/* * Test the re-enroll API to ensure it gracefully * handles a null X509 cert pointer. */ static void us898_test3 (void) { EST_CTX *ectx; EVP_PKEY *key; int pkcs7_len = 0; int rv; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * Generate a private key */ key = generate_private_key(); CU_ASSERT(key != NULL); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * re-enroll using a null x509 pointer. */ rv = est_client_reenroll(ectx, NULL, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_NO_CERT); /* * Clean up */ EVP_PKEY_free(key); est_destroy(ectx); }
/* * Verify that a bogus user ID/password fails when * using HTTP digest auth. */ static void us898_test9 (void) { EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; int rv; int pkcs7_len = 0; X509 *cert = NULL; BIO *in; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Enable HTTP digest authentication */ st_enable_http_digest_auth(); /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, "jdoe", "panthers", NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * Read in the private key */ key_len = read_binary_file("US898/key-expired.pem", &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file("US898/cert-expired.pem", &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Enroll an expired cert that contains x509 extensions. */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_AUTH_FAIL); est_destroy(ectx); /* * Re-enable HTTP basic authentication */ st_enable_http_basic_auth(); }
/* * Test the re-enroll API to ensure it gracefully * handles a null EVP_PKEY pointer. */ static void us898_test4 (void) { EST_CTX *ectx; int pkcs7_len = 0; int rv; X509 *cert = NULL; unsigned char *cert_raw; int cert_len; BIO *in; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * Read in an old cert that we can use for re-enroll */ cert_len = read_binary_file("US898/cert-expired.pem", &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * re-enroll using a null EVP_KEY pointer. */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, NULL); CU_ASSERT(rv == EST_ERR_NO_KEY); /* * Clean up */ X509_free(cert); est_destroy(ectx); }
/* * This test case uses an existing expired cert and * attempts to re-enroll it. The expired certs contains * several X509 extensions. We verify the new issued * cert preserves these extensions using grep. Note, * preserving these extensions requires the OpenSSL CA * to enable the "copy_extensions" knob in the OpenSSL * config file. This is why this test suite uses a * unique copy of estExampleCA.cnf. */ static void us898_test2 (void) { EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; int rv; int pkcs7_len = 0; unsigned char *new_cert = NULL; X509 *cert = NULL; BIO *in; char cmd[200]; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * Read in the private key */ key_len = read_binary_file("US898/key-expired.pem", &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file("US898/cert-expired.pem", &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Enroll an expired cert that contains x509 extensions. */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_NONE); /* * Retrieve the cert that was given to us by the EST server */ if (rv == EST_ERR_NONE) { new_cert = malloc(pkcs7_len); CU_ASSERT(new_cert != NULL); rv = est_client_copy_enrolled_cert(ectx, new_cert); CU_ASSERT(rv == EST_ERR_NONE); } /* * Save the cert to a local file */ rv = write_binary_file(US898_TC2_CERT_B64, new_cert, pkcs7_len); CU_ASSERT(rv == 1); /* * Base 64 decode the cert response */ sprintf(cmd, "openssl base64 -d -in %s -out %s", US898_TC2_CERT_B64, US898_TC2_CERT_PK7); rv = system(cmd); CU_ASSERT(rv == 0); /* * Convert the pkcs7 cert to a PEM cert */ sprintf(cmd, "openssl pkcs7 -in %s -inform DER -print_certs -out %s", US898_TC2_CERT_PK7, US898_TC2_CERT_PEM); rv = system(cmd); CU_ASSERT(rv == 0); /* * Convert PEM cert to a textual representation of the cert */ sprintf(cmd, "openssl x509 -text -in %s > %s", US898_TC2_CERT_PEM, US898_TC2_CERT_TXT); rv = system(cmd); CU_ASSERT(rv == 0); /* * Verify the