/*
* This test attempts to use a client certificate to
* verify the TLS client authentiaiton is working.
* The certificate used is signed by the explicit cert
* chain. Valid HTTP authentication credentials are
* also provided. This should succeed.
*/
static void us901_test21(void) {
long rv;
int st_rv;
st_rv = us901_start_server('B');
if (st_rv) {
return;
}
LOG_FUNC_NM
;
SLEEP(1);
rv = curl_http_post_certuid(US901_ENROLL_URL,
US901_PKCS10_CT,
US901_PKCS10_REQ,
US901_UIDPWD_GOOD,
US901_EXPLICIT_CERT,
US901_EXPLICIT_KEY,
US901_CACERTS,
NULL);
/*
* Since we passed in a valid userID/password,
* we expect the server to respond with 200
*/
CU_ASSERT(rv == 200);
st_stop();
SLEEP(1);
}
int st_buffer_delay(uint32_t milliseconds, int16_t line_number) {
struct Block *block;
if (milliseconds==0) {
st_stop();
return 0;
}
while (st_buffer_full()) { sleep_mode();} // makes sure there are two
/* // slots left on buffer
printPgmString(PSTR("in st_buffer_delay. Delay = "));
printInteger(milliseconds);
printPgmString(PSTR("\r\n"));*/
// Setup block record
block = &block_buffer[block_buffer_head];
block->backlash=0;
block->line_number = line_number;
block->maximum_steps = milliseconds;
block->rate = 1000;
block->mode = SM_HALT;
// Move buffer head
block_buffer_head = (block_buffer_head + 1) % BLOCK_BUFFER_SIZE; //next_buffer_head;
// Ensure that blocks will be processed by enabling the Stepper Driver Interrupt
ENABLE_STEPPER_DRIVER_INTERRUPT();
return 1;
}
/*
* This routine is called when CUnit uninitializes this test
* suite. This can be used to deallocate data or close any
* resources that were used for the test cases.
*/
static int us895_destroy_suite (void)
{
st_stop();
st_proxy_stop();
SLEEP(2);
return 0;
}
/*
* This test attempts to enroll without using a certificate
* to identity the client, while using a good user ID/pwd.
* However, the EST server is setup to only perform
* certificate authentication (HTTP auth disabled).
* This should fail with a 401 response.
*/
static void us901_test23(void) {
long rv;
int st_rv;
st_rv = us901_start_server('N');
if (st_rv) {
return;
}
LOG_FUNC_NM
;
SLEEP(1);
rv = curl_http_post(US901_ENROLL_URL,
US901_PKCS10_CT,
US901_PKCS10_REQ,
US901_UIDPWD_GOOD,
US901_CACERTS,
CURLAUTH_BASIC,
NULL, NULL, NULL);
/*
* Since we passed in an invalid userID/password,
* we expect the server to respond with 401
*/
CU_ASSERT(rv == 401);
st_stop();
SLEEP(1);
}
/*
* This test attempts to use a revoked client certificate to
* verify CRL checks are working in the TLS layer.
* This should fail.
*/
static void us901_test12(void) {
long rv;
int st_rv;
st_rv = us901_start_server('R');
if (st_rv) {
return;
}
LOG_FUNC_NM
;
SLEEP(1);
rv = curl_http_post_cert(US901_ENROLL_URL,
US901_PKCS10_CT,
US901_PKCS10_REQ,
US901_REVOKED_CERT,
US901_REVOKED_KEY,
US901_CACERTS,
NULL);
/*
* Since the client cert has been revoked the TLS handshake
* will fail. The EST server should return a 401 response.
*/
CU_ASSERT(rv == 0);
st_stop();
}
/*
* This test attempts to use a self-signed client certificate to
* verify cert chain will reject a cert that has not been
* signed by a valid CA. This should fail.
