/*
* This test case uses an existing expired cert and
* attempts to re-enroll it. The expired certs contains
* several X509 extensions. We verify the new issued
* cert preserves these extensions using grep. Note,
* preserving these extensions requires the OpenSSL CA
* to enable the "copy_extensions" knob in the OpenSSL
* config file. This is why this test suite uses a
* unique copy of estExampleCA.cnf.
*/
static void us898_test2 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int rv;
int pkcs7_len = 0;
unsigned char *new_cert = NULL;
X509 *cert = NULL;
BIO *in;
char cmd[200];
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* Read in the private key
*/
key_len = read_binary_file("US898/key-expired.pem", &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file("US898/cert-expired.pem", &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Enroll an expired cert that contains x509 extensions.
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Retrieve the cert that was given to us by the EST server
*/
if (rv == EST_ERR_NONE) {
new_cert = malloc(pkcs7_len);
CU_ASSERT(new_cert != NULL);
rv = est_client_copy_enrolled_cert(ectx, new_cert);
CU_ASSERT(rv == EST_ERR_NONE);
}
/*
* Save the cert to a local file
*/
rv = write_binary_file(US898_TC2_CERT_B64, new_cert, pkcs7_len);
CU_ASSERT(rv == 1);
/*
* Base 64 decode the cert response
*/
sprintf(cmd, "openssl base64 -d -in %s -out %s", US898_TC2_CERT_B64, US898_TC2_CERT_PK7);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Convert the pkcs7 cert to a PEM cert
*/
sprintf(cmd, "openssl pkcs7 -in %s -inform DER -print_certs -out %s", US898_TC2_CERT_PK7, US898_TC2_CERT_PEM);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Convert PEM cert to a textual representation of the cert
*/
sprintf(cmd, "openssl x509 -text -in %s > %s", US898_TC2_CERT_PEM, US898_TC2_CERT_TXT);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Verify the jimbob DNS extension was preserved
*/
sprintf(cmd, "grep jimbob %s", US898_TC2_CERT_TXT);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Verify the bobcat DNS extension was preserved
*/
sprintf(cmd, "grep bobcat %s", US898_TC2_CERT_TXT);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Verify the IP address extension was preserved
*/
sprintf(cmd, "grep 172 %s", US898_TC2_CERT_TXT);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Verify the Repudiation key usage extension was preserved
*/
sprintf(cmd, "grep Repudiation %s", US898_TC2_CERT_TXT);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Verify the public key was preserved
*/
sprintf(cmd, "grep '00:e3:ca:38:65:fb:9c:46:a6:22:b1:be:17:bc:50' %s", US898_TC2_CERT_TXT);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Clean up
*/
if (new_cert) free(new_cert);
est_destroy(ectx);
}
/*
* Verify that a bogus user ID/password fails when
* using HTTP digest auth.
*/
static void us898_test9 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int rv;
int pkcs7_len = 0;
X509 *cert = NULL;
BIO *in;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Enable HTTP digest authentication
*/
st_enable_http_digest_auth();
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, "jdoe", "panthers", NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* Read in the private key
*/
key_len = read_binary_file("US898/key-expired.pem", &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file("US898/cert-expired.pem", &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Enroll an expired cert that contains x509 extensions.
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_AUTH_FAIL);
est_destroy(ectx);
/*
* Re-enable HTTP basic authentication
*/
st_enable_http_basic_auth();
}
/*
* Verify the server fails authentication when the
* client sends an expired identy cert and uses
* valid HTTP auth credentials.
*/
static void us898_test11 (void)
{
int rv;
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int pkcs7_len = 0;
X509 *cert = NULL;
BIO *in;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Read in the private key
*/
key_len = read_binary_file(US898_TC11_KEY, &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file(US898_TC11_CERT, &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Set the authentication mode to use the expired certificate
* and valid HTTP auth credentials.
*/
rv = est_client_set_auth(ectx, US898_UID, US898_PWD, cert, key);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_SSL_CONNECT);
/*
* Re-Enroll the cert
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_SSL_CONNECT);
est_destroy(ectx);
}
/*
* Verify the client fails authentication when the
* client sends an identy cert which doesn't match
* the trust anchor.
*/
static void us898_test12 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int rv;
int pkcs7_len = 0;
X509 *cert = NULL;
BIO *in;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Read in the private key
*/
key_len = read_binary_file(US898_TC12_KEY, &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file(US898_TC12_CERT, &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Set the authentication mode to use cert for re-enroll.
* This should return an error since the certificate doesn't
* match the trust anchor.
*/
rv = est_client_set_auth(ectx, NULL, NULL, cert, key);
CU_ASSERT(rv == EST_ERR_CERT_VERIFICATION);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Enroll a bad cert. The client should reject this cert.
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_CERT_VERIFICATION);
}
/*
* Verify the server fails authentication when the
* client sends a valid identity cert but doesn't
* provide HTTP auth credentials.
