int testQuery( const CRYPT_KEYSET_TYPE keysetType, const C_STR keysetName )
{
CRYPT_KEYSET cryptKeyset;
int count = 0, status;
/* Open the database keyset */
status = cryptKeysetOpen( &cryptKeyset, CRYPT_UNUSED, keysetType,
keysetName, CRYPT_KEYOPT_READONLY );
if( cryptStatusError( status ) )
{
printf( "cryptKeysetOpen() failed with error code %d, line %d.\n",
status, __LINE__ );
if( status == CRYPT_ERROR_OPEN )
return( CRYPT_ERROR_FAILED );
return( FALSE );
}
/* Send the query to the database and read back the results */
status = cryptSetAttributeString( cryptKeyset, CRYPT_KEYINFO_QUERY,
TEXT( "$C='US'" ),
paramStrlen( TEXT( "$C='US'" ) ) );
if( cryptStatusError( status ) )
return( extErrorExit( cryptKeyset, "Keyset query", status,
__LINE__ ) );
do
{
CRYPT_CERTIFICATE cryptCert;
status = cryptGetPublicKey( cryptKeyset, &cryptCert,
CRYPT_KEYID_NONE, NULL );
if( cryptStatusOK( status ) )
{
count++;
cryptDestroyCert( cryptCert );
}
}
while( cryptStatusOK( status ) );
if( cryptStatusError( status ) && status != CRYPT_ERROR_COMPLETE )
return( extErrorExit( cryptKeyset, "cryptGetPublicKey()", status,
__LINE__ ) );
if( count < 2 )
{
puts( "Only one certificate was returned, this indicates that the "
"database backend\nglue code isn't processing ongoing queries "
"correctly." );
return( FALSE );
}
printf( "%d certificate(s) matched the query.\n", count );
/* Close the keyset */
status = cryptKeysetClose( cryptKeyset );
if( cryptStatusError( status ) )
{
printf( "cryptKeysetClose() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
return( TRUE );
}
static int connectOCSPDirect( void )
{
CRYPT_CERTIFICATE cryptCert;
CRYPT_SESSION cryptSession;
int status;
printf( "Testing direct OCSP query...\n" );
/* Get the EE certificate */
status = importCertFromTemplate( &cryptCert, OCSP_EEOK_FILE_TEMPLATE,
OCSP_SERVER_NO );
if( cryptStatusError( status ) )
{
printf( "EE cryptImportCert() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
/* Create the OCSP session and add the server URL */
status = cryptCreateSession( &cryptSession, CRYPT_UNUSED,
CRYPT_SESSION_OCSP );
if( status == CRYPT_ERROR_PARAM3 ) /* OCSP session access not available */
return( CRYPT_ERROR_NOTAVAIL );
#ifdef OCSP_SERVER_NAME
status = cryptSetAttributeString( cryptSession,
CRYPT_SESSINFO_SERVER_NAME, OCSP_SERVER_NAME,
paramStrlen( OCSP_SERVER_NAME ) );
if( cryptStatusError( status ) )
return( attrErrorExit( cryptSession, "cryptSetAttributeString()",
status, __LINE__ ) );
#endif /* Kludges for incorrect/missing authorityInfoAccess values */
/* Check the certificate directly against the server. This check
quantises the result into a basic pass/fail that doesn't provide as
much detail as the low-level OCSP check, so it's not unusual to get
CRYPT_ERROR_INVALID whent he low-level check returns
CRYPT_OCSPSTATUS_UNKNOWN */
status = cryptCheckCert( cryptCert, cryptSession );
printf( "Certificate status check returned %d.\n", status );
/* Clean up */
cryptDestroyCert( cryptCert );
cryptDestroySession( cryptSession );
puts( "OCSP direct query succeeded.\n" );
return( TRUE );
}
static int connectRTCSDirect( void )
{
CRYPT_CERTIFICATE cryptCert;
CRYPT_SESSION cryptSession;
int status;
printf( "Testing direct RTCS query...\n" );
/* Get the EE certificate */
status = importCertFromTemplate( &cryptCert, RTCS_FILE_TEMPLATE,
RTCS_SERVER_NO );
if( cryptStatusError( status ) )
{
printf( "EE cryptImportCert() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
/* Create the RTCS session and add the server URL */
status = cryptCreateSession( &cryptSession, CRYPT_UNUSED,
CRYPT_SESSION_RTCS );
if( status == CRYPT_ERROR_PARAM3 ) /* RTCS session access not available */
return( CRYPT_ERROR_NOTAVAIL );
#ifdef RTCS_SERVER_NAME
status = cryptSetAttributeString( cryptSession,
CRYPT_SESSINFO_SERVER_NAME, RTCS_SERVER_NAME,
paramStrlen( RTCS_SERVER_NAME ) );
if( cryptStatusError( status ) )
return( attrErrorExit( cryptSession, "cryptSetAttributeString()",