*/
static void us901_test13(void) {
long rv;
int st_rv;
st_rv = us901_start_server('D');
if (st_rv) {
return;
}
LOG_FUNC_NM
;
SLEEP(1);
rv = curl_http_post_cert(US901_ENROLL_URL,
US901_PKCS10_CT,
US901_PKCS10_REQ,
US901_SELFSIGN_CERT,
US901_SELFSIGN_KEY,
US901_CACERTS,
NULL);
/*
* Since the client cert is not signed by either the local CA
* or external CA, the TLS handshake will fail.
* We will not receive an HTTP status message
* from the server.
*/
CU_ASSERT(rv == 0);
st_stop();
}
/*
* This routine is called when CUnit uninitializes this test
* suite. This can be used to deallocate data or close any
* resources that were used for the test cases.
*/
static int us893_destory_suite (void)
{
st_stop();
st_proxy_stop();
free(cacerts);
return 0;
}
/*
* This test case does a simple cacerts request
* and looks for the HTTP 200 response code.
*/
static void us901_test5(void) {
long rv;
char cmd[200];
int st_rv;
st_rv = us901_start_server('D');
if (st_rv) {
return;
}
LOG_FUNC_NM
;
SLEEP(1);
outfile = fopen(test5_outfile, "w");
rv = curl_http_get(US901_CACERT_URL, US901_CACERTS, &write_func);
fclose(outfile);
/*
* we expect the server to respond with a 200
*/
CU_ASSERT(rv == 200);
sprintf(cmd,
"openssl base64 -d -in %s | openssl pkcs7 -inform DER -text -print_certs",
test5_outfile);
rv = system(cmd);
CU_ASSERT(rv == 0);
st_stop();
SLEEP(1);
}
/*
* This test case attempts simple cacerts request using
* POST instead of GET. It should fail.
*/
static void us901_test20(void) {
long rv;
int st_rv;
st_rv = us901_start_server('D');
if (st_rv) {
return;
}
LOG_FUNC_NM
;
SLEEP(1);
outfile = fopen(test5_outfile, "w");
rv = curl_http_post(US901_CACERT_URL, US901_PKCS10_CT, US901_PKCS10_REQ,
US901_UIDPWD_GOOD, US901_CACERTS, CURLAUTH_BASIC,
NULL, NULL, NULL);
fclose(outfile);
/*
* we expect the server to respond with a 400
*/
CU_ASSERT(rv == 400);
st_stop();
SLEEP(1);
}
/*
* This test will initialize EST w/o a trust anchor,
* enable SRP, and perform a simpleenroll.
* This should succeed since SRP doesn't require a
* trust anchor.
*/
static void us1060_test104 ()
{
EST_CTX *ectx;
EVP_PKEY *new_key;
int rv;
int pkcs7_len = 0;
LOG_FUNC_NM;
/*
* We need to restart the EST server using an RSA key
* None of the SRP cipher suites support ECDSA
*/
st_stop();
sleep(2);
us1060_start_server(US1060_SERVER_CERTKEY, US1060_SERVER_CERTKEY, 0, 0, 1);
/*
* Create a client context
*/
ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT);
/*
* Enable SRP on the client
*/
rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD);
/*
* generate a new private key
*/
new_key = generate_private_key();
CU_ASSERT(new_key != NULL);
/*
* Attempt to provision a new cert
*/
rv = est_client_enroll(ectx, "US1060_TEST104", &pkcs7_len, new_key);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Cleanup
*/
EVP_PKEY_free(new_key);
est_destroy(ectx);
}
/*
* This routine is called when CUnit uninitializes this test
* suite. This can be used to deallocate data or close any
* resources that were used for the test cases.
*/
static int us1060c_destroy_suite (void)
{
if (srpdb) {
SRP_VBASE_free(srpdb);
}
st_stop();
free(cacerts);
return 0;
}
/*
* Simple "happy path" test case using the easy provision
* API with SRP disabled.
