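/*
 * Launch st_server with the common US901 settings. The four server
 * flavors differ only in the trusted certificate store handed to
 * st_start, so that is the one parameter. Returns st_start's result.
 */
static int us901_st_start(const char *trusted_certs)
{
    return st_start(US901_SERVER_PORT, US901_SERVER_CERTKEY, US901_SERVER_CERTKEY,
                    "estrealm", "CA/estCA/cacert.crt", trusted_certs,
                    "CA/estExampleCA.cnf", 0, 0, 0);
}

/*
 * Generate a fresh CRL for the example CA and append it to the trusted
 * certificate bundle, producing US901/trustedcertsandcrl.crt.
 *
 * Both commands are fixed string literals; no caller-supplied data reaches
 * the shell. Returns 0 on success, -1 if either command could not be run
 * or exited non-zero, so a stale or missing CRL bundle is reported rather
 * than silently used by the CRL-checking server.
 */
static int us901_build_crl_truststore(void)
{
    int status;

    status = system("openssl ca -config CA/estExampleCA.cnf -gencrl -out CA/estCA/crl.pem");
    if (status != 0) {
        return -1;
    }
    SLEEP(1);

    status = system("cat CA/trustedcerts.crt CA/estCA/crl.pem > US901/trustedcertsandcrl.crt");
    if (status != 0) {
        return -1;
    }
    SLEEP(1);

    return 0;
}

/*
 * Start the appropriate flavor of st_server based on the character
 * specified:
 *   B - Basic auth
 *   D - Digest auth
 *   C - CRL checking (HTTP auth disabled)
 *   N - No auth
 *
 * Returns the st_start result, or -1 for an unknown flavor or when the
 * CRL trust store for the 'C' flavor could not be built. As before, the
 * st_enable_*/st_disable_* calls are made regardless of st_start's result.
 */
static int us901_start_server(char server_type)
{
    int rv;

    switch (server_type) {
    case 'B':
        rv = us901_st_start("CA/trustedcerts.crt");
        st_enable_http_basic_auth();
        break;
    case 'D':
        rv = us901_st_start("CA/trustedcerts.crt");
        st_enable_http_digest_auth();
        break;
    case 'C':
        /* Fail early instead of running the CRL test against a bundle
         * that the shell commands failed to (re)generate. */
        if (us901_build_crl_truststore() != 0) {
            return -1;
        }
        rv = us901_st_start("US901/trustedcertsandcrl.crt");
        st_enable_crl();
        st_disable_http_auth();
        break;
    case 'N':
        rv = us901_st_start("CA/trustedcerts.crt");
        st_disable_http_auth();
        break;
    default:
        rv = -1;
        break;
    }

    return rv;
}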
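/*
 * Verify that a bogus user ID/password fails when
 * using HTTP digest auth.
 *
 * The server is switched to digest auth for the duration of the test and
 * put back on basic auth before returning. This happens on every exit
 * path (including a failed assertion that bails out early), so this test
 * cannot leave the shared server in digest mode for the tests that follow.
 * Every resource acquired here is also released on every path.
 */
static void us898_test9 (void)
{
    EST_CTX *ectx = NULL;
    EVP_PKEY *key = NULL;
    unsigned char *key_raw = NULL;
    int key_len;
    unsigned char *cert_raw = NULL;
    int cert_len;
    int rv;
    int pkcs7_len = 0;
    X509 *cert = NULL;
    BIO *in = NULL;
    unsigned char *attr_data = NULL;
    int attr_len;

    LOG_FUNC_NM;

    /*
     * Enable HTTP digest authentication
     */
    st_enable_http_digest_auth();

    /*
     * Create a client context
     */
    ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM,
                           client_manual_cert_verify);
    CU_ASSERT(ectx != NULL);
    if (!ectx) {
        goto cleanup;
    }

    /*
     * Set the authentication mode to use a user id/password.
     * This is the bogus credential pair the server is expected to reject.
     */
    rv = est_client_set_auth(ectx, "jdoe", "panthers", NULL, NULL);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Set the EST server address/port
     */
    est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);

    /*
     * Read in the private key
     */
    key_len = read_binary_file("US898/key-expired.pem", &key_raw);
    CU_ASSERT(key_len > 0);
    if (key_len <= 0) {
        goto cleanup;
    }
    key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
    CU_ASSERT(key != NULL);
    if (!key) {
        goto cleanup;
    }

    /*
     * Read in the old cert
     */
    cert_len = read_binary_file("US898/cert-expired.pem", &cert_raw);
    CU_ASSERT(cert_len > 0);
    if (cert_len <= 0) {
        goto cleanup;
    }
    in = BIO_new_mem_buf(cert_raw, cert_len);
    CU_ASSERT(in != NULL);
    if (!in) {
        goto cleanup;
    }
    cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
    CU_ASSERT(cert != NULL);
    if (!cert) {
        goto cleanup;
    }

    /*
     * Get the latest CSR attributes
     */
    rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
    CU_ASSERT(rv == EST_ERR_NONE);

    /*
     * Attempt to re-enroll the expired cert. With digest auth enabled and
     * bogus credentials, the server must reject the request with an
     * authentication failure rather than issue a certificate.
     */
    rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
    CU_ASSERT(rv == EST_ERR_AUTH_FAIL);

cleanup:
    /*
     * attr_data is filled in by est_client_get_csrattrs; its ownership is
     * not visible from this function. If the library hands the caller a
     * malloc'd buffer it should be released here as well -- TODO confirm
     * against the est_client_get_csrattrs contract.
     */
    if (in) {
        BIO_free_all(in);
    }
    if (cert) {
        X509_free(cert);
    }
    if (key) {
        EVP_PKEY_free(key);
    }
    free(cert_raw);
    free(key_raw);
    if (ectx) {
        est_destroy(ectx);
    }

    /*
     * Re-enable HTTP basic authentication
     */
    st_enable_http_basic_auth();
}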