status, __LINE__ ) );
#endif /* Kludges for incorrect/missing authorityInfoAccess values */
/* Check the certificate directly against the server */
status = cryptCheckCert( cryptCert, cryptSession );
printf( "Certificate status check returned %d.\n", status );
/* Clean up */
cryptDestroyCert( cryptCert );
cryptDestroySession( cryptSession );
puts( "RTCS direct query succeeded.\n" );
return( TRUE );
}
static int connectOCSP( const CRYPT_SESSION_TYPE sessionType,
const BOOLEAN revokedCert,
const BOOLEAN multipleCerts,
const BOOLEAN localSession )
{
CRYPT_SESSION cryptSession;
CRYPT_CERTIFICATE cryptOCSPRequest;
char filenameBuffer[ FILENAME_BUFFER_SIZE ];
#ifdef UNICODE_STRINGS
wchar_t wcBuffer[ FILENAME_BUFFER_SIZE ];
#endif /* UNICODE_STRINGS */
void *fileNamePtr = filenameBuffer;
#if OCSP_SERVER_NO == 7
int complianceValue;
#endif /* OCSP servers that return broken resposnes */
const BOOLEAN isServer = ( sessionType == CRYPT_SESSION_OCSP_SERVER ) ? \
TRUE : FALSE;
int status;
printf( "%sTesting %sOCSP session...\n", isServer ? "SVR: " : "",
localSession ? "local " : "" );
/* If we're the client, wait for the server to finish initialising */
if( localSession && !isServer && waitMutex() == CRYPT_ERROR_TIMEOUT )
{
printf( "Timed out waiting for server to initialise, line %d.\n",
__LINE__ );
return( FALSE );
}
/* Create the OCSP session */
status = cryptCreateSession( &cryptSession, CRYPT_UNUSED, sessionType );
if( status == CRYPT_ERROR_PARAM3 ) /* OCSP session access not available */
return( CRYPT_ERROR_NOTAVAIL );
if( cryptStatusError( status ) )
{
printf( "cryptCreateSession() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
if( isServer )
{
CRYPT_CONTEXT cryptPrivateKey;
CRYPT_KEYSET cryptCertStore;
if( !setLocalConnect( cryptSession, 80 ) )
return( FALSE );
/* Add the responder private key */
filenameFromTemplate( filenameBuffer, SERVER_PRIVKEY_FILE_TEMPLATE, 1 );
#ifdef UNICODE_STRINGS
mbstowcs( wcBuffer, filenameBuffer, strlen( filenameBuffer ) + 1 );
fileNamePtr = wcBuffer;
#endif /* UNICODE_STRINGS */
status = getPrivateKey( &cryptPrivateKey, fileNamePtr,
USER_PRIVKEY_LABEL, TEST_PRIVKEY_PASSWORD );
if( cryptStatusOK( status ) )
{
status = cryptSetAttribute( cryptSession,
CRYPT_SESSINFO_PRIVATEKEY, cryptPrivateKey );
cryptDestroyContext( cryptPrivateKey );
}
if( cryptStatusError( status ) )
return( attrErrorExit( cryptSession, "SVR: cryptSetAttribute()",
status, __LINE__ ) );
/* Add the certificate store that we'll be using to provide
revocation information */
status = cryptKeysetOpen( &cryptCertStore, CRYPT_UNUSED,
DATABASE_KEYSET_TYPE, CERTSTORE_KEYSET_NAME,
CRYPT_KEYOPT_READONLY );
if( status == CRYPT_ERROR_PARAM3 )
{
/* This type of keyset access isn't available, return a special
error code to indicate that the test wasn't performed, but
that this isn't a reason to abort processing */
puts( "SVR: No certificate store available, aborting OCSP "
"responder test.\n" );
cryptDestroySession( cryptSession );
return( CRYPT_ERROR_NOTAVAIL );
}
if( cryptStatusOK( status ) )
{
status = cryptSetAttribute( cryptSession,
CRYPT_SESSINFO_KEYSET, cryptCertStore );
cryptKeysetClose( cryptCertStore );
}
if( cryptStatusError( status ) )
return( attrErrorExit( cryptSession, "SVR: cryptSetAttribute()",
status, __LINE__ ) );
/* Tell the client that we're ready to go */
if( localSession )
releaseMutex();
}
else
{
/* Create the OCSP request */
if( !initOCSP( &cryptOCSPRequest, localSession ? 1 : OCSP_SERVER_NO,
FALSE, revokedCert, multipleCerts,
CRYPT_SIGNATURELEVEL_NONE, CRYPT_UNUSED ) )
return( FALSE );
/* Set up the server information and activate the session. In
theory the OCSP request will contain all the information needed
for the session so there'd be nothing else to add before we
activate it, however many certs contain incorrect server URLs so
we set the server name manually if necessary, overriding the
