/*
* Test1 - exercise the est_client_get_csrattrs() API.
*/
static void us896_test1(void) {
int rc;
unsigned char *csr_data;
int csr_len;
EST_CTX *ctx = NULL;
LOG_FUNC_NM
;
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc != EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, NULL, &csr_len);
CU_ASSERT(rc != EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, NULL);
CU_ASSERT(rc != EST_ERR_NONE);
}
/*
* Test the re-enroll API to ensure it gracefully
* handles a null X509 cert pointer.
*/
static void us898_test3 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
int pkcs7_len = 0;
int rv;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* Generate a private key
*/
key = generate_private_key();
CU_ASSERT(key != NULL);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* re-enroll using a null x509 pointer.
*/
rv = est_client_reenroll(ectx, NULL, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_NO_CERT);
/*
* Clean up
*/
EVP_PKEY_free(key);
est_destroy(ectx);
}
static int regular_csr_attempt (EST_CTX *ectx)
{
int rv;
unsigned char *attr_data = NULL;
int attr_len;
char file_name[MAX_FILENAME_LEN];
/*
* Just get the CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
if (rv != EST_ERR_NONE) {
printf("\nWarning: CSR attributes were not available");
} else {
snprintf(file_name, MAX_FILENAME_LEN, "%s/csr.base64", out_dir);
write_binary_file(file_name, attr_data, attr_len);
}
return (rv);
}
/*
* Verify the server fails authentication when the
* client sends an expired identy cert and uses
* valid HTTP auth credentials.
*/
static void us898_test11 (void)
{
int rv;
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int pkcs7_len = 0;
X509 *cert = NULL;
BIO *in;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Read in the private key
*/
key_len = read_binary_file(US898_TC11_KEY, &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file(US898_TC11_CERT, &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Set the authentication mode to use the expired certificate
* and valid HTTP auth credentials.
*/
rv = est_client_set_auth(ectx, US898_UID, US898_PWD, cert, key);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_SSL_CONNECT);
/*
* Re-Enroll the cert
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_SSL_CONNECT);
est_destroy(ectx);
}
/*
* Verify the server fails authentication when the
* client sends a valid identity cert but doesn't
* provide HTTP auth credentials.
*/
static void us898_test10 (void)
{
char cmd[200];
int rv;
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int pkcs7_len = 0;
X509 *cert = NULL;
BIO *in;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Create a CSR
*/
sprintf(cmd, "openssl req -new -nodes -out %s -newkey rsa:2048 -keyout %s -subj /CN=127.0.0.1 "
"-config CA/estExampleCA.cnf",
US898_TC10_CSR, US898_TC10_KEY);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Sign the CSR using our local CA
*/
sprintf(cmd, "openssl ca -out %s -batch -config CA/estExampleCA.cnf -infiles %s",
US898_TC10_CERT, US898_TC10_CSR);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Read in the private key
*/
key_len = read_binary_file(US898_TC10_KEY, &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file(US898_TC10_CERT, &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Set the authentication mode to use the certificate
* No HTTP auth credentials are provided.
*/
rv = est_client_set_auth(ectx, NULL, NULL, cert, key);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Enroll a cert, should fail because we
* didn't provide valid HTTP auth credentials
*/
rv = est_client_enroll(ectx, "TC-US898-10", &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_AUTH_FAIL);
/*
* Re-Enroll the cert, should work since
* we provide a valid cert to identify ourselves
* and HTTP auth isn't required for re-enroll even when
* the server has enabled HTTP auth.
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_NONE);
est_destroy(ectx);
}
static int regular_enroll_attempt (EST_CTX *ectx)
{
int pkcs7_len = 0;
int rv;
char file_name[MAX_FILENAME_LEN];
unsigned char *new_client_cert;
unsigned char *attr_data = NULL;
unsigned char *der_ptr = NULL;
int attr_len, der_len, nid;
X509_REQ *csr;
/*
* We need to get the CSR attributes first, which allows libest
* to know if the challengePassword needs to be included in the
* CSR.
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
if (rv != EST_ERR_NONE) {
printf("\nWarning: CSR attributes were not available");
return (rv);
}
/* Generate a CSR */
csr = X509_REQ_new();
if (csr == NULL) {
printf("\nFailed to get X509_REQ");
return (EST_ERR_NO_CSR);
}
rv = populate_x509_csr(csr, priv_key, "EST-client");
if (rv) {
printf("\nFailed to populate X509_REQ");
return (EST_ERR_X509_PUBKEY);
}
rv = est_decode_attributes_helper((char*)attr_data, attr_len, &der_ptr, &der_len);
if (rv != EST_ERR_NONE) {
printf("\nFailed to decode attributes");
return (rv);
}
while (der_len) {
rv = est_get_attributes_helper(&der_ptr, &der_len, &nid);
if (rv == EST_ERR_NONE) {
/*
* This switch can be enhanced to include all NID values
* of interest by the client/server. In addition the last
* parameter can be enhanced to provide the character string
* type information that is included with the NID.
*
* Presently only character string types are supported, but at
* some point OID or groups of strings/OIDs may need to be
* supported.
*
* Note that challenge password should not be included here
* as it is handled by libest client code.
