/* * This is the main entry point into the example EST server. * This routine parses the command line options, reads in the * cert chains, creates an EST context, initializes the HTTP * layer (mongoose), and starts a simple TCP server to accept * incoming EST requests. */ int main (int argc, char **argv) { char c; int i; X509 *x; EVP_PKEY * priv_key; BIO *certin; DH *dh; EST_ERROR rv; int sleep_delay = 0; int retry_period = 300; char vfile[255]; int option_index = 0; pem_password_cb *priv_key_cb = NULL; static struct option long_options[] = { {"srp", 1, NULL, 0}, {"enforce-csr", 0, NULL, 0}, {"token", 1, 0, 0}, {"keypass", 1, 0, 0}, {"keypass_stdin", 1, 0, 0 }, {"keypass_arg", 1, 0, 0 }, {NULL, 0, NULL, 0} }; #ifdef WIN32 InitializeCriticalSection(&enrollment_critical_section); #endif /* Show usage if -h or --help options are specified */ if ((argc == 1) || (argc == 2 && (!strcmp(argv[1], "-h") || !strcmp(argv[1], "--help")))) { show_usage_and_exit(); } while ((c = getopt_long(argc, argv, "?fhbwnovr:c:k:m:p:d:lt6", long_options, &option_index)) != -1) { switch (c) { case 0: #if 0 printf("option %s", long_options[option_index].name); if (optarg) { printf(" with arg %s", optarg); } printf("\n"); #endif if (!strncmp(long_options[option_index].name, "srp", strlen("srp"))) { srp = 1; strncpy(vfile, optarg, 255); } if (!strncmp(long_options[option_index].name, "enforce-csr", strlen("enforce-csr"))) { enforce_csr = 1; } if (!strncmp(long_options[option_index].name, "token", strlen("token"))) { http_token_auth = 1; memset(valid_token_value, 0, MAX_AUTH_TOKEN_LEN + 1); strncpy(&(valid_token_value[0]), optarg, MAX_AUTH_TOKEN_LEN); } if (!strncmp(long_options[option_index].name,"keypass_stdin", strlen("keypass_stdin"))) { priv_key_cb = PEM_def_callback; } if (!strncmp(long_options[option_index].name,"keypass_arg", strlen("keypass_arg"))) { strncpy(priv_key_pwd, optarg, MAX_PWD_LEN); priv_key_cb = string_password_cb; } break; case 'm': manual_enroll = 1; retry_period = atoi(optarg); break; case 'h': http_digest_auth = 1; break; case 'b': http_basic_auth = 1; break; case 'w': write_csr = 1; break; case 'n': http_auth_disable = 1; break; case 'o': disable_forced_http_auth = 1; break; case 'v': verbose = 1; break; case 'l': crl = 1; break; case 't': pop = 1; break; case '6': v6 = 1; break; #ifndef DISABLE_PTHREADS case 'd': sleep_delay = atoi(optarg); break; #endif case 'p': tcp_port = atoi(optarg); break; case 'c': strncpy(certfile, optarg, EST_MAX_FILE_LEN); break; case 'k': strncpy(keyfile, optarg, EST_MAX_FILE_LEN); break; case 'r': if (strnlen(optarg, MAX_REALM_LEN+1) > MAX_REALM_LEN) { printf("\nRealm value is too large. Max is 32 characters\n"); exit(1); } strncpy(realm, optarg, MAX_REALM_LEN); break; case 'f': /* turn FIPS on if user requested it * and exit if failure. */ set_fips_return = FIPS_mode_set(1); if (set_fips_return != 1) { set_fips_error = ERR_get_error(); printf("\nERROR WHILE SETTING FIPS MODE ON exiting ....\n"); exit(1); } else { printf("\nRunning EST Sample Server with FIPS MODE = ON !\n"); } ; break; default: show_usage_and_exit(); break; } } argc -= optind; argv += optind; if (verbose) { print_version(stdout); } if (getenv("EST_CSR_ATTR")) { printf("\nUsing CSR Attributes: %s", getenv("EST_CSR_ATTR")); } if (!getenv("EST_CACERTS_RESP")) { printf("\nEST_CACERTS_RESP file not set, set this env variable to resolve"); exit(1); } if (!getenv("EST_TRUSTED_CERTS")) { printf("\nEST_TRUSTED_CERTS file not set, set this env variable to resolve"); exit(1); } /* * Read in the CA certificates */ cacerts_len = read_binary_file(getenv("EST_CACERTS_RESP"), &cacerts_raw); if (cacerts_len <= 0) { printf("\nEST_CACERTS_RESP file could not be read\n"); exit(1); } /* * Read in the trusted CA certificates for the local TLS context */ if (getenv("EST_TRUSTED_CERTS")) { trustcerts_len = read_binary_file(getenv("EST_TRUSTED_CERTS"), &trustcerts); if (trustcerts_len <= 0) { printf("\nEST_TRUSTED_CERTS file could not be read\n"); exit(1); } } est_apps_startup(); /* * Read in the local server certificate */ certin = BIO_new(BIO_s_file_internal()); if (BIO_read_filename(certin, certfile) <= 0) { printf("\nUnable to read server certificate file %s\n", certfile); exit(1); } /* * This reads the file, which is expected to be PEM encoded. If you're using * DER encoded certs, you would invoke d2i_X509_bio() instead. */ x = PEM_read_bio_X509(certin, NULL, NULL, NULL); if (x == NULL) { printf("\nError