tests: Valid OCSP response with revoked and unknown cert status
authorJouni Malinen <j@w1.fi>
Sun, 11 Jan 2015 21:13:35 +0000 (23:13 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 11 Jan 2015 22:19:21 +0000 (00:19 +0200)
This increases testing coverage for OCSP processing by confirming that a
valid OCSP response showing revoked certificate status prevents
successful handshake completion. In addition, unknown certificate status
is verified to prevent connection if OCSP is required and to allow
connection if OCSP is optional.

Signed-off-by: Jouni Malinen <j@w1.fi>
tests/hwsim/auth_serv/index-revoked.txt [new file with mode: 0644]
tests/hwsim/auth_serv/index-unknown.txt [new file with mode: 0644]
tests/hwsim/start.sh
tests/hwsim/test_ap_eap.py

diff --git a/tests/hwsim/auth_serv/index-revoked.txt b/tests/hwsim/auth_serv/index-revoked.txt
new file mode 100644 (file)
index 0000000..95b052e
--- /dev/null
@@ -0,0 +1,8 @@
+V      230627164122Z           D8D3E3A6CBE3CCC1        unknown /C=FI/O=w1.fi/CN=Root CA
+V      150215075930Z           D8D3E3A6CBE3CCC9        unknown /C=FI/O=w1.fi/CN=server3.w1.fi
+V      140102000000Z           D8D3E3A6CBE3CCCA        unknown /C=FI/O=w1.fi/CN=server4.w1.fi
+V      150215083008Z           D8D3E3A6CBE3CCCB        unknown /C=FI/O=w1.fi/CN=server5.w1.fi
+V      150228224144Z           D8D3E3A6CBE3CCCC        unknown /C=FI/O=w1.fi/CN=server6.w1.fi
+V      160111185024Z           D8D3E3A6CBE3CCCD        unknown /C=FI/O=w1.fi/CN=ocsp.w1.fi
+R      150929211122Z   160111185024Z   D8D3E3A6CBE3CCD0        unknown /C=FI/O=w1.fi/CN=server.w1.fi
+R      150929211300Z   160111185024Z   D8D3E3A6CBE3CCD1        unknown /C=FI/O=w1.fi/CN=Test User
diff --git a/tests/hwsim/auth_serv/index-unknown.txt b/tests/hwsim/auth_serv/index-unknown.txt
new file mode 100644 (file)
index 0000000..97dfbba
--- /dev/null
@@ -0,0 +1 @@
+V      230627164122Z           D8D3E3A6CBE3CCC1        unknown /C=FI/O=w1.fi/CN=Root CA
index 778daef074d6f82d7c9f863c7c3541b8f071df3f..df8a76da9604b8093361b0bdfca91f54b5506086 100755 (executable)
@@ -134,6 +134,18 @@ openssl ocsp -index $DIR/auth_serv/index.txt \
 if [ ! -r $LOGDIR/ocsp-server-cache.der ]; then
     cp $DIR/auth_serv/ocsp-server-cache.der $LOGDIR/ocsp-server-cache.der
 fi
+
+for i in unknown revoked; do
+    openssl ocsp -index $DIR/auth_serv/index-$i.txt \
+       -rsigner $DIR/auth_serv/ocsp-responder.pem \
+       -rkey $DIR/auth_serv/ocsp-responder.key \
+       -CA $DIR/auth_serv/ca.pem \
+       -issuer $DIR/auth_serv/ca.pem \
+       -verify_other $DIR/auth_serv/ca.pem -trust_other \
+       -ndays 7 \
+       -reqin $DIR/auth_serv/ocsp-req.der \
+       -respout $LOGDIR/ocsp-server-cache-$i.der >> $LOGDIR/ocsp.log 2>&1
+done
 touch $LOGDIR/hostapd.db
 sudo $HAPD_AS -ddKt $LOGDIR/as.conf $LOGDIR/as2.conf > $LOGDIR/auth_serv &
 
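Review bot: The new loop at lines 44-54 never checks the exit status of `openssl ocsp`, so when response generation fails the only trace is in ocsp.log and ocsp-server-cache-$i.der is left missing, which the new Python tests then turn into a HwsimSkip rather than a visible failure. Note also that the base response just above is only copied when absent, while these two are regenerated on every start; with `-ndays 7` that is what keeps them fresh, but the asymmetry is worth a comment. A one-line guard such as `-respout $LOGDIR/ocsp-server-cache-$i.der >> $LOGDIR/ocsp.log 2>&1 || echo "Failed to generate OCSP response for index-$i.txt" >&2` would make a broken setup visible without changing the happy path. The openssl invocation named in the hunk header starts outside the hunk, so I cannot tell whether the two commands could share their argument list.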
index 01b333a21c6d72e6b8c214167250504ad3c35a13..1bcb0dcb6b3992c2d7541036d286becb29846b98 100644 (file)
@@ -1980,6 +1980,77 @@ def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
     if ev is None:
         raise Exception("Timeout on EAP failure report")
 
+def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
+    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
+    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
+    if not os.path.exists(ocsp):
+        raise HwsimSkip("No OCSP response available")
+    params = int_eap_server_params()
+    params["ocsp_stapling_response"] = ocsp
+    hostapd.add_ap(apdev[0]['ifname'], params)
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+                   identity="pap user", ca_cert="auth_serv/ca.pem",
+                   anonymous_identity="ttls", password="password",
+                   phase2="auth=PAP", ocsp=2,
+                   wait_connect=False, scan_freq="2412")
+    count = 0
+    while True:
+        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
+        if ev is None:
+            raise Exception("Timeout on EAP status")
+        if 'bad certificate status response' in ev:
+            break
+        if 'certificate revoked' in ev:
+            break
+        count = count + 1
+        if count > 10:
+            raise Exception("Unexpected number of EAP status messages")
+
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
+    if ev is None:
+        raise Exception("Timeout on EAP failure report")
+
+def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
+    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
+    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
+    if not os.path.exists(ocsp):
+        raise HwsimSkip("No OCSP response available")
+    params = int_eap_server_params()
+    params["ocsp_stapling_response"] = ocsp
+    hostapd.add_ap(apdev[0]['ifname'], params)
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+                   identity="pap user", ca_cert="auth_serv/ca.pem",
+                   anonymous_identity="ttls", password="password",
+                   phase2="auth=PAP", ocsp=2,
+                   wait_connect=False, scan_freq="2412")
+    count = 0
+    while True:
+        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
+        if ev is None:
+            raise Exception("Timeout on EAP status")
+        if 'bad certificate status response' in ev:
+            break
+        count = count + 1
+        if count > 10:
+            raise Exception("Unexpected number of EAP status messages")
+
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
+    if ev is None:
+        raise Exception("Timeout on EAP failure report")
+
+def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
+    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
+    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
+    if not os.path.exists(ocsp):
+        raise HwsimSkip("No OCSP response available")
+    params = int_eap_server_params()
+    params["ocsp_stapling_response"] = ocsp
+    hostapd.add_ap(apdev[0]['ifname'], params)
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+                   identity="pap user", ca_cert="auth_serv/ca.pem",
+                   anonymous_identity="ttls", password="password",
+                   phase2="auth=PAP", ocsp=1, scan_freq="2412")
+
 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
     """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
     params = int_eap_server_params()
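Review bot: The docstrings at lines 94 and 122 are copied from the revoked test and still say "OCSP status revoked", although both functions exercise the unknown status (required and optional OCSP respectively); they should read `"""WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""` and `"""WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""`. All three new functions also rebind their `params` argument at lines 68, 98 and 126 right after reading params['logdir'] from it; a distinct name such as `ap_params` would avoid shadowing the test parameter. In test_ap_wpa2_eap_ttls_optional_ocsp_unknown the connect call alone does not show that a stapled response was actually received and evaluated as unknown rather than never sent, so checking the CTRL-EVENT-EAP-STATUS output for that case, if wpa_supplicant emits one, would strengthen the test — to be confirmed against the supplicant's reporting. The trailing context at line 134 belongs to test_ap_wpa2_eap_tls_domain_suffix_match_cn_full, which continues outside the hunk.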