lms_priv_key_t* create_lms_priv_key(void)
{
lms_priv_key_t* lms_private_key = (lms_priv_key_t*) malloc(sizeof(lms_priv_key_t));
unsigned int q = 0;
char temp_string[5] = {0};
entropy_read(lms_private_key->I,ENTROPY_SIZE);
//printf("I: %s\n",stringToHex(lms_private_key->I,ENTROPY_SIZE));
lms_private_key->priv = (list_node_t *) malloc(NUM_LEAF_NODES *sizeof(list_node_t));
lms_private_key->pub = (list_node_t *) malloc(NUM_LEAF_NODES *sizeof(list_node_t));
for(q = 0; q < NUM_LEAF_NODES; q++)
{
//printf("I: %s q: %s \n ",lms_private_key->I,uint32ToString(q,temp_string));
lms_private_key->priv[(unsigned int)q].data = (void *)generate_private_key();
lms_private_key->pub[(unsigned int)q].data = (void *)generate_public_key(
(list_node_t* )lms_private_key->priv[(unsigned int)q].data,\
lms_private_key->I, uint32ToString(q,temp_string));
lms_private_key->priv[(unsigned int)q].next = NULL;
lms_private_key->pub[(unsigned int)q].next = NULL;
D(printf(" Generating %u th OTS key PUBLIC KEY %s \n",q,stringToHex(lms_private_key->pub[(unsigned int)q].data,N));)
//exit(1);
}
lms_private_key->nodes = (list_node_t *) malloc( 2* NUM_LEAF_NODES *sizeof(list_node_t));
for(q = 0; q < 2* NUM_LEAF_NODES; q++)
{
lms_private_key->nodes[(unsigned int)q].data = (char *)malloc(N * sizeof(char));
lms_private_key->nodes[(unsigned int)q].next = NULL;
}
lms_private_key->leaf_num = 0;
lms_private_key->lms_public_key = T(lms_private_key,1);
return lms_private_key;
}
static gnutls_x509_privkey gen_crypto(requiem_client_profile_t *cp,
const char *filename, requiem_uid_t uid, requiem_gid_t gid)
{
int ret;
char buf[65535];
gnutls_x509_privkey key;
size_t size = sizeof(buf);
key = generate_private_key();
if ( ! key ) {
fprintf(stderr, "error while generating RSA private key.\n");
return NULL;
}
ret = gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buf, &size);
if ( ret < 0 ) {
fprintf(stderr, "error exporting private key: %s\n", gnutls_strerror(ret));
gnutls_x509_privkey_deinit(key);
return NULL;
}
ret = save_buf(filename, uid, gid, (unsigned char *) buf, size);
if ( ret < 0 ) {
fprintf(stderr, "error saving private key.\n");
return NULL;
}
return key;
}
/*
* This test will initialize EST w/o a trust anchor,
* enable SRP, and perform a simpleenroll.
* This should succeed since SRP doesn't require a
* trust anchor.
*/
static void us1060_test104 ()
{
EST_CTX *ectx;
EVP_PKEY *new_key;
int rv;
int pkcs7_len = 0;
LOG_FUNC_NM;
/*
* We need to restart the EST server using an RSA key
* None of the SRP cipher suites support ECDSA
*/
st_stop();
sleep(2);
us1060_start_server(US1060_SERVER_CERTKEY, US1060_SERVER_CERTKEY, 0, 0, 1);
/*
* Create a client context
*/
ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT);
/*
* Enable SRP on the client
*/
rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD);
/*
* generate a new private key
*/
new_key = generate_private_key();
CU_ASSERT(new_key != NULL);
/*
* Attempt to provision a new cert
*/
rv = est_client_enroll(ectx, "US1060_TEST104", &pkcs7_len, new_key);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Cleanup
*/
EVP_PKEY_free(new_key);
est_destroy(ectx);
}
/*
* Test the re-enroll API to ensure it gracefully
* handles a null X509 cert pointer.
*/
static void us898_test3 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
int pkcs7_len = 0;
int rv;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* Generate a private key
*/
key = generate_private_key();
CU_ASSERT(key != NULL);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* re-enroll using a null x509 pointer.
