lms_priv_key_t* create_lms_priv_key(void) { lms_priv_key_t* lms_private_key = (lms_priv_key_t*) malloc(sizeof(lms_priv_key_t)); unsigned int q = 0; char temp_string[5] = {0}; entropy_read(lms_private_key->I,ENTROPY_SIZE); //printf("I: %s\n",stringToHex(lms_private_key->I,ENTROPY_SIZE)); lms_private_key->priv = (list_node_t *) malloc(NUM_LEAF_NODES *sizeof(list_node_t)); lms_private_key->pub = (list_node_t *) malloc(NUM_LEAF_NODES *sizeof(list_node_t)); for(q = 0; q < NUM_LEAF_NODES; q++) { //printf("I: %s q: %s \n ",lms_private_key->I,uint32ToString(q,temp_string)); lms_private_key->priv[(unsigned int)q].data = (void *)generate_private_key(); lms_private_key->pub[(unsigned int)q].data = (void *)generate_public_key( (list_node_t* )lms_private_key->priv[(unsigned int)q].data,\ lms_private_key->I, uint32ToString(q,temp_string)); lms_private_key->priv[(unsigned int)q].next = NULL; lms_private_key->pub[(unsigned int)q].next = NULL; D(printf(" Generating %u th OTS key PUBLIC KEY %s \n",q,stringToHex(lms_private_key->pub[(unsigned int)q].data,N));) //exit(1); } lms_private_key->nodes = (list_node_t *) malloc( 2* NUM_LEAF_NODES *sizeof(list_node_t)); for(q = 0; q < 2* NUM_LEAF_NODES; q++) { lms_private_key->nodes[(unsigned int)q].data = (char *)malloc(N * sizeof(char)); lms_private_key->nodes[(unsigned int)q].next = NULL; } lms_private_key->leaf_num = 0; lms_private_key->lms_public_key = T(lms_private_key,1); return lms_private_key; }
static gnutls_x509_privkey gen_crypto(requiem_client_profile_t *cp, const char *filename, requiem_uid_t uid, requiem_gid_t gid) { int ret; char buf[65535]; gnutls_x509_privkey key; size_t size = sizeof(buf); key = generate_private_key(); if ( ! key ) { fprintf(stderr, "error while generating RSA private key.\n"); return NULL; } ret = gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buf, &size); if ( ret < 0 ) { fprintf(stderr, "error exporting private key: %s\n", gnutls_strerror(ret)); gnutls_x509_privkey_deinit(key); return NULL; } ret = save_buf(filename, uid, gid, (unsigned char *) buf, size); if ( ret < 0 ) { fprintf(stderr, "error saving private key.\n"); return NULL; } return key; }
/* * This test will initialize EST w/o a trust anchor, * enable SRP, and perform a simpleenroll. * This should succeed since SRP doesn't require a * trust anchor. */ static void us1060_test104 () { EST_CTX *ectx; EVP_PKEY *new_key; int rv; int pkcs7_len = 0; LOG_FUNC_NM; /* * We need to restart the EST server using an RSA key * None of the SRP cipher suites support ECDSA */ st_stop(); sleep(2); us1060_start_server(US1060_SERVER_CERTKEY, US1060_SERVER_CERTKEY, 0, 0, 1); /* * Create a client context */ ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT); /* * Enable SRP on the client */ rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD); /* * generate a new private key */ new_key = generate_private_key(); CU_ASSERT(new_key != NULL); /* * Attempt to provision a new cert */ rv = est_client_enroll(ectx, "US1060_TEST104", &pkcs7_len, new_key); CU_ASSERT(rv == EST_ERR_NONE); /* * Cleanup */ EVP_PKEY_free(new_key); est_destroy(ectx); }
/* * Test the re-enroll API to ensure it gracefully * handles a null X509 cert pointer. */ static void us898_test3 (void) { EST_CTX *ectx; EVP_PKEY *key; int pkcs7_len = 0; int rv; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * Generate a private key */ key = generate_private_key(); CU_ASSERT(key != NULL); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * re-enroll using a null x509 pointer. */ rv = est_client_reenroll(ectx, NULL, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_NO_CERT); /* * Clean up */ EVP_PKEY_free(key); est_destroy(ectx); }