*/
switch (nid) {
case NID_commonName:
/* add the attribute to the request */
rv = est_add_attributes_helper(csr, nid, "test\n", 0);
break;
case NID_pkcs9_emailAddress:
/* add the attribute to the request */
rv = est_add_attributes_helper(csr, nid, "[email protected]\0", 0);
break;
case NID_undef:
printf("\nNID is undefined; skipping it\n");
break;
default:
rv = est_add_attributes_helper(csr, nid, "", 0);
break;
}
if (rv != EST_ERR_NONE) {
printf("\n Error adding NID=%d", nid);
}
}
}
X509_REQ_print_fp(stderr, csr);
rv = est_client_enroll_csr(ectx, csr, &pkcs7_len, priv_key);
if (verbose) {
printf("\nenrollment rv = %d (%s) with pkcs7 length = %d\n",
rv, EST_ERR_NUM_TO_STR(rv), pkcs7_len);
}
if (rv == EST_ERR_NONE) {
/*
* client library has obtained the new client certificate.
* now retrieve it from the library
*/
new_client_cert = malloc(pkcs7_len);
if (new_client_cert == NULL) {
if (verbose) {
printf("\nmalloc of destination buffer for enrollment cert failed\n");
}
return (EST_ERR_MALLOC);
}
rv = est_client_copy_enrolled_cert(ectx, new_client_cert);
if (verbose) {
printf("\nenrollment copy rv = %d\n", rv);
}
if (rv == EST_ERR_NONE) {
/*
* Enrollment copy worked, dump the pkcs7 cert to stdout
*/
if (verbose) {
dumpbin(new_client_cert, pkcs7_len);
}
}
snprintf(file_name, MAX_FILENAME_LEN, "%s/newcert", out_dir);
save_cert(file_name, new_client_cert, pkcs7_len);
free(new_client_cert);
}
return (rv);
}
/*
* Test the re-enroll API to ensure it gracefully
* handles a null EVP_PKEY pointer.
*/
static void us898_test4 (void)
{
EST_CTX *ectx;
int pkcs7_len = 0;
int rv;
X509 *cert = NULL;
unsigned char *cert_raw;
int cert_len;
BIO *in;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* Read in an old cert that we can use for re-enroll
*/
cert_len = read_binary_file("US898/cert-expired.pem", &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* re-enroll using a null EVP_KEY pointer.
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, NULL);
CU_ASSERT(rv == EST_ERR_NO_KEY);
/*
* Clean up
*/
X509_free(cert);
est_destroy(ectx);
}
/*
* This test case uses an existing expired cert and
* attempts to re-enroll it. The expired certs contains
* several X509 extensions. We verify the new issued
* cert preserves these extensions using grep. Note,
* preserving these extensions requires the OpenSSL CA
* to enable the "copy_extensions" knob in the OpenSSL
* config file. This is why this test suite uses a
* unique copy of estExampleCA.cnf.
*/
static void us898_test2 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int rv;
int pkcs7_len = 0;
unsigned char *new_cert = NULL;
X509 *cert = NULL;
BIO *in;
char cmd[200];
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* Read in the private key
*/
key_len = read_binary_file("US898/key-expired.pem", &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file("US898/cert-expired.pem", &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Enroll an expired cert that contains x509 extensions.
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Retrieve the cert that was given to us by the EST server
*/
if (rv == EST_ERR_NONE) {
new_cert = malloc(pkcs7_len);
CU_ASSERT(new_cert != NULL);
rv = est_client_copy_enrolled_cert(ectx, new_cert);
CU_ASSERT(rv == EST_ERR_NONE);
}
/*
* Save the cert to a local file
*/
rv = write_binary_file(US898_TC2_CERT_B64, new_cert, pkcs7_len);
CU_ASSERT(rv == 1);
/*
* Base 64 decode the cert response
*/
sprintf(cmd, "openssl base64 -d -in %s -out %s", US898_TC2_CERT_B64, US898_TC2_CERT_PK7);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Convert the pkcs7 cert to a PEM cert
*/
sprintf(cmd, "openssl pkcs7 -in %s -inform DER -print_certs -out %s", US898_TC2_CERT_PK7, US898_TC2_CERT_PEM);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Convert PEM cert to a textual representation of the cert
*/
sprintf(cmd, "openssl x509 -text -in %s > %s", US898_TC2_CERT_PEM, US898_TC2_CERT_TXT);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Verify the jimbob DNS extension was preserved
*/
sprintf(cmd, "grep jimbob %s", US898_TC2_CERT_TXT);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Verify the bobcat DNS extension was preserved
*/
sprintf(cmd, "grep bobcat %s", US898_TC2_CERT_TXT);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Verify the IP address extension was preserved
*/
sprintf(cmd, "grep 172 %s", US898_TC2_CERT_TXT);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Verify the Repudiation key usage extension was preserved
*/
sprintf(cmd, "grep Repudiation %s", US898_TC2_CERT_TXT);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Verify the public key was preserved
*/
sprintf(cmd, "grep '00:e3:ca:38:65:fb:9c:46:a6:22:b1:be:17:bc:50' %s", US898_TC2_CERT_TXT);
rv = system(cmd);
CU_ASSERT(rv == 0);
/*
* Clean up
*/
if (new_cert) free(new_cert);
est_destroy(ectx);
}
/*
* Simple enroll - PoP check succeeds with estclient
*
* This test case verifies the proxy is
* verifying the PoP from the client CSR. We use
* estclient since it supports the PoP.
*/
static void us748_test7 (void)
{
long rv;
EST_CTX *c_ctx;
EVP_PKEY *new_pkey;
unsigned char *pkcs7;
int pkcs7_len;
unsigned char *attr_data;
int attr_len;
LOG_FUNC_NM;
/*
* This test case requires PoP to be enabled
*/
st_enable_pop();
/*
* Create a client context
*/
c_ctx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(c_ctx != NULL);
if (!c_ctx) {
return;
}
/*
* Specify user ID and password since the server is running
* in Basic Authentication mode.
