$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-user.req -out ec2-user.pem -extensions ext_client $DIGEST_CA
rm ec-ca-openssl.cnf.tmp
+echo
+echo "---[ User p256 ]--------------------------------------------------------"
+echo
+
+cat ec-ca-openssl.cnf |
+ sed "s/#@CN@/commonName_default = user-p256/" |
+ sed "s/#@ALTNAME@/subjectAltName=email:user-p256@w1.fi/" \
+ > ec-ca-openssl.cnf.tmp
+$OPENSSL ecparam -out ec2-user-p256.key -name prime256v1 -genkey
+$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-user-p256.key -out ec2-user-p256.req -outform PEM -extensions ext_client -sha256
+$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-user-p256.req -out ec2-user-p256.pem -extensions ext_client -md sha256
+rm ec-ca-openssl.cnf.tmp
+
echo
echo "---[ Verify ]-----------------------------------------------------------"
echo
$OPENSSL verify -CAfile ec2-ca.pem ec2-server.pem
$OPENSSL verify -CAfile ec2-ca.pem ec2-user.pem
+$OPENSSL verify -CAfile ec2-ca.pem ec2-user-p256.pem
--- /dev/null
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIPrr8f6NDa+p9BbWuyoFWfshi7pBwZVSltEoE3JoKMfEoAoGCCqGSM49
+AwEHoUQDQgAEt4F55Q020CgCdvgNzw3I+K/eZiDJIODExC0Qti5YJWD/Ah5KG3lh
+qmRWRLRLn+giBMgUEJeWDjWcHdzWBYhwEQ==
+-----END EC PRIVATE KEY-----
--- /dev/null
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 12897810923590592256 (0xb2fe3ab310c52700)
+ Signature Algorithm: ecdsa-with-SHA256
+ Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B 192-bit Root CA
+ Validity
+ Not Before: Jan 12 18:16:42 2018 GMT
+ Not After : Jan 10 18:16:42 2028 GMT
+ Subject: C=FI, O=w1.fi, CN=user-p256
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (256 bit)
+ pub:
+ 04:b7:81:79:e5:0d:36:d0:28:02:76:f8:0d:cf:0d:
+ c8:f8:af:de:66:20:c9:20:e0:c4:c4:2d:10:b6:2e:
+ 58:25:60:ff:02:1e:4a:1b:79:61:aa:64:56:44:b4:
+ 4b:9f:e8:22:04:c8:14:10:97:96:0e:35:9c:1d:dc:
+ d6:05:88:70:11
+ ASN1 OID: prime256v1
+ NIST CURVE: P-256
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ EC:7E:B2:10:44:3E:D2:A1:98:E4:1E:8F:7E:32:49:2E:B2:59:3C:92
+ X509v3 Authority Key Identifier:
+ keyid:B8:97:C9:BE:63:12:AB:F6:A0:8C:B6:5E:FB:97:6E:10:8E:DC:48:F5
+
+ X509v3 Subject Alternative Name:
+ email:user-p256@w1.fi
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication
+ X509v3 Key Usage:
+ Digital Signature, Key Encipherment
+ Signature Algorithm: ecdsa-with-SHA256
+ 30:65:02:31:00:c9:1e:c8:25:d5:69:1c:24:4f:09:b6:45:31:
+ c2:46:a0:44:84:ae:b1:e3:bb:34:19:f6:04:63:61:cf:37:7a:
+ 9b:a1:72:99:9d:86:36:26:35:a1:99:0a:3a:7c:06:26:3e:02:
+ 30:70:e8:c3:20:0a:c5:4f:f6:95:6c:0a:b1:7a:1b:5d:b0:d2:
+ c6:10:4d:2f:44:31:c7:1a:db:6c:25:07:4b:2d:94:0e:c9:b4:
+ b1:c8:8c:cb:ea:67:8f:37:20:f6:cc:64:fe
+-----BEGIN CERTIFICATE-----
+MIICJzCCAa2gAwIBAgIJALL+OrMQxScAMAoGCCqGSM49BAMCMFIxCzAJBgNVBAYT
+AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
+F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE4MDExMjE4MTY0MloXDTI4MDEx
+MDE4MTY0MlowMTELMAkGA1UEBhMCRkkxDjAMBgNVBAoMBXcxLmZpMRIwEAYDVQQD
+DAl1c2VyLXAyNTYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS3gXnlDTbQKAJ2
++A3PDcj4r95mIMkg4MTELRC2LlglYP8CHkobeWGqZFZEtEuf6CIEyBQQl5YONZwd
+3NYFiHARo4GMMIGJMAkGA1UdEwQCMAAwHQYDVR0OBBYEFOx+shBEPtKhmOQej34y
+SS6yWTySMB8GA1UdIwQYMBaAFLiXyb5jEqv2oIy2XvuXbhCO3Ej1MBoGA1UdEQQT
+MBGBD3VzZXItcDI1NkB3MS5maTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8E
+BAMCBaAwCgYIKoZIzj0EAwIDaAAwZQIxAMkeyCXVaRwkTwm2RTHCRqBEhK6x47s0
+GfYEY2HPN3qboXKZnYY2JjWhmQo6fAYmPgIwcOjDIArFT/aVbAqxehtdsNLGEE0v
+RDHHGttsJQdLLZQOybSxyIzL6mePNyD2zGT+
+-----END CERTIFICATE-----
private_key="auth_serv/ec2-user.key",
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
+def test_suite_b_192_radius_and_p256_cert(dev, apdev):
+ """Suite B 192-bit level and p256 client cert"""
+ check_suite_b_192_capa(dev)
+ dev[0].flush_scan_cache()
+ params = suite_b_as_params()
+ params['ca_cert'] = 'auth_serv/ec2-ca.pem'
+ params['server_cert'] = 'auth_serv/ec2-server.pem'
+ params['private_key'] = 'auth_serv/ec2-server.key'
+ params['openssl_ciphers'] = 'SUITEB192'
+ hostapd.add_ap(apdev[1], params)
+
+ params = { "ssid": "test-suite-b",
+ "wpa": "2",
+ "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
+ "rsn_pairwise": "GCMP-256",
+ "group_mgmt_cipher": "BIP-GMAC-256",
+ "ieee80211w": "2",
+ "ieee8021x": "1",
+ 'auth_server_addr': "127.0.0.1",
+ 'auth_server_port': "18129",
+ 'auth_server_shared_secret': "radius",
+ 'nas_identifier': "nas.w1.fi" }
+ hapd = hostapd.add_ap(apdev[0], params)
+
+ dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
+ ieee80211w="2",
+ #openssl_ciphers="SUITEB192",
+ eap="TLS", identity="tls user",
+ ca_cert="auth_serv/ec2-ca.pem",
+ client_cert="auth_serv/ec2-user-p256.pem",
+ private_key="auth_serv/ec2-user-p256.key",
+ pairwise="GCMP-256", group="GCMP-256", scan_freq="2412",
+ wait_connect=False)
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
+ if ev is None:
+ raise Exception("EAP-Failure not reported")
+ ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=5)
+ if ev is None:
+ raise Exception("Disconnection not reported")
+ if "reason=23" not in ev:
+ raise Exception("Unexpected disconnection reason: " + ev);
+
def test_suite_b_pmkid_failure(dev, apdev):
"""WPA2/GCMP connection at Suite B 128-bit level and PMKID derivation failure"""
check_suite_b_capa(dev)
projects / thirdparty / hostap.git / commitdiff
