/*
* This test case attempts to re-enroll. PoP is disabled on
* the EST server. The CSR does not contain a PoP.
*/
static void us893_test9 (void)
{
int rv;
LOG_FUNC_NM;
/*
* Make sure PoP is disabled on the server
*/
st_disable_pop();
/*
* Use libcurl to send an enroll request. We use libcurl
* because it will not include the PoP.
*/
rv = curl_http_post(US893_REENROLL_URL_BA, US893_PKCS10_CT,
US893_PKCS10_RSA2048,
US893_UIDPWD_GOOD, US893_CACERTS, CURLAUTH_BASIC,
NULL, NULL, NULL);
/*
* The reenroll should work since PoP is not enabled anywhere.
*/
CU_ASSERT(rv == 200);
/*
* Re-enable PoP on the server for the forthcoming test cases.
*/
st_enable_pop();
}
/*
* Test1 - exercise the server side variations triggered
* by est_client_get_csrattrs()
*/
static void us895_test1 (void)
{
EST_CTX *ctx;
unsigned char *pkey = NULL;
unsigned char *cacerts = NULL;
int cacerts_len = 0;
EST_ERROR rc = EST_ERR_NONE;
EVP_PKEY * priv_key;
int csr_len;
unsigned char *csr_data = NULL;
SLEEP(1);
LOG_FUNC_NM
;
/*
* Read in the CA certificates
*/
cacerts_len = read_binary_file(SERVER_UT_CACERT, &cacerts);
CU_ASSERT(cacerts_len > 0);
/*
* Read in the private key file
*/
priv_key = read_private_key(SERVER_UT_PUBKEY);
if (priv_key == NULL) {
printf("\nError while reading private key file %s\n", SERVER_UT_PUBKEY);
return;
}
ctx = est_client_init(
cacerts,
cacerts_len,
EST_CERT_FORMAT_PEM,
proxy_manual_cert_verify);
CU_ASSERT(ctx != NULL);
rc = est_client_set_auth(ctx, "", "", NULL, priv_key);
CU_ASSERT(rc == EST_ERR_NONE);
est_client_set_server(ctx, US895_SERVER_IP, US895_PROXY_PORT, NULL);
/* clear callback */
if (est_set_csr_cb(ectx, NULL)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* clear csrattrs */
rc = est_server_init_csrattrs(ectx, NULL, 0);
CU_ASSERT(rc == EST_ERR_NONE);
/* should get 204 with no data */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
CU_ASSERT(csr_data == NULL);
/* Real base64 string - should pass */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_POP));
CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *) csr_data, csr_len) == 0);
if (est_set_csr_cb(ectx, &handle_short_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* callback should supersede init csrattrs */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
if (est_set_csr_cb(ectx, &handle_corrupt_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* callback should supersede init csrattrs */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
if (est_set_csr_cb(ectx, &handle_long_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* callback should supersede init csrattrs */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* callback should supersede init csrattrs */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR1));
CU_ASSERT(strncmp(TEST_ATTR1, (const char *) csr_data, csr_len) == 0);
/* clear csrattrs */
rc = est_server_init_csrattrs(ectx, NULL, 0);
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR1));
CU_ASSERT(strncmp(TEST_ATTR1, (const char *) csr_data, csr_len) == 0);
/* clear callback */
if (est_set_csr_cb(ectx, NULL)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* Setting the smallest base64 size */
rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR2));
CU_ASSERT(strncmp(TEST_ATTR2, (const char *) csr_data, csr_len) == 0);
rc = est_server_init_csrattrs(ectx, TEST_ATTR3, strlen(TEST_ATTR3));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR3));
CU_ASSERT(strncmp(TEST_ATTR3, (const char *) csr_data, csr_len) == 0);
/* clear csrattrs */
rc = est_server_init_csrattrs(ectx, NULL, 0);
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
rc = est_server_init_csrattrs(
ectx,
TEST_1024_NOPOP,
strlen(TEST_1024_NOPOP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_1024_NOPOP));
CU_ASSERT(strncmp(TEST_1024_NOPOP, (const char *) csr_data, csr_len) == 0);
/* Enable PoP and test responses with PoP added */
st_enable_pop();
rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_data != NULL);
CU_ASSERT(csr_len = 20);
CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *) csr_data, csr_len) == 0);
