/*
* This test will initialize EST w/o a trust anchor,
* enable SRP, and perform a simpleenroll.
* This should succeed since SRP doesn't require a
* trust anchor.
*/
static void us1060_test104 ()
{
EST_CTX *ectx;
EVP_PKEY *new_key;
int rv;
int pkcs7_len = 0;
LOG_FUNC_NM;
/*
* We need to restart the EST server using an RSA key
* None of the SRP cipher suites support ECDSA
*/
st_stop();
sleep(2);
us1060_start_server(US1060_SERVER_CERTKEY, US1060_SERVER_CERTKEY, 0, 0, 1);
/*
* Create a client context
*/
ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT);
/*
* Enable SRP on the client
*/
rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD);
/*
* generate a new private key
*/
new_key = generate_private_key();
CU_ASSERT(new_key != NULL);
/*
* Attempt to provision a new cert
*/
rv = est_client_enroll(ectx, "US1060_TEST104", &pkcs7_len, new_key);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Cleanup
*/
EVP_PKEY_free(new_key);
est_destroy(ectx);
}
/*
* This routine intializes an EST context, which can later
* be used to issue commands to an EST server.
*/
static EST_CTX * setup_est_context (void)
{
EST_CTX *ectx;
EST_ERROR rv;
/*
* Initialize an EST context. We must provide the trust
* anchor certs at this time.
*/
ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, NULL);
if (!ectx) {
printf("\nUnable to initialize EST context. Aborting!!!\n");
exit(1);
}
/*
* Set the local authentication credentials. We're not using
* a certificate to identify ourselves to the server. We're
* simply hard-coding the userID and password, which will be
* used for HTTP authentication.
*/
rv = est_client_set_auth(ectx, est_http_uid, est_http_pwd, NULL, NULL);
if (rv != EST_ERR_NONE) {
printf("\nUnable to configure client authentication. Aborting!!!\n");
printf("EST error code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv));
exit(1);
}
if (srp) {
rv = est_client_enable_srp(ectx, SRP_MINIMAL_N, est_srp_uid, est_srp_pwd);
if (rv != EST_ERR_NONE) {
printf("\nUnable to enable SRP. Aborting!!!\n");
exit(1);
}
}
if (token_auth_mode) {
rv = est_client_set_auth_cred_cb(ectx, auth_credentials_token_cb);
if (rv != EST_ERR_NONE) {
printf("\nUnable to register token auth callback. Aborting!!!\n");
exit(1);
}
}
/*
* Specify the EST server address and TCP port#
*/
rv = est_client_set_server(ectx, est_server, est_port, NULL);
if (rv != EST_ERR_NONE) {
printf("\nUnable to configure server address. Aborting!!!\n");
printf("EST error code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv));
exit(1);
}
return (ectx);
}
static void do_operation ()
{
EST_CTX *ectx;
unsigned char *pkcs7;
int pkcs7_len = 0;
int rv;
char file_name[MAX_FILENAME_LEN];
unsigned char *new_client_cert;
int retry_delay = 0;
time_t retry_time = 0;
char *operation;
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
if (!ectx) {
printf("\nUnable to initialize EST context. Aborting!!!\n");
exit(1);
}
rv = est_client_set_read_timeout(ectx, read_timeout);
if (rv != EST_ERR_NONE) {
printf("\nUnable to configure read timeout from server. Aborting!!!\n");
printf("EST error code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv));
exit(1);
}
rv = est_client_set_auth(ectx, est_http_uid, est_http_pwd, client_cert, client_priv_key);
if (rv != EST_ERR_NONE) {
printf("\nUnable to configure client authentication. Aborting!!!\n");
printf("EST error code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv));
exit(1);
}
if (srp) {
rv = est_client_enable_srp(ectx, 1024, est_srp_uid, est_srp_pwd);
if (rv != EST_ERR_NONE) {
printf("\nUnable to enable SRP. Aborting!!!\n");
exit(1);
}
}
if (token_auth_mode) {
rv = est_client_set_auth_cred_cb(ectx, auth_credentials_token_cb);
if (rv != EST_ERR_NONE) {
printf("\nUnable to register token auth callback. Aborting!!!\n");
exit(1);
}
}
est_client_set_server(ectx, est_server, est_port);
if (getcert) {
operation = "Get CA Cert";
rv = est_client_get_cacerts(ectx, &pkcs7_len);
if (rv == EST_ERR_NONE) {
if (verbose) {
printf("\nGet CA Cert success\n");
}
/*
* allocate a buffer to retrieve the CA certs
* and get them copied in
*/
pkcs7 = malloc(pkcs7_len);
rv = est_client_copy_cacerts(ectx, pkcs7);
/*
* Dump the retrieved cert to stdout
*/
if (verbose) {
dumpbin(pkcs7, pkcs7_len);
}
/*
* Generate the output file name, which contains the thread ID
* and iteration number.
