/* * This function performs a basic simple enroll using * a UID/PWD to identify the client to the server. This * is used for a variet of test cases in this module. */ static void us898_test1 (void) { EST_CTX *ectx; EVP_PKEY *key; int rv; int pkcs7_len = 0; unsigned char *new_cert = NULL; PKCS7 *p7 = NULL; BIO *b64, *out; X509 *cert = NULL; STACK_OF(X509) *certs = NULL; int i; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * generate a private key */ key = generate_private_key(); CU_ASSERT(key != NULL); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Use the simplified API to enroll a CSR */ rv = est_client_enroll(ectx, "TC-US898-1", &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_NONE); if (rv != EST_ERR_NONE) return; /* * Retrieve the cert that was given to us by the EST server */ if (rv == EST_ERR_NONE) { new_cert = malloc(pkcs7_len); CU_ASSERT(new_cert != NULL); rv = est_client_copy_enrolled_cert(ectx, new_cert); CU_ASSERT(rv == EST_ERR_NONE); } /* * Convert the cert to an X509. Be warned this is * pure hackery. */ b64 = BIO_new(BIO_f_base64()); out = BIO_new_mem_buf(new_cert, pkcs7_len); out = BIO_push(b64, out); p7 = d2i_PKCS7_bio(out,NULL); CU_ASSERT(p7 != NULL); BIO_free_all(out); i=OBJ_obj2nid(p7->type); switch (i) { case NID_pkcs7_signed: certs = p7->d.sign->cert; break; case NID_pkcs7_signedAndEnveloped: certs = p7->d.signed_and_enveloped->cert; break; default: break; } CU_ASSERT(certs != NULL); if (!certs) return; /* our new cert should be the one and only * cert in the pkcs7 blob. We shouldn't have to * iterate through the full list to find it. */ cert = sk_X509_value(certs, 0); CU_ASSERT(cert != NULL); /* * Wow, that's a lot of work, but we finally have the X509. * (don't you just love OpenSSL!!!) * Now that we have an X509 representation of the cert, * let's try to re-enroll this cert with the CA */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_NONE); /* * Cleanup */ if (cert) X509_free(cert); EVP_PKEY_free(key); if (new_cert) free(new_cert); est_destroy(ectx); }
/* * This test case uses an existing expired cert and * attempts to re-enroll it. The expired certs contains * several X509 extensions. We verify the new issued * cert preserves these extensions using grep. Note, * preserving these extensions requires the OpenSSL CA * to enable the "copy_extensions" knob in the OpenSSL * config file. This is why this test suite uses a * unique copy of estExampleCA.cnf. */ static void us898_test2 (void) { EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; int rv; int pkcs7_len = 0; unsigned char *new_cert = NULL; X509 *cert = NULL; BIO *in; char cmd[200]; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * Read in the private key */ key_len = read_binary_file("US898/key-expired.pem", &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file("US898/cert-expired.pem", &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Enroll an expired cert that contains x509 extensions. */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_NONE); /* * Retrieve the cert that was given to us by the EST server */ if (rv == EST_ERR_NONE) { new_cert = malloc(pkcs7_len); CU_ASSERT(new_cert != NULL); rv = est_client_copy_enrolled_cert(ectx, new_cert); CU_ASSERT(rv == EST_ERR_NONE); } /* * Save the cert to a local file */ rv = write_binary_file(US898_TC2_CERT_B64, new_cert, pkcs7_len); CU_ASSERT(rv == 1); /* * Base 64 decode the cert response */ sprintf(cmd, "openssl base64 -d -in %s -out %s", US898_TC2_CERT_B64, US898_TC2_CERT_PK7); rv = system(cmd); CU_ASSERT(rv == 0); /* * Convert the pkcs7 cert to a PEM cert */ sprintf(cmd, "openssl pkcs7 -in %s -inform DER -print_certs -out %s", US898_TC2_CERT_PK7, US898_TC2_CERT_PEM); rv = system(cmd); CU_ASSERT(rv == 0); /* * Convert PEM cert to a textual