rc = est_server_init_csrattrs(
ectx,
TEST_1024_NOPOP,
strlen(TEST_1024_NOPOP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_1024_POP));
CU_ASSERT(strncmp(TEST_1024_POP, (const char *) csr_data, csr_len) == 0);
/* Setting the size 122 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR4_122, strlen(TEST_ATTR4_122));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR4_122POP));
CU_ASSERT(
strncmp(TEST_ATTR4_122POP, (const char *) csr_data, csr_len) == 0);
/* Setting the size 117 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR5_117, strlen(TEST_ATTR5_117));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR5_117POP));
CU_ASSERT(
strncmp(TEST_ATTR5_117POP, (const char *) csr_data, csr_len) == 0);
/* Real base64 string needs PoP added - should pass */
rc = est_server_init_csrattrs(
ectx,
TEST_ATTR_NOPOP,
strlen(TEST_ATTR_NOPOP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP));
CU_ASSERT(
strncmp(TEST_ATTR_NOPOPPOP, (const char *) csr_data, csr_len) == 0);
/* Not a real base64 string - should fail */
rc = est_server_init_csrattrs(ectx, "US900 test1", 11);
CU_ASSERT(rc != EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_POP));
CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *) csr_data, csr_len) == 0);
/* Setting the smallest size */
rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP));
CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *) csr_data, csr_len) == 0);
/* Setting the size 116 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR6_116, strlen(TEST_ATTR6_116));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the size 244 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_244, strlen(TEST_ATTR_244));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the size 245 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_245, strlen(TEST_ATTR_245));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the size 250 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_250, strlen(TEST_ATTR_250));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_250POP));
CU_ASSERT(strncmp(TEST_ATTR_250POP, (const char *) csr_data, csr_len) == 0);
if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR1));
CU_ASSERT(strncmp(TEST_ATTR1, (const char *) csr_data, csr_len) == 0);
if (est_set_csr_cb(ectx, &handle_nopop_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP));
CU_ASSERT(
strncmp(TEST_ATTR_NOPOPPOP, (const char *) csr_data, csr_len) == 0);
if (est_set_csr_cb(ectx, &handle_empty_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP));
CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *) csr_data, csr_len) == 0);
/* disable PoP */
st_disable_pop();
/* clear callback */
if (est_set_csr_cb(ectx, NULL)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* Real base64 string PoP should not be added - should pass */
rc = est_server_init_csrattrs(
ectx,
TEST_ATTR_NOPOP,
strlen(TEST_ATTR_NOPOP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOP));
CU_ASSERT(strncmp(TEST_ATTR_NOPOP, (const char *) csr_data, csr_len) == 0);
/* All ASN.1 types supported by CiscoSSL */
rc = est_server_init_csrattrs(ectx, TEST_ALL_ATTR, strlen(TEST_ALL_ATTR));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ALL_ATTR));
CU_ASSERT(strncmp(TEST_ALL_ATTR, (const char *) csr_data, csr_len) == 0);
if (ctx) {
est_destroy(ctx);
}
if (cacerts) {
free(cacerts);
}
if (pkey) {
free(pkey);
}
}
/*
* Simple enroll - PoP check succeeds with estclient
*
* This test case verifies the proxy is
* verifying the PoP from the client CSR. We use
* estclient since it supports the PoP.
*/
static void us748_test7 (void)
{
long rv;
EST_CTX *c_ctx;
EVP_PKEY *new_pkey;
unsigned char *pkcs7;
int pkcs7_len;
unsigned char *attr_data;
int attr_len;
LOG_FUNC_NM;
/*
* This test case requires PoP to be enabled
*/
st_enable_pop();
/*
* Create a client context
*/
c_ctx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(c_ctx != NULL);
if (!c_ctx) {
return;
}
/*
* Specify user ID and password since the server is running
* in Basic Authentication mode.
