/* * This test attempts to re-enroll a corrupted cert * The public key in the cert is has been corrupted. */ static void us898_test5 (void) { EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; int rv; int pkcs7_len = 0; X509 *cert = NULL; BIO *in; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * Read in the private key */ key_len = read_binary_file("US898/key-corrupt.pem", &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file("US898/cert-corrupt.pem", &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Enroll a cert with wrong signature that contains x509 extensions. */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_CLIENT_INVALID_KEY); /* * Clean up */ est_destroy(ectx); }
/* * Verify that a bogus user ID/password fails when * using HTTP digest auth. */ static void us898_test9 (void) { EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; int rv; int pkcs7_len = 0; X509 *cert = NULL; BIO *in; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Enable HTTP digest authentication */ st_enable_http_digest_auth(); /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, "jdoe", "panthers", NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * Read in the private key */ key_len = read_binary_file("US898/key-expired.pem", &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file("US898/cert-expired.pem", &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Enroll an expired cert that contains x509 extensions. */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_AUTH_FAIL); est_destroy(ectx); /* * Re-enable HTTP basic authentication */ st_enable_http_basic_auth(); }
/* * This test case uses an existing expired cert and * attempts to re-enroll it. The expired certs contains * several X509 extensions. We verify the new issued * cert preserves these extensions using grep. Note, * preserving these extensions requires the OpenSSL CA * to enable the "copy_extensions" knob in the OpenSSL * config file. This is why this test suite uses a * unique copy of estExampleCA.cnf. */ static void us898_test2 (void) { EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; int rv; int pkcs7_len = 0; unsigned char *new_cert = NULL; X509 *cert = NULL; BIO *in; char cmd[200]; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * Read in the private key */ key_len = read_binary_file("US898/key-expired.pem", &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file("US898/cert-expired.pem", &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Enroll an expired cert that contains x509 extensions. */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_NONE); /* * Retrieve the cert that was given to us by the EST server */ if (rv == EST_ERR_NONE) { new_cert = malloc(pkcs7_len); CU_ASSERT(new_cert != NULL); rv = est_client_copy_enrolled_cert(ectx, new_cert); CU_ASSERT(rv == EST_ERR_NONE); } /* * Save the cert to a local file */ rv = write_binary_file(US898_TC2_CERT_B64, new_cert, pkcs7_len); CU_ASSERT(rv == 1); /* * Base 64 decode the cert response */ sprintf(cmd, "openssl base64 -d -in %s -out %s", US898_TC2_CERT_B64, US898_TC2_CERT_PK7); rv = system(cmd); CU_ASSERT(rv == 0); /* * Convert the pkcs7 cert to a PEM cert */ sprintf(cmd, "openssl pkcs7 -in %s -inform DER -print_certs -out %s", US898_TC2_CERT_PK7, US898_TC2_CERT_PEM); rv = system(cmd); CU_ASSERT(rv == 0); /* * Convert PEM cert to a textual representation of the cert */ sprintf(cmd, "openssl x509 -text -in %s > %s", US898_TC2_CERT_PEM, US898_TC2_CERT_TXT); rv = system(cmd); CU_ASSERT(rv == 0); /* * Verify the jimbob DNS extension was preserved */ sprintf(cmd, "grep jimbob %s", US898_TC2_CERT_TXT); rv = system(cmd); CU_ASSERT(rv == 0); /* * Verify the bobcat DNS extension was preserved */ sprintf(cmd, "grep bobcat %s", US898_TC2_CERT_TXT); rv = system(cmd); CU_ASSERT(rv == 0); /* * Verify the IP address extension was preserved */ sprintf(cmd, "grep 172 %s", US898_TC2_CERT_TXT); rv = system(cmd); CU_ASSERT(rv == 0); /* * Verify the Repudiation key usage extension was preserved */ sprintf(cmd, "grep Repudiation %s", US898_TC2_CERT_TXT); rv = system(cmd); CU_ASSERT(rv == 0); /* * Verify the public key was preserved */ sprintf(cmd, "grep '00:e3:ca:38:65:fb:9c:46:a6:22:b1:be:17:bc:50' %s", US898_TC2_CERT_TXT); rv = system(cmd); CU_ASSERT(rv == 0); /* * Clean up */ if (new_cert) free(new_cert); est_destroy(ectx); }
/* * Test the re-enroll API to ensure it gracefully * handles a null EVP_PKEY pointer. */ static void us898_test4 (void) { EST_CTX *ectx; int pkcs7_len = 0; int rv; X509 *cert = NULL; unsigned char *cert_raw; int cert_len; BIO *in; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * Read in an old cert that we can use for re-enroll */ cert_len = read_binary_file("US898/cert-expired.pem", &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * re-enroll using a null EVP_KEY pointer. */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, NULL); CU_ASSERT(rv == EST_ERR_NO_KEY); /* * Clean up */ X509_free(cert); est_destroy(ectx); }