value present in the OCSP request (via the certificate) */
status = cryptSetAttribute( cryptSession, CRYPT_SESSINFO_REQUEST,
cryptOCSPRequest );
if( cryptStatusError( status ) )
return( attrErrorExit( cryptSession, "cryptSetAttribute()",
status, __LINE__ ) );
cryptDestroyCert( cryptOCSPRequest );
if( localSession && !setLocalConnect( cryptSession, 80 ) )
return( FALSE );
#ifdef OCSP_SERVER_NAME
if( !localSession )
{
printf( "Setting OCSP server to %s.\n", OCSP_SERVER_NAME );
cryptDeleteAttribute( cryptSession, CRYPT_SESSINFO_SERVER_NAME );
status = cryptSetAttributeString( cryptSession,
CRYPT_SESSINFO_SERVER_NAME, OCSP_SERVER_NAME,
paramStrlen( OCSP_SERVER_NAME ) );
if( cryptStatusError( status ) )
return( attrErrorExit( cryptSession,
"cryptSetAttributeString()", status,
__LINE__ ) );
}
#endif /* Kludges for incorrect/missing authorityInfoAccess values */
if( OCSP_SERVER_NO == 1 || localSession )
{
/* The cryptlib server doesn't handle the weird v1 certIDs */
status = cryptSetAttribute( cryptSession, CRYPT_SESSINFO_VERSION,
2 );
if( cryptStatusError( status ) )
return( attrErrorExit( cryptSession, "cryptSetAttribute()",
status, __LINE__ ) );
}
#if OCSP_SERVER_NO == 7
/* Some OCSP server's responses are broken so we have to turn down
the compliance level to allow them to be processed */
cryptGetAttribute( CRYPT_UNUSED, CRYPT_OPTION_CERT_COMPLIANCELEVEL,
&complianceValue );
cryptSetAttribute( CRYPT_UNUSED, CRYPT_OPTION_CERT_COMPLIANCELEVEL,
CRYPT_COMPLIANCELEVEL_OBLIVIOUS );
#endif /* OCSP servers that return broken resposnes */
/* Wait for the server to finish initialising */
if( localSession && waitMutex() == CRYPT_ERROR_TIMEOUT )
{
printf( "Timed out waiting for server to initialise, line %d.\n",
__LINE__ );
return( FALSE );
}
}
status = cryptSetAttribute( cryptSession, CRYPT_SESSINFO_ACTIVE, TRUE );
#if OCSP_SERVER_NO == 7
/* Restore normal certificate processing */
cryptSetAttribute( CRYPT_UNUSED, CRYPT_OPTION_CERT_COMPLIANCELEVEL,
complianceValue );
#endif /* OCSP servers that return broken resposnes */
if( isServer )
printConnectInfo( cryptSession );
if( cryptStatusError( status ) )
{
printExtError( cryptSession, isServer ? \
"SVR: Attempt to activate OCSP server session" : \
"Attempt to activate OCSP client session", status,
__LINE__ );
#if OCSP_SERVER_NO == 5
if( status == CRYPT_ERROR_SIGNATURE )
{
char errorMessage[ 512 ];
int errorMessageLength;
status = cryptGetAttributeString( cryptSession,
CRYPT_ATTRIBUTE_ERRORMESSAGE,
errorMessage, &errorMessageLength );
if( cryptStatusOK( status ) && errorMessageLength >= 29 && \
!memcmp( errorMessage, "OCSP response doesn't contain", 29 ) )
{
cryptDestroySession( cryptSession );
puts( " (Verisign's OCSP responder sends broken responses, "
"continuing...)\n" );
return( CRYPT_ERROR_FAILED );
}
}
#endif /* Verisign's broken OCSP responder */
if( !isServer && isServerDown( cryptSession, status ) )
{
puts( " (Server could be down, faking it and continuing...)\n" );
cryptDestroySession( cryptSession );
return( CRYPT_ERROR_FAILED );
}
cryptDestroySession( cryptSession );
return( FALSE );
}
/* Obtain the response information */
if( !isServer )
{
CRYPT_CERTIFICATE cryptOCSPResponse;
status = cryptGetAttribute( cryptSession, CRYPT_SESSINFO_RESPONSE,
&cryptOCSPResponse );
if( cryptStatusError( status ) )
{
printf( "cryptGetAttribute() failed with error code %d, line "
"%d.\n", status, __LINE__ );
return( FALSE );
}
printCertInfo( cryptOCSPResponse );
cryptDestroyCert( cryptOCSPResponse );
}
/* There are so many weird ways to delegate trust and signing authority
mentioned in the OCSP RFC without any indication of which one
implementors will follow that we can't really perform any sort of
automated check since every responder seems to interpret this
differently, and many require manual installation of responder certs
in order to function */
#if 0
status = cryptCheckCert( cryptOCSPResponse , CRYPT_UNUSED );
if( cryptStatusError( status ) )
