tests: EAP-TTLS and server certificate with client EKU

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/tests/hwsim/auth_serv/server-eku-client.key b/tests/hwsim/auth_serv/server-eku-client.key
new file mode 100644 (file)
index 0000000..f2a99cd
--- /dev/null
+++ b/tests/hwsim/auth_serv/server-eku-client.key
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAKOZ6eLhF2A7cDQa
+dFxG47i9u6rJ8+77EjCgacN0OIA6uiNSx8Fqz7rdQePSaTWkpmBsMR+FvVZsewlj
+zadRa4RAkHd+l2h7OLXEFTt0NzQounri14RTeHZNFre43wly54cmdCwEysXOKfW0
+ztso60VHQo/tiFqjI0mbe7w54QFTAgMBAAECgYAngwCtvtc6cqCCtPDtaGGPOKOe
+d+/mA9U80UE551POBGD4LwH3gKhy5QUI1MR8JCvalca3akF0IfcFKYl9o3hnsZ73
+3wGzxM8BEf9wEVtVC2CTRVoIupleaEk3j8dgaUs/O54WkmAoHF1avXAMSGOUDxCO
+Ggpn2tei78Csdj78IQJBANF7a7RaJsXh6xMI7hlrVrUsIbBvsBo1wbbGCwNRvgzL
+I1mq1O+Go7Aao0pDK7sOUa86j6ECZ5pzqcdPaF22tJ8CQQDH7kTy6ERBbLFxs/Wd
+YLDEh1GIGyGW10tuJTOl2R1TKSBXRzPAeI+jcC+AC00238p4MO899WOVeLvaERZa
+IuLNAkAtlxXGp4Qett9JQj1HbPPu9A7U7km+OorRM2K8MzMQZ7lmz2YORxgiwHlf
+NSU0TZZ7c1xE51gS5i9CAEcvdg7zAkAKIZfa20xCKHjhcyYaIIE0pErMY9uS4jwP
+S9FPMS5cPXRHF/OWaEWXGaM+kNQL2NFQv+IPuLSgKWsThNQmIyhtAkEAiQq1HdN7
+3l8YhUuJtxg7nrh2s0V4UcSNOZxVf/85AKrTu1IfjdwmXFeoRB/y9Ef4h1bcXgzj
+clIVhie7r0JNLw==
+-----END PRIVATE KEY-----

