Beispiel #1
0
/*
 * Test1 - exercise the est_client_get_csrattrs() API.
 */
static void us896_test1(void) {
    int rc;
    unsigned char *csr_data;
    int csr_len;
    EST_CTX *ctx = NULL;

    LOG_FUNC_NM
    ;

    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc != EST_ERR_NONE);

    rc = est_client_get_csrattrs(ctx, NULL, &csr_len);
    CU_ASSERT(rc != EST_ERR_NONE);

    rc = est_client_get_csrattrs(ctx, &csr_data, NULL);
    CU_ASSERT(rc != EST_ERR_NONE);

}
Beispiel #2
0
/*
 * Test the re-enroll API to ensure it gracefully
 * handles a null X509 cert pointer.
 */
static void us898_test3 (void) 
{
    EST_CTX *ectx;
    EVP_PKEY *key;
    int pkcs7_len = 0;
    int rv;
    unsigned char *attr_data = NULL;
    int attr_len;

    LOG_FUNC_NM;

    /*
     * Create a client context 
     */
    ectx = est_client_init(cacerts, cacerts_len, 
                           EST_CERT_FORMAT_PEM,
                           client_manual_cert_verify);
    CU_ASSERT(ectx != NULL);

    /*
     * Set the authentication mode to use a user id/password
     */
    rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);

    /*
     * Generate a private key
     */
    key = generate_private_key();
    CU_ASSERT(key != NULL);

    /*
     * Get the latest CSR attributes
     */
    rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * re-enroll using a null x509 pointer.
     */
    rv = est_client_reenroll(ectx, NULL, &pkcs7_len, key);
    CU_ASSERT(rv == EST_ERR_NO_CERT);

    /*
     * Clean up
     */
    EVP_PKEY_free(key);
    est_destroy(ectx);
}
Beispiel #3
0
static int regular_csr_attempt (EST_CTX *ectx)
{
    int rv;
    unsigned char *attr_data = NULL;
    int attr_len;
    char file_name[MAX_FILENAME_LEN];

    /*
     * Just get the CSR attributes
     */
    rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
    if (rv != EST_ERR_NONE) {
        printf("\nWarning: CSR attributes were not available");
    } else {
        snprintf(file_name, MAX_FILENAME_LEN, "%s/csr.base64", out_dir);
        write_binary_file(file_name, attr_data, attr_len);
    }
    return (rv);
}
Beispiel #4
0
/*
 * Verify the server fails authentication when the
 * client sends an expired identy cert and uses 
 * valid HTTP auth credentials.
 */
static void us898_test11 (void) 
{
    int rv;
    EST_CTX *ectx;
    EVP_PKEY *key;
    unsigned char *key_raw;
    int key_len;
    unsigned char *cert_raw;
    int cert_len;
    int pkcs7_len = 0;
    X509 *cert = NULL;
    BIO *in;
    unsigned char *attr_data = NULL;
    int attr_len;

    LOG_FUNC_NM;

    /*
     * Create a client context 
     */
    ectx = est_client_init(cacerts, cacerts_len, 
                           EST_CERT_FORMAT_PEM,
                           client_manual_cert_verify);
    CU_ASSERT(ectx != NULL);

    /*
     * Read in the private key
     */
    key_len = read_binary_file(US898_TC11_KEY, &key_raw);
    CU_ASSERT(key_len > 0);
    key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
    CU_ASSERT(key != NULL);
    free(key_raw);

    /*
     * Read in the old cert
     */
    cert_len = read_binary_file(US898_TC11_CERT, &cert_raw);
    CU_ASSERT(cert_len > 0);
    in = BIO_new_mem_buf(cert_raw, cert_len);
    CU_ASSERT(in != NULL);
    if (!in) return;
    cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
    CU_ASSERT(cert != NULL);
    if (!cert) return; 
    BIO_free_all(in);
    free(cert_raw);


    /*
     * Set the authentication mode to use the expired certificate 
     * and valid HTTP auth credentials.
     */
    rv = est_client_set_auth(ectx, US898_UID, US898_PWD, cert, key);
    CU_ASSERT(rv == EST_ERR_NONE);
    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);

    /*
     * Get the latest CSR attributes
     */
    rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_SSL_CONNECT);

    /*
     * Re-Enroll the cert 
     */
    rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
    CU_ASSERT(rv == EST_ERR_SSL_CONNECT);

    est_destroy(ectx);
}
Beispiel #5
0
/*
 * Verify the server fails authentication when the
 * client sends a valid identity cert but doesn't 
 * provide HTTP auth credentials.
 */
static void us898_test10 (void) 
{
    char cmd[200];
    int rv;
    EST_CTX *ectx;
    EVP_PKEY *key;
    unsigned char *key_raw;
    int key_len;
    unsigned char *cert_raw;
    int cert_len;
    int pkcs7_len = 0;
    X509 *cert = NULL;
    BIO *in;
    unsigned char *attr_data = NULL;
    int attr_len;

    LOG_FUNC_NM;

    /*
     * Create a CSR
     */
    sprintf(cmd, "openssl req -new -nodes -out %s -newkey rsa:2048 -keyout %s -subj /CN=127.0.0.1 "
	    "-config CA/estExampleCA.cnf", 
	    US898_TC10_CSR, US898_TC10_KEY);  
    rv = system(cmd);
    CU_ASSERT(rv == 0);

    /*
     * Sign the CSR using our local CA
     */
    sprintf(cmd, "openssl ca -out %s -batch -config CA/estExampleCA.cnf -infiles %s", 
	    US898_TC10_CERT, US898_TC10_CSR);
    rv = system(cmd);
    CU_ASSERT(rv == 0);

    /*
     * Create a client context 
     */
    ectx = est_client_init(cacerts, cacerts_len, 
                           EST_CERT_FORMAT_PEM,
                           client_manual_cert_verify);
    CU_ASSERT(ectx != NULL);

    /*
     * Read in the private key
     */
    key_len = read_binary_file(US898_TC10_KEY, &key_raw);
    CU_ASSERT(key_len > 0);
    key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
    CU_ASSERT(key != NULL);
    free(key_raw);

    /*
     * Read in the old cert
     */
    cert_len = read_binary_file(US898_TC10_CERT, &cert_raw);
    CU_ASSERT(cert_len > 0);
    in = BIO_new_mem_buf(cert_raw, cert_len);
    CU_ASSERT(in != NULL);
    if (!in) return;
    cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
    CU_ASSERT(cert != NULL);
    if (!cert) return; 
    BIO_free_all(in);
    free(cert_raw);


    /*
     * Set the authentication mode to use the certificate 
     * No HTTP auth credentials are provided.
     */
    rv = est_client_set_auth(ectx, NULL, NULL, cert, key);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);

    /*
     * Get the latest CSR attributes
     */
    rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Enroll a cert, should fail because we 
     * didn't provide valid HTTP auth credentials
     */
    rv = est_client_enroll(ectx, "TC-US898-10", &pkcs7_len, key);
    CU_ASSERT(rv == EST_ERR_AUTH_FAIL);

    /*
     * Re-Enroll the cert, should work since
     * we provide a valid cert to identify ourselves
     * and HTTP auth isn't required for re-enroll even when
     * the server has enabled HTTP auth.
     */
    rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
    CU_ASSERT(rv == EST_ERR_NONE);

    est_destroy(ectx);
}
Beispiel #6
0
static int regular_enroll_attempt (EST_CTX *ectx)
{
    int pkcs7_len = 0;
    int rv;
    char file_name[MAX_FILENAME_LEN];
    unsigned char *new_client_cert;
    unsigned char *attr_data = NULL;
    unsigned char *der_ptr = NULL;
    int attr_len, der_len, nid;
    X509_REQ *csr;