representation of the cert */ sprintf(cmd, "openssl x509 -text -in %s > %s", US898_TC2_CERT_PEM, US898_TC2_CERT_TXT); rv = system(cmd); CU_ASSERT(rv == 0); /* * Verify the jimbob DNS extension was preserved */ sprintf(cmd, "grep jimbob %s", US898_TC2_CERT_TXT); rv = system(cmd); CU_ASSERT(rv == 0); /* * Verify the bobcat DNS extension was preserved */ sprintf(cmd, "grep bobcat %s", US898_TC2_CERT_TXT); rv = system(cmd); CU_ASSERT(rv == 0); /* * Verify the IP address extension was preserved */ sprintf(cmd, "grep 172 %s", US898_TC2_CERT_TXT); rv = system(cmd); CU_ASSERT(rv == 0); /* * Verify the Repudiation key usage extension was preserved */ sprintf(cmd, "grep Repudiation %s", US898_TC2_CERT_TXT); rv = system(cmd); CU_ASSERT(rv == 0); /* * Verify the public key was preserved */ sprintf(cmd, "grep '00:e3:ca:38:65:fb:9c:46:a6:22:b1:be:17:bc:50' %s", US898_TC2_CERT_TXT); rv = system(cmd); CU_ASSERT(rv == 0); /* * Clean up */ if (new_cert) free(new_cert); est_destroy(ectx); }
static int regular_enroll_attempt (EST_CTX *ectx) { int pkcs7_len = 0; int rv; char file_name[MAX_FILENAME_LEN]; unsigned char *new_client_cert; unsigned char *attr_data = NULL; unsigned char *der_ptr = NULL; int attr_len, der_len, nid; X509_REQ *csr; /* * We need to get the CSR attributes first, which allows libest * to know if the challengePassword needs to be included in the * CSR. */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); if (rv != EST_ERR_NONE) { printf("\nWarning: CSR attributes were not available"); return (rv); } /* Generate a CSR */ csr = X509_REQ_new(); if (csr == NULL) { printf("\nFailed to get X509_REQ"); return (EST_ERR_NO_CSR); } rv = populate_x509_csr(csr, priv_key, "EST-client"); if (rv) { printf("\nFailed to populate X509_REQ"); return (EST_ERR_X509_PUBKEY); } rv = est_decode_attributes_helper((char*)attr_data, attr_len, &der_ptr, &der_len); if (rv != EST_ERR_NONE) { printf("\nFailed to decode attributes"); return (rv); } while (der_len) { rv = est_get_attributes_helper(&der_ptr, &der_len, &nid); if (rv == EST_ERR_NONE) { /* * This switch can be enhanced to include all NID values * of interest by the client/server. In addition the last * parameter can be enhanced to provide the character string * type information that is included with the NID. * * Presently only character string types are supported, but at * some point OID or groups of strings/OIDs may need to be * supported. * * Note that challenge password should not be included here * as it is handled by libest client code. */ switch (nid) { case NID_commonName: /* add the attribute to the request */ rv = est_add_attributes_helper(csr, nid, "test\n", 0); break; case NID_pkcs9_emailAddress: /* add the attribute to the request */ rv = est_add_attributes_helper(csr, nid, "[email protected]\0", 0); break; case NID_undef: printf("\nNID is undefined; skipping it\n"); break; default: rv = est_add_attributes_helper(csr, nid, "", 0); break; } if (rv != EST_ERR_NONE) { printf("\n Error adding NID=%d", nid); } } } X509_REQ_print_fp(stderr, csr); rv = est_client_enroll_csr(ectx, csr, &pkcs7_len, priv_key); if (verbose) { printf("\nenrollment rv = %d (%s) with pkcs7 length = %d\n", rv, EST_ERR_NUM_TO_STR(rv), pkcs7_len); } if (rv == EST_ERR_NONE) { /* * client library has obtained the new client certificate. * now retrieve it from the library */ new_client_cert = malloc(pkcs7_len); if (new_client_cert == NULL) { if (verbose) { printf("\nmalloc of destination buffer for enrollment cert failed\n"); } return (EST_ERR_MALLOC); } rv = est_client_copy_enrolled_cert(ectx, new_client_cert); if (verbose) { printf("\nenrollment copy rv = %d\n", rv); } if (rv == EST_ERR_NONE) { /* * Enrollment copy worked, dump the pkcs7 cert to stdout */ if (verbose) { dumpbin(new_client_cert, pkcs7_len); } } snprintf(file_name, MAX_FILENAME_LEN, "%s/newcert", out_dir); save_cert(file_name, new_client_cert, pkcs7_len); free(new_client_cert); } return (rv); }
