From 37b4a66ce69357f95cd036e09db40cc612a88b5c Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 11 Jan 2015 23:13:35 +0200
Subject: [PATCH] tests: Valid OCSP response with revoked and unknown cert status

This increases testing coverage for OCSP processing by confirming that valid OCSP response showing revoked certificate status prevents successful handshake completion. In addition, unknown certificate status is verified to prevent connection if OCSP is required and allow connection if OCSP is optional.

Signed-off-by: Jouni Malinen
---
 tests/hwsim/auth_serv/index-revoked.txt | 8 +++
 tests/hwsim/auth_serv/index-unknown.txt | 1 +
 tests/hwsim/start.sh | 12 +++++
 tests/hwsim/test_ap_eap.py | 71 +++++++++++++++++++++++++
 4 files changed, 92 insertions(+)
 create mode 100644 tests/hwsim/auth_serv/index-revoked.txt
 create mode 100644 tests/hwsim/auth_serv/index-unknown.txt

diff --git a/tests/hwsim/auth_serv/index-revoked.txt b/tests/hwsim/auth_serv/index-revoked.txt
new file mode 100644
index 000000000..95b052e3b
--- /dev/null
+++ b/tests/hwsim/auth_serv/index-revoked.txt
@@ -0,0 +1,8 @@
+V 230627164122Z D8D3E3A6CBE3CCC1 unknown /C=FI/O=w1.fi/CN=Root CA
+V 150215075930Z D8D3E3A6CBE3CCC9 unknown /C=FI/O=w1.fi/CN=server3.w1.fi
+V 140102000000Z D8D3E3A6CBE3CCCA unknown /C=FI/O=w1.fi/CN=server4.w1.fi
+V 150215083008Z D8D3E3A6CBE3CCCB unknown /C=FI/O=w1.fi/CN=server5.w1.fi
+V 150228224144Z D8D3E3A6CBE3CCCC unknown /C=FI/O=w1.fi/CN=server6.w1.fi
+V 160111185024Z D8D3E3A6CBE3CCCD unknown /C=FI/O=w1.fi/CN=ocsp.w1.fi
+R 150929211122Z 160111185024Z D8D3E3A6CBE3CCD0 unknown /C=FI/O=w1.fi/CN=server.w1.fi
+R 150929211300Z 160111185024Z D8D3E3A6CBE3CCD1 unknown /C=FI/O=w1.fi/CN=Test User
diff --git a/tests/hwsim/auth_serv/index-unknown.txt b/tests/hwsim/auth_serv/index-unknown.txt
new file mode 100644
index 000000000..97dfbbaa6
--- /dev/null
+++ b/tests/hwsim/auth_serv/index-unknown.txt
@@ -0,0 +1 @@
+V 230627164122Z D8D3E3A6CBE3CCC1 unknown /C=FI/O=w1.fi/CN=Root CA
diff --git a/tests/hwsim/start.sh b/tests/hwsim/start.sh
index 778daef07..df8a76da9 100755
--- a/tests/hwsim/start.sh
+++ b/tests/hwsim/start.sh
@@ -134,6 +134,18 @@ openssl ocsp -index $DIR/auth_serv/index.txt \
 if [ ! -r $LOGDIR/ocsp-server-cache.der ]; then
 	cp $DIR/auth_serv/ocsp-server-cache.der $LOGDIR/ocsp-server-cache.der
 fi
+
+for i in unknown revoked; do
+	openssl ocsp -index $DIR/auth_serv/index-$i.txt \
+	-rsigner $DIR/auth_serv/ocsp-responder.pem \
+	-rkey $DIR/auth_serv/ocsp-responder.key \
+	-CA $DIR/auth_serv/ca.pem \
+	-issuer $DIR/auth_serv/ca.pem \
+	-verify_other $DIR/auth_serv/ca.pem -trust_other \
+	-ndays 7 \
+	-reqin $DIR/auth_serv/ocsp-req.der \
+	-respout $LOGDIR/ocsp-server-cache-$i.der >> $LOGDIR/ocsp.log 2>&1
+done
 
 touch $LOGDIR/hostapd.db
 sudo $HAPD_AS -ddKt $LOGDIR/as.conf $LOGDIR/as2.conf > $LOGDIR/auth_serv &
diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index 01b333a21..1bcb0dcb6 100644
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
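Review bot: The `openssl ocsp` invocation in the new loop has no failure handling and, unlike the `cp` fallback kept for `ocsp-server-cache.der` just above it, nothing removes a leftover `$LOGDIR/ocsp-server-cache-$i.der` from an earlier run, so when generation fails the tests that look for that file find the stale one and run against it instead of skipping. Because the response is only issued for `-ndays 7`, a stale file most likely produces an expired-response failure rather than the revoked or unknown status the test is meant to exercise, which would let a test expecting a handshake failure pass for the wrong reason. A one-line guard keeps the skip path honest: `rm -f $LOGDIR/ocsp-server-cache-$i.der` as the first statement of the loop body, or `|| rm -f $LOGDIR/ocsp-server-cache-$i.der` appended after the redirections. A short comment above the loop saying that these two responses are regenerated on every start because of their seven-day lifetime would also help the next reader, since the default response above is handled differently.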
@@ -1980,6 +1980,77 @@ def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
     if ev is None:
         raise Exception("Timeout on EAP failure report")
 
+def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
+    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
+    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
+    if not os.path.exists(ocsp):
+        raise HwsimSkip("No OCSP response available")
+    params = int_eap_server_params()
+    params["ocsp_stapling_response"] = ocsp
+    hostapd.add_ap(apdev[0]['ifname'], params)
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+                   identity="pap user", ca_cert="auth_serv/ca.pem",
+                   anonymous_identity="ttls", password="password",
+                   phase2="auth=PAP", ocsp=2,
+                   wait_connect=False, scan_freq="2412")
+    count = 0
+    while True:
+        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
+        if ev is None:
+            raise Exception("Timeout on EAP status")
+        if 'bad certificate status response' in ev:
+            break
+        if 'certificate revoked' in ev:
+            break
+        count = count + 1
+        if count > 10:
+            raise Exception("Unexpected number of EAP status messages")
+
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
+    if ev is None:
+        raise Exception("Timeout on EAP failure report")
+
+def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
+    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
+    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
+    if not os.path.exists(ocsp):
+        raise HwsimSkip("No OCSP response available")
+    params = int_eap_server_params()
+    params["ocsp_stapling_response"] = ocsp
+    hostapd.add_ap(apdev[0]['ifname'], params)
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+                   identity="pap user", ca_cert="auth_serv/ca.pem",
+                   anonymous_identity="ttls", password="password",
+                   phase2="auth=PAP", ocsp=2,
+                   wait_connect=False, scan_freq="2412")
+    count = 0
+    while True:
+        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
+        if ev is None:
+            raise Exception("Timeout on EAP status")
+        if 'bad certificate status response' in ev:
+            break
+        count = count + 1
+        if count > 10:
+            raise Exception("Unexpected number of EAP status messages")
+
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
+    if ev is None:
+        raise Exception("Timeout on EAP failure report")
+
+def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
+    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
+    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
+    if not os.path.exists(ocsp):
+        raise HwsimSkip("No OCSP response available")
+    params = int_eap_server_params()
+    params["ocsp_stapling_response"] = ocsp
+    hostapd.add_ap(apdev[0]['ifname'], params)
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+                   identity="pap user", ca_cert="auth_serv/ca.pem",
+                   anonymous_identity="ttls", password="password",
+                   phase2="auth=PAP", ocsp=1, scan_freq="2412")
+
 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
     """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
     params = int_eap_server_params()
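Review bot: The status loop in `test_ap_wpa2_eap_ttls_ocsp_revoked` breaks on either `'bad certificate status response'` or `'certificate revoked'`, and since `test_ap_wpa2_eap_ttls_ocsp_unknown` in the same hunk shows that an unknown status produces the first string, the revoked test also passes when the staple is merely rejected (unknown status, or a stale response) and never confirms that revocation is what stopped the handshake; if the first string is kept because some TLS backend does not report revocation distinctly, a comment above the loop saying so would stop a reader from tightening it, otherwise the revoked test should break only on `'certificate revoked'`. The docstrings of `test_ap_wpa2_eap_ttls_ocsp_unknown` and `test_ap_wpa2_eap_ttls_optional_ocsp_unknown` were copied from the revoked test and still say `OCSP status revoked`; suggested: `"""WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""` and `"""WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""`. All three functions rebind the harness argument with `params = int_eap_server_params()` right after reading `params['logdir']`, so one name covers two unrelated dicts; `logdir = params['logdir']` up front or calling the server config `ap_params` would read better, and `count = count + 1` can be `count += 1`.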