KeyTable AddressDb::keyTable() { std::lock_guard<std::mutex> lock(mutex_); auto m00 = mainBranch(wallet_); KeyTable out; for (const auto &i: addresses_) { out[i.first] = bc::secret_to_wif( m00.generate_private_key(i.second.index).private_key()); } return out; }
/* * This function performs a basic simple enroll using * a UID/PWD to identify the client to the server. This * is used for a variet of test cases in this module. */ static void us898_test1 (void) { EST_CTX *ectx; EVP_PKEY *key; int rv; int pkcs7_len = 0; unsigned char *new_cert = NULL; PKCS7 *p7 = NULL; BIO *b64, *out; X509 *cert = NULL; STACK_OF(X509) *certs = NULL; int i; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * generate a private key */ key = generate_private_key(); CU_ASSERT(key != NULL); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Use the simplified API to enroll a CSR */ rv = est_client_enroll(ectx, "TC-US898-1", &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_NONE); if (rv != EST_ERR_NONE) return; /* * Retrieve the cert that was given to us by the EST server */ if (rv == EST_ERR_NONE) { new_cert = malloc(pkcs7_len); CU_ASSERT(new_cert != NULL); rv = est_client_copy_enrolled_cert(ectx, new_cert); CU_ASSERT(rv == EST_ERR_NONE); } /* * Convert the cert to an X509. Be warned this is * pure hackery. */ b64 = BIO_new(BIO_f_base64()); out = BIO_new_mem_buf(new_cert, pkcs7_len); out = BIO_push(b64, out); p7 = d2i_PKCS7_bio(out,NULL); CU_ASSERT(p7 != NULL); BIO_free_all(out); i=OBJ_obj2nid(p7->type); switch (i) { case NID_pkcs7_signed: certs = p7->d.sign->cert; break; case NID_pkcs7_signedAndEnveloped: certs = p7->d.signed_and_enveloped->cert; break; default: break; } CU_ASSERT(certs != NULL); if (!certs) return; /* our new cert should be the one and only * cert in the pkcs7 blob. We shouldn't have to * iterate through the full list to find it. */ cert = sk_X509_value(certs, 0); CU_ASSERT(cert != NULL); /* * Wow, that's a lot of work, but we finally have the X509. * (don't you just love OpenSSL!!!) * Now that we have an X509 representation of the cert, * let's try to re-enroll this cert with the CA */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_NONE); /* * Cleanup */ if (cert) X509_free(cert); EVP_PKEY_free(key); if (new_cert) free(new_cert); est_destroy(ectx); }
int main (int argc, char **argv) { signed char c; int set_fips_return = 0; char file_name[MAX_FILENAME_LEN]; BIO *keyin; BIO *certin; static struct option long_options[] = { { "trustanchor", 1, 0, 0 }, { "srp", 0, 0, 0 }, { "srp-user", 1, 0, 0 }, { "srp-password", 1, 0, 0 }, { "auth-token", 1, 0, 0 }, { "common-name", 1, 0, 0 }, { "pem-output", 0, 0, 0 }, { NULL, 0, NULL, 0 } }; int option_index = 0; int trustanchor = 1; /* default to require a trust anchor */ char *trustanchor_file = NULL; est_http_uid[0] = 0x0; est_http_pwd[0] = 0x0; /* * Set the default common name to put into the Subject field */ strncpy(subj_cn, "127.0.0.1", MAX_CN); memset(csr_file, 0, 1); memset(priv_key_file, 0, 1); memset(client_key_file, 0, 1); memset(client_cert_file, 0, 1); memset(out_dir, 0, 1); while ((c = getopt_long(argc, argv, "?zfvagerx:y:k:s:p:o:c:w:u:h:", long_options, &option_index)) != -1) { switch (c) { case 0: #if 0 printf("option %s", long_options[option_index].name); if (optarg) { printf(" with arg %s", optarg); } printf("\n"); #endif if (!strncmp(long_options[option_index].name, "trustanchor", strlen("trustanchor"))) { if (!strncmp(optarg, "no", strlen("no"))) { trustanchor = 0; } else { trustanchor_file = optarg; } } if (!strncmp(long_options[option_index].name, "srp", strlen("srp"))) { srp = 