*/
static void us1060c_test100 (void)
{
LOG_FUNC_NM;
st_stop();
SLEEP(2);
us1060c_start_server(US1060C_SERVER_CERTKEY, US1060C_SERVER_CERTKEY, 0, 0, 1);
us1060c_easy_provision(0, 1, NULL, US1060C_SERVER_PORT, EST_ERR_NONE);
}
/*
* Simple "happy path" test case using the easy provision
* API with SRP disabled.
*/
static void us1060_test100 ()
{
LOG_FUNC_NM;
st_stop();
sleep(2);
us1060_start_server(US1060_SERVER_CERTKEY, US1060_SERVER_CERTKEY, 0, 0, 1);
us1060_easy_provision(0, 1, NULL, US1060_SERVER_PORT, EST_ERR_NONE);
}
static void us901_test_sslversion(const SSL_METHOD *m, int expect_fail) {
BIO *conn;
SSL *ssl;
SSL_CTX *ssl_ctx = NULL;
int rv;
int st_rv;
st_rv = us901_start_server('D');
if (st_rv) {
return;
}
LOG_FUNC_NM
;
ssl_ctx = SSL_CTX_new(m);
CU_ASSERT(ssl_ctx != NULL);
/*
* Now that the SSL context is ready, open a socket
* with the server and bind that socket to the context.
*/
conn = open_tcp_socket_ipv4("127.0.0.1", "29901");
CU_ASSERT(conn != NULL);
/*
* Creaea SSL session context
*/
ssl = SSL_new(ssl_ctx);
SSL_set_bio(ssl, conn, conn);
/*
* Now that we have everything ready, let's initiate the TLS
* handshake.
*/
rv = SSL_connect(ssl);
if (!expect_fail) {
CU_ASSERT(rv > 0);
} else {
CU_ASSERT(rv <= 0);
}
/*
* Cleanup all the data
*/
SSL_shutdown(ssl);
SSL_free(ssl);
SSL_CTX_free(ssl_ctx);
st_stop();
SLEEP(1);
}
/*
* This test will enable a just the SRP-RSA-AES-128-CBC-SHA
* cipher suite, which forces the server to send a certificate
* to the client while SRP is used. The FQDN check should occur
* and succeed.
*/
static void us1060_test102 ()
{
LOG_FUNC_NM;
/*
* We need to restart the EST server using an RSA key
* None of the SRP cipher suites support ECDSA
*/
st_stop();
sleep(2);
us1060_start_server(US1060_RSA_CERT, US1060_RSA_KEY, 0, 0, 1);
us1060_easy_provision(1, 1, "SRP-RSA-AES-128-CBC-SHA", US1060_SERVER_PORT, EST_ERR_NONE);
}
/*
* This test case is verifies the happy path when EST
* proxy is configured in SRP mode. The client will attempt
* to use SRP. The connection between the proxy and
* server does not use SRP. We perform a simple enroll
* operation.
*/
static void us1060_test200 ()
{
long rv;
LOG_FUNC_NM;
/*
* Restart the EST server with SRP disabled
*/
st_stop();
sleep(2);
rv = us1060_start_server(US1060_SERVER_CERTKEY, US1060_SERVER_CERTKEY, 0, 0, 0);
CU_ASSERT(rv == 0);
rv = curl_http_post_srp(US1060_PROXY_ENROLL_URL, US1060_PKCS10_CT, US1060_PKCS10_REQ,
US1060_UIDPWD_GOOD, NULL, CURLAUTH_BASIC,
NULL, "srp_user", "srp_pwd", NULL, NULL);
/*
* Since we passed in a valid SRP userID/password,
* we expect the server to respond with success
*/
CU_ASSERT(rv == 200);
}
/*
* TLS anonymous cipher suites disabled
*
* This test case uses libcurl to test that the
* EST server will not accept anonymous cipher
* suites from the client. We only test a single
* cipher suite here. This attempts to do a
* simple enroll with the server.