*/
rv = est_client_reenroll(ectx, NULL, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_NO_CERT);
/*
* Clean up
*/
EVP_PKEY_free(key);
est_destroy(ectx);
}
KeyTable
AddressDb::keyTable()
{
std::lock_guard<std::mutex> lock(mutex_);
auto m00 = mainBranch(wallet_);
KeyTable out;
for (const auto &i: addresses_)
{
out[i.first] = bc::secret_to_wif(
m00.generate_private_key(i.second.index).private_key());
}
return out;
}
/*
* This function performs a basic simple enroll using
* a UID/PWD to identify the client to the server. This
* is used for a variet of test cases in this module.
*/
static void us898_test1 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
int rv;
int pkcs7_len = 0;
unsigned char *new_cert = NULL;
PKCS7 *p7 = NULL;
BIO *b64, *out;
X509 *cert = NULL;
STACK_OF(X509) *certs = NULL;
int i;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* generate a private key
*/
key = generate_private_key();
CU_ASSERT(key != NULL);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Use the simplified API to enroll a CSR
*/
rv = est_client_enroll(ectx, "TC-US898-1", &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_NONE);
if (rv != EST_ERR_NONE) return;
/*
* Retrieve the cert that was given to us by the EST server
*/
if (rv == EST_ERR_NONE) {
new_cert = malloc(pkcs7_len);
CU_ASSERT(new_cert != NULL);
rv = est_client_copy_enrolled_cert(ectx, new_cert);
CU_ASSERT(rv == EST_ERR_NONE);
}
/*
* Convert the cert to an X509. Be warned this is
* pure hackery.
*/
b64 = BIO_new(BIO_f_base64());
out = BIO_new_mem_buf(new_cert, pkcs7_len);
out = BIO_push(b64, out);
p7 = d2i_PKCS7_bio(out,NULL);
CU_ASSERT(p7 != NULL);
BIO_free_all(out);
i=OBJ_obj2nid(p7->type);
switch (i) {
case NID_pkcs7_signed:
certs = p7->d.sign->cert;
break;
case NID_pkcs7_signedAndEnveloped:
certs = p7->d.signed_and_enveloped->cert;
break;
default:
break;
}
CU_ASSERT(certs != NULL);
if (!certs) return;
/* our new cert should be the one and only
* cert in the pkcs7 blob. We shouldn't have to
* iterate through the full list to find it. */
cert = sk_X509_value(certs, 0);
CU_ASSERT(cert != NULL);
/*
* Wow, that's a lot of work, but we finally have the X509.
* (don't you just love OpenSSL!!!)
* Now that we have an X509 representation of the cert,
* let's try to re-enroll this cert with the CA
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Cleanup
*/
if (cert) X509_free(cert);
EVP_PKEY_free(key);
if (new_cert) free(new_cert);
est_destroy(ectx);
}
int main (int argc, char **argv)
{
signed char c;
int set_fips_return = 0;
char file_name[MAX_FILENAME_LEN];
BIO *keyin;
BIO *certin;
static struct option long_options[] = {
{ "trustanchor", 1, 0, 0 },
{ "srp", 0, 0, 0 },
{ "srp-user", 1, 0, 0 },
{ "srp-password", 1, 0, 0 },
{ "auth-token", 1, 0, 0 },
{ "common-name", 1, 0, 0 },
{ "pem-output", 0, 0, 0 },
{ NULL, 0, NULL, 0 }
};
int option_index = 0;
int trustanchor = 1; /* default to require a trust anchor */
char *trustanchor_file = NULL;
est_http_uid[0] = 0x0;
est_http_pwd[0] = 0x0;
/*
* Set the default common name to put into the Subject field
*/
strncpy(subj_cn, "127.0.0.1", MAX_CN);
memset(csr_file, 0, 1);
memset(priv_key_file, 0, 1);
memset(client_key_file, 0, 1);
memset(client_cert_file, 0, 1);
memset(out_dir, 0, 1);
while ((c = getopt_long(argc, argv, "?zfvagerx:y:k:s:p:o:c:w:u:h:", long_options, &option_index)) != -1) {
switch (c) {
case 0:
#if 0
printf("option %s", long_options[option_index].name);
if (optarg) {
printf(" with arg %s", optarg);
}
printf("\n");
#endif
if (!strncmp(long_options[option_index].name, "trustanchor", strlen("trustanchor"))) {
if (!strncmp(optarg, "no", strlen("no"))) {
trustanchor = 0;
} else {
trustanchor_file = optarg;
}
}
if (!strncmp(long_options[option_index].name, "srp", strlen("srp"))) {
srp = 1;
}
if (!strncmp(long_options[option_index].name, "srp-user", strlen("srp-user"))) {
strncpy(est_srp_uid, optarg, MAX_UID_LEN);
}
if (!strncmp(long_options[option_index].name, "srp-password", strlen("srp-password"))) {
strncpy(est_srp_pwd, optarg, MAX_PWD_LEN);
}