    /*
     * We need to get the CSR attributes first, which allows libest
     * to know if the challengePassword needs to be included in the
     * CSR.
     */
    rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
    if (rv != EST_ERR_NONE) {
        printf("\nWarning: CSR attributes were not available");
        return (rv);
    }

    /* Generate a CSR */
    csr = X509_REQ_new();

    if (csr == NULL) {
        printf("\nFailed to get X509_REQ");
        return (EST_ERR_NO_CSR);
    }
    rv = populate_x509_csr(csr, priv_key, "EST-client");

    if (rv) {
        printf("\nFailed to populate X509_REQ");
        return (EST_ERR_X509_PUBKEY);
    }


    rv = est_decode_attributes_helper((char*)attr_data, attr_len, &der_ptr, &der_len);
    if (rv != EST_ERR_NONE) {
        printf("\nFailed to decode attributes");
        return (rv);
    }

    while (der_len) {
        rv = est_get_attributes_helper(&der_ptr, &der_len, &nid);

        if (rv == EST_ERR_NONE) {
            /*
             * This switch can be enhanced to include all NID values
             * of interest by the client/server.  In addition the last
             * parameter can be enhanced to provide the character string
             * type information that is included with the NID.
             *
             * Presently only character string types are supported, but at
             * some point OID or groups of strings/OIDs may need to be
             * supported.
             *
             * Note that challenge password should not be included here
             * as it is handled by libest client code.
             */
            switch (nid) {
            case NID_commonName:
                /* add the attribute to the request */
                rv = est_add_attributes_helper(csr, nid, "test\n", 0);
                break;
            case NID_pkcs9_emailAddress:
                /* add the attribute to the request */
                rv = est_add_attributes_helper(csr, nid, "[email protected]\0", 0);
                break;
            case NID_undef:
                printf("\nNID is undefined; skipping it\n");
                break;
            default:
                rv = est_add_attributes_helper(csr, nid, "", 0);
                break;
            }
            if (rv != EST_ERR_NONE) {
                printf("\n Error adding NID=%d", nid);
            }
        }
    }

    X509_REQ_print_fp(stderr, csr);

    rv = est_client_enroll_csr(ectx, csr, &pkcs7_len, priv_key);

    if (verbose) {
        printf("\nenrollment rv = %d (%s) with pkcs7 length = %d\n",
               rv, EST_ERR_NUM_TO_STR(rv), pkcs7_len);
    }
    if (rv == EST_ERR_NONE) {
        /*
         * client library has obtained the new client certificate.
         * now retrieve it from the library
         */
        new_client_cert = malloc(pkcs7_len);
        if (new_client_cert == NULL) {
            if (verbose) {
                printf("\nmalloc of destination buffer for enrollment cert failed\n");
            }
            return (EST_ERR_MALLOC);
        }

        rv = est_client_copy_enrolled_cert(ectx, new_client_cert);
        if (verbose) {
            printf("\nenrollment copy rv = %d\n", rv);
        }
        if (rv == EST_ERR_NONE) {
            /*
             * Enrollment copy worked, dump the pkcs7 cert to stdout
             */
            if (verbose) {
                dumpbin(new_client_cert, pkcs7_len);
            }
        }

        snprintf(file_name, MAX_FILENAME_LEN, "%s/newcert", out_dir);
        save_cert(file_name, new_client_cert, pkcs7_len);
        free(new_client_cert);
    }

    return (rv);
}
Beispiel #7
0
/*
 * Test the re-enroll API to ensure it gracefully
 * handles a null EVP_PKEY pointer.
 */
static void us898_test4 (void) 
{
    EST_CTX *ectx;
    int pkcs7_len = 0;
    int rv;
    X509 *cert = NULL;
    unsigned char *cert_raw;
    int cert_len;
    BIO *in;
    unsigned char *attr_data = NULL;
    int attr_len;

    LOG_FUNC_NM;

    /*
     * Create a client context 
     */
    ectx = est_client_init(cacerts, cacerts_len, 
                           EST_CERT_FORMAT_PEM,
                           client_manual_cert_verify);
    CU_ASSERT(ectx != NULL);

    /*
     * Set the authentication mode to use a user id/password
     */
    rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);

    /*
     * Read in an old cert that we can use for re-enroll
     */
    cert_len = read_binary_file("US898/cert-expired.pem", &cert_raw);
    CU_ASSERT(cert_len > 0);
    in = BIO_new_mem_buf(cert_raw, cert_len);
    CU_ASSERT(in != NULL);
    if (!in) return;
    cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
    CU_ASSERT(cert != NULL);
    if (!cert) return; 
    BIO_free_all(in);
    free(cert_raw);

    /*
     * Get the latest CSR attributes
     */
    rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * re-enroll using a null EVP_KEY pointer.
     */
    rv = est_client_reenroll(ectx, cert, &pkcs7_len, NULL);
    CU_ASSERT(rv == EST_ERR_NO_KEY);

    /*
     * Clean up
     */
    X509_free(cert);
    est_destroy(ectx);
}
Beispiel #8
0
/*
 * This test case uses an existing expired cert and
 * attempts to re-enroll it.  The expired certs contains
 * several X509 extensions. We verify the new issued
 * cert preserves these extensions using grep.  Note, 
 * preserving these extensions requires the OpenSSL CA
 * to enable the "copy_extensions" knob in the OpenSSL
 * config file.  This is why this test suite uses a
 * unique copy of estExampleCA.cnf.
 */
static void us898_test2 (void) 
{
    EST_CTX *ectx;
    EVP_PKEY *key;
    unsigned char *key_raw;
    int key_len;
    unsigned char *cert_raw;
    int cert_len;
    int rv;
    int pkcs7_len = 0;
    unsigned char *new_cert = NULL;
    X509 *cert = NULL;
    BIO *in;
    char cmd[200];
    unsigned char *attr_data = NULL;
    int attr_len;

    LOG_FUNC_NM;

    /*
     * Create a client context 
     */
    ectx = est_client_init(cacerts, cacerts_len, 
                           EST_CERT_FORMAT_PEM,
                           client_manual_cert_verify);
    CU_ASSERT(ectx != NULL);

    /*
     * Set the authentication mode to use a user id/password
     */
    rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);

    /*
     * Read in the private key
     */
    key_len = read_binary_file("US898/key-expired.pem", &key_raw);
    CU_ASSERT(key_len > 0);
    key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
    CU_ASSERT(key != NULL);
    free(key_raw);

    /*
     * Read in the old cert
     */
    cert_len = read_binary_file("US898/cert-expired.pem", &cert_raw);
    CU_ASSERT(cert_len > 0);
    in = BIO_new_mem_buf(cert_raw, cert_len);
    CU_ASSERT(in != NULL);
    if (!in) return;
    cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
    CU_ASSERT(cert != NULL);
    if (!cert) return; 
    BIO_free_all(in);
    free(cert_raw);

    /*
     * Get the latest CSR attributes
     */
    rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Enroll an expired cert that contains x509 extensions.
     */
    rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Retrieve the cert that was given to us by the EST server
     */
    if (rv == EST_ERR_NONE) {
	new_cert = malloc(pkcs7_len);
	CU_ASSERT(new_cert != NULL);
	rv = est_client_copy_enrolled_cert(ectx, new_cert);
	CU_ASSERT(rv == EST_ERR_NONE);
    }