*/
static void us901_test14(void) {
long rv;
int st_rv;
st_rv = us901_start_server('D');
if (st_rv) {
return;
}
LOG_FUNC_NM
;
SLEEP(1);
rv = curl_http_post(US901_ENROLL_URL, US901_PKCS10_CT, US901_PKCS10_REQ,
US901_UIDPWD_GOOD, US901_CACERTS, CURLAUTH_BASIC, "ADH-AES128-SHA256", NULL,
NULL);
/*
* TLS handshake should have failed, curl should return 0
*/
CU_ASSERT(rv == 0);
st_stop();
SLEEP(1);
}
/****************************************************************************
* Exported Functions
****************************************************************************/
uint8 stt_test_1(void)
{
uint8 result = STT_SUCCESS;
char string_0[ST_NODE_LIMIT] = {0};
UART_1_Start();
UART_1_PutString("\x1b\x5b\x32\x4a");
UART_1_PutString("FINITE STATE MACHINE LIBRARY TEST\r\n");
UART_1_PutString("\r\n");
UART_1_PutString("Test\tFunction\t\tResult\r\n");
UART_1_PutString("----\t--------\t\t------\r\n");
/*
* Initialise test.
*/
if (result == STT_SUCCESS)
{
st_start();
UART_1_PutString(" -\tInitialise test...\tPASS\r\n");
}
/*
* Test st_add_key().
*/
if (result == STT_SUCCESS)
{
if (st_add_key(NULL) == ST_BAD_ARGUMENT)
{
UART_1_PutString(" 1\tst_add_key()\t\tPASS\r\n");
}
else
{
UART_1_PutString(" 1\tst_add_key()\t\tFAIL\r\n");
result = STT_FAILURE;
}
}
if (result == STT_SUCCESS)
{
if (st_add_key("A") == ST_SUCCESS)
{
UART_1_PutString(" 2\tst_add_key()\t\tPASS\r\n");
}
else
{
UART_1_PutString(" 2\tst_add_key()\t\tFAIL\r\n");
result = STT_FAILURE;
}
}
/*
* Test st_get_limit().
*/
if (result == STT_SUCCESS)
{
if (st_get_limit() == ST_NODE_LIMIT)
{
UART_1_PutString(" 3\tst_get_limit()\t\tPASS\r\n");
}
else
{
UART_1_PutString(" 3\tst_get_limit()\t\tFAIL\r\n");
result = STT_FAILURE;
}
}
/*
* Initialise st_set_limit() test.
*/
if (result == STT_SUCCESS)
{
if (st_add_key("B") == ST_SUCCESS)
{
UART_1_PutString(" -\tInitialise test...\tPASS\r\n");
}
else
{
UART_1_PutString(" -\tInitialise test...\tFAIL\r\n");
result = STT_FAILURE;
}
}
if (result == STT_SUCCESS)
{
if (st_add_key("C") == ST_SUCCESS)
{
UART_1_PutString(" -\tInitialise test...\tPASS\r\n");
}
else
{
UART_1_PutString(" -\tInitialise test...\tFAIL\r\n");
result = STT_FAILURE;
}
}
/*
* Test st_set_limit().
*/
if (result == STT_SUCCESS)
{
if (st_set_limit(1) == ST_FAILURE)
{
UART_1_PutString(" 4\tst_set_limit()\t\tPASS\r\n");
}
else
{
UART_1_PutString(" 4\tst_set_limit()\t\tFAIL\r\n");
result = STT_FAILURE;
}
}
if (result == STT_SUCCESS)
{
if (st_set_limit(0) == ST_SUCCESS)
{
UART_1_PutString(" 5\tst_set_limit()\t\tPASS\r\n");
}
else
{
UART_1_PutString(" 5\tst_set_limit()\t\tFAIL\r\n");
result = STT_FAILURE;
}
}
/*
* Test st_copy_buffer().