/* * Test2 - exercise the response variations triggered * by est_client_get_csrattrs() */ static void us896_test2(void) { EST_CTX *ctx; unsigned char *pkey = NULL; unsigned char *cacerts = NULL; int cacerts_len = 0; EST_ERROR rc = EST_ERR_NONE; unsigned char *retrieved_cacerts = NULL; int retrieved_cacerts_len = 0; EVP_PKEY *priv_key; SLEEP(1); LOG_FUNC_NM ; /* * Read in the CA certificates */ cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); CU_ASSERT(cacerts_len > 0); /* * Read in the private key file */ priv_key = read_private_key(CLIENT_UT_PUBKEY); if (priv_key == NULL) { printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); return; } ctx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ctx != NULL); rc = est_client_set_auth(ctx, "", "", NULL, priv_key); CU_ASSERT(rc == EST_ERR_NONE); est_client_set_server(ctx, US896_SERVER_IP, US896_SERVER_PORT, NULL); /* * issue the get ca certs request */ rc = est_client_get_cacerts(ctx, &retrieved_cacerts_len); /* * should be successful, and should have obtained a valid buffer * containing the CA certs */ CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(retrieved_cacerts_len > 0); retrieved_cacerts = malloc(retrieved_cacerts_len); rc = est_client_copy_cacerts(ctx, retrieved_cacerts); /* * output the retrieved ca certs and compare to what they should be */ if (retrieved_cacerts) { printf("\nRetrieved CA Certs buffer:\n %s\n", retrieved_cacerts); printf("Retrieved CA certs buffer length: %d\n", retrieved_cacerts_len); } free(retrieved_cacerts); /* * All of these are negative tests and require that code in the * EST server is modified such that it will allow bad/corrupted * attributes to be initialized so they can be sent to the client. */ #ifdef NEGATIVE_UNIT_TEST unsigned char *csr_data; int csr_len; /* clear callback */ if (est_set_csr_cb(ectx, NULL)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } rc = est_server_init_csrattrs(ectx, TEST_CORRUPT_ATTR1, strlen(TEST_CORRUPT_ATTR1)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc != EST_ERR_NONE); CU_ASSERT(csr_len == 0); CU_ASSERT(csr_data == NULL); rc = est_server_init_csrattrs(ectx, TEST_CORRUPT_ATTR2, strlen(TEST_CORRUPT_ATTR2)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc != EST_ERR_NONE); CU_ASSERT(csr_len == 0); CU_ASSERT(csr_data == NULL); rc = est_server_init_csrattrs(ectx, TEST_SHORT_ATTR, strlen(TEST_SHORT_ATTR)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc != EST_ERR_NONE); CU_ASSERT(csr_len == 0); CU_ASSERT(csr_data == NULL); rc = est_server_init_csrattrs(ectx, TEST_LONG_ATTR, strlen(TEST_LONG_ATTR)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc != EST_ERR_NONE); CU_ASSERT(csr_len == 0); CU_ASSERT(csr_data == NULL); #endif if (ctx) { est_destroy(ctx); } if (cacerts) { free(cacerts); } if (pkey) { free(pkey); } }
/* * This function performs a basic simple enroll using * a UID/PWD to identify the client to the server. This * is used for a variet of test cases in this module. */ static void us898_test1 (void) { EST_CTX *ectx; EVP_PKEY *key; int rv; int pkcs7_len = 0; unsigned char *new_cert = NULL; PKCS7 *p7 = NULL; BIO *b64, *out; X509 *cert = NULL; STACK_OF(X509) *certs = NULL; int i; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * generate a private key */ key = generate_private_key(); CU_ASSERT(key != NULL); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Use the simplified API to enroll a CSR */ rv = est_client_enroll(ectx, "TC-US898-1", &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_NONE); if (rv != EST_ERR_NONE) return; /* * Retrieve the cert that was given to us by the EST server */ if (rv == EST_ERR_NONE) { new_cert = malloc(pkcs7_len); CU_ASSERT(new_cert != NULL); rv = est_client_copy_enrolled_cert(ectx, new_cert); CU_ASSERT(rv == EST_ERR_NONE); } /* * Convert the cert to an X509. Be warned this is * pure hackery. */ b64 = BIO_new(BIO_f_base64()); out = BIO_new_mem_buf(new_cert, pkcs7_len); out = BIO_push(b64, out); p7 = d2i_PKCS7_bio(out,NULL); CU_ASSERT(p7 != NULL); BIO_free_all(out); i=OBJ_obj2nid(p7->type); switch (i) { case NID_pkcs7_signed: certs = p7->d.sign->cert; break; case NID_pkcs7_signedAndEnveloped: certs = p7->d.signed_and_enveloped->cert; break; default: break; } CU_ASSERT(certs != NULL); if (!certs) return; /* our new cert should be the one and only * cert in the pkcs7 blob. We shouldn't have to * iterate through the full list to find it. */ cert = sk_X509_value(certs, 0); CU_ASSERT(cert != NULL); /* * Wow, that's a lot of work, but we finally have the X509. * (don't you just love OpenSSL!!!) * Now that we have an X509 representation of the cert, * let's try to re-enroll this cert with the CA */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_NONE); /* * Cleanup */ if (cert) X509_free(cert); EVP_PKEY_free(key); if (new_cert) free(new_cert); est_destroy(ectx); }
/* * This test does a simple enroll with SRP using a * non-default value for the SRP strength. */ static void us1060_test106 () { EST_CTX *ectx; EVP_PKEY *new_key; int rv; int pkcs7_len = 0; LOG_FUNC_NM; /* * We need to restart the EST server using an RSA key * None of the SRP cipher suites support ECDSA */ st_stop(); sleep(2); rv = us1060_start_server(US1060_SERVER_CERTKEY, US1060_SERVER_CERTKEY, 0, 0, 1); /* * Create a client context */ ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT); /* * Enable SRP on the client * Use a strength below the minimum */ rv = est_client_enable_srp(ectx, 1023, US1060_UID, US1060_PWD); CU_ASSERT(rv == EST_ERR_SRP_STRENGTH_LOW); /* * Enable SRP on the client * Use a strength slightly larger then the N value in passwd.srpv */ rv = est_client_enable_srp(ectx, 1537, US1060_UID, US1060_PWD); CU_ASSERT(rv == EST_ERR_NONE); /* * generate a new private key */ new_key = generate_private_key(); CU_ASSERT(new_key != NULL); /* * Attempt to provision a new cert */ rv = est_client_enroll(ectx, "US1060_TEST106a", &pkcs7_len, new_key); CU_ASSERT(rv == EST_ERR_SSL_CONNECT); /* * Enable SRP on the client * Use a strength the same size as the N value in passwd.srpv */ rv = est_client_enable_srp(ectx, 1536, US1060_UID, US1060_PWD); CU_ASSERT(rv == EST_ERR_NONE); /* * Attempt to provision a new cert */ rv = est_client_enroll(ectx, "US1060_TEST106b", &pkcs7_len, new_key); CU_ASSERT(rv == EST_ERR_NONE); /* * Cleanup */ EVP_PKEY_free(new_key); est_destroy(ectx); }