    /*
     * Save the cert to a local file
     */
    rv = write_binary_file(US898_TC2_CERT_B64, new_cert, pkcs7_len);
    CU_ASSERT(rv == 1);

    /*
     * Base 64 decode the cert response
     */
    sprintf(cmd, "openssl base64 -d -in %s -out %s", US898_TC2_CERT_B64, US898_TC2_CERT_PK7);
    rv = system(cmd);
    CU_ASSERT(rv == 0);

    /*
     * Convert the pkcs7 cert to a PEM cert
     */
    sprintf(cmd, "openssl pkcs7 -in %s -inform DER -print_certs -out %s", US898_TC2_CERT_PK7, US898_TC2_CERT_PEM);
    rv = system(cmd);
    CU_ASSERT(rv == 0);

    /*
     * Convert PEM cert to a textual representation of the cert
     */
    sprintf(cmd, "openssl x509 -text -in %s > %s", US898_TC2_CERT_PEM, US898_TC2_CERT_TXT);
    rv = system(cmd);
    CU_ASSERT(rv == 0);

    /*
     * Verify the jimbob DNS extension was preserved
     */
    sprintf(cmd, "grep jimbob %s", US898_TC2_CERT_TXT);
    rv = system(cmd);
    CU_ASSERT(rv == 0);

    /*
     * Verify the bobcat DNS extension was preserved
     */
    sprintf(cmd, "grep bobcat %s", US898_TC2_CERT_TXT);
    rv = system(cmd);
    CU_ASSERT(rv == 0);

    /*
     * Verify the IP address extension was preserved
     */
    sprintf(cmd, "grep 172 %s", US898_TC2_CERT_TXT);
    rv = system(cmd);
    CU_ASSERT(rv == 0);

    /*
     * Verify the Repudiation key usage extension was preserved
     */
    sprintf(cmd, "grep Repudiation %s", US898_TC2_CERT_TXT);
    rv = system(cmd);
    CU_ASSERT(rv == 0);

    /*
     * Verify the public key was preserved
     */
    sprintf(cmd, "grep '00:e3:ca:38:65:fb:9c:46:a6:22:b1:be:17:bc:50' %s", US898_TC2_CERT_TXT);
    rv = system(cmd);
    CU_ASSERT(rv == 0);

    /*
     * Clean up
     */
    if (new_cert) free(new_cert);
    est_destroy(ectx);
}
Beispiel #9
0
/*
 * Simple enroll - PoP check succeeds with estclient 
 *
 * This test case verifies the proxy is
 * verifying the PoP from the client CSR.  We use
 * estclient since it supports the PoP. 
 */
static void us748_test7 (void) 
{
    long rv;
    EST_CTX *c_ctx;
    EVP_PKEY *new_pkey;
    unsigned char *pkcs7;
    int pkcs7_len;
    unsigned char *attr_data;
    int attr_len;

    LOG_FUNC_NM;

    /*
     * This test case requires PoP to be enabled
     */
    st_enable_pop();

    /*
     * Create a client context
     */
    c_ctx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM,
                            client_manual_cert_verify);
    CU_ASSERT(c_ctx != NULL);
    if (!c_ctx) {
	return;
    }
        
    /*
     * Specify user ID and password since the server is running
     * in Basic Authentication mode.
     */
    rv = est_client_set_auth(c_ctx, "estuser", "estpwd", NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);
    est_client_set_server(c_ctx, "127.0.0.1", US748_TCP_PROXY_PORT);

    /*
     * get a keypair to be used in the enroll.
     */
    new_pkey = generate_private_key();

    rv = est_client_get_csrattrs(c_ctx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Attempt to enroll a CSR
     */
    rv = est_client_enroll(c_ctx, "US748-test7 CN", &pkcs7_len, new_pkey);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Client library has obtained the new client certificate.
     * Now retrieve it from the library.
     */
    pkcs7 = malloc(pkcs7_len);
    if (!pkcs7) {
        return;
    }
    rv = est_client_copy_enrolled_cert (c_ctx, pkcs7);
    CU_ASSERT(rv == EST_ERR_NONE);
    
    /*
     * Clean up
     */
    est_destroy(c_ctx);
    EVP_PKEY_free(new_pkey);
    free(pkcs7);

    /*
     * Disable PoP for future test cases
     */
    st_disable_pop();
}
Beispiel #10
0
/*
 * This test attempts to re-enroll a corrupted cert
 * The public key in the cert is has been corrupted.
 */
static void us898_test5 (void) 
{
    EST_CTX *ectx;
    EVP_PKEY *key;
    unsigned char *key_raw;
    int key_len;
    unsigned char *cert_raw;
    int cert_len;
    int rv;
    int pkcs7_len = 0;
    X509 *cert = NULL;
    BIO *in;
    unsigned char *attr_data = NULL;
    int attr_len;

    LOG_FUNC_NM;

    /*
     * Create a client context 
     */
    ectx = est_client_init(cacerts, cacerts_len, 
                           EST_CERT_FORMAT_PEM,
                           client_manual_cert_verify);
    CU_ASSERT(ectx != NULL);

    /*
     * Set the authentication mode to use a user id/password
     */
    rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);

    /*
     * Read in the private key
     */
    key_len = read_binary_file("US898/key-corrupt.pem", &key_raw);
    CU_ASSERT(key_len > 0);
    key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
    CU_ASSERT(key != NULL);
    free(key_raw);

    /*
     * Read in the old cert
     */
    cert_len = read_binary_file("US898/cert-corrupt.pem", &cert_raw);
    CU_ASSERT(cert_len > 0);
    in = BIO_new_mem_buf(cert_raw, cert_len);
    CU_ASSERT(in != NULL);
    if (!in) return;
    cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
    CU_ASSERT(cert != NULL);
    if (!cert) return; 
    BIO_free_all(in);
    free(cert_raw);

    /*
     * Get the latest CSR attributes
     */
    rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Enroll a cert with wrong signature that contains x509 extensions.
     */
    rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
    CU_ASSERT(rv == EST_ERR_CLIENT_INVALID_KEY);

    /*
     * Clean up
     */
    est_destroy(ectx);
}
Beispiel #11
0
/*
 * This test case uses an existing expired cert and
 * attempts to re-enroll it.  PoP is disabled on
 * the EST server.  
 */
static void us893_test8 (void) 
{
    EST_CTX *ectx;
    EVP_PKEY *key;
    unsigned char *key_raw;
    int key_len;
    unsigned char *cert_raw;
    int cert_len;
    X509 *cert = NULL;
    int rv;
    int pkcs7_len = 0;
    BIO *in;
    unsigned char *attr_data = NULL;
    int attr_len;

    LOG_FUNC_NM;

    /*
     * Make sure PoP is disabled on the server
     */
    st_disable_pop();

    /*
     * Create a client context 
     */
    ectx = est_client_init(cacerts, cacerts_len, 
                           EST_CERT_FORMAT_PEM,
                           NULL);
    CU_ASSERT(ectx != NULL);

    /*
     * Set the authentication mode to use a user id/password
     */
    rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT);

    /*
     * Read in the private key
     */
    key_len = read_binary_file("US893/key-expired.pem", &key_raw);
    CU_ASSERT(key_len > 0);
    key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
    CU_ASSERT(key != NULL);
    free(key_raw);

    /*
     * Read in the old cert
     */
    cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw);
    CU_ASSERT(cert_len > 0);
    in = BIO_new_mem_buf(cert_raw, cert_len);
    CU_ASSERT(in != NULL);
    if (!in) return;
    cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
    CU_ASSERT(cert != NULL);
    if (!cert) return; 
    BIO_free_all(in);
    free(cert_raw);