while reading PEM encoded server certificate file %s\n", certfile); exit(1); } BIO_free(certin); /* * Read in the server's private key */ priv_key = read_private_key(keyfile, priv_key_cb); if (priv_key == NULL) { printf("\nError while reading PEM encoded server private key file %s\n", keyfile); ERR_print_errors_fp(stderr); exit(1); } bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); if (!bio_err) { printf("\nBIO not working\n"); exit(1); } if (verbose) { est_init_logger(EST_LOG_LVL_INFO, NULL); est_enable_backtrace(1); } else { est_init_logger(EST_LOG_LVL_ERR, NULL); } ectx = est_server_init(trustcerts, trustcerts_len, cacerts_raw, cacerts_len, EST_CERT_FORMAT_PEM, realm, x, priv_key); if (!ectx) { printf("\nUnable to initialize EST context. Aborting!!!\n"); exit(1); } est_set_ex_data(ectx, &test_app_data); if (enforce_csr) { est_server_enforce_csrattr(ectx); } /* * Change the retry-after period. This is not * necessary, it's only shown here as an example. */ if (verbose) printf("\nRetry period being set to: %d \n", retry_period); est_server_set_retry_period(ectx, retry_period); if (crl) { est_enable_crl(ectx); } if (!pop) { if (verbose) printf("\nDisabling PoP check"); est_server_disable_pop(ectx); } if (srp) { srp_db = SRP_VBASE_new(NULL); if (!srp_db) { printf("\nUnable allocate SRP verifier database. Aborting!!!\n"); exit(1); } if (SRP_VBASE_init(srp_db, vfile) != SRP_NO_ERROR) { printf("\nUnable initialize SRP verifier database. Aborting!!!\n"); exit(1); } if (est_server_enable_srp(ectx, &process_ssl_srp_auth)) { printf("\nUnable to enable SRP. Aborting!!!\n"); exit(1); } } if (est_set_ca_enroll_cb(ectx, &process_pkcs10_enrollment)) { printf( "\nUnable to set EST pkcs10 enrollment callback. Aborting!!!\n"); exit(1); } /* * We use the same handler for re-enrollment. Our little toy * CA doesn't do anything special for re-enrollment. A real * CA would need to implement the requirements in section * 4.2 of the EST draft. */ if (est_set_ca_reenroll_cb(ectx, &process_pkcs10_enrollment)) { printf( "\nUnable to set EST pkcs10 enrollment callback. Aborting!!!\n"); exit(1); } if (est_set_csr_cb(ectx, &process_csrattrs_request)) { printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n"); exit(1); } if (!http_auth_disable) { if (est_set_http_auth_cb(ectx, &process_http_auth)) { printf("\nUnable to set EST HTTP AUTH callback. Aborting!!!\n"); exit(1); } } if (disable_forced_http_auth) { if (verbose) printf( "\nDisabling HTTP authentication when TLS client auth succeeds\n"); if (est_set_http_auth_required(ectx, HTTP_AUTH_NOT_REQUIRED)) { printf("\nUnable to disable required HTTP auth. Aborting!!!\n"); exit(1); } } if (http_digest_auth) { MD5_CTX c; int len; static unsigned char ha1_input_buf[32*3+2]; unsigned char md[17]; int i; rv = est_server_set_auth_mode(ectx, AUTH_DIGEST); if (rv != EST_ERR_NONE) { printf( "\nUnable to enable HTTP digest authentication. Aborting!!!\n"); exit(1); } /* * Cache away the realm value and build the HA1 */ strncpy(digest_user[1], realm, MAX_REALM_LEN); len = sprintf((char *)ha1_input_buf, "%s:%s:%s", "estuser", realm, "estpwd"); MD5_Init(&c); MD5_Update(&c, ha1_input_buf, len); MD5_Final((unsigned char *)md, &c); printf("\nDigest HA1 value = "); memset(digest_user[2], 0, 32); for(i = 0; i < 16; i++){ sprintf(&(digest_user[2][i*2]),"%.2x", (unsigned char) md[i]); printf("%c%c", digest_user[2][i*2], digest_user[2][i*2+1]); } printf("\n"); } if (http_basic_auth) { rv = est_server_set_auth_mode(ectx, AUTH_BASIC); if (rv != EST_ERR_NONE) { printf( "\nUnable to enable HTTP basic authentication. Aborting!!!\n"); exit(1); } } if (http_token_auth) { rv = est_server_set_auth_mode(ectx, AUTH_TOKEN); if (rv != EST_ERR_NONE) { printf( "\nUnable to enable HTTP token authentication. Aborting!!!\n"); exit(1); } } /* * Set DH parameters for TLS */ dh = get_dh1024dsa(); if (dh) { est_server_set_dh_parms(ectx, dh); } DH_free(dh); /* * Install thread locking mechanism for OpenSSL */ mutex_buf = malloc(CRYPTO_num_locks() * sizeof(MUTEX_TYPE)); if (!mutex_buf) { printf("Cannot allocate mutexes"); exit(1); } for (i = 0; i < CRYPTO_num_locks(); i++) MUTEX_SETUP(mutex_buf[i]); CRYPTO_set_id_callback(id_function); CRYPTO_set_locking_callback(locking_function); printf("\nLaunching EST server...\n"); rv = est_server_start(ectx); if (rv != EST_ERR_NONE) { printf("\nFailed to init mg (rv=%d)\n", rv); exit(1); } /* * Start the simple server, which opens a TCP * socket, waits for incoming connections, and * invokes the EST handler for each connection. */ start_simple_server(ectx, tcp_port, sleep_delay, v6); cleanup(); EVP_PKEY_free(priv_key); X509_free(x); return 0; }