/* * Test1 - exercise the server side variations triggered * by est_client_get_csrattrs() */ static void us895_test1 (void) { EST_CTX *ctx; unsigned char *pkey = NULL; unsigned char *cacerts = NULL; int cacerts_len = 0; EST_ERROR rc = EST_ERR_NONE; EVP_PKEY * priv_key; int csr_len; unsigned char *csr_data = NULL; SLEEP(1); LOG_FUNC_NM ; /* * Read in the CA certificates */ cacerts_len = read_binary_file(SERVER_UT_CACERT, &cacerts); CU_ASSERT(cacerts_len > 0); /* * Read in the private key file */ priv_key = read_private_key(SERVER_UT_PUBKEY); if (priv_key == NULL) { printf("\nError while reading private key file %s\n", SERVER_UT_PUBKEY); return; } ctx = est_client_init( cacerts, cacerts_len, EST_CERT_FORMAT_PEM, proxy_manual_cert_verify); CU_ASSERT(ctx != NULL); rc = est_client_set_auth(ctx, "", "", NULL, priv_key); CU_ASSERT(rc == EST_ERR_NONE); est_client_set_server(ctx, US895_SERVER_IP, US895_PROXY_PORT, NULL); /* clear callback */ if (est_set_csr_cb(ectx, NULL)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* clear csrattrs */ rc = est_server_init_csrattrs(ectx, NULL, 0); CU_ASSERT(rc == EST_ERR_NONE); /* should get 204 with no data */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); CU_ASSERT(csr_data == NULL); /* Real base64 string - should pass */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_POP)); CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *) csr_data, csr_len) == 0); if (est_set_csr_cb(ectx, &handle_short_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* callback should supersede init csrattrs */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); if (est_set_csr_cb(ectx, &handle_corrupt_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* callback should supersede init csrattrs */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); if (est_set_csr_cb(ectx, &handle_long_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* callback should supersede init csrattrs */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* callback should supersede init csrattrs */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR1)); CU_ASSERT(strncmp(TEST_ATTR1, (const char *) csr_data, csr_len) == 0); /* clear csrattrs */ rc = est_server_init_csrattrs(ectx, NULL, 0); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR1)); CU_ASSERT(strncmp(TEST_ATTR1, (const char *) csr_data, csr_len) == 0); /* clear callback */ if (est_set_csr_cb(ectx, NULL)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* Setting the smallest base64 size */ rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR2)); CU_ASSERT(strncmp(TEST_ATTR2, (const char *) csr_data, csr_len) == 0); rc = est_server_init_csrattrs(ectx, TEST_ATTR3, strlen(TEST_ATTR3)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR3)); CU_ASSERT(strncmp(TEST_ATTR3, (const char *) csr_data, csr_len) == 0); /* clear csrattrs */ rc = est_server_init_csrattrs(ectx, NULL, 0); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); rc = est_server_init_csrattrs( ectx, TEST_1024_NOPOP, strlen(TEST_1024_NOPOP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_1024_NOPOP)); CU_ASSERT(strncmp(TEST_1024_NOPOP, (const char *) csr_data, csr_len) == 0); /* Enable PoP and test responses with PoP added */ st_enable_pop(); rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_data != NULL); CU_ASSERT(csr_len = 20); CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *) csr_data, csr_len) == 0); rc = est_server_init_csrattrs( ectx, TEST_1024_NOPOP, strlen(TEST_1024_NOPOP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_1024_POP)); CU_ASSERT(strncmp(TEST_1024_POP, (const char *) csr_data, csr_len) == 0); /* Setting the size 122 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR4_122, strlen(TEST_ATTR4_122)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR4_122POP)); CU_ASSERT( strncmp(TEST_ATTR4_122POP, (const char *) csr_data, csr_len) == 0); /* Setting the size 117 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR5_117, strlen(TEST_ATTR5_117)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR5_117POP)); CU_ASSERT( strncmp(TEST_ATTR5_117POP, (const char *) csr_data, csr_len) == 0); /* Real base64 string needs PoP added - should pass */ rc = est_server_init_csrattrs( ectx, TEST_ATTR_NOPOP, strlen(TEST_ATTR_NOPOP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP)); CU_ASSERT( strncmp(TEST_ATTR_NOPOPPOP, (const char *) csr_data, csr_len) == 0); /* Not a real base64 string - should fail */ rc = est_server_init_csrattrs(ectx, "US900 test1", 11); CU_ASSERT(rc != EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_POP)); CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *) csr_data, csr_len) == 