tests: Add negative TLS test case to verify trust root validation
Signed-hostap: Jouni Malinen <j@w1.fi>
parent
d93a240731
commit
c7afc0789c
2 changed files with 105 additions and 0 deletions
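--- a/tests/hwsim/auth_serv/ca-incorrect.pem
+++ b/tests/hwsim/auth_serv/ca-incorrect.pem
@@ -0,0 +1,55 @@
+Certificate:
+Data:
+Version: 3 (0x2)
+Serial Number: 10855188644662735910 (0x96a5608f1ef9f426)
+Signature Algorithm: sha1WithRSAEncryption
+Issuer: C=FI, CN=TEST - Incorrect Root CA
+Validity
+Not Before: Oct 20 16:30:06 2013 GMT
+Not After : Oct 18 16:30:06 2023 GMT
+Subject: C=FI, CN=TEST - Incorrect Root CA
+Subject Public Key Info:
+Public Key Algorithm: rsaEncryption
+Public-Key: (1024 bit)
+Modulus:
+00:bc:0c:8e:61:1e:5b:ea:b2:6b:cc:8a:8c:38:85:
+6d:79:e0:7a:28:d1:b5:55:65:52:f8:e2:2c:74:c1:
+00:15:c6:15:84:56:08:f5:e9:eb:bc:07:8d:b7:97:
+b6:73:7f:46:77:86:31:d0:f0:7f:95:d6:4a:7c:35:
+07:85:43:41:5e:f4:07:84:e6:52:cb:52:38:ef:fe:
+6a:16:84:22:45:2e:c1:a1:16:8d:d2:b3:62:c2:05:
+77:43:04:2e:d0:52:ee:db:78:10:79:44:49:92:35:
+ee:99:83:aa:a0:1d:e6:3d:c3:c6:a2:8e:b6:4d:7f:
+d8:11:a9:a3:bc:68:1d:a2:6f
+Exponent: 65537 (0x10001)
+X509v3 extensions:
+X509v3 Subject Key Identifier:
+3E:49:CB:A7:6A:A7:08:4F:DA:99:E4:3C:64:A2:AC:96:BE:99:E4:F2
+X509v3 Authority Key Identifier:
+keyid:3E:49:CB:A7:6A:A7:08:4F:DA:99:E4:3C:64:A2:AC:96:BE:99:E4:F2
+
+X509v3 Basic Constraints:
+CA:TRUE
+Signature Algorithm: sha1WithRSAEncryption
+31:98:35:4b:d8:d2:8e:55:7a:af:06:f8:ef:6b:24:13:11:12:
+b0:77:81:b9:ab:50:20:d6:78:99:3f:bc:3d:89:d4:b2:bd:7a:
+54:03:fc:a7:a4:9f:2b:09:da:75:c9:8d:4c:65:90:c5:df:fc:
+6b:48:52:f1:0a:aa:57:8a:b1:f5:fe:35:87:87:32:39:b9:ad:
+80:f0:8e:36:72:63:d5:97:20:e5:b6:06:64:31:5a:66:66:15:
+85:68:b7:9d:26:8b:46:7f:e8:1b:09:f5:c2:4a:35:7c:49:e2:
+b2:dc:59:b2:91:8d:85:33:07:09:ca:78:7a:db:b3:e5:58:2c:
+cc:6a
+-----BEGIN CERTIFICATE-----
+MIICLjCCAZegAwIBAgIJAJalYI8e+fQmMA0GCSqGSIb3DQEBBQUAMDAxCzAJBgNV
+BAYTAkZJMSEwHwYDVQQDDBhURVNUIC0gSW5jb3JyZWN0IFJvb3QgQ0EwHhcNMTMx
+MDIwMTYzMDA2WhcNMjMxMDE4MTYzMDA2WjAwMQswCQYDVQQGEwJGSTEhMB8GA1UE
+AwwYVEVTVCAtIEluY29ycmVjdCBSb290IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQC8DI5hHlvqsmvMiow4hW154Hoo0bVVZVL44ix0wQAVxhWEVgj16eu8
+B423l7Zzf0Z3hjHQ8H+V1kp8NQeFQ0Fe9AeE5lLLUjjv/moWhCJFLsGhFo3Ss2LC
+BXdDBC7QUu7beBB5REmSNe6Zg6qgHeY9w8aijrZNf9gRqaO8aB2ibwIDAQABo1Aw
+TjAdBgNVHQ4EFgQUPknLp2qnCE/ameQ8ZKKslr6Z5PIwHwYDVR0jBBgwFoAUPknL
+p2qnCE/ameQ8ZKKslr6Z5PIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOB
+gQAxmDVL2NKOVXqvBvjvayQTERKwd4G5q1Ag1niZP7w9idSyvXpUA/ynpJ8rCdp1
+yY1MZZDF3/xrSFLxCqpXirH1/jWHhzI5ua2A8I42cmPVlyDltgZkMVpmZhWFaLed
+JotGf+gbCfXCSjV8SeKy3FmykY2FMwcJynh627PlWCzMag==
+-----END CERTIFICATE-----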
|
@ -151,3 +151,53 @@ def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
|
||||||
anonymous_identity="ttls", password="password",
|
anonymous_identity="ttls", password="password",
|
||||||
ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
|
ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
|
||||||
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
|
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
|
||||||
|
|
||||||
|
def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
|
||||||
|
"""WPA2-Enterprise negative test - incorrect trust root"""
|
||||||
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
||||||
|
hostapd.add_ap(apdev[0]['ifname'], params)
|
||||||
|
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
|
||||||
|
identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
|
||||||
|
password="password", phase2="auth=MSCHAPV2",
|
||||||
|
ca_cert="auth_serv/ca-incorrect.pem",
|
||||||
|
wait_connect=False)
|
||||||
|
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("Association and EAP start timed out")
|
||||||
|
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("EAP method selection timed out")
|
||||||
|
if "TTLS" not in ev:
|
||||||
|
raise Exception("Unexpected EAP method")
|
||||||
|
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
|
||||||
|
"CTRL-EVENT-EAP-SUCCESS",
|
||||||
|
"CTRL-EVENT-EAP-FAILURE",
|
||||||
|
"CTRL-EVENT-CONNECTED",
|
||||||
|
"CTRL-EVENT-DISCONNECTED"], timeout=10)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("EAP result timed out")
|
||||||
|
if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
|
||||||
|
raise Exception("TLS certificate error not reported")
|
||||||
|
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
|
||||||
|
"CTRL-EVENT-EAP-FAILURE",
|
||||||
|
"CTRL-EVENT-CONNECTED",
|
||||||
|
"CTRL-EVENT-DISCONNECTED"], timeout=10)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("EAP result(2) timed out")
|
||||||
|
if "CTRL-EVENT-EAP-FAILURE" not in ev:
|
||||||
|
raise Exception("EAP failure not reported")
|
||||||
|
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
|
||||||
|
"CTRL-EVENT-DISCONNECTED"], timeout=10)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("EAP result(3) timed out")
|
||||||
|
if "CTRL-EVENT-DISCONNECTED" not in ev:
|
||||||
|
raise Exception("Disconnection not reported")
|
||||||
|
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("Network block disabling not reported")
|
||||||
|
|
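Review bot: The check `if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:` in test_ap_wpa2_eap_tls_neg_incorrect_trust_root accepts any certificate error, so the test keeps passing if the server chain is rejected for an unrelated reason (an expired certificate, for instance) while trust-root validation itself has regressed. The event text should be checked as well; wpa_supplicant appears to append reason/depth/err fields to this event, so something like `if "reason=<UNTRUSTED_VALUE>" not in ev: raise Exception("Unexpected certificate error: " + ev)` would pin the failure to the untrusted issuer, with the placeholder replaced by the value the TLS wrapper reports for that case. Separately, `identity="DOMAIN\mschapv2 user"` relies on `\m` not being an escape sequence; `"DOMAIN\\mschapv2 user"` says the same thing without depending on that.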