return( attrErrorExit( cryptOCSPResponse , "cryptCheckCert()",
status, __LINE__ ) );
#endif /* 0 */
/* Clean up */
status = cryptDestroySession( cryptSession );
if( cryptStatusError( status ) )
{
printf( "cryptDestroySession() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
puts( isServer ? "SVR: OCSP server session succeeded.\n" : \
"OCSP client session succeeded.\n" );
return( TRUE );
}
static int connectRTCS( const CRYPT_SESSION_TYPE sessionType,
const BOOLEAN multipleCerts,
const BOOLEAN localSession )
{
CRYPT_SESSION cryptSession;
CRYPT_CERTIFICATE cryptRTCSRequest;
char filenameBuffer[ FILENAME_BUFFER_SIZE ];
#ifdef UNICODE_STRINGS
wchar_t wcBuffer[ FILENAME_BUFFER_SIZE ];
#endif /* UNICODE_STRINGS */
void *fileNamePtr = filenameBuffer;
const BOOLEAN isServer = ( sessionType == CRYPT_SESSION_RTCS_SERVER ) ? \
TRUE : FALSE;
int status;
printf( "%sTesting %sRTCS session...\n", isServer ? "SVR: " : "",
localSession ? "local " : "" );
/* If we're the client, wait for the server to finish initialising */
if( localSession && !isServer && waitMutex() == CRYPT_ERROR_TIMEOUT )
{
printf( "Timed out waiting for server to initialise, line %d.\n",
__LINE__ );
return( FALSE );
}
/* Create the RTCS session */
status = cryptCreateSession( &cryptSession, CRYPT_UNUSED, sessionType );
if( status == CRYPT_ERROR_PARAM3 ) /* RTCS session access not available */
return( CRYPT_ERROR_NOTAVAIL );
if( cryptStatusError( status ) )
{
printf( "cryptCreateSession() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
if( isServer )
{
CRYPT_CONTEXT cryptPrivateKey;
CRYPT_KEYSET cryptCertStore;
if( !setLocalConnect( cryptSession, 80 ) )
return( FALSE );
/* Add the responder private key */
filenameFromTemplate( filenameBuffer, SERVER_PRIVKEY_FILE_TEMPLATE, 1 );
#ifdef UNICODE_STRINGS
mbstowcs( wcBuffer, filenameBuffer, strlen( filenameBuffer ) + 1 );
fileNamePtr = wcBuffer;
#endif /* UNICODE_STRINGS */
status = getPrivateKey( &cryptPrivateKey, fileNamePtr,
USER_PRIVKEY_LABEL, TEST_PRIVKEY_PASSWORD );
if( cryptStatusOK( status ) )
{
status = cryptSetAttribute( cryptSession,
CRYPT_SESSINFO_PRIVATEKEY, cryptPrivateKey );
cryptDestroyContext( cryptPrivateKey );
}
if( cryptStatusError( status ) )
return( attrErrorExit( cryptSession, "SVR: cryptSetAttribute()",
status, __LINE__ ) );
/* Add the certificate store that we'll be using to provide
revocation information */
status = cryptKeysetOpen( &cryptCertStore, CRYPT_UNUSED,
DATABASE_KEYSET_TYPE, CERTSTORE_KEYSET_NAME,
CRYPT_KEYOPT_READONLY );
if( status == CRYPT_ERROR_PARAM3 )
{
/* This type of keyset access isn't available, return a special
error code to indicate that the test wasn't performed, but
that this isn't a reason to abort processing */
puts( "SVR: No certificate store available, aborting RTCS "
"responder test.\n" );
cryptDestroySession( cryptSession );
return( CRYPT_ERROR_NOTAVAIL );
}
if( status == CRYPT_ERROR_OPEN )
{
/* The keyset is available, but it hasn't been created yet by an
earlier self-test, this isn't a reason to abort processing */
puts( "SVR: Certificate store hasn't been created yet by "
"earlier tests, aborting\n RTCS responder test.\n" );
cryptDestroySession( cryptSession );
return( CRYPT_ERROR_NOTAVAIL );
}
if( cryptStatusOK( status ) )
{
status = cryptSetAttribute( cryptSession,
CRYPT_SESSINFO_KEYSET, cryptCertStore );
cryptKeysetClose( cryptCertStore );
}
if( cryptStatusError( status ) )
return( attrErrorExit( cryptSession, "SVR: cryptSetAttribute()",
status, __LINE__ ) );
/* Tell the client that we're ready to go */
if( localSession )
releaseMutex();
}
else
{
CRYPT_KEYSET cryptKeyset;
CRYPT_CERTIFICATE cryptCert = DUMMY_INIT;
/* Get the certificate whose status we're checking */
status = cryptKeysetOpen( &cryptKeyset, CRYPT_UNUSED,
DATABASE_KEYSET_TYPE, CERTSTORE_KEYSET_NAME,
CRYPT_KEYOPT_READONLY );
if( cryptStatusOK( status ) )
{
status = cryptGetPublicKey( cryptKeyset, &cryptCert,
CRYPT_KEYID_NAME,
