/*
* This function performs a basic simple enroll using
* a UID/PWD to identify the client to the server. This
* is used for a variet of test cases in this module.
*/
static void us898_test1 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
int rv;
int pkcs7_len = 0;
unsigned char *new_cert = NULL;
PKCS7 *p7 = NULL;
BIO *b64, *out;
X509 *cert = NULL;
STACK_OF(X509) *certs = NULL;
int i;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* generate a private key
*/
key = generate_private_key();
CU_ASSERT(key != NULL);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Use the simplified API to enroll a CSR
*/
rv = est_client_enroll(ectx, "TC-US898-1", &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_NONE);
if (rv != EST_ERR_NONE) return;
/*
* Retrieve the cert that was given to us by the EST server
*/
if (rv == EST_ERR_NONE) {
new_cert = malloc(pkcs7_len);
CU_ASSERT(new_cert != NULL);
rv = est_client_copy_enrolled_cert(ectx, new_cert);
CU_ASSERT(rv == EST_ERR_NONE);
}
/*
* Convert the cert to an X509. Be warned this is
* pure hackery.
*/
b64 = BIO_new(BIO_f_base64());
out = BIO_new_mem_buf(new_cert, pkcs7_len);
out = BIO_push(b64, out);
p7 = d2i_PKCS7_bio(out,NULL);
CU_ASSERT(p7 != NULL);
BIO_free_all(out);
i=OBJ_obj2nid(p7->type);
switch (i) {
case NID_pkcs7_signed:
certs = p7->d.sign->cert;
break;
case NID_pkcs7_signedAndEnveloped:
certs = p7->d.signed_and_enveloped->cert;
break;
default:
break;
}
CU_ASSERT(certs != NULL);
if (!certs) return;
/* our new cert should be the one and only
* cert in the pkcs7 blob. We shouldn't have to
* iterate through the full list to find it. */
cert = sk_X509_value(certs, 0);
CU_ASSERT(cert != NULL);
/*
* Wow, that's a lot of work, but we finally have the X509.
* (don't you just love OpenSSL!!!)
* Now that we have an X509 representation of the cert,
* let's try to re-enroll this cert with the CA
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Cleanup
*/
if (cert) X509_free(cert);
EVP_PKEY_free(key);
if (new_cert) free(new_cert);
est_destroy(ectx);
}
/*
* This test case uses an existing expired cert and
* attempts to re-enroll it. The expired certs contains
* several X509 extensions. We verify the new issued
* cert preserves these extensions using grep. Note,
* preserving these extensions requires the OpenSSL CA
* to enable the "copy_extensions" knob in the OpenSSL
* config file. This is why this test suite uses a
* unique copy of estExampleCA.cnf.
*/
static void us898_test2 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int rv;
int pkcs7_len = 0;
unsigned char *new_cert = NULL;
X509 *cert = NULL;
BIO *in;
char cmd[200];
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* Read in the private key
*/
key_len = read_binary_file("US898/key-expired.pem", &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file("US898/cert-expired.pem", &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Enroll an expired cert that contains x509 extensions.