int main (int argc, char **argv) { signed char c; int set_fips_return = 0; char file_name[MAX_FILENAME_LEN]; BIO *keyin; BIO *certin; static struct option long_options[] = { { "trustanchor", 1, 0, 0 }, { "srp", 0, 0, 0 }, { "srp-user", 1, 0, 0 }, { "srp-password", 1, 0, 0 }, { "auth-token", 1, 0, 0 }, { "common-name", 1, 0, 0 }, { "pem-output", 0, 0, 0 }, { NULL, 0, NULL, 0 } }; int option_index = 0; int trustanchor = 1; /* default to require a trust anchor */ char *trustanchor_file = NULL; est_http_uid[0] = 0x0; est_http_pwd[0] = 0x0; /* * Set the default common name to put into the Subject field */ strncpy(subj_cn, "127.0.0.1", MAX_CN); memset(csr_file, 0, 1); memset(priv_key_file, 0, 1); memset(client_key_file, 0, 1); memset(client_cert_file, 0, 1); memset(out_dir, 0, 1); while ((c = getopt_long(argc, argv, "?zfvagerx:y:k:s:p:o:c:w:u:h:", long_options, &option_index)) != -1) { switch (c) { case 0: #if 0 printf("option %s", long_options[option_index].name); if (optarg) { printf(" with arg %s", optarg); } printf("\n"); #endif if (!strncmp(long_options[option_index].name, "trustanchor", strlen("trustanchor"))) { if (!strncmp(optarg, "no", strlen("no"))) { trustanchor = 0; } else { trustanchor_file = optarg; } } if (!strncmp(long_options[option_index].name, "srp", strlen("srp"))) { srp = 1; } if (!strncmp(long_options[option_index].name, "srp-user", strlen("srp-user"))) { strncpy(est_srp_uid, optarg, MAX_UID_LEN); } if (!strncmp(long_options[option_index].name, "srp-password", strlen("srp-password"))) { strncpy(est_srp_pwd, optarg, MAX_PWD_LEN); } if (!strncmp(long_options[option_index].name,"auth-token", strlen("auth-token"))) { strncpy(est_auth_token, optarg, MAX_AUTH_TOKEN_LEN); token_auth_mode = 1; } if (!strncmp(long_options[option_index].name, "common-name", strlen("common-name"))) { strncpy(subj_cn, optarg, MAX_CN); } if (!strncmp(long_options[option_index].name, "pem-output", strlen("pem-output"))) { pem_out = 1; } break; case 'v': verbose = 1; break; case 'z': force_pop = 1; break; case 'a': getcsr = 1; break; case 'g': getcert = 1; break; case 'e': enroll = 1; break; case 'r': reenroll = 1; break; case 'u': strncpy(est_http_uid, optarg, MAX_UID_LEN); break; case 'h': strncpy(est_http_pwd, optarg, MAX_PWD_LEN); break; case 's': strncpy(est_server, optarg, MAX_SERVER_LEN); break; case 'x': strncpy(priv_key_file, optarg, MAX_FILENAME_LEN); break; case 'y': strncpy(csr_file, optarg, MAX_FILENAME_LEN); break; case 'k': strncpy(client_key_file, optarg, MAX_FILENAME_LEN); break; case 'c': strncpy(client_cert_file, optarg, MAX_FILENAME_LEN); break; case 'o': strncpy(out_dir, optarg, MAX_FILENAME_LEN); break; case 'p': est_port = atoi(optarg); break; case 'f': /* Turn FIPS on if requested and exit if failure */ set_fips_return = FIPS_mode_set(1); if (!set_fips_return) { printf("\nERROR setting FIPS MODE ON ...\n"); ERR_load_crypto_strings(); ERR_print_errors(BIO_new_fp(stderr, BIO_NOCLOSE)); exit(1); } else { printf("\nRunning EST Sample Client with FIPS MODE = ON\n"); }; break; case 'w': read_timeout = atoi(optarg); if (read_timeout > EST_SSL_READ_TIMEOUT_MAX) { printf("\nMaxium number of seconds to wait is %d, ", EST_SSL_READ_TIMEOUT_MAX); printf("please use a lower value with the -w option\n"); exit(1); } break; default: show_usage_and_exit(); break; } } if (optind < argc) { printf("non-option ARGV-elements: "); while (optind < argc) { printf("%s ", argv[optind++]); } printf("\n"); } argc -= optind; argv += optind; if (est_http_uid[0] && !est_http_pwd[0]) { printf("Error: The password for HTTP authentication must be specified when the HTTP user name is set.