tests: Server checking CRL with check_crl_strict=0
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
698a0067c9
commit
6379bd6acf
2 changed files with 86 additions and 0 deletions
63
tests/hwsim/auth_serv/ca-and-crl-expired.pem
Normal file
63
tests/hwsim/auth_serv/ca-and-crl-expired.pem
Normal file
|
@ -0,0 +1,63 @@
|
||||||
|
Certificate:
|
||||||
|
Data:
|
||||||
|
Version: 3 (0x2)
|
||||||
|
Serial Number: 15624081837803162817 (0xd8d3e3a6cbe3ccc1)
|
||||||
|
Signature Algorithm: sha1WithRSAEncryption
|
||||||
|
Issuer: C=FI, O=w1.fi, CN=Root CA
|
||||||
|
Validity
|
||||||
|
Not Before: Jun 29 16:41:22 2013 GMT
|
||||||
|
Not After : Jun 27 16:41:22 2023 GMT
|
||||||
|
Subject: C=FI, O=w1.fi, CN=Root CA
|
||||||
|
Subject Public Key Info:
|
||||||
|
Public Key Algorithm: rsaEncryption
|
||||||
|
Public-Key: (1024 bit)
|
||||||
|
Modulus:
|
||||||
|
00:be:1e:86:e4:79:03:c1:d1:94:d5:d4:b3:b1:28:
|
||||||
|
90:76:fb:b8:a6:cd:6d:1c:d1:48:f4:08:9a:67:ff:
|
||||||
|
f9:a6:54:b1:19:29:df:29:1b:cd:f1:6f:66:01:e7:
|
||||||
|
db:79:ce:c0:39:2a:25:13:26:94:0c:2c:7b:5a:2c:
|
||||||
|
81:0f:94:ee:51:d0:75:e6:46:db:17:46:a7:15:8b:
|
||||||
|
0e:57:0f:b0:54:76:63:12:ca:86:18:bc:1a:c3:16:
|
||||||
|
c0:70:09:d6:6b:43:39:b8:98:29:46:ac:cb:6a:ad:
|
||||||
|
38:88:3b:07:dc:81:cd:3a:f6:1d:f6:2f:ef:1d:d7:
|
||||||
|
ae:8a:b6:d1:e7:b3:15:02:b9
|
||||||
|
Exponent: 65537 (0x10001)
|
||||||
|
X509v3 extensions:
|
||||||
|
X509v3 Subject Key Identifier:
|
||||||
|
B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
|
||||||
|
X509v3 Authority Key Identifier:
|
||||||
|
keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
|
||||||
|
|
||||||
|
X509v3 Basic Constraints:
|
||||||
|
CA:TRUE
|
||||||
|
Signature Algorithm: sha1WithRSAEncryption
|
||||||
|
1a:cf:77:60:44:43:c4:55:0e:99:e0:89:aa:b9:d3:7b:32:b7:
|
||||||
|
5c:9c:7c:ca:fe:8c:d4:94:c6:5e:f3:83:19:5f:29:59:68:a4:
|
||||||
|
4f:dc:04:2e:b8:71:c0:6d:3b:ae:01:e4:b9:88:99:cc:ce:82:
|
||||||
|
be:6a:28:c2:ac:6a:94:c6:87:90:ed:85:3c:10:71:c5:ff:3c:
|
||||||
|
70:64:e2:41:62:31:ea:86:7b:11:8c:93:ea:c6:f3:f3:4e:f9:
|
||||||
|
d4:f2:81:90:d7:f4:fa:a1:91:6e:d4:dd:15:3e:26:3b:ac:1e:
|
||||||
|
c3:c2:1f:ed:bb:34:bf:cb:b2:67:c6:c6:51:e8:51:22:b4:f3:
|
||||||
|
92:e8
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICLDCCAZWgAwIBAgIJANjT46bL48zBMA0GCSqGSIb3DQEBBQUAMC8xCzAJBgNV
|
||||||
|
BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xMzA2
|
||||||
|
MjkxNjQxMjJaFw0yMzA2MjcxNjQxMjJaMC8xCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
|
||||||
|
DAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
|
||||||
|
gYkCgYEAvh6G5HkDwdGU1dSzsSiQdvu4ps1tHNFI9AiaZ//5plSxGSnfKRvN8W9m
|
||||||
|
