Beispiel #1
0
lms_priv_key_t* create_lms_priv_key(void)
{
    lms_priv_key_t* lms_private_key = (lms_priv_key_t*) malloc(sizeof(lms_priv_key_t));    
    unsigned  int q = 0;
    char      temp_string[5] = {0};
    entropy_read(lms_private_key->I,ENTROPY_SIZE);
    //printf("I: %s\n",stringToHex(lms_private_key->I,ENTROPY_SIZE));
    lms_private_key->priv  = (list_node_t *) malloc(NUM_LEAF_NODES *sizeof(list_node_t));
    lms_private_key->pub   = (list_node_t *) malloc(NUM_LEAF_NODES *sizeof(list_node_t));
    for(q = 0; q < NUM_LEAF_NODES; q++)
    {
        //printf("I: %s q: %s \n ",lms_private_key->I,uint32ToString(q,temp_string));
        lms_private_key->priv[(unsigned int)q].data = (void *)generate_private_key();
        lms_private_key->pub[(unsigned int)q].data  = (void *)generate_public_key(
                                                        (list_node_t* )lms_private_key->priv[(unsigned int)q].data,\
                                                        lms_private_key->I, uint32ToString(q,temp_string));
        lms_private_key->priv[(unsigned int)q].next = NULL;
        lms_private_key->pub[(unsigned int)q].next  = NULL;    
        D(printf(" Generating %u th OTS key PUBLIC KEY %s \n",q,stringToHex(lms_private_key->pub[(unsigned int)q].data,N));)
        //exit(1);
    }
    
    lms_private_key->nodes  = (list_node_t *) malloc( 2* NUM_LEAF_NODES *sizeof(list_node_t));
    for(q = 0; q < 2* NUM_LEAF_NODES; q++)
    {
        lms_private_key->nodes[(unsigned int)q].data = (char *)malloc(N * sizeof(char));
        lms_private_key->nodes[(unsigned int)q].next = NULL;
    }
    lms_private_key->leaf_num       = 0;
    lms_private_key->lms_public_key = T(lms_private_key,1);
    return lms_private_key;
}
static gnutls_x509_privkey gen_crypto(requiem_client_profile_t *cp,
                                      const char *filename, requiem_uid_t uid, requiem_gid_t gid)
{
        int ret;
        char buf[65535];
        gnutls_x509_privkey key;
        size_t size = sizeof(buf);

        key = generate_private_key();
        if ( ! key ) {
                fprintf(stderr, "error while generating RSA private key.\n");
                return NULL;
        }

        ret = gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buf, &size);
        if ( ret < 0 ) {
                fprintf(stderr, "error exporting private key: %s\n", gnutls_strerror(ret));
                gnutls_x509_privkey_deinit(key);
                return NULL;
        }

        ret = save_buf(filename, uid, gid, (unsigned char *) buf, size);
        if ( ret < 0 ) {
                fprintf(stderr, "error saving private key.\n");
                return NULL;
        }

        return key;
}
Beispiel #3
0
/*
 * This test will initialize EST w/o a trust anchor,
 * enable SRP, and perform a simpleenroll. 
 * This should succeed since SRP doesn't require a
 * trust anchor.
 */
static void us1060_test104 ()
{
    EST_CTX *ectx;
    EVP_PKEY *new_key;
    int rv;
    int pkcs7_len = 0;

    LOG_FUNC_NM;

    /*
     * We need to restart the EST server using an RSA key
     * None of the SRP cipher suites support ECDSA
     */
    st_stop();
    sleep(2);
    us1060_start_server(US1060_SERVER_CERTKEY, US1060_SERVER_CERTKEY, 0, 0, 1);

    /*
     * Create a client context 
     */
    ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL);
    CU_ASSERT(ectx != NULL);

    /*
     * Set the authentication mode to use a user id/password
     */
    rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT);

    /*
     * Enable SRP on the client
     */
    rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD); 

    /*
     * generate a new private key
     */
    new_key = generate_private_key();
    CU_ASSERT(new_key != NULL);

    /*
     * Attempt to provision a new cert
     */
    rv = est_client_enroll(ectx, "US1060_TEST104", &pkcs7_len, new_key);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Cleanup
     */
    EVP_PKEY_free(new_key);
    est_destroy(ectx);
}
Beispiel #4
0
/*
 * Test the re-enroll API to ensure it gracefully
 * handles a null X509 cert pointer.
 */
static void us898_test3 (void) 
{
    EST_CTX *ectx;
    EVP_PKEY *key;
    int pkcs7_len = 0;
    int rv;
    unsigned char *attr_data = NULL;
    int attr_len;

