/* * This test case attempts to re-enroll. PoP is disabled on * the EST server. The CSR does not contain a PoP. */ static void us893_test9 (void) { int rv; LOG_FUNC_NM; /* * Make sure PoP is disabled on the server */ st_disable_pop(); /* * Use libcurl to send an enroll request. We use libcurl * because it will not include the PoP. */ rv = curl_http_post(US893_REENROLL_URL_BA, US893_PKCS10_CT, US893_PKCS10_RSA2048, US893_UIDPWD_GOOD, US893_CACERTS, CURLAUTH_BASIC, NULL, NULL, NULL); /* * The reenroll should work since PoP is not enabled anywhere. */ CU_ASSERT(rv == 200); /* * Re-enable PoP on the server for the forthcoming test cases. */ st_enable_pop(); }
/* * Test1 - exercise the server side variations triggered * by est_client_get_csrattrs() */ static void us895_test1 (void) { EST_CTX *ctx; unsigned char *pkey = NULL; unsigned char *cacerts = NULL; int cacerts_len = 0; EST_ERROR rc = EST_ERR_NONE; EVP_PKEY * priv_key; int csr_len; unsigned char *csr_data = NULL; SLEEP(1); LOG_FUNC_NM ; /* * Read in the CA certificates */ cacerts_len = read_binary_file(SERVER_UT_CACERT, &cacerts); CU_ASSERT(cacerts_len > 0); /* * Read in the private key file */ priv_key = read_private_key(SERVER_UT_PUBKEY); if (priv_key == NULL) { printf("\nError while reading private key file %s\n", SERVER_UT_PUBKEY); return; } ctx = est_client_init( cacerts, cacerts_len, EST_CERT_FORMAT_PEM, proxy_manual_cert_verify); CU_ASSERT(ctx != NULL); rc = est_client_set_auth(ctx, "", "", NULL, priv_key); CU_ASSERT(rc == EST_ERR_NONE); est_client_set_server(ctx, US895_SERVER_IP, US895_PROXY_PORT, NULL); /* clear callback */ if (est_set_csr_cb(ectx, NULL)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* clear csrattrs */ rc = est_server_init_csrattrs(ectx, NULL, 0); CU_ASSERT(rc == EST_ERR_NONE); /* should get 204 with no data */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); CU_ASSERT(csr_data == NULL); /* Real base64 string - should pass */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_POP)); CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *) csr_data, csr_len) == 0); if (est_set_csr_cb(ectx, &handle_short_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* callback should supersede init csrattrs */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); if (est_set_csr_cb(ectx, &handle_corrupt_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* callback should supersede init csrattrs */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); if (est_set_csr_cb(ectx, &handle_long_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* callback should supersede init csrattrs */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* callback should supersede init csrattrs */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR1)); CU_ASSERT(strncmp(TEST_ATTR1, (const char *) csr_data, csr_len) == 0); /* clear csrattrs */ rc = est_server_init_csrattrs(ectx, NULL, 0); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR1)); CU_ASSERT(strncmp(TEST_ATTR1, (const char *) csr_data, csr_len) == 0); /* clear callback */ if (est_set_csr_cb(ectx, NULL)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* Setting the smallest base64 size */ rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR2)); CU_ASSERT(strncmp(TEST_ATTR2, (const char *) csr_data, csr_len) == 0); rc = est_server_init_csrattrs(ectx, TEST_ATTR3, strlen(TEST_ATTR3)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR3)); CU_ASSERT(strncmp(TEST_ATTR3, (const char *) csr_data, csr_len) == 0); /* clear csrattrs */ rc = est_server_init_csrattrs(ectx, NULL, 0); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); rc = est_server_init_csrattrs( ectx, TEST_1024_NOPOP, strlen(TEST_1024_NOPOP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_1024_NOPOP)); CU_ASSERT(strncmp(TEST_1024_NOPOP, (const char *) csr_data, csr_len) == 0); /* Enable PoP and test responses with PoP added */ st_enable_pop(); rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_data != NULL); CU_ASSERT(csr_len = 20); CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *) csr_data, csr_len) == 0); rc = est_server_init_csrattrs( ectx, TEST_1024_NOPOP, strlen(TEST_1024_NOPOP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_1024_POP)); CU_ASSERT(strncmp(TEST_1024_POP, (const char *) csr_data, csr_len) == 0); /* Setting the size 122 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR4_122, strlen(TEST_ATTR4_122)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR4_122POP)); CU_ASSERT( strncmp(TEST_ATTR4_122POP, (const char *) csr_data, csr_len) == 0); /* Setting the size 117 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR5_117, strlen(TEST_ATTR5_117)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR5_117POP)); CU_ASSERT( strncmp(TEST_ATTR5_117POP, (const char *) csr_data, csr_len) == 0); /* Real base64 string needs PoP added - should pass */ rc = est_server_init_csrattrs( ectx, TEST_ATTR_NOPOP, strlen(TEST_ATTR_NOPOP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP)); CU_ASSERT( strncmp(TEST_ATTR_NOPOPPOP, (const char *) csr_data, csr_len) == 0); /* Not a real base64 string - should fail */ rc = est_server_init_csrattrs(ectx, "US900 test1", 11); CU_ASSERT(rc != EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_POP)); CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *) csr_data, csr_len) == 0); /* Setting the smallest size */ rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP)); CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *) csr_data, csr_len) == 0); /* Setting the size 116 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR6_116, strlen(TEST_ATTR6_116)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the size 244 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_244, strlen(TEST_ATTR_244)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the size 245 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_245, strlen(TEST_ATTR_245)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the size 250 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_250, strlen(TEST_ATTR_250)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_250POP)); CU_ASSERT(strncmp(TEST_ATTR_250POP, (const char *) csr_data, csr_len) == 0); if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR1)); CU_ASSERT(strncmp(TEST_ATTR1, (const char *) csr_data, csr_len) == 0); if (est_set_csr_cb(ectx, &handle_nopop_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP)); CU_ASSERT( strncmp(TEST_ATTR_NOPOPPOP, (const char *) csr_data, csr_len) == 0); if (est_set_csr_cb(ectx, &handle_empty_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP)); CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *) csr_data, csr_len) == 0); /* disable PoP */ st_disable_pop(); /* clear callback */ if (est_set_csr_cb(ectx, NULL)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* Real base64 string PoP should not be added - should pass */ rc = est_server_init_csrattrs( ectx, TEST_ATTR_NOPOP, strlen(TEST_ATTR_NOPOP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOP)); CU_ASSERT(strncmp(TEST_ATTR_NOPOP, (const char *) csr_data, csr_len) == 0); /* All ASN.1 types supported by CiscoSSL */ rc = est_server_init_csrattrs(ectx, TEST_ALL_ATTR, strlen(TEST_ALL_ATTR)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ALL_ATTR)); CU_ASSERT(strncmp(TEST_ALL_ATTR, (const char *) csr_data, csr_len) == 0); if (ctx) { est_destroy(ctx); } if (cacerts) { free(cacerts); } if (pkey) { free(pkey); } }