*/
if (result == STT_SUCCESS)
{
if (st_copy_buffer(NULL) == ST_BAD_ARGUMENT)
{
UART_1_PutString(" 6\tst_copy_buffer()\tPASS\r\n");
}
else
{
UART_1_PutString(" 6\tst_copy_buffer()\tFAIL\r\n");
result = STT_FAILURE;
}
}
if (result == STT_SUCCESS)
{
if (st_copy_buffer(string_0) == ST_SUCCESS)
{
UART_1_PutString(" 7\tst_copy_buffer()\tPASS\r\n");
}
else
{
UART_1_PutString(" 7\tst_copy_buffer()\tFAIL\r\n");
result = STT_FAILURE;
}
}
if (result == STT_SUCCESS)
{
if (strcmp(string_0, "ABC") == ST_SUCCESS)
{
UART_1_PutString(" 8\tst_copy_buffer()\tPASS\r\n");
}
else
{
UART_1_PutString(" 8\tst_copy_buffer()\tFAIL\r\n");
result = STT_FAILURE;
}
}
/*
* Test st_get_count().
*/
if (result == STT_SUCCESS)
{
if (st_get_count() == 3)
{
UART_1_PutString(" 9\tst_get_count()\t\tPASS\r\n");
}
else
{
UART_1_PutString(" 9\tst_get_count()\t\tFAIL\r\n");
result = STT_FAILURE;
}
}
/*
* Test st_empty_buffer().
*/
if (result == STT_SUCCESS)
{
st_empty_buffer();
if (st_get_count() == 0)
{
UART_1_PutString(" 10\tst_empty_buffer()\tPASS\r\n");
}
else
{
UART_1_PutString(" 10\tst_empty_buffer()\tFAIL\r\n");
result = STT_FAILURE;
}
}
/*
* Test st_copy_buffer().
*/
if (result == STT_SUCCESS)
{
if (st_copy_buffer(string_0) == ST_EMPTY)
{
UART_1_PutString(" 11\tst_copy_buffer()\tPASS\r\n");
}
else
{
UART_1_PutString(" 11\tst_copy_buffer()\tFAIL\r\n");
result = STT_FAILURE;
}
}
/*
* Test st_is_valid_input().
*/
if (result == STT_SUCCESS)
{
if (st_is_valid_input() == ST_FAILURE)
{
UART_1_PutString(" 12\tst_is_valid_input()\tPASS\r\n");
}
else
{
UART_1_PutString(" 12\tst_is_valid_input()\tFAIL\r\n");
result = STT_FAILURE;
}
}
/*
* Initialise st_is_valid_input() test.
*/
if (result == STT_SUCCESS)
{
if (st_add_key("C") == ST_SUCCESS)
{
UART_1_PutString(" -\tInitialise test...\tPASS\r\n");
}
else
{
UART_1_PutString(" -\tInitialise test...\tFAIL\r\n");
result = STT_FAILURE;
}
}
/*
* Test st_is_valid_input().
*/
if (result == STT_SUCCESS)
{
if (st_is_valid_input() == ST_SUCCESS)
{
UART_1_PutString(" 13\tst_is_valid_input()\tPASS\r\n");
}
else
{
UART_1_PutString(" 13\tst_is_valid_input()\tFAIL\r\n");
result = STT_FAILURE;
}
}
if (result == STT_SUCCESS)
{
if (st_get_count() == 0)
{
UART_1_PutString(" 14\tst_is_valid_input()\tPASS\r\n");
}
else
{
UART_1_PutString(" 14\tst_is_valid_input()\tFAIL\r\n");
result = STT_FAILURE;
}
}
/*
* Test st_set_state().
*/
if (result == STT_SUCCESS)
{
if (st_set_state(ST_STATE_MAXIMUM) == ST_BAD_ARGUMENT)
{
UART_1_PutString(" 15\tst_set_state()\t\tPASS\r\n");
}
else
{
UART_1_PutString(" 15\tst_set_state()\t\tFAIL\r\n");
result = STT_FAILURE;
}
}
if (result == STT_SUCCESS)
{
if (st_set_state(ST_STATE_4) == ST_SUCCESS)
{
UART_1_PutString(" 16\tst_set_state()\t\tPASS\r\n");
}
else
{
UART_1_PutString(" 16\tst_set_state()\t\tFAIL\r\n");
result = STT_FAILURE;
}
}
/*
* Initialise st_is_valid_input() test.