*/
rv = est_client_set_auth(c_ctx, "estuser", "estpwd", NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
est_client_set_server(c_ctx, "127.0.0.1", US748_TCP_PROXY_PORT);
/*
* get a keypair to be used in the enroll.
*/
new_pkey = generate_private_key();
rv = est_client_get_csrattrs(c_ctx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Attempt to enroll a CSR
*/
rv = est_client_enroll(c_ctx, "US748-test7 CN", &pkcs7_len, new_pkey);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Client library has obtained the new client certificate.
* Now retrieve it from the library.
*/
pkcs7 = malloc(pkcs7_len);
if (!pkcs7) {
return;
}
rv = est_client_copy_enrolled_cert (c_ctx, pkcs7);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Clean up
*/
est_destroy(c_ctx);
EVP_PKEY_free(new_pkey);
free(pkcs7);
/*
* Disable PoP for future test cases
*/
st_disable_pop();
}
/*
* This test attempts to re-enroll a corrupted cert
* The public key in the cert is has been corrupted.
*/
static void us898_test5 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int rv;
int pkcs7_len = 0;
X509 *cert = NULL;
BIO *in;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* Read in the private key
*/
key_len = read_binary_file("US898/key-corrupt.pem", &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file("US898/cert-corrupt.pem", &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Enroll a cert with wrong signature that contains x509 extensions.
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_CLIENT_INVALID_KEY);
/*
* Clean up
*/
est_destroy(ectx);
}
/*
* This test case uses an existing expired cert and
* attempts to re-enroll it. PoP is disabled on
* the EST server.
*/
static void us893_test8 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
X509 *cert = NULL;
int rv;
int pkcs7_len = 0;
BIO *in;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Make sure PoP is disabled on the server
*/
st_disable_pop();
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
NULL);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT);
/*
* Read in the private key
*/
key_len = read_binary_file("US893/key-expired.pem", &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Enroll an expired cert that contains x509 extensions.
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_NONE);
est_destroy(ectx);
/*
* Re-enable PoP on the server for the forthcoming test cases.
*/
st_enable_pop();
}
static void us893_test7 (void)
{
int rv;
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int pkcs7_len = 0;
X509 *cert = NULL;
BIO *in;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Make sure PoP is disabled on the server
*/
st_disable_pop();
/*
* Stop the proxy server so we can restart
* it using a different identity cert.
*/
st_proxy_stop();
/*
* Restart the proxy server using the other cert
*/
rv = st_proxy_start(US893_TCP_PROXY_PORT,
US893_SERVER_CERTKEY,
US893_SERVER_CERTKEY,
"US893 test realm",
"CA/estCA/cacert.crt",
"CA/trustedcerts.crt",
"estuser",
"estpwd",
"127.0.0.1",
US893_TCP_SERVER_PORT,
0,
0);
CU_ASSERT(rv == 0);
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
NULL);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT);
/*
* Read in the private key
*/
key_len = read_binary_file("US893/key-expired.pem", &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
ectx->csr_pop_required = 1; //This is a hack for testing only, do not attempt this
//We need to force the challengePassword into the CSR
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_HTTP_BAD_REQ);
/*
* Stop the proxy server
*/
st_proxy_stop();
/*
* Restart the proxy server using the other cert
*/
rv = st_proxy_start(US893_TCP_PROXY_PORT,
US893_PROXY_CERT,
US893_PROXY_KEY,
"US893 test realm",
"CA/estCA/cacert.crt",
"CA/trustedcerts.crt",
"estuser",
"estpwd",
"127.0.0.1",
US893_TCP_SERVER_PORT,
0,
0);
CU_ASSERT(rv == 0);
/*
* Re-enable PoP on the server for the forthcoming test cases.
*/
st_enable_pop();
est_destroy(ectx);
}
/*
* This test attempts to re-enroll an expired cert
* while the EST server is configured for manual
* approval. The server will send back a retry-after
* response. This verifies the proxy propagates the
* retry-after response to the client.
*/
static void us893_test4 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int rv;
int pkcs7_len = 0;
X509 *cert = NULL;
BIO *in;
int retry_val = 0;
time_t time_val;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Stop the server.
*/
st_stop();
st_proxy_stop();
/*
* Restart the server with manual approval enabled
*/
rv = us893_start_server(1, 0);
CU_ASSERT(rv == 0);
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
NULL);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US893_UID, US893_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US893_SERVER_IP, US893_TCP_PROXY_PORT);
/*
* Read in the private key
*/
key_len = read_binary_file("US893/key-expired.pem", &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file("US893/cert-expired.pem", &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Enroll an expired cert that contains x509 extensions.
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_CA_ENROLL_RETRY);
/*
* The server should be configured with a retry-after
* value of 3600 seconds, which is the default.
*/
rv = est_client_copy_retry_after(ectx, &retry_val, &time_val);
CU_ASSERT(rv == EST_ERR_NONE);
CU_ASSERT(retry_val == 3600);
/*
* Clean up
*/
est_destroy(ectx);
/*
* Stop the server.