/* * Simple enroll - PoP check succeeds with estclient * * This test case verifies the proxy is * verifying the PoP from the client CSR. We use * estclient since it supports the PoP. */ static void us748_test7 (void) { long rv; EST_CTX *c_ctx; EVP_PKEY *new_pkey; unsigned char *pkcs7; int pkcs7_len; unsigned char *attr_data; int attr_len; LOG_FUNC_NM; /* * This test case requires PoP to be enabled */ st_enable_pop(); /* * Create a client context */ c_ctx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(c_ctx != NULL); if (!c_ctx) { return; } /* * Specify user ID and password since the server is running * in Basic Authentication mode. */ rv = est_client_set_auth(c_ctx, "estuser", "estpwd", NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); est_client_set_server(c_ctx, "127.0.0.1", US748_TCP_PROXY_PORT); /* * get a keypair to be used in the enroll. */ new_pkey = generate_private_key(); rv = est_client_get_csrattrs(c_ctx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Attempt to enroll a CSR */ rv = est_client_enroll(c_ctx, "US748-test7 CN", &pkcs7_len, new_pkey); CU_ASSERT(rv == EST_ERR_NONE); /* * Client library has obtained the new client certificate. * Now retrieve it from the library. */ pkcs7 = malloc(pkcs7_len); if (!pkcs7) { return; } rv = est_client_copy_enrolled_cert (c_ctx, pkcs7); CU_ASSERT(rv == EST_ERR_NONE); /* * Clean up */ est_destroy(c_ctx); EVP_PKEY_free(new_pkey); free(pkcs7); /* * Disable PoP for future test cases */ st_disable_pop(); }
/* * This test case uses an existing expired cert and * attempts to re-enroll it. PoP is disabled on * the EST server. */ static void us893_test8 (void) { EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; X509 *cert = NULL; int rv; int pkcs7_len = 0; BIO *in; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Make sure PoP is disabled on the server */ st_disable_pop(); /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, NULL); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT); /* * Read in the private key */ key_len = read_binary_file("US893/key-expired.pem", &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Enroll an expired cert that contains x509 extensions. */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_NONE); est_destroy(ectx); /* * Re-enable PoP on the server for the forthcoming test cases. */ st_enable_pop(); }
static void us893_test7 (void) { int rv; EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; int pkcs7_len = 0; X509 *cert = NULL; BIO *in; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Make sure PoP is disabled on the server */ st_disable_pop(); /* * Stop the proxy server so we can restart * it using a different identity cert. */ st_proxy_stop(); /* * Restart the proxy server using the other cert */ rv = st_proxy_start(US893_TCP_PROXY_PORT, US893_SERVER_CERTKEY, US893_SERVER_CERTKEY, "US893 test realm", "CA/estCA/cacert.crt", "CA/trustedcerts.crt", "estuser", "estpwd", "127.0.0.1", US893_TCP_SERVER_PORT, 0, 0); CU_ASSERT(rv == 0); /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, NULL); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT); /* * Read in the private key */ key_len = read_binary_file("US893/key-expired.pem", &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); ectx->csr_pop_required = 1; //This is a hack for testing only, do not attempt this //We need to force the challengePassword into the CSR rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_HTTP_BAD_REQ); /* * Stop the proxy server */ st_proxy_stop(); /* * Restart the proxy server using the other cert */ rv = st_proxy_start(US893_TCP_PROXY_PORT, US893_PROXY_CERT, US893_PROXY_KEY, "US893 test realm", "CA/estCA/cacert.crt", "CA/trustedcerts.crt", "estuser", "estpwd", "127.0.0.1", US893_TCP_SERVER_PORT, 0, 0); CU_ASSERT(rv == 0); /* * Re-enable PoP on the server for the forthcoming test cases. */ st_enable_pop(); est_destroy(ectx); }
/* * This test attempts to re-enroll without PoP * while the EST server is configured with PoP * disabled, but the proxy server is using a cert * that doesn't contain id-kp-cmcRA. This should * result in a failure because the subjects * of the proxy cert and the client do not agree. */ static void us893_test6 (void) { int rv; LOG_FUNC_NM; /* * Make sure PoP is disabled on the server */ st_disable_pop(); /* * Stop the proxy server so we can restart * it using a different identity cert. */ st_proxy_stop(); /* * Restart the proxy server using the other cert */ rv = st_proxy_start(US893_TCP_PROXY_PORT, US893_SERVER_CERTKEY, US893_SERVER_CERTKEY, "US893 