    /*
     * Get the latest CSR attributes
     */
    rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Enroll an expired cert that contains x509 extensions.
     */
    rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
    CU_ASSERT(rv == EST_ERR_NONE);

    est_destroy(ectx);

    /*
     * Re-enable PoP on the server for the forthcoming test cases.
     */
    st_enable_pop();
}
Beispiel #12
0
static void us893_test7 (void) 
{
    int rv;
    EST_CTX *ectx;
    EVP_PKEY *key;
    unsigned char *key_raw;
    int key_len;
    unsigned char *cert_raw;
    int cert_len;
    int pkcs7_len = 0;
    X509 *cert = NULL;
    BIO *in;
    unsigned char *attr_data = NULL;
    int attr_len;

    LOG_FUNC_NM;

    /*
     * Make sure PoP is disabled on the server
     */
    st_disable_pop();

    /*
     * Stop the proxy server so we can restart
     * it using a different identity cert.
     */
    st_proxy_stop();

    /*
     * Restart the proxy server using the other cert
     */
    rv = st_proxy_start(US893_TCP_PROXY_PORT, 
	          US893_SERVER_CERTKEY,
	          US893_SERVER_CERTKEY,
	          "US893 test realm",
	          "CA/estCA/cacert.crt",
	          "CA/trustedcerts.crt",
		  "estuser",
		  "estpwd",
		  "127.0.0.1",
		  US893_TCP_SERVER_PORT,
		  0,
		  0);
    CU_ASSERT(rv == 0);

    /*
     * Create a client context 
     */
    ectx = est_client_init(cacerts, cacerts_len, 
                           EST_CERT_FORMAT_PEM,
                           NULL);
    CU_ASSERT(ectx != NULL);

    /*
     * Set the authentication mode to use a user id/password
     */
    rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT);

    /*
     * Read in the private key
     */
    key_len = read_binary_file("US893/key-expired.pem", &key_raw);
    CU_ASSERT(key_len > 0);
    key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
    CU_ASSERT(key != NULL);
    free(key_raw);

    /*
     * Read in the old cert
     */
    cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw);
    CU_ASSERT(cert_len > 0);
    in = BIO_new_mem_buf(cert_raw, cert_len);
    CU_ASSERT(in != NULL);
    if (!in) return;
    cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
    CU_ASSERT(cert != NULL);
    if (!cert) return; 
    BIO_free_all(in);
    free(cert_raw);

    /*
     * Get the latest CSR attributes
     */
    rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_NONE);

    ectx->csr_pop_required = 1;  //This is a hack for testing only, do not attempt this 
                                 //We need to force the challengePassword into the CSR
    rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
    CU_ASSERT(rv == EST_ERR_HTTP_BAD_REQ);

    /*
     * Stop the proxy server
     */
    st_proxy_stop();

    /*
     * Restart the proxy server using the other cert
     */
    rv = st_proxy_start(US893_TCP_PROXY_PORT, 
	          US893_PROXY_CERT,
	          US893_PROXY_KEY,
	          "US893 test realm",
	          "CA/estCA/cacert.crt",
	          "CA/trustedcerts.crt",
		  "estuser",
		  "estpwd",
		  "127.0.0.1",
		  US893_TCP_SERVER_PORT,
		  0,
		  0);
    CU_ASSERT(rv == 0);

    /*
     * Re-enable PoP on the server for the forthcoming test cases.
     */
    st_enable_pop();

    est_destroy(ectx);
}
Beispiel #13
0
/*
 * This test attempts to re-enroll an expired cert
 * while the EST server is configured for manual
 * approval.  The server will send back a retry-after
 * response.  This verifies the proxy propagates the
 * retry-after response to the client.
 */
static void us893_test4 (void) 
{
    EST_CTX *ectx;
    EVP_PKEY *key;
    unsigned char *key_raw;
    int key_len;
    unsigned char *cert_raw;
    int cert_len;
    int rv;
    int pkcs7_len = 0;
    X509 *cert = NULL;
    BIO *in;
    int retry_val = 0;
    time_t time_val;
    unsigned char *attr_data = NULL;
    int attr_len;

    LOG_FUNC_NM;

    /*
     * Stop the server.
     */
    st_stop();
    st_proxy_stop();

    /*
     * Restart the server with manual approval enabled
     */
    rv = us893_start_server(1, 0);
    CU_ASSERT(rv == 0);

    /*
     * Create a client context 
     */
    ectx = est_client_init(cacerts, cacerts_len, 
                           EST_CERT_FORMAT_PEM,
                           NULL);
    CU_ASSERT(ectx != NULL);

    /*
     * Set the authentication mode to use a user id/password
     */
    rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT);

    /*
     * Read in the private key
     */
    key_len = read_binary_file("US893/key-expired.pem", &key_raw);
    CU_ASSERT(key_len > 0);
    key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
    CU_ASSERT(key != NULL);
    free(key_raw);

    /*
     * Read in the old cert
     */
    cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw);
    CU_ASSERT(cert_len > 0);
    in = BIO_new_mem_buf(cert_raw, cert_len);
    CU_ASSERT(in != NULL);
    if (!in) return;
    cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
    CU_ASSERT(cert != NULL);
    if (!cert) return; 
    BIO_free_all(in);
    free(cert_raw);

    /*
     * Get the latest CSR attributes
     */
    rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Enroll an expired cert that contains x509 extensions.
     */
    rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
    CU_ASSERT(rv == EST_ERR_CA_ENROLL_RETRY);

    /*
     * The server should be configured with a retry-after
     * value of 3600 seconds, which is the default.
     */
    rv = est_client_copy_retry_after(ectx, &retry_val, &time_val);
    CU_ASSERT(rv == EST_ERR_NONE);
    CU_ASSERT(retry_val == 3600);

    /*
     * Clean up
     */
    est_destroy(ectx);

    /*
     * Stop the server.
     */
    st_stop();
    st_proxy_stop();

    /*
     * Restart the server with manual approval disabled
     */
    rv = us893_start_server(0, 0);
    CU_ASSERT(rv == 0);
}
Beispiel #14
0
/*
 * Test2 - exercise the response  variations triggered
 *         by est_client_get_csrattrs()
 */
static void us896_test2(void) {
    EST_CTX *ctx;
    unsigned char *pkey = NULL;
    unsigned char *cacerts = NULL;
    int cacerts_len = 0;
    EST_ERROR rc = EST_ERR_NONE;
    unsigned char *retrieved_cacerts = NULL;
    int retrieved_cacerts_len = 0;
    EVP_PKEY *priv_key;

    SLEEP(1);

    LOG_FUNC_NM
    ;

    /*
     * Read in the CA certificates
     */
    cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts);
    CU_ASSERT(cacerts_len > 0);

    /*
     * Read in the private key file
     */
    priv_key = read_private_key(CLIENT_UT_PUBKEY);
    if (priv_key == NULL) {
        printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY);
        return;
    }

    ctx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM,
            client_manual_cert_verify);
    CU_ASSERT(ctx != NULL);

    rc = est_client_set_auth(ctx, "", "", NULL, priv_key);
    CU_ASSERT(rc == EST_ERR_NONE);

    est_client_set_server(ctx, US896_SERVER_IP, US896_SERVER_PORT, NULL);

    /*
     * issue the get ca certs request
     */
    rc = est_client_get_cacerts(ctx, &retrieved_cacerts_len);
    /*
     * should be successful, and should have obtained a valid buffer
     * containing the CA certs
     */
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(retrieved_cacerts_len > 0);

    retrieved_cacerts = malloc(retrieved_cacerts_len);

    rc = est_client_copy_cacerts(ctx, retrieved_cacerts);