0); /* Setting the smallest size */ rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP)); CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *) csr_data, csr_len) == 0); /* Setting the size 116 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR6_116, strlen(TEST_ATTR6_116)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the size 244 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_244, strlen(TEST_ATTR_244)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the size 245 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_245, strlen(TEST_ATTR_245)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the size 250 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_250, strlen(TEST_ATTR_250)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_250POP)); CU_ASSERT(strncmp(TEST_ATTR_250POP, (const char *) csr_data, csr_len) == 0); if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR1)); CU_ASSERT(strncmp(TEST_ATTR1, (const char *) csr_data, csr_len) == 0); if (est_set_csr_cb(ectx, &handle_nopop_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP)); CU_ASSERT( strncmp(TEST_ATTR_NOPOPPOP, (const char *) csr_data, csr_len) == 0); if (est_set_csr_cb(ectx, &handle_empty_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP)); CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *) csr_data, csr_len) == 0); /* disable PoP */ st_disable_pop(); /* clear callback */ if (est_set_csr_cb(ectx, NULL)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* Real base64 string PoP should not be added - should pass */ rc = est_server_init_csrattrs( ectx, TEST_ATTR_NOPOP, strlen(TEST_ATTR_NOPOP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOP)); CU_ASSERT(strncmp(TEST_ATTR_NOPOP, (const char *) csr_data, csr_len) == 0); /* All ASN.1 types supported by CiscoSSL */ rc = est_server_init_csrattrs(ectx, TEST_ALL_ATTR, strlen(TEST_ALL_ATTR)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ALL_ATTR)); CU_ASSERT(strncmp(TEST_ALL_ATTR, (const char *) csr_data, csr_len) == 0); if (ctx) { est_destroy(ctx); } if (cacerts) { free(cacerts); } if (pkey) { free(pkey); } }
static void us1060_easy_provision (int use_srp, int use_ta, char *cipher_suite, int port, int expected_rv) { EST_CTX *ectx; EVP_PKEY *new_key; int rv; int pkcs7_len = 0; int ca_certs_len = 0; unsigned char *new_cert = NULL; struct est_dumb_ctx *ed; /* * Create a client context */ if (use_ta) { ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, NULL); } else { ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL); } CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US1060_SERVER_IP, port); if (use_srp) { rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD); } if (cipher_suite) { /* * This is not an approved use of the EST API. We do this * here only to increase code coverage for testing * purposes only. If you are looking at this code as * an example of how to use the EST API, do not do this! */ ed = (struct est_dumb_ctx*)ectx; rv = SSL_CTX_set_cipher_list(ed->ssl_ctx, cipher_suite); CU_ASSERT(rv == 1); } /* * generate a new private key */ new_key = generate_private_key(); CU_ASSERT(new_key != NULL); /* * Attempt to provision a new cert */ rv = est_client_provision_cert(ectx, "US1060_TEST1xx", &pkcs7_len, &ca_certs_len, new_key); CU_ASSERT(rv == expected_rv); if (rv != expected_rv) { printf("\nExpected rv was %d, rv returned was %d", expected_rv, rv); } EVP_PKEY_free(new_key); /* * Retrieve the cert that was given to us by the EST server */ if (rv == EST_ERR_NONE) { new_cert = malloc(pkcs7_len); CU_ASSERT(new_cert != NULL); rv = est_client_copy_enrolled_cert(ectx, new_cert); CU_ASSERT(rv == EST_ERR_NONE); if (new_cert) free(new_cert); } else { est_destroy(ectx); return; } /* * Retrieve a copy of the new CA certs */ if (rv == EST_ERR_NONE) { new_cert = malloc(ca_certs_len); CU_ASSERT(new_cert != NULL); rv = est_client_copy_cacerts(ectx, new_cert); CU_ASSERT(rv == EST_ERR_NONE); if (new_cert) free(new_cert); } else { est_destroy(ectx); return; } /* * Cleanup */ est_destroy(ectx); }
/* * This test will enable a just the SRP-RSA-AES-128-CBC-SHA * cipher suite, which forces the server to send a certificate * to the client while SRP is used. Similar to #104, we'll * omit configuring the trust anchor on the client context. * This should cause the TLS session to fail since the * server cert can not be verified without a trust anchor. */ static void us1060_test105 () { EST_CTX *ectx; EVP_PKEY *new_key; int rv; int pkcs7_len = 0; struct est_dumb_ctx *ed; LOG_FUNC_NM; /* * We need to restart the EST server using an RSA key * None of the SRP cipher suites support ECDSA */ st_stop(); sleep(2); us1060_start_server(US1060_RSA_CERT, US1060_RSA_KEY, 0, 0, 1); /* * Create a client context */ ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT); /* * Enable SRP on the client */ rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD); /* * This is not an approved use of the EST API. We do this * here only to increase code coverage for testing * purposes only. If you are looking at this code as * an example of how to use the EST API, do not do this! */ ed = (struct est_dumb_ctx*)ectx; rv = SSL_CTX_set_cipher_list(ed->ssl_ctx, "SRP-RSA-AES-128-CBC-SHA"); CU_ASSERT(rv == 1); /* * generate a new private key */ new_key = generate_private_key(); CU_ASSERT(new_key != NULL); /* * Attempt to provision a new cert */ rv = est_client_enroll(ectx, "US1060_TEST105", &pkcs7_len, new_key); CU_ASSERT(rv == EST_ERR_SSL_CONNECT); /* * Cleanup */ EVP_PKEY_free(new_key); est_destroy(ectx); }