1; } if (!strncmp(long_options[option_index].name, "srp-user", strlen("srp-user"))) { strncpy(est_srp_uid, optarg, MAX_UID_LEN); } if (!strncmp(long_options[option_index].name, "srp-password", strlen("srp-password"))) { strncpy(est_srp_pwd, optarg, MAX_PWD_LEN); } if (!strncmp(long_options[option_index].name,"auth-token", strlen("auth-token"))) { strncpy(est_auth_token, optarg, MAX_AUTH_TOKEN_LEN); token_auth_mode = 1; } if (!strncmp(long_options[option_index].name, "common-name", strlen("common-name"))) { strncpy(subj_cn, optarg, MAX_CN); } if (!strncmp(long_options[option_index].name, "pem-output", strlen("pem-output"))) { pem_out = 1; } break; case 'v': verbose = 1; break; case 'z': force_pop = 1; break; case 'a': getcsr = 1; break; case 'g': getcert = 1; break; case 'e': enroll = 1; break; case 'r': reenroll = 1; break; case 'u': strncpy(est_http_uid, optarg, MAX_UID_LEN); break; case 'h': strncpy(est_http_pwd, optarg, MAX_PWD_LEN); break; case 's': strncpy(est_server, optarg, MAX_SERVER_LEN); break; case 'x': strncpy(priv_key_file, optarg, MAX_FILENAME_LEN); break; case 'y': strncpy(csr_file, optarg, MAX_FILENAME_LEN); break; case 'k': strncpy(client_key_file, optarg, MAX_FILENAME_LEN); break; case 'c': strncpy(client_cert_file, optarg, MAX_FILENAME_LEN); break; case 'o': strncpy(out_dir, optarg, MAX_FILENAME_LEN); break; case 'p': est_port = atoi(optarg); break; case 'f': /* Turn FIPS on if requested and exit if failure */ set_fips_return = FIPS_mode_set(1); if (!set_fips_return) { printf("\nERROR setting FIPS MODE ON ...\n"); ERR_load_crypto_strings(); ERR_print_errors(BIO_new_fp(stderr, BIO_NOCLOSE)); exit(1); } else { printf("\nRunning EST Sample Client with FIPS MODE = ON\n"); }; break; case 'w': read_timeout = atoi(optarg); if (read_timeout > EST_SSL_READ_TIMEOUT_MAX) { printf("\nMaxium number of seconds to wait is %d, ", EST_SSL_READ_TIMEOUT_MAX); printf("please use a lower value with the -w option\n"); exit(1); } break; default: show_usage_and_exit(); break; } } if (optind < argc) { printf("non-option ARGV-elements: "); while (optind < argc) { printf("%s ", argv[optind++]); } printf("\n"); } argc -= optind; argv += optind; if (est_http_uid[0] && !est_http_pwd[0]) { printf("Error: The password for HTTP authentication must be specified when the HTTP user name is set.\n"); exit(1); } if (csr_file[0] && getcsr) { printf("\nError: The -a option (CSR attributes) does not make sense with a pre-defined CSR\n"); exit(1); } if (csr_file[0] && priv_key_file[0]) { printf("\nError: The -x option (private key for CSR) does not make sense with a pre-defined CSR\n"); exit(1); } if (csr_file[0] && force_pop) { printf("\nError: The -z option (PoP) does not make sense with a pre-defined CSR\n"); exit(1); } if (reenroll & csr_file[0]) { printf("\nError: The -y option (predefined CSRs) does not make sense for re-enrollment\n"); exit(1); } if (verbose) { print_version(); printf("\nUsing EST server %s:%d", est_server, est_port); if (csr_file [0]) { printf("\nUsing CSR file %s", csr_file); } if (priv_key_file [0]) { printf("\nUsing identity private key file %s", priv_key_file); } if (client_cert_file[0]) { printf("\nUsing identity client cert file %s", client_cert_file); } if (client_key_file [0]) { printf("\nUsing identity private key file %s", client_key_file); } } if (enroll && reenroll) { printf("\nThe enroll and reenroll operations can not be used together\n"); exit(1); } if (!out_dir[0]) { printf("\nOutput directory must be specified with -o option\n"); exit(1); } if (trustanchor) { if (!trustanchor_file) { /* * Get the trust anchor filename from the environment var */ if (!getenv("EST_OPENSSL_CACERT")) { printf("\nCACERT file not set, set EST_OPENSSL_CACERT to resolve"); exit(1); } trustanchor_file = getenv("EST_OPENSSL_CACERT"); } /* * Read in the CA certificates */ cacerts_len = read_binary_file(trustanchor_file, &cacerts); if (cacerts_len <= 0) { printf("\nCACERT file could not be read\n"); exit(1); } } /* * Read in the current client certificate */ if (client_cert_file[0]) { certin = BIO_new(BIO_s_file_internal()); if (BIO_read_filename(certin, client_cert_file) <= 0) { printf("\nUnable to read client certificate file %s\n", client_cert_file); exit(1); } /* * This reads the file, which is expected to be PEM encoded. If you're using * DER encoded certs, you would invoke d2i_X509_bio() instead. */ client_cert = PEM_read_bio_X509(certin, NULL, NULL, NULL); if (client_cert == NULL) { printf("\nError while reading PEM encoded client certificate file %s\n", client_cert_file); exit(1); } BIO_free(certin); } /* * Read in the client's private key */ if (client_key_file[0]) { keyin = BIO_new(BIO_s_file_internal()); if (BIO_read_filename(keyin, client_key_file) <= 0) { printf("\nUnable to read client private key file %s\n", client_key_file); exit(1); } /* * This reads in the private key file, which is expected to be a PEM * encoded private key. If using DER encoding, you would invoke * d2i_PrivateKey_bio() instead. */ client_priv_key = PEM_read_bio_PrivateKey(keyin, NULL, NULL, NULL); if (client_priv_key == NULL) { printf("\nError while reading PEM encoded private key file %s\n", client_key_file); ERR_print_errors_fp(stderr); exit(1); } BIO_free(keyin); } est_apps_startup(); #if DEBUG_OSSL_LEAKS CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); #endif if (verbose) { est_init_logger(EST_LOG_LVL_INFO, &test_logger_stdout); est_enable_backtrace(1); } else { est_init_logger(EST_LOG_LVL_ERR, &test_logger_stdout); } if (!priv_key_file[0] && enroll && !csr_file[0]) { printf("\nA private key is required for enrolling. Creating a new RSA key pair since you didn't provide a key using the -x option."); /* * Create a private key that will be used for the * enroll operation. */ new_pkey = generate_private_key(&new_pkey_len); snprintf(file_name, MAX_FILENAME_LEN, "%s/newkey.pem", out_dir); write_binary_file(file_name, new_pkey, new_pkey_len); free(new_pkey); /* * prepare to read it back in to an EVP_PKEY struct */ strncpy(priv_key_file, file_name, MAX_FILENAME_LEN); } if (enroll && !csr_file[0]) { /* Read in the private key file */ priv_key = read_private_key(priv_key_file); } do_operation(); if (priv_key) { EVP_PKEY_free(priv_key); } if (client_priv_key) { EVP_PKEY_free(client_priv_key); } if (client_cert) { X509_free(client_cert); } free(cacerts); if (c_cert_len) { free(c_cert); } if (c_key_len) { free(c_key); } est_apps_shutdown(); #if DEBUG_OSSL_LEAKS BIO *bio_err; bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); CRYPTO_mem_leaks(bio_err); BIO_free(bio_err); #endif printf("\n"); return 0; }
static void us748_test9 (void) { EST_CTX *ctx; int rv; unsigned char *cacerts; int caclen = 0; EVP_PKEY *new_pkey; unsigned char *pkcs7; int pkcs7_len = 0; unsigned char *attr_data; int attr_len; LOG_FUNC_NM; /* * Make sure our EST server has PoP disabled */ st_disable_pop(); /* * Read in the CA certs */ caclen = read_binary_file(US748_CACERTS, &cacerts); CU_ASSERT(cacerts_len > 0); /* * Init the client context */ ctx = est_client_init(cacerts, caclen, EST_CERT_FORMAT_PEM, client_manual_cert_verify); /* * We'll use simple HTTP auth to identify ourselves */ rv = est_client_set_auth(ctx, "estuser", "estpwd", NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); est_client_set_server(ctx, "127.0.0.1", US748_TCP_PROXY_PORT); /* * Create