diff --git a/tests/hwsim/auth_serv/server-eku-client.pem b/tests/hwsim/auth_serv/server-eku-client.pem
new file mode 100644 (file)
index 0000000..a924042
--- /dev/null
+++ b/tests/hwsim/auth_serv/server-eku-client.pem
@@ -0,0 +1,62 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 15624081837803162827 (0xd8d3e3a6cbe3cccb)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=FI, O=w1.fi, CN=Root CA
+        Validity
+            Not Before: Feb 15 08:30:08 2014 GMT
+            Not After : Feb 15 08:30:08 2015 GMT
+        Subject: C=FI, O=w1.fi, CN=server5.w1.fi
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:a3:99:e9:e2:e1:17:60:3b:70:34:1a:74:5c:46:
+                    e3:b8:bd:bb:aa:c9:f3:ee:fb:12:30:a0:69:c3:74:
+                    38:80:3a:ba:23:52:c7:c1:6a:cf:ba:dd:41:e3:d2:
+                    69:35:a4:a6:60:6c:31:1f:85:bd:56:6c:7b:09:63:
+                    cd:a7:51:6b:84:40:90:77:7e:97:68:7b:38:b5:c4:
+                    15:3b:74:37:34:28:ba:7a:e2:d7:84:53:78:76:4d:
+                    16:b7:b8:df:09:72:e7:87:26:74:2c:04:ca:c5:ce:
+                    29:f5:b4:ce:db:28:eb:45:47:42:8f:ed:88:5a:a3:
+                    23:49:9b:7b:bc:39:e1:01:53
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                33:16:9D:3B:17:15:82:2B:34:6E:38:E8:CC:22:BF:49:A7:5E:2A:2B
+            X509v3 Authority Key Identifier: 
+                keyid:B8:92:DE:FD:8A:18:B3:30:C3:9F:55:F3:33:5D:B4:C8:29:8A:41:14
+
+            Authority Information Access: 
+                OCSP - URI:http://server.w1.fi:8888/
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+    Signature Algorithm: sha1WithRSAEncryption
+         6f:2d:cb:3b:91:50:15:e1:c7:41:15:6c:a4:89:e5:0e:f9:f9:
+         9b:10:36:d8:67:a8:29:e2:6a:6f:89:7b:66:bd:f1:b8:fa:1c:
+         f7:22:8b:85:4e:37:f3:d6:1e:35:df:c7:04:e6:13:20:ca:fa:
+         62:cc:8d:3a:bd:97:10:5c:1b:0b:39:79:ac:13:61:59:79:fd:
+         a1:4b:7d:c9:c5:c4:19:4d:76:5b:cd:6d:1e:f2:aa:ef:67:51:
+         aa:0c:ef:6a:f2:10:71:6f:19:e6:12:ab:3e:65:76:0f:5a:0f:
+         cf:96:30:c3:fc:59:e9:13:af:e1:8a:b0:2c:78:ad:3d:b4:e9:
+         e5:20
+-----BEGIN CERTIFICATE-----
+MIICfTCCAeagAwIBAgIJANjT46bL48zLMA0GCSqGSIb3DQEBBQUAMC8xCzAJBgNV
+BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNDAy
+MTUwODMwMDhaFw0xNTAyMTUwODMwMDhaMDUxCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
+DAV3MS5maTEWMBQGA1UEAwwNc2VydmVyNS53MS5maTCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEAo5np4uEXYDtwNBp0XEbjuL27qsnz7vsSMKBpw3Q4gDq6I1LH
+wWrPut1B49JpNaSmYGwxH4W9Vmx7CWPNp1FrhECQd36XaHs4tcQVO3Q3NCi6euLX
+hFN4dk0Wt7jfCXLnhyZ0LATKxc4p9bTO2yjrRUdCj+2IWqMjSZt7vDnhAVMCAwEA
+AaOBmjCBlzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQzFp07FxWCKzRuOOjMIr9Jp14q
+KzAfBgNVHSMEGDAWgBS4kt79ihizMMOfVfMzXbTIKYpBFDA1BggrBgEFBQcBAQQp
+MCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly9zZXJ2ZXIudzEuZmk6ODg4OC8wEwYDVR0l
+BAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADgYEAby3LO5FQFeHHQRVspInl
+Dvn5mxA22GeoKeJqb4l7Zr3xuPoc9yKLhU4389YeNd/HBOYTIMr6YsyNOr2XEFwb
+Czl5rBNhWXn9oUt9ycXEGU12W81tHvKq72dRqgzvavIQcW8Z5hKrPmV2D1oPz5Yw
+w/xZ6ROv4YqwLHitPbTp5SA=
+-----END CERTIFICATE-----

diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index c10e6e584b0e38665e8f35c1c22220af3302bfe5..155ea244c5190f98cb8f9268dba5f985e2e41a1b 100644 (file)
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@@ -949,3 +949,18 @@ def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    phase1="tls_disable_time_checks=1",
                    scan_freq="2412")
+
+def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
+    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
+    params = int_eap_server_params()
+    params["server_cert"] = "auth_serv/server-eku-client.pem"
+    params["private_key"] = "auth_serv/server-eku-client.key"
+    hostapd.add_ap(apdev[0]['ifname'], params)
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+                   identity="mschap user", password="password",
+                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
+                   wait_connect=False,
+                   scan_freq="2412")
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
+    if ev is None:
+        raise Exception("Timeout on EAP failure report")