*/
if (result == STT_SUCCESS)
{
if (st_add_key("\r") == ST_SUCCESS)
{
UART_1_PutString(" -\tInitialise test...\tPASS\r\n");
}
else
{
UART_1_PutString(" -\tInitialise test...\tFAIL\r\n");
result = STT_FAILURE;
}
}
/*
* Test st_is_valid_input().
*/
if (result == STT_SUCCESS)
{
if (st_is_valid_input() == ST_SUCCESS)
{
UART_1_PutString(" 17\tst_is_valid_input()\tPASS\r\n");
}
else
{
UART_1_PutString(" 17\tst_is_valid_input()\tFAIL\r\n");
result = STT_FAILURE;
}
}
if (result == STT_SUCCESS)
{
if (st_get_count() == 1)
{
UART_1_PutString(" 18\tst_is_valid_input()\tPASS\r\n");
}
else
{
UART_1_PutString(" 18\tst_is_valid_input()\tFAIL\r\n");
result = STT_FAILURE;
}
}
/*
* Initialise st_is_valid_input() test.
*/
if (result == STT_SUCCESS)
{
if (st_set_state(ST_STATE_2) == ST_SUCCESS)
{
UART_1_PutString(" -\tInitialise test...\tPASS\r\n");
}
else
{
UART_1_PutString(" -\tInitialise test...\tFAIL\r\n");
result = STT_FAILURE;
}
}
/*
* Test st_is_valid_input().
*/
if (result == STT_SUCCESS)
{
if (st_is_valid_input() == ST_FAILURE)
{
UART_1_PutString(" 19\tst_is_valid_input()\tPASS\r\n");
}
else
{
UART_1_PutString(" 19\tst_is_valid_input()\tFAIL\r\n");
result = STT_FAILURE;
}
}
if (result == STT_SUCCESS)
{
st_set_bit(ST_HARDWARE_EVENT);
if (st_is_valid_input() == ST_SUCCESS)
{
UART_1_PutString(" 20\tst_is_valid_input()\tPASS\r\n");
}
else
{
UART_1_PutString(" 20\tst_is_valid_input()\tFAIL\r\n");
result = STT_FAILURE;
}
}
/*
* Initialise st_is_valid_input() test.
*/
if (result == STT_SUCCESS)
{
st_clear_bit(ST_CARRIAGE_RETURN);
UART_1_PutString(" -\tInitialise test...\tPASS\r\n");
}
/*
* Test st_is_valid_input().
*/
if (result == STT_SUCCESS)
{
if (st_is_valid_input() == ST_FAILURE)
{
UART_1_PutString(" 21\tst_is_valid_input()\tPASS\r\n");
}
else
{
UART_1_PutString(" 21\tst_is_valid_input()\tFAIL\r\n");
result = STT_FAILURE;
}
}
/*
* Report test result.
*/
if (result == STT_SUCCESS)
{
UART_1_PutString("\r\n");
UART_1_PutString("TEST PASSED\r\n");
}
else
{
UART_1_PutString("\r\n");
UART_1_PutString("TEST FAILED\r\n");
}
/*
* Clean-up test.
*/
while (UART_1_ReadTxStatus() != UART_1_TX_STS_FIFO_EMPTY)
{
CyDelay(1);
}
UART_1_Stop();
st_stop();
return result;
}
void us748_stop_server()
{
st_stop();
st_proxy_stop();
sleep(2);
}
void us1190_stop_server ()
{
st_stop();
SLEEP(2);
}
/*
* This test does a simple enroll with SRP using a
* non-default value for the SRP strength.
