diff --git a/Makefile.am b/Makefile.am index 10e38fd..63b6440 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,9 +1,4 @@ ACLOCAL_AMFLAGS = -I m4 -if ENABLE_CLIENT_ONLY -SUBDIRS = safe_c_stub src java/jni example/client example/client-simple example/client-brski -else -SUBDIRS = safe_c_stub src java/jni example/client example/client-simple example/server example/proxy example/client-brski -endif - -EXTRA_DIST = autogen.sh example/util LICENSE README.brski $(srcdir)/build.gradle $(srcdir)/example/build_examples.gradle +SUBDIRS = safe_c_stub src java/jni example/client example/client-simple example/server example/proxy +EXTRA_DIST = autogen.sh example/util LICENSE $(srcdir)/build.gradle $(srcdir)/example/build_examples.gradle diff --git a/Makefile.in b/Makefile.in index 7a94842..6e288b4 100644 --- a/Makefile.in +++ b/Makefile.in @@ -157,9 +157,7 @@ am__define_uniq_tagged_files = \ ETAGS = etags CTAGS = ctags CSCOPE = cscope -DIST_SUBDIRS = safe_c_stub src java/jni example/client \ - example/client-simple example/server example/proxy \ - example/client-brski +DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/version.in \ $(top_srcdir)/config/compile $(top_srcdir)/config/config.guess \ $(top_srcdir)/config/config.sub \ 
@@ -334,9 +332,8 @@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ ACLOCAL_AMFLAGS = -I m4 -@ENABLE_CLIENT_ONLY_FALSE@SUBDIRS = safe_c_stub src java/jni example/client example/client-simple example/server example/proxy example/client-brski -@ENABLE_CLIENT_ONLY_TRUE@SUBDIRS = safe_c_stub src java/jni example/client example/client-simple example/client-brski -EXTRA_DIST = autogen.sh example/util LICENSE README.brski $(srcdir)/build.gradle $(srcdir)/example/build_examples.gradle +SUBDIRS = safe_c_stub src java/jni example/client example/client-simple example/server example/proxy +EXTRA_DIST = autogen.sh example/util LICENSE $(srcdir)/build.gradle $(srcdir)/example/build_examples.gradle all: all-recursive .SUFFIXES: diff --git a/README.brski b/README.brski deleted file mode 100644 index 0205f0f..0000000 --- a/README.brski +++ /dev/null 
@@ -1,71 +0,0 @@ - -The BRSKI support in libEST is a work in progress. The functionality that's -implemented does not yet address every aspect of the BRSKI draft, and is not -yet integrated into the full functionality of libEST. - -The following work items are being worked on and will be made available as -they are completed, -- Uplift to the lasted version of the BRSKI draft and Voucher profile draft -- Support for provisional TLS connections -- Support for signed voucher requests and vouchers -- Support for unprintable ASCII characters in JSON based payloads -- Support for Registrar Discovery - -Building libEST -================= - -The following steps are used to build and use the BRSKI support in libEST, - -1. At a minimum, libEST requires OpenSSL. It's best to get the latest -OpenSSL, build and install it, and use it in the building of libEST. - -2. The BRSKI support is conditioned off a compile time flag. This flag is set -by adding '--enable-brski' on the configure statement. - -./configure --prefix= \ - --with-ssl-dir= \ - --enable-brski - -3. libEST can be conditionally compiled to only include the client side -functionality. This is enabled by adding '--enable-client-only' on the -configure command. The name of the library that is created changes from -libest.so to libest_client.so to differentiate it from the full function -libEST library. - -Running libEST's BRSKI support -================================ - -libEST is a library and is not a standalone executable. That being said, -there are simple example applications that utilize the libEST APIs. Two of -these applications have been enhanced to make use of the BRSKI APIs, -estclient_brski and estserver. estclient_brski is a new example application -based on the estclient_simple application. - -1. 