/* * This test case uses an existing expired cert and * attempts to re-enroll it. PoP is disabled on * the EST server. */ static void us893_test8 (void) { EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; X509 *cert = NULL; int rv; int pkcs7_len = 0; BIO *in; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Make sure PoP is disabled on the server */ st_disable_pop(); /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, NULL); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT); /* * Read in the private key */ key_len = read_binary_file("US893/key-expired.pem", &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Enroll an expired cert that contains x509 extensions. */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_NONE); est_destroy(ectx); /* * Re-enable PoP on the server for the forthcoming test cases. */ st_enable_pop(); }
static void us893_test7 (void) { int rv; EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; int pkcs7_len = 0; X509 *cert = NULL; BIO *in; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Make sure PoP is disabled on the server */ st_disable_pop(); /* * Stop the proxy server so we can restart * it using a different identity cert. */ st_proxy_stop(); /* * Restart the proxy server using the other cert */ rv = st_proxy_start(US893_TCP_PROXY_PORT, US893_SERVER_CERTKEY, US893_SERVER_CERTKEY, "US893 test realm", "CA/estCA/cacert.crt", "CA/trustedcerts.crt", "estuser", "estpwd", "127.0.0.1", US893_TCP_SERVER_PORT, 0, 0); CU_ASSERT(rv == 0); /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, NULL); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT); /* * Read in the private key */ key_len = read_binary_file("US893/key-expired.pem", &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); ectx->csr_pop_required = 1; //This is a hack for testing only, do not attempt this //We need to force the challengePassword into the CSR rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_HTTP_BAD_REQ); /* * Stop the proxy server */ st_proxy_stop(); /* * Restart the proxy server using the other cert */ rv = st_proxy_start(US893_TCP_PROXY_PORT, US893_PROXY_CERT, US893_PROXY_KEY, "US893 test realm", "CA/estCA/cacert.crt", "CA/trustedcerts.crt", "estuser", "estpwd", "127.0.0.1", US893_TCP_SERVER_PORT, 0, 0); CU_ASSERT(rv == 0); /* * Re-enable PoP on the server for the forthcoming test cases. */ st_enable_pop(); est_destroy(ectx); }
/* * This test attempts to re-enroll an expired cert * while the EST server is configured for manual * approval. The server will send back a retry-after * response. This verifies the proxy propagates the * retry-after response to the client. */ static void us893_test4 (void) { EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; int rv; int pkcs7_len = 0; X509 *cert = NULL; BIO *in; int retry_val = 0; time_t time_val; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Stop the server. */ st_stop(); st_proxy_stop(); /* * Restart the server with manual approval enabled */ rv = us893_start_server(1, 0); CU_ASSERT(rv == 0); /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, NULL); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT); /* * Read in the private key */ key_len = read_binary_file("US893/key-expired.pem", &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Enroll an expired cert that contains x509 extensions. */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_CA_ENROLL_RETRY); /* * The server should be configured with a retry-after * value of 3600 seconds, which is the default. */ rv = est_client_copy_retry_after(ectx, &retry_val, &time_val); CU_ASSERT(rv == EST_ERR_NONE); CU_ASSERT(retry_val == 3600); /* * Clean up */ est_destroy(ectx); /* * Stop the server. */ st_stop(); st_proxy_stop(); /* * Restart the server with manual approval disabled */ rv = us893_start_server(0, 0); CU_ASSERT(rv == 0); }
/* * Simple enroll - PoP check succeeds with estclient * * This test case verifies the proxy is * verifying the PoP from the client CSR. We use * estclient since it supports the PoP. */ static void us748_test7 (void) { long rv; EST_CTX *c_ctx; EVP_PKEY *new_pkey; unsigned char *pkcs7; int pkcs7_len; unsigned char *attr_data; int attr_len; LOG_FUNC_NM; /* * This test case requires PoP to be enabled */ st_enable_pop(); /* * Create a client context */ c_ctx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(c_ctx != NULL); if (!c_ctx) { return; } /* * Specify user ID and password since the server is running * in Basic Authentication mode. */ rv = est_client_set_auth(c_ctx, "estuser", "estpwd", NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); est_client_set_server(c_ctx, "127.0.0.1", US748_TCP_PROXY_PORT); /* * get a keypair to be used in the enroll. */ new_pkey = generate_private_key(); rv = est_client_get_csrattrs(c_ctx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Attempt to enroll a CSR */ rv = est_client_enroll(c_ctx, "US748-test7 CN", &pkcs7_len, new_pkey); CU_ASSERT(rv == EST_ERR_NONE); /* * Client library has obtained the new client certificate. * Now retrieve it from the library. */ pkcs7 = malloc(pkcs7_len); if (!pkcs7) { return; } rv = est_client_copy_enrolled_cert (c_ctx, pkcs7); CU_ASSERT(rv == EST_ERR_NONE); /* * Clean up */ est_destroy(c_ctx); EVP_PKEY_free(new_pkey); free(pkcs7); /* * Disable PoP for future test cases */ st_disable_pop(); }