*/
st_stop();
st_proxy_stop();
/*
* Restart the server with manual approval disabled
*/
rv = us893_start_server(0, 0);
CU_ASSERT(rv == 0);
}
/*
* Test2 - exercise the response variations triggered
* by est_client_get_csrattrs()
*/
static void us896_test2(void) {
EST_CTX *ctx;
unsigned char *pkey = NULL;
unsigned char *cacerts = NULL;
int cacerts_len = 0;
EST_ERROR rc = EST_ERR_NONE;
unsigned char *retrieved_cacerts = NULL;
int retrieved_cacerts_len = 0;
EVP_PKEY *priv_key;
SLEEP(1);
LOG_FUNC_NM
;
/*
* Read in the CA certificates
*/
cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts);
CU_ASSERT(cacerts_len > 0);
/*
* Read in the private key file
*/
priv_key = read_private_key(CLIENT_UT_PUBKEY);
if (priv_key == NULL) {
printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY);
return;
}
ctx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ctx != NULL);
rc = est_client_set_auth(ctx, "", "", NULL, priv_key);
CU_ASSERT(rc == EST_ERR_NONE);
est_client_set_server(ctx, US896_SERVER_IP, US896_SERVER_PORT, NULL);
/*
* issue the get ca certs request
*/
rc = est_client_get_cacerts(ctx, &retrieved_cacerts_len);
/*
* should be successful, and should have obtained a valid buffer
* containing the CA certs
*/
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(retrieved_cacerts_len > 0);
retrieved_cacerts = malloc(retrieved_cacerts_len);
rc = est_client_copy_cacerts(ctx, retrieved_cacerts);
/*
* output the retrieved ca certs and compare to what they should be
*/
if (retrieved_cacerts) {
printf("\nRetrieved CA Certs buffer:\n %s\n", retrieved_cacerts);
printf("Retrieved CA certs buffer length: %d\n", retrieved_cacerts_len);
}
free(retrieved_cacerts);
/*
* All of these are negative tests and require that code in the
* EST server is modified such that it will allow bad/corrupted
* attributes to be initialized so they can be sent to the client.
*/
#ifdef NEGATIVE_UNIT_TEST
unsigned char *csr_data;
int csr_len;
/* clear callback */
if (est_set_csr_cb(ectx, NULL)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
rc = est_server_init_csrattrs(ectx, TEST_CORRUPT_ATTR1, strlen(TEST_CORRUPT_ATTR1));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc != EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
CU_ASSERT(csr_data == NULL);
rc = est_server_init_csrattrs(ectx, TEST_CORRUPT_ATTR2, strlen(TEST_CORRUPT_ATTR2));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc != EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
CU_ASSERT(csr_data == NULL);
rc = est_server_init_csrattrs(ectx, TEST_SHORT_ATTR, strlen(TEST_SHORT_ATTR));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc != EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
CU_ASSERT(csr_data == NULL);
rc = est_server_init_csrattrs(ectx, TEST_LONG_ATTR, strlen(TEST_LONG_ATTR));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc != EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
CU_ASSERT(csr_data == NULL);
#endif
if (ctx) {
est_destroy(ctx);
}
if (cacerts) {
free(cacerts);
}
if (pkey) {
free(pkey);
}
}
/*
* Verify the client fails authentication when the
* client sends an identy cert which doesn't match
* the trust anchor.
*/
static void us898_test12 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int rv;
int pkcs7_len = 0;
X509 *cert = NULL;
BIO *in;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Read in the private key
*/
key_len = read_binary_file(US898_TC12_KEY, &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file(US898_TC12_CERT, &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Set the authentication mode to use cert for re-enroll.
* This should return an error since the certificate doesn't
* match the trust anchor.
*/
rv = est_client_set_auth(ectx, NULL, NULL, cert, key);
CU_ASSERT(rv == EST_ERR_CERT_VERIFICATION);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Enroll a bad cert. The client should reject this cert.
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_CERT_VERIFICATION);
}
/*
* This function performs a basic simple enroll using
* a UID/PWD to identify the client to the server. This
* is used for a variet of test cases in this module.
*/
static void us898_test1 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
int rv;
int pkcs7_len = 0;
unsigned char *new_cert = NULL;
PKCS7 *p7 = NULL;
BIO *b64, *out;
X509 *cert = NULL;
STACK_OF(X509) *certs = NULL;
int i;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, US898_UID, US898_PWD, NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* generate a private key
*/
key = generate_private_key();
CU_ASSERT(key != NULL);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Use the simplified API to enroll a CSR
*/
rv = est_client_enroll(ectx, "TC-US898-1", &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_NONE);
if (rv != EST_ERR_NONE) return;
/*
* Retrieve the cert that was given to us by the EST server
*/
if (rv == EST_ERR_NONE) {
new_cert = malloc(pkcs7_len);
CU_ASSERT(new_cert != NULL);
rv = est_client_copy_enrolled_cert(ectx, new_cert);
CU_ASSERT(rv == EST_ERR_NONE);
}
/*
* Convert the cert to an X509. Be warned this is
* pure hackery.
*/
b64 = BIO_new(BIO_f_base64());
out = BIO_new_mem_buf(new_cert, pkcs7_len);
out = BIO_push(b64, out);
p7 = d2i_PKCS7_bio(out,NULL);
CU_ASSERT(p7 != NULL);
BIO_free_all(out);
i=OBJ_obj2nid(p7->type);
switch (i) {
case NID_pkcs7_signed:
certs = p7->d.sign->cert;
break;
case NID_pkcs7_signedAndEnveloped:
certs = p7->d.signed_and_enveloped->cert;
break;
default:
break;
}
CU_ASSERT(certs != NULL);
if (!certs) return;
/* our new cert should be the one and only
* cert in the pkcs7 blob. We shouldn't have to
* iterate through the full list to find it. */
cert = sk_X509_value(certs, 0);
CU_ASSERT(cert != NULL);
/*
* Wow, that's a lot of work, but we finally have the X509.