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Retrieve the cert that was given to us by the EST server
*/
if (rv == EST_ERR_NONE) {
new_cert = malloc(pkcs7_len);
CU_ASSERT(new_cert != NULL);
rv = est_client_copy_enrolled_cert(ectx, new_cert);
CU_ASSERT(rv == EST_ERR_NONE);
}
/*
* Save the cert to a local file
*/
rv = write_binary_file(US898_TC2_CERT_B64, new_cert, pkcs7_len);
CU_ASSERT(rv == 1);
/*
* Base 64 decode the cert response
*/
sprintf(cmd, "openssl base64 -d -in %s -out %s", US898_TC2_CERT_B64, US898_TC2_CERT_PK7);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Convert the pkcs7 cert to a PEM cert
*/
sprintf(cmd, "openssl pkcs7 -in %s -inform DER -print_certs -out %s", US898_TC2_CERT_PK7, US898_TC2_CERT_PEM);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Convert PEM cert to a textual representation of the cert
*/
sprintf(cmd, "openssl x509 -text -in %s > %s", US898_TC2_CERT_PEM, US898_TC2_CERT_TXT);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Verify the jimbob DNS extension was preserved
*/
sprintf(cmd, "grep jimbob %s", US898_TC2_CERT_TXT);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Verify the bobcat DNS extension was preserved
*/
sprintf(cmd, "grep bobcat %s", US898_TC2_CERT_TXT);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Verify the IP address extension was preserved
*/
sprintf(cmd, "grep 172 %s", US898_TC2_CERT_TXT);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Verify the Repudiation key usage extension was preserved
*/
sprintf(cmd, "grep Repudiation %s", US898_TC2_CERT_TXT);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Verify the public key was preserved
*/
sprintf(cmd, "grep '00:e3:ca:38:65:fb:9c:46:a6:22:b1:be:17:bc:50' %s", US898_TC2_CERT_TXT);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Clean up
*/
if (new_cert) free(new_cert);
est_destroy(ectx);
}
static int regular_enroll_attempt (EST_CTX *ectx)
{
int pkcs7_len = 0;
int rv;
char file_name[MAX_FILENAME_LEN];
unsigned char *new_client_cert;
unsigned char *attr_data = NULL;
unsigned char *der_ptr = NULL;
int attr_len, der_len, nid;
X509_REQ *csr;
/*
* We need to get the CSR attributes first, which allows libest
* to know if the challengePassword needs to be included in the
* CSR.
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
if (rv != EST_ERR_NONE) {
printf("\nWarning: CSR attributes were not available");
return (rv);
}
/* Generate a CSR */
csr = X509_REQ_new();
if (csr == NULL) {
printf("\nFailed to get X509_REQ");
return (EST_ERR_NO_CSR);
}
rv = populate_x509_csr(csr, priv_key, "EST-client");
if (rv) {
printf("\nFailed to populate X509_REQ");
return (EST_ERR_X509_PUBKEY);
}
rv = est_decode_attributes_helper((char*)attr_data, attr_len, &der_ptr, &der_len);
if (rv != EST_ERR_NONE) {
printf("\nFailed to decode attributes");
return (rv);
}
while (der_len) {
rv = est_get_attributes_helper(&der_ptr, &der_len, &nid);
if (rv == EST_ERR_NONE) {
/*
* This switch can be enhanced to include all NID values
* of interest by the client/server. In addition the last
* parameter can be enhanced to provide the character string
* type information that is included with the NID.
*
* Presently only character string types are supported, but at
* some point OID or groups of strings/OIDs may need to be
* supported.
*
* Note that challenge password should not be included here
* as it is handled by libest client code.
*/
switch (nid) {
case NID_commonName:
/* add the attribute to the request */
rv = est_add_attributes_helper(csr, nid, "test\n", 0);
break;
case NID_pkcs9_emailAddress:
/* add the attribute to the request */
rv = est_add_attributes_helper(csr, nid, "[email protected]\0", 0);
break;
case NID_undef:
printf("\nNID is undefined; skipping it\n");
break;
default:
rv = est_add_attributes_helper(csr, nid, "", 0);
break;
}
if (rv != EST_ERR_NONE) {
printf("\n Error adding NID=%d", nid);
}
}
}
X509_REQ_print_fp(stderr, csr);
rv = est_client_enroll_csr(ectx, csr, &pkcs7_len, priv_key);
if (verbose) {
printf("\nenrollment rv = %d (%s) with pkcs7 length = %d\n",
rv, EST_ERR_NUM_TO_STR(rv), pkcs7_len);
}
if (rv == EST_ERR_NONE) {
/*
* client library has obtained the new client certificate.