jimbob DNS extension was preserved */ sprintf(cmd, "grep jimbob %s", US898_TC2_CERT_TXT); rv = system(cmd); CU_ASSERT(rv == 0); /* * Verify the bobcat DNS extension was preserved */ sprintf(cmd, "grep bobcat %s", US898_TC2_CERT_TXT); rv = system(cmd); CU_ASSERT(rv == 0); /* * Verify the IP address extension was preserved */ sprintf(cmd, "grep 172 %s", US898_TC2_CERT_TXT); rv = system(cmd); CU_ASSERT(rv == 0); /* * Verify the Repudiation key usage extension was preserved */ sprintf(cmd, "grep Repudiation %s", US898_TC2_CERT_TXT); rv = system(cmd); CU_ASSERT(rv == 0); /* * Verify the public key was preserved */ sprintf(cmd, "grep '00:e3:ca:38:65:fb:9c:46:a6:22:b1:be:17:bc:50' %s", US898_TC2_CERT_TXT); rv = system(cmd); CU_ASSERT(rv == 0); /* * Clean up */ if (new_cert) free(new_cert); est_destroy(ectx); }
/* * Verify the client fails authentication when the * client sends an identy cert which doesn't match * the trust anchor. */ static void us898_test12 (void) { EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; int rv; int pkcs7_len = 0; X509 *cert = NULL; BIO *in; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Read in the private key */ key_len = read_binary_file(US898_TC12_KEY, &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file(US898_TC12_CERT, &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Set the authentication mode to use cert for re-enroll. * This should return an error since the certificate doesn't * match the trust anchor. */ rv = est_client_set_auth(ectx, NULL, NULL, cert, key); CU_ASSERT(rv == EST_ERR_CERT_VERIFICATION); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Enroll a bad cert. The client should reject this cert. */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_CERT_VERIFICATION); }
/* * This function performs a basic simple enroll using * a UID/PWD to identify the client to the server. This * is used for a variet of test cases in this module. */ static void us898_test1 (void) { EST_CTX *ectx; EVP_PKEY *key; int rv; int pkcs7_len = 0; unsigned char *new_cert = NULL; PKCS7 *p7 = NULL; BIO *b64, *out; X509 *cert = NULL; STACK_OF(X509) *certs = NULL; int i; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * generate a private key */ key = generate_private_key(); CU_ASSERT(key != NULL); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Use the simplified API to enroll a CSR */ rv = est_client_enroll(ectx, "TC-US898-1", &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_NONE); if (rv != EST_ERR_NONE) return; /* * Retrieve the cert that was given to us by the EST server */ if (rv == EST_ERR_NONE) { new_cert = malloc(pkcs7_len); CU_ASSERT(new_cert != NULL); rv = est_client_copy_enrolled_cert(ectx, new_cert); CU_ASSERT(rv == EST_ERR_NONE); } /* * Convert the cert to an X509. Be warned this is * pure hackery. */ b64 = BIO_new(BIO_f_base64()); out = BIO_new_mem_buf(new_cert, pkcs7_len); out = BIO_push(b64, out); p7 = d2i_PKCS7_bio(out,NULL); CU_ASSERT(p7 != NULL); BIO_free_all(out); i=OBJ_obj2nid(p7->type); switch (i) { case NID_pkcs7_signed: certs = p7->d.sign->cert; break; case NID_pkcs7_signedAndEnveloped: certs = p7->d.signed_and_enveloped->cert; break; default: break; } CU_ASSERT(certs != NULL); if (!certs) return; /* our new cert should be the one and only * cert in the pkcs7 blob. We shouldn't have to * iterate through the full list to find it. */ cert = sk_X509_value(certs, 0); CU_ASSERT(cert != NULL); /* * Wow, that's a lot of work, but we finally have the X509. * (don't you just love OpenSSL!!!) * Now that we have an X509 representation of the cert, * let's try to re-enroll this cert with the CA */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_NONE); /* * Cleanup */ if (cert) X509_free(cert); EVP_PKEY_free(key); if (new_cert) free(new_cert); est_destroy(ectx); }
