static void us1060_easy_provision (int use_srp, int use_ta, char *cipher_suite, int port, int expected_rv) { EST_CTX *ectx; EVP_PKEY *new_key; int rv; int pkcs7_len = 0; int ca_certs_len = 0; unsigned char *new_cert = NULL; struct est_dumb_ctx *ed; /* * Create a client context */ if (use_ta) { ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, NULL); } else { ectx = est_client_init(NULL, 0, EST_CERT_FORMAT_PEM, NULL); } CU_ASSERT(ectx != NULL); /* * Set the authentication mode to use a user id/password */ rv = est_client_set_auth(ectx, US1060_UID, US1060_PWD, NULL, NULL); CU_ASSERT(rv == EST_ERR_NONE); /* * Set the EST server address/port */ est_client_set_server(ectx, US1060_SERVER_IP, port); if (use_srp) { rv = est_client_enable_srp(ectx, 1024, US1060_UID, US1060_PWD); } if (cipher_suite) { /* * This is not an approved use of the EST API. We do this * here only to increase code coverage for testing * purposes only. If you are looking at this code as * an example of how to use the EST API, do not do this! */ ed = (struct est_dumb_ctx*)ectx; rv = SSL_CTX_set_cipher_list(ed->ssl_ctx, cipher_suite); CU_ASSERT(rv == 1); } /* * generate a new private key */ new_key = generate_private_key(); CU_ASSERT(new_key != NULL); /* * Attempt to provision a new cert */ rv = est_client_provision_cert(ectx, "US1060_TEST1xx", &pkcs7_len, &ca_certs_len, new_key); CU_ASSERT(rv == expected_rv); if (rv != expected_rv) { printf("\nExpected rv was %d, rv returned was %d", expected_rv, rv); } EVP_PKEY_free(new_key); /* * Retrieve the cert that was given to us by the EST server */ if (rv == EST_ERR_NONE) { new_cert = malloc(pkcs7_len); CU_ASSERT(new_cert != NULL); rv = est_client_copy_enrolled_cert(ectx, new_cert); CU_ASSERT(rv == EST_ERR_NONE); if (new_cert) free(new_cert); } else { est_destroy(ectx); return; } /* * Retrieve a copy of the new CA certs */ if (rv == EST_ERR_NONE) { new_cert = malloc(ca_certs_len); CU_ASSERT(new_cert != NULL); rv = est_client_copy_cacerts(ectx, new_cert); CU_ASSERT(rv == EST_ERR_NONE); if (new_cert) free(new_cert); } else { est_destroy(ectx); return; } /* * Cleanup */ est_destroy(ectx); }
int main (int argc, char **argv) { EST_ERROR rv; char c; char *key_data; EVP_PKEY *key; char *trustanchor_file; EST_CTX *ectx; int p7_len; int ca_certs_len; unsigned char *new_client_cert; unsigned char *new_certs; static struct option long_options[] = { {"srp", 0, 0, 0}, {"srp-user", 1, 0, 0}, {"srp-password", 1, 0, 0}, {"auth-token", 1, 0, 0}, {NULL, 0, NULL, 0} }; int option_index = 0; est_http_uid[0] = 0x0; est_http_pwd[0] = 0x0; while ((c = getopt_long(argc, argv, "s:p:u:h:", long_options, &option_index)) != -1) { switch (c) { case 0: if (!strncmp(long_options[option_index].name,"srp", strlen("srp"))) { srp = 1; } if (!strncmp(long_options[option_index].name,"srp-user", strlen("srp-user"))) { strncpy(est_srp_uid, optarg, MAX_UID_LEN); } if (!strncmp(long_options[option_index].name,"srp-password", strlen("srp-password"))) { strncpy(est_srp_pwd, optarg, MAX_PWD_LEN); } if (!strncmp(long_options[option_index].name,"auth-token", strlen("auth-token"))) { strncpy(est_auth_token, optarg, MAX_AUTH_TOKEN_LEN); token_auth_mode = 1; } break; case 'u': strncpy(est_http_uid, optarg, MAX_UID_LEN); break; case 'h': strncpy(est_http_pwd, optarg, MAX_PWD_LEN); break; case 's': strncpy(est_server, optarg, MAX_SERVER_LEN); break; case 'p': est_port = atoi(optarg); break; default: show_usage_and_exit(); break; } } if (optind < argc) { printf ("non-option ARGV-elements: "); while (optind < argc) printf ("%s ", argv[optind++]); printf ("\n"); } argc -= optind; argv += optind; if (est_http_uid[0] && !est_http_pwd[0]) { printf ("Error: The password for HTTP authentication must be specified when the HTTP user name is set.\n"); exit(1); } /* * Initialize the library, including OpenSSL */ est_apps_startup(); print_version(); printf("\nUsing EST server %s:%d", est_server, est_port); /* * Read in the trusted certificates, which are used by * libEST to verify the identity of the EST server. */ trustanchor_file = getenv("EST_OPENSSL_CACERT"); cacerts_len = read_binary_file(trustanchor_file, &cacerts); if (cacerts_len <= 0) { printf("\nTrusted certs file could not be read. Did you set EST_OPENSSL_CACERT?\n"); exit(1); } /* * This is not required, but we'll enable full debugs */ #ifndef WIN32 /* Initialize the EST logging */ est_init_logger(EST_LOG_LVL_INFO, NULL); #else InitializeCriticalSection (&logger_critical_section); est_init_logger(EST_LOG_LVL_INFO, &windows_logger_stderr); #endif /* * Create a public/private key pair that will be used for * the enrollment. We'll write this out to a local * file called new_key.pem. */ key_data = generate_private_RSA_key(2048, NULL/* no password_cb */); write_binary_file("./new_key.pem", (unsigned char *)key_data, strlen(key_data)); /* * Use the load_clear macro to load in an unencrypted key */ key = load_clear_private_key_PEM(key_data); if(!key) { printf("\nUnable to load newly created key from PEM file\n"); exit(1); } memset(key_data, 0, strlen(key_data)); free(key_data); key_data = NULL; ectx = setup_est_context(); if (!ectx) { printf("\nUnable to create EST client context\n"); exit(1); } /* * Attempt to provision a new cert */ rv = est_client_provision_cert(ectx, "localhost", &p7_len, &ca_certs_len, key); if (rv != EST_ERR_NONE) { printf("\nProvisioning failed with error %s\n", EST_ERR_NUM_TO_STR(rv)); exit(1); } EVP_PKEY_free(key); /* * Retrieve a copy of the cert */ new_client_cert = malloc(p7_len); if (new_client_cert == NULL){ printf("\nFailed to allocate memory for the newly provisioned cert\n"); exit(1); } rv = est_client_copy_enrolled_cert(ectx, new_client_cert); if (rv != EST_ERR_NONE) { printf("\nFailed to copy new cert with code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv)); exit(1); } /* * Save the cert to local storage */ write_binary_file(cert_file_name, new_client_cert, p7_len); free(new_client_cert); /* * Retrieve a copy of the new trust anchor */ new_certs = malloc(ca_certs_len); rv = est_client_copy_cacerts(ectx, new_certs); if (rv != EST_ERR_NONE) { printf("\nFailed to copy new CA certs with code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv)); exit(1); } /* * Your appliations should save the CA certs to local storage in case * they're needed for future use. */ write_binary_file(ca_file_name, new_certs, ca_certs_len); free(new_certs); printf("\n\nSuccess!!!\n"); free(cacerts); est_destroy(ectx); est_apps_shutdown(); printf("\n"); return 0; }