tests: Add negative TLS test case to verify trust root validation

Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen 2013-10-20 19:41:01 +03:00
parent d93a240731
commit c7afc0789c
2 changed files with 105 additions and 0 deletions


@ -0,0 +1,55 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10855188644662735910 (0x96a5608f1ef9f426)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FI, CN=TEST - Incorrect Root CA
Validity
Not Before: Oct 20 16:30:06 2013 GMT
Not After : Oct 18 16:30:06 2023 GMT
Subject: C=FI, CN=TEST - Incorrect Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:bc:0c:8e:61:1e:5b:ea:b2:6b:cc:8a:8c:38:85:
6d:79:e0:7a:28:d1:b5:55:65:52:f8:e2:2c:74:c1:
00:15:c6:15:84:56:08:f5:e9:eb:bc:07:8d:b7:97:
b6:73:7f:46:77:86:31:d0:f0:7f:95:d6:4a:7c:35:
07:85:43:41:5e:f4:07:84:e6:52:cb:52:38:ef:fe:
6a:16:84:22:45:2e:c1:a1:16:8d:d2:b3:62:c2:05:
77:43:04:2e:d0:52:ee:db:78:10:79:44:49:92:35:
ee:99:83:aa:a0:1d:e6:3d:c3:c6:a2:8e:b6:4d:7f:
d8:11:a9:a3:bc:68:1d:a2:6f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
3E:49:CB:A7:6A:A7:08:4F:DA:99:E4:3C:64:A2:AC:96:BE:99:E4:F2
X509v3 Authority Key Identifier:
keyid:3E:49:CB:A7:6A:A7:08:4F:DA:99:E4:3C:64:A2:AC:96:BE:99:E4:F2
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
31:98:35:4b:d8:d2:8e:55:7a:af:06:f8:ef:6b:24:13:11:12:
b0:77:81:b9:ab:50:20:d6:78:99:3f:bc:3d:89:d4:b2:bd:7a:
54:03:fc:a7:a4:9f:2b:09:da:75:c9:8d:4c:65:90:c5:df:fc:
6b:48:52:f1:0a:aa:57:8a:b1:f5:fe:35:87:87:32:39:b9:ad:
80:f0:8e:36:72:63:d5:97:20:e5:b6:06:64:31:5a:66:66:15:
85:68:b7:9d:26:8b:46:7f:e8:1b:09:f5:c2:4a:35:7c:49:e2:
b2:dc:59:b2:91:8d:85:33:07:09:ca:78:7a:db:b3:e5:58:2c:
cc:6a
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


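--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -151,3 +151,53 @@ def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
 anonymous_identity="ttls", password="password",
 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
+def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
+"""WPA2-Enterprise negative test - incorrect trust root"""
+params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+hostapd.add_ap(apdev[0]['ifname'], params)
+dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
+password="password", phase2="auth=MSCHAPV2",
+ca_cert="auth_serv/ca-incorrect.pem",
+wait_connect=False)
+ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
+if ev is None:
+raise Exception("Association and EAP start timed out")
+ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
+if ev is None:
+raise Exception("EAP method selection timed out")
+if "TTLS" not in ev:
+raise Exception("Unexpected EAP method")
+ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
+"CTRL-EVENT-EAP-SUCCESS",
+"CTRL-EVENT-EAP-FAILURE",
+"CTRL-EVENT-CONNECTED",
+"CTRL-EVENT-DISCONNECTED"], timeout=10)
+if ev is None:
+raise Exception("EAP result timed out")
+if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
+raise Exception("TLS certificate error not reported")
+ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
+"CTRL-EVENT-EAP-FAILURE",
+"CTRL-EVENT-CONNECTED",
+"CTRL-EVENT-DISCONNECTED"], timeout=10)
+if ev is None:
+raise Exception("EAP result(2) timed out")
+if "CTRL-EVENT-EAP-FAILURE" not in ev:
+raise Exception("EAP failure not reported")
+ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
+"CTRL-EVENT-DISCONNECTED"], timeout=10)
+if ev is None:
+raise Exception("EAP result(3) timed out")
+if "CTRL-EVENT-DISCONNECTED" not in ev:
+raise Exception("Disconnection not reported")
+ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
+if ev is None:
+raise Exception("Network block disabling not reported")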
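Review bot: The identity literal in the connect() call, `identity="DOMAIN\mschapv2 user"`, relies on `\m` not being a recognised escape sequence to keep the backslash; newer interpreters warn on unknown escapes, so it should be written as `identity=r"DOMAIN\mschapv2 user"` to make the intended literal backslash explicit. The four wait_event/raise groups encode a precise contract that is only implicit in the error strings; a one-line comment before the first TLS wait, `# Expected order with an untrusted CA: TLS cert error -> EAP failure -> disconnect -> network temporarily disabled; any EAP-SUCCESS/CONNECTED before failure means trust-root validation was bypassed`, would make that contract visible to the next reader. The docstring could also state what "incorrect trust root" means here, i.e. that ca-incorrect.pem is a self-signed CA that did not issue the server certificate, which is what the cert added in the other file shows. This test reads as rendered without indentation, so the proposed changes are stated relative to the statements rather than to columns.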