TEXT( "Test user 1" ) );
cryptKeysetClose( cryptKeyset );
}
if( cryptStatusError( status ) )
{
printf( "Couldn't read certificate for RTCS status check, error "
"code %d, line %d.\n", status, __LINE__ );
return( FALSE );
}
/* Create the RTCS request */
if( !initRTCS( &cryptRTCSRequest, cryptCert, localSession ? \
1 : RTCS_SERVER_NO, multipleCerts ) )
return( FALSE );
cryptDestroyCert( cryptCert );
/* Set up the server information and activate the session. In
theory the RTCS request will contain all the information needed
for the session so there'd be nothing else to add before we
activate it, however many certs contain incorrect server URLs so
we set the server name manually if necessary, overriding the
value present in the RTCS request (via the certificate) */
status = cryptSetAttribute( cryptSession, CRYPT_SESSINFO_REQUEST,
cryptRTCSRequest );
if( cryptStatusError( status ) )
return( attrErrorExit( cryptSession, "cryptSetAttribute()",
status, __LINE__ ) );
cryptDestroyCert( cryptRTCSRequest );
if( localSession && !setLocalConnect( cryptSession, 80 ) )
return( FALSE );
#ifdef RTCS_SERVER_NAME
if( !localSession )
{
printf( "Setting RTCS server to %s.\n", RTCS_SERVER_NAME );
cryptDeleteAttribute( cryptSession, CRYPT_SESSINFO_SERVER_NAME );
status = cryptSetAttributeString( cryptSession,
CRYPT_SESSINFO_SERVER_NAME, RTCS_SERVER_NAME,
paramStrlen( RTCS_SERVER_NAME ) );
if( cryptStatusError( status ) )
return( attrErrorExit( cryptSession,
"cryptSetAttributeString()", status,
__LINE__ ) );
}
#endif /* Kludges for incorrect/missing authorityInfoAccess values */
/* Wait for the server to finish initialising */
if( localSession && waitMutex() == CRYPT_ERROR_TIMEOUT )
{
printf( "Timed out waiting for server to initialise, line %d.\n",
__LINE__ );
return( FALSE );
}
}
status = cryptSetAttribute( cryptSession, CRYPT_SESSINFO_ACTIVE, TRUE );
if( isServer )
printConnectInfo( cryptSession );
if( cryptStatusError( status ) )
{
printExtError( cryptSession, isServer ? \
"SVR: Attempt to activate RTCS server session" : \
"Attempt to activate RTCS client session", status,
__LINE__ );
if( !isServer && isServerDown( cryptSession, status ) )
{
puts( " (Server could be down, faking it and continuing...)\n" );
cryptDestroySession( cryptSession );
return( CRYPT_ERROR_FAILED );
}
cryptDestroySession( cryptSession );
return( FALSE );
}
/* Obtain the response information */
if( !isServer )
{
CRYPT_CERTIFICATE cryptRTCSResponse;
status = cryptGetAttribute( cryptSession, CRYPT_SESSINFO_RESPONSE,
&cryptRTCSResponse );
if( cryptStatusError( status ) )
{
printf( "cryptGetAttribute() failed with error code %d, line "
"%d.\n", status, __LINE__ );
return( FALSE );
}
printCertInfo( cryptRTCSResponse );
cryptDestroyCert( cryptRTCSResponse );
}
/* Clean up */
status = cryptDestroySession( cryptSession );
if( cryptStatusError( status ) )
{
printf( "cryptDestroySession() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
puts( isServer ? "SVR: RTCS server session succeeded.\n" : \
"RTCS client session succeeded.\n" );
return( TRUE );
}
static int connectTSP( const CRYPT_SESSION_TYPE sessionType,
const CRYPT_HANDLE externalCryptContext,
const BOOLEAN persistentConnection,
const BOOLEAN localSession )
{
CRYPT_SESSION cryptSession;
const BOOLEAN isServer = ( sessionType == CRYPT_SESSION_TSP_SERVER ) ? \
TRUE : FALSE;
const BOOLEAN useAltHash = ( !isServer && 0 ) ? TRUE : FALSE;
int status;
printf( "%sTesting %sTSP session...\n", isServer ? "SVR: " : "",
localSession ? "local " : "" );
/* Acquire the init mutex if we're the server */
if( localSession && isServer )
waitMutex();
/* Create the TSP session */
status = cryptCreateSession( &cryptSession, CRYPT_UNUSED, sessionType );
if( status == CRYPT_ERROR_PARAM3 ) /* TSP session access not available */
return( CRYPT_ERROR_NOTAVAIL );
if( cryptStatusError( status ) )
{
printf( "%scryptCreateSession() failed with error code %d, line "