* now retrieve it from the library
*/
new_client_cert = malloc(pkcs7_len);
if (new_client_cert == NULL) {
if (verbose) {
printf("\nmalloc of destination buffer for enrollment cert failed\n");
}
return (EST_ERR_MALLOC);
}
rv = est_client_copy_enrolled_cert(ectx, new_client_cert);
if (verbose) {
printf("\nenrollment copy rv = %d\n", rv);
}
if (rv == EST_ERR_NONE) {
/*
* Enrollment copy worked, dump the pkcs7 cert to stdout
*/
if (verbose) {
dumpbin(new_client_cert, pkcs7_len);
}
}
snprintf(file_name, MAX_FILENAME_LEN, "%s/newcert", out_dir);
save_cert(file_name, new_client_cert, pkcs7_len);
free(new_client_cert);
}
return (rv);
}
static void do_operation ()
{
EST_CTX *ectx;
unsigned char *pkcs7;
int pkcs7_len = 0;
int rv;
char file_name[MAX_FILENAME_LEN];
unsigned char *new_client_cert;
int retry_delay = 0;
time_t retry_time = 0;
char *operation;
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
if (!ectx) {
printf("\nUnable to initialize EST context. Aborting!!!\n");
exit(1);
}
rv = est_client_set_read_timeout(ectx, read_timeout);
if (rv != EST_ERR_NONE) {
printf("\nUnable to configure read timeout from server. Aborting!!!\n");
printf("EST error code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv));
exit(1);
}
rv = est_client_set_auth(ectx, est_http_uid, est_http_pwd, client_cert, client_priv_key);
if (rv != EST_ERR_NONE) {
printf("\nUnable to configure client authentication. Aborting!!!\n");
printf("EST error code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv));
exit(1);
}
if (srp) {
rv = est_client_enable_srp(ectx, 1024, est_srp_uid, est_srp_pwd);
if (rv != EST_ERR_NONE) {
printf("\nUnable to enable SRP. Aborting!!!\n");
exit(1);
}
}
if (token_auth_mode) {
rv = est_client_set_auth_cred_cb(ectx, auth_credentials_token_cb);
if (rv != EST_ERR_NONE) {
printf("\nUnable to register token auth callback. Aborting!!!\n");
exit(1);
}
}
est_client_set_server(ectx, est_server, est_port);
if (getcert) {
operation = "Get CA Cert";
rv = est_client_get_cacerts(ectx, &pkcs7_len);
if (rv == EST_ERR_NONE) {
if (verbose) {
printf("\nGet CA Cert success\n");
}
/*
* allocate a buffer to retrieve the CA certs
* and get them copied in
*/
pkcs7 = malloc(pkcs7_len);
rv = est_client_copy_cacerts(ectx, pkcs7);
/*
* Dump the retrieved cert to stdout
*/
if (verbose) {
dumpbin(pkcs7, pkcs7_len);
}
/*
* Generate the output file name, which contains the thread ID
* and iteration number.
