/* * This test will initialize EST w/o a trust anchor, * enable SRP, and perform a simpleenroll. * This should succeed since SRP doesn't require a * trust anchor. */ static void us1060_test104 () { EST_CTX *ectx; EVP_PKEY *new_key; int rv; int pkcs7_len = 0; LOG_FUNC_NM; /* * We need to restart the EST server using an RSA key * None of the SRP cipher suites support ECDSA */ st_stop(); sleep(2); us1060_start_server(US1060_SERVER_CERTKEY, US1060_SERVER_CERTKEY, 0, 0, 1); /* * Create a client context */ ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT); /* * Enable SRP on the client */ rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD); /* * generate a new private key */ new_key = generate_private_key(); CU_ASSERT(new_key != NULL); /* * Attempt to provision a new cert */ rv = est_client_enroll(ectx, "US1060_TEST104", &pkcs7_len, new_key); CU_ASSERT(rv == EST_ERR_NONE); /* * Cleanup */ EVP_PKEY_free(new_key); est_destroy(ectx); }
/* * This routine intializes an EST context, which can later * be used to issue commands to an EST server. */ static EST_CTX * setup_est_context (void) { EST_CTX *ectx; EST_ERROR rv; /* * Initialize an EST context. We must provide the trust * anchor certs at this time. */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, NULL); if (!ectx) { printf("\nUnable to initialize EST context. Aborting!!!\n"); exit(1); } /* * Set the local authentication credentials. We're not using * a certificate to identify ourselves to the server. We're * simply hard-coding the userID and password, which will be * used for HTTP authentication. */ rv = est_client_set_auth(ectx, est_http_uid, est_http_pwd, NULL, NULL); if (rv != EST_ERR_NONE) { printf("\nUnable to configure client authentication. Aborting!!!\n"); printf("EST error code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv)); exit(1); } if (srp) { rv = est_client_enable_srp(ectx, SRP_MINIMAL_N, est_srp_uid, est_srp_pwd); if (rv != EST_ERR_NONE) { printf("\nUnable to enable SRP. Aborting!!!\n"); exit(1); } } if (token_auth_mode) { rv = est_client_set_auth_cred_cb(ectx, auth_credentials_token_cb); if (rv != EST_ERR_NONE) { printf("\nUnable to register token auth callback. Aborting!!!\n"); exit(1); } } /* * Specify the EST server address and TCP port# */ rv = est_client_set_server(ectx, est_server, est_port, NULL); if (rv != EST_ERR_NONE) { printf("\nUnable to configure server address. Aborting!!!\n"); printf("EST error code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv)); exit(1); } return (ectx); }
static void do_operation () { EST_CTX *ectx; unsigned char *pkcs7; int pkcs7_len = 0; int rv; char file_name[MAX_FILENAME_LEN]; unsigned char *new_client_cert; int retry_delay = 0; time_t retry_time = 0; char *operation; ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); if (!ectx) { printf("\nUnable to initialize EST context. Aborting!!!\n"); exit(1); } rv = est_client_set_read_timeout(ectx, read_timeout); if (rv != EST_ERR_NONE) { printf("\nUnable to configure read timeout from server. Aborting!!!\n"); printf("EST error code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv)); exit(1); } rv = est_client_set_auth(ectx, est_http_uid, est_http_pwd, client_cert, client_priv_key); if (rv != EST_ERR_NONE) { printf("\nUnable to configure client authentication. Aborting!!!\n"); printf("EST error code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv)); exit(1); } if (srp) { rv = est_client_enable_srp(ectx, 1024, est_srp_uid, est_srp_pwd); if (rv != EST_ERR_NONE) { printf("\nUnable to enable SRP. Aborting!!!\n"); exit(1); } } if (token_auth_mode) { rv = est_client_set_auth_cred_cb(ectx, auth_credentials_token_cb); if (rv != EST_ERR_NONE) { printf("\nUnable to register token auth callback. Aborting!!!