"%d.\n", isServer ? "SVR: " : "", status, __LINE__ );
return( FALSE );
}
/* Set up the server information and activate the session. Since this
test explicitly tests the ability to handle persistent connections,
we don't use the general-purpose request/response server wrapper,
which only uses persistent connections opportunistically */
if( isServer )
{
CRYPT_CONTEXT privateKey = externalCryptContext;
if( !setLocalConnect( cryptSession, 318 ) )
return( FALSE );
if( externalCryptContext == CRYPT_UNUSED )
status = getPrivateKey( &privateKey, TSA_PRIVKEY_FILE,
USER_PRIVKEY_LABEL,
TEST_PRIVKEY_PASSWORD );
if( cryptStatusOK( status ) )
{
status = cryptSetAttribute( cryptSession,
CRYPT_SESSINFO_PRIVATEKEY, privateKey );
if( externalCryptContext == CRYPT_UNUSED )
cryptDestroyContext( privateKey );
}
}
else
{
if( localSession )
{
if( !setLocalConnect( cryptSession, 318 ) )
return( FALSE );
}
else
{
status = cryptSetAttributeString( cryptSession,
CRYPT_SESSINFO_SERVER_NAME, TSP_SERVER_NAME,
paramStrlen( TSP_SERVER_NAME ) );
}
}
if( cryptStatusError( status ) )
{
printf( "cryptSetAttribute/cryptSetAttributeString() failed with "
"error code %d, line %d.\n", status, __LINE__ );
return( FALSE );
}
status = testTSP( cryptSession, isServer, FALSE, useAltHash, localSession );
if( status <= 0 )
return( status );
/* Check whether the session connection is still open */
if( persistentConnection )
{
int connectionActive;
status = cryptGetAttribute( cryptSession, CRYPT_SESSINFO_CONNECTIONACTIVE,
&connectionActive );
if( cryptStatusError( status ) || !connectionActive )
{
printExtError( cryptSession, isServer ? \
"SVR: Persistent connection has been closed, "
"operation" : \
"Persistent connection has been closed, operation",
status, __LINE__ );
return( FALSE );
}
/* Activate the connection to handle two more requests */
status = testTSP( cryptSession, isServer, TRUE, FALSE, FALSE );
if( status <= 0 )
return( status );
status = testTSP( cryptSession, isServer, TRUE, FALSE, FALSE );
if( status <= 0 )
return( status );
}
/* Clean up */
status = cryptDestroySession( cryptSession );
if( cryptStatusError( status ) )
{
printf( "cryptDestroySession() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
printf( isServer ? "SVR: %sTSP server session succeeded.\n\n" : \
"%sTSP client session succeeded.\n\n",
persistentConnection ? "Persistent " : "" );
return( TRUE );
}
static int fuzzSession( const CRYPT_SESSION_TYPE sessionType )
{
CRYPT_SESSION cryptSession;
const BOOLEAN isServer = \
( sessionType == CRYPT_SESSION_SSH_SERVER || \
sessionType == CRYPT_SESSION_SSL_SERVER || \
sessionType == CRYPT_SESSION_OCSP_SERVER || \
sessionType == CRYPT_SESSION_TSP_SERVER || \
sessionType == CRYPT_SESSION_CMP_SERVER || \
sessionType == CRYPT_SESSION_SCEP_SERVER ) ? \
TRUE : FALSE;
int status;
/* Create the session */
status = cryptCreateSession( &cryptSession, CRYPT_UNUSED, sessionType );
if( cryptStatusError( status ) )
return( status );
/* Set up the various attributes needed to establish a minimal session */
if( !isServer )
{
status = cryptSetAttributeString( cryptSession,
CRYPT_SESSINFO_SERVER_NAME,
"www.example.com", 15 );
if( cryptStatusError( status ) )
return( status );
}
if( isServer )
{
CRYPT_CONTEXT cryptPrivKey;
char filenameBuffer[ FILENAME_BUFFER_SIZE ];
filenameFromTemplate( filenameBuffer,
SERVER_PRIVKEY_FILE_TEMPLATE, 1 );
status = getPrivateKey( &cryptPrivKey, filenameBuffer,
USER_PRIVKEY_LABEL, TEST_PRIVKEY_PASSWORD );
if( cryptStatusOK( status ) )
{
status = cryptSetAttribute( cryptSession,
CRYPT_SESSINFO_PRIVATEKEY,
cryptPrivKey );
cryptDestroyContext( cryptPrivKey );
}
if( cryptStatusError( status ) )
return( status );
}
if( sessionType == CRYPT_SESSION_SSH || \
sessionType == CRYPT_SESSION_SSH_SERVER )
{
status = cryptSetAttributeString( cryptSession,
CRYPT_SESSINFO_USERNAME,
SSH_USER_NAME,
paramStrlen( SSH_USER_NAME ) );
if( cryptStatusOK( status ) )
{
status = cryptSetAttributeString( cryptSession,