    LOG_FUNC_NM;

    /*
     * Create a client context 
     */
    ectx = est_client_init(cacerts, cacerts_len, 
                           EST_CERT_FORMAT_PEM,
                           client_manual_cert_verify);
    CU_ASSERT(ectx != NULL);

    /*
     * Set the authentication mode to use a user id/password
     */
    rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);

    /*
     * Generate a private key
     */
    key = generate_private_key();
    CU_ASSERT(key != NULL);

    /*
     * Get the latest CSR attributes
     */
    rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * re-enroll using a null x509 pointer.
     */
    rv = est_client_reenroll(ectx, NULL, &pkcs7_len, key);
    CU_ASSERT(rv == EST_ERR_NO_CERT);

    /*
     * Clean up
     */
    EVP_PKEY_free(key);
    est_destroy(ectx);
}
KeyTable
AddressDb::keyTable()
{
    std::lock_guard<std::mutex> lock(mutex_);

    auto m00 = mainBranch(wallet_);
    KeyTable out;
    for (const auto &i: addresses_)
    {
        out[i.first] = bc::secret_to_wif(
                           m00.generate_private_key(i.second.index).private_key());
    }

    return out;
}
Beispiel #6
0
/*
 * This function performs a basic simple enroll using
 * a UID/PWD to identify the client to the server.  This
 * is used for a variet of test cases in this module.
 */
static void us898_test1 (void) 
{
    EST_CTX *ectx;
    EVP_PKEY *key;
    int rv;
    int pkcs7_len = 0;
    unsigned char *new_cert = NULL;
    PKCS7 *p7 = NULL;
    BIO *b64, *out;
    X509 *cert = NULL;
    STACK_OF(X509) *certs = NULL;
    int i;
    unsigned char *attr_data = NULL;
    int attr_len;

    LOG_FUNC_NM;

    /*
     * Create a client context 
     */
    ectx = est_client_init(cacerts, cacerts_len, 
                           EST_CERT_FORMAT_PEM,
                           client_manual_cert_verify);
    CU_ASSERT(ectx != NULL);

    /*
     * Set the authentication mode to use a user id/password
     */
    rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);

    /*
     * generate a private key
     */
    key = generate_private_key();
    CU_ASSERT(key != NULL);

    /*
     * Get the latest CSR attributes
     */
    rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Use the simplified API to enroll a CSR
     */
    rv = est_client_enroll(ectx, "TC-US898-1", &pkcs7_len, key);
    CU_ASSERT(rv == EST_ERR_NONE);
    if (rv != EST_ERR_NONE) return;

    /*
     * Retrieve the cert that was given to us by the EST server
     */
    if (rv == EST_ERR_NONE) {
	new_cert = malloc(pkcs7_len);
	CU_ASSERT(new_cert != NULL);
	rv = est_client_copy_enrolled_cert(ectx, new_cert);
	CU_ASSERT(rv == EST_ERR_NONE);
    }

    /*
     * Convert the cert to an X509.  Be warned this is
     * pure hackery.  
     */
    b64 = BIO_new(BIO_f_base64());
    out = BIO_new_mem_buf(new_cert, pkcs7_len);
    out = BIO_push(b64, out);
    p7 = d2i_PKCS7_bio(out,NULL);
    CU_ASSERT(p7 != NULL);
    BIO_free_all(out);
    i=OBJ_obj2nid(p7->type);
    switch (i) {
    case NID_pkcs7_signed:
	certs = p7->d.sign->cert;
	break;
    case NID_pkcs7_signedAndEnveloped:
	certs = p7->d.signed_and_enveloped->cert;
	break;
    default:
	break;
    }
    CU_ASSERT(certs != NULL);
    if (!certs) return;
    /* our new cert should be the one and only
     * cert in the pkcs7 blob.  We shouldn't have to
     * iterate through the full list to find it. */
    cert = sk_X509_value(certs, 0);
    CU_ASSERT(cert != NULL);


