autotests: Test encrypted private keys with EAP-TLS

Make 3 connections in test EAP-TLS, one with an unencrypted private key, one with the private key passphrase provided in the provisioning file and one with the passphrase provided through the agent. Also improve the scanning logic at the beginning.
2018-04-26 11:29:27 +02:00 · 2018-04-26 11:29:27 +02:00 · 25a9d2a71f
parent 56d3d40f30
commit 25a9d2a71f
8 changed files with 134 additions and 9 deletions
--- a/autotests/misc/certs/cert-client-key-md5-des.pem
+++ b/autotests/misc/certs/cert-client-key-md5-des.pem
@ -0,0 +1,29 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIE6TAbBgkqhkiG9w0BBQMwDgQI4Jws4ZHp7oQCAggABIIEyGImScBCorOX2u/F
+ISGvMBLavYPfA1f349fcfPfjbMeTLtrubuFfSYJDrB1KaP4oWsK3RA8AjuNtP49N
+fWjaAD6E9YTcNPVODgqNaoeslatqszPEqsqfx+vz1inTc+dyZ8ZYTWDlWAFSC33B
+k6z5CX68YdujTI9hBtkwAJuCoSSIKJNM7duSXzlxM3IfCfzRn4BuO+8usdxqrc5A
+p1R+LvDehIeOrQxkpJE3oHPq1xcCG4/WOnHWwRlmHmQIc2Z+ZLdgFjXYLvmNG58B
+PcBAxWjppmZZMXiMqIoZxqQ7hBhwqI2wxCFYAihf4cgn6bT37sv0CeNPjRHfftpr
+3tWgSeqLbov7Sfm5f1tq3AhJ3om8aaHEL8vUexs0j9mKhJyM0gyel+d1pHSi9/Ka
+U/qNk2KzhZl4+/p7ngjkK8or7IDgbRQWzRXac6uxnvhDRuCZWWAjgzq7A9KdjMCf
+T0+OX9USpOl2/cQSeKdRY5xKLBudQGilMvKZwd+rxBMkDBCwl+fj5HX1Tcj085kv
+CSEOpA90HvqI9VvdxPw0KKWTc/d3FgWKVVzEqtVUCbtDGXZnv3Kt9F05zoX/wL2k
+PkCd7yQouCYxPevVVz1kus5mwWHaZbEUW6S9GUSeZXs/Itb9Jwl9X6m1G9e393U+
+FQb95dfDzP1zQzemLJ+Iu6rkmKNC6x1pC+hNG3jy5QRoQ9wB4WV4q3JRHFUECEgd
+CAN52Saz9f7qt1MmoNPM0fSS+ovh08KoABEI7mp8s9fFj0b7x9h/zlRgigNKp+JE
+N9/51OSopajlse0ly+1zb8I2iOGeA3U4cvZG5mEP+kstJvdD4PYgx9cWDm6EDKmN
+4nIL48aNoWFxa7MGJsmQo56QmGAxG7lZusVu4lYUvHQsmqDQWhqBz1k/f4GzioN0
+7wslyuElIrZyRugYdh+Epy7WbXRi9nBhwuWpOx8TnwOszWIfJT7NLWH+/SaVzuG4
+IsR1gnaQ5HLPyXxuaJkzcZs7EOG5S5MT7tDW9i72RZUiUPGztmhOLxkYrH/r3UCa
+8Agc1nYXs8VH9sV+LMMGdCVoY/RwJvZwf13fqnLcmIA4iI8cDf1beUVm1JvdgIL/
+5Pbxyh2sAzyk/DIFD6yCQUacBKkR3EAXPG9gm5jebjHOU+gxSt69e3jgA1BvuoS5
+S3xLePrZnGZuPjM2PQX6LW1wWBtNlhbqWAkyeL3YwEwv2FjluFqALB/He/MaNly3
+UXFULImo8C/2UF9y9hgoSuamFqlKtgaNBUlqNPxX0EQmyCuqBEGYaouZ2TzPfZ44
+Jf6p6sQZeEmklEIDkaC9DvAGU7DPRfxolLpYHvdHQTwnjKMbFkg7FSAzzdNiKKeR
+nEnCkaofA2FASfQaZvOkewACaZfqJ1FCSsoetYq2Ulf8o1f8j/QM+JIq4p0DIybz
+4gsBmg05xufNiZNqZrrFc0/HcZkT3ahgtY+TMzU8d0hAS7roFNlM2lpaE69HJeTZ
+rhRO7/VAU2Kb0bQI5UWe4yfvbPBmmaxw06lPahlBAEgqeULwfVWBPafjSyq8vPag
