/*
* Test the optional setting of the CA Certs response chain in est_proxy_init()
* test passthrough (cache disabled) mode of the CA Certs response chain.
*/
static void us894_test26 (void)
{
long rv;
char cmd[200];
LOG_FUNC_NM;
st_proxy_stop();
sleep(1);
/*
* restart the proxy without passing the ca certs response change parameter
* param 5
*/
rv = st_proxy_start(US894_TCP_PROXY_PORT,
US894_PROXY_CERT,
US894_PROXY_KEY,
"estrealm",
NULL,
"CA/trustedcerts.crt",
"estuser",
"estpwd",
"127.0.0.1",
US894_TCP_SERVER_PORT,
0, // disable PoP
0); // ecdhe nid info
sleep(1);
outfile = fopen(test26_outfile, "w");
rv = curl_http_get(US894_CACERT_URL, US894_CACERTS, &write_func);
fclose(outfile);
/*
* we expect the server to respond with a 200
*/
CU_ASSERT(rv == 200);
sprintf(cmd, "openssl base64 -d -in %s | openssl pkcs7 -inform DER -text -print_certs", test26_outfile);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* restart the proxy and include the CA Cert response chain
*/
st_proxy_stop();
sleep(1);
rv = st_proxy_start(US894_TCP_PROXY_PORT,
US894_PROXY_CERT,
US894_PROXY_KEY,
"estrealm",
US894_CACERT,
"CA/trustedcerts.crt",
"estuser",
"estpwd",
"127.0.0.1",
US894_TCP_SERVER_PORT,
0, // disable PoP
0); // ecdhe nid info
sleep(1);
}
/*
* This test attempts to use a revoked client certificate to
* verify CRL checks are working in the TLS layer.
* This should fail.
*/
static void us894_test12 (void)
{
long rv;
LOG_FUNC_NM;
st_proxy_stop();
rv = st_proxy_start(US894_TCP_PROXY_PORT,
US894_PROXY_CERT,
US894_PROXY_KEY,
"estrealm",
US894_CACERT,
"US894/trustedcertsandcrl.crt",
"estuser",
"estpwd",
"127.0.0.1",
US894_TCP_SERVER_PORT,
0, // disable PoP
0); // ecdhe nid info
sleep(1);
rv = curl_http_post_cert(US894_ENROLL_URL,
US894_PKCS10_CT,
US894_PKCS10_REQ,
US894_REVOKED_CERT,
US894_REVOKED_KEY,
US894_CACERTS,
NULL);
/*
* Since the client cert has been revoked the TLS handshake
* will fail. The EST server should return a 401 response.
*/
CU_ASSERT(rv == 0);
st_proxy_stop();
rv = st_proxy_start(US894_TCP_PROXY_PORT,
US894_PROXY_CERT,
US894_PROXY_KEY,
"estrealm",
US894_CACERT,
"CA/trustedcerts.crt",
"estuser",
"estpwd",
"127.0.0.1",
US894_TCP_SERVER_PORT,
0, // disable PoP
0); // ecdhe nid info
}
/*
* This routine is called when CUnit uninitializes this test
* suite. This can be used to deallocate data or close any
* resources that were used for the test cases.
*/
static int us895_destroy_suite (void)
{
st_stop();
st_proxy_stop();
SLEEP(2);
return 0;
}
/*
* This routine is called when CUnit uninitializes this test
* suite. This can be used to deallocate data or close any
* resources that were used for the test cases.
*/
static int us893_destory_suite (void)
{
st_stop();
st_proxy_stop();
free(cacerts);
return 0;
}
/*
* This routine is called when CUnit uninitializes this test
* suite. This can be used to deallocate data or close any
* resources that were used for the test cases.
*/
static int us1060_destroy_suite (void)
{
if (srpdb) {
SRP_VBASE_free(srpdb);
}
st_stop();
st_proxy_stop();
free(cacerts);
return 0;
}
void us748_stop_server()
{
st_stop();
st_proxy_stop();
sleep(2);
}
// untrusted (self-signed) identity cert
static void us893_test11 (void)
{
int rv;
long http_code = 0;
CURL *hnd;
struct curl_slist *slist1;
LOG_FUNC_NM;
/*
* Stop the proxy server so we can restart
* it using a different identity cert.
*/
st_proxy_stop();
/*
* Restart the proxy server using an untrusted cert
*/
rv = st_proxy_start(US893_TCP_PROXY_PORT,
US893_UNTRUSTED_CERT,
US893_UNTRUSTED_KEY,
"US893 test realm",
"CA/estCA/cacert.crt",
"CA/trustedcerts.crt",
"estuser",
"estpwd",
"127.0.0.1",
US893_TCP_SERVER_PORT,
0,
0);
CU_ASSERT(rv == 0);
/*
* We don't use the normal curl util API here because
* we need to disable TLS peer verification for this
* special test case.