\n"); exit(1); } } est_client_set_server(ectx, est_server, est_port); if (getcert) { operation = "Get CA Cert"; rv = est_client_get_cacerts(ectx, &pkcs7_len); if (rv == EST_ERR_NONE) { if (verbose) { printf("\nGet CA Cert success\n"); } /* * allocate a buffer to retrieve the CA certs * and get them copied in */ pkcs7 = malloc(pkcs7_len); rv = est_client_copy_cacerts(ectx, pkcs7); /* * Dump the retrieved cert to stdout */ if (verbose) { dumpbin(pkcs7, pkcs7_len); } /* * Generate the output file name, which contains the thread ID * and iteration number. */ snprintf(file_name, MAX_FILENAME_LEN, "%s/cacert.pkcs7", out_dir); write_binary_file(file_name, pkcs7, pkcs7_len); free(pkcs7); } } if (enroll && getcsr) { operation = "Regular enrollment with server-defined attributes"; rv = regular_enroll_attempt(ectx); if (rv == EST_ERR_CA_ENROLL_RETRY) { /* * go get the retry period */ rv = est_client_copy_retry_after(ectx, &retry_delay, &retry_time); if (verbose) { printf("\nretry after period copy rv = %d " "Retry-After delay seconds = %d " "Retry-After delay time = %s\n", rv, retry_delay, ctime(&retry_time) ); } if (rv == EST_ERR_NONE) { retry_enroll_delay(retry_delay, retry_time); } /* * now that we're back, try to enroll again */ rv = regular_enroll_attempt(ectx); } } else if (enroll && !getcsr) { operation = "Simple enrollment without server-defined attributes"; rv = simple_enroll_attempt(ectx); if (rv == EST_ERR_CA_ENROLL_RETRY) { /* * go get the retry period */ rv = est_client_copy_retry_after(ectx, &retry_delay, &retry_time); if (verbose) { printf("\nretry after period copy rv = %d " "Retry-After delay seconds = %d " "Retry-After delay time = %s\n", rv, retry_delay, ctime(&retry_time) ); } if (rv == EST_ERR_NONE) { retry_enroll_delay(retry_delay, retry_time); } /* * now that we're back, try to enroll again */ rv = simple_enroll_attempt(ectx); } } else if (!enroll && getcsr) { operation = "Get CSR attribues"; rv = regular_csr_attempt(ectx); } /* Split reenroll from enroll to allow both messages to be sent */ if (reenroll) { operation = "Re-enrollment"; rv = est_client_reenroll(ectx, client_cert, &pkcs7_len, client_priv_key); if (verbose) { printf("\nreenroll rv = %d (%s) with pkcs7 length = %d\n", rv, EST_ERR_NUM_TO_STR(rv), pkcs7_len); } if (rv == EST_ERR_NONE) { /* * client library has obtained the new client certificate. * now retrieve it from the library */ new_client_cert = malloc(pkcs7_len); if (new_client_cert == NULL) { if (verbose) { printf("\nmalloc of destination buffer for reenroll cert failed\n"); } } rv = est_client_copy_enrolled_cert(ectx, new_client_cert); if (verbose) { printf("\nreenroll copy rv = %d\n", rv); } if (rv == EST_ERR_NONE) { /* * Enrollment copy worked, dump the pkcs7 cert to stdout */ if (verbose) { dumpbin(new_client_cert, pkcs7_len); } } /* * Generate the output file name, which contains the thread ID * and iteration number. */ snprintf(file_name, MAX_FILENAME_LEN, "%s/newcert", out_dir); save_cert(file_name, new_client_cert, pkcs7_len); free(new_client_cert); } } if (rv != EST_ERR_NONE) { /* * something went wrong. */ printf("\n%s failed with code %d (%s)\n", operation, rv, EST_ERR_NUM_TO_STR(rv)); } est_destroy(ectx); ERR_clear_error(); ERR_remove_thread_state(NULL); }
/* * This test does a simple enroll with SRP using a * non-default value for the SRP strength. */ static void us1060_test106 () { EST_CTX *ectx; EVP_PKEY *new_key; int rv; int pkcs7_len = 0; LOG_FUNC_NM; /* * We need to restart the EST server using an RSA key * None of the SRP cipher suites support ECDSA */ st_stop(); sleep(2); rv = us1060_start_server(US1060_SERVER_CERTKEY, US1060_SERVER_CERTKEY, 0, 0, 1); /* * Create a client context */ ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT); /* * Enable SRP on the client * Use a strength below the minimum */ rv = est_client_enable_srp(ectx, 1023, US1060_UID, US1060_PWD); CU_ASSERT(rv == EST_ERR_SRP_STRENGTH_LOW); /* * Enable SRP on the client * Use a strength slightly larger then the N value in passwd.srpv */ rv = est_client_enable_srp(ectx, 1537, US1060_UID, US1060_PWD); CU_ASSERT(rv == EST_ERR_NONE); /* * generate a new private key */ new_key = generate_private_key(); CU_ASSERT(new_key != NULL); /* * Attempt to provision a new cert */ rv = est_client_enroll(ectx, "US1060_TEST106a", &pkcs7_len, new_key); CU_ASSERT(rv == EST_ERR_SSL_CONNECT); /* * Enable SRP on the client * Use a strength the same size as the N value in passwd.srpv */ rv = est_client_enable_srp(ectx, 1536, US1060_UID, US1060_PWD); CU_ASSERT(rv == EST_ERR_NONE); /* * Attempt to provision a new cert */ rv = est_client_enroll(ectx, "US1060_TEST106b", &pkcs7_len, new_key); CU_ASSERT(rv == EST_ERR_NONE); /* * Cleanup */ EVP_PKEY_free(new_key); est_destroy(ectx); }
