static void do_operation () { EST_CTX *ectx; unsigned char *pkcs7; int pkcs7_len = 0; int rv; char file_name[MAX_FILENAME_LEN]; unsigned char *new_client_cert; int retry_delay = 0; time_t retry_time = 0; char *operation; ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); if (!ectx) { printf("\nUnable to initialize EST context. Aborting!!!\n"); exit(1); } rv = est_client_set_read_timeout(ectx, read_timeout); if (rv != EST_ERR_NONE) { printf("\nUnable to configure read timeout from server. Aborting!!!\n"); printf("EST error code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv)); exit(1); } rv = est_client_set_auth(ectx, est_http_uid, est_http_pwd, client_cert, client_priv_key); if (rv != EST_ERR_NONE) { printf("\nUnable to configure client authentication. Aborting!!!\n"); printf("EST error code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv)); exit(1); } if (srp) { rv = est_client_enable_srp(ectx, 1024, est_srp_uid, est_srp_pwd); if (rv != EST_ERR_NONE) { printf("\nUnable to enable SRP. Aborting!!!\n"); exit(1); } } if (token_auth_mode) { rv = est_client_set_auth_cred_cb(ectx, auth_credentials_token_cb); if (rv != EST_ERR_NONE) { printf("\nUnable to register token auth callback. Aborting!!!\n"); exit(1); } } est_client_set_server(ectx, est_server, est_port); if (getcert) { operation = "Get CA Cert"; rv = est_client_get_cacerts(ectx, &pkcs7_len); if (rv == EST_ERR_NONE) { if (verbose) { printf("\nGet CA Cert success\n"); } /* * allocate a buffer to retrieve the CA certs * and get them copied in */ pkcs7 = malloc(pkcs7_len); rv = est_client_copy_cacerts(ectx, pkcs7); /* * Dump the retrieved cert to stdout */ if (verbose) { dumpbin(pkcs7, pkcs7_len); } /* * Generate the output file name, which contains the thread ID * and iteration number. */ snprintf(file_name, MAX_FILENAME_LEN, "%s/cacert.pkcs7", out_dir); write_binary_file(file_name, pkcs7, pkcs7_len); free(pkcs7); } } if (enroll && getcsr) { operation = "Regular enrollment with server-defined attributes"; rv = regular_enroll_attempt(ectx); if (rv == EST_ERR_CA_ENROLL_RETRY) { /* * go get the retry period */ rv = est_client_copy_retry_after(ectx, &retry_delay, &retry_time); if (verbose) { printf("\nretry after period copy rv = %d " "Retry-After delay seconds = %d " "Retry-After delay time = %s\n", rv, retry_delay, ctime(&retry_time) ); } if (rv == EST_ERR_NONE) { retry_enroll_delay(retry_delay, retry_time); } /* * now that we're back, try to enroll again */ rv = regular_enroll_attempt(ectx); } } else if (enroll && !getcsr) { operation = "Simple enrollment without server-defined attributes"; rv = simple_enroll_attempt(ectx); if (rv == EST_ERR_CA_ENROLL_RETRY) { /* * go get the retry period */ rv = est_client_copy_retry_after(ectx, &retry_delay, &retry_time); if (verbose) { printf("\nretry after period copy rv = %d " "Retry-After delay seconds = %d " "Retry-After delay time = %s\n", rv, retry_delay, ctime(&retry_time) ); } if (rv == EST_ERR_NONE) { retry_enroll_delay(retry_delay, retry_time); } /* * now that we're back, try to enroll again */ rv = simple_enroll_attempt(ectx); } } else if (!enroll && getcsr) { operation = "Get CSR attribues"; rv = regular_csr_attempt(ectx); } /* Split reenroll from enroll to allow both messages to be sent */ if (reenroll) { operation = "Re-enrollment"; rv = est_client_reenroll(ectx, client_cert, &pkcs7_len, client_priv_key); if (verbose) { printf("\nreenroll rv = %d (%s) with pkcs7 length = %d\n", rv, EST_ERR_NUM_TO_STR(rv), pkcs7_len); } if (rv == EST_ERR_NONE) { /* * client library has obtained the new client certificate. * now retrieve it from the library */ new_client_cert = malloc(pkcs7_len); if (new_client_cert == NULL) { if (verbose) { printf("\nmalloc of destination buffer for reenroll cert failed\n"); } } rv = est_client_copy_enrolled_cert(ectx, new_client_cert); if (verbose) { printf("\nreenroll copy rv = %d\n", rv); } if (rv == EST_ERR_NONE) { /* * Enrollment copy worked, dump the pkcs7 cert to stdout */ if (verbose) { dumpbin(new_client_cert, pkcs7_len); } } /* * Generate the output file name, which contains the thread ID * and iteration number. */ snprintf(file_name, MAX_FILENAME_LEN, "%s/newcert", out_dir); save_cert(file_name, new_client_cert, pkcs7_len); free(new_client_cert); } } if (rv != EST_ERR_NONE) { /* * something went wrong. */ printf("\n%s failed with code %d (%s)\n", operation, rv, EST_ERR_NUM_TO_STR(rv)); } est_destroy(ectx); ERR_clear_error(); ERR_remove_thread_state(NULL); }
/* * This test attempts to re-enroll an expired cert * while the EST server is configured for manual * approval. The server will send back a retry-after * response. This verifies the proxy propagates the * retry-after response to the client. */ static void us893_test4 (void) { EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; int rv; int pkcs7_len = 0; X509 *cert = NULL; BIO *in; int retry_val = 0; time_t time_val; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Stop the server. */ st_stop(); st_proxy_stop(); /* * Restart the server with manual approval enabled */ rv = us893_start_server(1, 0); CU_ASSERT(rv == 0); /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, NULL); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT); /* * Read in the private key */ key_len = read_binary_file("US893/key-expired.pem", &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Enroll an expired cert that contains x509 extensions. */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_CA_ENROLL_RETRY); /* * The server should be configured with a retry-after * value of 3600 seconds, which is the default. */ rv = est_client_copy_retry_after(ectx, &retry_val, &time_val); CU_ASSERT(rv == EST_ERR_NONE); CU_ASSERT(retry_val == 3600); /* * Clean up */ est_destroy(ectx); /* * Stop the server. */ st_stop(); st_proxy_stop(); /* * Restart the server with manual approval disabled */ rv = us893_start_server(0, 0); CU_ASSERT(rv == 0); }