*/
rv = est_client_set_auth(c_ctx, "estuser", "estpwd", NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
est_client_set_server(c_ctx, "127.0.0.1", US748_TCP_PROXY_PORT);
/*
* get a keypair to be used in the enroll.
*/
new_pkey = generate_private_key();
rv = est_client_get_csrattrs(c_ctx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Attempt to enroll a CSR
*/
rv = est_client_enroll(c_ctx, "US748-test7 CN", &pkcs7_len, new_pkey);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Client library has obtained the new client certificate.
* Now retrieve it from the library.
*/
pkcs7 = malloc(pkcs7_len);
if (!pkcs7) {
return;
}
rv = est_client_copy_enrolled_cert (c_ctx, pkcs7);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Clean up
*/
est_destroy(c_ctx);
EVP_PKEY_free(new_pkey);
free(pkcs7);
/*
* Disable PoP for future test cases
*/
st_disable_pop();
}
/*
* This test case uses an existing expired cert and
* attempts to re-enroll it. PoP is disabled on
* the EST server.
*/
static void us893_test8 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
X509 *cert = NULL;
int rv;
int pkcs7_len = 0;
BIO *in;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Make sure PoP is disabled on the server
*/
st_disable_pop();
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
NULL);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT);
/*
* Read in the private key
*/
key_len = read_binary_file("US893/key-expired.pem", &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Enroll an expired cert that contains x509 extensions.
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_NONE);
est_destroy(ectx);
/*
* Re-enable PoP on the server for the forthcoming test cases.
*/
st_enable_pop();
}
static void us893_test7 (void)
{
int rv;
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int pkcs7_len = 0;
X509 *cert = NULL;
BIO *in;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Make sure PoP is disabled on the server
*/
st_disable_pop();
/*
* Stop the proxy server so we can restart
* it using a different identity cert.
*/
st_proxy_stop();
/*
* Restart the proxy server using the other cert
*/
rv = st_proxy_start(US893_TCP_PROXY_PORT,
US893_SERVER_CERTKEY,
US893_SERVER_CERTKEY,
"US893 test realm",
"CA/estCA/cacert.crt",
"CA/trustedcerts.crt",
"estuser",
"estpwd",
"127.0.0.1",
US893_TCP_SERVER_PORT,
0,
0);
CU_ASSERT(rv == 0);
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
NULL);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT);
/*
* Read in the private key
*/
key_len = read_binary_file("US893/key-expired.pem", &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
ectx->csr_pop_required = 1; //This is a hack for testing only, do not attempt this
//We need to force the challengePassword into the CSR
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_HTTP_BAD_REQ);
/*
* Stop the proxy server
*/
st_proxy_stop();
/*
* Restart the proxy server using the other cert
*/
rv = st_proxy_start(US893_TCP_PROXY_PORT,
US893_PROXY_CERT,
US893_PROXY_KEY,
"US893 test realm",
"CA/estCA/cacert.crt",
"CA/trustedcerts.crt",
"estuser",
"estpwd",
"127.0.0.1",
US893_TCP_SERVER_PORT,
0,
0);
CU_ASSERT(rv == 0);
/*
* Re-enable PoP on the server for the forthcoming test cases.
*/
st_enable_pop();
est_destroy(ectx);
}
/*
* This test attempts to re-enroll without PoP
* while the EST server is configured with PoP
* disabled, but the proxy server is using a cert
* that doesn't contain id-kp-cmcRA. This should
* result in a failure because the subjects
* of the proxy cert and the client do not agree.
*/
static void us893_test6 (void)
{
int rv;
LOG_FUNC_NM;
/*
* Make sure PoP is disabled on the server
*/
st_disable_pop();
/*
* Stop the proxy server so we can restart
* it using a different identity cert.
