diff --git a/tests/hwsim/start.sh b/tests/hwsim/start.sh
index b5b311b81..7a26d2825 100755
--- a/tests/hwsim/start.sh
+++ b/tests/hwsim/start.sh
@@ -155,26 +155,6 @@
 if [ ! -r $LOGDIR/ocsp-server-cache.der ]; then
 cp $DIR/auth_serv/ocsp-server-cache.der $LOGDIR/ocsp-server-cache.der
 fi
 
-openssl ocsp -reqout $LOGDIR/ocsp-req.der -issuer $DIR/auth_serv/ca.pem \
- -sha256 -serial 0xD8D3E3A6CBE3CD1F -no_nonce >> $LOGDIR/ocsp.log 2>&1
-for i in "" "-unknown" "-revoked"; do
- openssl ocsp -index $DIR/auth_serv/index$i.txt \
- -rsigner $DIR/auth_serv/ca.pem \
- -rkey $DIR/auth_serv/ca-key.pem \
- -CA $DIR/auth_serv/ca.pem \
- -ndays 7 \
- -reqin $LOGDIR/ocsp-req.der \
- -resp_no_certs \
- -respout $LOGDIR/ocsp-resp-ca-signed$i.der >> $LOGDIR/ocsp.log 2>&1
-done
-openssl ocsp -index $DIR/auth_serv/index.txt \
- -rsigner $DIR/auth_serv/server.pem \
- -rkey $DIR/auth_serv/server.key \
- -CA $DIR/auth_serv/ca.pem \
- -ndays 7 \
- -reqin $LOGDIR/ocsp-req.der \
- -respout $LOGDIR/ocsp-resp-server-signed.der >> $LOGDIR/ocsp.log 2>&1
-
 touch $LOGDIR/hostapd.db
 sudo $HAPD_AS -ddKt $LOGDIR/as.conf $LOGDIR/as2.conf > $LOGDIR/auth_serv &
diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index 3faf46a05..1eef5b7d6 100644
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@@ -4163,13 +4163,59 @@ def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params): private_key_passwd="whatever", ocsp=2, scan_freq="2412") +def ocsp_req(outfile): + if os.path.exists(outfile): + return + arg = ["openssl", "ocsp", + "-reqout", outfile, + '-issuer', 'auth_serv/ca.pem', + '-sha256', + '-serial', '0xD8D3E3A6CBE3CD1F', + '-no_nonce'] + run_openssl(arg) + if not os.path.exists(outfile): + raise HwsimSkip("Failed to generate OCSP request") + +def ocsp_resp_ca_signed(reqfile, outfile, status): + ocsp_req(reqfile) + if os.path.exists(outfile): + return + arg = ["openssl", "ocsp", + "-index", "auth_serv/index%s.txt" % status, + "-rsigner", "auth_serv/ca.pem", + "-rkey", "auth_serv/ca-key.pem", + "-CA", "auth_serv/ca.pem", + "-ndays", "7", + "-reqin", reqfile, + "-resp_no_certs", + "-respout", outfile] + run_openssl(arg) + if not os.path.exists(outfile): + raise HwsimSkip("No OCSP response available") + +def ocsp_resp_server_signed(reqfile, outfile): + ocsp_req(reqfile) + if os.path.exists(outfile): + return + arg = ["openssl", "ocsp", + "-index", "auth_serv/index.txt", + "-rsigner", "auth_serv/server.pem", + "-rkey", "auth_serv/server.key", + "-CA", "auth_serv/ca.pem", + "-ndays", "7", + "-reqin", reqfile, + "-respout", outfile] + run_openssl(arg) + if not os.path.exists(outfile): + raise HwsimSkip("No OCSP response available") + def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params): """EAP-TLS and CA signed OCSP response (good)""" check_ocsp_support(dev[0]) check_pkcs12_support(dev[0]) + req = os.path.join(params['logdir'], "ocsp-req.der") ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der") - if not os.path.exists(ocsp): - raise HwsimSkip("No OCSP response available") + ocsp_resp_ca_signed(req, ocsp, "") params = int_eap_server_params() params["ocsp_stapling_response"] = ocsp hostapd.add_ap(apdev[0], params) 
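Review bot: ocsp_resp_ca_signed and ocsp_resp_server_signed return as soon as outfile exists, yet the response they produce is issued with `-ndays 7`, so if the logdir is reused across runs a file older than a week is stapled as-is with no regeneration path, and the same early return also keeps any empty or partial file a failed openssl run might leave behind. A freshness and size check on the cached file, e.g. `if os.path.exists(outfile) and os.path.getsize(outfile) > 0 and time.time() - os.path.getmtime(outfile) < 6 * 86400: return` (assuming `time` is imported in this module), bounds both problems; checking whatever run_openssl returns, if it reports failure, would be stronger still. The three new helpers have no docstrings — a one-liner on each such as `"""Write an OCSP request for the test server certificate to outfile unless it already exists."""` would help — and ocsp_req mixes double- and single-quoted strings within one argument list where the other two helpers use double quotes throughout. test_ap_wpa2_eap_tls_ocsp_ca_signed_good continues past the end of the hunk.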
@@ -4183,9 +4229,9 @@ def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params): """EAP-TLS and CA signed OCSP response (revoked)""" check_ocsp_support(dev[0]) check_pkcs12_support(dev[0]) + req = os.path.join(params['logdir'], "ocsp-req.der") ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der") - if not os.path.exists(ocsp): - raise HwsimSkip("No OCSP response available") + ocsp_resp_ca_signed(req, ocsp, "-revoked") params = int_eap_server_params() params["ocsp_stapling_response"] = ocsp hostapd.add_ap(apdev[0], params) @@ -4215,9 +4261,9 @@ def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params): """EAP-TLS and CA signed OCSP response (unknown)""" check_ocsp_support(dev[0]) check_pkcs12_support(dev[0]) + req = os.path.join(params['logdir'], "ocsp-req.der") ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der") - if not os.path.exists(ocsp): - raise HwsimSkip("No OCSP response available") + ocsp_resp_ca_signed(req, ocsp, "-unknown") params = int_eap_server_params() params["ocsp_stapling_response"] = ocsp hostapd.add_ap(apdev[0], params) @@ -4245,9 +4291,9 @@ def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params): """EAP-TLS and server signed OCSP response""" check_ocsp_support(dev[0]) check_pkcs12_support(dev[0]) + req = os.path.join(params['logdir'], "ocsp-req.der") ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der") - if not os.path.exists(ocsp): - raise HwsimSkip("No OCSP response available") + ocsp_resp_server_signed(req, ocsp) params = int_eap_server_params() params["ocsp_stapling_response"] = ocsp hostapd.add_ap(apdev[0], params) 
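Review bot: Each of the three tests changed here (and the one in the preceding hunk) rebuilds `req = os.path.join(params['logdir'], "ocsp-req.der")` only to pass it straight to the helper, so the request path convention is now repeated at every call site. The helpers could derive it from the response path instead, e.g. `reqfile = os.path.join(os.path.dirname(outfile), "ocsp-req.der")`, leaving each test with a single helper call and one place to change the name. The enclosing test functions start at the hunk header lines and continue past each hunk.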
@@ -4705,14 +4751,13 @@ def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev, apdev, params): check_ocsp_multi_support(dev[0]) check_pkcs12_support(dev[0]) + req = os.path.join(params['logdir'], "ocsp-req.der") ocsp_revoked = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der") - if not os.path.exists(ocsp_revoked): - raise HwsimSkip("No OCSP response (revoked) available") ocsp_unknown = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der") - if not os.path.exists(ocsp_unknown): - raise HwsimSkip("No OCSP response(unknown) available") + ocsp_resp_ca_signed(req, ocsp_revoked, "-revoked") + ocsp_resp_ca_signed(req, ocsp_unknown, "-unknown") with open(ocsp_revoked, "rb") as f: resp_revoked = f.read()
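Review bot: The two removed skips told the reader which response was missing ("revoked" versus "unknown"), whereas both replacement calls go through ocsp_resp_ca_signed, whose single `HwsimSkip("No OCSP response available")` no longer says which of the two generations failed. Including the path in the helper's message, `raise HwsimSkip("No OCSP response available: " + outfile)`, restores that detail for every caller, including the single-response tests. test_ap_wpa2_eap_tls_ocsp_multi_revoked begins at the hunk header and continues past the hunk.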