# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Try 802.1x authentication. The supplicant must be restarted between
# trials because it is "sticky" with regards to various parameters
# related to certificate authentication. A thread is currently afoot
# in the hostap mailing list about this, but for the time being we will
# do supplicant restarts to test.
# Test description "Check1x_AES": brings up a hostap-based AP configured for
# WPA-EAP with the CCMP pairwise cipher and hostapd's built-in EAP server,
# then runs one baseline EAP-TLS connection followed by five variations
# (SSID suffixes t1-t5) that change the client's or the server's credentials.
# NOTE(review): the "+" concatenation and the site_eap_certs.* references mean
# this is an expression evaluated by the test harness, not strict JSON.
# NOTE(review): steps named "!connect" carry an extra trailing string;
# presumably the harness expects the connect to fail and looks for that text
# in the failure output -- confirm against the harness.
{ "name":"Check1x_AES",
"steps":[ # Channel [any]
[ "create", { "type":"hostap" } ],
# Router-side files. Keys look like destination paths and values like file
# contents (see the literal "* TLS" entry) -- TODO confirm.
# NOTE(review): this places server private keys on the router; presumably
# site_eap_certs holds lab-only fixtures -- confirm none of this key material
# is shared with a real PKI.
[ "install_files", { "system" : "router",
"files" :
{ site_eap_certs.server_ca_cert_1_install_path :
site_eap_certs.ca_cert_1,
site_eap_certs.server_cert_1_install_path :
site_eap_certs.server_cert_1,
site_eap_certs.server_key_1_install_path :
site_eap_certs.server_private_key_1,
site_eap_certs.server_expired_cert_install_path :
site_eap_certs.server_expired_cert,
site_eap_certs.server_expired_key_install_path :
site_eap_certs.server_expired_key,
# hostapd EAP user database: "* TLS" lets any identity attempt EAP-TLS, so
# the client certificate check is the only thing gating access here.
# NOTE(review): fixed, predictable path under /tmp; acceptable on a
# disposable test AP, not a pattern to copy to a shared host.
"/tmp/hostapd_eap_user_file" :
"* TLS"} } ],
# Baseline AP configuration: the server presents cert/key 1 and trusts CA 1
# for validating client certificates.
[ "config", { "channel":"2412", "mode":"11g",
"wpa":"1", "wpa_key_mgmt":"WPA-EAP",
"wpa_pairwise":"CCMP", "ieee8021x":"1",
"eap_server" : "1",
"ca_cert" :
site_eap_certs.server_ca_cert_1_install_path,
"server_cert" :
site_eap_certs.server_cert_1_install_path,
"private_key" :
site_eap_certs.server_key_1_install_path,
"eap_user_file" : "/tmp/hostapd_eap_user_file"} ],
# Client-side files: two CA certs and two client cert/key pairs, so later
# steps can pair matching and non-matching credentials.
[ "install_files", { "system" : "client",
"files" :
{ site_eap_certs.client_ca_cert_1_install_path :
site_eap_certs.ca_cert_1,
site_eap_certs.client_ca_cert_2_install_path :
site_eap_certs.ca_cert_2,
site_eap_certs.client_cert_1_install_path :
site_eap_certs.client_cert_1,
site_eap_certs.client_cert_2_install_path :
site_eap_certs.client_cert_2,
site_eap_certs.client_key_1_install_path :
site_eap_certs.client_private_key_1,
site_eap_certs.client_key_2_install_path :
site_eap_certs.client_private_key_2, } } ],
# Baseline: client cert/key 1 with CA cert 1 as the trust anchor for the
# server. The "psk" value packs the EAP parameters as colon-separated
# "EAP.<Name>:<value>" fields.
[ "connect", {"security":"802_1x",
"psk" : "EAP.Identity:chromeos"
