509v3 Authority Key Identifier: + keyid:AE:05:BC:A7:22:7B:C7:D2:F9:FC:20:A6:5C:31:BB:41:4E:8F:6C:BD + + X509v3 Subject Alternative Name: + email:user@w1.fi + X509v3 Extended Key Usage: + TLS Web Client Authentication + X509v3 Key Usage: + Digital Signature, Key Encipherment + Signature Algorithm: ecdsa-with-SHA384 + 30:65:02:31:00:c2:b7:35:4e:5e:d1:da:7f:35:a0:ac:54:92: + 18:08:0d:9c:86:e9:4e:cf:3a:09:48:23:eb:4d:56:77:e5:d0: + e7:b0:55:b3:0e:91:2d:f8:3e:1c:4e:0d:b7:32:dc:11:1b:02: + 30:49:c2:6b:63:39:3c:4b:d9:e9:8d:b9:ce:6e:8e:9f:88:43: + 03:e0:5f:7e:75:44:12:66:f8:c6:ae:8e:f1:da:10:02:36:8c: + 7b:a2:89:a0:05:3b:c6:39:d6:e1:7a:b7:85 +-----BEGIN CERTIFICATE----- +MIICOjCCAcCgAwIBAgIJAIG5T+kuoIV3MAoGCCqGSM49BAMDMFIxCzAJBgNVBAYT +AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM +F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE1MDEyNTExMzIwM1oXDTE2MDEy +NTExMzIwM1owLDELMAkGA1UEBhMCRkkxDjAMBgNVBAoMBXcxLmZpMQ0wCwYDVQQD +DAR1c2VyMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEyWFZOcKKPywBXfs50QKDDgpR +l7XztsmZad5+o2FLBuPFtN1zpWHdv2giVbRqeksEVcbpn2E+E3oxI/ysuOLzpZkP +aWrDXzGGDZKR3AFifLFe5j+yzPWFZLJLH4aJ/dfho4GHMIGEMAkGA1UdEwQCMAAw +HQYDVR0OBBYEFHXqe86KmdLnd7Q7gGhZ6baIsvr2MB8GA1UdIwQYMBaAFK4FvKci +e8fS+fwgplwxu0FOj2y9MBUGA1UdEQQOMAyBCnVzZXJAdzEuZmkwEwYDVR0lBAww +CgYIKwYBBQUHAwIwCwYDVR0PBAQDAgWgMAoGCCqGSM49BAMDA2gAMGUCMQDCtzVO +XtHafzWgrFSSGAgNnIbpTs86CUgj601Wd+XQ57BVsw6RLfg+HE4NtzLcERsCMEnC +a2M5PEvZ6Y25zm6On4hDA+BffnVEEmb4xq6O8doQAjaMe6KJoAU7xjnW4Xq3hQ== +-----END CERTIFICATE----- diff --git a/tests/hwsim/test_suite_b.py b/tests/hwsim/test_suite_b.py index fa17ed9f5..2fee87c48 100644 --- a/tests/hwsim/test_suite_b.py +++ b/tests/hwsim/test_suite_b.py @@ -68,3 +68,61 @@ def test_suite_b(dev, apdev): raise Exception("Roaming with the AP timed out") if "CTRL-EVENT-EAP-STARTED" in ev: raise Exception("Unexpected EAP exchange") + +def test_suite_b_192(dev, apdev): + """WPA2-PSK/GCMP-256 connection at Suite B 192-bit level""" + if "GCMP-256" not in dev[0].get_capability("pairwise"): + raise HwsimSkip("GCMP-256 not supported") + if "BIP-GMAC-256" not in dev[0].get_capability("group_mgmt"): + raise HwsimSkip("BIP-GMAC-256 not supported") + if "WPA-EAP-SUITE-B-192" not in dev[0].get_capability("key_mgmt"): + raise HwsimSkip("WPA-EAP-SUITE-B-192 not supported") + tls = dev[0].request("GET tls_library") + if not tls.startswith("OpenSSL"): + raise HwsimSkip("TLS library not supported for Suite B: " + tls); + if "build=OpenSSL 1.0.2" not in tls or "run=OpenSSL 1.0.2" not in tls: + raise HwsimSkip("OpenSSL version not supported for Suite B: " + tls) + + params = { "ssid": "test-suite-b", + "wpa": "2", + "wpa_key_mgmt": "WPA-EAP-SUITE-B-192", + "rsn_pairwise": "GCMP-256", + "group_mgmt_cipher": "BIP-GMAC-256", + "ieee80211w": "2", + "ieee8021x": "1", + "openssl_ciphers": "SUITEB192", + "eap_server": "1", + "eap_user_file": "auth_serv/eap_user.conf", + "ca_cert": "auth_serv/ec2-ca.pem", + "server_cert": "auth_serv/ec2-server.pem", + "private_key": "auth_serv/ec2-server.key" } + hapd = hostapd.add_ap(apdev[0]['ifname'], params) + + dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192", + ieee80211w="2", + openssl_ciphers="SUITEB192", + eap="TLS", identity="tls user", + ca_cert="auth_serv/ec2-ca.pem", + client_cert="auth_serv/ec2-user.pem", + private_key="auth_serv/ec2-user.key", + pairwise="GCMP-256", group="GCMP-256", scan_freq="2412") + tls_cipher = dev[0].get_status_field("EAP TLS cipher") + if tls_cipher != "ECDHE-ECDSA-AES256-GCM-SHA384": + raise Exception("Unexpected TLS cipher: " + tls_cipher) + + bss = dev[0].get_bss(apdev[0]['bssid']) + if 'flags' not in bss: + raise Exception("Could not get BSS flags from BSS table") + if "[WPA2-EAP-SUITE-B-192-GCMP-256]" not in bss['flags']: + raise Exception("Unexpected BSS flags: " + bss['flags']) + + dev[0].request("DISCONNECT") + dev[0].wait_disconnected(timeout=20) + dev[0].dump_monitor() + dev[0].request("RECONNECT") + ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED", + "CTRL-EVENT-CONNECTED"], timeout=20) + if ev is None: + raise Exception("Roaming with the AP timed out") + if "CTRL-EVENT-EAP-STARTED" in ev: + raise Exception("Unexpected EAP exchange")