*/
snprintf(file_name, MAX_FILENAME_LEN, "%s/cacert.pkcs7", out_dir);
write_binary_file(file_name, pkcs7, pkcs7_len);
free(pkcs7);
}
}
if (enroll && getcsr) {
operation = "Regular enrollment with server-defined attributes";
rv = regular_enroll_attempt(ectx);
if (rv == EST_ERR_CA_ENROLL_RETRY) {
/*
* go get the retry period
*/
rv = est_client_copy_retry_after(ectx, &retry_delay, &retry_time);
if (verbose) {
printf("\nretry after period copy rv = %d "
"Retry-After delay seconds = %d "
"Retry-After delay time = %s\n",
rv, retry_delay, ctime(&retry_time) );
}
if (rv == EST_ERR_NONE) {
retry_enroll_delay(retry_delay, retry_time);
}
/*
* now that we're back, try to enroll again
*/
rv = regular_enroll_attempt(ectx);
}
} else if (enroll && !getcsr) {
operation = "Simple enrollment without server-defined attributes";
rv = simple_enroll_attempt(ectx);
if (rv == EST_ERR_CA_ENROLL_RETRY) {
/*
* go get the retry period
*/
rv = est_client_copy_retry_after(ectx, &retry_delay, &retry_time);
if (verbose) {
printf("\nretry after period copy rv = %d "
"Retry-After delay seconds = %d "
"Retry-After delay time = %s\n",
rv, retry_delay, ctime(&retry_time) );
}
if (rv == EST_ERR_NONE) {
retry_enroll_delay(retry_delay, retry_time);
}
/*
* now that we're back, try to enroll again
*/
rv = simple_enroll_attempt(ectx);
}
} else if (!enroll && getcsr) {
operation = "Get CSR attribues";
rv = regular_csr_attempt(ectx);
}
/* Split reenroll from enroll to allow both messages to be sent */
if (reenroll) {
operation = "Re-enrollment";
rv = est_client_reenroll(ectx, client_cert, &pkcs7_len, client_priv_key);
if (verbose) {
printf("\nreenroll rv = %d (%s) with pkcs7 length = %d\n",
rv, EST_ERR_NUM_TO_STR(rv), pkcs7_len);
}
if (rv == EST_ERR_NONE) {
/*
* client library has obtained the new client certificate.
* now retrieve it from the library
*/
new_client_cert = malloc(pkcs7_len);
if (new_client_cert == NULL) {
if (verbose) {
printf("\nmalloc of destination buffer for reenroll cert failed\n");
}
}
rv = est_client_copy_enrolled_cert(ectx, new_client_cert);
if (verbose) {
printf("\nreenroll copy rv = %d\n", rv);
}
if (rv == EST_ERR_NONE) {
/*
* Enrollment copy worked, dump the pkcs7 cert to stdout
*/
if (verbose) {
dumpbin(new_client_cert, pkcs7_len);
}
}
/*
* Generate the output file name, which contains the thread ID
* and iteration number.
*/
snprintf(file_name, MAX_FILENAME_LEN, "%s/newcert", out_dir);
save_cert(file_name, new_client_cert, pkcs7_len);
free(new_client_cert);
}
}
if (rv != EST_ERR_NONE) {
/*
* something went wrong.
*/
printf("\n%s failed with code %d (%s)\n",
operation, rv, EST_ERR_NUM_TO_STR(rv));
}
est_destroy(ectx);
ERR_clear_error();
ERR_remove_thread_state(NULL);
}
static int simple_enroll_attempt (EST_CTX *ectx)
{
int pkcs7_len = 0;
int rv;
char file_name[MAX_FILENAME_LEN];
unsigned char *new_client_cert;
X509_REQ *csr = NULL;
if (force_pop) {
rv = est_client_force_pop(ectx);
if (rv != EST_ERR_NONE) {
printf("\nFailed to enable force PoP");
}
}
if (csr_file[0]) {
csr = read_csr(csr_file);
if (csr == NULL) {
rv = EST_ERR_PEM_READ;
}else {
rv = est_client_enroll_csr(ectx, csr, &pkcs7_len, NULL);
}
}else {
rv = est_client_enroll(ectx, subj_cn, &pkcs7_len, priv_key);
}
if (csr) {
X509_REQ_free(csr);
}
if (verbose) {
printf("\nenrollment rv = %d (%s) with pkcs7 length = %d\n",
rv, EST_ERR_NUM_TO_STR(rv), pkcs7_len);
}
if (rv == EST_ERR_NONE) {
/*
* client library has obtained the new client certificate.