\n"); exit(1); } if (csr_file[0] && getcsr) { printf("\nError: The -a option (CSR attributes) does not make sense with a pre-defined CSR\n"); exit(1); } if (csr_file[0] && priv_key_file[0]) { printf("\nError: The -x option (private key for CSR) does not make sense with a pre-defined CSR\n"); exit(1); } if (csr_file[0] && force_pop) { printf("\nError: The -z option (PoP) does not make sense with a pre-defined CSR\n"); exit(1); } if (reenroll & csr_file[0]) { printf("\nError: The -y option (predefined CSRs) does not make sense for re-enrollment\n"); exit(1); } if (verbose) { print_version(); printf("\nUsing EST server %s:%d", est_server, est_port); if (csr_file [0]) { printf("\nUsing CSR file %s", csr_file); } if (priv_key_file [0]) { printf("\nUsing identity private key file %s", priv_key_file); } if (client_cert_file[0]) { printf("\nUsing identity client cert file %s", client_cert_file); } if (client_key_file [0]) { printf("\nUsing identity private key file %s", client_key_file); } } if (enroll && reenroll) { printf("\nThe enroll and reenroll operations can not be used together\n"); exit(1); } if (!out_dir[0]) { printf("\nOutput directory must be specified with -o option\n"); exit(1); } if (trustanchor) { if (!trustanchor_file) { /* * Get the trust anchor filename from the environment var */ if (!getenv("EST_OPENSSL_CACERT")) { printf("\nCACERT file not set, set EST_OPENSSL_CACERT to resolve"); exit(1); } trustanchor_file = getenv("EST_OPENSSL_CACERT"); } /* * Read in the CA certificates */ cacerts_len = read_binary_file(trustanchor_file, &cacerts); if (cacerts_len <= 0) { printf("\nCACERT file could not be read\n"); exit(1); } } /* * Read in the current client certificate */ if (client_cert_file[0]) { certin = BIO_new(BIO_s_file_internal()); if (BIO_read_filename(certin, client_cert_file) <= 0) { printf("\nUnable to read client certificate file %s\n", client_cert_file); exit(1); } /* * This reads the file, which is expected to be PEM encoded. If you're using * DER encoded certs, you would invoke d2i_X509_bio() instead. */ client_cert = PEM_read_bio_X509(certin, NULL, NULL, NULL); if (client_cert == NULL) { printf("\nError while reading PEM encoded client certificate file %s\n", client_cert_file); exit(1); } BIO_free(certin); } /* * Read in the client's private key */ if (client_key_file[0]) { keyin = BIO_new(BIO_s_file_internal()); if (BIO_read_filename(keyin, client_key_file) <= 0) { printf("\nUnable to read client private key file %s\n", client_key_file); exit(1); } /* * This reads in the private key file, which is expected to be a PEM * encoded private key. If using DER encoding, you would invoke * d2i_PrivateKey_bio() instead. */ client_priv_key = PEM_read_bio_PrivateKey(keyin, NULL, NULL, NULL); if (client_priv_key == NULL) { printf("\nError while reading PEM encoded private key file %s\n", client_key_file); ERR_print_errors_fp(stderr); exit(1); } BIO_free(keyin); } est_apps_startup(); #if DEBUG_OSSL_LEAKS CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); #endif if (verbose) { est_init_logger(EST_LOG_LVL_INFO, &test_logger_stdout); est_enable_backtrace(1); } else { est_init_logger(EST_LOG_LVL_ERR, &test_logger_stdout); } if (!priv_key_file[0] && enroll && !csr_file[0]) { printf("\nA private key is required for enrolling. Creating a new RSA key pair since you didn't provide a key using the -x option."); /* * Create a private key that will be used for the * enroll operation. */ new_pkey = generate_private_key(&new_pkey_len); snprintf(file_name, MAX_FILENAME_LEN, "%s/newkey.pem", out_dir); write_binary_file(file_name, new_pkey, new_pkey_len); free(new_pkey); /* * prepare to read it back in to an EVP_PKEY struct */ strncpy(priv_key_file, file_name, MAX_FILENAME_LEN); } if (enroll && !csr_file[0]) { /* Read in the private key file */ priv_key = read_private_key(priv_key_file); } do_operation(); if (priv_key) { EVP_PKEY_free(priv_key); } if (client_priv_key) { EVP_PKEY_free(client_priv_key); } if (client_cert) { X509_free(client_cert); } free(cacerts); if (c_cert_len) { free(c_cert); } if (c_key_len) { free(c_key); } est_apps_shutdown(); #if DEBUG_OSSL_LEAKS BIO *bio_err; bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); CRYPTO_mem_leaks(bio_err); BIO_free(bio_err); #endif printf("\n"); return 0; }
/* The main() function for setting up and running the tests. * Returns a CUE_SUCCESS on successful running, another * CUnit error code on failure. */ int main(int argc, char *argv[]) { #ifdef HAVE_CUNIT int xml = 0; int con = 0; CU_pFailureRecord fr; int size; int i; int rv; if (argc >= 2 && !strcmp(argv[1], "-xml")) { xml = 1; } else if (argc >= 2 && !strcmp(argv[1], "-con")) { con = 1; } est_apps_startup(); est_set_log_source(EST_CLIENT); /* * Install thread locking mechanism for OpenSSL */ size = sizeof(pthread_mutex_t) * CRYPTO_num_locks(); if ((ssl_mutexes = (pthread_mutex_t*)malloc((size_t)size)) == NULL) { printf("Cannot allocate mutexes"); exit(1); } for (i = 0; i < CRYPTO_num_locks(); i++) { pthread_mutex_init(&ssl_mutexes[i], NULL); } CRYPTO_set_locking_callback(&ssl_locking_callback); CRYPTO_set_id_callback(&ssl_id_callback); /* initialize