[PATCH 20/24] run_ap_wpa2_eap_tls_intermediate_ca_ocsp: fix cert configuration

Sun Feb 2 11:01:34 PST 2025

On Thu, Apr 04, 2024 at 08:16:26PM +0200, Juliusz Sosinowicz wrote:
> When wolfSSL is on the server side, it won't send the entire chain. The client needs to have the server CA loaded to be able to verify the server and needs to load user_and_ica.pem so it sends a cert chain.
> 
> Use entire cert chain PEM since the test relies on chain being sent. wolfSSL only sends the certificate that was loaded and not the full chain.

This sounds fine, but it looks like the proposed changes do more than
than..

>  .../iCA-server/server-revoked_and_ica.pem     | 162 +++++++++---------
>  tests/hwsim/auth_serv/ica-generate.sh         |   2 +-

> diff --git a/tests/hwsim/auth_serv/ica-generate.sh b/tests/hwsim/auth_serv/ica-generate.sh
> -cat iCA-server/cacert.pem iCA-server/server-revoked.pem > iCA-server/server-revoked_and_ica.pem
> +cat iCA-server/server-revoked.pem iCA-server/cacert.pem > iCA-server/server-revoked_and_ica.pem

This part reordered certificates in server-revoked_and_ica.pem. I guess
that is because of wolfSSL using the exact order in which they are
included(?). It is a bit inconvenient when different TLS libraries have
different behavior in this area, but in any case, if this is needed, I
would prefer this to be done in a manner that does not change the PEM
file for other TLS libraries. In other words, instead of modifying this
file, a new file in the other order of certificates should be created
and wolfSSL-based builds could use that.

> diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
> @@ -4972,14 +4972,18 @@ def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md):
>      fn = ica_ocsp("server.pem", md)
>      params["ocsp_stapling_response"] = fn
>      try:
> -        hostapd.add_ap(apdev[0], params)
> +        hapd = hostapd.add_ap(apdev[0], params)
>          tls = dev[0].request("GET tls_library")
>          if "GnuTLS" in tls or "wolfSSL" in tls:
> -            ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
>              client_cert = "auth_serv/iCA-user/user_and_ica.pem"
>          else:
> -            ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
>              client_cert = "auth_serv/iCA-user/user.pem"
> +        hapd_tls = hapd.request("GET tls_library")
> +        if "GnuTLS" in hapd_tls or "wolfSSL" in hapd_tls:
> +            ca_cert = "auth_serv/iCA-server/ca-and-root.pem"
> +            client_cert = "auth_serv/iCA-user/user_and_ica.pem"
> +        else:
> +            ca_cert = "auth_serv/iCA-user/ca-and-root.pem"

This looks otherwise reasonable, but why is that client_cert replacement
done based on hapd_tls?

> @@ -5003,7 +5007,7 @@ def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params, md):
>      check_ocsp_support(dev[0])
>      params = int_eap_server_params()
>      params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
> -    params["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
> +    params["server_cert"] = "auth_serv/iCA-server/server-revoked_and_ica.pem"
>      params["private_key"] = "auth_serv/iCA-server/server-revoked.key"
>      fn = ica_ocsp("server-revoked.pem", md)
>      params["ocsp_stapling_response"] = fn

This should likely be done based on hostapd being build with wolfSSL.

-- 
Jouni Malinen                                            PGP id EFC895FA