if (!strncmp(long_options[option_index].name,"auth-token", strlen("auth-token"))) {
strncpy(est_auth_token, optarg, MAX_AUTH_TOKEN_LEN);
token_auth_mode = 1;
}
if (!strncmp(long_options[option_index].name, "common-name", strlen("common-name"))) {
strncpy(subj_cn, optarg, MAX_CN);
}
if (!strncmp(long_options[option_index].name, "pem-output", strlen("pem-output"))) {
pem_out = 1;
}
break;
case 'v':
verbose = 1;
break;
case 'z':
force_pop = 1;
break;
case 'a':
getcsr = 1;
break;
case 'g':
getcert = 1;
break;
case 'e':
enroll = 1;
break;
case 'r':
reenroll = 1;
break;
case 'u':
strncpy(est_http_uid, optarg, MAX_UID_LEN);
break;
case 'h':
strncpy(est_http_pwd, optarg, MAX_PWD_LEN);
break;
case 's':
strncpy(est_server, optarg, MAX_SERVER_LEN);
break;
case 'x':
strncpy(priv_key_file, optarg, MAX_FILENAME_LEN);
break;
case 'y':
strncpy(csr_file, optarg, MAX_FILENAME_LEN);
break;
case 'k':
strncpy(client_key_file, optarg, MAX_FILENAME_LEN);
break;
case 'c':
strncpy(client_cert_file, optarg, MAX_FILENAME_LEN);
break;
case 'o':
strncpy(out_dir, optarg, MAX_FILENAME_LEN);
break;
case 'p':
est_port = atoi(optarg);
break;
case 'f':
/* Turn FIPS on if requested and exit if failure */
set_fips_return = FIPS_mode_set(1);
if (!set_fips_return) {
printf("\nERROR setting FIPS MODE ON ...\n");
ERR_load_crypto_strings();
ERR_print_errors(BIO_new_fp(stderr, BIO_NOCLOSE));
exit(1);
} else {
printf("\nRunning EST Sample Client with FIPS MODE = ON\n");
};
break;
case 'w':
read_timeout = atoi(optarg);
if (read_timeout > EST_SSL_READ_TIMEOUT_MAX) {
printf("\nMaxium number of seconds to wait is %d, ", EST_SSL_READ_TIMEOUT_MAX);
printf("please use a lower value with the -w option\n");
exit(1);
}
break;
default:
show_usage_and_exit();
break;
}
}
if (optind < argc) {
printf("non-option ARGV-elements: ");
while (optind < argc) {
printf("%s ", argv[optind++]);
}
printf("\n");
}
argc -= optind;
argv += optind;
if (est_http_uid[0] && !est_http_pwd[0]) {
printf("Error: The password for HTTP authentication must be specified when the HTTP user name is set.\n");
exit(1);
}
if (csr_file[0] && getcsr) {
printf("\nError: The -a option (CSR attributes) does not make sense with a pre-defined CSR\n");
exit(1);
}
if (csr_file[0] && priv_key_file[0]) {
printf("\nError: The -x option (private key for CSR) does not make sense with a pre-defined CSR\n");
exit(1);
}
if (csr_file[0] && force_pop) {
printf("\nError: The -z option (PoP) does not make sense with a pre-defined CSR\n");
exit(1);
}
if (reenroll & csr_file[0]) {
printf("\nError: The -y option (predefined CSRs) does not make sense for re-enrollment\n");
exit(1);
}
if (verbose) {
print_version();
printf("\nUsing EST server %s:%d", est_server, est_port);
if (csr_file [0]) {
printf("\nUsing CSR file %s", csr_file);
}
if (priv_key_file [0]) {
printf("\nUsing identity private key file %s", priv_key_file);
}
if (client_cert_file[0]) {
printf("\nUsing identity client cert file %s", client_cert_file);
}
if (client_key_file [0]) {
printf("\nUsing identity private key file %s", client_key_file);
}
}
if (enroll && reenroll) {
printf("\nThe enroll and reenroll operations can not be used together\n");
exit(1);
}
if (!out_dir[0]) {
printf("\nOutput directory must be specified with -o option\n");
exit(1);
}
if (trustanchor) {
if (!trustanchor_file) {
/*
* Get the trust anchor filename from the environment var
*/
if (!getenv("EST_OPENSSL_CACERT")) {
printf("\nCACERT file not set, set EST_OPENSSL_CACERT to resolve");
exit(1);
}
trustanchor_file = getenv("EST_OPENSSL_CACERT");
}
/*
* Read in the CA certificates
*/
cacerts_len = read_binary_file(trustanchor_file, &cacerts);
if (cacerts_len <= 0) {
printf("\nCACERT file could not be read\n");
exit(1);
}
}
/*
* Read in the current client certificate
*/
if (client_cert_file[0]) {
certin = BIO_new(BIO_s_file_internal());
if (BIO_read_filename(certin, client_cert_file) <= 0) {
printf("\nUnable to read client certificate file %s\n", client_cert_file);
exit(1);
}
/*
* This reads the file, which is expected to be PEM encoded. If you're using
* DER encoded certs, you would invoke d2i_X509_bio() instead.