    /* 
     * Wow, that's a lot of work, but we finally have the X509.
     * (don't you just love OpenSSL!!!)
     * Now that we have an X509 representation of the cert,
     * let's try to re-enroll this cert with the CA
     */
    rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Cleanup
     */
    if (cert) X509_free(cert);
    EVP_PKEY_free(key);
    if (new_cert) free(new_cert);
    est_destroy(ectx);
}
Beispiel #7
0
int main (int argc, char **argv)
{
    signed char c;
    int set_fips_return = 0;
    char file_name[MAX_FILENAME_LEN];
    BIO *keyin;
    BIO *certin;
    static struct option long_options[] = {
        { "trustanchor",  1, 0,    0 },
        { "srp",          0, 0,    0 },
        { "srp-user",     1, 0,    0 },
        { "srp-password", 1, 0,    0 },
        { "auth-token",   1, 0,    0 },
        { "common-name",  1, 0,    0 },
        { "pem-output",   0, 0,    0 },
        { NULL,           0, NULL, 0 }
    };
    int option_index = 0;
    int trustanchor = 1; /* default to require a trust anchor */
    char *trustanchor_file = NULL;

    est_http_uid[0] = 0x0;
    est_http_pwd[0] = 0x0;

    /*
     * Set the default common name to put into the Subject field
     */
    strncpy(subj_cn, "127.0.0.1", MAX_CN);

    memset(csr_file, 0, 1);
    memset(priv_key_file, 0, 1);
    memset(client_key_file, 0, 1);
    memset(client_cert_file, 0, 1);
    memset(out_dir, 0, 1);

    while ((c = getopt_long(argc, argv, "?zfvagerx:y:k:s:p:o:c:w:u:h:", long_options, &option_index)) != -1) {
        switch (c) {
        case 0:
#if 0
            printf("option %s", long_options[option_index].name);
            if (optarg) {
                printf(" with arg %s", optarg);
            }
            printf("\n");
#endif
            if (!strncmp(long_options[option_index].name, "trustanchor", strlen("trustanchor"))) {
                if (!strncmp(optarg, "no", strlen("no"))) {
                    trustanchor = 0;
                } else {
                    trustanchor_file = optarg;
                }
            }
            if (!strncmp(long_options[option_index].name, "srp", strlen("srp"))) {
                srp = 1;
            }
            if (!strncmp(long_options[option_index].name, "srp-user", strlen("srp-user"))) {
                strncpy(est_srp_uid, optarg, MAX_UID_LEN);
            }
            if (!strncmp(long_options[option_index].name, "srp-password", strlen("srp-password"))) {
                strncpy(est_srp_pwd, optarg, MAX_PWD_LEN);
            }
	    if (!strncmp(long_options[option_index].name,"auth-token", strlen("auth-token"))) {
		strncpy(est_auth_token, optarg, MAX_AUTH_TOKEN_LEN);
                token_auth_mode = 1;
	    }
            if (!strncmp(long_options[option_index].name, "common-name", strlen("common-name"))) {
                strncpy(subj_cn, optarg, MAX_CN);
            }
            if (!strncmp(long_options[option_index].name, "pem-output", strlen("pem-output"))) {
                pem_out = 1;
            }
            break;
        case 'v':
            verbose = 1;
            break;
        case 'z':
            force_pop = 1;
            break;
        case 'a':
            getcsr = 1;
            break;
        case 'g':
            getcert = 1;
            break;
        case 'e':
            enroll = 1;
            break;
        case 'r':
            reenroll = 1;
            break;
        case 'u':
            strncpy(est_http_uid, optarg, MAX_UID_LEN);
            break;
        case 'h':
            strncpy(est_http_pwd, optarg, MAX_PWD_LEN);
            break;
        case 's':
            strncpy(est_server, optarg, MAX_SERVER_LEN);
            break;
        case 'x':
            strncpy(priv_key_file, optarg, MAX_FILENAME_LEN);
            break;
        case 'y':
            strncpy(csr_file, optarg, MAX_FILENAME_LEN);
            break;
        case 'k':
            strncpy(client_key_file, optarg, MAX_FILENAME_LEN);
            break;
        case 'c':
            strncpy(client_cert_file, optarg, MAX_FILENAME_LEN);
            break;
        case 'o':
            strncpy(out_dir, optarg, MAX_FILENAME_LEN);
            break;
        case 'p':
            est_port = atoi(optarg);
            break;
        case 'f':
            /* Turn FIPS on if requested and exit if failure */
            set_fips_return = FIPS_mode_set(1);
            if (!set_fips_return) {
                printf("\nERROR setting FIPS MODE ON ...\n");
                ERR_load_crypto_strings();
                ERR_print_errors(BIO_new_fp(stderr, BIO_NOCLOSE));
                exit(1);
            } else {
                printf("\nRunning EST Sample Client with FIPS MODE = ON\n");
            };
            break;
        case 'w':
            read_timeout = atoi(optarg);
            if (read_timeout > EST_SSL_READ_TIMEOUT_MAX) {
                printf("\nMaxium number of seconds to wait is %d, ", EST_SSL_READ_TIMEOUT_MAX);
                printf("please use a lower value with the -w option\n");
                exit(1);
            }
            break;
        default:
            show_usage_and_exit();
            break;
        }
    }
    if (optind < argc) {
        printf("non-option ARGV-elements: ");
        while (optind < argc) {
            printf("%s ", argv[optind++]);
        }
        printf("\n");
    }
    argc -= optind;
    argv += optind;