/* * Verify the server fails authentication when the * client sends a valid identity cert but doesn't * provide HTTP auth credentials. */ static void us898_test10 (void) { char cmd[200]; int rv; EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; int pkcs7_len = 0; X509 *cert = NULL; BIO *in; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Create a CSR */ sprintf(cmd, "openssl req -new -nodes -out %s -newkey rsa:2048 -keyout %s -subj /CN=127.0.0.1 " "-config CA/estExampleCA.cnf", US898_TC10_CSR, US898_TC10_KEY); rv = system(cmd); CU_ASSERT(rv == 0); /* * Sign the CSR using our local CA */ sprintf(cmd, "openssl ca -out %s -batch -config CA/estExampleCA.cnf -infiles %s", US898_TC10_CERT, US898_TC10_CSR); rv = system(cmd); CU_ASSERT(rv == 0); /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Read in the private key */ key_len = read_binary_file(US898_TC10_KEY, &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file(US898_TC10_CERT, &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Set the authentication mode to use the certificate * No HTTP auth credentials are provided. */ rv = est_client_set_auth(ectx, NULL, NULL, cert, key); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Enroll a cert, should fail because we * didn't provide valid HTTP auth credentials */ rv = est_client_enroll(ectx, "TC-US898-10", &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_AUTH_FAIL); /* * Re-Enroll the cert, should work since * we provide a valid cert to identify ourselves * and HTTP auth isn't required for re-enroll even when * the server has enabled HTTP auth. */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_NONE); est_destroy(ectx); }
/* * Verify the server fails authentication when the * client sends an expired identy cert and uses * valid HTTP auth credentials. */ static void us898_test11 (void) { int rv; EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; int pkcs7_len = 0; X509 *cert = NULL; BIO *in; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Read in the private key */ key_len = read_binary_file(US898_TC11_KEY, &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file(US898_TC11_CERT, &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Set the authentication mode to use the expired certificate * and valid HTTP auth credentials. */ rv = est_client_set_auth(ectx, US898_UID, US898_PWD, cert, key); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_SSL_CONNECT); /* * Re-Enroll the cert */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_SSL_CONNECT); est_destroy(ectx); }
static void do_operation () { EST_CTX *ectx; unsigned char *pkcs7; int pkcs7_len = 0; int rv; char file_name[MAX_FILENAME_LEN]; unsigned char *new_client_cert; int retry_delay = 0; time_t retry_time = 0; char *operation; ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); if (!ectx) { printf("\nUnable to initialize EST context. Aborting!!!\n"); exit(1); } rv = est_client_set_read_timeout(ectx, read_timeout); if (rv != EST_ERR_NONE) { printf("\nUnable to configure read timeout from server. Aborting!!!\n"); printf("EST error code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv)); exit(1); } rv = est_client_set_auth(ectx, est_http_uid, est_http_pwd, client_cert, client_priv_key); if (rv != EST_ERR_NONE) { printf("\nUnable to configure client authentication. Aborting!!!\n"); printf("EST error code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv)); exit(1); } if (srp) { rv = est_client_enable_srp(ectx, 1024, est_srp_uid, est_srp_pwd); if (rv != EST_ERR_NONE) { printf("\nUnable to enable SRP. Aborting!!!\n"); exit(1); } } if (token_auth_mode) { rv = est_client_set_auth_cred_cb(ectx, auth_credentials_token_cb); if (rv != EST_ERR_NONE) { printf("\nUnable to register token auth callback. Aborting!!!