* (don't you just love OpenSSL!!!)
* Now that we have an X509 representation of the cert,
* let's try to re-enroll this cert with the CA
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Cleanup
*/
if (cert) X509_free(cert);
EVP_PKEY_free(key);
if (new_cert) free(new_cert);
est_destroy(ectx);
}
static void us748_test9 (void)
{
EST_CTX *ctx;
int rv;
unsigned char *cacerts;
int caclen = 0;
EVP_PKEY *new_pkey;
unsigned char *pkcs7;
int pkcs7_len = 0;
unsigned char *attr_data;
int attr_len;
LOG_FUNC_NM;
/*
* Make sure our EST server has PoP disabled
*/
st_disable_pop();
/*
* Read in the CA certs
*/
caclen = read_binary_file(US748_CACERTS, &cacerts);
CU_ASSERT(cacerts_len > 0);
/*
* Init the client context
*/
ctx = est_client_init(cacerts, caclen, EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
/*
* We'll use simple HTTP auth to identify ourselves
*/
rv = est_client_set_auth(ctx, "estuser", "estpwd", NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
est_client_set_server(ctx, "127.0.0.1", US748_TCP_PROXY_PORT);
/*
* Create some space to hold the cert and generate
* a private key
*/
new_pkey = generate_private_key();
rv = est_client_get_csrattrs(ctx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Attempt to enroll
*/
ctx->csr_pop_required = 1; //This is a hack for testing only, do not attempt this
//We need to force the challengePassword into the CSR
rv = est_client_enroll(ctx, "TestCase9", &pkcs7_len, new_pkey);
CU_ASSERT(rv == EST_ERR_NONE);
pkcs7 = malloc(pkcs7_len);
rv = est_client_copy_enrolled_cert(ctx, pkcs7);
free(pkcs7);
est_destroy(ctx);
}
/*
* Test1 - exercise the server side variations triggered
* by est_client_get_csrattrs()
*/
static void us895_test1 (void)
{
EST_CTX *ctx;
unsigned char *pkey = NULL;
unsigned char *cacerts = NULL;
int cacerts_len = 0;
EST_ERROR rc = EST_ERR_NONE;
EVP_PKEY * priv_key;
int csr_len;
unsigned char *csr_data = NULL;
SLEEP(1);
LOG_FUNC_NM
;
/*
* Read in the CA certificates
*/
cacerts_len = read_binary_file(SERVER_UT_CACERT, &cacerts);
CU_ASSERT(cacerts_len > 0);
/*
* Read in the private key file
*/
priv_key = read_private_key(SERVER_UT_PUBKEY);
if (priv_key == NULL) {
printf("\nError while reading private key file %s\n", SERVER_UT_PUBKEY);
return;
}
ctx = est_client_init(
cacerts,
cacerts_len,
EST_CERT_FORMAT_PEM,
proxy_manual_cert_verify);
CU_ASSERT(ctx != NULL);
rc = est_client_set_auth(ctx, "", "", NULL, priv_key);
CU_ASSERT(rc == EST_ERR_NONE);
est_client_set_server(ctx, US895_SERVER_IP, US895_PROXY_PORT, NULL);
/* clear callback */
if (est_set_csr_cb(ectx, NULL)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* clear csrattrs */
rc = est_server_init_csrattrs(ectx, NULL, 0);
CU_ASSERT(rc == EST_ERR_NONE);
/* should get 204 with no data */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
CU_ASSERT(csr_data == NULL);
/* Real base64 string - should pass */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_POP));
CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *) csr_data, csr_len) == 0);
if (est_set_csr_cb(ectx, &handle_short_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* callback should supersede init csrattrs */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
if (est_set_csr_cb(ectx, &handle_corrupt_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* callback should supersede init csrattrs */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
if (est_set_csr_cb(ectx, &handle_long_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* callback should supersede init csrattrs */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* callback should supersede init csrattrs */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR1));
CU_ASSERT(strncmp(TEST_ATTR1, (const char *) csr_data, csr_len) == 0);
/* clear csrattrs */
rc = est_server_init_csrattrs(ectx, NULL, 0);
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR1));
CU_ASSERT(strncmp(TEST_ATTR1, (const char *) csr_data, csr_len) == 0);
/* clear callback */
if (est_set_csr_cb(ectx, NULL)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* Setting the smallest base64 size */
rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR2));
CU_ASSERT(strncmp(TEST_ATTR2, (const char *) csr_data, csr_len) == 0);
rc = est_server_init_csrattrs(ectx, TEST_ATTR3, strlen(TEST_ATTR3));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR3));
CU_ASSERT(strncmp(TEST_ATTR3, (const char *) csr_data, csr_len) == 0);
/* clear csrattrs */
rc = est_server_init_csrattrs(ectx, NULL, 0);
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
rc = est_server_init_csrattrs(
ectx,
TEST_1024_NOPOP,
strlen(TEST_1024_NOPOP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_1024_NOPOP));
CU_ASSERT(strncmp(TEST_1024_NOPOP, (const char *) csr_data, csr_len) == 0);
/* Enable PoP and test responses with PoP added */
st_enable_pop();
rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_data != NULL);
CU_ASSERT(csr_len = 20);
CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *) csr_data, csr_len) == 0);
rc = est_server_init_csrattrs(
ectx,
TEST_1024_NOPOP,
strlen(TEST_1024_NOPOP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_1024_POP));
CU_ASSERT(strncmp(TEST_1024_POP, (const char *) csr_data, csr_len) == 0);
/* Setting the size 122 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR4_122, strlen(TEST_ATTR4_122));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR4_122POP));
CU_ASSERT(