some space to hold the cert and generate * a private key */ new_pkey = generate_private_key(); rv = est_client_get_csrattrs(ctx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Attempt to enroll */ ctx->csr_pop_required = 1; //This is a hack for testing only, do not attempt this //We need to force the challengePassword into the CSR rv = est_client_enroll(ctx, "TestCase9", &pkcs7_len, new_pkey); CU_ASSERT(rv == EST_ERR_NONE); pkcs7 = malloc(pkcs7_len); rv = est_client_copy_enrolled_cert(ctx, pkcs7); free(pkcs7); est_destroy(ctx); }
/* * Simple enroll - PoP check succeeds with estclient * * This test case verifies the proxy is * verifying the PoP from the client CSR. We use * estclient since it supports the PoP. */ static void us748_test7 (void) { long rv; EST_CTX *c_ctx; EVP_PKEY *new_pkey; unsigned char *pkcs7; int pkcs7_len; unsigned char *attr_data; int attr_len; LOG_FUNC_NM; /* * This test case requires PoP to be enabled */ st_enable_pop(); /* * Create a client context */ c_ctx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(c_ctx != NULL); if (!c_ctx) { return; } /* * Specify user ID and password since the server is running * in Basic Authentication mode. */ rv = est_client_set_auth(c_ctx, "estuser", "estpwd", NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); est_client_set_server(c_ctx, "127.0.0.1", US748_TCP_PROXY_PORT); /* * get a keypair to be used in the enroll. */ new_pkey = generate_private_key(); rv = est_client_get_csrattrs(c_ctx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Attempt to enroll a CSR */ rv = est_client_enroll(c_ctx, "US748-test7 CN", &pkcs7_len, new_pkey); CU_ASSERT(rv == EST_ERR_NONE); /* * Client library has obtained the new client certificate. * Now retrieve it from the library. */ pkcs7 = malloc(pkcs7_len); if (!pkcs7) { return; } rv = est_client_copy_enrolled_cert (c_ctx, pkcs7); CU_ASSERT(rv == EST_ERR_NONE); /* * Clean up */ est_destroy(c_ctx); EVP_PKEY_free(new_pkey); free(pkcs7); /* * Disable PoP for future test cases */ st_disable_pop(); }
/* * This test does a simple enroll with SRP using a * non-default value for the SRP strength. */ static void us1060_test106 () { EST_CTX *ectx; EVP_PKEY *new_key; int rv; int pkcs7_len = 0; LOG_FUNC_NM; /* * We need to restart the EST server using an RSA key * None of the SRP cipher suites support ECDSA */ st_stop(); sleep(2); rv = us1060_start_server(US1060_SERVER_CERTKEY, US1060_SERVER_CERTKEY, 0, 0, 1); /* * Create a client context */ ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT); /* * Enable SRP on the client * Use a strength below the minimum */ rv = est_client_enable_srp(ectx, 1023, US1060_UID, US1060_PWD); CU_ASSERT(rv == EST_ERR_SRP_STRENGTH_LOW); /* * Enable SRP on the client * Use a strength slightly larger then the N value in passwd.srpv */ rv = est_client_enable_srp(ectx, 1537, US1060_UID, US1060_PWD); CU_ASSERT(rv == EST_ERR_NONE); /* * generate a new private key */ new_key = generate_private_key(); CU_ASSERT(new_key != NULL); /* * Attempt to provision a new cert */ rv = est_client_enroll(ectx, "US1060_TEST106a", &pkcs7_len, new_key); CU_ASSERT(rv == EST_ERR_SSL_CONNECT); /* * Enable SRP on the client * Use a strength the same size as the N value in passwd.srpv */ rv = est_client_enable_srp(ectx, 1536, US1060_UID, US1060_PWD); CU_ASSERT(rv == EST_ERR_NONE); /* * Attempt to provision a new cert */ rv = est_client_enroll(ectx, "US1060_TEST106b", &pkcs7_len, new_key); CU_ASSERT(rv == EST_ERR_NONE); /* * Cleanup */ EVP_PKEY_free(new_key); est_destroy(ectx); }