* now retrieve it from the library
*/
new_client_cert = malloc(pkcs7_len);
if (new_client_cert == NULL) {
if (verbose) {
printf("\nmalloc of destination buffer for enrollment cert failed\n");
}
return (EST_ERR_MALLOC);
}
rv = est_client_copy_enrolled_cert(ectx, new_client_cert);
if (verbose) {
printf("\nenrollment copy rv = %d\n", rv);
}
if (rv == EST_ERR_NONE) {
/*
* Enrollment copy worked, dump the pkcs7 cert to stdout
*/
if (verbose) {
dumpbin(new_client_cert, pkcs7_len);
}
}
snprintf(file_name, MAX_FILENAME_LEN, "%s/newcert", out_dir);
save_cert(file_name, new_client_cert, pkcs7_len);
free(new_client_cert);
}
return (rv);
}
static void us748_test9 (void)
{
EST_CTX *ctx;
int rv;
unsigned char *cacerts;
int caclen = 0;
EVP_PKEY *new_pkey;
unsigned char *pkcs7;
int pkcs7_len = 0;
unsigned char *attr_data;
int attr_len;
LOG_FUNC_NM;
/*
* Make sure our EST server has PoP disabled
*/
st_disable_pop();
/*
* Read in the CA certs
*/
caclen = read_binary_file(US748_CACERTS, &cacerts);
CU_ASSERT(cacerts_len > 0);
/*
* Init the client context
*/
ctx = est_client_init(cacerts, caclen, EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
/*
* We'll use simple HTTP auth to identify ourselves
*/
rv = est_client_set_auth(ctx, "estuser", "estpwd", NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
est_client_set_server(ctx, "127.0.0.1", US748_TCP_PROXY_PORT);
/*
* Create some space to hold the cert and generate
* a private key
*/
new_pkey = generate_private_key();
rv = est_client_get_csrattrs(ctx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Attempt to enroll
*/
ctx->csr_pop_required = 1; //This is a hack for testing only, do not attempt this
//We need to force the challengePassword into the CSR
rv = est_client_enroll(ctx, "TestCase9", &pkcs7_len, new_pkey);
CU_ASSERT(rv == EST_ERR_NONE);
pkcs7 = malloc(pkcs7_len);
rv = est_client_copy_enrolled_cert(ctx, pkcs7);
free(pkcs7);
est_destroy(ctx);
}
/*
* Simple enroll - PoP check succeeds with estclient
*
* This test case verifies the proxy is
* verifying the PoP from the client CSR. We use
* estclient since it supports the PoP.
*/
static void us748_test7 (void)
{
long rv;
EST_CTX *c_ctx;
EVP_PKEY *new_pkey;
unsigned char *pkcs7;
int pkcs7_len;
unsigned char *attr_data;
int attr_len;
LOG_FUNC_NM;
/*
* This test case requires PoP to be enabled
*/
st_enable_pop();
/*
* Create a client context
*/
c_ctx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(c_ctx != NULL);
if (!c_ctx) {
return;
}
/*
* Specify user ID and password since the server is running
* in Basic Authentication mode.
*/
rv = est_client_set_auth(c_ctx, "estuser", "estpwd", NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
est_client_set_server(c_ctx, "127.0.0.1", US748_TCP_PROXY_PORT);
/*
* get a keypair to be used in the enroll.
*/
new_pkey = generate_private_key();
rv = est_client_get_csrattrs(c_ctx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Attempt to enroll a CSR
*/
rv = est_client_enroll(c_ctx, "US748-test7 CN", &pkcs7_len, new_pkey);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Client library has obtained the new client certificate.
* Now retrieve it from the library.