+9RzpwSASqL6dv89qdOPE0JioA9xZ3cemlVOgqzd04AkdnDf3flGCJa6O9BujGm72
+8t0TmXLstK7YNaxQYA==
+-----END ENCRYPTED PRIVATE KEY-----
--- a/autotests/misc/certs/cert-client-key-v2-des-ede3.pem
+++ b/autotests/misc/certs/cert-client-key-v2-des-ede3.pem
@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIVG6rLrQ+fVgCAggA
+MBQGCCqGSIb3DQMHBAizDQ76m4Q4ZQSCBMh50R/dRYR4agewBCpNNVYIHV/wotfZ
+PhhwcJQFZMmp50rCI9rh13w8TSr+KDreXTY+XzvqFS7fbB0JV3QWlv2wvqkAFXoJ
+CYlE40WXg5Qd2H849IyLEil8J5mvoZohDZYNk82zi+PSvkvxJ8d1RJIiHHhmReeC
+0+rDHd9C+Xr2MVBOMA+gimx/P3qtS4jI0qjmzyUiorHa9lvY5qzxbMibi4mEAjBy
+VWviWHszpCwKVapODFlG2r5R2wvmhp4GUGSigi7KtL7hijEbsh4CW2RqYLR733Nx
+WdsyIc4sD3908ttfQSmsSt6vchAMkelwFizGSEFLMsCne3MGjVsLpVitg6nswl6N
+pvngZu0zaggWFVPRIt+vIimeHrujzoiUuzDizjOVzCiyRkrFuJEMwN3l/AaSxUiG
+lOWga1Eb+McH3oJNU1WtrL7gDwfmKFc26D7xNMnGLcdYxfM1F98XfM3FVswaHdC7
+0uTmEmMdhpoNw4CWai37NpigW01cDnxMMpFuX0yTU8GUU/JkBgZ4NHE1sTZrFiOf
+mMr83waumMGwwChhZAd1qDRB35c1HLvVqBt3HkdcyCZP1JBxG4QLrw7IVzG+knlj
+QdrBC/lDNA15wG27v5hRUVEoeFRJkOllUlSqfh0PmJw2t32BP8dS6EsM8eTpnQ7R
+ysqO5CVZ3WTNFwIZ7wD8zmaBOamkZ1OzOluYFL5sBHGRM05pSEsYOivsi7tlp5Gj
+ZQjR+qSKLT34R4QxWhziWgNC/ynjVuWNWX67p1T/ngsM9kGa6cm84XbHQL7CqUyX
+H7vOWtWHGCclS1Ori5vjFP8/qdOVGMpiKnX8HvoBv6zxJvfMYNAz39MMewlfHdCa
+vEvBVwxLYRxbaL1IGNUebXVyn7JNRhuDm1SDNU1ADj8GW4AL5+22D9xArz8Lnkrj
+lvHm1NMIckciFYHraKmIPeJLiLIxDJ1SX+WgJGLo+P0W2TJLHAnQl5a1KzJOsIq
+/y35Q4mFLX0JE4mzAj2S1bsVate4FZpnKqVT0mfN5/UPSnQOpJKRSTYV9QJm1mGb
+gtdvwSvSniyjSSP/MAB+M7C0N4syC4N4sXYXJTKcM3CN/tN4ASycpkWRvXXLWRsj
+BuQq9z50ojdnx+twu2eG3eYRAGjEW7yOD3GHPQOtCx3IQDptmzYf2v4rk9x+IFfT
+L0ZfmyVevXgm9zjHI9s64Ok1g/6SL8lO+wszfjDs1zEgrMRfoVoKOBrWN7fYKiKi
+GBUeaZ9HgcM1ha/a63N1LPK9OPR2w4qh+DpCLpfvhzZN6IRv1oFddws8jwye1pJb
+1Po33NxHUfsOTX+lpc61NOEua7s3/Wu5gm0jBrX5c/aKCfXMsJHzW+0wl4SAXDog
+3Cl29/NAMSQDpQP9A91QSwHYkyzk4rBLcrbx6bQfFSHOqdl2dto+UJfiz+5PzD7s
+I7k72LGzrfIOq4brLbrLIGwj/ani/vvSZnXYzx3uUeP9w1EZSgNKC9HLBW7lyav3
+IlY7HAO2GMVlIdzynHPT3wMXtLqf/ykO+tkrEF4LjOu9r+cdhCxHum22vlgZKL7J
+J044ViKBro0CWL1wajpFQOvG/BG4VDJ/dfGee0iBr4R+CIkaUwVTCdRsibyZRM8E
+FL0=
+-----END ENCRYPTED PRIVATE KEY-----
--- a/autotests/testEAP-TLS/connection_test.py
+++ b/autotests/testEAP-TLS/connection_test.py
@ -6,14 +6,26 @@ import sys
 sys.path.append('../util')
 import iwd
 from iwd import IWD
+from iwd import PSKAgent
 from iwd import NetworkType
 import testutil
+import hostapd