":EAP.ClientCert:" +
site_eap_certs.client_cert_1_install_path +
":EAP.PrivateKey:" +
site_eap_certs.client_key_1_install_path +
":EAP.CACert:" +
site_eap_certs.client_ca_cert_1_install_path
} ],
[ "client_ping", { "count":"10" } ],
[ "disconnect" ],
# t1: Ensure authentication fails when the client is given no CA cert for
# the server -- EAP.CACert is omitted from the parameters below.
# NOTE(review): presumably the client then validates against its system CA
# store, which would not contain the test CA -- confirm.
[ "config", { "ssid_suffix":"t1" } ],
[ "!connect", { "security":"802_1x",
"psk" : "EAP.Identity:chromeos"
":EAP.ClientCert:" +
site_eap_certs.client_cert_1_install_path +
":EAP.PrivateKey:" +
site_eap_certs.client_key_1_install_path },
"TLS: Certificate verification failed"],
# t2: Ensure authentication fails if the server's cert doesn't match our CA
# cert: the client is pointed at CA cert 2 while the server still presents
# server cert 1.
[ "config", { "ssid_suffix":"t2" } ],
[ "!connect", { "security":"802_1x",
"psk" : "EAP.Identity:chromeos"
":EAP.ClientCert:" +
site_eap_certs.client_cert_1_install_path +
":EAP.PrivateKey:" +
site_eap_certs.client_key_1_install_path +
":EAP.CACert:" +
site_eap_certs.client_ca_cert_2_install_path},
"TLS: Certificate verification failed"],
# t3: However, authentication should succeed when we don't care that the
# server certs don't match our local CA cert. This is only the case when we
# are not aware of any CA certificates at all: no EAP.CACert is given and
# EAP.UseSystemCAs is passed with an empty value.
# NOTE(review): in this mode the server certificate is presumably accepted
# without validation, so the client cannot tell the intended authenticator
# from any other one. The step pins existing behaviour; it is not a
# recommended client configuration.
[ "config", { "ssid_suffix":"t3" } ],
[ "connect", { "security":"802_1x",
"psk" : "EAP.Identity:chromeos" +
":EAP.ClientCert:" +
site_eap_certs.client_cert_1_install_path +
":EAP.PrivateKey:" +
site_eap_certs.client_key_1_install_path +
":EAP.UseSystemCAs:"}, ],
[ "client_ping", { "count":"10" } ],
[ "disconnect" ],
# t4: Try authenticating using the wrong client certificate (cert/key 2
# against a server that trusts CA 1). The expected text is the fatal alert
# reported by the remote end, i.e. the rejection comes from the server side.
# NOTE(review): the parentheses are backslash-escaped, so the expected text
# is presumably matched as a regular expression; "\(" inside a non-raw string
# relies on the evaluator keeping unknown escapes verbatim.
[ "config", { "ssid_suffix":"t4" } ],
[ "!connect", { "security":"802_1x",
"psk" : "EAP.Identity:chromeos"
":EAP.ClientCert:" +
site_eap_certs.client_cert_2_install_path +
":EAP.PrivateKey:" +
site_eap_certs.client_key_2_install_path +
":EAP.CACert:" +
site_eap_certs.client_ca_cert_1_install_path},
"SSL: SSL3 alert: read "
"\(remote end reported an error\):fatal:unknown CA" ],
# t5: Try authenticating using an expired server certificate. Only the
# server's cert and key are swapped; the client keeps cert/key 1 and CA 1,
# so the expected failure is the client's expiry check.
[ "config", { "ssid_suffix":"t5",
"server_cert" :
site_eap_certs.server_expired_cert_install_path,
"private_key" :
site_eap_certs.server_expired_key_install_path,
} ],
[ "!connect", { "security":"802_1x",
"psk" : "EAP.Identity:chromeos"
":EAP.ClientCert:" +
site_eap_certs.client_cert_1_install_path +
":EAP.PrivateKey:" +
site_eap_certs.client_key_1_install_path +
":EAP.CACert:" +
site_eap_certs.client_ca_cert_1_install_path },
"TLS: Certificate verification failed, error 10 "
"\(certificate has expired\)"
],
# Tear down the AP created by the first step.
[ "destroy" ],
],
}