\n"); exit(1); } } est_client_set_server(ectx, est_server, est_port); if (getcert) { operation = "Get CA Cert"; rv = est_client_get_cacerts(ectx, &pkcs7_len); if (rv == EST_ERR_NONE) { if (verbose) { printf("\nGet CA Cert success\n"); } /* * allocate a buffer to retrieve the CA certs * and get them copied in */ pkcs7 = malloc(pkcs7_len); rv = est_client_copy_cacerts(ectx, pkcs7); /* * Dump the retrieved cert to stdout */ if (verbose) { dumpbin(pkcs7, pkcs7_len); } /* * Generate the output file name, which contains the thread ID * and iteration number. */ snprintf(file_name, MAX_FILENAME_LEN, "%s/cacert.pkcs7", out_dir); write_binary_file(file_name, pkcs7, pkcs7_len); free(pkcs7); } } if (enroll && getcsr) { operation = "Regular enrollment with server-defined attributes"; rv = regular_enroll_attempt(ectx); if (rv == EST_ERR_CA_ENROLL_RETRY) { /* * go get the retry period */ rv = est_client_copy_retry_after(ectx, &retry_delay, &retry_time); if (verbose) { printf("\nretry after period copy rv = %d " "Retry-After delay seconds = %d " "Retry-After delay time = %s\n", rv, retry_delay, ctime(&retry_time) ); } if (rv == EST_ERR_NONE) { retry_enroll_delay(retry_delay, retry_time); } /* * now that we're back, try to enroll again */ rv = regular_enroll_attempt(ectx); } } else if (enroll && !getcsr) { operation = "Simple enrollment without server-defined attributes"; rv = simple_enroll_attempt(ectx); if (rv == EST_ERR_CA_ENROLL_RETRY) { /* * go get the retry period */ rv = est_client_copy_retry_after(ectx, &retry_delay, &retry_time); if (verbose) { printf("\nretry after period copy rv = %d " "Retry-After delay seconds = %d " "Retry-After delay time = %s\n", rv, retry_delay, ctime(&retry_time) ); } if (rv == EST_ERR_NONE) { retry_enroll_delay(retry_delay, retry_time); } /* * now that we're back, try to enroll again */ rv = simple_enroll_attempt(ectx); } } else if (!enroll && getcsr) { operation = "Get CSR attribues"; rv = regular_csr_attempt(ectx); } /* Split reenroll from enroll to allow both messages to be sent */ if (reenroll) { operation = "Re-enrollment"; rv = est_client_reenroll(ectx, client_cert, &pkcs7_len, client_priv_key); if (verbose) { printf("\nreenroll rv = %d (%s) with pkcs7 length = %d\n", rv, EST_ERR_NUM_TO_STR(rv), pkcs7_len); } if (rv == EST_ERR_NONE) { /* * client library has obtained the new client certificate. * now retrieve it from the library */ new_client_cert = malloc(pkcs7_len); if (new_client_cert == NULL) { if (verbose) { printf("\nmalloc of destination buffer for reenroll cert failed\n"); } } rv = est_client_copy_enrolled_cert(ectx, new_client_cert); if (verbose) { printf("\nreenroll copy rv = %d\n", rv); } if (rv == EST_ERR_NONE) { /* * Enrollment copy worked, dump the pkcs7 cert to stdout */ if (verbose) { dumpbin(new_client_cert, pkcs7_len); } } /* * Generate the output file name, which contains the thread ID * and iteration number. */ snprintf(file_name, MAX_FILENAME_LEN, "%s/newcert", out_dir); save_cert(file_name, new_client_cert, pkcs7_len); free(new_client_cert); } } if (rv != EST_ERR_NONE) { /* * something went wrong. */ printf("\n%s failed with code %d (%s)\n", operation, rv, EST_ERR_NUM_TO_STR(rv)); } est_destroy(ectx); ERR_clear_error(); ERR_remove_thread_state(NULL); }
/* * This test attempts to re-enroll a corrupted cert * The public key in the cert is has been corrupted. */ static void us898_test5 (void) { EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; int rv; int pkcs7_len = 0; X509 *cert = NULL; BIO *in; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, client_manual_cert_verify); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT); /* * Read in the private key */ key_len = read_binary_file("US898/key-corrupt.pem", &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file("US898/cert-corrupt.pem", &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Enroll a cert with wrong signature that contains x509 extensions. */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_CLIENT_INVALID_KEY); /* * Clean up */ est_destroy(ectx); }
/* * This test case uses an existing expired cert and * attempts to re-enroll it. PoP is disabled on * the EST server. */ static void us893_test8 (void) { EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; X509 *cert = NULL; int rv; int pkcs7_len = 0; BIO *in; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Make sure PoP is disabled on the server */ st_disable_pop(); /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, NULL); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT); /* * Read in the private key */ key_len = read_binary_file("US893/key-expired.pem", &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Enroll an expired cert that contains x509 extensions. */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_NONE); est_destroy(ectx); /* * Re-enable PoP on the server for the forthcoming test cases. */ st_enable_pop(); }