    /*
     * output the retrieved ca certs and compare to what they should be
     */
    if (retrieved_cacerts) {

        printf("\nRetrieved CA Certs buffer:\n %s\n", retrieved_cacerts);
        printf("Retrieved CA certs buffer length: %d\n", retrieved_cacerts_len);
    }
    free(retrieved_cacerts);

    /* 
     * All of these are negative tests and require that code in the
     * EST server is modified such that it will allow bad/corrupted
     * attributes to be initialized so they can be sent to the client.
     */
#ifdef NEGATIVE_UNIT_TEST
    unsigned char *csr_data;
    int csr_len;

    /* clear callback */
    if (est_set_csr_cb(ectx, NULL)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }

    rc = est_server_init_csrattrs(ectx, TEST_CORRUPT_ATTR1, strlen(TEST_CORRUPT_ATTR1));
    CU_ASSERT(rc == EST_ERR_NONE);

    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc != EST_ERR_NONE);
    CU_ASSERT(csr_len == 0);
    CU_ASSERT(csr_data == NULL);

    rc = est_server_init_csrattrs(ectx, TEST_CORRUPT_ATTR2, strlen(TEST_CORRUPT_ATTR2));
    CU_ASSERT(rc == EST_ERR_NONE);

    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc != EST_ERR_NONE);
    CU_ASSERT(csr_len == 0);
    CU_ASSERT(csr_data == NULL);

    rc = est_server_init_csrattrs(ectx, TEST_SHORT_ATTR, strlen(TEST_SHORT_ATTR));
    CU_ASSERT(rc == EST_ERR_NONE);

    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc != EST_ERR_NONE);
    CU_ASSERT(csr_len == 0);
    CU_ASSERT(csr_data == NULL);

    rc = est_server_init_csrattrs(ectx, TEST_LONG_ATTR, strlen(TEST_LONG_ATTR));
    CU_ASSERT(rc == EST_ERR_NONE);

    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc != EST_ERR_NONE);
    CU_ASSERT(csr_len == 0);
    CU_ASSERT(csr_data == NULL);

#endif

    if (ctx) {
        est_destroy(ctx);
    }
    if (cacerts) {
        free(cacerts);
    }
    if (pkey) {
        free(pkey);
    }
}
Beispiel #15
0
/*
 * Verify the client fails authentication when the
 * client sends an identy cert which doesn't match 
 * the trust anchor. 
 */
static void us898_test12 (void) 
{
    EST_CTX *ectx;
    EVP_PKEY *key;
    unsigned char *key_raw;
    int key_len;
    unsigned char *cert_raw;
    int cert_len;
    int rv;
    int pkcs7_len = 0;
    X509 *cert = NULL;
    BIO *in;
    unsigned char *attr_data = NULL;
    int attr_len;

    LOG_FUNC_NM;

    /*
     * Create a client context 
     */
    ectx = est_client_init(cacerts, cacerts_len, 
                           EST_CERT_FORMAT_PEM,
                           client_manual_cert_verify);
    CU_ASSERT(ectx != NULL);

    
    /*
     * Read in the private key
     */
    key_len = read_binary_file(US898_TC12_KEY, &key_raw);
    CU_ASSERT(key_len > 0);
    key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
    CU_ASSERT(key != NULL);
    free(key_raw);

    /*
     * Read in the old cert
     */
    cert_len = read_binary_file(US898_TC12_CERT, &cert_raw);
    CU_ASSERT(cert_len > 0);
    in = BIO_new_mem_buf(cert_raw, cert_len);
    CU_ASSERT(in != NULL);
    if (!in) return;
    cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
    CU_ASSERT(cert != NULL);
    if (!cert) return; 
    BIO_free_all(in);
    free(cert_raw);


    /*
     * Set the authentication mode to use cert for re-enroll.
     * This should return an error since the certificate doesn't
     * match the trust anchor. 
     */
    rv = est_client_set_auth(ectx, NULL, NULL, cert, key);
    CU_ASSERT(rv == EST_ERR_CERT_VERIFICATION);

    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);

    
    /*
     * Get the latest CSR attributes
     */
    rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Enroll a bad cert. The client should reject this cert. 
     */
    rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
    CU_ASSERT(rv == EST_ERR_CERT_VERIFICATION);
}
Beispiel #16
0
/*
 * This function performs a basic simple enroll using
 * a UID/PWD to identify the client to the server.  This
 * is used for a variet of test cases in this module.
 */
static void us898_test1 (void) 
{
    EST_CTX *ectx;
    EVP_PKEY *key;
    int rv;
    int pkcs7_len = 0;
    unsigned char *new_cert = NULL;
    PKCS7 *p7 = NULL;
    BIO *b64, *out;
    X509 *cert = NULL;
    STACK_OF(X509) *certs = NULL;
    int i;
    unsigned char *attr_data = NULL;
    int attr_len;

    LOG_FUNC_NM;

    /*
     * Create a client context 
     */
    ectx = est_client_init(cacerts, cacerts_len, 
                           EST_CERT_FORMAT_PEM,
                           client_manual_cert_verify);
    CU_ASSERT(ectx != NULL);

    /*
     * Set the authentication mode to use a user id/password
     */
    rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);

    /*
     * generate a private key
     */
    key = generate_private_key();
    CU_ASSERT(key != NULL);

    /*
     * Get the latest CSR attributes
     */
    rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Use the simplified API to enroll a CSR
     */
    rv = est_client_enroll(ectx, "TC-US898-1", &pkcs7_len, key);
    CU_ASSERT(rv == EST_ERR_NONE);
    if (rv != EST_ERR_NONE) return;

    /*
     * Retrieve the cert that was given to us by the EST server
     */
    if (rv == EST_ERR_NONE) {
	new_cert = malloc(pkcs7_len);
	CU_ASSERT(new_cert != NULL);
	rv = est_client_copy_enrolled_cert(ectx, new_cert);
	CU_ASSERT(rv == EST_ERR_NONE);
    }

    /*
     * Convert the cert to an X509.  Be warned this is
     * pure hackery.  
     */
    b64 = BIO_new(BIO_f_base64());
    out = BIO_new_mem_buf(new_cert, pkcs7_len);
    out = BIO_push(b64, out);
    p7 = d2i_PKCS7_bio(out,NULL);
    CU_ASSERT(p7 != NULL);
    BIO_free_all(out);
    i=OBJ_obj2nid(p7->type);
    switch (i) {
    case NID_pkcs7_signed:
	certs = p7->d.sign->cert;
	break;
    case NID_pkcs7_signedAndEnveloped:
	certs = p7->d.signed_and_enveloped->cert;
	break;
    default:
	break;
    }
    CU_ASSERT(certs != NULL);
    if (!certs) return;
    /* our new cert should be the one and only
     * cert in the pkcs7 blob.  We shouldn't have to
     * iterate through the full list to find it. */
    cert = sk_X509_value(certs, 0);
    CU_ASSERT(cert != NULL);


    /* 
     * Wow, that's a lot of work, but we finally have the X509.
     * (don't you just love OpenSSL!!!)
     * Now that we have an X509 representation of the cert,
     * let's try to re-enroll this cert with the CA
     */
    rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Cleanup
     */
    if (cert) X509_free(cert);
    EVP_PKEY_free(key);
    if (new_cert) free(new_cert);
    est_destroy(ectx);
}
Beispiel #17
0
static void us748_test9 (void) 
{
    EST_CTX *ctx;
    int rv;
    unsigned char *cacerts;
    int caclen = 0;
    EVP_PKEY *new_pkey;
    unsigned char *pkcs7;
    int pkcs7_len = 0;
    unsigned char *attr_data;
    int attr_len;