strncmp(TEST_ATTR4_122POP, (const char *) csr_data, csr_len) == 0);
/* Setting the size 117 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR5_117, strlen(TEST_ATTR5_117));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR5_117POP));
CU_ASSERT(
strncmp(TEST_ATTR5_117POP, (const char *) csr_data, csr_len) == 0);
/* Real base64 string needs PoP added - should pass */
rc = est_server_init_csrattrs(
ectx,
TEST_ATTR_NOPOP,
strlen(TEST_ATTR_NOPOP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP));
CU_ASSERT(
strncmp(TEST_ATTR_NOPOPPOP, (const char *) csr_data, csr_len) == 0);
/* Not a real base64 string - should fail */
rc = est_server_init_csrattrs(ectx, "US900 test1", 11);
CU_ASSERT(rc != EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_POP));
CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *) csr_data, csr_len) == 0);
/* Setting the smallest size */
rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP));
CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *) csr_data, csr_len) == 0);
/* Setting the size 116 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR6_116, strlen(TEST_ATTR6_116));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the size 244 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_244, strlen(TEST_ATTR_244));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the size 245 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_245, strlen(TEST_ATTR_245));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the size 250 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_250, strlen(TEST_ATTR_250));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_250POP));
CU_ASSERT(strncmp(TEST_ATTR_250POP, (const char *) csr_data, csr_len) == 0);
if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR1));
CU_ASSERT(strncmp(TEST_ATTR1, (const char *) csr_data, csr_len) == 0);
if (est_set_csr_cb(ectx, &handle_nopop_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP));
CU_ASSERT(
strncmp(TEST_ATTR_NOPOPPOP, (const char *) csr_data, csr_len) == 0);
if (est_set_csr_cb(ectx, &handle_empty_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP));
CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *) csr_data, csr_len) == 0);
/* disable PoP */
st_disable_pop();
/* clear callback */
if (est_set_csr_cb(ectx, NULL)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* Real base64 string PoP should not be added - should pass */
rc = est_server_init_csrattrs(
ectx,
TEST_ATTR_NOPOP,
strlen(TEST_ATTR_NOPOP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOP));
CU_ASSERT(strncmp(TEST_ATTR_NOPOP, (const char *) csr_data, csr_len) == 0);
/* All ASN.1 types supported by CiscoSSL */
rc = est_server_init_csrattrs(ectx, TEST_ALL_ATTR, strlen(TEST_ALL_ATTR));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ALL_ATTR));
CU_ASSERT(strncmp(TEST_ALL_ATTR, (const char *) csr_data, csr_len) == 0);
if (ctx) {
est_destroy(ctx);
}
if (cacerts) {
free(cacerts);
}
if (pkey) {
free(pkey);
}
}
/*
* This function is used by the server side of the EST proxy to respond to an
* incoming CSR Attributes request. This function is similar to the Client API
* function, est_client_get_csrattrs().
*/
static int est_proxy_handle_csr_attrs (EST_CTX *ctx, void *http_ctx)
{
int rv = EST_ERR_NONE;
int pop_present;
char *csr_data, *csr_data_pop;
int csr_len, csr_pop_len;
EST_CTX *client_ctx;
/*
* get the client context for this thread
*/
client_ctx = get_client_ctx(ctx);
if (!client_ctx) {
EST_LOG_ERR("Unable to obtain client context for proxy operation");
return (EST_ERR_NO_CTX);
}
/*
* Invoke client code to retrieve the CSR attributes.
* Note: there is no need to authenticate the client (see sec 4.5)
*/
EST_LOG_INFO("Proxy get csr attributes");
rv = est_client_get_csrattrs(client_ctx, (unsigned char **)&csr_data, &csr_len);
/*
* csr_data points to the memory allocated to hold the csr attributes,
* which will be freed in this call stack. To prevent a double-free
* we null the to pointer on the client context.
*/
client_ctx->retrieved_csrattrs = NULL;
client_ctx->retrieved_csrattrs_len = 0;
if (rv == EST_ERR_NONE) {
ctx->csr_pop_present = 0;
if (ctx->server_enable_pop) {
rv = est_is_challengePassword_present(csr_data, csr_len, &pop_present);
if (rv != EST_ERR_NONE) {
EST_LOG_ERR("Error during PoP/sanity check");
est_send_http_error(ctx, http_ctx, EST_ERR_HTTP_NO_CONTENT);
return (EST_ERR_NONE);
}
ctx->csr_pop_present = pop_present;
if (!ctx->csr_pop_present) {
if (csr_len == 0) {
csr_data = malloc(EST_CSRATTRS_POP_LEN + 1);
if (!csr_data) {
return (EST_ERR_MALLOC);
}
strncpy(csr_data, EST_CSRATTRS_POP, EST_CSRATTRS_POP_LEN);
csr_data[EST_CSRATTRS_POP_LEN] = 0;
csr_len = EST_CSRATTRS_POP_LEN;
return (est_send_csrattr_data(ctx, csr_data, csr_len, http_ctx));
}
rv = est_add_challengePassword(csr_data, csr_len, &csr_data_pop, &csr_pop_len);
if (rv != EST_ERR_NONE) {
if (csr_data) {
free(csr_data);
}
EST_LOG_ERR("Error during add PoP");
est_send_http_error(ctx, http_ctx, EST_ERR_HTTP_NO_CONTENT);
return (EST_ERR_NONE);
}
if (csr_data) {
free(csr_data);
}
csr_data = csr_data_pop;
csr_len = csr_pop_len;
}
}
} else {
EST_LOG_ERR("Server not reachable or sent corrupt attributes");
est_send_http_error(ctx, http_ctx, EST_ERR_HTTP_NO_CONTENT);
return (EST_ERR_NONE);
}
return (est_send_csrattr_data(ctx, csr_data, csr_len, http_ctx));
}
/*
* Verify that a bogus user ID/password fails when
* using HTTP digest auth.