*/
pkcs7 = malloc(pkcs7_len);
if (!pkcs7) {
return;
}
rv = est_client_copy_enrolled_cert (c_ctx, pkcs7);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Clean up
*/
est_destroy(c_ctx);
EVP_PKEY_free(new_pkey);
free(pkcs7);
/*
* Disable PoP for future test cases
*/
st_disable_pop();
}
static void us1060_easy_provision (int use_srp, int use_ta, char *cipher_suite, int port, int expected_rv)
{
EST_CTX *ectx;
EVP_PKEY *new_key;
int rv;
int pkcs7_len = 0;
int ca_certs_len = 0;
unsigned char *new_cert = NULL;
struct est_dumb_ctx *ed;
/*
* Create a client context
*/
if (use_ta) {
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
NULL);
} else {
ectx = est_client_init(NULL, 0,
EST_CERT_FORMAT_PEM,
NULL);
}
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US1060_SERVER_IP, port);
if (use_srp) {
rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD);
}
if (cipher_suite) {
/*
* This is not an approved use of the EST API. We do this
* here only to increase code coverage for testing
* purposes only. If you are looking at this code as
* an example of how to use the EST API, do not do this!
*/
ed = (struct est_dumb_ctx*)ectx;
rv = SSL_CTX_set_cipher_list(ed->ssl_ctx, cipher_suite);
CU_ASSERT(rv == 1);
}
/*
* generate a new private key
*/
new_key = generate_private_key();
CU_ASSERT(new_key != NULL);
/*
* Attempt to provision a new cert
*/
rv = est_client_provision_cert(ectx, "US1060_TEST1xx", &pkcs7_len, &ca_certs_len, new_key);
CU_ASSERT(rv == expected_rv);
if (rv != expected_rv) {
printf("\nExpected rv was %d, rv returned was %d", expected_rv, rv);
}
EVP_PKEY_free(new_key);
/*
* Retrieve the cert that was given to us by the EST server
*/
if (rv == EST_ERR_NONE) {
new_cert = malloc(pkcs7_len);
CU_ASSERT(new_cert != NULL);
rv = est_client_copy_enrolled_cert(ectx, new_cert);
CU_ASSERT(rv == EST_ERR_NONE);
if (new_cert) free(new_cert);
} else {
est_destroy(ectx);
return;
}
/*
* Retrieve a copy of the new CA certs
*/
if (rv == EST_ERR_NONE) {
new_cert = malloc(ca_certs_len);
CU_ASSERT(new_cert != NULL);
rv = est_client_copy_cacerts(ectx, new_cert);
CU_ASSERT(rv == EST_ERR_NONE);
if (new_cert) free(new_cert);
} else {
est_destroy(ectx);
return;
}
/*
* Cleanup
*/
est_destroy(ectx);
}
int main (int argc, char **argv)
{
EST_ERROR rv;
char c;
char *key_data;
EVP_PKEY *key;
char *trustanchor_file;
EST_CTX *ectx;
int p7_len;
int ca_certs_len;
unsigned char *new_client_cert;
unsigned char *new_certs;
static struct option long_options[] = {
{"srp", 0, 0, 0},
{"srp-user", 1, 0, 0},
{"srp-password", 1, 0, 0},
{"auth-token", 1, 0, 0},
{NULL, 0, NULL, 0}
};
int option_index = 0;
est_http_uid[0] = 0x0;
est_http_pwd[0] = 0x0;
while ((c = getopt_long(argc, argv, "s:p:u:h:", long_options, &option_index)) != -1) {
switch (c) {
case 0:
if (!strncmp(long_options[option_index].name,"srp", strlen("srp"))) {
srp = 1;
}
if (!strncmp(long_options[option_index].name,"srp-user", strlen("srp-user"))) {
strncpy(est_srp_uid, optarg, MAX_UID_LEN);
}
if (!strncmp(long_options[option_index].name,"srp-password", strlen("srp-password"))) {
strncpy(est_srp_pwd, optarg, MAX_PWD_LEN);
}
if (!strncmp(long_options[option_index].name,"auth-token", strlen("auth-token"))) {
strncpy(est_auth_token, optarg, MAX_AUTH_TOKEN_LEN);
token_auth_mode = 1;
}
break;
case 'u':
strncpy(est_http_uid, optarg, MAX_UID_LEN);
break;
case 'h':
strncpy(est_http_pwd, optarg, MAX_PWD_LEN);
break;
case 's':
strncpy(est_server, optarg, MAX_SERVER_LEN);
break;
case 'p':
est_port = atoi(optarg);
break;
default:
show_usage_and_exit();
break;
}
}
if (optind < argc) {
printf ("non-option ARGV-elements: ");
while (optind < argc)
printf ("%s ", argv[optind++]);
printf ("\n");
}
argc -= optind;
argv += optind;
if (est_http_uid[0] && !est_http_pwd[0]) {
printf ("Error: The password for HTTP authentication must be specified when the HTTP user name is set.\n");
exit(1);
}
/*
* Initialize the library, including OpenSSL
*/
est_apps_startup();
print_version();
printf("\nUsing EST server %s:%d", est_server, est_port);
/*
* Read in the trusted certificates, which are used by
* libEST to verify the identity of the EST server.