static void do_operation () { EST_CTX *ectx; unsigned char *pkcs7; int pkcs7_len = 0; int rv; char file_name[MAX_FILENAME_LEN]; unsigned char *new_client_cert; int retry_delay = 0; time_t retry_time = 0; char *operation; ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); if (!ectx) { printf("\nUnable to initialize EST context. Aborting!!!\n"); exit(1); } rv = est_client_set_read_timeout(ectx, read_timeout); if (rv != EST_ERR_NONE) { printf("\nUnable to configure read timeout from server. Aborting!!!\n"); printf("EST error code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv)); exit(1); } rv = est_client_set_auth(ectx, est_http_uid, est_http_pwd, client_cert, client_priv_key); if (rv != EST_ERR_NONE) { printf("\nUnable to configure client authentication. Aborting!!!\n"); printf("EST error code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv)); exit(1); } if (srp) { rv = est_client_enable_srp(ectx, 1024, est_srp_uid, est_srp_pwd); if (rv != EST_ERR_NONE) { printf("\nUnable to enable SRP. Aborting!!!\n"); exit(1); } } if (token_auth_mode) { rv = est_client_set_auth_cred_cb(ectx, auth_credentials_token_cb); if (rv != EST_ERR_NONE) { printf("\nUnable to register token auth callback. Aborting!!!\n"); exit(1); } } est_client_set_server(ectx, est_server, est_port); if (getcert) { operation = "Get CA Cert"; rv = est_client_get_cacerts(ectx, &pkcs7_len); if (rv == EST_ERR_NONE) { if (verbose) { printf("\nGet CA Cert success\n"); } /* * allocate a buffer to retrieve the CA certs * and get them copied in */ pkcs7 = malloc(pkcs7_len); rv = est_client_copy_cacerts(ectx, pkcs7); /* * Dump the retrieved cert to stdout */ if (verbose) { dumpbin(pkcs7, pkcs7_len); } /* * Generate the output file name, which contains the thread ID * and iteration number. */ snprintf(file_name, MAX_FILENAME_LEN, "%s/cacert.pkcs7", out_dir); write_binary_file(file_name, pkcs7, pkcs7_len); free(pkcs7); } } if (enroll && getcsr) { operation = "Regular enrollment with server-defined attributes"; rv = regular_enroll_attempt(ectx); if (rv == EST_ERR_CA_ENROLL_RETRY) { /* * go get the retry period */ rv = est_client_copy_retry_after(ectx, &retry_delay, &retry_time); if (verbose) { printf("\nretry after period copy rv = %d " "Retry-After delay seconds = %d " "Retry-After delay time = %s\n", rv, retry_delay, ctime(&retry_time) ); } if (rv == EST_ERR_NONE) { retry_enroll_delay(retry_delay, retry_time); } /* * now that we're back, try to enroll again */ rv = regular_enroll_attempt(ectx); } } else if (enroll && !getcsr) { operation = "Simple enrollment without server-defined attributes"; rv = simple_enroll_attempt(ectx); if (rv == EST_ERR_CA_ENROLL_RETRY) { /* * go get the retry period */ rv = est_client_copy_retry_after(ectx, &retry_delay, &retry_time); if (verbose) { printf("\nretry after period copy rv = %d " "Retry-After delay seconds = %d " "Retry-After delay time = %s\n", rv, retry_delay, ctime(&retry_time) ); } if (rv == EST_ERR_NONE) { retry_enroll_delay(retry_delay, retry_time); } /* * now that we're back, try to enroll again */ rv = simple_enroll_attempt(ectx); } } else if (!enroll && getcsr) { operation = "Get CSR attribues"; rv = regular_csr_attempt(ectx); } /* Split reenroll from enroll to allow both messages to be sent */ if (reenroll) { operation = "Re-enrollment"; rv = est_client_reenroll(ectx, client_cert, &pkcs7_len, client_priv_key); if (verbose) { printf("\nreenroll rv = %d (%s) with pkcs7 length = %d\n", rv, EST_ERR_NUM_TO_STR(rv), pkcs7_len); } if (rv == EST_ERR_NONE) { /* * client library has obtained the new client certificate. * now retrieve it from