test realm", "CA/estCA/cacert.crt", "CA/trustedcerts.crt", "estuser", "estpwd", "127.0.0.1", US893_TCP_SERVER_PORT, 0, 0); CU_ASSERT(rv == 0); /* * Use libcurl to send an enroll request. We use libcurl * because it will not include the PoP. */ rv = curl_http_post(US893_REENROLL_URL_BA, US893_PKCS10_CT, US893_PKCS10_RSA2048, US893_UIDPWD_GOOD, US893_CACERTS, CURLAUTH_BASIC, NULL, NULL, NULL); /* * The reenroll should not work since id-kp-cmcRA is not set and the subjects do not agree. */ CU_ASSERT(rv == 400); /* * Stop the proxy server */ st_proxy_stop(); /* * Restart the proxy server using the other cert */ rv = st_proxy_start(US893_TCP_PROXY_PORT, US893_PROXY_CERT, US893_PROXY_KEY, "US893 test realm", "CA/estCA/cacert.crt", "CA/trustedcerts.crt", "estuser", "estpwd", "127.0.0.1", US893_TCP_SERVER_PORT, 0, 0); CU_ASSERT(rv == 0); /* * Re-enable PoP on the server for the forthcoming test cases. */ st_enable_pop(); }
/* * Test2 - exercise the server side variations triggered * by est_client_get_csrattrs() */ static void us900_test2 (void) { EST_CTX *ctx; unsigned char *pkey = NULL; unsigned char *cacerts = NULL; int cacerts_len = 0; EST_ERROR rc = EST_ERR_NONE; unsigned char *retrieved_cacerts = NULL; int retrieved_cacerts_len = 0; EVP_PKEY *priv_key; int csr_len; unsigned char *csr_data = NULL; sleep(1); LOG_FUNC_NM; /* * Read in the CA certificates */ cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); CU_ASSERT(cacerts_len > 0); /* * Read in the private key file */ priv_key = read_private_key(CLIENT_UT_PUBKEY); if (priv_key == NULL) { printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); return; } ctx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ctx != NULL); rc = est_client_set_auth(ctx, "", "", NULL, priv_key); CU_ASSERT(rc == EST_ERR_NONE); est_client_set_server(ctx, US900_SERVER_IP, US900_SERVER_PORT); /* * issue the get ca certs request */ rc = est_client_get_cacerts(ctx, &retrieved_cacerts_len); /* * should be successful, and should have obtained a valid buffer * containing the CA certs */ CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(retrieved_cacerts_len > 0); retrieved_cacerts = malloc(retrieved_cacerts_len); rc = est_client_copy_cacerts(ctx, retrieved_cacerts); /* * output the retrieved ca certs and compare to what they should be */ if (retrieved_cacerts) { printf("\nRetrieved CA Certs buffer:\n %.*s\n", retrieved_cacerts_len, retrieved_cacerts); printf("Retrieved CA certs buffer length: %d\n", retrieved_cacerts_len); } free(retrieved_cacerts); /* clear callback */ if (est_set_csr_cb(ectx, NULL)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* clear csrattrs */ rc = est_server_init_csrattrs(ectx, NULL, 0); CU_ASSERT(rc == EST_ERR_NONE); /* should get 204 with no data */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); CU_ASSERT(csr_data == NULL); /* Real base64 string - should pass */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_POP)); CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *)csr_data, csr_len) == 0); if (est_set_csr_cb(ectx, &handle_corrupt_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* callback should supersede init csrattrs */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); if (est_set_csr_cb(ectx, &handle_short_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* callback should supersede init csrattrs */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); if (est_set_csr_cb(ectx, &handle_long_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* callback should supersede init csrattrs */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* callback should supersede init csrattrs */ rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR1)); CU_ASSERT(strncmp(TEST_ATTR1, (const char *)csr_data, csr_len) == 0); /* clear csrattrs */ rc = est_server_init_csrattrs(ectx, NULL, 0); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR1)); CU_ASSERT(strncmp(TEST_ATTR1, (const char *)csr_data, csr_len) == 0); /* clear callback */ if (est_set_csr_cb(ectx, NULL)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* Setting the smallest size */ rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR2)); CU_ASSERT(strncmp(TEST_ATTR2, (const char *)csr_data, csr_len) == 0); rc = est_server_init_csrattrs(ectx, TEST_ATTR3, strlen(TEST_ATTR3)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR3)); CU_ASSERT(strncmp(TEST_ATTR3, (const char *)csr_data, csr_len) == 0); /* clear csrattrs */ rc = est_server_init_csrattrs(ectx, NULL, 0); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == 0); rc = est_server_init_csrattrs(ectx, TEST_1024_NOPOP, strlen(TEST_1024_NOPOP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_1024_NOPOP)); CU_ASSERT(strncmp(TEST_1024_NOPOP, (const char *)csr_data, csr_len) == 0); /* Enable PoP and test responses with PoP added */ st_enable_pop(); rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_data != NULL); CU_ASSERT(csr_len = 20); CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *)csr_data, csr_len) == 0); rc = est_server_init_csrattrs(ectx, TEST_1024_NOPOP, strlen(TEST_1024_NOPOP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_1024_POP)); CU_ASSERT(strncmp(TEST_1024_POP, (const char *)csr_data, csr_len) == 0); /* Setting the size 122 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR4_122, strlen(TEST_ATTR4_122)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR4_122POP)); CU_ASSERT(strncmp(TEST_ATTR4_122POP, (const char *)csr_data, csr_len) == 0); /* Setting the size 117 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR5_117, strlen(TEST_ATTR5_117)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR5_117POP)); CU_ASSERT(strncmp(TEST_ATTR5_117POP, (const char *)csr_data, csr_len) == 0); /* Real base64 string needs PoP added - should pass */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_NOPOP, strlen(TEST_ATTR_NOPOP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP)); CU_ASSERT(strncmp(TEST_ATTR_NOPOPPOP, (const char *)csr_data, csr_len) == 0); /* Not a real base64 string - should fail */ rc = est_server_init_csrattrs(ectx, "US900 test1", 11); CU_ASSERT(rc != EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_POP)); CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *)csr_data, csr_len) == 0); /* Setting the smallest size */ rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP)); CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *)csr_data, csr_len) == 0); /* Setting the size 116 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR6_116, strlen(TEST_ATTR6_116)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the size 244 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_244, strlen(TEST_ATTR_244)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the size 245 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_245, strlen(TEST_ATTR_245)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the size 250 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_250, strlen(TEST_ATTR_250)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_250POP)); CU_ASSERT(strncmp(TEST_ATTR_250POP, (const char *)csr_data, csr_len) == 0); if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR1)); CU_ASSERT(strncmp(TEST_ATTR1, (const char *)csr_data, csr_len) == 0); if (est_set_csr_cb(ectx, &handle_nopop_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP)); CU_ASSERT(strncmp(TEST_ATTR_NOPOPPOP, (const char *)csr_data, csr_len) == 0); if (est_set_csr_cb(ectx, &handle_empty_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP)); CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *)csr_data, csr_len) == 0); /* disable PoP */ st_disable_pop(); /* clear callback */ if (est_set_csr_cb(ectx, NULL)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } /* Real base64 string PoP should not be added - should pass */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_NOPOP, strlen(TEST_ATTR_NOPOP)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOP)); CU_ASSERT(strncmp(TEST_ATTR_NOPOP, (const