From 279a0afffbf5bde7bd6da5f0d6cde0bd4bb5cfee Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 11 Jan 2015 20:17:51 +0200
Subject: [PATCH] tests: Generate a fresh OCSP response for each test run
GnuTLS has a hardcoded three day limit on OCSP response age regardless of the next update value in the response. To make this work in the test scripts, try to generate a new response when starting the authentication server. The old mechanism of a response without next update value is used as a backup option if openssl is not available or fails to generate the response for some reason.
Signed-off-by: Jouni Malinen
---
 tests/hwsim/auth_serv/as.conf | 2 +-
 tests/hwsim/auth_serv/as2.conf | 2 +-
 tests/hwsim/auth_serv/index.txt | 8 ++++
 tests/hwsim/auth_serv/ocsp-req.der | Bin 0 -> 113 bytes
 tests/hwsim/auth_serv/ocsp-responder.key | 16 +++++++
 tests/hwsim/auth_serv/ocsp-responder.pem | 54 +++++++++++++++++++++++
 tests/hwsim/start.sh | 16 ++++++-
 7 files changed, 94 insertions(+), 4 deletions(-)
 create mode 100644 tests/hwsim/auth_serv/index.txt
 create mode 100644 tests/hwsim/auth_serv/ocsp-req.der
 create mode 100644 tests/hwsim/auth_serv/ocsp-responder.key
 create mode 100644 tests/hwsim/auth_serv/ocsp-responder.pem
diff --git a/tests/hwsim/auth_serv/as.conf b/tests/hwsim/auth_serv/as.conf
index 8d9c78b81..0d89b92cc 100644
--- a/tests/hwsim/auth_serv/as.conf
+++ b/tests/hwsim/auth_serv/as.conf
@@ -11,7 +11,7 @@ ctrl_interface_group=admin
 ca_cert=auth_serv/ca.pem
 server_cert=auth_serv/server.pem
 private_key=auth_serv/server.key
-ocsp_stapling_response=auth_serv/ocsp-server-cache.der
+ocsp_stapling_response=LOGDIR/ocsp-server-cache.der
 server_id=server.w1.fi
 eap_sim_db=unix:/tmp/hlr_auc_gw.sock
 dh_file=auth_serv/dh.conf
diff --git a/tests/hwsim/auth_serv/as2.conf b/tests/hwsim/auth_serv/as2.conf
index 6261a0902..d9ee031ef 100644
--- a/tests/hwsim/auth_serv/as2.conf
+++ b/tests/hwsim/auth_serv/as2.conf
@@ -11,7 +11,7 @@ ctrl_interface_group=admin
 ca_cert=auth_serv/ca.pem
 server_cert=auth_serv/server.pem
 private_key=auth_serv/server.key
-ocsp_stapling_response=auth_serv/ocsp-server-cache.der
+ocsp_stapling_response=LOGDIR/ocsp-server-cache.der
 server_id=server2.w1.fi
 eap_sim_db=unix:/tmp/hlr_auc_gw.sock
 db=LOGDIR/hostapd.db
 dh_file=auth_serv/dh.conf
diff --git a/tests/hwsim/auth_serv/index.txt b/tests/hwsim/auth_serv/index.txt
new file mode 100644
index 000000000..52c8e0c37
--- /dev/null
+++ b/tests/hwsim/auth_serv/index.txt
@@ -0,0 +1,8 @@
+V 230627164122Z D8D3E3A6CBE3CCC1 unknown /C=FI/O=w1.fi/CN=Root CA
+V 150215075930Z D8D3E3A6CBE3CCC9 unknown /C=FI/O=w1.fi/CN=server3.w1.fi
+V 140102000000Z D8D3E3A6CBE3CCCA unknown /C=FI/O=w1.fi/CN=server4.w1.fi
+V 150215083008Z D8D3E3A6CBE3CCCB unknown /C=FI/O=w1.fi/CN=server5.w1.fi
+V 150228224144Z D8D3E3A6CBE3CCCC unknown /C=FI/O=w1.fi/CN=server6.w1.fi
+V 160111185024Z D8D3E3A6CBE3CCCD unknown /C=FI/O=w1.fi/CN=ocsp.w1.fi
+V 150929211122Z D8D3E3A6CBE3CCD0 unknown /C=FI/O=w1.fi/CN=server.w1.fi
+V 150929211300Z D8D3E3A6CBE3CCD1 unknown /C=FI/O=w1.fi/CN=Test User
diff --git a/tests/hwsim/auth_serv/ocsp-req.der b/tests/hwsim/auth_serv/ocsp-req.der
new file mode 100644
index 0000000000000000000000000000000000000000..20999b93f18a9e56f2c7b4a968766e5e8cf834c8
GIT binary patch literal 113 zcmV-%0FM7KZ!m2zMleJ$LNEyi1uG5%0vZJX1Qg70P%pT%wz0lW4`acpf@MPD1Ahb* zxRT!eiWsvn!=F|2GhMXEDT+Z90to=v)8nSgaBQPN_9|j341_1>H2QUEw1QG-g T`TkDX?vjuiov9~A^hhkes$MCQ literal 0 HcmV?d00001
diff --git a/tests/hwsim/auth_serv/ocsp-responder.key b/tests/hwsim/auth_serv/ocsp-responder.key
new file mode 100644
index 000000000..fb866fbf5
--- /dev/null
+++ b/tests/hwsim/auth_serv/ocsp-responder.key
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALJeLx3nLPZsq7AW
+nvoSL7JMyCN7aAh2OIOX9T8FrF3ZganOdZKhvJbGyADuHtfw2orY58DXQsMlYufH
+YPqogkwbznOaq42z/j22fwH+WWRCdagEGActImQnufGvAbTtv6bqkXjRnDD1YTf/
++Rv4Fl9rdzL51+OdDNXDuUMW8DrDAgMBAAECgYAja1yD3aIqFQ5K21MaaX4bM/AS
+S7Eu7Prv9r72ktPVlxmOdLcYNRHUBwk0VhS94NAk/kmXG6fgRI5NZGQ3ojqtOXLV
+VhlcitYAfJvNpyKmFKgdGZQIxaaQr/F2X8tH5yFdIt+6mDOGptTb/S3ljQwNsg59
+7t/jYzSe5mK/Gbw4MQJBAN3sZqGz6ABygLTuTiXhE9sCXDSGy4d8ZWMaajuD7N6k
+sAGKsaiVozeIvg0JNiCMm02A8M/cWjGedDWFxrnvvF8CQQDNwagUpozfXMboibHI
+BNwpUzyri/5bqJ/dU7/sAOA1AZ9yoO5s2WlNutXkG3mDoQCzseG/pNxU403dU0jQ
+wpwdAkEAk5lbWUkSkNmXCL9GcqMUVaFoOfc8/suZkyRKa3L+48Wc2imop3t+przn
+yjvKKDPcRtvvThA8XKwKll53Ict0+QJBAKj7o09Sed/4EmRosdnUI/zMn8dD8mLU
+2narkbQCBCGEc69w/F/pLtLn30K4TdQNJsZuETmT7GDLTee3vtW0/wECQCtyVgw/
+aZ0QTac8ut1oG072qOA2cFGhEuDELlX8JcNy28ygmzn0KS8uiTsq6YVu8V7WCj4X
+EkAZMm19nY5ZE+A=
+-----END PRIVATE KEY-----
diff --git a/tests/hwsim/auth_serv/ocsp-responder.pem b/tests/hwsim/auth_serv/ocsp-responder.pem
new file mode 100644
index 000000000..bbde1e8ef
--- /dev/null
+++ b/tests/hwsim/auth_serv/ocsp-responder.pem
@@ -0,0 +1,54 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 15624081837803162829 (0xd8d3e3a6cbe3cccd)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=FI, O=w1.fi, CN=Root CA
+ Validity
+ Not Before: Jan 11 18:50:24 2015 GMT
+ Not After : Jan 11 18:50:24 2016 GMT
+ Subject: C=FI, O=w1.fi, CN=ocsp.w1.fi
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (1024 bit)
+ Modulus:
+ 00:b2:5e:2f:1d:e7:2c:f6:6c:ab:b0:16:9e:fa:12:
+ 2f:b2:4c:c8:23:7b:68:08:76:38:83:97:f5:3f:05:
+ ac:5d:d9:81:a9:ce:75:92:a1:bc:96:c6:c8:00:ee:
+ 1e:d7:f0:da:8a:d8:e7:c0:d7:42:c3:25:62:e7:c7:
+ 60:fa:a8:82:4c:1b:ce:73:9a:ab:8d:b3:fe:3d:b6:
+ 7f:01:fe:59:64:42:75:a8:04:18:07:2d:22:64:27:
+ b9:f1:af:01:b4:ed:bf:a6:ea:91:78:d1:9c:30:f5:
+ 61:37:ff:f9:1b:f8:16:5f:6b:77:32:f9:d7:e3:9d:
+ 0c:d5:c3:b9:43:16:f0:3a:c3
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ X509v3 Extended Key Usage:
+ OCSP Signing
+ Signature Algorithm: sha256WithRSAEncryption
+ 41:42:b6:70:4a:70:1f:ad:d9:25:f7:02:94:bd:91:b7:69:ad:
+ 31:59:c6:2a:4e:5e:4a:ed:5d:c1:24:09:98:94:15:42:86:2c:
+ b2:9d:62:7a:e0:ec:60:39:47:93:c9:c7:61:01:b5:2c:00:53:
+ 86:6e:66:99:ee:b3:57:5d:fb:83:6b:d3:77:26:0c:c7:2d:16:
+ ea:84:69:59:b7:a8:de:35:61:0b:7a:f3:62:1e:1a:94:91:c4:
+ bd:85:4a:63:10:09:11:88:75:c9:f5:57:84:9a:ef:d1:78:29:
+ 5e:76:fc:33:76:84:b2:b5:f6:88:cc:fb:f9:cf:9f:b4:88:29:
+ 3c:9d
+-----BEGIN CERTIFICATE-----
+MIICDjCCAXegAwIBAgIJANjT46bL48zNMA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNV
+BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNTAx
+MTExODUwMjRaFw0xNjAxMTExODUwMjRaMDIxCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
+DAV3MS5maTETMBEGA1UEAwwKb2NzcC53MS5maTCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAsl4vHecs9myrsBae+hIvskzII3toCHY4g5f1PwWsXdmBqc51kqG8
+lsbIAO4e1/DaitjnwNdCwyVi58dg+qiCTBvOc5qrjbP+PbZ/Af5ZZEJ1qAQYBy0i
+ZCe58a8BtO2/puqReNGcMPVhN//5G/gWX2t3MvnX450M1cO5QxbwOsMCAwEAAaMv
+MC0wCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwEwYDVR0lBAwwCgYIKwYBBQUHAwkw
+DQYJKoZIhvcNAQELBQADgYEAQUK2cEpwH63ZJfcClL2Rt2mtMVnGKk5eSu1dwSQJ
+mJQVQoYssp1ieuDsYDlHk8nHYQG1LABThm5mme6zV137g2vTdyYMxy0W6oRpWbeo
+3jVhC3rzYh4alJHEvYVKYxAJEYh1yfVXhJrv0XgpXnb8M3aEsrX2iMz7+c+ftIgp
+PJ0=
+-----END CERTIFICATE-----
diff --git a/tests/hwsim/start.sh b/tests/hwsim/start.sh
index 9ffb482de..778daef07 100755
--- a/tests/hwsim/start.sh
+++ b/tests/hwsim/start.sh
@@ -65,8 +65,8 @@ for i in 0 1 2; do
 sed "s/ GROUP=.*$/ GROUP=$GROUP/" "$DIR/p2p$i.conf" > "$LOGDIR/p2p$i.conf"
 done
-sed "s/group=admin/group=$GROUP/" "$DIR/auth_serv/as.conf" > "$LOGDIR/as.conf"
-sed "s/group=admin/group=$GROUP/;s%LOGDIR%$LOGDIR%" "$DIR/auth_serv/as2.conf" > "$LOGDIR/as2.conf"
+sed "s/group=admin/group=$GROUP/;s%LOGDIR%$LOGDIR%g" "$DIR/auth_serv/as.conf" > "$LOGDIR/as.conf"
+sed "s/group=admin/group=$GROUP/;s%LOGDIR%$LOGDIR%g" "$DIR/auth_serv/as2.conf" > "$LOGDIR/as2.conf"
 if [ "$1" = "valgrind" ]; then
 VALGRIND=y
@@ -122,6 +122,18 @@ if [ -x $HLR_AUC_GW ]; then
 sudo $HLR_AUC_GW -u -m $LOGDIR/hlr_auc_gw.milenage_db -g $DIR/auth_serv/hlr_auc_gw.gsm > $LOGDIR/hlr_auc_gw &
 fi
+openssl ocsp -index $DIR/auth_serv/index.txt \
+ -rsigner $DIR/auth_serv/ocsp-responder.pem \
+ -rkey $DIR/auth_serv/ocsp-responder.key \
+ -CA $DIR/auth_serv/ca.pem \
+ -issuer $DIR/auth_serv/ca.pem \
+ -verify_other $DIR/auth_serv/ca.pem -trust_other \
+ -ndays 7 \
+ -reqin $DIR/auth_serv/ocsp-req.der \
+ -respout $LOGDIR/ocsp-server-cache.der > $LOGDIR/ocsp.log 2>&1
+if [ ! -r $LOGDIR/ocsp-server-cache.der ]; then
+ cp $DIR/auth_serv/ocsp-server-cache.der $LOGDIR/ocsp-server-cache.der
+fi
 touch $LOGDIR/hostapd.db
 sudo $HAPD_AS -ddKt $LOGDIR/as.conf $LOGDIR/as2.conf > $LOGDIR/auth_serv &
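Review bot: The fallback in the second start.sh hunk keys only on whether `$LOGDIR/ocsp-server-cache.der` is readable, so a run in which `openssl ocsp` exits non-zero but still leaves an empty or truncated response file would be stapled by hostapd instead of the static cached response, and the exit status itself is discarded. Since the `if` directly follows the command, `if [ $? -ne 0 ] || [ ! -s $LOGDIR/ocsp-server-cache.der ]; then` covers both cases, and an `echo "openssl ocsp failed, using static ocsp-server-cache.der" >> $LOGDIR/ocsp.log` inside the branch records that the fallback was taken. That trace matters because the responder certificate added in this commit is only valid until Jan 11 2016 (see ocsp-responder.pem), after which clients would presumably reject freshly signed responses and the test would degrade silently to the old mechanism that the commit message describes as already failing GnuTLS's three-day age limit. Both start.sh hunks are at script top level, outside any function.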