the library */ new_client_cert = malloc(pkcs7_len); if (new_client_cert == NULL) { if (verbose) { printf("\nmalloc of destination buffer for reenroll cert failed\n"); } } rv = est_client_copy_enrolled_cert(ectx, new_client_cert); if (verbose) { printf("\nreenroll copy rv = %d\n", rv); } if (rv == EST_ERR_NONE) { /* * Enrollment copy worked, dump the pkcs7 cert to stdout */ if (verbose) { dumpbin(new_client_cert, pkcs7_len); } } /* * Generate the output file name, which contains the thread ID * and iteration number. */ snprintf(file_name, MAX_FILENAME_LEN, "%s/newcert", out_dir); save_cert(file_name, new_client_cert, pkcs7_len); free(new_client_cert); } } if (rv != EST_ERR_NONE) { /* * something went wrong. */ printf("\n%s failed with code %d (%s)\n", operation, rv, EST_ERR_NUM_TO_STR(rv)); } est_destroy(ectx); ERR_clear_error(); ERR_remove_thread_state(NULL); }
static int simple_enroll_attempt (EST_CTX *ectx) { int pkcs7_len = 0; int rv; char file_name[MAX_FILENAME_LEN]; unsigned char *new_client_cert; X509_REQ *csr = NULL; if (force_pop) { rv = est_client_force_pop(ectx); if (rv != EST_ERR_NONE) { printf("\nFailed to enable force PoP"); } } if (csr_file[0]) { csr = read_csr(csr_file); if (csr == NULL) { rv = EST_ERR_PEM_READ; }else { rv = est_client_enroll_csr(ectx, csr, &pkcs7_len, NULL); } }else { rv = est_client_enroll(ectx, subj_cn, &pkcs7_len, priv_key); } if (csr) { X509_REQ_free(csr); } if (verbose) { printf("\nenrollment rv = %d (%s) with pkcs7 length = %d\n", rv, EST_ERR_NUM_TO_STR(rv), pkcs7_len); } if (rv == EST_ERR_NONE) { /* * client library has obtained the new client certificate. * now retrieve it from the library */ new_client_cert = malloc(pkcs7_len); if (new_client_cert == NULL) { if (verbose) { printf("\nmalloc of destination buffer for enrollment cert failed\n"); } return (EST_ERR_MALLOC); } rv = est_client_copy_enrolled_cert(ectx, new_client_cert); if (verbose) { printf("\nenrollment copy rv = %d\n", rv); } if (rv == EST_ERR_NONE) { /* * Enrollment copy worked, dump the pkcs7 cert to stdout */ if (verbose) { dumpbin(new_client_cert, pkcs7_len); } } snprintf(file_name, MAX_FILENAME_LEN, "%s/newcert", out_dir); save_cert(file_name, new_client_cert, pkcs7_len); free(new_client_cert); } return (rv); }
static void us748_test9 (void) { EST_CTX *ctx; int rv; unsigned char *cacerts; int caclen = 0; EVP_PKEY *new_pkey; unsigned char *pkcs7; int pkcs7_len = 0; unsigned char *attr_data; int attr_len; LOG_FUNC_NM; /* * Make sure our EST server has PoP disabled */ st_disable_pop(); /* * Read in the CA certs */ caclen = read_binary_file(US748_CACERTS, &cacerts); CU_ASSERT(cacerts_len > 0); /* * Init the client context */ ctx = est_client_init(cacerts, caclen, EST_CERT_FORMAT_PEM, client_manual_cert_verify); /* * We'll use simple HTTP auth to identify ourselves */ rv = est_client_set_auth(ctx, "estuser", "estpwd", NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); est_client_set_server(ctx, "127.0.0.1", US748_TCP_PROXY_PORT); /* * Create some space to hold the cert and generate * a private key */ new_pkey = generate_private_key(); rv = est_client_get_csrattrs(ctx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Attempt to enroll */ ctx->csr_pop_required = 1; //This is a hack for testing only, do not attempt this //We need to force the challengePassword into the CSR rv = est_client_enroll(ctx, "TestCase9", &pkcs7_len, new_pkey); CU_ASSERT(rv == EST_ERR_NONE); pkcs7 = malloc(pkcs7_len); rv = est_client_copy_enrolled_cert(ctx, pkcs7); free(pkcs7); est_destroy(ctx); }