*/
static void us1060_test106 ()
{
EST_CTX *ectx;
EVP_PKEY *new_key;
int rv;
int pkcs7_len = 0;
LOG_FUNC_NM;
/*
* We need to restart the EST server using an RSA key
* None of the SRP cipher suites support ECDSA
*/
st_stop();
sleep(2);
rv = us1060_start_server(US1060_SERVER_CERTKEY, US1060_SERVER_CERTKEY, 0, 0, 1);
/*
* Create a client context
*/
ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT);
/*
* Enable SRP on the client
* Use a strength below the minimum
*/
rv = est_client_enable_srp(ectx, 1023, US1060_UID, US1060_PWD);
CU_ASSERT(rv == EST_ERR_SRP_STRENGTH_LOW);
/*
* Enable SRP on the client
* Use a strength slightly larger then the N value in passwd.srpv
*/
rv = est_client_enable_srp(ectx, 1537, US1060_UID, US1060_PWD);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* generate a new private key
*/
new_key = generate_private_key();
CU_ASSERT(new_key != NULL);
/*
* Attempt to provision a new cert
*/
rv = est_client_enroll(ectx, "US1060_TEST106a", &pkcs7_len, new_key);
CU_ASSERT(rv == EST_ERR_SSL_CONNECT);
/*
* Enable SRP on the client
* Use a strength the same size as the N value in passwd.srpv
*/
rv = est_client_enable_srp(ectx, 1536, US1060_UID, US1060_PWD);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Attempt to provision a new cert
*/
rv = est_client_enroll(ectx, "US1060_TEST106b", &pkcs7_len, new_key);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Cleanup
*/
EVP_PKEY_free(new_key);
est_destroy(ectx);
}
/*
* This test will enable a just the SRP-RSA-AES-128-CBC-SHA
* cipher suite, which forces the server to send a certificate
* to the client while SRP is used. Similar to #104, we'll
* omit configuring the trust anchor on the client context.
* This should cause the TLS session to fail since the
* server cert can not be verified without a trust anchor.
*/
static void us1060_test105 ()
{
EST_CTX *ectx;
EVP_PKEY *new_key;
int rv;
int pkcs7_len = 0;
struct est_dumb_ctx *ed;
LOG_FUNC_NM;
/*
* We need to restart the EST server using an RSA key
* None of the SRP cipher suites support ECDSA
*/
st_stop();
sleep(2);
us1060_start_server(US1060_RSA_CERT, US1060_RSA_KEY, 0, 0, 1);
/*
* Create a client context
*/
ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT);
/*
* Enable SRP on the client
*/
rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD);
/*
* This is not an approved use of the EST API. We do this
* here only to increase code coverage for testing
* purposes only. If you are looking at this code as
* an example of how to use the EST API, do not do this!
*/
ed = (struct est_dumb_ctx*)ectx;
rv = SSL_CTX_set_cipher_list(ed->ssl_ctx, "SRP-RSA-AES-128-CBC-SHA");
CU_ASSERT(rv == 1);
/*
* generate a new private key
*/
new_key = generate_private_key();
CU_ASSERT(new_key != NULL);
/*
* Attempt to provision a new cert
*/
rv = est_client_enroll(ectx, "US1060_TEST105", &pkcs7_len, new_key);
CU_ASSERT(rv == EST_ERR_SSL_CONNECT);
/*
* Cleanup
*/
EVP_PKEY_free(new_key);
est_destroy(ectx);
}
void
on_button10_clicked (GtkButton *button,
gpointer user_data)
{
st_stop();
}
/*
* This is our worker for each entry in the test matrix above.
* We read the configuration from the entry, configure the
* server and client as needed, and attempt a simple enroll
* using Curl as the client.
* The argument i is the index of the entry in the table above.
*/
static void us1060_test_matrix_item (int i)
{
long rv;
LOG_FUNC_NM;
printf("\nRunning matrix test %s\n", test_matrix[i].test_name);
/*
* Stop the server and restart it to make sure
* it's in the correct mode.