/* * Verify the server fails authentication when the * client sends a valid identity cert but doesn't * provide HTTP auth credentials. */ static void us898_test10 (void) { char cmd[200]; int rv; EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; int pkcs7_len = 0; X509 *cert = NULL; BIO *in; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Create a CSR */ sprintf(cmd, "openssl req -new -nodes -out %s -newkey rsa:2048 -keyout %s -subj /CN=127.0.0.1 " "-config CA/estExampleCA.cnf", US898_TC10_CSR, US898_TC10_KEY); rv = system(cmd); CU_ASSERT(rv == 0); /* * Sign the CSR using our local CA */ sprintf(cmd, "openssl ca -out %s -batch -config CA/estExampleCA.cnf -infiles %s", US898_TC10_CERT, US898_TC10_CSR); rv = system(cmd); CU_ASSERT(rv == 0); /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Read in the private key */ key_len = read_binary_file(US898_TC10_KEY, &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file(US898_TC10_CERT, &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Set the authentication mode to use the certificate * No HTTP auth credentials are provided. */ rv = est_client_set_auth(ectx, NULL, NULL, cert, key); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Enroll a cert, should fail because we * didn't provide valid HTTP auth credentials */ rv = est_client_enroll(ectx, "TC-US898-10", &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_AUTH_FAIL); /* * Re-Enroll the cert, should work since * we provide a valid cert to identify ourselves * and HTTP auth isn't required for re-enroll even when * the server has enabled HTTP auth. */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_NONE); est_destroy(ectx); }
static void us748_test9 (void) { EST_CTX *ctx; int rv; unsigned char *cacerts; int caclen = 0; EVP_PKEY *new_pkey; unsigned char *pkcs7; int pkcs7_len = 0; unsigned char *attr_data; int attr_len; LOG_FUNC_NM; /* * Make sure our EST server has PoP disabled */ st_disable_pop(); /* * Read in the CA certs */ caclen = read_binary_file(US748_CACERTS, &cacerts); CU_ASSERT(cacerts_len > 0); /* * Init the client context */ ctx = est_client_init(cacerts, caclen, EST_CERT_FORMAT_PEM, client_manual_cert_verify); /* * We'll use simple HTTP auth to identify ourselves */ rv = est_client_set_auth(ctx, "estuser", "estpwd", NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); est_client_set_server(ctx, "127.0.0.1", US748_TCP_PROXY_PORT); /* * Create some space to hold the cert and generate * a private key */ new_pkey = generate_private_key(); rv = est_client_get_csrattrs(ctx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Attempt to enroll */ ctx->csr_pop_required = 1; //This is a hack for testing only, do not attempt this //We need to force the challengePassword into the CSR rv = est_client_enroll(ctx, "TestCase9", &pkcs7_len, new_pkey); CU_ASSERT(rv == EST_ERR_NONE); pkcs7 = malloc(pkcs7_len); rv = est_client_copy_enrolled_cert(ctx, pkcs7); free(pkcs7); est_destroy(ctx); }
/* * Verify the server fails authentication when the * client sends an expired identy cert and uses * valid HTTP auth credentials. */ static void us898_test11 (void) { int rv; EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; int pkcs7_len = 0; X509 *cert = NULL; BIO *in; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Read in the private key */ key_len = read_binary_file(US898_TC11_KEY, &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file(US898_TC11_CERT, &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Set the authentication mode to use the expired certificate * and valid HTTP auth credentials. */ rv = est_client_set_auth(ectx, US898_UID, US898_PWD, cert, key); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_AUTH_CERT); /* * Re-Enroll the cert */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_AUTH_CERT); est_destroy(ectx); }
/* * get_client_ctx() performs a search through a ordered array. * The key for the search is the current thread id and the value returned * is the client context that's been created for this thread. If no * entry exists in the array for this thread id, a new one is created. */ static EST_CTX *get_client_ctx (EST_CTX *p_ctx) { EST_CTX *c_ctx = NULL; EST_ERROR rv; unsigned long cur_threadid = 0; unsigned long cur_pid = getpid(); CLIENT_CTX_LU_NODE_T *found_node; unsigned long zero_threadid = 0x0; CLIENT_CTX_LU_NODE_T *empty_node; int empty_index; /* * TODO: This is really returning a pointer to an opaque value, so * what's being used here is typically a pointer in pthread based * environments and not the actual pthread id. The only helper API to * access the actual id is pthread_equal(). If this must be used, then * the array search would best be changed to a linear search. * We mix in the PID of the current process with the thread ID in * case the application is forking new processes (e.g. NGINX). */ #ifndef DISABLE_PTHREADS #ifdef __MINGW32__ cur_threadid = (unsigned long) GetCurrentThreadId(); #else cur_threadid = (unsigned long) pthread_self(); #endif #endif cur_threadid += cur_pid; found_node = (CLIENT_CTX_LU_NODE_T *) bsearch(&cur_threadid, p_ctx->client_ctx_array, cur_max_ctx_array, sizeof(CLIENT_CTX_LU_NODE_T), bsearch_compare); if (found_node == NULL) { /* * need to allocate a context and get it ready to be used. */ c_ctx = est_client_init(p_ctx->ca_chain_raw, p_ctx->ca_chain_raw_len, EST_CERT_FORMAT_PEM, NULL); if (c_ctx == NULL) { EST_LOG_ERR("Unable to allocate and initialize EST client context for proxy use"); return (NULL); } /* * The name is a bit misleading. The identity cert and private * key used for proxy mode are the ones stored in the server_cert and * server_priv_key, however they are used in both directions, so here * when setting up the client side, it looks mixed up. Might want to * change the name in context to hold these. */ rv = est_client_set_auth(c_ctx, p_ctx->userid, p_ctx->password, p_ctx->server_cert, p_ctx->server_priv_key); if (rv != EST_ERR_NONE) { EST_LOG_ERR("Unable to set authentication configuration in the client context for proxy use"); est_destroy(c_ctx); return (NULL); } rv = est_client_set_auth_cred_cb(c_ctx, p_ctx->auth_credentials_cb); if (rv != EST_ERR_NONE) { EST_LOG_ERR("Unable to register authentication credential callback."); return (NULL); } rv = est_client_set_server(c_ctx, p_ctx->est_server, p_ctx->est_port_num); if (rv != EST_ERR_NONE) { EST_LOG_ERR("Unable to set the upstream server configuration in the client context for proxy use"); est_destroy(c_ctx); return (NULL); } rv = est_client_set_read_timeout(c_ctx, p_ctx->read_timeout); if (rv != EST_ERR_NONE) { EST_LOG_ERR("Unable to set the SSL read timeout in the client context"); est_destroy(c_ctx); return (NULL); } /* * make sure there's room for another entry */ empty_node = (CLIENT_CTX_LU_NODE_T *) bsearch(&zero_threadid, p_ctx->client_ctx_array, cur_max_ctx_array, sizeof(CLIENT_CTX_LU_NODE_T), bsearch_compare); if (empty_node == NULL) { /* * we're out of space. allocate a new array and copy over what's * already there. Double the size of the current one. */ CLIENT_CTX_LU_NODE_T *temp_array; cur_max_ctx_array *= 2; temp_array = (CLIENT_CTX_LU_NODE_T *) malloc(sizeof(CLIENT_CTX_LU_NODE_T)*cur_max_ctx_array); memset(temp_array, 0, sizeof(CLIENT_CTX_LU_NODE_T)*cur_max_ctx_array); memcpy(temp_array, p_ctx->client_ctx_array, sizeof(CLIENT_CTX_LU_NODE_T)*cur_max_ctx_array/2); free(p_ctx->client_ctx_array); p_ctx->client_ctx_array = temp_array; qsort(p_ctx->client_ctx_array, cur_max_ctx_array, sizeof(CLIENT_CTX_LU_NODE_T), bsearch_compare); empty_node = (CLIENT_CTX_LU_NODE_T *) bsearch(&zero_threadid, p_ctx->client_ctx_array, cur_max_ctx_array, sizeof(CLIENT_CTX_LU_NODE_T), bsearch_compare); } empty_index = (int) (empty_node - p_ctx->client_ctx_array); /* * add to the array and sort it into its proper place */ p_ctx->client_ctx_array[empty_index].threadid = cur_threadid; p_ctx->client_ctx_array[empty_index].client_ctx = c_ctx; qsort(p_ctx->client_ctx_array, cur_max_ctx_array, sizeof(CLIENT_CTX_LU_NODE_T), bsearch_compare); } else { /* * the entry was found in the tree, return the client context for this pid */ c_ctx = found_node->client_ctx; } return(c_ctx); }
/* * Test2 - exercise the server side variations triggered * by est_client_get_csrattrs() */ static void us900_test2 (void) { EST_CTX *ctx; unsigned char *pkey = NULL; unsigned char *cacerts = NULL; int cacerts_len = 0; EST_ERROR rc = EST_ERR_NONE; unsigned char *retrieved_cacerts = NULL; int retrieved_cacerts_len = 0; EVP_PKEY *priv_key; int csr_len; unsigned char *csr_data = NULL; sleep(1); LOG_FUNC_NM; /* * Read in the CA certificates */ cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); CU_ASSERT(cacerts_len > 0); /* * Read in the private key file */ priv_key = read_private_key(CLIENT_UT_PUBKEY); if (priv_key == NULL) { printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); return; } ctx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ctx != NULL); rc = est_client_set_auth(ctx, "", "", NULL, priv_key); CU_ASSERT(rc == EST_ERR_NONE); est_client_set_server(ctx, US900_SERVER_IP, US900_SERVER_PORT); /* * issue the get ca certs request */ rc = est_client_get_cacerts(ctx, &retrieved_cacerts_len); /* * should be successful, and should have obtained a valid buffer * containing the CA certs */ CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(retrieved_cacerts_len > 0); retrieved_cacerts = malloc(retrieved_cacerts_len); rc = est_client_copy_cacerts(ctx, retrieved_cacerts); /* * output the retrieved ca certs and compare to what they should be */ if (retrieved_cacerts) { printf("\nRetrieved CA Certs buffer:\n %.*s\n", retrieved_cacerts_len, retrieved_cacerts); printf("Retrieved CA certs buffer length: %d\n", retrieved_cacerts_len); } free(retrieved_cacerts); /* clear callback */ if (est_set_csr_cb(ectx, NULL)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* clear csrattrs */ rc = est_server_init_csrattrs(ectx, NULL, 0); CU_ASSERT(rc == EST_ERR_NONE); /* should get 204 with no data */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); CU_ASSERT(csr_data == NULL); /* Real base64 string - should pass */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_POP)); CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *)csr_data, csr_len) == 0); if (est_set_csr_cb(ectx, &handle_corrupt_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* callback should supersede init csrattrs */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); if (est_set_csr_cb(ectx, &handle_short_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* callback should supersede init csrattrs */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); if (est_set_csr_cb(ectx, &handle_long_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* callback should supersede init csrattrs */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* callback should supersede init csrattrs */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR1)); CU_ASSERT(strncmp(TEST_ATTR1, (const char *)csr_data, csr_len) == 0); /* clear csrattrs */ rc = est_server_init_csrattrs(ectx, NULL, 0); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR1)); CU_ASSERT(strncmp(TEST_ATTR1, (const char *)csr_data, csr_len) == 0); /* clear callback */ if (est_set_csr_cb(ectx, NULL)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* Setting the smallest size */ rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR2)); CU_ASSERT(strncmp(TEST_ATTR2, (const char *)csr_data, csr_len) == 0); rc = est_server_init_csrattrs(ectx, TEST_ATTR3, strlen(TEST_ATTR3)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR3)); CU_ASSERT(strncmp(TEST_ATTR3, (const char *)csr_data, csr_len) == 0); /* clear csrattrs */ rc = est_server_init_csrattrs(ectx, NULL, 0); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); rc = est_server_init_csrattrs(ectx, TEST_1024_NOPOP, strlen(TEST_1024_NOPOP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_1024_NOPOP)); CU_ASSERT(strncmp(TEST_1024_NOPOP, (const char *)csr_data, csr_len) == 0); /* Enable PoP and test responses with PoP added */ st_enable_pop(); rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_data != NULL); CU_ASSERT(csr_len = 20); CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *)csr_data, csr_len) == 0); rc = est_server_init_csrattrs(ectx, TEST_1024_NOPOP, strlen(TEST_1024_NOPOP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_1024_POP)); CU_ASSERT(strncmp(TEST_1024_POP, (const char *)csr_data, csr_len) == 0); /* Setting the size 122 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR4_122, strlen(TEST_ATTR4_122)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR4_122POP)); CU_ASSERT(strncmp(TEST_ATTR4_122POP, (const char *)csr_data, csr_len) == 0); /* Setting the size 117 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR5_117, strlen(TEST_ATTR5_117)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR5_117POP)); CU_ASSERT(strncmp(TEST_ATTR5_117POP, (const char *)csr_data, csr_len) == 0); /* Real base64 string needs PoP added - should pass */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_NOPOP, strlen(TEST_ATTR_NOPOP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP)); CU_ASSERT(strncmp(TEST_ATTR_NOPOPPOP, (const char *)csr_data, csr_len) == 0); /* Not a real base64 string - should fail */ rc = est_server_init_csrattrs(ectx, "US900 test1", 11); CU_ASSERT(rc != EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_POP)); CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *)csr_data, csr_len) == 0); /* Setting the smallest size */ rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP)); CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *)csr_data, csr_len) == 0); /* Setting the size 116 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR6_116, strlen(TEST_ATTR6_116)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the size 244 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_244, strlen(TEST_ATTR_244)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the size 245 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_245, strlen(TEST_ATTR_245)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the size 250 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_250, strlen(TEST_ATTR_250)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_250POP)); CU_ASSERT(strncmp(TEST_ATTR_250POP, (const char *)csr_data, csr_len) == 0); if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR1)); CU_ASSERT(strncmp(TEST_ATTR1, (const char *)csr_data, csr_len) == 0); if (est_set_csr_cb(ectx, &handle_nopop_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP)); CU_ASSERT(strncmp(TEST_ATTR_NOPOPPOP, (const char *)csr_data, csr_len) == 0); if (est_set_csr_cb(ectx, &handle_empty_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP)); CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *)csr_data, csr_len) == 0); /* disable PoP */ st_disable_pop(); /* clear callback */ if (est_set_csr_cb(ectx, NULL)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* Real base64 string PoP should not be added - should pass */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_NOPOP, strlen(TEST_ATTR_NOPOP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOP)); CU_ASSERT(strncmp(TEST_ATTR_NOPOP, (const char *)csr_data, csr_len) == 0); /* All ASN.1 types supported by OpenSSL */ rc = est_server_init_csrattrs(ectx, TEST_ALL_ATTR, strlen(TEST_ALL_ATTR)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ALL_ATTR)); CU_ASSERT(strncmp(TEST_ALL_ATTR, (const char *)csr_data, csr_len) == 0); rc = est_server_init_csrattrs(ectx, TEST_1025_NOPOP, strlen(TEST_1025_NOPOP)); CU_ASSERT(rc != EST_ERR_NONE); rc = est_server_init_csrattrs(ectx, TEST_LONG_ATTR, strlen(TEST_LONG_ATTR)); CU_ASSERT(rc != EST_ERR_NONE); if (ctx) { est_destroy(ctx); } if (cacerts) { free(cacerts); } if (pkey) { free(pkey); } }