*/
trustanchor_file = getenv("EST_OPENSSL_CACERT");
cacerts_len = read_binary_file(trustanchor_file, &cacerts);
if (cacerts_len <= 0) {
printf("\nTrusted certs file could not be read. Did you set EST_OPENSSL_CACERT?\n");
exit(1);
}
/*
* This is not required, but we'll enable full debugs
*/
#ifndef WIN32
/* Initialize the EST logging */
est_init_logger(EST_LOG_LVL_INFO, NULL);
#else
InitializeCriticalSection (&logger_critical_section);
est_init_logger(EST_LOG_LVL_INFO, &windows_logger_stderr);
#endif
/*
* Create a public/private key pair that will be used for
* the enrollment. We'll write this out to a local
* file called new_key.pem.
*/
key_data = generate_private_RSA_key(2048, NULL/* no password_cb */);
write_binary_file("./new_key.pem", (unsigned char *)key_data, strlen(key_data));
/*
* Use the load_clear macro to load in an unencrypted key
*/
key = load_clear_private_key_PEM(key_data);
if(!key) {
printf("\nUnable to load newly created key from PEM file\n");
exit(1);
}
memset(key_data, 0, strlen(key_data));
free(key_data);
key_data = NULL;
ectx = setup_est_context();
if (!ectx) {
printf("\nUnable to create EST client context\n");
exit(1);
}
/*
* Attempt to provision a new cert
*/
rv = est_client_provision_cert(ectx, "localhost", &p7_len, &ca_certs_len, key);
if (rv != EST_ERR_NONE) {
printf("\nProvisioning failed with error %s\n", EST_ERR_NUM_TO_STR(rv));
exit(1);
}
EVP_PKEY_free(key);
/*
* Retrieve a copy of the cert
*/
new_client_cert = malloc(p7_len);
if (new_client_cert == NULL){
printf("\nFailed to allocate memory for the newly provisioned cert\n");
exit(1);
}
rv = est_client_copy_enrolled_cert(ectx, new_client_cert);
if (rv != EST_ERR_NONE) {
printf("\nFailed to copy new cert with code %d (%s)\n",
rv, EST_ERR_NUM_TO_STR(rv));
exit(1);
}
/*
* Save the cert to local storage
*/
write_binary_file(cert_file_name, new_client_cert, p7_len);
free(new_client_cert);
/*
* Retrieve a copy of the new trust anchor
*/
new_certs = malloc(ca_certs_len);
rv = est_client_copy_cacerts(ectx, new_certs);
if (rv != EST_ERR_NONE) {
printf("\nFailed to copy new CA certs with code %d (%s)\n",
rv, EST_ERR_NUM_TO_STR(rv));
exit(1);
}
/*
* Your appliations should save the CA certs to local storage in case
* they're needed for future use.
*/
write_binary_file(ca_file_name, new_certs, ca_certs_len);
free(new_certs);
printf("\n\nSuccess!!!\n");
free(cacerts);
est_destroy(ectx);
est_apps_shutdown();
printf("\n");
return 0;
}