*/
/*
* Set the Content-Type header in the HTTP request
*/
slist1 = NULL;
slist1 = curl_slist_append(slist1, US893_PKCS10_CT);
/*
* Setup all the other fields that CURL requires
*/
hnd = curl_easy_init();
curl_easy_setopt(hnd, CURLOPT_URL, US893_REENROLL_URL_BA);
curl_easy_setopt(hnd, CURLOPT_NOPROGRESS, 1L);
curl_easy_setopt(hnd, CURLOPT_USERPWD, US893_UIDPWD_GOOD);
curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, US893_PKCS10_RSA2048);
curl_easy_setopt(hnd, CURLOPT_POSTFIELDSIZE_LARGE, (curl_off_t)strlen(US893_PKCS10_RSA2048));
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "curl/7.27.0");
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, slist1);
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
curl_easy_setopt(hnd, CURLOPT_SSL_VERIFYPEER, 0L);
curl_easy_setopt(hnd, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_easy_setopt(hnd, CURLOPT_CAINFO, US893_CACERTS);
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
curl_easy_setopt(hnd, CURLOPT_FORBID_REUSE, 1L);
/*
* Issue the HTTP request
*/
curl_easy_perform(hnd);
/*
* Get the HTTP reponse status code from the server
*/
curl_easy_getinfo (hnd, CURLINFO_RESPONSE_CODE, &http_code);
curl_easy_cleanup(hnd);
hnd = NULL;
curl_slist_free_all(slist1);
slist1 = NULL;
CU_ASSERT(http_code == 400);
/*
* Stop the proxy server
*/
st_proxy_stop();
/*
* Restart the proxy server using the other cert
*/
rv = st_proxy_start(US893_TCP_PROXY_PORT,
US893_PROXY_CERT,
US893_PROXY_KEY,
"US893 test realm",
"CA/estCA/cacert.crt",
"CA/trustedcerts.crt",
"estuser",
"estpwd",
"127.0.0.1",
US893_TCP_SERVER_PORT,
0,
0);
CU_ASSERT(rv == 0);
}
/*
* This test case uses a bad password configured on
* the EST proxy context. This should cause the EST server to
* reject an enrollment request, but not the reenroll request.
*/
static void us893_test10 (void)
{
int rv;
LOG_FUNC_NM;
/*
* Stop the proxy server so we can restart
* it using a different identity cert.
*/
st_proxy_stop();
/*
* Restart the proxy server using the other cert and a bogus password
*/
rv = st_proxy_start(US893_TCP_PROXY_PORT,
US893_PROXY_CERT,
US893_PROXY_KEY,
"US893 test realm",
"CA/estCA/cacert.crt",
"CA/trustedcerts.crt",
"estuser",
"bogus",
"127.0.0.1",
US893_TCP_SERVER_PORT,
0,
0);
CU_ASSERT(rv == 0);
rv = curl_http_post("https://127.0.0.1:29093/.well-known/est/simpleenroll", US893_PKCS10_CT,
US893_PKCS10_RSA2048,
US893_UIDPWD_GOOD, US893_CACERTS, CURLAUTH_BASIC,
NULL, NULL, NULL);
CU_ASSERT(rv == 401);
rv = curl_http_post(US893_REENROLL_URL_BA, US893_PKCS10_CT,
US893_PKCS10_RSA2048,
US893_UIDPWD_GOOD, US893_CACERTS, CURLAUTH_BASIC,
NULL, NULL, NULL);
CU_ASSERT(rv == 200);
/*
* Stop the proxy server
*/
st_proxy_stop();
/*
* Restart the proxy server using the other cert and the correct password
*/
rv = st_proxy_start(US893_TCP_PROXY_PORT,
US893_PROXY_CERT,
US893_PROXY_KEY,
"US893 test realm",
"CA/estCA/cacert.crt",
"CA/trustedcerts.crt",
"estuser",
"estpwd",
"127.0.0.1",
US893_TCP_SERVER_PORT,
0,
0);
CU_ASSERT(rv == 0);
}
static void us893_test7 (void)
{
int rv;
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int pkcs7_len = 0;
X509 *cert = NULL;
BIO *in;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Make sure PoP is disabled on the server
*/
st_disable_pop();
/*
* Stop the proxy server so we can restart
* it using a different identity cert.
