DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

tests: Move ocsp-resp-*-signed*.der generation into test case

Browse source 
There is no need to generate these OCSP responses for every single test
session. Generate these more dynamically if a test case that uses these
files is executed.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2019-12-27 20:01:38 +02:00
parent b6bb4cd8c5
commit d07ca835cb
2 changed files with 57 additions and 32 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
tests/hwsim/start.sh
View file

@ -155,26 +155,6 @@ if [ ! -r $LOGDIR/ocsp-server-cache.der ]; then
cp $DIR/auth_serv/ocsp-server-cache.der $LOGDIR/ocsp-server-cache.der
fi
openssl ocsp -reqout $LOGDIR/ocsp-req.der -issuer $DIR/auth_serv/ca.pem \
-sha256 -serial 0xD8D3E3A6CBE3CD1F -no_nonce >> $LOGDIR/ocsp.log 2>&1
for i in "" "-unknown" "-revoked"; do
openssl ocsp -index $DIR/auth_serv/index$i.txt \
-rsigner $DIR/auth_serv/ca.pem \
-rkey $DIR/auth_serv/ca-key.pem \
-CA $DIR/auth_serv/ca.pem \
-ndays 7 \
-reqin $LOGDIR/ocsp-req.der \
-resp_no_certs \
-respout $LOGDIR/ocsp-resp-ca-signed$i.der >> $LOGDIR/ocsp.log 2>&1
done
openssl ocsp -index $DIR/auth_serv/index.txt \
-rsigner $DIR/auth_serv/server.pem \
-rkey $DIR/auth_serv/server.key \
-CA $DIR/auth_serv/ca.pem \
-ndays 7 \
-reqin $LOGDIR/ocsp-req.der \
-respout $LOGDIR/ocsp-resp-server-signed.der >> $LOGDIR/ocsp.log 2>&1
touch $LOGDIR/hostapd.db
sudo $HAPD_AS -ddKt $LOGDIR/as.conf $LOGDIR/as2.conf > $LOGDIR/auth_serv &

69
tests/hwsim/test_ap_eap.py
View file

@ -4163,13 +4163,59 @@ def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
private_key_passwd="whatever", ocsp=2,
scan_freq="2412")
def ocsp_req(outfile):
if os.path.exists(outfile):
return
arg = ["openssl", "ocsp",
"-reqout", outfile,
'-issuer', 'auth_serv/ca.pem',
'-sha256',
'-serial', '0xD8D3E3A6CBE3CD1F',
'-no_nonce']
run_openssl(arg)
if not os.path.exists(outfile):
raise HwsimSkip("Failed to generate OCSP request")
def ocsp_resp_ca_signed(reqfile, outfile, status):
ocsp_req(reqfile)
if os.path.exists(outfile):
return
arg = ["openssl", "ocsp",
"-index", "auth_serv/index%s.txt" % status,
"-rsigner", "auth_serv/ca.pem",
"-rkey", "auth_serv/ca-key.pem",
"-CA", "auth_serv/ca.pem",
"-ndays", "7",
"-reqin", reqfile,
"-resp_no_certs",
"-respout", outfile]
run_openssl(arg)
if not os.path.exists(outfile):
raise HwsimSkip("No OCSP response available")
def ocsp_resp_server_signed(reqfile, outfile):
ocsp_req(reqfile)
if os.path.exists(outfile):
return
arg = ["openssl", "ocsp",
"-index", "auth_serv/index.txt",
"-rsigner", "auth_serv/server.pem",
"-rkey", "auth_serv/server.key",
"-CA", "auth_serv/ca.pem",
"-ndays", "7",
"-reqin", reqfile,
"-respout", outfile]
run_openssl(arg)
if not os.path.exists(outfile):
raise HwsimSkip("No OCSP response available")
def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
"""EAP-TLS and CA signed OCSP response (good)"""
check_ocsp_support(dev[0])
check_pkcs12_support(dev[0])
req = os.path.join(params['logdir'], "ocsp-req.der")
ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
if not os.path.exists(ocsp):
raise HwsimSkip("No OCSP response available")
ocsp_resp_ca_signed(req, ocsp, "")
params = int_eap_server_params()
params["ocsp_stapling_response"] = ocsp
hostapd.add_ap(apdev[0], params)
@ -4183,9 +4229,9 @@ def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
"""EAP-TLS and CA signed OCSP response (revoked)"""
check_ocsp_support(dev[0])
check_pkcs12_support(dev[0])
req = os.path.join(params['logdir'], "ocsp-req.der")
ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
if not os.path.exists(ocsp):
raise HwsimSkip("No OCSP response available")
ocsp_resp_ca_signed(req, ocsp, "-revoked")
params = int_eap_server_params()
params["ocsp_stapling_response"] = ocsp
hostapd.add_ap(apdev[0], params)
@ -4215,9 +4261,9 @@ def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
"""EAP-TLS and CA signed OCSP response (unknown)"""
check_ocsp_support(dev[0])
check_pkcs12_support(dev[0])
req = os.path.join(params['logdir'], "ocsp-req.der")
ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
if not os.path.exists(ocsp):
raise HwsimSkip("No OCSP response available")
ocsp_resp_ca_signed(req, ocsp, "-unknown")
params = int_eap_server_params()
params["ocsp_stapling_response"] = ocsp
hostapd.add_ap(apdev[0], params)
@ -4245,9 +4291,9 @@ def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
"""EAP-TLS and server signed OCSP response"""
check_ocsp_support(dev[0])
check_pkcs12_support(dev[0])
req = os.path.join(params['logdir'], "ocsp-req.der")
ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
if not os.path.exists(ocsp):
raise HwsimSkip("No OCSP response available")
ocsp_resp_server_signed(req, ocsp)
params = int_eap_server_params()
params["ocsp_stapling_response"] = ocsp
hostapd.add_ap(apdev[0], params)
@ -4705,14 +4751,13 @@ def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev, apdev, params):
check_ocsp_multi_support(dev[0])
check_pkcs12_support(dev[0])
req = os.path.join(params['logdir'], "ocsp-req.der")
ocsp_revoked = os.path.join(params['logdir'],
"ocsp-resp-ca-signed-revoked.der")
if not os.path.exists(ocsp_revoked):
raise HwsimSkip("No OCSP response (revoked) available")
ocsp_unknown = os.path.join(params['logdir'],
"ocsp-resp-ca-signed-unknown.der")
if not os.path.exists(ocsp_unknown):
raise HwsimSkip("No OCSP response(unknown) available")
ocsp_resp_ca_signed(req, ocsp_revoked, "-revoked")
ocsp_resp_ca_signed(req, ocsp_unknown, "-unknown")
with open(ocsp_revoked, "rb") as f:
resp_revoked = f.read()