CRYPT_SESSINFO_PASSWORD,
SSH_PASSWORD,
paramStrlen( SSH_PASSWORD ) );
}
if( cryptStatusError( status ) )
return( status );
}
status = cryptSetFuzzData( cryptSession, NULL, 0 );
cryptDestroySession( cryptSession );
return( CRYPT_OK );
}
static int fuzzSession( const CRYPT_SESSION_TYPE sessionType,
const char *fuzzFileName )
{
CRYPT_SESSION cryptSession;
CRYPT_CONTEXT cryptPrivKey = CRYPT_UNUSED;
BYTE buffer[ 4096 ];
const BOOLEAN isServer = \
( sessionType == CRYPT_SESSION_SSH_SERVER || \
sessionType == CRYPT_SESSION_SSL_SERVER || \
sessionType == CRYPT_SESSION_OCSP_SERVER || \
sessionType == CRYPT_SESSION_RTCS_SERVER || \
sessionType == CRYPT_SESSION_TSP_SERVER || \
sessionType == CRYPT_SESSION_CMP_SERVER || \
sessionType == CRYPT_SESSION_SCEP_SERVER ) ? \
TRUE : FALSE;
int length, status;
/* Create the session */
status = cryptCreateSession( &cryptSession, CRYPT_UNUSED, sessionType );
if( cryptStatusError( status ) )
return( status );
/* Set up the various attributes needed to establish a minimal session */
if( !isServer )
{
status = cryptSetAttributeString( cryptSession,
CRYPT_SESSINFO_SERVER_NAME,
"localhost", 9 );
if( cryptStatusError( status ) )
return( status );
}
if( isServer )
{
if( !loadRSAContexts( CRYPT_UNUSED, NULL, &cryptPrivKey ) )
return( CRYPT_ERROR_FAILED );
}
if( sessionType == CRYPT_SESSION_SSH || \
sessionType == CRYPT_SESSION_CMP )
{
status = cryptSetAttributeString( cryptSession,
CRYPT_SESSINFO_USERNAME,
SSH_USER_NAME,
paramStrlen( SSH_USER_NAME ) );
if( cryptStatusOK( status ) )
{
status = cryptSetAttributeString( cryptSession,
CRYPT_SESSINFO_PASSWORD,
SSH_PASSWORD,
paramStrlen( SSH_PASSWORD ) );
}
if( cryptStatusError( status ) )
return( status );
}
if( sessionType == CRYPT_SESSION_CMP )
{
status = cryptSetAttribute( cryptSession,
CRYPT_SESSINFO_CMP_REQUESTTYPE,
CRYPT_REQUESTTYPE_INITIALISATION );
if( cryptStatusError( status ) )
return( status );
}
/* Perform any final session initialisation */
cryptFuzzInit( cryptSession, cryptPrivKey );
/* We're ready to go, start the forkserver and read the mutable data */
#ifndef __WINDOWS__
__afl_manual_init();
#endif /* !__WINDOWS__ */
length = readFileData( fuzzFileName, fuzzFileName, buffer, 4096, 32,
TRUE );
if( length < 32 )
return( CRYPT_ERROR_READ );
/* Perform the fuzzing */
( void ) cryptSetFuzzData( cryptSession, buffer, length );
cryptDestroySession( cryptSession );
if( cryptPrivKey != CRYPT_UNUSED )
cryptDestroyContext( cryptPrivKey );
return( CRYPT_OK );
}
static int generateKey( const int keyBits, const char *certRequestFileName )
{
CRYPT_KEYSET cryptKeyset;
CRYPT_CERTIFICATE cryptCertRequest;
CRYPT_CONTEXT cryptKey;
FILE *filePtr;
BYTE certBuffer[ BUFFER_SIZE ];
char filenameBuffer[ FILENAME_BUFFER_SIZE ];
void *fileNamePtr = filenameBuffer;
int length, count, status;
/* Generate a key to certify. We can't just reuse the built-in test key
because this has already been used as the CA key and the keyset code
won't allow it to be added to a keyset as both a CA key and user key,
so we have to generate a new one */
status = cryptCreateContext( &cryptKey, CRYPT_UNUSED, CRYPT_ALGO_ECDSA );
if( cryptStatusOK( status ) )
status = cryptSetAttribute( cryptKey, CRYPT_CTXINFO_KEYSIZE,
keyBits >> 3 );
if( cryptStatusOK( status ) )
{
status = cryptSetAttributeString( cryptKey, CRYPT_CTXINFO_LABEL,
USER_PRIVKEY_LABEL,
paramStrlen( USER_PRIVKEY_LABEL ) );
}
if( cryptStatusOK( status ) )
status = cryptGenerateKey( cryptKey );
if( cryptStatusError( status ) )
{
printf( "Key generation failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
/* Create the certificate request for the new key */
status = cryptCreateCert( &cryptCertRequest, CRYPT_UNUSED,
CRYPT_CERTTYPE_CERTREQUEST );
if( cryptStatusOK( status ) )
status = cryptSetAttribute( cryptCertRequest,
CRYPT_CERTINFO_SUBJECTPUBLICKEYINFO, cryptKey );
if( cryptStatusOK( status ) && \
!addCertFields( cryptCertRequest, certRequestData, __LINE__ ) )