char *)csr_data, csr_len) == 0); /* All ASN.1 types supported by OpenSSL */ rc = est_server_init_csrattrs(ectx, TEST_ALL_ATTR, strlen(TEST_ALL_ATTR)); CU_ASSERT(rc == EST_ERR_NONE); rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len); CU_ASSERT(rc == EST_ERR_NONE); CU_ASSERT(csr_len == strlen(TEST_ALL_ATTR)); CU_ASSERT(strncmp(TEST_ALL_ATTR, (const char *)csr_data, csr_len) == 0); rc = est_server_init_csrattrs(ectx, TEST_1025_NOPOP, strlen(TEST_1025_NOPOP)); CU_ASSERT(rc != EST_ERR_NONE); rc = est_server_init_csrattrs(ectx, TEST_LONG_ATTR, strlen(TEST_LONG_ATTR)); CU_ASSERT(rc != EST_ERR_NONE); if (ctx) { est_destroy(ctx); } if (cacerts) { free(cacerts); } if (pkey) { free(pkey); } }
/* * Test1 - exercise the est_server_init_csrattrs() API. */ static void us900_test1 (void) { int rc; LOG_FUNC_NM; /* NULL ctx - should fail */ rc = est_server_init_csrattrs(NULL, "US900 test1", 10); CU_ASSERT(rc != EST_ERR_NONE); /* NULL string - should pass */ rc = est_server_init_csrattrs(ectx, NULL, 10); CU_ASSERT(rc == EST_ERR_NONE); /* Zero length - should fail */ rc = est_server_init_csrattrs(ectx, "US900 test1", 0); CU_ASSERT(rc != EST_ERR_NONE); /* Length too long - should fail */ rc = est_server_init_csrattrs(ectx, "US900 test1", MAX_CSRATTRS+1); CU_ASSERT(rc != EST_ERR_NONE); /* Not a real base64 string - should fail */ rc = est_server_init_csrattrs(ectx, "US900 test1", 11); CU_ASSERT(rc != EST_ERR_NONE); /* Real base64 string - should pass */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP)); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the smallest base64 size */ rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2)); CU_ASSERT(rc == EST_ERR_NONE); /* Setting an illegally small base64 size */ rc = est_server_init_csrattrs(ectx, TEST_ATTR7, strlen(TEST_ATTR7)); CU_ASSERT(rc != EST_ERR_NONE); /* Setting the size 122 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR4_122, strlen(TEST_ATTR4_122)); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the size 117 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR5_117, strlen(TEST_ATTR5_117)); CU_ASSERT(rc == EST_ERR_NONE); /* enable PoP */ st_enable_pop(); /* Real base64 string needs PoP added - should pass */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_NOPOP, strlen(TEST_ATTR_NOPOP)); CU_ASSERT(rc == EST_ERR_NONE); /* Not a real base64 string - should fail */ rc = est_server_init_csrattrs(ectx, "US900 test1", 11); CU_ASSERT(rc != EST_ERR_NONE); /* Setting the smallest size */ rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2)); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the size 122 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR4_122, strlen(TEST_ATTR4_122)); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the size 117 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR5_117, strlen(TEST_ATTR5_117)); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the size 116 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR6_116, strlen(TEST_ATTR6_116)); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the size 244 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_244, strlen(TEST_ATTR_244)); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the size 245 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_245, strlen(TEST_ATTR_245)); CU_ASSERT(rc == EST_ERR_NONE); /* Setting the size 250 */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_250, strlen(TEST_ATTR_250)); CU_ASSERT(rc == EST_ERR_NONE); /* All ASN.1 types supported by OpenSSL */ rc = est_server_init_csrattrs(ectx, TEST_ALL_ATTR, strlen(TEST_ALL_ATTR)); CU_ASSERT(rc == EST_ERR_NONE); /* disable PoP */ st_disable_pop(); /* All ASN.1 types supported by OpenSSL */ rc = est_server_init_csrattrs(ectx, TEST_ALL_ATTR, strlen(TEST_ALL_ATTR)); CU_ASSERT(rc == EST_ERR_NONE); /* Real base64 string PoP should not be added - should pass */ rc = est_server_init_csrattrs(ectx, TEST_ATTR_NOPOP, strlen(TEST_ATTR_NOPOP)); CU_ASSERT(rc == EST_ERR_NONE); }