the CUnit test registry */ if (CUE_SUCCESS != CU_initialize_registry()) { return CU_get_error(); } #define ADD(N) { extern int N##_add_suite(void); rv = N##_add_suite(); \ if (rv != CUE_SUCCESS) { fprintf(stderr, "Failed "#N"_add_suite (%d)\n", rv); exit(1); } } ADD(us748); ADD(us893); ADD(us894); ADD(us895); ADD(us896); ADD(us897); ADD(us898); ADD(us899); ADD(us900); ADD(us901); ADD(us902); ADD(us903); ADD(us1005); ADD(us1060); ADD(us1159); ADD(us1864); ADD(us1883); ADD(us1884); ADD(us2174); if (xml) { /* Run all test using automated interface, which * generates XML output */ CU_list_tests_to_file(); CU_automated_run_tests(); } else if (con) { CU_console_run_tests(); } else { /* Run all tests using the CUnit Basic interface, * which generates text output */ #if 0 CU_basic_set_mode(CU_BRM_VERBOSE); CU_basic_run_tests(); #else CU_set_test_start_handler (test_start); CU_set_test_complete_handler(test_complete); CU_run_all_tests(); #endif fr = CU_get_failure_list(); if (fr) { fprintf(stderr, "\nHere is a summary of the failed test cases:\n"); print_failures(fr); } else { fprintf(stderr, "\nAll enabled tests passed.\n"); } } /* * Tear down the mutexes used by OpenSSL */ CRYPTO_set_locking_callback(NULL); for (i = 0; i < CRYPTO_num_locks(); i++) { pthread_mutex_destroy(&ssl_mutexes[i]); } CRYPTO_set_locking_callback(NULL); CRYPTO_set_id_callback(NULL); free(ssl_mutexes); CU_cleanup_registry(); est_apps_shutdown(); return CU_get_error(); #else printf("\nlibcunit not installed, unit tests are not enabled\n"); return 255; #endif }
int main (int argc, char **argv) { signed char c; EVP_PKEY *priv_key; BIO *certin, *keyin; X509 *x; EST_ERROR rv; int sleep_delay = 0; char vfile[255]; int option_index = 0; static struct option long_options[] = { {"srp", 1, NULL, 0}, {"token", 1, 0, 0}, {"auth-token", 1, 0, 0}, {"help", 0, NULL, 0}, {NULL, 0, NULL, 0} }; strncpy(est_server, "127.0.0.1", MAX_SERVER_LEN); while ((c = getopt_long(argc, argv, "?vt6nhfr:c:k:s:p:l:d:", long_options, &option_index)) != -1) { switch (c) { case 0: if (!strncmp(long_options[option_index].name,"srp", strlen("srp"))) { srp = 1; strncpy(vfile, optarg, 255); } else if (!strncmp(long_options[option_index].name,"token", strlen("token"))) { server_http_token_auth = 1; strncpy(&(valid_token_value[0]), optarg, MAX_AUTH_TOKEN_LEN); } else if (!strncmp(long_options[option_index].name,"auth-token", strlen("auth-token"))) { strncpy(est_auth_token, optarg, MAX_AUTH_TOKEN_LEN); client_token_auth_mode = 1; } else show_usage_and_exit(); break; case 'v': verbose = 1; break; case 't': pop = 1; break; case '6': v6 = 1; break; case 'h': http_digest_auth = 1; break; case 'b': http_basic_auth = 1; break; case 'n': http_auth_disable = 1; break; case 'c': strncpy(certfile, optarg, EST_MAX_FILE_LEN); break; case 'k': strncpy(keyfile, optarg, EST_MAX_FILE_LEN); break; case 'r': strncpy(realm, optarg, MAX_REALM); break; case 's': strncpy(est_server, optarg, MAX_SERVER_LEN); break; #ifndef DISABLE_PTHREADS case 'd': sleep_delay = atoi(optarg); break; #endif case 'p': est_server_port = atoi(optarg); break; case 'l': listen_port = atoi(optarg); break; case 'f': /* * Turn FIPS on if user requested it and exit if failure */ set_fips_return = FIPS_mode_set(1); if (set_fips_return != 1) { set_fips_error = ERR_get_error(); printf("\nERROR WHILE SETTING FIPS MODE ON exiting ....\n"); exit(1); } else { printf("Running EST Sample Proxy with FIPS MODE = ON !\n"); }; break; case '?': default: show_usage_and_exit(); break; } } argc -= optind; argv += optind; if (verbose) { fprintf(stdout, "EST Proxy start up values:\n"); print_version(stdout); fprintf(stdout, "Using EST server %s:%d\n", est_server, est_server_port); fprintf(stdout, "Listening on port: %d\n", listen_port); fprintf(stdout, "Using identity cert file: %s\n", certfile); fprintf(stdout, "Using identity private key file: %s\n", keyfile); fprintf(stdout, "Using realm value: %s\n", realm); fflush(stdout); } if (!getenv("EST_TRUSTED_CERTS")) { printf("\nEST_TRUSTED_CERTS file not set, set this env variable to resolve\n"); exit(1); } /* * Read in the CA certificates */ if (getenv("EST_CACERTS_RESP")) { cacerts_len = read_binary_file(getenv("EST_CACERTS_RESP"), &cacerts_raw); if (cacerts_len <= 0) { printf("\nEST_CACERTS_RESP file could not be read\n"); exit(1); } } /* * Read in the trusted CA certificates for the local TLS context */ if (getenv("EST_TRUSTED_CERTS")) { trustcerts_len = read_binary_file(getenv("EST_TRUSTED_CERTS"), &trustcerts); if (trustcerts_len <= 0) { printf("\nEST_TRUSTED_CERTS file could not be read\n"); exit(1); } } est_apps_startup(); /* * Read in the local server certificate */ certin = BIO_new(BIO_s_file_internal()); if (BIO_read_filename(certin, certfile) <= 0) { printf("\nUnable to read server certificate file %s\n", certfile); exit(1); } /* * This reads the file, which is expected to be PEM encoded. If you're using * DER encoded certs, you would invoke d2i_X509_bio() instead. */ x = PEM_read_bio_X509(certin, NULL, NULL, NULL); if (x == NULL) { printf("\nError while reading PEM encoded server certificate file %s\n", certfile); exit(1); } BIO_free(certin); /* * Read in the server's private key */ keyin = BIO_new(BIO_s_file_internal()); if (BIO_read_filename(keyin, keyfile) <= 0) { printf("\nUnable to read server private key file %s\n", keyfile); exit(1); } /* * This reads in the private key file, which is expected to be a PEM * encoded private key. If using DER encoding, you would invoke * d2i_PrivateKey_bio() instead. */ priv_key = PEM_read_bio_PrivateKey(keyin, NULL, NULL, NULL); if (priv_key == NULL) { printf("\nError while reading PEM encoded private key file %s\n", keyfile); ERR_print_errors_fp(stderr); exit(1); } BIO_free(keyin); if (verbose) { est_init_logger(EST_LOG_LVL_INFO, NULL); est_enable_backtrace(1); } /* * Initialize EST context from libest */ ectx = est_proxy_init(trustcerts, trustcerts_len, cacerts_raw, cacerts_len, EST_CERT_FORMAT_PEM, realm, x, priv_key, "estuser", "estpwd"); if (!ectx) { printf("\nUnable to initialize EST context. Aborting!!!\n"); exit(1); } if (!http_auth_disable) { if (est_set_http_auth_cb(ectx, &process_http_auth)) { printf("\nUnable to set EST HTTP AUTH callback. Aborting!!!\n"); exit(1); } } if (http_digest_auth) { rv = est_proxy_set_auth_mode(ectx, AUTH_DIGEST); if (rv != EST_ERR_NONE) { printf("\nUnable to enable HTTP digest authentication. Aborting!!!\n"); exit(1); } } if (http_basic_auth) { rv = est_server_set_auth_mode(ectx, AUTH_BASIC); if (rv != EST_ERR_NONE) { printf("\nUnable to enable HTTP basic authentication. Aborting!!!\n"); exit(1); } } if (server_http_token_auth) { rv = est_server_set_auth_mode(ectx, AUTH_TOKEN); if (rv != EST_ERR_NONE) { printf("\nUnable to enable HTTP token authentication. Aborting!!!\n"); exit(1); } } if (!pop) { printf("Disabling PoP check\n"); est_server_disable_pop(ectx); } est_proxy_set_server(ectx, est_server, est_server_port); if (srp) { srp_db = SRP_VBASE_new(NULL); if (!srp_db) { printf("\nUnable allocate SRP verifier database. Aborting!!!\n"); exit(1); } if (SRP_VBASE_init(srp_db, vfile) != SRP_NO_ERROR) { printf("\nUnable initialize SRP verifier database. Aborting!!!\n"); exit(1); } if (est_server_enable_srp(ectx, &process_ssl_srp_auth)) { printf("\nUnable to enable SRP. Aborting!!!\n"); exit(1); } } if (client_token_auth_mode) { rv = est_proxy_set_auth_cred_cb(ectx, auth_credentials_token_cb); if (rv != EST_ERR_NONE) { printf("\nUnable to register token auth callback. Aborting!!!\n"); exit(1); } } #ifndef DISABLE_PTHREADS /* * Install thread locking mechanism for OpenSSL */ int size = sizeof(pthread_mutex_t) * CRYPTO_num_locks(); if ((ssl_mutexes = (pthread_mutex_t*)malloc((size_t)size)) == NULL) { printf("\nCannot allocate mutexes\n"); exit(1); } int i; for (i = 0; i < CRYPTO_num_locks(); i++) { pthread_mutex_init(&ssl_mutexes[i], NULL); } CRYPTO_set_locking_callback(&ssl_locking_callback); CRYPTO_set_id_callback(&ssl_id_callback); #endif printf("Launching EST proxy...\n"); rv = est_proxy_start(ectx); if (rv != EST_ERR_NONE) { printf("\nFailed to init mg (rv=%d)\n", rv); exit(1); } /* * Start the simple server, which opens a TCP * socket, waits for incoming connections, and * invokes the EST handler for each connection. */ start_simple_server(ectx, listen_port, sleep_delay, v6); cleanup(); return 0; }
