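# Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import json

from autotest_lib.client.common_lib.cros import site_eap_certs
from autotest_lib.client.common_lib.cros.network import xmlrpc_datatypes
from autotest_lib.client.common_lib.cros.network import xmlrpc_security_types
from autotest_lib.server.cros.network import hostap_config


# Fixture credentials shared by every case below. They are test-only values
# that the hostapd side is configured to accept; the negative cases deliberately
# deviate from them (wrong password, wrong CA, expired cert, wrong SAN).
_TEST_USER = 'testuser'
_TEST_PASSWORD = 'password'


def _make_8021x_case(eap_config, expect_failure=False):
    """Pair an EAP configuration with its AP and association parameters.

    Every case in this file uses the same 2.4 GHz 802.11g AP; only the
    EAP (security) configuration and the expected outcome differ, so the
    AP/association boilerplate lives here.

    @param eap_config xmlrpc_security_types.Tunneled1xConfig used by both the
            AP and the client.
    @param expect_failure True when the client is expected NOT to associate
            (e.g. it must reject the server's certificate).
    @return (ap_config, association_params) tuple for
            network_WiFi_SimpleConnect.
    """
    ap_config = hostap_config.HostapConfig(
            frequency=2412,
            mode=hostap_config.HostapConfig.MODE_11G,
            security_config=eap_config)
    assoc_params = xmlrpc_datatypes.AssociationParameters(
            security_config=eap_config, expect_failure=expect_failure)
    return ap_config, assoc_params


def __get_altsubject_match_positive_test_cases(outer_auth_type, inner_auth_type):
    """Build positive cases exercising the client's altsubject_match check.

    All cases use server_cert_3, whose subject alternative names are listed in
    site_eap_certs.server_cert_3_altsubject_match, and expect a successful
    connection.

    @param outer_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER1_TYPE*
    @param inner_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER2_TYPE*
    @return list of (ap_config, association_params) tuples for
            network_WiFi_SimpleConnect.
    """
    configurations = []

    # One case per subject alternative name of the server certificate: each
    # SAN on its own must be enough for the client to accept the certificate.
    # altsubject_match entries are JSON-encoded {"Type": ..., "Value": ...}
    # objects, hence the json.dumps of each fixture entry.
    for subject_alternative_name in (
            site_eap_certs.server_cert_3_altsubject_match):
        eap_config = xmlrpc_security_types.Tunneled1xConfig(
                site_eap_certs.ca_cert_3,
                site_eap_certs.server_cert_3,
                site_eap_certs.server_private_key_3,
                site_eap_certs.ca_cert_3,
                _TEST_USER,
                _TEST_PASSWORD,
                inner_protocol=inner_auth_type,
                outer_protocol=outer_auth_type,
                altsubject_match=[json.dumps(subject_alternative_name)])
        configurations.append(_make_8021x_case(eap_config))

    # Pass multiple DNS subject alternative names (SANs) as altsubject_match:
    # - one DNS SAN which does not match any DNS SAN of the server certificate,
    # - another one which matches one of the DNS SANs of the server certificate.
    # The connection should be established, i.e. multiple entries in
    # 'altsubject_match' are treated as OR, not AND.
    # For more information about how wpa_supplicant uses the altsubject_match
    # field please refer to:
    # https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
    eap_config = xmlrpc_security_types.Tunneled1xConfig(
            site_eap_certs.ca_cert_3,
            site_eap_certs.server_cert_3,
            site_eap_certs.server_private_key_3,
            site_eap_certs.ca_cert_3,
            _TEST_USER,
            _TEST_PASSWORD,
            inner_protocol=inner_auth_type,
            outer_protocol=outer_auth_type,
            altsubject_match=[
                    '{"Type":"DNS","Value":"wrong_dns.com"}',
                    '{"Type":"DNS","Value":"www.example.com"}'
            ])
    configurations.append(_make_8021x_case(eap_config))

    return configurations


def get_positive_8021x_test_cases(outer_auth_type, inner_auth_type):
    """Return test cases asserting that the given outer/inner auth works.

    The first case is a plain successful connection with ca_cert_1 /
    server_cert_1; the rest exercise altsubject_match (see
    __get_altsubject_match_positive_test_cases).

    @param outer_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER1_TYPE*
    @param inner_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER2_TYPE*
    @return list of (ap_config, association_params) tuples for
            network_WiFi_SimpleConnect.
    """
    eap_config = xmlrpc_security_types.Tunneled1xConfig(
            site_eap_certs.ca_cert_1,
            site_eap_certs.server_cert_1,
            site_eap_certs.server_private_key_1,
            site_eap_certs.ca_cert_1,
            _TEST_USER,
            _TEST_PASSWORD,
            inner_protocol=inner_auth_type,
            outer_protocol=outer_auth_type)
    configurations = [_make_8021x_case(eap_config)]
    configurations += __get_altsubject_match_positive_test_cases(
            outer_auth_type, inner_auth_type)
    return configurations


def get_negative_8021x_test_cases(outer_auth_type, inner_auth_type):
    """Build test cases in which TTLS/PEAP authentication must fail.

    Each case expects the association to fail, i.e. the client (or server)
    must refuse the connection:
    - wrong client password (the server rejects the client),
    - client configured with a CA that did not issue the server certificate,
    - server certificate that chains to a trusted CA but has expired,
    - altsubject_match entry that matches none of the server's SANs.

    @param outer_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER1_TYPE*
    @param inner_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER2_TYPE*
    @return list of (ap_config, association_params) tuples for
            network_WiFi_SimpleConnect.
    """
    configurations = []

    # Bad passwords won't work.
    eap_config = xmlrpc_security_types.Tunneled1xConfig(
            site_eap_certs.ca_cert_1,
            site_eap_certs.server_cert_1,
            site_eap_certs.server_private_key_1,
            site_eap_certs.ca_cert_1,
            _TEST_USER,
            _TEST_PASSWORD,
            inner_protocol=inner_auth_type,
            outer_protocol=outer_auth_type,
            client_password='wrongpassword')
    configurations.append(_make_8021x_case(eap_config, expect_failure=True))

    # With the wrong CA on the client (fourth positional argument), the client
    # must not trust the server's credentials.
    eap_config = xmlrpc_security_types.Tunneled1xConfig(
            site_eap_certs.ca_cert_1,
            site_eap_certs.server_cert_1,
            site_eap_certs.server_private_key_1,
            site_eap_certs.ca_cert_2,
            _TEST_USER,
            _TEST_PASSWORD,
            inner_protocol=inner_auth_type,
            outer_protocol=outer_auth_type)
    configurations.append(_make_8021x_case(eap_config, expect_failure=True))

    # And if the server's credentials chain correctly but have expired, the
    # client must still reject them.
    eap_config = xmlrpc_security_types.Tunneled1xConfig(
            site_eap_certs.ca_cert_1,
            site_eap_certs.server_expired_cert,
            site_eap_certs.server_expired_key,
            site_eap_certs.ca_cert_1,
            _TEST_USER,
            _TEST_PASSWORD,
            inner_protocol=inner_auth_type,
            outer_protocol=outer_auth_type)
    configurations.append(_make_8021x_case(eap_config, expect_failure=True))

    # A subject alternative name (SAN) which does not match any of the server
    # certificate SANs is used. The connection should not be established,
    # i.e. once altsubject_match is set, the server certificate is only
    # accepted if it contains at least one of the listed entries.
    eap_config = xmlrpc_security_types.Tunneled1xConfig(
            site_eap_certs.ca_cert_3,
            site_eap_certs.server_cert_3,
            site_eap_certs.server_private_key_3,
            site_eap_certs.ca_cert_3,
            _TEST_USER,
            _TEST_PASSWORD,
            inner_protocol=inner_auth_type,
            outer_protocol=outer_auth_type,
            altsubject_match=['{"Type":"DNS","Value":"wrong_dns.com"}'])
    configurations.append(_make_8021x_case(eap_config, expect_failure=True))

    return configurations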