*/
client_cert = PEM_read_bio_X509(certin, NULL, NULL, NULL);
if (client_cert == NULL) {
printf("\nError while reading PEM encoded client certificate file %s\n", client_cert_file);
exit(1);
}
BIO_free(certin);
}
/*
* Read in the client's private key
*/
if (client_key_file[0]) {
keyin = BIO_new(BIO_s_file_internal());
if (BIO_read_filename(keyin, client_key_file) <= 0) {
printf("\nUnable to read client private key file %s\n", client_key_file);
exit(1);
}
/*
* This reads in the private key file, which is expected to be a PEM
* encoded private key. If using DER encoding, you would invoke
* d2i_PrivateKey_bio() instead.
*/
client_priv_key = PEM_read_bio_PrivateKey(keyin, NULL, NULL, NULL);
if (client_priv_key == NULL) {
printf("\nError while reading PEM encoded private key file %s\n", client_key_file);
ERR_print_errors_fp(stderr);
exit(1);
}
BIO_free(keyin);
}
est_apps_startup();
#if DEBUG_OSSL_LEAKS
CRYPTO_malloc_debug_init();
CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
#endif
if (verbose) {
est_init_logger(EST_LOG_LVL_INFO, &test_logger_stdout);
est_enable_backtrace(1);
} else {
est_init_logger(EST_LOG_LVL_ERR, &test_logger_stdout);
}
if (!priv_key_file[0] && enroll && !csr_file[0]) {
printf("\nA private key is required for enrolling. Creating a new RSA key pair since you didn't provide a key using the -x option.");
/*
* Create a private key that will be used for the
* enroll operation.
*/
new_pkey = generate_private_key(&new_pkey_len);
snprintf(file_name, MAX_FILENAME_LEN, "%s/newkey.pem", out_dir);
write_binary_file(file_name, new_pkey, new_pkey_len);
free(new_pkey);
/*
* prepare to read it back in to an EVP_PKEY struct
*/
strncpy(priv_key_file, file_name, MAX_FILENAME_LEN);
}
if (enroll && !csr_file[0]) {
/* Read in the private key file */
priv_key = read_private_key(priv_key_file);
}
do_operation();
if (priv_key) {
EVP_PKEY_free(priv_key);
}
if (client_priv_key) {
EVP_PKEY_free(client_priv_key);
}
if (client_cert) {
X509_free(client_cert);
}
free(cacerts);
if (c_cert_len) {
free(c_cert);
}
if (c_key_len) {
free(c_key);
}
est_apps_shutdown();
#if DEBUG_OSSL_LEAKS
BIO *bio_err;
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
CRYPTO_mem_leaks(bio_err);
BIO_free(bio_err);
#endif
printf("\n");
return 0;
}
static void us748_test9 (void)
{
EST_CTX *ctx;
int rv;
unsigned char *cacerts;
int caclen = 0;
EVP_PKEY *new_pkey;
unsigned char *pkcs7;
int pkcs7_len = 0;
unsigned char *attr_data;
int attr_len;
LOG_FUNC_NM;
/*
* Make sure our EST server has PoP disabled
*/
st_disable_pop();
/*
* Read in the CA certs
*/
caclen = read_binary_file(US748_CACERTS, &cacerts);
CU_ASSERT(cacerts_len > 0);
/*
* Init the client context
*/
ctx = est_client_init(cacerts, caclen, EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
/*
* We'll use simple HTTP auth to identify ourselves
*/
rv = est_client_set_auth(ctx, "estuser", "estpwd", NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
est_client_set_server(ctx, "127.0.0.1", US748_TCP_PROXY_PORT);
/*
* Create some space to hold the cert and generate
* a private key
*/
new_pkey = generate_private_key();
rv = est_client_get_csrattrs(ctx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Attempt to enroll
*/
ctx->csr_pop_required = 1; //This is a hack for testing only, do not attempt this
//We need to force the challengePassword into the CSR
rv = est_client_enroll(ctx, "TestCase9", &pkcs7_len, new_pkey);
CU_ASSERT(rv == EST_ERR_NONE);
pkcs7 = malloc(pkcs7_len);
rv = est_client_copy_enrolled_cert(ctx, pkcs7);
free(pkcs7);
est_destroy(ctx);
}
/*
* Simple enroll - PoP check succeeds with estclient
*
* This test case verifies the proxy is
* verifying the PoP from the client CSR. We use
* estclient since it supports the PoP.