int main (int argc, char **argv) { EST_ERROR rv; char c; char *key_data; EVP_PKEY *key; char *trustanchor_file; EST_CTX *ectx; int p7_len; int ca_certs_len; unsigned char *new_client_cert; unsigned char *new_certs; static struct option long_options[] = { {"srp", 0, 0, 0}, {"srp-user", 1, 0, 0}, {"srp-password", 1, 0, 0}, {"auth-token", 1, 0, 0}, {NULL, 0, NULL, 0} }; int option_index = 0; est_http_uid[0] = 0x0; est_http_pwd[0] = 0x0; while ((c = getopt_long(argc, argv, "s:p:u:h:", long_options, &option_index)) != -1) { switch (c) { case 0: if (!strncmp(long_options[option_index].name,"srp", strlen("srp"))) { srp = 1; } if (!strncmp(long_options[option_index].name,"srp-user", strlen("srp-user"))) { strncpy(est_srp_uid, optarg, MAX_UID_LEN); } if (!strncmp(long_options[option_index].name,"srp-password", strlen("srp-password"))) { strncpy(est_srp_pwd, optarg, MAX_PWD_LEN); } if (!strncmp(long_options[option_index].name,"auth-token", strlen("auth-token"))) { strncpy(est_auth_token, optarg, MAX_AUTH_TOKEN_LEN); token_auth_mode = 1; } break; case 'u': strncpy(est_http_uid, optarg, MAX_UID_LEN); break; case 'h': strncpy(est_http_pwd, optarg, MAX_PWD_LEN); break; case 's': strncpy(est_server, optarg, MAX_SERVER_LEN); break; case 'p': est_port = atoi(optarg); break; default: show_usage_and_exit(); break; } } if (optind < argc) { printf ("non-option ARGV-elements: "); while (optind < argc) printf ("%s ", argv[optind++]); printf ("\n"); } argc -= optind; argv += optind; if (est_http_uid[0] && !est_http_pwd[0]) { printf ("Error: The password for HTTP authentication must be specified when the HTTP user name is set.\n"); exit(1); } /* * Initialize the library, including OpenSSL */ est_apps_startup(); print_version(); printf("\nUsing EST server %s:%d", est_server, est_port); /* * Read in the trusted certificates, which are used by * libEST to verify the identity of the EST server. */ trustanchor_file = getenv("EST_OPENSSL_CACERT"); cacerts_len = read_binary_file(trustanchor_file, &cacerts); if (cacerts_len <= 0) { printf("\nTrusted certs file could not be read. Did you set EST_OPENSSL_CACERT?\n"); exit(1); } /* * This is not required, but we'll enable full debugs */ #ifndef WIN32 /* Initialize the EST logging */ est_init_logger(EST_LOG_LVL_INFO, NULL); #else InitializeCriticalSection (&logger_critical_section); est_init_logger(EST_LOG_LVL_INFO, &windows_logger_stderr); #endif /* * Create a public/private key pair that will be used for * the enrollment. We'll write this out to a local * file called new_key.pem. */ key_data = generate_private_RSA_key(2048, NULL/* no password_cb */); write_binary_file("./new_key.pem", (unsigned char *)key_data, strlen(key_data)); /* * Use the load_clear macro to load in an unencrypted key */ key = load_clear_private_key_PEM(key_data); if(!key) { printf("\nUnable to load newly created key from PEM file\n"); exit(1); } memset(key_data, 0, strlen(key_data)); free(key_data); key_data = NULL; ectx = setup_est_context(); if (!ectx) { printf("\nUnable to create EST client context\n"); exit(1); } /* * Attempt to provision a new cert */ rv = est_client_provision_cert(ectx, "localhost", &p7_len, &ca_certs_len, key); if (rv != EST_ERR_NONE) { printf("\nProvisioning failed with error %s\n", EST_ERR_NUM_TO_STR(rv)); exit(1); } EVP_PKEY_free(key); /* * Retrieve a copy of the cert */ new_client_cert = malloc(p7_len); if (new_client_cert == NULL){ printf("\nFailed to allocate memory for the newly provisioned cert\n"); exit(1); } rv = est_client_copy_enrolled_cert(ectx, new_client_cert); if (rv != EST_ERR_NONE) { printf("\nFailed to copy new cert with code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv)); exit(1); } /* * Save the cert to local storage */ write_binary_file(cert_file_name, new_client_cert, p7_len); free(new_client_cert); /* * Retrieve a copy of the new trust anchor */ new_certs = malloc(ca_certs_len); rv = est_client_copy_cacerts(ectx, new_certs); if (rv != EST_ERR_NONE) { printf("\nFailed to copy new CA certs with code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv)); exit(1); } /* * Your appliations should save the CA certs to local storage in case * they're needed for future use. */ write_binary_file(ca_file_name, new_certs, ca_certs_len); free(new_certs); printf("\n\nSuccess!!!\n"); free(cacerts); est_destroy(ectx); est_apps_shutdown(); printf("\n"); return 0; }
