From 25a9d2a71fb741cfb545fe1f49818e4f34988de7 Mon Sep 17 00:00:00 2001
From: Andrew Zaborowski
Date: Thu, 26 Apr 2018 11:29:27 +0200
Subject: [PATCH] autotests: Test encrypted private keys with EAP-TLS

Make 3 connections in test EAP-TLS, one with an unencrypted private key, one with the private key passphrase provided in the provisioning file and one with the passphrase provided through the agent. Also improve the scanning logic at the beginning.
---
 .../misc/certs/cert-client-key-md5-des.pem | 29 +++++++++++++
 .../certs/cert-client-key-v2-des-ede3.pem | 30 +++++++++++++
 autotests/testEAP-TLS/connection_test.py | 43 +++++++++++++++----
 autotests/testEAP-TLS/hw.conf | 4 +-
 autotests/testEAP-TLS/ssidEAP-TLS2.8021x | 7 +++
 autotests/testEAP-TLS/ssidEAP-TLS2.conf | 12 ++++++
 autotests/testEAP-TLS/ssidEAP-TLS3.8021x | 6 +++
 autotests/testEAP-TLS/ssidEAP-TLS3.conf | 12 ++++++
 8 files changed, 134 insertions(+), 9 deletions(-)
 create mode 100644 autotests/misc/certs/cert-client-key-md5-des.pem
 create mode 100644 autotests/misc/certs/cert-client-key-v2-des-ede3.pem
 create mode 100644 autotests/testEAP-TLS/ssidEAP-TLS2.8021x
 create mode 100644 autotests/testEAP-TLS/ssidEAP-TLS2.conf
 create mode 100644 autotests/testEAP-TLS/ssidEAP-TLS3.8021x
 create mode 100644 autotests/testEAP-TLS/ssidEAP-TLS3.conf
diff --git a/autotests/misc/certs/cert-client-key-md5-des.pem b/autotests/misc/certs/cert-client-key-md5-des.pem
new file mode 100644
index 00000000..e3edfc58
--- /dev/null
+++ b/autotests/misc/certs/cert-client-key-md5-des.pem
@@ -0,0 +1,29 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIE6TAbBgkqhkiG9w0BBQMwDgQI4Jws4ZHp7oQCAggABIIEyGImScBCorOX2u/F +ISGvMBLavYPfA1f349fcfPfjbMeTLtrubuFfSYJDrB1KaP4oWsK3RA8AjuNtP49N +fWjaAD6E9YTcNPVODgqNaoeslatqszPEqsqfx+vz1inTc+dyZ8ZYTWDlWAFSC33B +k6z5CX68YdujTI9hBtkwAJuCoSSIKJNM7duSXzlxM3IfCfzRn4BuO+8usdxqrc5A +p1R+LvDehIeOrQxkpJE3oHPq1xcCG4/WOnHWwRlmHmQIc2Z+ZLdgFjXYLvmNG58B +PcBAxWjppmZZMXiMqIoZxqQ7hBhwqI2wxCFYAihf4cgn6bT37sv0CeNPjRHfftpr +3tWgSeqLbov7Sfm5f1tq3AhJ3om8aaHEL8vUexs0j9mKhJyM0gyel+d1pHSi9/Ka +U/qNk2KzhZl4+/p7ngjkK8or7IDgbRQWzRXac6uxnvhDRuCZWWAjgzq7A9KdjMCf +T0+OX9USpOl2/cQSeKdRY5xKLBudQGilMvKZwd+rxBMkDBCwl+fj5HX1Tcj085kv +CSEOpA90HvqI9VvdxPw0KKWTc/d3FgWKVVzEqtVUCbtDGXZnv3Kt9F05zoX/wL2k +PkCd7yQouCYxPevVVz1kus5mwWHaZbEUW6S9GUSeZXs/Itb9Jwl9X6m1G9e393U+ +FQb95dfDzP1zQzemLJ+Iu6rkmKNC6x1pC+hNG3jy5QRoQ9wB4WV4q3JRHFUECEgd +CAN52Saz9f7qt1MmoNPM0fSS+ovh08KoABEI7mp8s9fFj0b7x9h/zlRgigNKp+JE +N9/51OSopajlse0ly+1zb8I2iOGeA3U4cvZG5mEP+kstJvdD4PYgx9cWDm6EDKmN +4nIL48aNoWFxa7MGJsmQo56QmGAxG7lZusVu4lYUvHQsmqDQWhqBz1k/f4GzioN0 +7wslyuElIrZyRugYdh+Epy7WbXRi9nBhwuWpOx8TnwOszWIfJT7NLWH+/SaVzuG4 +IsR1gnaQ5HLPyXxuaJkzcZs7EOG5S5MT7tDW9i72RZUiUPGztmhOLxkYrH/r3UCa +8Agc1nYXs8VH9sV+LMMGdCVoY/RwJvZwf13fqnLcmIA4iI8cDf1beUVm1JvdgIL/ +5Pbxyh2sAzyk/DIFD6yCQUacBKkR3EAXPG9gm5jebjHOU+gxSt69e3jgA1BvuoS5 +S3xLePrZnGZuPjM2PQX6LW1wWBtNlhbqWAkyeL3YwEwv2FjluFqALB/He/MaNly3 +UXFULImo8C/2UF9y9hgoSuamFqlKtgaNBUlqNPxX0EQmyCuqBEGYaouZ2TzPfZ44 +Jf6p6sQZeEmklEIDkaC9DvAGU7DPRfxolLpYHvdHQTwnjKMbFkg7FSAzzdNiKKeR +nEnCkaofA2FASfQaZvOkewACaZfqJ1FCSsoetYq2Ulf8o1f8j/QM+JIq4p0DIybz +4gsBmg05xufNiZNqZrrFc0/HcZkT3ahgtY+TMzU8d0hAS7roFNlM2lpaE69HJeTZ +rhRO7/VAU2Kb0bQI5UWe4yfvbPBmmaxw06lPahlBAEgqeULwfVWBPafjSyq8vPag +9RzpwSASqL6dv89qdOPE0JioA9xZ3cemlVOgqzd04AkdnDf3flGCJa6O9BujGm72 +8t0TmXLstK7YNaxQYA== +-----END ENCRYPTED PRIVATE KEY----- diff --git a/autotests/misc/certs/cert-client-key-v2-des-ede3.pem b/autotests/misc/certs/cert-client-key-v2-des-ede3.pem new file mode 100644 index 00000000..e94d345b 
--- /dev/null +++ b/autotests/misc/certs/cert-client-key-v2-des-ede3.pem @@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIVG6rLrQ+fVgCAggA +MBQGCCqGSIb3DQMHBAizDQ76m4Q4ZQSCBMh50R/dRYR4agewBCpNNVYIHV/wotfZ +PhhwcJQFZMmp50rCI9rh13w8TSr+KDreXTY+XzvqFS7fbB0JV3QWlv2wvqkAFXoJ +CYlE40WXg5Qd2H849IyLEil8J5mvoZohDZYNk82zi+PSvkvxJ8d1RJIiHHhmReeC +0+rDHd9C+Xr2MVBOMA+gimx/P3qtS4jI0qjmzyUiorHa9lvY5qzxbMibi4mEAjBy +VWviWHszpCwKVapODFlG2r5R2wvmhp4GUGSigi7KtL7hijEbsh4CW2RqYLR733Nx +WdsyIc4sD3908ttfQSmsSt6vchAMkelwFizGSEFLMsCne3MGjVsLpVitg6nswl6N +pvngZu0zaggWFVPRIt+vIimeHrujzoiUuzDizjOVzCiyRkrFuJEMwN3l/AaSxUiG +lOWga1Eb+McH3oJNU1WtrL7gDwfmKFc26D7xNMnGLcdYxfM1F98XfM3FVswaHdC7 +0uTmEmMdhpoNw4CWai37NpigW01cDnxMMpFuX0yTU8GUU/JkBgZ4NHE1sTZrFiOf +mMr83waumMGwwChhZAd1qDRB35c1HLvVqBt3HkdcyCZP1JBxG4QLrw7IVzG+knlj +QdrBC/lDNA15wG27v5hRUVEoeFRJkOllUlSqfh0PmJw2t32BP8dS6EsM8eTpnQ7R +ysqO5CVZ3WTNFwIZ7wD8zmaBOamkZ1OzOluYFL5sBHGRM05pSEsYOivsi7tlp5Gj +ZQjR+qSKLT34R4QxWhziWgNC/ynjVuWNWX67p1T/ngsM9kGa6cm84XbHQL7CqUyX +H7vOWtWHGCclS1Ori5vjFP8/qdOVGMpiKnX8HvoBv6zxJvfMYNAz39MMewlfHdCa +vEvBVwxLYRxbaL1IGNUebXVyn7JNRhuDm1SDNU1ADj8GW4AL5+22D9xArz8Lnkrj ++lvHm1NMIckciFYHraKmIPeJLiLIxDJ1SX+WgJGLo+P0W2TJLHAnQl5a1KzJOsIq +/y35Q4mFLX0JE4mzAj2S1bsVate4FZpnKqVT0mfN5/UPSnQOpJKRSTYV9QJm1mGb +gtdvwSvSniyjSSP/MAB+M7C0N4syC4N4sXYXJTKcM3CN/tN4ASycpkWRvXXLWRsj +BuQq9z50ojdnx+twu2eG3eYRAGjEW7yOD3GHPQOtCx3IQDptmzYf2v4rk9x+IFfT +L0ZfmyVevXgm9zjHI9s64Ok1g/6SL8lO+wszfjDs1zEgrMRfoVoKOBrWN7fYKiKi +GBUeaZ9HgcM1ha/a63N1LPK9OPR2w4qh+DpCLpfvhzZN6IRv1oFddws8jwye1pJb +1Po33NxHUfsOTX+lpc61NOEua7s3/Wu5gm0jBrX5c/aKCfXMsJHzW+0wl4SAXDog +3Cl29/NAMSQDpQP9A91QSwHYkyzk4rBLcrbx6bQfFSHOqdl2dto+UJfiz+5PzD7s +I7k72LGzrfIOq4brLbrLIGwj/ani/vvSZnXYzx3uUeP9w1EZSgNKC9HLBW7lyav3 +IlY7HAO2GMVlIdzynHPT3wMXtLqf/ykO+tkrEF4LjOu9r+cdhCxHum22vlgZKL7J +J044ViKBro0CWL1wajpFQOvG/BG4VDJ/dfGee0iBr4R+CIkaUwVTCdRsibyZRM8E +FL0= +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/autotests/testEAP-TLS/connection_test.py b/autotests/testEAP-TLS/connection_test.py index 172e3f55..816b04e3 100644 --- a/autotests/testEAP-TLS/connection_test.py +++ b/autotests/testEAP-TLS/connection_test.py @@ -6,14 +6,26 @@ import sys sys.path.append('../util') import iwd from iwd import IWD +from iwd import PSKAgent from iwd import NetworkType import testutil +import hostapd class Test(unittest.TestCase): - def test_connection_success(self): + def do_test_connection_success(self, ssid, passphrase=None): wd = IWD() + if passphrase: + psk_agent = PSKAgent(passphrase) + wd.register_psk_agent(psk_agent) + + hostapd_ifname = None + for ifname in hostapd.hostapd_map: + if ssid + '.conf' in hostapd.hostapd_map[ifname].config: + hostapd_ifname = ifname + break + devices = wd.list_devices(); self.assertIsNotNone(devices) device = devices[0] @@ -21,15 +33,16 @@ class Test(unittest.TestCase): condition = 'not obj.scanning' wd.wait_for_object_condition(device, condition) - device.scan() - - condition = 'not obj.scanning' - wd.wait_for_object_condition(device, condition) + if not device.get_ordered_networks(): + device.scan() + condition = 'obj.scanning' + wd.wait_for_object_condition(device, condition) + condition = 'not obj.scanning' + wd.wait_for_object_condition(device, condition) ordered_networks = device.get_ordered_networks() - ordered_network = ordered_networks[0] + ordered_network = [n for n in ordered_networks if n.name == ssid][0] - self.assertEqual(ordered_network.name, "ssidEAP-TLS") self.assertEqual(ordered_network.type, NetworkType.eap) condition = 'not obj.connected' 
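Review bot: The new `if not device.get_ordered_networks():` guard skips the scan whenever any network is already known, so with three APs configured the list can be non-empty and still lack `ssid`; the following `[n for n in ordered_networks if n.name == ssid][0]` then fails with a bare IndexError rather than a readable test failure. Scan on the condition that matters, `if not any(n.name == ssid for n in device.get_ordered_networks()):`, and assert that the filtered list is non-empty before indexing it. The `hostapd_ifname` loop earlier in the hunk has the same shape: the variable stays `None` when no hostapd config matches, so add `self.assertIsNotNone(hostapd_ifname)` after the loop. The method body continues past the end of this hunk.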
@@ -41,16 +54,30 @@ class Test(unittest.TestCase): wd.wait_for_object_condition(ordered_network.network_object, condition) testutil.test_iface_operstate() - testutil.test_ifaces_connected() + testutil.test_ifaces_connected(hostapd_ifname, 'wln3') device.disconnect() condition = 'not obj.connected' wd.wait_for_object_condition(ordered_network.network_object, condition) + if passphrase: + wd.unregister_psk_agent(psk_agent) + + def test_eap_tls(self): + self.do_test_connection_success('ssidEAP-TLS') + + def test_eap_tls2(self): + self.do_test_connection_success('ssidEAP-TLS2') + + def test_eap_tls3(self): + self.do_test_connection_success('ssidEAP-TLS3', 'abc') + @classmethod def setUpClass(cls): IWD.copy_to_storage('ssidEAP-TLS.8021x') + IWD.copy_to_storage('ssidEAP-TLS2.8021x') + IWD.copy_to_storage('ssidEAP-TLS3.8021x') @classmethod def tearDownClass(cls): diff --git a/autotests/testEAP-TLS/hw.conf b/autotests/testEAP-TLS/hw.conf index 0cbda377..44cd4239 100644 --- a/autotests/testEAP-TLS/hw.conf +++ b/autotests/testEAP-TLS/hw.conf @@ -1,6 +1,8 @@ [SETUP] -num_radios=2 +num_radios=4 tmpfs_extra_stuff=../misc/certs [HOSTAPD] rad0=ssidEAP-TLS.conf +rad1=ssidEAP-TLS2.conf +rad2=ssidEAP-TLS3.conf diff --git a/autotests/testEAP-TLS/ssidEAP-TLS2.8021x b/autotests/testEAP-TLS/ssidEAP-TLS2.8021x new file mode 100644 index 00000000..8314e7f7 --- /dev/null +++ b/autotests/testEAP-TLS/ssidEAP-TLS2.8021x @@ -0,0 +1,7 @@ +[Security] +EAP-Method=TLS +EAP-TLS-CACert=/tmp/certs/cert-ca.pem +EAP-TLS-ClientCert=/tmp/certs/cert-client.pem +EAP-TLS-ClientKey=/tmp/certs/cert-client-key-md5-des.pem +EAP-TLS-ClientKeyPassphrase=abc +EAP-Identity=abc@example.com diff --git a/autotests/testEAP-TLS/ssidEAP-TLS2.conf b/autotests/testEAP-TLS/ssidEAP-TLS2.conf new file mode 100644 index 00000000..ebb0f36b --- /dev/null +++ b/autotests/testEAP-TLS/ssidEAP-TLS2.conf 
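Review bot: `wd.unregister_psk_agent(psk_agent)` is reached only when every assertion and wait before it has passed, so a failure in `test_eap_tls3` leaves the agent that holds the key passphrase registered; whether that leaks into later tests depends on how `IWD()` instances are torn down, which is not visible here. Registering the cleanup next to `wd.register_psk_agent(psk_agent)` in the first hunk, `self.addCleanup(wd.unregister_psk_agent, psk_agent)`, removes the dependency on reaching the end of the method. The literal `'wln3'` in `testutil.test_ifaces_connected(hostapd_ifname, 'wln3')` also ties the test to the radio numbering implied by `num_radios=4` in hw.conf; a one-line comment saying why the fourth radio is the station, or taking the name from `device` if the wrapper exposes it, would keep a later hw.conf change from breaking this silently.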
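Review bot: `EAP-TLS-ClientKeyPassphrase=abc` in ssidEAP-TLS2.8021x sits in the same provisioning file that names the encrypted key, so in this configuration the key encryption protects nothing beyond what the file permissions on the .8021x file already do; the file should say that this is deliberate for the test. The key file names (`cert-client-key-md5-des.pem` here, `cert-client-key-v2-des-ede3.pem` in ssidEAP-TLS3.8021x) point to legacy password-based encryption schemes, which is reasonable for exercising the key parser but should not be read as a recommended setup. Assuming the settings parser accepts `#` comment lines, a header such as `# Test fixture: throwaway key and passphrase, legacy PBE on purpose` in both provisioning files would keep them from being copied as templates.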
@@ -0,0 +1,12 @@
+hw_mode=g
+channel=2
+ssid=ssidEAP-TLS2
+
+wpa=3
+wpa_key_mgmt=WPA-EAP
+ieee8021x=1
+eap_server=1
+eap_user_file=/tmp/certs/eap-user-tls.text
+ca_cert=/tmp/certs/cert-ca.pem
+server_cert=/tmp/certs/cert-server.pem
+private_key=/tmp/certs/cert-server-key.pem
diff --git a/autotests/testEAP-TLS/ssidEAP-TLS3.8021x b/autotests/testEAP-TLS/ssidEAP-TLS3.8021x
new file mode 100644
index 00000000..f0e2dddd
--- /dev/null
+++ b/autotests/testEAP-TLS/ssidEAP-TLS3.8021x
@@ -0,0 +1,6 @@
+[Security]
+EAP-Method=TLS
+EAP-TLS-CACert=/tmp/certs/cert-ca.pem
+EAP-TLS-ClientCert=/tmp/certs/cert-client.pem
+EAP-TLS-ClientKey=/tmp/certs/cert-client-key-v2-des-ede3.pem
+EAP-Identity=abc@example.com
diff --git a/autotests/testEAP-TLS/ssidEAP-TLS3.conf b/autotests/testEAP-TLS/ssidEAP-TLS3.conf
new file mode 100644
index 00000000..ebbeab13
--- /dev/null
+++ b/autotests/testEAP-TLS/ssidEAP-TLS3.conf
@@ -0,0 +1,12 @@
+hw_mode=g
+channel=3
+ssid=ssidEAP-TLS3
+
+wpa=3
+wpa_key_mgmt=WPA-EAP
+ieee8021x=1
+eap_server=1
+eap_user_file=/tmp/certs/eap-user-tls.text
+ca_cert=/tmp/certs/cert-ca.pem
+server_cert=/tmp/certs/cert-server.pem
+private_key=/tmp/certs/cert-server-key.pem