*/
static void us748_test7 (void)
{
long rv;
EST_CTX *c_ctx;
EVP_PKEY *new_pkey;
unsigned char *pkcs7;
int pkcs7_len;
unsigned char *attr_data;
int attr_len;
LOG_FUNC_NM;
/*
* This test case requires PoP to be enabled
*/
st_enable_pop();
/*
* Create a client context
*/
c_ctx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(c_ctx != NULL);
if (!c_ctx) {
return;
}
/*
* Specify user ID and password since the server is running
* in Basic Authentication mode.
*/
rv = est_client_set_auth(c_ctx, "estuser", "estpwd", NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
est_client_set_server(c_ctx, "127.0.0.1", US748_TCP_PROXY_PORT);
/*
* get a keypair to be used in the enroll.
*/
new_pkey = generate_private_key();
rv = est_client_get_csrattrs(c_ctx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Attempt to enroll a CSR
*/
rv = est_client_enroll(c_ctx, "US748-test7 CN", &pkcs7_len, new_pkey);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Client library has obtained the new client certificate.
* Now retrieve it from the library.
*/
pkcs7 = malloc(pkcs7_len);
if (!pkcs7) {
return;
}
rv = est_client_copy_enrolled_cert (c_ctx, pkcs7);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Clean up
*/
est_destroy(c_ctx);
EVP_PKEY_free(new_pkey);
free(pkcs7);
/*
* Disable PoP for future test cases
*/
st_disable_pop();
}
/*
* This test does a simple enroll with SRP using a
* non-default value for the SRP strength.
*/
static void us1060_test106 ()
{
EST_CTX *ectx;
EVP_PKEY *new_key;
int rv;
int pkcs7_len = 0;
LOG_FUNC_NM;
/*
* We need to restart the EST server using an RSA key
* None of the SRP cipher suites support ECDSA
*/
st_stop();
sleep(2);
rv = us1060_start_server(US1060_SERVER_CERTKEY, US1060_SERVER_CERTKEY, 0, 0, 1);
/*
* Create a client context
*/
ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT);
/*
* Enable SRP on the client
* Use a strength below the minimum
*/
rv = est_client_enable_srp(ectx, 1023, US1060_UID, US1060_PWD);
CU_ASSERT(rv == EST_ERR_SRP_STRENGTH_LOW);
/*
* Enable SRP on the client
* Use a strength slightly larger then the N value in passwd.srpv
*/
rv = est_client_enable_srp(ectx, 1537, US1060_UID, US1060_PWD);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* generate a new private key
*/
new_key = generate_private_key();
CU_ASSERT(new_key != NULL);
/*
* Attempt to provision a new cert
*/
rv = est_client_enroll(ectx, "US1060_TEST106a", &pkcs7_len, new_key);
CU_ASSERT(rv == EST_ERR_SSL_CONNECT);
/*
* Enable SRP on the client
* Use a strength the same size as the N value in passwd.srpv
*/
rv = est_client_enable_srp(ectx, 1536, US1060_UID, US1060_PWD);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Attempt to provision a new cert
*/
rv = est_client_enroll(ectx, "US1060_TEST106b", &pkcs7_len, new_key);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Cleanup
*/
EVP_PKEY_free(new_key);
est_destroy(ectx);
}
/*
* This test will enable a just the SRP-RSA-AES-128-CBC-SHA
* cipher suite, which forces the server to send a certificate
* to the client while SRP is used. Similar to #104, we'll
* omit configuring the trust anchor on the client context.