*/
st_proxy_stop();
/*
* Restart the proxy server using the other cert
*/
rv = st_proxy_start(US893_TCP_PROXY_PORT,
US893_SERVER_CERTKEY,
US893_SERVER_CERTKEY,
"US893 test realm",
"CA/estCA/cacert.crt",
"CA/trustedcerts.crt",
"estuser",
"estpwd",
"127.0.0.1",
US893_TCP_SERVER_PORT,
0,
0);
CU_ASSERT(rv == 0);
/*
* Use libcurl to send an enroll request. We use libcurl
* because it will not include the PoP.
*/
rv = curl_http_post(US893_REENROLL_URL_BA, US893_PKCS10_CT,
US893_PKCS10_RSA2048,
US893_UIDPWD_GOOD, US893_CACERTS, CURLAUTH_BASIC,
NULL, NULL, NULL);
/*
* The reenroll should not work since id-kp-cmcRA is not set and the subjects do not agree.
*/
CU_ASSERT(rv == 400);
/*
* Stop the proxy server
*/
st_proxy_stop();
/*
* Restart the proxy server using the other cert
*/
rv = st_proxy_start(US893_TCP_PROXY_PORT,
US893_PROXY_CERT,
US893_PROXY_KEY,
"US893 test realm",
"CA/estCA/cacert.crt",
"CA/trustedcerts.crt",
"estuser",
"estpwd",
"127.0.0.1",
US893_TCP_SERVER_PORT,
0,
0);
CU_ASSERT(rv == 0);
/*
* Re-enable PoP on the server for the forthcoming test cases.
*/
st_enable_pop();
}
/*
* Test2 - exercise the server side variations triggered
* by est_client_get_csrattrs()
*/
static void us900_test2 (void)
{
EST_CTX *ctx;
unsigned char *pkey = NULL;
unsigned char *cacerts = NULL;
int cacerts_len = 0;
EST_ERROR rc = EST_ERR_NONE;
unsigned char *retrieved_cacerts = NULL;
int retrieved_cacerts_len = 0;
EVP_PKEY *priv_key;
int csr_len;
unsigned char *csr_data = NULL;
sleep(1);
LOG_FUNC_NM;
/*
* Read in the CA certificates
*/
cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts);
CU_ASSERT(cacerts_len > 0);
/*
* Read in the private key file
*/
priv_key = read_private_key(CLIENT_UT_PUBKEY);
if (priv_key == NULL) {
printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY);
return;
}
ctx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ctx != NULL);
rc = est_client_set_auth(ctx, "", "", NULL, priv_key);
CU_ASSERT(rc == EST_ERR_NONE);
est_client_set_server(ctx, US900_SERVER_IP, US900_SERVER_PORT);
/*
* issue the get ca certs request
*/
rc = est_client_get_cacerts(ctx, &retrieved_cacerts_len);
/*
* should be successful, and should have obtained a valid buffer
* containing the CA certs
*/
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(retrieved_cacerts_len > 0);
retrieved_cacerts = malloc(retrieved_cacerts_len);
rc = est_client_copy_cacerts(ctx, retrieved_cacerts);
/*
* output the retrieved ca certs and compare to what they should be
*/
if (retrieved_cacerts) {
printf("\nRetrieved CA Certs buffer:\n %.*s\n", retrieved_cacerts_len, retrieved_cacerts);
printf("Retrieved CA certs buffer length: %d\n", retrieved_cacerts_len);
}
free(retrieved_cacerts);
/* clear callback */
if (est_set_csr_cb(ectx, NULL)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* clear csrattrs */
rc = est_server_init_csrattrs(ectx, NULL, 0);
CU_ASSERT(rc == EST_ERR_NONE);
/* should get 204 with no data */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
CU_ASSERT(csr_data == NULL);
/* Real base64 string - should pass */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_POP));
CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *)csr_data, csr_len) == 0);
if (est_set_csr_cb(ectx, &handle_corrupt_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* callback should supersede init csrattrs */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
if (est_set_csr_cb(ectx, &handle_short_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* callback should supersede init csrattrs */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
if (est_set_csr_cb(ectx, &handle_long_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* callback should supersede init csrattrs */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* callback should supersede init csrattrs */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR1));
CU_ASSERT(strncmp(TEST_ATTR1, (const char *)csr_data, csr_len) == 0);
/* clear csrattrs */
rc = est_server_init_csrattrs(ectx, NULL, 0);
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR1));
CU_ASSERT(strncmp(TEST_ATTR1, (const char *)csr_data, csr_len) == 0);
/* clear callback */
if (est_set_csr_cb(ectx, NULL)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* Setting the smallest size */
rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR2));
CU_ASSERT(strncmp(TEST_ATTR2, (const char *)csr_data, csr_len) == 0);