return( FALSE );
if( cryptStatusOK( status ) )
status = cryptSignCert( cryptCertRequest, cryptKey );
if( cryptStatusOK( status ) )
{
status = cryptExportCert( certBuffer, BUFFER_SIZE, &length,
CRYPT_CERTFORMAT_CERTIFICATE,
cryptCertRequest );
cryptDestroyCert( cryptCertRequest );
}
if( cryptStatusError( status ) )
{
printf( "Certificate request creation failed with error code %d, "
"line %d.\n", status, __LINE__ );
return( FALSE );
}
if( ( filePtr = fopen( certRequestFileName, "wb" ) ) != NULL )
{
count = fwrite( certBuffer, 1, length, filePtr );
fclose( filePtr );
}
if( filePtr == NULL || count < length )
{
printf( "Couldn't write certificate request to disk, line %d.\n",
__LINE__ );
return( FALSE );
}
/* Create the keyset and add the private key to it */
filenameFromTemplate( filenameBuffer, SERVER_ECPRIVKEY_FILE_TEMPLATE,
keyBits );
status = cryptKeysetOpen( &cryptKeyset, CRYPT_UNUSED, CRYPT_KEYSET_FILE,
fileNamePtr, CRYPT_KEYOPT_CREATE );
if( cryptStatusError( status ) )
{
printf( "cryptKeysetOpen() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
status = cryptAddPrivateKey( cryptKeyset, cryptKey,
TEST_PRIVKEY_PASSWORD );
if( cryptStatusError( status ) )
{
printExtError( cryptKeyset, "cryptAddPrivateKey()", status,
__LINE__ );
return( FALSE );
}
cryptDestroyContext( cryptKey );
cryptKeysetClose( cryptKeyset );
return( TRUE );
}
int main(int argc, char **argv) {
char *host = "https://www.pcwebshop.co.uk/";
int port = 443;
char *cafile;
int status;
char* serverName;
CRYPT_CERTIFICATE cryptCert;
CRYPT_SESSION cryptSession;
CRYPT_CERTIFICATE trustedCert;
CRYPT_ATTRIBUTE_TYPE errorLocus;
CRYPT_ERRTYPE_TYPE errorType;
if (argc == 4) {
host = argv[1];
port = atoi(argv[2]);
cafile = argv[3];
} else {
printf("!!Incorrect arguments");
return -1;
}
memset(&cryptSession, 0, sizeof(cryptSession));
status = cryptInit();
if (status != CRYPT_OK) {
TRACE("Failed to initialize library : %d\n", status);
return -1;
}
if(add_globally_trusted_cert(&trustedCert, cafile) == FALSE) {
return -1;
}
//Create the session
status = cryptCreateSession(&cryptSession, CRYPT_UNUSED, CRYPT_SESSION_SSL );
if (status != CRYPT_OK) {
TRACE("Failed to crate session : %d\n", status);
return -1;
}
serverName = host;
status = cryptSetAttributeString( cryptSession,
CRYPT_SESSINFO_SERVER_NAME, serverName,
paramStrlen( serverName ) );
if (status != CRYPT_OK) {
TRACE("Failed cryptSetAttribute CRYPT_SESSINFO_SERVER_NAME: %d\n", status);
return -1;
}
//Specify the Port
status = cryptSetAttribute( cryptSession,
CRYPT_SESSINFO_SERVER_PORT, port );
if (status != CRYPT_OK) {
TRACE("Failed cryptSetAttribute CRYPT_SESSINFO_SERVER_PORT: %d\n", status);
return -1;
}
// Activate the session
status = cryptSetAttribute( cryptSession, CRYPT_SESSINFO_ACTIVE, TRUE );
if( cryptStatusError( status ) ) {
if (status == CRYPT_ERROR_INVALID) {
printf("%d\n",CRYPT_ERROR_INVALID);
#ifdef __DETAILED__
BYTE buffer[ 1024 ];
int length;
status = cryptGetAttributeString( cryptSession,
CRYPT_ATTRIBUTE_ERRORMESSAGE, buffer,
&length );
puts(buffer);
CRYPT_CERTIFICATE cryptCertificate;
status = cryptGetAttribute( cryptSession, CRYPT_SESSINFO_RESPONSE, &cryptCertificate );
if( cryptStatusError( status ) ) {
TRACE( "Couldn't get certificate, status %d, line %d.\n",
status, __LINE__ );
return 0;
}
int errorType, errorLocus;
status = cryptGetAttribute( cryptCertificate, CRYPT_ATTRIBUTE_ERRORTYPE,
&errorType );
printf("errorType = %d\n", errorType);
if( cryptStatusError( status ) ) {
status = cryptGetAttribute( cryptCertificate,
CRYPT_ATTRIBUTE_ERRORLOCUS,
&errorLocus );
printf("errorLocus = %d\n", errorLocus);
}
/*if( cryptStatusOK( status ) && \
errorType == CRYPT_ERRTYPE_CONSTRAINT && \
errorLocus == CRYPT_CERTINFO_VALIDFROM )
*/
#endif
return 0;
}
else {
TRACE("Failed to setup connection : %d\n", status);
return -1;
}
}
else
printf("%d\n",CRYPT_OK);
delete_globally_trusted_cert(trustedCert);
return CRYPT_OK;
}