* This should cause the TLS session to fail since the
* server cert can not be verified without a trust anchor.
*/
static void us1060_test105 ()
{
EST_CTX *ectx;
EVP_PKEY *new_key;
int rv;
int pkcs7_len = 0;
struct est_dumb_ctx *ed;
LOG_FUNC_NM;
/*
* We need to restart the EST server using an RSA key
* None of the SRP cipher suites support ECDSA
*/
st_stop();
sleep(2);
us1060_start_server(US1060_RSA_CERT, US1060_RSA_KEY, 0, 0, 1);
/*
* Create a client context
*/
ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT);
/*
* Enable SRP on the client
*/
rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD);
/*
* This is not an approved use of the EST API. We do this
* here only to increase code coverage for testing
* purposes only. If you are looking at this code as
* an example of how to use the EST API, do not do this!
*/
ed = (struct est_dumb_ctx*)ectx;
rv = SSL_CTX_set_cipher_list(ed->ssl_ctx, "SRP-RSA-AES-128-CBC-SHA");
CU_ASSERT(rv == 1);
/*
* generate a new private key
*/
new_key = generate_private_key();
CU_ASSERT(new_key != NULL);
/*
* Attempt to provision a new cert
*/
rv = est_client_enroll(ectx, "US1060_TEST105", &pkcs7_len, new_key);
CU_ASSERT(rv == EST_ERR_SSL_CONNECT);
/*
* Cleanup
*/
EVP_PKEY_free(new_key);
est_destroy(ectx);
}
static void us1060_easy_provision (int use_srp, int use_ta, char *cipher_suite, int port, int expected_rv)
{
EST_CTX *ectx;
EVP_PKEY *new_key;
int rv;
int pkcs7_len = 0;
int ca_certs_len = 0;
unsigned char *new_cert = NULL;
struct est_dumb_ctx *ed;
/*
* Create a client context
*/
if (use_ta) {
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
NULL);
} else {
ectx = est_client_init(NULL, 0,
EST_CERT_FORMAT_PEM,
NULL);
}
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US1060_SERVER_IP, port);
if (use_srp) {
rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD);
}
if (cipher_suite) {
/*
* This is not an approved use of the EST API. We do this
* here only to increase code coverage for testing
* purposes only. If you are looking at this code as
* an example of how to use the EST API, do not do this!
*/
ed = (struct est_dumb_ctx*)ectx;
rv = SSL_CTX_set_cipher_list(ed->ssl_ctx, cipher_suite);
CU_ASSERT(rv == 1);
}
/*
* generate a new private key
*/
new_key = generate_private_key();
CU_ASSERT(new_key != NULL);
/*
* Attempt to provision a new cert
*/
rv = est_client_provision_cert(ectx, "US1060_TEST1xx", &pkcs7_len, &ca_certs_len, new_key);
CU_ASSERT(rv == expected_rv);
if (rv != expected_rv) {
printf("\nExpected rv was %d, rv returned was %d", expected_rv, rv);
}
EVP_PKEY_free(new_key);
/*
* Retrieve the cert that was given to us by the EST server
*/
if (rv == EST_ERR_NONE) {
new_cert = malloc(pkcs7_len);
CU_ASSERT(new_cert != NULL);
rv = est_client_copy_enrolled_cert(ectx, new_cert);
CU_ASSERT(rv == EST_ERR_NONE);
if (new_cert) free(new_cert);
} else {
est_destroy(ectx);
return;
}
/*
* Retrieve a copy of the new CA certs
*/
if (rv == EST_ERR_NONE) {
new_cert = malloc(ca_certs_len);
CU_ASSERT(new_cert != NULL);
rv = est_client_copy_cacerts(ectx, new_cert);
CU_ASSERT(rv == EST_ERR_NONE);
if (new_cert) free(new_cert);
} else {
est_destroy(ectx);
return;
}
/*
* Cleanup
*/
est_destroy(ectx);
}
BCW_API hd_public_key hd_private_key::generate_public_key(uint32_t i) const
{
return generate_private_key(i);
}
static void
create_peerkey ()
{
peer_privkey = generate_private_key (bits);
peer_pubkey = private_key_to_pub (peer_privkey);
}