rc = est_server_init_csrattrs(ectx, TEST_ATTR3, strlen(TEST_ATTR3));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR3));
CU_ASSERT(strncmp(TEST_ATTR3, (const char *)csr_data, csr_len) == 0);
/* clear csrattrs */
rc = est_server_init_csrattrs(ectx, NULL, 0);
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
rc = est_server_init_csrattrs(ectx, TEST_1024_NOPOP, strlen(TEST_1024_NOPOP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_1024_NOPOP));
CU_ASSERT(strncmp(TEST_1024_NOPOP, (const char *)csr_data, csr_len) == 0);
/* Enable PoP and test responses with PoP added */
st_enable_pop();
rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_data != NULL);
CU_ASSERT(csr_len = 20);
CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *)csr_data, csr_len) == 0);
rc = est_server_init_csrattrs(ectx, TEST_1024_NOPOP, strlen(TEST_1024_NOPOP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_1024_POP));
CU_ASSERT(strncmp(TEST_1024_POP, (const char *)csr_data, csr_len) == 0);
/* Setting the size 122 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR4_122, strlen(TEST_ATTR4_122));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR4_122POP));
CU_ASSERT(strncmp(TEST_ATTR4_122POP, (const char *)csr_data, csr_len) == 0);
/* Setting the size 117 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR5_117, strlen(TEST_ATTR5_117));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR5_117POP));
CU_ASSERT(strncmp(TEST_ATTR5_117POP, (const char *)csr_data, csr_len) == 0);
/* Real base64 string needs PoP added - should pass */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_NOPOP, strlen(TEST_ATTR_NOPOP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP));
CU_ASSERT(strncmp(TEST_ATTR_NOPOPPOP, (const char *)csr_data, csr_len) == 0);
/* Not a real base64 string - should fail */
rc = est_server_init_csrattrs(ectx, "US900 test1", 11);
CU_ASSERT(rc != EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_POP));
CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *)csr_data, csr_len) == 0);
/* Setting the smallest size */
rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP));
CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *)csr_data, csr_len) == 0);
/* Setting the size 116 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR6_116, strlen(TEST_ATTR6_116));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the size 244 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_244, strlen(TEST_ATTR_244));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the size 245 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_245, strlen(TEST_ATTR_245));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the size 250 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_250, strlen(TEST_ATTR_250));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_250POP));
CU_ASSERT(strncmp(TEST_ATTR_250POP, (const char *)csr_data, csr_len) == 0);
if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR1));
CU_ASSERT(strncmp(TEST_ATTR1, (const char *)csr_data, csr_len) == 0);
if (est_set_csr_cb(ectx, &handle_nopop_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP));
CU_ASSERT(strncmp(TEST_ATTR_NOPOPPOP, (const char *)csr_data, csr_len) == 0);
if (est_set_csr_cb(ectx, &handle_empty_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP));
CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *)csr_data, csr_len) == 0);
/* disable PoP */
st_disable_pop();
/* clear callback */
if (est_set_csr_cb(ectx, NULL)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* Real base64 string PoP should not be added - should pass */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_NOPOP, strlen(TEST_ATTR_NOPOP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOP));
CU_ASSERT(strncmp(TEST_ATTR_NOPOP, (const char *)csr_data, csr_len) == 0);
/* All ASN.1 types supported by OpenSSL */
rc = est_server_init_csrattrs(ectx, TEST_ALL_ATTR, strlen(TEST_ALL_ATTR));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ALL_ATTR));
CU_ASSERT(strncmp(TEST_ALL_ATTR, (const char *)csr_data, csr_len) == 0);
rc = est_server_init_csrattrs(ectx, TEST_1025_NOPOP, strlen(TEST_1025_NOPOP));
CU_ASSERT(rc != EST_ERR_NONE);
rc = est_server_init_csrattrs(ectx, TEST_LONG_ATTR, strlen(TEST_LONG_ATTR));
CU_ASSERT(rc != EST_ERR_NONE);
if (ctx) {
est_destroy(ctx);
}
if (cacerts) {
free(cacerts);
}
if (pkey) {
free(pkey);
}
}
/*
* Test1 - exercise the est_server_init_csrattrs() API.