*/
st_proxy_stop();
/*
* Restart the proxy server using the other cert
*/
rv = st_proxy_start(US893_TCP_PROXY_PORT,
US893_SERVER_CERTKEY,
US893_SERVER_CERTKEY,
"US893 test realm",
"CA/estCA/cacert.crt",
"CA/trustedcerts.crt",
"estuser",
"estpwd",
"127.0.0.1",
US893_TCP_SERVER_PORT,
0,
0);
CU_ASSERT(rv == 0);
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
NULL);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT);
/*
* Read in the private key
*/
key_len = read_binary_file("US893/key-expired.pem", &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
ectx->csr_pop_required = 1; //This is a hack for testing only, do not attempt this
//We need to force the challengePassword into the CSR
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_HTTP_BAD_REQ);
/*
* Stop the proxy server
*/
st_proxy_stop();
/*
* Restart the proxy server using the other cert
*/
rv = st_proxy_start(US893_TCP_PROXY_PORT,
US893_PROXY_CERT,
US893_PROXY_KEY,
"US893 test realm",
"CA/estCA/cacert.crt",
"CA/trustedcerts.crt",
"estuser",
"estpwd",
"127.0.0.1",
US893_TCP_SERVER_PORT,
0,
0);
CU_ASSERT(rv == 0);
/*
* Re-enable PoP on the server for the forthcoming test cases.
*/
st_enable_pop();
est_destroy(ectx);
}
/*
* This test attempts to re-enroll without PoP
* while the EST server is configured with PoP
* disabled, but the proxy server is using a cert
* that doesn't contain id-kp-cmcRA. This should
* result in a failure because the subjects
* of the proxy cert and the client do not agree.
*/
static void us893_test6 (void)
{
int rv;
LOG_FUNC_NM;
/*
* Make sure PoP is disabled on the server
*/
st_disable_pop();
/*
* Stop the proxy server so we can restart
* it using a different identity cert.
*/
st_proxy_stop();
/*
* Restart the proxy server using the other cert
*/
rv = st_proxy_start(US893_TCP_PROXY_PORT,
US893_SERVER_CERTKEY,
US893_SERVER_CERTKEY,
"US893 test realm",
"CA/estCA/cacert.crt",
"CA/trustedcerts.crt",
"estuser",
"estpwd",
"127.0.0.1",
US893_TCP_SERVER_PORT,
0,
0);
CU_ASSERT(rv == 0);
/*
* Use libcurl to send an enroll request. We use libcurl
* because it will not include the PoP.
*/
rv = curl_http_post(US893_REENROLL_URL_BA, US893_PKCS10_CT,
US893_PKCS10_RSA2048,
US893_UIDPWD_GOOD, US893_CACERTS, CURLAUTH_BASIC,
NULL, NULL, NULL);
/*
* The reenroll should not work since id-kp-cmcRA is not set and the subjects do not agree.
*/
CU_ASSERT(rv == 400);
/*
* Stop the proxy server
*/
st_proxy_stop();
/*
* Restart the proxy server using the other cert
*/
rv = st_proxy_start(US893_TCP_PROXY_PORT,
US893_PROXY_CERT,
US893_PROXY_KEY,
"US893 test realm",
"CA/estCA/cacert.crt",
"CA/trustedcerts.crt",
"estuser",
"estpwd",
"127.0.0.1",
US893_TCP_SERVER_PORT,
0,
0);
CU_ASSERT(rv == 0);
/*
* Re-enable PoP on the server for the forthcoming test cases.
*/
st_enable_pop();
}
/*
* This test attempts to re-enroll an expired cert
* while the EST server is configured for manual
* approval. The server will send back a retry-after
* response. This verifies the proxy propagates the
* retry-after response to the client.
*/
static void us893_test4 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int rv;
int pkcs7_len = 0;
X509 *cert = NULL;
BIO *in;
int retry_val = 0;
time_t time_val;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Stop the server.
*/
st_stop();
st_proxy_stop();
/*
* Restart the server with manual approval enabled
*/
rv = us893_start_server(1, 0);
CU_ASSERT(rv == 0);
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
NULL);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT);
/*
* Read in the private key
*/
key_len = read_binary_file("US893/key-expired.pem", &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Enroll an expired cert that contains x509 extensions.
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_CA_ENROLL_RETRY);
/*
* The server should be configured with a retry-after
* value of 3600 seconds, which is the default.
*/
rv = est_client_copy_retry_after(ectx, &retry_val, &time_val);
CU_ASSERT(rv == EST_ERR_NONE);
CU_ASSERT(retry_val == 3600);
/*
* Clean up
*/
est_destroy(ectx);
/*
* Stop the server.
*/
st_stop();
st_proxy_stop();
/*
* Restart the server with manual approval disabled
*/
rv = us893_start_server(0, 0);
CU_ASSERT(rv == 0);
}