*/
snprintf(file_name, MAX_FILENAME_LEN, "%s/cacert.pkcs7", out_dir);
write_binary_file(file_name, pkcs7, pkcs7_len);
free(pkcs7);
}
}
if (enroll && getcsr) {
operation = "Regular enrollment with server-defined attributes";
rv = regular_enroll_attempt(ectx);
if (rv == EST_ERR_CA_ENROLL_RETRY) {
/*
* go get the retry period
*/
rv = est_client_copy_retry_after(ectx, &retry_delay, &retry_time);
if (verbose) {
printf("\nretry after period copy rv = %d "
"Retry-After delay seconds = %d "
"Retry-After delay time = %s\n",
rv, retry_delay, ctime(&retry_time) );
}
if (rv == EST_ERR_NONE) {
retry_enroll_delay(retry_delay, retry_time);
}
/*
* now that we're back, try to enroll again
*/
rv = regular_enroll_attempt(ectx);
}
} else if (enroll && !getcsr) {
operation = "Simple enrollment without server-defined attributes";
rv = simple_enroll_attempt(ectx);
if (rv == EST_ERR_CA_ENROLL_RETRY) {
/*
* go get the retry period
*/
rv = est_client_copy_retry_after(ectx, &retry_delay, &retry_time);
if (verbose) {
printf("\nretry after period copy rv = %d "
"Retry-After delay seconds = %d "
"Retry-After delay time = %s\n",
rv, retry_delay, ctime(&retry_time) );
}
if (rv == EST_ERR_NONE) {
retry_enroll_delay(retry_delay, retry_time);
}
/*
* now that we're back, try to enroll again
*/
rv = simple_enroll_attempt(ectx);
}
} else if (!enroll && getcsr) {
operation = "Get CSR attribues";
rv = regular_csr_attempt(ectx);
}
/* Split reenroll from enroll to allow both messages to be sent */
if (reenroll) {
operation = "Re-enrollment";
rv = est_client_reenroll(ectx, client_cert, &pkcs7_len, client_priv_key);
if (verbose) {
printf("\nreenroll rv = %d (%s) with pkcs7 length = %d\n",
rv, EST_ERR_NUM_TO_STR(rv), pkcs7_len);
}
if (rv == EST_ERR_NONE) {
/*
* client library has obtained the new client certificate.
* now retrieve it from the library
*/
new_client_cert = malloc(pkcs7_len);
if (new_client_cert == NULL) {
if (verbose) {
printf("\nmalloc of destination buffer for reenroll cert failed\n");
}
}
rv = est_client_copy_enrolled_cert(ectx, new_client_cert);
if (verbose) {
printf("\nreenroll copy rv = %d\n", rv);
}
if (rv == EST_ERR_NONE) {
/*
* Enrollment copy worked, dump the pkcs7 cert to stdout
*/
if (verbose) {
dumpbin(new_client_cert, pkcs7_len);
}
}
/*
* Generate the output file name, which contains the thread ID
* and iteration number.
*/
snprintf(file_name, MAX_FILENAME_LEN, "%s/newcert", out_dir);
save_cert(file_name, new_client_cert, pkcs7_len);
free(new_client_cert);
}
}
if (rv != EST_ERR_NONE) {
/*
* something went wrong.
*/
printf("\n%s failed with code %d (%s)\n",
operation, rv, EST_ERR_NUM_TO_STR(rv));
}
est_destroy(ectx);
ERR_clear_error();
ERR_remove_thread_state(NULL);
}
/*
* This test does a simple enroll with SRP using a
* non-default value for the SRP strength.
*/
static void us1060_test106 ()
{
EST_CTX *ectx;
EVP_PKEY *new_key;
int rv;
int pkcs7_len = 0;
LOG_FUNC_NM;
/*
* We need to restart the EST server using an RSA key
* None of the SRP cipher suites support ECDSA
*/
st_stop();
sleep(2);
rv = us1060_start_server(US1060_SERVER_CERTKEY, US1060_SERVER_CERTKEY, 0, 0, 1);
/*
* Create a client context
*/
ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT);
/*
* Enable SRP on the client
* Use a strength below the minimum
*/
rv = est_client_enable_srp(ectx, 1023, US1060_UID, US1060_PWD);
CU_ASSERT(rv == EST_ERR_SRP_STRENGTH_LOW);
/*
* Enable SRP on the client
* Use a strength slightly larger then the N value in passwd.srpv
*/
rv = est_client_enable_srp(ectx, 1537, US1060_UID, US1060_PWD);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* generate a new private key
*/
new_key = generate_private_key();
CU_ASSERT(new_key != NULL);
/*
* Attempt to provision a new cert
*/
rv = est_client_enroll(ectx, "US1060_TEST106a", &pkcs7_len, new_key);
CU_ASSERT(rv == EST_ERR_SSL_CONNECT);
/*
* Enable SRP on the client
* Use a strength the same size as the N value in passwd.srpv
*/
rv = est_client_enable_srp(ectx, 1536, US1060_UID, US1060_PWD);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Attempt to provision a new cert
*/
rv = est_client_enroll(ectx, "US1060_TEST106b", &pkcs7_len, new_key);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Cleanup
*/
EVP_PKEY_free(new_key);
est_destroy(ectx);
}
/*
* This test will enable a just the SRP-RSA-AES-128-CBC-SHA
* cipher suite, which forces the server to send a certificate
* to the client while SRP is used. Similar to #104, we'll
* omit configuring the trust anchor on the client context.