 class Test(unittest.TestCase):

-    def test_connection_success(self):
+    def do_test_connection_success(self, ssid, passphrase=None):
        wd = IWD()

+        if passphrase:
+            psk_agent = PSKAgent(passphrase)
+            wd.register_psk_agent(psk_agent)
+
+        hostapd_ifname = None
+        for ifname in hostapd.hostapd_map:
+            if ssid + '.conf' in hostapd.hostapd_map[ifname].config:
+                hostapd_ifname = ifname
+                break
+
        devices = wd.list_devices();
        self.assertIsNotNone(devices)
        device = devices[0]
@ -21,15 +33,16 @@ class Test(unittest.TestCase):
        condition = 'not obj.scanning'
        wd.wait_for_object_condition(device, condition)

-        device.scan()
-
-        condition = 'not obj.scanning'
-        wd.wait_for_object_condition(device, condition)
+        if not device.get_ordered_networks():
+            device.scan()
+            condition = 'obj.scanning'
+            wd.wait_for_object_condition(device, condition)
+            condition = 'not obj.scanning'
+            wd.wait_for_object_condition(device, condition)

        ordered_networks = device.get_ordered_networks()
-        ordered_network = ordered_networks[0]
+        ordered_network = [n for n in ordered_networks if n.name == ssid][0]

-        self.assertEqual(ordered_network.name, "ssidEAP-TLS")
        self.assertEqual(ordered_network.type, NetworkType.eap)

        condition = 'not obj.connected'
@ -41,16 +54,30 @@ class Test(unittest.TestCase):
        wd.wait_for_object_condition(ordered_network.network_object, condition)

        testutil.test_iface_operstate()
-        testutil.test_ifaces_connected()
+        testutil.test_ifaces_connected(hostapd_ifname, 'wln3')

        device.disconnect()

        condition = 'not obj.connected'
        wd.wait_for_object_condition(ordered_network.network_object, condition)

+        if passphrase:
+            wd.unregister_psk_agent(psk_agent)
+
+    def test_eap_tls(self):
+        self.do_test_connection_success('ssidEAP-TLS')
+
+    def test_eap_tls2(self):
+        self.do_test_connection_success('ssidEAP-TLS2')
+
+    def test_eap_tls3(self):
+        self.do_test_connection_success('ssidEAP-TLS3', 'abc')
+
    @classmethod
    def setUpClass(cls):
        IWD.copy_to_storage('ssidEAP-TLS.8021x')
+        IWD.copy_to_storage('ssidEAP-TLS2.8021x')
+        IWD.copy_to_storage('ssidEAP-TLS3.8021x')

    @classmethod
    def tearDownClass(cls):
--- a/autotests/testEAP-TLS/hw.conf
+++ b/autotests/testEAP-TLS/hw.conf
@ -1,6 +1,8 @@
 [SETUP]
-num_radios=2
+num_radios=4
 tmpfs_extra_stuff=../misc/certs

 [HOSTAPD]
 rad0=ssidEAP-TLS.conf
+rad1=ssidEAP-TLS2.conf
+rad2=ssidEAP-TLS3.conf
--- a/autotests/testEAP-TLS/ssidEAP-TLS2.8021x
+++ b/autotests/testEAP-TLS/ssidEAP-TLS2.8021x
@ -0,0 +1,7 @@
+[Security]
+EAP-Method=TLS
+EAP-TLS-CACert=/tmp/certs/cert-ca.pem
+EAP-TLS-ClientCert=/tmp/certs/cert-client.pem
+EAP-TLS-ClientKey=/tmp/certs/cert-client-key-md5-des.pem
+EAP-TLS-ClientKeyPassphrase=abc
+EAP-Identity=abc@example.com
--- a/autotests/testEAP-TLS/ssidEAP-TLS2.conf
+++ b/autotests/testEAP-TLS/ssidEAP-TLS2.conf
@ -0,0 +1,12 @@
+hw_mode=g
+channel=2
+ssid=ssidEAP-TLS2
+
+wpa=3
+wpa_key_mgmt=WPA-EAP
+ieee8021x=1
+eap_server=1
+eap_user_file=/tmp/certs/eap-user-tls.text
+ca_cert=/tmp/certs/cert-ca.pem
+server_cert=/tmp/certs/cert-server.pem
+private_key=/tmp/certs/cert-server-key.pem
--- a/autotests/testEAP-TLS/ssidEAP-TLS3.8021x
+++ b/autotests/testEAP-TLS/ssidEAP-TLS3.8021x
@ -0,0 +1,6 @@
+[Security]
+EAP-Method=TLS
+EAP-TLS-CACert=/tmp/certs/cert-ca.pem
+EAP-TLS-ClientCert=/tmp/certs/cert-client.pem
+EAP-TLS-ClientKey=/tmp/certs/cert-client-key-v2-des-ede3.pem
+EAP-Identity=abc@example.com
--- a/autotests/testEAP-TLS/ssidEAP-TLS3.conf
+++ b/autotests/testEAP-TLS/ssidEAP-TLS3.conf
@ -0,0 +1,12 @@
+hw_mode=g
+channel=3
+ssid=ssidEAP-TLS3
+
+wpa=3
+wpa_key_mgmt=WPA-EAP
+ieee8021x=1
+eap_server=1
+eap_user_file=/tmp/certs/eap-user-tls.text
+ca_cert=/tmp/certs/cert-ca.pem
+server_cert=/tmp/certs/cert-server.pem
+private_key=/tmp/certs/cert-server-key.pem