    if (est_http_uid[0] && !est_http_pwd[0]) {
        printf("Error: The password for HTTP authentication must be specified when the HTTP user name is set.\n");
        exit(1);
    }

    if (csr_file[0] && getcsr) {
        printf("\nError: The -a option (CSR attributes) does not make sense with a pre-defined CSR\n");
        exit(1);
    }
    if (csr_file[0] && priv_key_file[0]) {
        printf("\nError: The -x option (private key for CSR) does not make sense with a pre-defined CSR\n");
        exit(1);
    }
    if (csr_file[0] && force_pop) {
        printf("\nError: The -z option (PoP) does not make sense with a pre-defined CSR\n");
        exit(1);
    }
    if (reenroll & csr_file[0]) {
        printf("\nError: The -y option (predefined CSRs) does not make sense for re-enrollment\n");
        exit(1);
    }

    if (verbose) {
        print_version();
        printf("\nUsing EST server %s:%d", est_server, est_port);
        if (csr_file        [0]) {
            printf("\nUsing CSR file %s", csr_file);
        }
        if (priv_key_file   [0]) {
            printf("\nUsing identity private key file %s", priv_key_file);
        }
        if (client_cert_file[0]) {
            printf("\nUsing identity client cert file %s", client_cert_file);
        }
        if (client_key_file [0]) {
            printf("\nUsing identity private key file %s", client_key_file);
        }
    }

    if (enroll && reenroll) {
        printf("\nThe enroll and reenroll operations can not be used together\n");
        exit(1);
    }

    if (!out_dir[0]) {
        printf("\nOutput directory must be specified with -o option\n");
        exit(1);
    }

    if (trustanchor) {
        if (!trustanchor_file) {
            /*
             * Get the trust anchor filename from the environment var
             */
            if (!getenv("EST_OPENSSL_CACERT")) {
                printf("\nCACERT file not set, set EST_OPENSSL_CACERT to resolve");
                exit(1);
            }
            trustanchor_file = getenv("EST_OPENSSL_CACERT");
        }

        /*
         * Read in the CA certificates
         */
        cacerts_len = read_binary_file(trustanchor_file, &cacerts);
        if (cacerts_len <= 0) {
            printf("\nCACERT file could not be read\n");
            exit(1);
        }
    }

    /*
     * Read in the current client certificate
     */
    if (client_cert_file[0]) {
        certin = BIO_new(BIO_s_file_internal());
        if (BIO_read_filename(certin, client_cert_file) <= 0) {
            printf("\nUnable to read client certificate file %s\n", client_cert_file);
            exit(1);
        }
        /*
         * This reads the file, which is expected to be PEM encoded.  If you're using
         * DER encoded certs, you would invoke d2i_X509_bio() instead.
         */
        client_cert = PEM_read_bio_X509(certin, NULL, NULL, NULL);
        if (client_cert == NULL) {
            printf("\nError while reading PEM encoded client certificate file %s\n", client_cert_file);
            exit(1);
        }
        BIO_free(certin);
    }

    /*
     * Read in the client's private key
     */
    if (client_key_file[0]) {
        keyin = BIO_new(BIO_s_file_internal());
        if (BIO_read_filename(keyin, client_key_file) <= 0) {
            printf("\nUnable to read client private key file %s\n", client_key_file);
            exit(1);
        }
        /*
         * This reads in the private key file, which is expected to be a PEM
         * encoded private key.  If using DER encoding, you would invoke
         * d2i_PrivateKey_bio() instead.
         */
        client_priv_key = PEM_read_bio_PrivateKey(keyin, NULL, NULL, NULL);
        if (client_priv_key == NULL) {
            printf("\nError while reading PEM encoded private key file %s\n", client_key_file);
            ERR_print_errors_fp(stderr);
            exit(1);
        }
        BIO_free(keyin);
    }

    est_apps_startup();