/* * This test will enable a just the SRP-RSA-AES-128-CBC-SHA * cipher suite, which forces the server to send a certificate * to the client while SRP is used. Similar to #104, we'll * omit configuring the trust anchor on the client context. * This should cause the TLS session to fail since the * server cert can not be verified without a trust anchor. */ static void us1060_test105 () { EST_CTX *ectx; EVP_PKEY *new_key; int rv; int pkcs7_len = 0; struct est_dumb_ctx *ed; LOG_FUNC_NM; /* * We need to restart the EST server using an RSA key * None of the SRP cipher suites support ECDSA */ st_stop(); sleep(2); us1060_start_server(US1060_RSA_CERT, US1060_RSA_KEY, 0, 0, 1); /* * Create a client context */ ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT); /* * Enable SRP on the client */ rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD); /* * This is not an approved use of the EST API. We do this * here only to increase code coverage for testing * purposes only. If you are looking at this code as * an example of how to use the EST API, do not do this! */ ed = (struct est_dumb_ctx*)ectx; rv = SSL_CTX_set_cipher_list(ed->ssl_ctx, "SRP-RSA-AES-128-CBC-SHA"); CU_ASSERT(rv == 1); /* * generate a new private key */ new_key = generate_private_key(); CU_ASSERT(new_key != NULL); /* * Attempt to provision a new cert */ rv = est_client_enroll(ectx, "US1060_TEST105", &pkcs7_len, new_key); CU_ASSERT(rv == EST_ERR_SSL_CONNECT); /* * Cleanup */ EVP_PKEY_free(new_key); est_destroy(ectx); }
static void us1060_easy_provision (int use_srp, int use_ta, char *cipher_suite, int port, int expected_rv) { EST_CTX *ectx; EVP_PKEY *new_key; int rv; int pkcs7_len = 0; int ca_certs_len = 0; unsigned char *new_cert = NULL; struct est_dumb_ctx *ed; /* * Create a client context */ if (use_ta) { ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, NULL); } else { ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL); } CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US1060_SERVER_IP, port); if (use_srp) { rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD); } if (cipher_suite) { /* * This is not an approved use of the EST API. We do this * here only to increase code coverage for testing * purposes only. If you are looking at this code as * an example of how to use the EST API, do not do this! */ ed = (struct est_dumb_ctx*)ectx; rv = SSL_CTX_set_cipher_list(ed->ssl_ctx, cipher_suite); CU_ASSERT(rv == 1); } /* * generate a new private key */ new_key = generate_private_key(); CU_ASSERT(new_key != NULL); /* * Attempt to provision a new cert */ rv = est_client_provision_cert(ectx, "US1060_TEST1xx", &pkcs7_len, &ca_certs_len, new_key); CU_ASSERT(rv == expected_rv); if (rv != expected_rv) { printf("\nExpected rv was %d, rv returned was %d", expected_rv, rv); } EVP_PKEY_free(new_key); /* * Retrieve the cert that was given to us by the EST server */ if (rv == EST_ERR_NONE) { new_cert = malloc(pkcs7_len); CU_ASSERT(new_cert != NULL); rv = est_client_copy_enrolled_cert(ectx, new_cert); CU_ASSERT(rv == EST_ERR_NONE); if (new_cert) free(new_cert); } else { est_destroy(ectx); return; } /* * Retrieve a copy of the new CA certs */ if (rv == EST_ERR_NONE) { new_cert = malloc(ca_certs_len); CU_ASSERT(new_cert != NULL); rv = est_client_copy_cacerts(ectx, new_cert); CU_ASSERT(rv == EST_ERR_NONE); if (new_cert) free(new_cert); } else { est_destroy(ectx); return; } /* * Cleanup */ est_destroy(ectx); }
BCW_API hd_public_key hd_private_key::generate_public_key(uint32_t i) const { return generate_private_key(i); }
static void create_peerkey () { peer_privkey = generate_private_key (bits); peer_pubkey = private_key_to_pub (peer_privkey); }