*/
static void us898_test10 (void)
{
char cmd[200];
int rv;
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int pkcs7_len = 0;
X509 *cert = NULL;
BIO *in;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Create a CSR
*/
sprintf(cmd, "openssl req -new -nodes -out %s -newkey rsa:2048 -keyout %s -subj /CN=127.0.0.1 "
"-config CA/estExampleCA.cnf",
US898_TC10_CSR, US898_TC10_KEY);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Sign the CSR using our local CA
*/
sprintf(cmd, "openssl ca -out %s -batch -config CA/estExampleCA.cnf -infiles %s",
US898_TC10_CERT, US898_TC10_CSR);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Read in the private key
*/
key_len = read_binary_file(US898_TC10_KEY, &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file(US898_TC10_CERT, &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Set the authentication mode to use the certificate
* No HTTP auth credentials are provided.
*/
rv = est_client_set_auth(ectx, NULL, NULL, cert, key);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Enroll a cert, should fail because we
* didn't provide valid HTTP auth credentials
*/
rv = est_client_enroll(ectx, "TC-US898-10", &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_AUTH_FAIL);
/*
* Re-Enroll the cert, should work since
* we provide a valid cert to identify ourselves
* and HTTP auth isn't required for re-enroll even when
* the server has enabled HTTP auth.
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_NONE);
est_destroy(ectx);
}
/*
* This test attempts to re-enroll a corrupted cert
* The public key in the cert is has been corrupted.
*/
static void us898_test5 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int rv;
int pkcs7_len = 0;
X509 *cert = NULL;
BIO *in;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* Read in the private key
*/
key_len = read_binary_file("US898/key-corrupt.pem", &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file("US898/cert-corrupt.pem", &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Enroll a cert with wrong signature that contains x509 extensions.
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_CLIENT_INVALID_KEY);
/*
* Clean up
*/
est_destroy(ectx);
}
/*
* This test case uses an existing expired cert and
* attempts to re-enroll it. PoP is disabled on
* the EST server.
*/
static void us893_test8 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
X509 *cert = NULL;
int rv;
int pkcs7_len = 0;
BIO *in;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Make sure PoP is disabled on the server
*/
st_disable_pop();
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
NULL);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT);
/*
* Read in the private key
*/
key_len = read_binary_file("US893/key-expired.pem", &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Enroll an expired cert that contains x509 extensions.
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_NONE);
est_destroy(ectx);
/*
* Re-enable PoP on the server for the forthcoming test cases.
*/
st_enable_pop();
}
static void us893_test7 (void)
{
int rv;
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int pkcs7_len = 0;
X509 *cert = NULL;
BIO *in;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Make sure PoP is disabled on the server
*/
st_disable_pop();
/*
* Stop the proxy server so we can restart
* it using a different identity cert.
*/
st_proxy_stop();
/*
* Restart the proxy server using the other cert
*/
rv = st_proxy_start(US893_TCP_PROXY_PORT,
US893_SERVER_CERTKEY,
US893_SERVER_CERTKEY,
"US893 test realm",
"CA/estCA/cacert.crt",
"CA/trustedcerts.crt",
"estuser",
"estpwd",
"127.0.0.1",
US893_TCP_SERVER_PORT,
0,
0);
CU_ASSERT(rv == 0);
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
NULL);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT);
/*
* Read in the private key
*/
key_len = read_binary_file("US893/key-expired.pem", &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
ectx->csr_pop_required = 1; //This is a hack for testing only, do not attempt this
//We need to force the challengePassword into the CSR
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_HTTP_BAD_REQ);
/*
* Stop the proxy server
*/
st_proxy_stop();
/*
* Restart the proxy server using the other cert
*/
rv = st_proxy_start(US893_TCP_PROXY_PORT,
US893_PROXY_CERT,
US893_PROXY_KEY,
"US893 test realm",
"CA/estCA/cacert.crt",
"CA/trustedcerts.crt",
"estuser",
"estpwd",
"127.0.0.1",
US893_TCP_SERVER_PORT,
0,
0);
CU_ASSERT(rv == 0);
/*
* Re-enable PoP on the server for the forthcoming test cases.
*/
st_enable_pop();
est_destroy(ectx);
}
/*
* This test attempts to re-enroll an expired cert
* while the EST server is configured for manual
* approval. The server will send back a retry-after
* response. This verifies the proxy propagates the
* retry-after response to the client.
*/
static void us893_test4 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int rv;
int pkcs7_len = 0;
X509 *cert = NULL;
BIO *in;
int retry_val = 0;
time_t time_val;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Stop the server.
*/
st_stop();
st_proxy_stop();
/*
* Restart the server with manual approval enabled
*/
rv = us893_start_server(1, 0);
CU_ASSERT(rv == 0);
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
NULL);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT);
/*
* Read in the private key
*/
key_len = read_binary_file("US893/key-expired.pem", &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Enroll an expired cert that contains x509 extensions.
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_CA_ENROLL_RETRY);
/*
* The server should be configured with a retry-after
* value of 3600 seconds, which is the default.
*/
rv = est_client_copy_retry_after(ectx, &retry_val, &time_val);
CU_ASSERT(rv == EST_ERR_NONE);
CU_ASSERT(retry_val == 3600);
/*
* Clean up
*/
est_destroy(ectx);
/*
* Stop the server.
*/
st_stop();
st_proxy_stop();
/*
* Restart the server with manual approval disabled
*/
rv = us893_start_server(0, 0);
CU_ASSERT(rv == 0);
}