* This should cause the TLS session to fail since the
* server cert can not be verified without a trust anchor.
*/
static void us1060_test105 ()
{
EST_CTX *ectx;
EVP_PKEY *new_key;
int rv;
int pkcs7_len = 0;
struct est_dumb_ctx *ed;
LOG_FUNC_NM;
/*
* We need to restart the EST server using an RSA key
* None of the SRP cipher suites support ECDSA
*/
st_stop();
sleep(2);
us1060_start_server(US1060_RSA_CERT, US1060_RSA_KEY, 0, 0, 1);
/*
* Create a client context
*/
ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US1060_SERVER_IP, US1060_SERVER_PORT);
/*
* Enable SRP on the client
*/
rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD);
/*
* This is not an approved use of the EST API. We do this
* here only to increase code coverage for testing
* purposes only. If you are looking at this code as
* an example of how to use the EST API, do not do this!
*/
ed = (struct est_dumb_ctx*)ectx;
rv = SSL_CTX_set_cipher_list(ed->ssl_ctx, "SRP-RSA-AES-128-CBC-SHA");
CU_ASSERT(rv == 1);
/*
* generate a new private key
*/
new_key = generate_private_key();
CU_ASSERT(new_key != NULL);
/*
* Attempt to provision a new cert
*/
rv = est_client_enroll(ectx, "US1060_TEST105", &pkcs7_len, new_key);
CU_ASSERT(rv == EST_ERR_SSL_CONNECT);
/*
* Cleanup
*/
EVP_PKEY_free(new_key);
est_destroy(ectx);
}
static void us1060_easy_provision (int use_srp, int use_ta, char *cipher_suite, int port, int expected_rv)
{
EST_CTX *ectx;
EVP_PKEY *new_key;
int rv;
int pkcs7_len = 0;
int ca_certs_len = 0;
unsigned char *new_cert = NULL;
struct est_dumb_ctx *ed;
/*
* Create a client context
*/
if (use_ta) {
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
NULL);
} else {
ectx = est_client_init(NULL, 0,
EST_CERT_FORMAT_PEM,
NULL);
}
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US1060_SERVER_IP, port);
if (use_srp) {
rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD);
}
if (cipher_suite) {
/*
* This is not an approved use of the EST API. We do this
* here only to increase code coverage for testing
* purposes only. If you are looking at this code as
* an example of how to use the EST API, do not do this!
*/
ed = (struct est_dumb_ctx*)ectx;
rv = SSL_CTX_set_cipher_list(ed->ssl_ctx, cipher_suite);
CU_ASSERT(rv == 1);
}
/*
* generate a new private key
*/
new_key = generate_private_key();
CU_ASSERT(new_key != NULL);
/*
* Attempt to provision a new cert
*/
rv = est_client_provision_cert(ectx, "US1060_TEST1xx", &pkcs7_len, &ca_certs_len, new_key);
CU_ASSERT(rv == expected_rv);
if (rv != expected_rv) {
printf("\nExpected rv was %d, rv returned was %d", expected_rv, rv);
}
EVP_PKEY_free(new_key);
/*
* Retrieve the cert that was given to us by the EST server
*/
if (rv == EST_ERR_NONE) {
new_cert = malloc(pkcs7_len);
CU_ASSERT(new_cert != NULL);
rv = est_client_copy_enrolled_cert(ectx, new_cert);
CU_ASSERT(rv == EST_ERR_NONE);
if (new_cert) free(new_cert);
} else {
est_destroy(ectx);
return;
}
/*
* Retrieve a copy of the new CA certs
*/
if (rv == EST_ERR_NONE) {
new_cert = malloc(ca_certs_len);
CU_ASSERT(new_cert != NULL);
rv = est_client_copy_cacerts(ectx, new_cert);
CU_ASSERT(rv == EST_ERR_NONE);
if (new_cert) free(new_cert);
} else {
est_destroy(ectx);
return;
}
/*
* Cleanup
*/
est_destroy(ectx);
}