    LOG_FUNC_NM;

    /*
     * Make sure our EST server has PoP disabled
     */
    st_disable_pop();

    /*
     * Read in the CA certs
     */
    caclen = read_binary_file(US748_CACERTS, &cacerts);
    CU_ASSERT(cacerts_len > 0); 

    /*
     * Init the client context
     */
    ctx = est_client_init(cacerts, caclen, EST_CERT_FORMAT_PEM,
                          client_manual_cert_verify);

    /*
     * We'll use simple HTTP auth to identify ourselves
     */
    rv = est_client_set_auth(ctx, "estuser", "estpwd", NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);

    est_client_set_server(ctx, "127.0.0.1", US748_TCP_PROXY_PORT);

    /*
     * Create some space to hold the cert and generate
     * a private key
     */
    new_pkey = generate_private_key();            

    rv = est_client_get_csrattrs(ctx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Attempt to enroll
     */
    ctx->csr_pop_required = 1;  //This is a hack for testing only, do not attempt this 
                                //We need to force the challengePassword into the CSR    
    rv = est_client_enroll(ctx, "TestCase9", &pkcs7_len, new_pkey);
    CU_ASSERT(rv == EST_ERR_NONE);

    pkcs7 = malloc(pkcs7_len);
    rv = est_client_copy_enrolled_cert(ctx, pkcs7);
    
    free(pkcs7);
    est_destroy(ctx);
}
Beispiel #18
0
/*
 * Test1 - exercise the server side variations triggered
 *         by est_client_get_csrattrs()
 */
static void us895_test1 (void)
{
    EST_CTX *ctx;
    unsigned char *pkey = NULL;
    unsigned char *cacerts = NULL;
    int cacerts_len = 0;
    EST_ERROR rc = EST_ERR_NONE;
    EVP_PKEY * priv_key;
    int csr_len;
    unsigned char *csr_data = NULL;

    SLEEP(1);

    LOG_FUNC_NM
    ;

    /*
     * Read in the CA certificates
     */
    cacerts_len = read_binary_file(SERVER_UT_CACERT, &cacerts);
    CU_ASSERT(cacerts_len > 0);

    /*
     * Read in the private key file
     */
    priv_key = read_private_key(SERVER_UT_PUBKEY);
    if (priv_key == NULL) {
        printf("\nError while reading private key file %s\n", SERVER_UT_PUBKEY);
        return;
    }

    ctx = est_client_init(
        cacerts,
        cacerts_len,
        EST_CERT_FORMAT_PEM,
        proxy_manual_cert_verify);
    CU_ASSERT(ctx != NULL);

    rc = est_client_set_auth(ctx, "", "", NULL, priv_key);
    CU_ASSERT(rc == EST_ERR_NONE);

    est_client_set_server(ctx, US895_SERVER_IP, US895_PROXY_PORT, NULL);

    /* clear callback */
    if (est_set_csr_cb(ectx, NULL)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }

    /* clear csrattrs */
    rc = est_server_init_csrattrs(ectx, NULL, 0);
    CU_ASSERT(rc == EST_ERR_NONE);
    /* should get 204 with no data */
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == 0);
    CU_ASSERT(csr_data == NULL);

    /* Real base64 string - should pass */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR_POP));
    CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *) csr_data, csr_len) == 0);

    if (est_set_csr_cb(ectx, &handle_short_csrattrs_request)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }
    /* callback should supersede init csrattrs */
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == 0);

    if (est_set_csr_cb(ectx, &handle_corrupt_csrattrs_request)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }
    /* callback should supersede init csrattrs */
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == 0);

    if (est_set_csr_cb(ectx, &handle_long_csrattrs_request)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }
    /* callback should supersede init csrattrs */
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == 0);

    if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }
    /* callback should supersede init csrattrs */
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR1));
    CU_ASSERT(strncmp(TEST_ATTR1, (const char *) csr_data, csr_len) == 0);

    /* clear csrattrs */
    rc = est_server_init_csrattrs(ectx, NULL, 0);
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR1));
    CU_ASSERT(strncmp(TEST_ATTR1, (const char *) csr_data, csr_len) == 0);

    /* clear callback */
    if (est_set_csr_cb(ectx, NULL)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }

    /* Setting the smallest base64 size */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR2));
    CU_ASSERT(strncmp(TEST_ATTR2, (const char *) csr_data, csr_len) == 0);

    rc = est_server_init_csrattrs(ectx, TEST_ATTR3, strlen(TEST_ATTR3));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR3));
    CU_ASSERT(strncmp(TEST_ATTR3, (const char *) csr_data, csr_len) == 0);

    /* clear csrattrs */
    rc = est_server_init_csrattrs(ectx, NULL, 0);
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == 0);

    rc = est_server_init_csrattrs(
        ectx,
        TEST_1024_NOPOP,
        strlen(TEST_1024_NOPOP));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_1024_NOPOP));
    CU_ASSERT(strncmp(TEST_1024_NOPOP, (const char *) csr_data, csr_len) == 0);

    /* Enable PoP and test responses with PoP added */
    st_enable_pop();

    rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_data != NULL);
    CU_ASSERT(csr_len = 20);
    CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *) csr_data, csr_len) == 0);

    rc = est_server_init_csrattrs(
        ectx,
        TEST_1024_NOPOP,
        strlen(TEST_1024_NOPOP));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_1024_POP));
    CU_ASSERT(strncmp(TEST_1024_POP, (const char *) csr_data, csr_len) == 0);

    /* Setting the size 122 */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR4_122, strlen(TEST_ATTR4_122));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR4_122POP));
    CU_ASSERT(
        strncmp(TEST_ATTR4_122POP, (const char *) csr_data, csr_len) == 0);

    /* Setting the size 117 */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR5_117, strlen(TEST_ATTR5_117));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR5_117POP));
    CU_ASSERT(
        strncmp(TEST_ATTR5_117POP, (const char *) csr_data, csr_len) == 0);

    /* Real base64 string needs PoP added - should pass */
    rc = est_server_init_csrattrs(
        ectx,
        TEST_ATTR_NOPOP,
        strlen(TEST_ATTR_NOPOP));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP));
    CU_ASSERT(
        strncmp(TEST_ATTR_NOPOPPOP, (const char *) csr_data, csr_len) == 0);

    /* Not a real base64 string - should fail */
    rc = est_server_init_csrattrs(ectx, "US900 test1", 11);
    CU_ASSERT(rc != EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR_POP));
    CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *) csr_data, csr_len) == 0);

    /* Setting the smallest size */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP));
    CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *) csr_data, csr_len) == 0);

    /* Setting the size 116 */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR6_116, strlen(TEST_ATTR6_116));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);

    /* Setting the size 244 */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR_244, strlen(TEST_ATTR_244));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);

    /* Setting the size 245 */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR_245, strlen(TEST_ATTR_245));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);

    /* Setting the size 250 */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR_250, strlen(TEST_ATTR_250));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR_250POP));
    CU_ASSERT(strncmp(TEST_ATTR_250POP, (const char *) csr_data, csr_len) == 0);

    if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }

    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR1));
    CU_ASSERT(strncmp(TEST_ATTR1, (const char *) csr_data, csr_len) == 0);

    if (est_set_csr_cb(ectx, &handle_nopop_csrattrs_request)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }

    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP));
    CU_ASSERT(
        strncmp(TEST_ATTR_NOPOPPOP, (const char *) csr_data, csr_len) == 0);

    if (est_set_csr_cb(ectx, &handle_empty_csrattrs_request)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }

    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP));
    CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *) csr_data, csr_len) == 0);

    /* disable PoP */
    st_disable_pop();

    /* clear callback */
    if (est_set_csr_cb(ectx, NULL)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }

    /* Real base64 string PoP should not be added - should pass */
    rc = est_server_init_csrattrs(
        ectx,
        TEST_ATTR_NOPOP,
        strlen(TEST_ATTR_NOPOP));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOP));
    CU_ASSERT(strncmp(TEST_ATTR_NOPOP, (const char *) csr_data, csr_len) == 0);

    /* All ASN.1 types supported by CiscoSSL */
    rc = est_server_init_csrattrs(ectx, TEST_ALL_ATTR, strlen(TEST_ALL_ATTR));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ALL_ATTR));
    CU_ASSERT(strncmp(TEST_ALL_ATTR, (const char *) csr_data, csr_len) == 0);

    if (ctx) {
        est_destroy(ctx);
    }
    if (cacerts) {
        free(cacerts);
    }
    if (pkey) {
        free(pkey);
    }
}
Beispiel #19
0
/*
 * This function is used by the server side of the EST proxy to respond to an
 * incoming CSR Attributes request.  This function is similar to the Client API
 * function, est_client_get_csrattrs().
  */
static int est_proxy_handle_csr_attrs (EST_CTX *ctx, void *http_ctx)
{
    int rv = EST_ERR_NONE;
    int pop_present;
    char *csr_data, *csr_data_pop;
    int csr_len, csr_pop_len;
    EST_CTX *client_ctx;

    /*
     * get the client context for this thread
     */
    client_ctx = get_client_ctx(ctx);
    if (!client_ctx) {
        EST_LOG_ERR("Unable to obtain client context for proxy operation");
	return (EST_ERR_NO_CTX);
    }

    /*
     * Invoke client code to retrieve the CSR attributes.
     * Note: there is no need to authenticate the client (see sec 4.5)
     */
    EST_LOG_INFO("Proxy get csr attributes");
    rv = est_client_get_csrattrs(client_ctx, (unsigned char **)&csr_data, &csr_len);
    /*
     * csr_data points to the memory allocated to hold the csr attributes,
     * which will be freed in this call stack.  To prevent a double-free
     * we null the to pointer on the client context.
     */
    client_ctx->retrieved_csrattrs = NULL;
    client_ctx->retrieved_csrattrs_len = 0;
    if (rv == EST_ERR_NONE) {
	ctx->csr_pop_present = 0;
	if (ctx->server_enable_pop) {
	    rv = est_is_challengePassword_present(csr_data, csr_len, &pop_present);
	    if (rv != EST_ERR_NONE) {
		EST_LOG_ERR("Error during PoP/sanity check");
		est_send_http_error(ctx, http_ctx, EST_ERR_HTTP_NO_CONTENT);
		return (EST_ERR_NONE);
	    }
	    ctx->csr_pop_present = pop_present;

	    if (!ctx->csr_pop_present) {
		if (csr_len == 0) {
                    csr_data = malloc(EST_CSRATTRS_POP_LEN + 1);
		    if (!csr_data) {
			return (EST_ERR_MALLOC);
		    }
		    strncpy(csr_data, EST_CSRATTRS_POP, EST_CSRATTRS_POP_LEN);
		    csr_data[EST_CSRATTRS_POP_LEN] = 0;
		    csr_len = EST_CSRATTRS_POP_LEN;
		    return (est_send_csrattr_data(ctx, csr_data, csr_len, http_ctx));
		}
		rv = est_add_challengePassword(csr_data, csr_len, &csr_data_pop, &csr_pop_len);
		if (rv != EST_ERR_NONE) {
		    if (csr_data) {
		        free(csr_data);
		    }
		    EST_LOG_ERR("Error during add PoP");
		    est_send_http_error(ctx, http_ctx, EST_ERR_HTTP_NO_CONTENT);
		    return (EST_ERR_NONE);
		}
		if (csr_data) {
		    free(csr_data);
		}
		csr_data = csr_data_pop;
		csr_len = csr_pop_len;
	    }
	}
    } else {
	EST_LOG_ERR("Server not reachable or sent corrupt attributes");
	est_send_http_error(ctx, http_ctx, EST_ERR_HTTP_NO_CONTENT);
	return (EST_ERR_NONE);
    }
    return (est_send_csrattr_data(ctx, csr_data, csr_len, http_ctx));
}
Beispiel #20
0
/*
 * Verify that a bogus user ID/password fails when
 * using HTTP digest auth.
 */
static void us898_test9 (void) 
{
    EST_CTX *ectx;
    EVP_PKEY *key;
    unsigned char *key_raw;
    int key_len;
    unsigned char *cert_raw;
    int cert_len;
    int rv;
    int pkcs7_len = 0;
    X509 *cert = NULL;
    BIO *in;
    unsigned char *attr_data = NULL;
    int attr_len;

    LOG_FUNC_NM;

    /*
     * Enable HTTP digest authentication
     */
    st_enable_http_digest_auth();

    /*
     * Create a client context 
     */
    ectx = est_client_init(cacerts, cacerts_len, 
                           EST_CERT_FORMAT_PEM,
                           client_manual_cert_verify);
    CU_ASSERT(ectx != NULL);

    /*
     * Set the authentication mode to use a user id/password
     */
    rv = est_client_set_auth(ectx, "jdoe", "panthers", NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);

    /*
     * Read in the private key
     */
    key_len = read_binary_file("US898/key-expired.pem", &key_raw);
    CU_ASSERT(key_len > 0);
    key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
    CU_ASSERT(key != NULL);
    free(key_raw);

    /*
     * Read in the old cert
     */
    cert_len = read_binary_file("US898/cert-expired.pem", &cert_raw);
    CU_ASSERT(cert_len > 0);
    in = BIO_new_mem_buf(cert_raw, cert_len);
    CU_ASSERT(in != NULL);
    if (!in) return;
    cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
    CU_ASSERT(cert != NULL);
    if (!cert) return; 
    BIO_free_all(in);
    free(cert_raw);

    /*
     * Get the latest CSR attributes
     */
    rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Enroll an expired cert that contains x509 extensions.
     */
    rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
    CU_ASSERT(rv == EST_ERR_AUTH_FAIL);

    est_destroy(ectx);

    /*
     * Re-enable HTTP basic authentication
     */
    st_enable_http_basic_auth();

}
Beispiel #21
0
/*
 * Test2 - exercise the server side variations triggered
 *         by est_client_get_csrattrs()
 */
static void us900_test2 (void) 
{
    EST_CTX *ctx;
    unsigned char *pkey = NULL;
    unsigned char *cacerts = NULL;
    int cacerts_len = 0;
    EST_ERROR rc = EST_ERR_NONE;
    unsigned char *retrieved_cacerts = NULL;
    int  retrieved_cacerts_len = 0;
    EVP_PKEY *priv_key;
    int csr_len;
    unsigned char *csr_data = NULL;

    sleep(1);
    
    LOG_FUNC_NM;

    /*
     * Read in the CA certificates
     */
    cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts);
    CU_ASSERT(cacerts_len > 0);

    /*
     * Read in the private key file
     */
    priv_key = read_private_key(CLIENT_UT_PUBKEY);
    if (priv_key == NULL) {
	printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY);
        return;
    }

    ctx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM,
                           client_manual_cert_verify);
    CU_ASSERT(ctx != NULL);

    rc = est_client_set_auth(ctx, "", "", NULL, priv_key);
    CU_ASSERT(rc == EST_ERR_NONE);    

    est_client_set_server(ctx, US900_SERVER_IP, US900_SERVER_PORT);
    
