diff --git a/tests/hwsim/auth_serv/server-eku-client.key b/tests/hwsim/auth_serv/server-eku-client.key new file mode 100644 index 000000000..f2a99cd1b --- /dev/null +++ b/tests/hwsim/auth_serv/server-eku-client.key @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAKOZ6eLhF2A7cDQa +dFxG47i9u6rJ8+77EjCgacN0OIA6uiNSx8Fqz7rdQePSaTWkpmBsMR+FvVZsewlj +zadRa4RAkHd+l2h7OLXEFTt0NzQounri14RTeHZNFre43wly54cmdCwEysXOKfW0 +ztso60VHQo/tiFqjI0mbe7w54QFTAgMBAAECgYAngwCtvtc6cqCCtPDtaGGPOKOe +d+/mA9U80UE551POBGD4LwH3gKhy5QUI1MR8JCvalca3akF0IfcFKYl9o3hnsZ73 +3wGzxM8BEf9wEVtVC2CTRVoIupleaEk3j8dgaUs/O54WkmAoHF1avXAMSGOUDxCO +Ggpn2tei78Csdj78IQJBANF7a7RaJsXh6xMI7hlrVrUsIbBvsBo1wbbGCwNRvgzL +I1mq1O+Go7Aao0pDK7sOUa86j6ECZ5pzqcdPaF22tJ8CQQDH7kTy6ERBbLFxs/Wd +YLDEh1GIGyGW10tuJTOl2R1TKSBXRzPAeI+jcC+AC00238p4MO899WOVeLvaERZa +IuLNAkAtlxXGp4Qett9JQj1HbPPu9A7U7km+OorRM2K8MzMQZ7lmz2YORxgiwHlf +NSU0TZZ7c1xE51gS5i9CAEcvdg7zAkAKIZfa20xCKHjhcyYaIIE0pErMY9uS4jwP +S9FPMS5cPXRHF/OWaEWXGaM+kNQL2NFQv+IPuLSgKWsThNQmIyhtAkEAiQq1HdN7 +3l8YhUuJtxg7nrh2s0V4UcSNOZxVf/85AKrTu1IfjdwmXFeoRB/y9Ef4h1bcXgzj +clIVhie7r0JNLw== +-----END PRIVATE KEY----- diff --git a/tests/hwsim/auth_serv/server-eku-client.pem b/tests/hwsim/auth_serv/server-eku-client.pem new file mode 100644 index 000000000..a9240420e --- /dev/null +++ b/tests/hwsim/auth_serv/server-eku-client.pem @@ -0,0 +1,62 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 15624081837803162827 (0xd8d3e3a6cbe3cccb) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=FI, O=w1.fi, CN=Root CA + Validity + Not Before: Feb 15 08:30:08 2014 GMT + Not After : Feb 15 08:30:08 2015 GMT + Subject: C=FI, O=w1.fi, CN=server5.w1.fi + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: + 00:a3:99:e9:e2:e1:17:60:3b:70:34:1a:74:5c:46: + e3:b8:bd:bb:aa:c9:f3:ee:fb:12:30:a0:69:c3:74: + 38:80:3a:ba:23:52:c7:c1:6a:cf:ba:dd:41:e3:d2: + 69:35:a4:a6:60:6c:31:1f:85:bd:56:6c:7b:09:63: + cd:a7:51:6b:84:40:90:77:7e:97:68:7b:38:b5:c4: + 15:3b:74:37:34:28:ba:7a:e2:d7:84:53:78:76:4d: + 16:b7:b8:df:09:72:e7:87:26:74:2c:04:ca:c5:ce: + 29:f5:b4:ce:db:28:eb:45:47:42:8f:ed:88:5a:a3: + 23:49:9b:7b:bc:39:e1:01:53 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 33:16:9D:3B:17:15:82:2B:34:6E:38:E8:CC:22:BF:49:A7:5E:2A:2B + X509v3 Authority Key Identifier: + keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14 + + Authority Information Access: + OCSP - URI:http://server.w1.fi:8888/ + + X509v3 Extended Key Usage: + TLS Web Client Authentication + Signature Algorithm: sha1WithRSAEncryption + 6f:2d:cb:3b:91:50:15:e1:c7:41:15:6c:a4:89:e5:0e:f9:f9: + 9b:10:36:d8:67:a8:29:e2:6a:6f:89:7b:66:bd:f1:b8:fa:1c: + f7:22:8b:85:4e:37:f3:d6:1e:35:df:c7:04:e6:13:20:ca:fa: + 62:cc:8d:3a:bd:97:10:5c:1b:0b:39:79:ac:13:61:59:79:fd: + a1:4b:7d:c9:c5:c4:19:4d:76:5b:cd:6d:1e:f2:aa:ef:67:51: + aa:0c:ef:6a:f2:10:71:6f:19:e6:12:ab:3e:65:76:0f:5a:0f: + cf:96:30:c3:fc:59:e9:13:af:e1:8a:b0:2c:78:ad:3d:b4:e9: + e5:20 +-----BEGIN CERTIFICATE----- +MIICfTCCAeagAwIBAgIJANjT46bL48zLMA0GCSqGSIb3DQEBBQUAMC8xCzAJBgNV +BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNDAy +MTUwODMwMDhaFw0xNTAyMTUwODMwMDhaMDUxCzAJBgNVBAYTAkZJMQ4wDAYDVQQK +DAV3MS5maTEWMBQGA1UEAwwNc2VydmVyNS53MS5maTCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEAo5np4uEXYDtwNBp0XEbjuL27qsnz7vsSMKBpw3Q4gDq6I1LH +wWrPut1B49JpNaSmYGwxH4W9Vmx7CWPNp1FrhECQd36XaHs4tcQVO3Q3NCi6euLX +hFN4dk0Wt7jfCXLnhyZ0LATKxc4p9bTO2yjrRUdCj+2IWqMjSZt7vDnhAVMCAwEA +AaOBmjCBlzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQzFp07FxWCKzRuOOjMIr9Jp14q +KzAfBgNVHSMEGDAWgBS4kt79ihizMMOfVfMzXbTIKYpBFDA1BggrBgEFBQcBAQQp +MCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly9zZXJ2ZXIudzEuZmk6ODg4OC8wEwYDVR0l +BAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADgYEAby3LO5FQFeHHQRVspInl +Dvn5mxA22GeoKeJqb4l7Zr3xuPoc9yKLhU4389YeNd/HBOYTIMr6YsyNOr2XEFwb +Czl5rBNhWXn9oUt9ycXEGU12W81tHvKq72dRqgzvavIQcW8Z5hKrPmV2D1oPz5Yw +w/xZ6ROv4YqwLHitPbTp5SA= +-----END CERTIFICATE----- diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py index c10e6e584..155ea244c 100644 --- a/tests/hwsim/test_ap_eap.py +++ b/tests/hwsim/test_ap_eap.py @@ -949,3 +949,18 @@ def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev): ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP", phase1="tls_disable_time_checks=1", scan_freq="2412") + +def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev): + """WPA2-Enterprise using EAP-TTLS and server cert with client EKU""" + params = int_eap_server_params() + params["server_cert"] = "auth_serv/server-eku-client.pem" + params["private_key"] = "auth_serv/server-eku-client.key" + hostapd.add_ap(apdev[0]['ifname'], params) + dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS", + identity="mschap user", password="password", + ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP", + wait_connect=False, + scan_freq="2412") + ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) + if ev is None: + raise Exception("Timeout on EAP failure report")