*/
static void us900_test1 (void)
{
int rc;
LOG_FUNC_NM;
/* NULL ctx - should fail */
rc = est_server_init_csrattrs(NULL, "US900 test1", 10);
CU_ASSERT(rc != EST_ERR_NONE);
/* NULL string - should pass */
rc = est_server_init_csrattrs(ectx, NULL, 10);
CU_ASSERT(rc == EST_ERR_NONE);
/* Zero length - should fail */
rc = est_server_init_csrattrs(ectx, "US900 test1", 0);
CU_ASSERT(rc != EST_ERR_NONE);
/* Length too long - should fail */
rc = est_server_init_csrattrs(ectx, "US900 test1", MAX_CSRATTRS+1);
CU_ASSERT(rc != EST_ERR_NONE);
/* Not a real base64 string - should fail */
rc = est_server_init_csrattrs(ectx, "US900 test1", 11);
CU_ASSERT(rc != EST_ERR_NONE);
/* Real base64 string - should pass */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP));
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the smallest base64 size */
rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2));
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting an illegally small base64 size */
rc = est_server_init_csrattrs(ectx, TEST_ATTR7, strlen(TEST_ATTR7));
CU_ASSERT(rc != EST_ERR_NONE);
/* Setting the size 122 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR4_122, strlen(TEST_ATTR4_122));
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the size 117 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR5_117, strlen(TEST_ATTR5_117));
CU_ASSERT(rc == EST_ERR_NONE);
/* enable PoP */
st_enable_pop();
/* Real base64 string needs PoP added - should pass */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_NOPOP, strlen(TEST_ATTR_NOPOP));
CU_ASSERT(rc == EST_ERR_NONE);
/* Not a real base64 string - should fail */
rc = est_server_init_csrattrs(ectx, "US900 test1", 11);
CU_ASSERT(rc != EST_ERR_NONE);
/* Setting the smallest size */
rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2));
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the size 122 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR4_122, strlen(TEST_ATTR4_122));
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the size 117 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR5_117, strlen(TEST_ATTR5_117));
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the size 116 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR6_116, strlen(TEST_ATTR6_116));
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the size 244 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_244, strlen(TEST_ATTR_244));
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the size 245 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_245, strlen(TEST_ATTR_245));
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the size 250 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_250, strlen(TEST_ATTR_250));
CU_ASSERT(rc == EST_ERR_NONE);
/* All ASN.1 types supported by OpenSSL */
rc = est_server_init_csrattrs(ectx, TEST_ALL_ATTR, strlen(TEST_ALL_ATTR));
CU_ASSERT(rc == EST_ERR_NONE);
/* disable PoP */
st_disable_pop();
/* All ASN.1 types supported by OpenSSL */
rc = est_server_init_csrattrs(ectx, TEST_ALL_ATTR, strlen(TEST_ALL_ATTR));
CU_ASSERT(rc == EST_ERR_NONE);
/* Real base64 string PoP should not be added - should pass */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_NOPOP, strlen(TEST_ATTR_NOPOP));
CU_ASSERT(rc == EST_ERR_NONE);
}
