Ejemplo n.º 1
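/*
 * Negative test: present a self-signed client certificate and verify that
 * certificate-chain validation rejects a cert that was not signed by a
 * valid CA.  The enrollment attempt must fail.
 */
static void us901_test13(void) {
    long rv;
    int st_rv;

    st_rv = us901_start_server('D');
    /*
     * A non-zero return is treated as a start-up failure.  Record it as a
     * test failure: returning silently would let this negative test be
     * reported as passing without chain validation ever being exercised.
     */
    CU_ASSERT(st_rv == 0);
    if (st_rv) {
        return;
    }

    LOG_FUNC_NM;

    /* Pause before sending the request to the server started above. */
    SLEEP(1);
    rv = curl_http_post_cert(US901_ENROLL_URL,
                             US901_PKCS10_CT,
                             US901_PKCS10_REQ,
                             US901_SELFSIGN_CERT,
                             US901_SELFSIGN_KEY,
                             US901_CACERTS,
                             NULL);

    /*
     * Since the client cert is not signed by either the local CA
     * or external CA, the TLS handshake will fail.  No HTTP status
     * message is received from the server, hence the expected 0.
     *
     * NOTE(review): rv == 0 only shows that no HTTP status came back;
     * presumably any other connection failure yields 0 as well, so this
     * assertion alone does not prove the rejection was caused by chain
     * validation -- confirm against curl_http_post_cert.
     */
    CU_ASSERT(rv == 0);
    st_stop();
}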
Ejemplo n.º 2
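/*
 * Negative test: present a revoked client certificate to verify that
 * CRL checks are enforced in the TLS layer.  The enrollment attempt
 * must fail.
 */
static void us901_test12(void) {
    long rv;
    int st_rv;

    st_rv = us901_start_server('R');
    /*
     * A non-zero return is treated as a start-up failure.  Record it as a
     * test failure: returning silently would let this negative test be
     * reported as passing without the CRL check ever being exercised.
     */
    CU_ASSERT(st_rv == 0);
    if (st_rv) {
        return;
    }

    LOG_FUNC_NM;

    /* Pause before sending the request to the server started above. */
    SLEEP(1);
    rv = curl_http_post_cert(US901_ENROLL_URL,
                             US901_PKCS10_CT,
                             US901_PKCS10_REQ,
                             US901_REVOKED_CERT,
                             US901_REVOKED_KEY,
                             US901_CACERTS,
                             NULL);

    /*
     * Since the client cert has been revoked the TLS handshake will
     * fail.  The assertion expects 0, i.e. no HTTP status at all; an
     * earlier version of this comment spoke of a 401 response, which
     * does not match what is checked here.
     *
     * NOTE(review): rv == 0 only shows that no HTTP status came back;
     * presumably any other connection failure yields 0 as well, so this
     * assertion alone does not prove the CRL check was the cause --
     * confirm against curl_http_post_cert.
     */
    CU_ASSERT(rv == 0);
    st_stop();
}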
Ejemplo n.º 3
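/*
 * Positive test: present a client certificate to verify that TLS client
 * authentication is working.  The certificate used is signed by the
 * implicit cert chain, so the enrollment should succeed.
 */
static void us901_test11(void) {
    long rv;
    int st_rv;

    st_rv = us901_start_server('N');
    /*
     * A non-zero return is treated as a start-up failure.  Record it as a
     * test failure instead of returning silently, so a server that never
     * came up is not reported as a passing test.
     */
    CU_ASSERT(st_rv == 0);
    if (st_rv) {
        return;
    }

    LOG_FUNC_NM;

    /* Pause before sending the request to the server started above. */
    SLEEP(1);
    rv = curl_http_post_cert(US901_ENROLL_URL,
                             US901_PKCS10_CT,
                             US901_PKCS10_REQ,
                             US901_IMPLICIT_CERT,
                             US901_IMPLICIT_KEY,
                             US901_CACERTS,
                             NULL);
    /*
     * The request carries a client certificate and key rather than a
     * userID/password, and that certificate is expected to be accepted,
     * so the server should respond with 200.
     */
    CU_ASSERT(rv == 200);
    st_stop();
    SLEEP(1);
}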
Ejemplo n.º 4
Archivo: us894.c Proyecto: DDvO/libest
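/*
 * Positive test: present a client certificate to verify that TLS client
 * authentication is working.  The certificate used is signed by the
 * implicit cert chain, so the enrollment should succeed.
 */
static void us894_test11 (void)
{
    long rv;

    LOG_FUNC_NM;

    /*
     * NOTE(review): presumably this turns HTTP authentication off on the
     * proxy so that only the TLS client certificate is evaluated --
     * confirm against st_proxy_http_disable.
     */
    rv = st_proxy_http_disable(1);
    /*
     * Record the set-up failure as a test failure; printing and returning
     * alone would report the test as passing without it having run.
     */
    CU_ASSERT(rv != -1);
    if (rv == -1) {
        printf("Could not set HTTP authentication callback\n");
        return;
    }

    sleep(1);
    rv = curl_http_post_cert(US894_ENROLL_URL,
                             US894_PKCS10_CT,
                             US894_PKCS10_REQ,
                             US894_IMPLICIT_CERT,
                             US894_IMPLICIT_KEY,
                             US894_CACERTS,
                             NULL);
    /*
     * The request carries a client certificate and key rather than a
     * userID/password, and that certificate is expected to be accepted,
     * so the server should respond with 200.
     */
    CU_ASSERT(rv == 200);

    /*
     * Undo the setting changed at the top of the test.  A failure here
     * is recorded as well, because the setting would otherwise remain
     * changed for whatever runs afterwards.
     */
    rv = st_proxy_http_disable(0);
    CU_ASSERT(rv != -1);
    if (rv == -1) {
        printf("Could not set HTTP authentication callback\n");
        return;
    }
}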
Ejemplo n.º 5
Archivo: us894.c Proyecto: DDvO/libest
/*
 * Negative test: enroll with a revoked client certificate to verify
 * that CRL checks are enforced in the TLS layer.  The enrollment
 * attempt must fail.
 */
static void us894_test12 (void)
{
    long proxy_rv;
    long http_status;

    LOG_FUNC_NM;

    /*
     * Restart the proxy with a different trusted-certs file (judging by
     * its name, one that also carries the CRL).
     *
     * NOTE(review): the result of st_proxy_start is stored but never
     * checked.  If the proxy failed to come up, the request below would
     * presumably also end without an HTTP status and the test would pass
     * without the CRL check having run -- consider asserting on it.
     */
    st_proxy_stop();
    proxy_rv = st_proxy_start(US894_TCP_PROXY_PORT,
                              US894_PROXY_CERT,
                              US894_PROXY_KEY,
                              "estrealm",
                              US894_CACERT,
                              "US894/trustedcertsandcrl.crt",
                              "estuser",
                              "estpwd",
                              "127.0.0.1",
                              US894_TCP_SERVER_PORT,
                              0,   /* disable PoP */
                              0);  /* ecdhe nid info */

    sleep(1);
    http_status = curl_http_post_cert(US894_ENROLL_URL,
                                      US894_PKCS10_CT,
                                      US894_PKCS10_REQ,
                                      US894_REVOKED_CERT,
                                      US894_REVOKED_KEY,
                                      US894_CACERTS,
                                      NULL);

    /*
     * The client cert has been revoked, so the TLS handshake is expected
     * to fail.  The assertion expects 0, i.e. no HTTP status at all, not
     * a 401 response.
     */
    CU_ASSERT(http_status == 0);

    /*
     * Put the proxy back on the regular trusted-certs file.
     *
     * NOTE(review): this result is not checked either; a failed restart
     * would leave no proxy running for whatever executes next.
     */
    st_proxy_stop();
    proxy_rv = st_proxy_start(US894_TCP_PROXY_PORT,
                              US894_PROXY_CERT,
                              US894_PROXY_KEY,
                              "estrealm",
                              US894_CACERT,
                              "CA/trustedcerts.crt",
                              "estuser",
                              "estpwd",
                              "127.0.0.1",
                              US894_TCP_SERVER_PORT,
                              0,   /* disable PoP */
                              0);  /* ecdhe nid info */
}
Ejemplo n.º 6
Archivo: us894.c Proyecto: DDvO/libest
/*
 * Negative test: enroll with a self-signed client certificate to verify
 * that certificate-chain validation rejects a cert that was not signed
 * by a valid CA.  The enrollment attempt must fail.
 */
static void us894_test13 (void)
{
    long http_status;

    LOG_FUNC_NM;

    sleep(1);
    http_status = curl_http_post_cert(US894_ENROLL_URL,
                                      US894_PKCS10_CT,
                                      US894_PKCS10_REQ,
                                      US894_SELFSIGN_CERT,
                                      US894_SELFSIGN_KEY,
                                      US894_CACERTS,
                                      NULL);

    /*
     * The client cert is signed by neither the local CA nor the external
     * CA, so the TLS handshake will fail and no HTTP status message is
     * received from the server; hence the expected 0.
     *
     * NOTE(review): rv == 0 only shows that no HTTP status came back;
     * presumably any other connection failure yields 0 as well, so this
     * assertion alone does not prove the rejection was caused by chain
     * validation -- confirm against curl_http_post_cert.
     */
    CU_ASSERT(http_status == 0);
}