/* The main() function for setting up and running the tests. * Returns a CUE_SUCCESS on successful running, another * CUnit error code on failure. */ int main(int argc, char *argv[]) { int xml = 0; int con = 0; CU_pFailureRecord fr; int i; if (argc >= 2 && !strcmp(argv[1], "-xml")) { xml = 1; } else if (argc >= 2 && !strcmp(argv[1], "-con")) { con = 1; } #ifdef HAVE_CUNIT int rv; #ifndef WIN32 struct sigaction sig_act; /* * Indicate that the broken pipe signal during writes should be * ignored */ memset(&sig_act, 0, sizeof(struct sigaction)); sig_act.sa_handler = SIG_IGN; sigemptyset(&sig_act.sa_mask); if (sigaction(SIGPIPE, &sig_act, NULL) == -1) { printf("\nCannot set ignore action for SIGPIPE\n"); } #endif est_apps_startup(); /* * Install thread locking mechanism for OpenSSL */ mutex_buf = malloc(CRYPTO_num_locks() * sizeof(MUTEX_TYPE)); if (!mutex_buf) { printf("Cannot allocate mutexes"); exit(1); } for (i = 0; i < CRYPTO_num_locks(); i++) MUTEX_SETUP(mutex_buf[i]); CRYPTO_set_id_callback(id_function); CRYPTO_set_locking_callback(locking_function); /* initialize the CUnit test registry */ if (CUE_SUCCESS != CU_initialize_registry()) { return CU_get_error(); } #ifdef ENABLE_ALL_SUITES rv = us748_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US748 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us893_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US893 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us894_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US894 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us895_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US895 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us896_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US896 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us897_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US897 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us898_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US898 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us899_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US899 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us900_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US900 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us901_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US901 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us902_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US902 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us903_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US903 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us1005_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US1005 (%d)", rv); exit(1); } #endif #if (DISABLE_SUITE != 0) rv = us1060_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US1060 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us1060c_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US1060c (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us1159_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US1159 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us1190_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US1190 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us1864_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US1864 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us1883_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US1883 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us1884_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US1884 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us2174_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US2174 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us3496_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US3496 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us3512_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US3512 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us3612_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US3612 (%d)", rv); exit(1); } #endif #ifdef ENABLE_ALL_SUITES rv = us4020_add_suite(); if (rv != CUE_SUCCESS) { printf("\nFailed to add test suite for US4020 (%d)", rv); exit(1); } #endif if (xml) { /* Run all test using automated interface, which * generates XML output */ CU_list_tests_to_file(); CU_automated_run_tests(); } else if (con) { CU_console_run_tests(); } else { /* Run all tests using the CUnit Basic interface, * which generates text output */ CU_basic_set_mode(CU_BRM_VERBOSE); CU_basic_run_tests(); fr = CU_get_failure_list(); if (fr) { printf("\n\nHere is a summary of the failed test cases:\n"); CU_basic_show_failures(fr); } } /* * Tear down the mutexes used by OpenSSL */ if (!mutex_buf) return 0; CRYPTO_set_id_callback(NULL); CRYPTO_set_locking_callback(NULL); for (i = 0; i < CRYPTO_num_locks(); i++) MUTEX_CLEANUP(mutex_buf[i]); free(mutex_buf); mutex_buf = NULL; CU_cleanup_registry(); est_apps_shutdown(); return CU_get_error(); #else printf("\nlibcunit not installed, unit test are not enabled\n"); #endif }