It helps to set up the following in the environment before invoking the -estserver example application, - -export EST_DIR= -export OPENSSL_DIR= -export CURL_DIR= -export URIPARSER_DIR= -export LD_LIBRARY_PATH=$OPENSSL_DIR/lib:$WORKSPACE/src/est/.libs:$URIPARSER_DIR/lib -export PATH=$OPENSSL_DIR/bin:$PATH - -# set up the keys and certs used by the server -cd example/server -echo "S" | ./createCA.sh - -export EST_TRUSTED_CERTS=./estCA/cacert.crt -export EST_CACERTS_RESP=./estCA/cacert.crt -export EST_OPENSSL_CACONFIG=./estExampleCA.cnf - -The server example application is started with BRSKI support using the -following command - -./estserver -p 9231 -c estCA/private/estservercertandkey.pem -k estCA/private/estservercertandkey.pem -r estrealm -v --enable-brski -n - -2. The estclient example with BRSKI support is invoked with the following command - -export EST_OPENSSL_CACERT=../server/estCA/cacert.crt -./estclient_brski -s 127.0.0.1 -p 9231 -c ../server/estCA/private/estservercertandkey.pem -k ../server/estCA/private/estservercertandkey.pem - diff --git a/configure b/configure index 396b4e1..2599d09 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libest 2.1.0p.brski. +# Generated by GNU Autoconf 2.69 for libest 2.1.0p. # # Report bugs to . # @@ -589,15 +589,14 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='libest' PACKAGE_TARNAME='libest' -PACKAGE_VERSION='2.1.0p.brski' -PACKAGE_STRING='libest 2.1.0p.brski' +PACKAGE_VERSION='2.1.0p' +PACKAGE_STRING='libest 2.1.0p' PACKAGE_BUGREPORT='libest-dev' PACKAGE_URL='' ac_unique_file="src/est/est.c" ac_unique_file="example/client/estclient.c" ac_unique_file="example/client-simple/estclient-simple.c" -ac_unique_file="example/client-brski/estclient-brski.c" ac_unique_file="example/server/estserver.c" ac_unique_file="example/proxy/estproxy.c" # Factoring default headers for most tests. 
@@ -649,10 +648,6 @@ SSL_LDFLAGS SSL_CFLAGS DISABLE_PTHREAD_FALSE DISABLE_PTHREAD_TRUE -ENABLE_BRSKI_FALSE -ENABLE_BRSKI_TRUE -ENABLE_CLIENT_ONLY_FALSE -ENABLE_CLIENT_ONLY_TRUE JAVA_HOME_SET_FALSE JAVA_HOME_SET_TRUE ENABLE_JNI_FALSE @@ -791,8 +786,6 @@ with_gnu_ld with_sysroot enable_libtool_lock enable_jni -enable_client_only -enable_brski enable_pthreads with_ssl_dir with_libcurl_dir @@ -1358,7 +1351,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libest 2.1.0p.brski to adapt to many kinds of systems. +\`configure' configures libest 2.1.0p to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1429,7 +1422,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libest 2.1.0p.brski:";; + short | recursive ) echo "Configuration of libest 2.1.0p:";; esac cat <<\_ACEOF @@ -1452,9 +1445,6 @@ Optional Features: optimize for fast installation [default=yes] --disable-libtool-lock avoid locking (might break parallel builds) --enable-jni Enable support for JNI library - --enable-client-only Enable the building of only the client mode of - libEST - --enable-brski Enable support for brski bootstrap functionality --disable-pthreads Disable support for pthreads Optional Packages: @@ -1551,7 +1541,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libest configure 2.1.0p.brski +libest configure 2.1.0p generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -1829,7 +1819,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libest $as_me 2.1.0p.brski, which was +It was created by libest $as_me 2.1.0p, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2213,7 +2203,6 @@ ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var. - am__api_version='1.15' # Find a good install program. We prefer a C program (faster), @@ -2700,7 +2689,7 @@ fi # Define the identity of the package. PACKAGE='libest' - VERSION='2.1.0p.brski' + VERSION='2.1.0p' cat >>confdefs.h <<_ACEOF @@ -2838,7 +2827,7 @@ fi # Define the identity of the package. PACKAGE='libest' - VERSION='2.1.0p.brski' + VERSION='2.1.0p' cat >>confdefs.h <<_ACEOF @@ -12251,8 +12240,6 @@ See \`config.log' for more details" "$LINENO" 5; } fi fi - - # Check whether --enable-jni was given. if test "${enable_jni+set}" = set; then : enableval=$enable_jni; jni_on=1 