static void us893_test7 (void) { int rv; EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; int pkcs7_len = 0; X509 *cert = NULL; BIO *in; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Make sure PoP is disabled on the server */ st_disable_pop(); /* * Stop the proxy server so we can restart * it using a different identity cert. */ st_proxy_stop(); /* * Restart the proxy server using the other cert */ rv = st_proxy_start(US893_TCP_PROXY_PORT, US893_SERVER_CERTKEY, US893_SERVER_CERTKEY, "US893 test realm", "CA/estCA/cacert.crt", "CA/trustedcerts.crt", "estuser", "estpwd", "127.0.0.1", US893_TCP_SERVER_PORT, 0, 0); CU_ASSERT(rv == 0); /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, NULL); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT); /* * Read in the private key */ key_len = read_binary_file("US893/key-expired.pem", &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); ectx->csr_pop_required = 1; //This is a hack for testing only, do not attempt this //We need to force the challengePassword into the CSR rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_HTTP_BAD_REQ); /* * Stop the proxy server */ st_proxy_stop(); /* * Restart the proxy server using the other cert */ rv = st_proxy_start(US893_TCP_PROXY_PORT, US893_PROXY_CERT, US893_PROXY_KEY, "US893 test realm", "CA/estCA/cacert.crt", "CA/trustedcerts.crt", "estuser", "estpwd", "127.0.0.1", US893_TCP_SERVER_PORT, 0, 0); CU_ASSERT(rv == 0); /* * Re-enable PoP on the server for the forthcoming test cases. */ st_enable_pop(); est_destroy(ectx); }
/* * This test attempts to re-enroll an expired cert * while the EST server is configured for manual * approval. The server will send back a retry-after * response. This verifies the proxy propagates the * retry-after response to the client. */ static void us893_test4 (void) { EST_CTX *ectx; EVP_PKEY *key; unsigned char *key_raw; int key_len; unsigned char *cert_raw; int cert_len; int rv; int pkcs7_len = 0; X509 *cert = NULL; BIO *in; int retry_val = 0; time_t time_val; unsigned char *attr_data = NULL; int attr_len; LOG_FUNC_NM; /* * Stop the server. */ st_stop(); st_proxy_stop(); /* * Restart the server with manual approval enabled */ rv = us893_start_server(1, 0); CU_ASSERT(rv == 0); /* * Create a client context */ ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, NULL); CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT); /* * Read in the private key */ key_len = read_binary_file("US893/key-expired.pem", &key_raw); CU_ASSERT(key_len > 0); key = est_load_key(key_raw, key_len, EST_FORMAT_PEM); CU_ASSERT(key != NULL); free(key_raw); /* * Read in the old cert */ cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw); CU_ASSERT(cert_len > 0); in = BIO_new_mem_buf(cert_raw, cert_len); CU_ASSERT(in != NULL); if (!in) return; cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); CU_ASSERT(cert != NULL); if (!cert) return; BIO_free_all(in); free(cert_raw); /* * Get the latest CSR attributes */ rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len); CU_ASSERT(rv == EST_ERR_NONE); /* * Enroll an expired cert that contains x509 extensions. */ rv = est_client_reenroll(ectx, cert, &pkcs7_len, key); CU_ASSERT(rv == EST_ERR_CA_ENROLL_RETRY); /* * The server should be configured with a retry-after * value of 3600 seconds, which is the default. */ rv = est_client_copy_retry_after(ectx, &retry_val, &time_val); CU_ASSERT(rv == EST_ERR_NONE); CU_ASSERT(retry_val == 3600); /* * Clean up */ est_destroy(ectx); /* * Stop the server. */ st_stop(); st_proxy_stop(); /* * Restart the server with manual approval disabled */ rv = us893_start_server(0, 0); CU_ASSERT(rv == 0); }