#if DEBUG_OSSL_LEAKS
    CRYPTO_malloc_debug_init();
    CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
#endif

    if (verbose) {
        est_init_logger(EST_LOG_LVL_INFO, &test_logger_stdout);
        est_enable_backtrace(1);
    } else {
        est_init_logger(EST_LOG_LVL_ERR, &test_logger_stdout);
    }

    if (!priv_key_file[0] && enroll && !csr_file[0]) {
	printf("\nA private key is required for enrolling.  Creating a new RSA key pair since you didn't provide a key using the -x option.");
        /*
         * Create a private key that will be used for the
         * enroll operation.
         */
        new_pkey = generate_private_key(&new_pkey_len);
        snprintf(file_name, MAX_FILENAME_LEN, "%s/newkey.pem", out_dir);
        write_binary_file(file_name, new_pkey, new_pkey_len);
        free(new_pkey);

        /*
         * prepare to read it back in to an EVP_PKEY struct
         */
        strncpy(priv_key_file, file_name, MAX_FILENAME_LEN);

    }

    if (enroll && !csr_file[0]) {
	/* Read in the private key file */
	priv_key = read_private_key(priv_key_file);
    }


    do_operation();

    if (priv_key) {
        EVP_PKEY_free(priv_key);
    }
    if (client_priv_key) {
        EVP_PKEY_free(client_priv_key);
    }
    if (client_cert) {
        X509_free(client_cert);
    }

    free(cacerts);
    if (c_cert_len) {
        free(c_cert);
    }
    if (c_key_len) {
        free(c_key);
    }

    est_apps_shutdown();

#if DEBUG_OSSL_LEAKS
    BIO *bio_err;
    bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
    CRYPTO_mem_leaks(bio_err);
    BIO_free(bio_err);
#endif

    printf("\n");
    return 0;
}
Beispiel #8
0
static void us748_test9 (void) 
{
    EST_CTX *ctx;
    int rv;
    unsigned char *cacerts;
    int caclen = 0;
    EVP_PKEY *new_pkey;
    unsigned char *pkcs7;
    int pkcs7_len = 0;
    unsigned char *attr_data;
    int attr_len;

    LOG_FUNC_NM;

    /*
     * Make sure our EST server has PoP disabled
     */
    st_disable_pop();

    /*
     * Read in the CA certs
     */
    caclen = read_binary_file(US748_CACERTS, &cacerts);
    CU_ASSERT(cacerts_len > 0); 

    /*
     * Init the client context
     */
    ctx = est_client_init(cacerts, caclen, EST_CERT_FORMAT_PEM,
                          client_manual_cert_verify);

    /*
     * We'll use simple HTTP auth to identify ourselves
     */
    rv = est_client_set_auth(ctx, "estuser", "estpwd", NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);

    est_client_set_server(ctx, "127.0.0.1", US748_TCP_PROXY_PORT);

    /*
     * Create some space to hold the cert and generate
     * a private key
     */
    new_pkey = generate_private_key();            

    rv = est_client_get_csrattrs(ctx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Attempt to enroll
     */
    ctx->csr_pop_required = 1;  //This is a hack for testing only, do not attempt this 
                                //We need to force the challengePassword into the CSR    
    rv = est_client_enroll(ctx, "TestCase9", &pkcs7_len, new_pkey);
    CU_ASSERT(rv == EST_ERR_NONE);

    pkcs7 = malloc(pkcs7_len);
    rv = est_client_copy_enrolled_cert(ctx, pkcs7);
    
    free(pkcs7);
    est_destroy(ctx);
}
Beispiel #9
0
/*
 * Simple enroll - PoP check succeeds with estclient 
 *
 * This test case verifies the proxy is
 * verifying the PoP from the client CSR.  We use
 * estclient since it supports the PoP. 
 */
static void us748_test7 (void) 
{
    long rv;
    EST_CTX *c_ctx;
    EVP_PKEY *new_pkey;
    unsigned char *pkcs7;
    int pkcs7_len;
    unsigned char *attr_data;
    int attr_len;

