tests: Server checking CRL with check_crl_strict=0

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2019-08-11 11:04:13 +03:00
parent 698a0067c9
commit 6379bd6acf
2 changed files with 86 additions and 0 deletions

View file

@ -0,0 +1,63 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15624081837803162817 (0xd8d3e3a6cbe3ccc1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FI, O=w1.fi, CN=Root CA
Validity
Not Before: Jun 29 16:41:22 2013 GMT
Not After : Jun 27 16:41:22 2023 GMT
Subject: C=FI, O=w1.fi, CN=Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:be:1e:86:e4:79:03:c1:d1:94:d5:d4:b3:b1:28:
90:76:fb:b8:a6:cd:6d:1c:d1:48:f4:08:9a:67:ff:
f9:a6:54:b1:19:29:df:29:1b:cd:f1:6f:66:01:e7:
db:79:ce:c0:39:2a:25:13:26:94:0c:2c:7b:5a:2c:
81:0f:94:ee:51:d0:75:e6:46:db:17:46:a7:15:8b:
0e:57:0f:b0:54:76:63:12:ca:86:18:bc:1a:c3:16:
c0:70:09:d6:6b:43:39:b8:98:29:46:ac:cb:6a:ad:
38:88:3b:07:dc:81:cd:3a:f6:1d:f6:2f:ef:1d:d7:
ae:8a:b6:d1:e7:b3:15:02:b9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
X509v3 Authority Key Identifier:
keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
1a:cf:77:60:44:43:c4:55:0e:99:e0:89:aa:b9:d3:7b:32:b7:
5c:9c:7c:ca:fe:8c:d4:94:c6:5e:f3:83:19:5f:29:59:68:a4:
4f:dc:04:2e:b8:71:c0:6d:3b:ae:01:e4:b9:88:99:cc:ce:82:
be:6a:28:c2:ac:6a:94:c6:87:90:ed:85:3c:10:71:c5:ff:3c:
70:64:e2:41:62:31:ea:86:7b:11:8c:93:ea:c6:f3:f3:4e:f9:
d4:f2:81:90:d7:f4:fa:a1:91:6e:d4:dd:15:3e:26:3b:ac:1e:
c3:c2:1f:ed:bb:34:bf:cb:b2:67:c6:c6:51:e8:51:22:b4:f3:
92:e8
-----BEGIN CERTIFICATE-----
MIICLDCCAZWgAwIBAgIJANjT46bL48zBMA0GCSqGSIb3DQEBBQUAMC8xCzAJBgNV
BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xMzA2
MjkxNjQxMjJaFw0yMzA2MjcxNjQxMjJaMC8xCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
DAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAvh6G5HkDwdGU1dSzsSiQdvu4ps1tHNFI9AiaZ//5plSxGSnfKRvN8W9m
Aefbec7AOSolEyaUDCx7WiyBD5TuUdB15kbbF0anFYsOVw+wVHZjEsqGGLwawxbA
cAnWa0M5uJgpRqzLaq04iDsH3IHNOvYd9i/vHdeuirbR57MVArkCAwEAAaNQME4w
HQYDVR0OBBYEFLiS3v2KGLMww59V8zNdtMgpikEUMB8GA1UdIwQYMBaAFLiS3v2K
GLMww59V8zNdtMgpikEUMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA
Gs93YERDxFUOmeCJqrnTezK3XJx8yv6M1JTGXvODGV8pWWikT9wELrhxwG07rgHk
uYiZzM6CvmoowqxqlMaHkO2FPBBxxf88cGTiQWIx6oZ7EYyT6sbz80751PKBkNf0
+qGRbtTdFT4mO6wew8If7bs0v8uyZ8bGUehRIrTzkug=
-----END CERTIFICATE-----
-----BEGIN X509 CRL-----
MIIBBjBxAgEBMA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
DAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQRcNMTkwODExMDc1ODM0WhcNMTkwODEx
MDg1ODM0WqAOMAwwCgYDVR0UBAMCARIwDQYJKoZIhvcNAQELBQADgYEAOTijPynY
c8ACRpu0+uIRjI6xIXDZqRubRvp/qrQVWtWHJWP2d6CbtaQVhZIfYFJLrLVfKyJv
WyzkLNdLw/l6rbVN5ctb+fByjjV6H99IExeYiGIuoXN++m8CTUqt77cim0TA1WkQ
bEwEY9aIN8zsXqioLvg5OBlWUfxnKmi2sQI=
-----END X509 CRL-----

View file

@ -5535,6 +5535,29 @@ def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
private_key="auth_serv/user.key") private_key="auth_serv/user.key")
dev[0].request("REMOVE_NETWORK all") dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_tls_check_crl_not_strict(dev, apdev):
"""EAP-TLS and server checking CRL with check_crl_strict=0"""
params = int_eap_server_params()
params['check_crl'] = '1'
params['ca_cert'] = "auth_serv/ca-and-crl-expired.pem"
hapd = hostapd.add_ap(apdev[0], params)
# check_crl_strict=1 and expired CRL --> reject connection
eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
client_cert="auth_serv/user.pem",
private_key="auth_serv/user.key", expect_failure=True)
dev[0].request("REMOVE_NETWORK all")
hapd.disable()
hapd.set("check_crl_strict", "0")
hapd.enable()
# check_crl_strict=0 --> accept
eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
client_cert="auth_serv/user.pem",
private_key="auth_serv/user.key")
dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_tls_crl_reload(dev, apdev, params): def test_ap_wpa2_eap_tls_crl_reload(dev, apdev, params):
"""EAP-TLS and server reloading CRL from ca_cert""" """EAP-TLS and server reloading CRL from ca_cert"""
ca_cert = os.path.join(params['logdir'], ca_cert = os.path.join(params['logdir'],