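/*
 * Start the appropriate flavor of st_server
 * based what character is specified
 * B - Basic auth
 * D - Digest auth
 * C - CRL checking
 * N - No auth
 *
 * Returns the st_start() result, or -1 when the server type is unknown
 * or (for 'C') when the CRL fixture could not be produced.  Previously a
 * failed CRL generation was ignored and the server was started against
 * whatever happened to be in the trust store, so the CRL test could pass
 * without ever exercising revocation checking.
 */

/*
 * All four flavors start the same server (port, cert/key, realm, CA cert,
 * OpenSSL config); only the trust store passed to st_start differs.
 */
static int us901_st_start(const char *trusted_certs)
{
    return st_start(US901_SERVER_PORT,
                    US901_SERVER_CERTKEY,
                    US901_SERVER_CERTKEY, "estrealm", "CA/estCA/cacert.crt",
                    trusted_certs, "CA/estExampleCA.cnf", 0, 0, 0);
}

/*
 * Run a fixed fixture-preparation command.  Returns 0 when the command
 * could be run and exited with status 0, -1 otherwise (system() returns
 * -1 when no shell could be spawned and the wait status otherwise).
 */
static int us901_run_fixture_cmd(const char *cmd)
{
    int status = system(cmd);
    return (status == 0) ? 0 : -1;
}

static int us901_start_server(char server_type) {
    int rv;

    switch (server_type) {
    case 'B':
        rv = us901_st_start("CA/trustedcerts.crt");
        st_enable_http_basic_auth();
        break;
    case 'D':
        rv = us901_st_start("CA/trustedcerts.crt");
        st_enable_http_digest_auth();
        break;
    case 'C':
        /*
         * Generate a fresh CRL and append it to the trust store so the
         * server has current revocation data to check against.  Bail out
         * if either step fails rather than starting a server that cannot
         * actually verify revocation.
         */
        if (us901_run_fixture_cmd(
                "openssl ca -config CA/estExampleCA.cnf -gencrl -out CA/estCA/crl.pem") != 0) {
            rv = -1;
            break;
        }
        SLEEP(1);
        if (us901_run_fixture_cmd(
                "cat CA/trustedcerts.crt CA/estCA/crl.pem > US901/trustedcertsandcrl.crt") != 0) {
            rv = -1;
            break;
        }
        SLEEP(1);
        rv = us901_st_start("US901/trustedcertsandcrl.crt");
        st_enable_crl();
        st_disable_http_auth();
        break;
    case 'N':
        rv = us901_st_start("CA/trustedcerts.crt");
        st_disable_http_auth();
        break;
    default:
        rv = -1;
        break;
    }

    return rv;
}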
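/*
 * Verify that a bogus user ID/password fails when
 * using HTTP digest auth.
 *
 * The server is switched to digest auth for the duration of this test
 * and switched back to basic auth before returning.  All exits go through
 * a single cleanup label so that a failed fixture load can no longer
 * leave the server in digest mode for the tests that follow, and so that
 * the key, cert, BIO, raw file buffers and CSR attributes are released
 * on every path (the original returned early without freeing them and
 * never freed key/cert/attr_data at all).
 */
static void us898_test9 (void) 
{
    EST_CTX *ectx = NULL;
    EVP_PKEY *key = NULL;
    unsigned char *key_raw = NULL;
    int key_len;
    unsigned char *cert_raw = NULL;
    int cert_len;
    int rv;
    int pkcs7_len = 0;
    X509 *cert = NULL;
    BIO *in = NULL;
    unsigned char *attr_data = NULL;
    int attr_len = 0;

    LOG_FUNC_NM;

    /*
     * Enable HTTP digest authentication
     */
    st_enable_http_digest_auth();

    /*
     * Create a client context 
     */
    ectx = est_client_init(cacerts, cacerts_len, 
                           EST_CERT_FORMAT_PEM,
                           client_manual_cert_verify);
    CU_ASSERT(ectx != NULL);
    if (!ectx) goto cleanup;

    /*
     * Set the authentication mode to use a user id/password.
     * These credentials are deliberately unknown to the test server.
     */
    rv = est_client_set_auth(ectx, "jdoe", "panthers", NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);

    /*
     * Read in the private key
     */
    key_len = read_binary_file("US898/key-expired.pem", &key_raw);
    CU_ASSERT(key_len > 0);
    if (key_len <= 0) goto cleanup;
    key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
    CU_ASSERT(key != NULL);
    if (!key) goto cleanup;
    free(key_raw);
    key_raw = NULL;

    /*
     * Read in the old cert
     */
    cert_len = read_binary_file("US898/cert-expired.pem", &cert_raw);
    CU_ASSERT(cert_len > 0);
    if (cert_len <= 0) goto cleanup;
    in = BIO_new_mem_buf(cert_raw, cert_len);
    CU_ASSERT(in != NULL);
    if (!in) goto cleanup;
    cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
    CU_ASSERT(cert != NULL);
    if (!cert) goto cleanup;

    /*
     * Get the latest CSR attributes
     */
    rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Enroll an expired cert that contains x509 extensions.
     * With bogus credentials the server must reject the request
     * with an authentication failure, not any other error.
     */
    rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
    CU_ASSERT(rv == EST_ERR_AUTH_FAIL);

cleanup:
    /* OpenSSL free functions and free() accept NULL, so no guards needed. */
    X509_free(cert);
    BIO_free_all(in);
    free(cert_raw);
    EVP_PKEY_free(key);
    free(key_raw);
    /* NOTE(review): attr_data is the caller-owned buffer filled in by
     * est_client_get_csrattrs(); confirm against the library API that
     * it is heap-allocated with malloc(). */
    free(attr_data);
    if (ectx) {
        est_destroy(ectx);
    }

    /*
     * Re-enable HTTP basic authentication
     */
    st_enable_http_basic_auth();

}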