    LOG_FUNC_NM;

    /*
     * This test case requires PoP to be enabled
     */
    st_enable_pop();

    /*
     * Create a client context
     */
    c_ctx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM,
                            client_manual_cert_verify);
    CU_ASSERT(c_ctx != NULL);
    if (!c_ctx) {
	return;
    }
        
    /*
     * Specify user ID and password since the server is running
     * in Basic Authentication mode.
     */
    rv = est_client_set_auth(c_ctx, "estuser", "estpwd", NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);
    est_client_set_server(c_ctx, "127.0.0.1", US748_TCP_PROXY_PORT);

    /*
     * get a keypair to be used in the enroll.
     */
    new_pkey = generate_private_key();

    rv = est_client_get_csrattrs(c_ctx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Attempt to enroll a CSR
     */
    rv = est_client_enroll(c_ctx, "US748-test7 CN", &pkcs7_len, new_pkey);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Client library has obtained the new client certificate.
     * Now retrieve it from the library.
     */
    pkcs7 = malloc(pkcs7_len);
    if (!pkcs7) {
        return;
    }
    rv = est_client_copy_enrolled_cert (c_ctx, pkcs7);
    CU_ASSERT(rv == EST_ERR_NONE);
    
    /*
     * Clean up
     */
    est_destroy(c_ctx);
    EVP_PKEY_free(new_pkey);
    free(pkcs7);

    /*
     * Disable PoP for future test cases
     */
    st_disable_pop();
}
Beispiel #10
0
/*
 * This test does a simple enroll with SRP using a
 * non-default value for the SRP strength.
 */
static void us1060_test106 ()
{
    EST_CTX *ectx;
    EVP_PKEY *new_key;
    int rv;
    int pkcs7_len = 0;

    LOG_FUNC_NM;

    /*
     * We need to restart the EST server using an RSA key
     * None of the SRP cipher suites support ECDSA
     */
    st_stop();
    sleep(2);
    rv = us1060_start_server(US1060_SERVER_CERTKEY, US1060_SERVER_CERTKEY, 0, 0, 1);

    /*
     * Create a client context 
     */
    ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL);
    CU_ASSERT(ectx != NULL);

    /*
     * Set the authentication mode to use a user id/password
     */
    rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT);

    /*
     * Enable SRP on the client
     * Use a strength below the minimum
     */
    rv = est_client_enable_srp(ectx, 1023, US1060_UID, US1060_PWD); 
    CU_ASSERT(rv == EST_ERR_SRP_STRENGTH_LOW);

    /*
     * Enable SRP on the client
     * Use a strength slightly larger then the N value in passwd.srpv
     */
    rv = est_client_enable_srp(ectx, 1537, US1060_UID, US1060_PWD); 
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * generate a new private key
     */
    new_key = generate_private_key();
    CU_ASSERT(new_key != NULL);

    /*
     * Attempt to provision a new cert
     */
    rv = est_client_enroll(ectx, "US1060_TEST106a", &pkcs7_len, new_key);
    CU_ASSERT(rv == EST_ERR_SSL_CONNECT);

    /*
     * Enable SRP on the client
     * Use a strength the same size as the N value in passwd.srpv
     */
    rv = est_client_enable_srp(ectx, 1536, US1060_UID, US1060_PWD); 
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Attempt to provision a new cert
     */
    rv = est_client_enroll(ectx, "US1060_TEST106b", &pkcs7_len, new_key);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Cleanup
     */
    EVP_PKEY_free(new_key);
    est_destroy(ectx);
}
Beispiel #11
0
/*
 * This test will enable a just the SRP-RSA-AES-128-CBC-SHA
 * cipher suite, which forces the server to send a certificate
 * to the client while SRP is used.  Similar to #104, we'll
 * omit configuring the trust anchor on the client context.
 * This should cause the TLS session to fail since the
 * server cert can not be verified without a trust anchor. 
 */
static void us1060_test105 ()
{
    EST_CTX *ectx;
    EVP_PKEY *new_key;
    int rv;
    int pkcs7_len = 0;
    struct est_dumb_ctx *ed;

    LOG_FUNC_NM;

    /*
     * We need to restart the EST server using an RSA key
     * None of the SRP cipher suites support ECDSA
     */
    st_stop();
    sleep(2);
    us1060_start_server(US1060_RSA_CERT, US1060_RSA_KEY, 0, 0, 1);

