# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Try 802.1x authentication. The supplicant must be restarted between
# trials because it is "sticky" with regards to various parameters
# related to certificate authentication. A thread is currently afoot
# on the hostap mailing list about this, but for the time being we will
# do supplicant restarts to test.

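{ "name":"Check1x_AES",
  "steps":[ # Channel [any]
    # Bring up the AP and stage the server-side credentials on it: the
    # server CA cert, the server cert/key signed by that CA, an expired
    # server cert/key (used in trial t5), and an EAP user file that admits
    # any identity ("*") but only via EAP-TLS.
    [ "create", { "type":"hostap" } ],
    [ "install_files", { "system" : "router",
                         "files" :
                         { site_eap_certs.server_ca_cert_1_install_path :
                           site_eap_certs.ca_cert_1,
                           site_eap_certs.server_cert_1_install_path :
                           site_eap_certs.server_cert_1,
                           site_eap_certs.server_key_1_install_path :
                           site_eap_certs.server_private_key_1,
                           site_eap_certs.server_expired_cert_install_path :
                           site_eap_certs.server_expired_cert,
                           site_eap_certs.server_expired_key_install_path :
                           site_eap_certs.server_expired_key,
                           "/tmp/hostapd_eap_user_file" :
                           "* TLS"} } ],
    # Load the client-side objects into the TPM. The connect steps below
    # reference them by TPM id (EAP.CertID / EAP.KeyID / EAP.CACertID)
    # rather than by file path. cert_2/key_2 is a second client identity
    # (used in t4, where the AP rejects it with "unknown CA"); ca_cert_2 is
    # a CA that did not issue the server cert (used in t2).
    [ "initialize_tpm", { } ],
    [ "install_tpm_object", { "data" : site_eap_certs.ca_cert_1,
                              "id" : site_eap_certs.ca_cert_1_tpm_key_id,
                              "object_type": "cert" } ],
    [ "install_tpm_object", { "data" : site_eap_certs.ca_cert_2,
                              "id" : site_eap_certs.ca_cert_2_tpm_key_id,
                              "object_type": "cert" } ],
    [ "install_tpm_object", { "data" : site_eap_certs.client_cert_1,
                              "id" : site_eap_certs.cert_1_tpm_key_id,
                              "object_type": "cert" } ],
    [ "install_tpm_object", { "data" : site_eap_certs.client_cert_2,
                              "id" : site_eap_certs.cert_2_tpm_key_id,
                              "object_type": "cert" } ],
    [ "install_tpm_object", { "data" : site_eap_certs.client_private_key_1,
                              "id" : site_eap_certs.key_1_tpm_key_id,
                              "object_type": "key" } ],
    [ "install_tpm_object", { "data" : site_eap_certs.client_private_key_2,
                              "id" : site_eap_certs.key_2_tpm_key_id,
                              "object_type": "key" } ],

    # Connect with correct settings, just to make sure everything is good.
    # hostapd runs its own EAP server (eap_server=1) with the CA, server
    # cert and key installed above; the client presents cert_1/key_1 and
    # validates the server against ca_cert_1. The "psk" field is
    # overloaded to carry the EAP parameters as a colon-separated list;
    # EAP.PIN is presumably the PIN protecting the TPM objects.
    [ "config", { "channel":"2412", "mode":"11g",
                  "wpa":"1", "wpa_key_mgmt":"WPA-EAP",
                  "wpa_pairwise":"CCMP", "ieee8021x":"1",
                  "eap_server" : "1",
                  "ca_cert" :
                  site_eap_certs.server_ca_cert_1_install_path,
                  "server_cert" :
                  site_eap_certs.server_cert_1_install_path,
                  "private_key" :
                  site_eap_certs.server_key_1_install_path,
                  "eap_user_file" : "/tmp/hostapd_eap_user_file"} ],
    [ "connect", {"security":"802_1x",
                  "psk" : "EAP.Identity:chromeos" +
                          ":EAP.CertID:" +
                          site_eap_certs.cert_1_tpm_key_id +
                          ":EAP.KeyID:" +
                          site_eap_certs.key_1_tpm_key_id +
                          ":EAP.CACertID:" +
                          site_eap_certs.ca_cert_1_tpm_key_id +
                          ":EAP.PIN:" + site_eap_certs.auth_pin } ],
    [ "client_ping", { "count":"10" } ],
    [ "disconnect" ],

    # Ensure authentication fails if we have no ca_cert. EAP.CACertID is
    # omitted and EAP.UseSystemCAs is not given, so the client has nothing
    # to verify the server certificate against and must refuse rather than
    # connect. A "!connect" step is one that is expected to fail; the
    # trailing string is the failure text expected in the log. Each trial
    # reconfigures the AP with its own ssid_suffix.
    [ "config", { "ssid_suffix":"t1" } ],
    [ "!connect", { "security":"802_1x",
                    "psk" : "EAP.Identity:chromeos" +
                            ":EAP.CertID:" +
                            site_eap_certs.cert_1_tpm_key_id +
                            ":EAP.KeyID:" +
                            site_eap_certs.key_1_tpm_key_id +
                            ":EAP.PIN:" +
                            site_eap_certs.auth_pin },
      "TLS: Certificate verification failed"],

    # Ensure authentication fails if server's cert doesn't match our CA cert.
    # The client is pointed at ca_cert_2, which did not issue the server
    # cert, so verification must fail.
    [ "config", { "ssid_suffix":"t2" } ],
    [ "!connect", { "security":"802_1x",
                    "psk" : "EAP.Identity:chromeos" +
                            ":EAP.CertID:" +
                            site_eap_certs.cert_1_tpm_key_id +
                            ":EAP.KeyID:" +
                            site_eap_certs.key_1_tpm_key_id +
                            ":EAP.CACertID:" +
                            site_eap_certs.ca_cert_2_tpm_key_id +
                            ":EAP.PIN:" + site_eap_certs.auth_pin },
      "TLS: Certificate verification failed"],

    # However, authentication should succeed when we don't care that the server
    # certs don't match our local CA cert. This is only when we're not aware
    # of any ca certificates at all: no EAP.CACertID and EAP.UseSystemCAs
    # given with an empty value. On this path the server certificate is not
    # verified, i.e. the client does not authenticate the AP; the test pins
    # that behaviour so a regression toward silently verifying (or silently
    # skipping verification elsewhere) is caught.
    [ "config", { "ssid_suffix":"t3" } ],
    [ "connect", { "security":"802_1x",
                   "psk" : "EAP.Identity:chromeos" +
                           ":EAP.CertID:" +
                           site_eap_certs.cert_1_tpm_key_id +
                           ":EAP.KeyID:" +
                           site_eap_certs.key_1_tpm_key_id +
                           ":EAP.PIN:" + site_eap_certs.auth_pin +
                           ":EAP.UseSystemCAs:"} ],
    [ "client_ping", { "count":"10" } ],
    [ "disconnect" ],


    # Try authenticating using the wrong client certificate. cert_2/key_2
    # is not issued by the CA the AP trusts (the ca_cert configured above),
    # so the AP's EAP server rejects it and the client sees the TLS alert.
    [ "config", { "ssid_suffix":"t4" } ],
    [ "!connect", { "security":"802_1x",
                    "psk" : "EAP.Identity:chromeos" +
                            ":EAP.CertID:" +
                            site_eap_certs.cert_2_tpm_key_id +
                            ":EAP.KeyID:" +
                            site_eap_certs.key_2_tpm_key_id +
                            ":EAP.CACertID:" +
                            site_eap_certs.ca_cert_1_tpm_key_id +
                            ":EAP.PIN:" + site_eap_certs.auth_pin },
      # The escaped parens suggest this is matched as a regex; raw strings
      # keep the backslashes literal without relying on unknown-escape
      # fallback.
      "SSL: SSL3 alert: read "
      r"\(remote end reported an error\):fatal:unknown CA" ],

    # Try authenticating using an expired server certificate. The AP is
    # reconfigured with the expired server cert/key; the client, still
    # validating against ca_cert_1, must reject it with verification
    # error 10.
    [ "config", { "ssid_suffix":"t5",
                  "server_cert" :
                  site_eap_certs.server_expired_cert_install_path,
                  "private_key" :
                  site_eap_certs.server_expired_key_install_path,
                } ],
    [ "!connect", { "security":"802_1x",
                    "psk" : "EAP.Identity:chromeos" +
                            ":EAP.CertID:" +
                            site_eap_certs.cert_1_tpm_key_id +
                            ":EAP.KeyID:" +
                            site_eap_certs.key_1_tpm_key_id +
                            ":EAP.CACertID:" +
                            site_eap_certs.ca_cert_1_tpm_key_id +
                            ":EAP.PIN:" + site_eap_certs.auth_pin },
      "TLS: Certificate verification failed, error 10 "
      r"\(certificate has expired\)"
    ],

    [ "destroy" ],
  ],
}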