/* * This test will enable a just the SRP-RSA-AES-128-CBC-SHA * cipher suite, which forces the server to send a certificate * to the client while SRP is used. Similar to #104, we'll * omit configuring the trust anchor on the client context. * This should cause the TLS session to fail since the * server cert can not be verified without a trust anchor. */ static void us1060_test105 () { EST_CTX *ectx; EVP_PKEY *new_key; int rv; int pkcs7_len = 0; struct est_dumb_ctx *ed; LOG_FUNC_NM; /* * We need to restart the EST server using an RSA key * None of the SRP cipher suites support ECDSA */ st_stop(); sleep(2); us1060_start_server(US1060_RSA_CERT, US1060_RSA_KEY, 0, 0, 1); /* * Create a client context */ ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT); /* * Enable SRP on the client */ rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD); /* * This is not an approved use of the EST API. We do this * here only to increase code coverage for testing * purposes only. If you are looking at this code as * an example of how to use the EST API, do not do this! */ ed = (struct est_dumb_ctx*)ectx; rv = SSL_CTX_set_cipher_list(ed->ssl_ctx, "SRP-RSA-AES-128-CBC-SHA"); CU_ASSERT(rv == 1); /* * generate a new private key */ new_key = generate_private_key(); CU_ASSERT(new_key != NULL); /* * Attempt to provision a new cert */ rv = est_client_enroll(ectx, "US1060_TEST105", &pkcs7_len, new_key); CU_ASSERT(rv == EST_ERR_SSL_CONNECT); /* * Cleanup */ EVP_PKEY_free(new_key); est_destroy(ectx); }
static void us1060_easy_provision (int use_srp, int use_ta, char *cipher_suite, int port, int expected_rv) { EST_CTX *ectx; EVP_PKEY *new_key; int rv; int pkcs7_len = 0; int ca_certs_len = 0; unsigned char *new_cert = NULL; struct est_dumb_ctx *ed; /* * Create a client context */ if (use_ta) { ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, NULL); } else { ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL); } CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US1060_SERVER_IP, port); if (use_srp) { rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD); } if (cipher_suite) { /* * This is not an approved use of the EST API. We do this * here only to increase code coverage for testing * purposes only. If you are looking at this code as * an example of how to use the EST API, do not do this! */ ed = (struct est_dumb_ctx*)ectx; rv = SSL_CTX_set_cipher_list(ed->ssl_ctx, cipher_suite); CU_ASSERT(rv == 1); } /* * generate a new private key */ new_key = generate_private_key(); CU_ASSERT(new_key != NULL); /* * Attempt to provision a new cert */ rv = est_client_provision_cert(ectx, "US1060_TEST1xx", &pkcs7_len, &ca_certs_len, new_key); CU_ASSERT(rv == expected_rv); if (rv != expected_rv) { printf("\nExpected rv was %d, rv returned was %d", expected_rv, rv); } EVP_PKEY_free(new_key); /* * Retrieve the cert that was given to us by the EST server */ if (rv == EST_ERR_NONE) { new_cert = malloc(pkcs7_len); CU_ASSERT(new_cert != NULL); rv = est_client_copy_enrolled_cert(ectx, new_cert); CU_ASSERT(rv == EST_ERR_NONE); if (new_cert) free(new_cert); } else { est_destroy(ectx); return; } /* * Retrieve a copy of the new CA certs */ if (rv == EST_ERR_NONE) { new_cert = malloc(ca_certs_len); CU_ASSERT(new_cert != NULL); rv = est_client_copy_cacerts(ectx, new_cert); CU_ASSERT(rv == EST_ERR_NONE); if (new_cert) free(new_cert); } else { est_destroy(ectx); return; } /* * Cleanup */ est_destroy(ectx); }