    /*
     * Create a client context 
     */
    ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL);
    CU_ASSERT(ectx != NULL);

    /*
     * Set the authentication mode to use a user id/password
     */
    rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT);

    /*
     * Enable SRP on the client
     */
    rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD); 

    /*
     * This is not an approved use of the EST API.  We do this
     * here only to increase code coverage for testing
     * purposes only.  If you are looking at this code as
     * an example of how to use the EST API, do not do this!
     */
    ed = (struct est_dumb_ctx*)ectx;
    rv = SSL_CTX_set_cipher_list(ed->ssl_ctx, "SRP-RSA-AES-128-CBC-SHA"); 
    CU_ASSERT(rv == 1);

    /*
     * generate a new private key
     */
    new_key = generate_private_key();
    CU_ASSERT(new_key != NULL);

    /*
     * Attempt to provision a new cert
     */
    rv = est_client_enroll(ectx, "US1060_TEST105", &pkcs7_len, new_key);
    CU_ASSERT(rv == EST_ERR_SSL_CONNECT);

    /*
     * Cleanup
     */
    EVP_PKEY_free(new_key);
    est_destroy(ectx);
}
Beispiel #12
0
static void us1060_easy_provision (int use_srp, int use_ta, char *cipher_suite, int port, int expected_rv)
{
    EST_CTX *ectx;
    EVP_PKEY *new_key;
    int rv;
    int pkcs7_len = 0;
    int ca_certs_len = 0;
    unsigned char *new_cert = NULL;
    struct est_dumb_ctx *ed;

    /*
     * Create a client context 
     */
    if (use_ta) {
	ectx = est_client_init(cacerts, cacerts_len, 
	                       EST_CERT_FORMAT_PEM,
		               NULL);
    } else {
	ectx = est_client_init(NULL, 0, 
	                       EST_CERT_FORMAT_PEM,
		               NULL);
    }
    CU_ASSERT(ectx != NULL);

    /*
     * Set the authentication mode to use a user id/password
     */
    rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US1060_SERVER_IP, port);

    if (use_srp) {
	rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD); 
    }

    if (cipher_suite) {
	/*
	 * This is not an approved use of the EST API.  We do this
	 * here only to increase code coverage for testing
	 * purposes only.  If you are looking at this code as
	 * an example of how to use the EST API, do not do this!
	 */
	ed = (struct est_dumb_ctx*)ectx;
	rv = SSL_CTX_set_cipher_list(ed->ssl_ctx, cipher_suite); 
	CU_ASSERT(rv == 1);
    }

    /*
     * generate a new private key
     */
    new_key = generate_private_key();
    CU_ASSERT(new_key != NULL);

    /*
     * Attempt to provision a new cert
     */
    rv = est_client_provision_cert(ectx, "US1060_TEST1xx", &pkcs7_len, &ca_certs_len, new_key);
    CU_ASSERT(rv == expected_rv);
    if (rv != expected_rv) {
	printf("\nExpected rv was %d, rv returned was %d", expected_rv, rv);
    }
    EVP_PKEY_free(new_key);

    /*
     * Retrieve the cert that was given to us by the EST server
     */
    if (rv == EST_ERR_NONE) {
	new_cert = malloc(pkcs7_len);
	CU_ASSERT(new_cert != NULL);
	rv = est_client_copy_enrolled_cert(ectx, new_cert);
	CU_ASSERT(rv == EST_ERR_NONE);
        if (new_cert) free(new_cert);
    } else {
        est_destroy(ectx);
	return;
    }

    /*
     * Retrieve a copy of the new CA certs
     */
    if (rv == EST_ERR_NONE) {
	new_cert = malloc(ca_certs_len);
	CU_ASSERT(new_cert != NULL);
	rv = est_client_copy_cacerts(ectx, new_cert);
	CU_ASSERT(rv == EST_ERR_NONE);
        if (new_cert) free(new_cert);
    } else {
        est_destroy(ectx);
	return;
    }

    /*
     * Cleanup
     */
    est_destroy(ectx);
}
Beispiel #13
0
BCW_API hd_public_key hd_private_key::generate_public_key(uint32_t i) const
{
    return generate_private_key(i);
}
Beispiel #14
0
static void
create_peerkey ()
{
    peer_privkey = generate_private_key (bits);
    peer_pubkey = private_key_to_pub (peer_privkey);
}