*/
st_stop();
if (test_matrix[i].server_srp == SRP_ON) {
rv = us1060_start_server(US1060_SERVER_CERTKEY, US1060_SERVER_CERTKEY, 0, 0, 1);
} else {
rv = us1060_start_server(US1060_SERVER_CERTKEY, US1060_SERVER_CERTKEY, 0, 0, 0);
}
CU_ASSERT(rv == 0);
/*
* Set the server HTTP auth configuration
*/
switch (test_matrix[i].server_http) {
case HTTP_OFF:
st_disable_http_auth();
break;
case HTTP_OPTIONAL:
st_enable_http_auth();
st_set_http_auth_optional();
break;
case HTTP_REQUIRED:
st_enable_http_auth();
st_set_http_auth_required();
break;
}
switch (test_matrix[i].curl_srp) {
case SRP_GOOD:
rv = curl_http_post_srp(US1060_ENROLL_URL, US1060_PKCS10_CT, US1060_PKCS10_REQ,
test_matrix[i].curl_http_auth, NULL, CURLAUTH_BASIC,
NULL, "srp_user", "srp_pwd", NULL, NULL);
break;
case SRP_BAD:
rv = curl_http_post_srp(US1060_ENROLL_URL, US1060_PKCS10_CT, US1060_PKCS10_REQ,
test_matrix[i].curl_http_auth, NULL, CURLAUTH_BASIC,
NULL, "srp_user", "boguspwd", NULL, NULL);
break;
case SRP_NONE:
/*
* Some of the SRP disabled test cases use a client
* certificate.
*/
if (test_matrix[i].curl_cert) {
rv = curl_http_post_certuid(US1060_ENROLL_URL, US1060_PKCS10_CT, US1060_PKCS10_REQ,
test_matrix[i].curl_http_auth,
test_matrix[i].curl_cert, test_matrix[i].curl_key,
US1060_CACERTS, NULL);
} else {
rv = curl_http_post(US1060_ENROLL_URL, US1060_PKCS10_CT, US1060_PKCS10_REQ,
test_matrix[i].curl_http_auth, US1060_CACERTS, CURLAUTH_BASIC,
NULL, NULL, NULL);
}
break;
}
CU_ASSERT(rv == test_matrix[i].expected_http_result);
if (rv != test_matrix[i].expected_http_result) {
printf("\nMatrix test %s failed with rv = %d\n", test_matrix[i].test_name, (int)rv);
}
}
/*
* This routine is called when CUnit uninitializes this test
* suite. This can be used to deallocate data or close any
* resources that were used for the test cases.
*/
static int us898_destroy_suite (void)
{
st_stop();
free(cacerts);
return 0;
}
/*
* This test attempts to re-enroll an expired cert
* while the EST server is configured for manual
* approval. The server will send back a retry-after
* response.
*/
static void us898_test6 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int rv;
int pkcs7_len = 0;
X509 *cert = NULL;
BIO *in;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Stop the server.
*/
st_stop();
/*
* Restart the server with manual approval enabled
*/
rv = us898_start_server(1, 0);
CU_ASSERT(rv == 0);
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* Read in the private key
*/
key_len = read_binary_file("US898/key-expired.pem", &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file("US898/cert-expired.pem", &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Enroll an expired cert that contains x509 extensions.
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_CA_ENROLL_RETRY);
/*
* Clean up
*/
est_destroy(ectx);
/*
* Stop the server.
*/
st_stop();
/*
* Restart the server with manual approval disabled
*/
rv = us898_start_server(0, 0);
CU_ASSERT(rv == 0);
}
/*
* This routine is called when CUnit uninitializes this test
* suite. This can be used to deallocate data or close any
* resources that were used for the test cases.
*/
static int us900_destroy_suite (void)
{
st_stop();
sleep(2);
return 0;
}