*/
static void us898_test9 (void)
{
EST_CTX *ectx;
EVP_PKEY *key;
unsigned char *key_raw;
int key_len;
unsigned char *cert_raw;
int cert_len;
int rv;
int pkcs7_len = 0;
X509 *cert = NULL;
BIO *in;
unsigned char *attr_data = NULL;
int attr_len;
LOG_FUNC_NM;
/*
* Enable HTTP digest authentication
*/
st_enable_http_digest_auth();
/*
* Create a client context
*/
ectx = est_client_init(cacerts, cacerts_len,
EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ectx != NULL);
/*
* Set the authentication mode to use a user id/password
*/
rv = est_client_set_auth(ectx, "jdoe", "panthers", NULL, NULL);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Set the EST server address/port
*/
est_client_set_server(ectx, US898_SERVER_IP, US898_SERVER_PORT);
/*
* Read in the private key
*/
key_len = read_binary_file("US898/key-expired.pem", &key_raw);
CU_ASSERT(key_len > 0);
key = est_load_key(key_raw, key_len, EST_FORMAT_PEM);
CU_ASSERT(key != NULL);
free(key_raw);
/*
* Read in the old cert
*/
cert_len = read_binary_file("US898/cert-expired.pem", &cert_raw);
CU_ASSERT(cert_len > 0);
in = BIO_new_mem_buf(cert_raw, cert_len);
CU_ASSERT(in != NULL);
if (!in) return;
cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
CU_ASSERT(cert != NULL);
if (!cert) return;
BIO_free_all(in);
free(cert_raw);
/*
* Get the latest CSR attributes
*/
rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
CU_ASSERT(rv == EST_ERR_NONE);
/*
* Enroll an expired cert that contains x509 extensions.
*/
rv = est_client_reenroll(ectx, cert, &pkcs7_len, key);
CU_ASSERT(rv == EST_ERR_AUTH_FAIL);
est_destroy(ectx);
/*
* Re-enable HTTP basic authentication
*/
st_enable_http_basic_auth();
}
/*
* Test2 - exercise the server side variations triggered
* by est_client_get_csrattrs()
*/
static void us900_test2 (void)
{
EST_CTX *ctx;
unsigned char *pkey = NULL;
unsigned char *cacerts = NULL;
int cacerts_len = 0;
EST_ERROR rc = EST_ERR_NONE;
unsigned char *retrieved_cacerts = NULL;
int retrieved_cacerts_len = 0;
EVP_PKEY *priv_key;
int csr_len;
unsigned char *csr_data = NULL;
sleep(1);
LOG_FUNC_NM;
/*
* Read in the CA certificates
*/
cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts);
CU_ASSERT(cacerts_len > 0);
/*
* Read in the private key file
*/
priv_key = read_private_key(CLIENT_UT_PUBKEY);
if (priv_key == NULL) {
printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY);
return;
}
ctx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM,
client_manual_cert_verify);
CU_ASSERT(ctx != NULL);
rc = est_client_set_auth(ctx, "", "", NULL, priv_key);
CU_ASSERT(rc == EST_ERR_NONE);
est_client_set_server(ctx, US900_SERVER_IP, US900_SERVER_PORT);
/*
* issue the get ca certs request
*/
rc = est_client_get_cacerts(ctx, &retrieved_cacerts_len);
/*
* should be successful, and should have obtained a valid buffer
* containing the CA certs
*/
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(retrieved_cacerts_len > 0);
retrieved_cacerts = malloc(retrieved_cacerts_len);
rc = est_client_copy_cacerts(ctx, retrieved_cacerts);
/*
* output the retrieved ca certs and compare to what they should be
*/
if (retrieved_cacerts) {
printf("\nRetrieved CA Certs buffer:\n %.*s\n", retrieved_cacerts_len, retrieved_cacerts);
printf("Retrieved CA certs buffer length: %d\n", retrieved_cacerts_len);
}
free(retrieved_cacerts);
/* clear callback */
if (est_set_csr_cb(ectx, NULL)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* clear csrattrs */
rc = est_server_init_csrattrs(ectx, NULL, 0);
CU_ASSERT(rc == EST_ERR_NONE);
/* should get 204 with no data */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
CU_ASSERT(csr_data == NULL);
/* Real base64 string - should pass */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_POP));
CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *)csr_data, csr_len) == 0);
if (est_set_csr_cb(ectx, &handle_corrupt_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* callback should supersede init csrattrs */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
if (est_set_csr_cb(ectx, &handle_short_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* callback should supersede init csrattrs */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
if (est_set_csr_cb(ectx, &handle_long_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* callback should supersede init csrattrs */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* callback should supersede init csrattrs */
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR1));
CU_ASSERT(strncmp(TEST_ATTR1, (const char *)csr_data, csr_len) == 0);
/* clear csrattrs */
rc = est_server_init_csrattrs(ectx, NULL, 0);
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR1));
CU_ASSERT(strncmp(TEST_ATTR1, (const char *)csr_data, csr_len) == 0);
/* clear callback */
if (est_set_csr_cb(ectx, NULL)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* Setting the smallest size */
rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR2));
CU_ASSERT(strncmp(TEST_ATTR2, (const char *)csr_data, csr_len) == 0);
rc = est_server_init_csrattrs(ectx, TEST_ATTR3, strlen(TEST_ATTR3));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR3));
CU_ASSERT(strncmp(TEST_ATTR3, (const char *)csr_data, csr_len) == 0);
/* clear csrattrs */
rc = est_server_init_csrattrs(ectx, NULL, 0);
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == 0);
rc = est_server_init_csrattrs(ectx, TEST_1024_NOPOP, strlen(TEST_1024_NOPOP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_1024_NOPOP));
CU_ASSERT(strncmp(TEST_1024_NOPOP, (const char *)csr_data, csr_len) == 0);
/* Enable PoP and test responses with PoP added */
st_enable_pop();
rc = est_server_init_csrattrs(ectx, TEST_ATTR_POP, strlen(TEST_ATTR_POP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_data != NULL);
CU_ASSERT(csr_len = 20);
CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *)csr_data, csr_len) == 0);
rc = est_server_init_csrattrs(ectx, TEST_1024_NOPOP, strlen(TEST_1024_NOPOP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_1024_POP));
CU_ASSERT(strncmp(TEST_1024_POP, (const char *)csr_data, csr_len) == 0);
/* Setting the size 122 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR4_122, strlen(TEST_ATTR4_122));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR4_122POP));
CU_ASSERT(strncmp(TEST_ATTR4_122POP, (const char *)csr_data, csr_len) == 0);
/* Setting the size 117 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR5_117, strlen(TEST_ATTR5_117));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR5_117POP));
CU_ASSERT(strncmp(TEST_ATTR5_117POP, (const char *)csr_data, csr_len) == 0);
/* Real base64 string needs PoP added - should pass */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_NOPOP, strlen(TEST_ATTR_NOPOP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP));
CU_ASSERT(strncmp(TEST_ATTR_NOPOPPOP, (const char *)csr_data, csr_len) == 0);
/* Not a real base64 string - should fail */
rc = est_server_init_csrattrs(ectx, "US900 test1", 11);
CU_ASSERT(rc != EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_POP));
CU_ASSERT(strncmp(TEST_ATTR_POP, (const char *)csr_data, csr_len) == 0);
/* Setting the smallest size */
rc = est_server_init_csrattrs(ectx, TEST_ATTR2, strlen(TEST_ATTR2));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP));
CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *)csr_data, csr_len) == 0);
/* Setting the size 116 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR6_116, strlen(TEST_ATTR6_116));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the size 244 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_244, strlen(TEST_ATTR_244));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the size 245 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_245, strlen(TEST_ATTR_245));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
/* Setting the size 250 */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_250, strlen(TEST_ATTR_250));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_250POP));
CU_ASSERT(strncmp(TEST_ATTR_250POP, (const char *)csr_data, csr_len) == 0);
if (est_set_csr_cb(ectx, &handle_correct_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR1));
CU_ASSERT(strncmp(TEST_ATTR1, (const char *)csr_data, csr_len) == 0);
if (est_set_csr_cb(ectx, &handle_nopop_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOPPOP));
CU_ASSERT(strncmp(TEST_ATTR_NOPOPPOP, (const char *)csr_data, csr_len) == 0);
if (est_set_csr_cb(ectx, &handle_empty_csrattrs_request)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR2_POP));
CU_ASSERT(strncmp(TEST_ATTR2_POP, (const char *)csr_data, csr_len) == 0);
/* disable PoP */
st_disable_pop();
/* clear callback */
if (est_set_csr_cb(ectx, NULL)) {
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
/* Real base64 string PoP should not be added - should pass */
rc = est_server_init_csrattrs(ectx, TEST_ATTR_NOPOP, strlen(TEST_ATTR_NOPOP));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ATTR_NOPOP));
CU_ASSERT(strncmp(TEST_ATTR_NOPOP, (const char *)csr_data, csr_len) == 0);
/* All ASN.1 types supported by OpenSSL */
rc = est_server_init_csrattrs(ectx, TEST_ALL_ATTR, strlen(TEST_ALL_ATTR));
CU_ASSERT(rc == EST_ERR_NONE);
rc = est_client_get_csrattrs(ctx, &csr_data, &csr_len);
CU_ASSERT(rc == EST_ERR_NONE);
CU_ASSERT(csr_len == strlen(TEST_ALL_ATTR));
CU_ASSERT(strncmp(TEST_ALL_ATTR, (const char *)csr_data, csr_len) == 0);
rc = est_server_init_csrattrs(ectx, TEST_1025_NOPOP, strlen(TEST_1025_NOPOP));
CU_ASSERT(rc != EST_ERR_NONE);
rc = est_server_init_csrattrs(ectx, TEST_LONG_ATTR, strlen(TEST_LONG_ATTR));
CU_ASSERT(rc != EST_ERR_NONE);
if (ctx) {
est_destroy(ctx);
}
if (cacerts) {
free(cacerts);
}
if (pkey) {
free(pkey);
}
}