Aefbec7AOSolEyaUDCx7WiyBD5TuUdB15kbbF0anFYsOVw+wVHZjEsqGGLwawxbA
|
||||||
|
cAnWa0M5uJgpRqzLaq04iDsH3IHNOvYd9i/vHdeuirbR57MVArkCAwEAAaNQME4w
|
||||||
|
HQYDVR0OBBYEFLiS3v2KGLMww59V8zNdtMgpikEUMB8GA1UdIwQYMBaAFLiS3v2K
|
||||||
|
GLMww59V8zNdtMgpikEUMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA
|
||||||
|
Gs93YERDxFUOmeCJqrnTezK3XJx8yv6M1JTGXvODGV8pWWikT9wELrhxwG07rgHk
|
||||||
|
uYiZzM6CvmoowqxqlMaHkO2FPBBxxf88cGTiQWIx6oZ7EYyT6sbz80751PKBkNf0
|
||||||
|
+qGRbtTdFT4mO6wew8If7bs0v8uyZ8bGUehRIrTzkug=
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
-----BEGIN X509 CRL-----
|
||||||
|
MIIBBjBxAgEBMA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
|
||||||
|
DAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQRcNMTkwODExMDc1ODM0WhcNMTkwODEx
|
||||||
|
MDg1ODM0WqAOMAwwCgYDVR0UBAMCARIwDQYJKoZIhvcNAQELBQADgYEAOTijPynY
|
||||||
|
c8ACRpu0+uIRjI6xIXDZqRubRvp/qrQVWtWHJWP2d6CbtaQVhZIfYFJLrLVfKyJv
|
||||||
|
WyzkLNdLw/l6rbVN5ctb+fByjjV6H99IExeYiGIuoXN++m8CTUqt77cim0TA1WkQ
|
||||||
|
bEwEY9aIN8zsXqioLvg5OBlWUfxnKmi2sQI=
|
||||||
|
-----END X509 CRL-----
|
|
@ -5535,6 +5535,29 @@ def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
|
||||||
private_key="auth_serv/user.key")
|
private_key="auth_serv/user.key")
|
||||||
dev[0].request("REMOVE_NETWORK all")
|
dev[0].request("REMOVE_NETWORK all")
|
||||||
|
|
||||||
|
def test_ap_wpa2_eap_tls_check_crl_not_strict(dev, apdev):
|
||||||
|
"""EAP-TLS and server checking CRL with check_crl_strict=0"""
|
||||||
|
params = int_eap_server_params()
|
||||||
|
params['check_crl'] = '1'
|
||||||
|
params['ca_cert'] = "auth_serv/ca-and-crl-expired.pem"
|
||||||
|
hapd = hostapd.add_ap(apdev[0], params)
|
||||||
|
|
||||||
|
# check_crl_strict=1 and expired CRL --> reject connection
|
||||||
|
eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
|
||||||
|
client_cert="auth_serv/user.pem",
|
||||||
|
private_key="auth_serv/user.key", expect_failure=True)
|
||||||
|
dev[0].request("REMOVE_NETWORK all")
|
||||||
|
|
||||||
|
hapd.disable()
|
||||||
|
hapd.set("check_crl_strict", "0")
|
||||||
|
hapd.enable()
|
||||||
|
|
||||||
|
# check_crl_strict=0 --> accept
|
||||||
|
eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
|
||||||
|
client_cert="auth_serv/user.pem",
|
||||||
|
private_key="auth_serv/user.key")
|
||||||
|
dev[0].request("REMOVE_NETWORK all")
|
||||||
|
|
||||||
def test_ap_wpa2_eap_tls_crl_reload(dev, apdev, params):
|
def test_ap_wpa2_eap_tls_crl_reload(dev, apdev, params):
|
||||||
"""EAP-TLS and server reloading CRL from ca_cert"""
|
"""EAP-TLS and server reloading CRL from ca_cert"""
|
||||||
ca_cert = os.path.join(params['logdir'],
|
ca_cert = os.path.join(params['logdir'],
|
||||||
|
|
Loading…
Reference in a new issue