/* * Simple enroll - PoP check succeeds with estclient * * This test case verifies the proxy is * verifying the PoP from the client CSR. We use * estclient since it supports the PoP. */ static void us748_test7 (void) { long rv; EST_CTX *c_ctx; EVP_PKEY *new_pkey; unsigned char *pkcs7; int pkcs7_len; unsigned char *attr_data; int attr_len; LOG_FUNC_NM; /* * This test case requires PoP to be enabled */ st_enable_pop(); /* * Create a client context */ c_ctx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(c_ctx != NULL); if (!c_ctx) { return; } /* * Specify user ID and password since the server is running * in Basic Authentication mode. */ rv = est_client_set_auth(c_ctx, "estuser", "estpwd", NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); est_client_set_server(c_ctx, "127.0.0.1", US748_TCP_PROXY_PORT); /* * get a keypair to be used in the enroll. */ new_pkey = generate_private_key(); rv = est_client_get_csrattrs(c_ctx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Attempt to enroll a CSR */ rv = est_client_enroll(c_ctx, "US748-test7 CN", &pkcs7_len, new_pkey); CU_ASSERT(rv == EST_ERR_NONE); /* * Client library has obtained the new client certificate. * Now retrieve it from the library. */ pkcs7 = malloc(pkcs7_len); if (!pkcs7) { return; } rv = est_client_copy_enrolled_cert (c_ctx, pkcs7); CU_ASSERT(rv == EST_ERR_NONE); /* * Clean up */ est_destroy(c_ctx); EVP_PKEY_free(new_pkey); free(pkcs7); /* * Disable PoP for future test cases */ st_disable_pop(); }
static void us1060_easy_provision (int use_srp, int use_ta, char *cipher_suite, int port, int expected_rv) { EST_CTX *ectx; EVP_PKEY *new_key; int rv; int pkcs7_len = 0; int ca_certs_len = 0; unsigned char *new_cert = NULL; struct est_dumb_ctx *ed; /* * Create a client context */ if (use_ta) { ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, NULL); } else { ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL); } CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US1060_SERVER_IP, port); if (use_srp) { rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD); } if (cipher_suite) { /* * This is not an approved use of the EST API. We do this * here only to increase code coverage for testing * purposes only. If you are looking at this code as * an example of how to use the EST API, do not do this! */ ed = (struct est_dumb_ctx*)ectx; rv = SSL_CTX_set_cipher_list(ed->ssl_ctx, cipher_suite); CU_ASSERT(rv == 1); } /* * generate a new private key */ new_key = generate_private_key(); CU_ASSERT(new_key != NULL); /* * Attempt to provision a new cert */ rv = est_client_provision_cert(ectx, "US1060_TEST1xx", &pkcs7_len, &ca_certs_len, new_key); CU_ASSERT(rv == expected_rv); if (rv != expected_rv) { printf("\nExpected rv was %d, rv returned was %d", expected_rv, rv); } EVP_PKEY_free(new_key); /* * Retrieve the cert that was given to us by the EST server */ if (rv == EST_ERR_NONE) { new_cert = malloc(pkcs7_len); CU_ASSERT(new_cert != NULL); rv = est_client_copy_enrolled_cert(ectx, new_cert); CU_ASSERT(rv == EST_ERR_NONE); if (new_cert) free(new_cert); } else { est_destroy(ectx); return; } /* * Retrieve a copy of the new CA certs */ if (rv == EST_ERR_NONE) { new_cert = malloc(ca_certs_len); CU_ASSERT(new_cert != NULL); rv = est_client_copy_cacerts(ectx, new_cert); CU_ASSERT(rv == EST_ERR_NONE); if (new_cert) free(new_cert); } else { est_destroy(ectx); return; } /* * Cleanup */ est_destroy(ectx); }
int main (int argc, char **argv) { EST_ERROR rv; char c; char *key_data; EVP_PKEY *key; char *trustanchor_file; EST_CTX *ectx; int p7_len; int ca_certs_len; unsigned char *new_client_cert; unsigned char *new_certs; static struct option long_options[] = { {"srp", 0, 0, 0}, {"srp-user", 1, 0, 0}, {"srp-password", 1, 0, 0}, {"auth-token", 1, 0, 0}, {NULL, 0, NULL, 0} }; int option_index = 0; est_http_uid[0] = 0x0; est_http_pwd[0] = 0x0; while ((c = getopt_long(argc, argv, "s:p:u:h:", long_options, &option_index)) != -1) { switch (c) { case 0: if (!strncmp(long_options[option_index].name,"srp", strlen("srp"))) { srp = 1; } if (!strncmp(long_options[option_index].name,"srp-user", strlen("srp-user"))) { strncpy(est_srp_uid, optarg, MAX_UID_LEN); } if (!strncmp(long_options[option_index].name,"srp-password", strlen("srp-password"))) { strncpy(est_srp_pwd, optarg, MAX_PWD_LEN); } if (!strncmp(long_options[option_index].name,"auth-token", strlen("auth-token"))) { strncpy(est_auth_token, optarg, MAX_AUTH_TOKEN_LEN); token_auth_mode = 1; } break; case 'u': strncpy(est_http_uid, optarg, MAX_UID_LEN); break; case 'h': strncpy(est_http_pwd, optarg, MAX_PWD_LEN); break; case 's': strncpy(est_server, optarg, MAX_SERVER_LEN); break; case 'p': est_port = atoi(optarg); break; default: show_usage_and_exit(); break; } } if (optind < argc) { printf ("non-option ARGV-elements: "); while (optind < argc) printf ("%s ", argv[optind++]); printf ("\n"); } argc -= optind; argv += optind; if (est_http_uid[0] && !est_http_pwd[0]) { printf ("Error: The password for HTTP authentication must be specified when the HTTP user name is set.\n"); exit(1); } /* * Initialize the library, including OpenSSL */ est_apps_startup(); print_version(); printf("\nUsing EST server %s:%d", est_server, est_port); /* * Read in the trusted certificates, which are used by * libEST to verify the identity of the EST server. */ trustanchor_file = getenv("EST_OPENSSL_CACERT"); cacerts_len = read_binary_file(trustanchor_file, &cacerts); if (cacerts_len <= 0) { printf("\nTrusted certs file could not be read. Did you set EST_OPENSSL_CACERT?\n"); exit(1); } /* * This is not required, but we'll enable full debugs */ #ifndef WIN32 /* Initialize the EST logging */ est_init_logger(EST_LOG_LVL_INFO, NULL); #else InitializeCriticalSection (&logger_critical_section); est_init_logger(EST_LOG_LVL_INFO, &windows_logger_stderr); #endif /* * Create a public/private key pair that will be used for * the enrollment. We'll write this out to a local * file called new_key.pem. */ key_data = generate_private_RSA_key(2048, NULL/* no password_cb */); write_binary_file("./new_key.pem", (unsigned char *)key_data, strlen(key_data)); /* * Use the load_clear macro to load in an unencrypted key */ key = load_clear_private_key_PEM(key_data); if(!key) { printf("\nUnable to load newly created key from PEM file\n"); exit(1); } memset(key_data, 0, strlen(key_data)); free(key_data); key_data = NULL; ectx = setup_est_context(); if (!ectx) { printf("\nUnable to create EST client context\n"); exit(1); } /* * Attempt to provision a new cert */ rv = est_client_provision_cert(ectx, "localhost", &p7_len, &ca_certs_len, key); if (rv != EST_ERR_NONE) { printf("\nProvisioning failed with error %s\n", EST_ERR_NUM_TO_STR(rv)); exit(1); } EVP_PKEY_free(key); /* * Retrieve a copy of the cert */ new_client_cert = malloc(p7_len); if (new_client_cert == NULL){ printf("\nFailed to allocate memory for the newly provisioned cert\n"); exit(1); } rv = est_client_copy_enrolled_cert(ectx, new_client_cert); if (rv != EST_ERR_NONE) { printf("\nFailed to copy new cert with code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv)); exit(1); } /* * Save the cert to local storage */ write_binary_file(cert_file_name, new_client_cert, p7_len); free(new_client_cert); /* * Retrieve a copy of the new trust anchor */ new_certs = malloc(ca_certs_len); rv = est_client_copy_cacerts(ectx, new_certs); if (rv != EST_ERR_NONE) { printf("\nFailed to copy new CA certs with code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv)); exit(1); } /* * Your appliations should save the CA certs to local storage in case * they're needed for future use. */ write_binary_file(ca_file_name, new_certs, ca_certs_len); free(new_certs); printf("\n\nSuccess!!!\n"); free(cacerts); est_destroy(ectx); est_apps_shutdown(); printf("\n"); return 0; }