    /*
     * issue the get ca certs request
     */
    rc = est_client_get_cacerts(ctx, &retrieved_cacerts_len);
    /*
     * should be successful, and should have obtained a valid buffer
     * containing the CA certs
     */
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(retrieved_cacerts_len > 0);

    retrieved_cacerts = malloc(retrieved_cacerts_len);
    
    rc = est_client_copy_cacerts(ctx, retrieved_cacerts);
    
    /*
     * output the retrieved ca certs and compare to what they should be
     */    
    if (retrieved_cacerts) {

        printf("\nRetrieved CA Certs buffer:\n %.*s\n", retrieved_cacerts_len, retrieved_cacerts);
        printf("Retrieved CA certs buffer length: %d\n", retrieved_cacerts_len);    
    }
    free(retrieved_cacerts);

    /* clear callback */
    if (est_set_csr_cb(ectx, NULL)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }

    /* clear csrattrs */
    rc = est_server_init_csrattrs(ectx, NULL, 0);
    CU_ASSERT(rc == EST_ERR_NONE);

    /* should get 204 with no data */
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == 0);
    CU_ASSERT(csr_data == NULL);

    /* Real base64 string - should pass */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP));
    CU_ASSERT(rc == EST_ERR_NONE);

    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR_POP));
    CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *)csr_data, csr_len) == 0);


    if (est_set_csr_cb(ectx, &handle_corrupt_csrattrs_request)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }
    /* callback should supersede init csrattrs */
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == 0);

    if (est_set_csr_cb(ectx, &handle_short_csrattrs_request)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }
    /* callback should supersede init csrattrs */
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == 0);

    if (est_set_csr_cb(ectx, &handle_long_csrattrs_request)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }
    /* callback should supersede init csrattrs */
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == 0);


    if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }
    /* callback should supersede init csrattrs */
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR1));
    CU_ASSERT(strncmp(TEST_ATTR1, (const char *)csr_data, csr_len) == 0);



    /* clear csrattrs */
    rc = est_server_init_csrattrs(ectx, NULL, 0);
    CU_ASSERT(rc == EST_ERR_NONE);

    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR1));
    CU_ASSERT(strncmp(TEST_ATTR1, (const char *)csr_data, csr_len) == 0);

    /* clear callback */
    if (est_set_csr_cb(ectx, NULL)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }

    /* Setting the smallest size */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2));
    CU_ASSERT(rc == EST_ERR_NONE);

    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR2));
    CU_ASSERT(strncmp(TEST_ATTR2, (const char *)csr_data, csr_len) == 0);

    rc = est_server_init_csrattrs(ectx, TEST_ATTR3, strlen(TEST_ATTR3));
    CU_ASSERT(rc == EST_ERR_NONE);

    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR3));
    CU_ASSERT(strncmp(TEST_ATTR3, (const char *)csr_data, csr_len) == 0);

    /* clear csrattrs */
    rc = est_server_init_csrattrs(ectx, NULL, 0);
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == 0);

    rc = est_server_init_csrattrs(ectx, TEST_1024_NOPOP, strlen(TEST_1024_NOPOP));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_1024_NOPOP));
    CU_ASSERT(strncmp(TEST_1024_NOPOP, (const char *)csr_data, csr_len) == 0);

    /* Enable PoP and test responses with PoP added */
    st_enable_pop();

    rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_data != NULL);
    CU_ASSERT(csr_len = 20);
    CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *)csr_data, csr_len) == 0);

    rc = est_server_init_csrattrs(ectx, TEST_1024_NOPOP, strlen(TEST_1024_NOPOP));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_1024_POP));
    CU_ASSERT(strncmp(TEST_1024_POP, (const char *)csr_data, csr_len) == 0);

    /* Setting the size 122 */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR4_122, strlen(TEST_ATTR4_122));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR4_122POP));
    CU_ASSERT(strncmp(TEST_ATTR4_122POP, (const char *)csr_data, csr_len) == 0);

    /* Setting the size 117 */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR5_117, strlen(TEST_ATTR5_117));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR5_117POP));
    CU_ASSERT(strncmp(TEST_ATTR5_117POP, (const char *)csr_data, csr_len) == 0);

    /* Real base64 string needs PoP added - should pass */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR_NOPOP, strlen(TEST_ATTR_NOPOP));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP));
    CU_ASSERT(strncmp(TEST_ATTR_NOPOPPOP, (const char *)csr_data, csr_len) == 0);

    /* Not a real base64 string - should fail */
    rc = est_server_init_csrattrs(ectx, "US900 test1", 11);
    CU_ASSERT(rc != EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR_POP));
    CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *)csr_data, csr_len) == 0);

    /* Setting the smallest size */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP));
    CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *)csr_data, csr_len) == 0);

    /* Setting the size 116 */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR6_116, strlen(TEST_ATTR6_116));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);

    /* Setting the size 244 */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR_244, strlen(TEST_ATTR_244));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);

    /* Setting the size 245 */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR_245, strlen(TEST_ATTR_245));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);

    /* Setting the size 250 */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR_250, strlen(TEST_ATTR_250));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR_250POP));
    CU_ASSERT(strncmp(TEST_ATTR_250POP, (const char *)csr_data, csr_len) == 0);

    if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }

    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR1));
    CU_ASSERT(strncmp(TEST_ATTR1, (const char *)csr_data, csr_len) == 0);

    if (est_set_csr_cb(ectx, &handle_nopop_csrattrs_request)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }

    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP));
    CU_ASSERT(strncmp(TEST_ATTR_NOPOPPOP, (const char *)csr_data, csr_len) == 0);

    if (est_set_csr_cb(ectx, &handle_empty_csrattrs_request)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }

    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP));
    CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *)csr_data, csr_len) == 0);

    /* disable PoP */
    st_disable_pop();

    /* clear callback */
    if (est_set_csr_cb(ectx, NULL)) {
        printf("\nUnable to set EST CSR Attributes callback.  Aborting!!!\n");
        exit(1);
    }

    /* Real base64 string PoP should not be added - should pass */
    rc = est_server_init_csrattrs(ectx, TEST_ATTR_NOPOP, strlen(TEST_ATTR_NOPOP));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOP));
    CU_ASSERT(strncmp(TEST_ATTR_NOPOP, (const char *)csr_data, csr_len) == 0);

    /* All ASN.1 types supported by OpenSSL */
    rc = est_server_init_csrattrs(ectx, TEST_ALL_ATTR, strlen(TEST_ALL_ATTR));
    CU_ASSERT(rc == EST_ERR_NONE);
    rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
    CU_ASSERT(rc == EST_ERR_NONE);
    CU_ASSERT(csr_len == strlen(TEST_ALL_ATTR));
    CU_ASSERT(strncmp(TEST_ALL_ATTR, (const char *)csr_data, csr_len) == 0);


    rc = est_server_init_csrattrs(ectx, TEST_1025_NOPOP, strlen(TEST_1025_NOPOP));
    CU_ASSERT(rc != EST_ERR_NONE);
    rc = est_server_init_csrattrs(ectx, TEST_LONG_ATTR, strlen(TEST_LONG_ATTR));
    CU_ASSERT(rc != EST_ERR_NONE);

    if (ctx) {
        est_destroy(ctx);
    }
    if (cacerts) {
        free(cacerts);
    }
    if (pkey) {
        free(pkey);
    }
}