@@ -12286,55 +12273,6 @@ else fi -# Check whether --enable-client-only was given. -if test "${enable_client_only+set}" = set; then : - enableval=$enable_client_only; clientonly_on=1 -else - clientonly_on=0 -fi - - if test x$clientonly_on = x1; then - ENABLE_CLIENT_ONLY_TRUE= - ENABLE_CLIENT_ONLY_FALSE='#' -else - ENABLE_CLIENT_ONLY_TRUE='#' - ENABLE_CLIENT_ONLY_FALSE= -fi - -if test -z "$ENABLE_CLIENT_ONLY_TRUE"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: Client only build enabled" >&5 -$as_echo "Client only build enabled" >&6; } - $as_echo "#define ENABLE_CLIENT_ONLY 1" >>confdefs.h - -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: Client Only support is disabled" >&5 -$as_echo "Client Only support is disabled" >&6; } -fi - -# Check whether --enable-brski was given. -if test "${enable_brski+set}" = set; then : - enableval=$enable_brski; brski_on=1 -else - brski_on=0 -fi - - if test x$brski_on = x1; then - ENABLE_BRSKI_TRUE= - ENABLE_BRSKI_FALSE='#' -else - ENABLE_BRSKI_TRUE='#' - ENABLE_BRSKI_FALSE= -fi - -if test -z "$ENABLE_BRSKI_TRUE"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: BRSKI support enabled" >&5 -$as_echo "BRSKI support enabled" >&6; } - $as_echo "#define ENABLE_BRSKI 1" >>confdefs.h - -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: BRSKI support is disabled" >&5 -$as_echo "BRSKI support is disabled" >&6; } -fi # Check whether --enable-pthreads was given. if test "${enable_pthreads+set}" = set; then : 
@@ -12740,7 +12678,7 @@ LIBS="$LIBS -lsafe_lib" cp confdefs.h est_config.h -ac_config_files="$ac_config_files Makefile version safe_c_stub/Makefile safe_c_stub/lib/Makefile java/jni/Makefile src/Makefile src/est/Makefile example/client/Makefile example/client-simple/Makefile example/client-brski/Makefile example/server/Makefile example/proxy/Makefile" +ac_config_files="$ac_config_files Makefile version safe_c_stub/Makefile safe_c_stub/lib/Makefile java/jni/Makefile src/Makefile src/est/Makefile example/client/Makefile example/client-simple/Makefile example/server/Makefile example/proxy/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -12939,14 +12877,6 @@ if test -z "${JAVA_HOME_SET_TRUE}" && test -z "${JAVA_HOME_SET_FALSE}"; then as_fn_error $? "conditional \"JAVA_HOME_SET\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi -if test -z "${ENABLE_CLIENT_ONLY_TRUE}" && test -z "${ENABLE_CLIENT_ONLY_FALSE}"; then - as_fn_error $? "conditional \"ENABLE_CLIENT_ONLY\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 -fi -if test -z "${ENABLE_BRSKI_TRUE}" && test -z "${ENABLE_BRSKI_FALSE}"; then - as_fn_error $? "conditional \"ENABLE_BRSKI\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 -fi if test -z "${DISABLE_PTHREAD_TRUE}" && test -z "${DISABLE_PTHREAD_FALSE}"; then as_fn_error $? "conditional \"DISABLE_PTHREAD\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 
@@ -13348,7 +13278,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libest $as_me 2.1.0p.brski, which was +This file was extended by libest $as_me 2.1.0p, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -13405,7 +13335,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libest config.status 2.1.0p.brski +libest config.status 2.1.0p configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -13817,7 +13747,6 @@ do "src/est/Makefile") CONFIG_FILES="$CONFIG_FILES src/est/Makefile" ;; "example/client/Makefile") CONFIG_FILES="$CONFIG_FILES example/client/Makefile" ;; "example/client-simple/Makefile") CONFIG_FILES="$CONFIG_FILES example/client-simple/Makefile" ;; - "example/client-brski/Makefile") CONFIG_FILES="$CONFIG_FILES example/client-brski/Makefile" ;; "example/server/Makefile") CONFIG_FILES="$CONFIG_FILES example/server/Makefile" ;; "example/proxy/Makefile") CONFIG_FILES="$CONFIG_FILES example/proxy/Makefile" ;; diff --git a/configure.ac b/configure.ac index 6c40238..186e0bf 100644 --- a/configure.ac +++ b/configure.ac @@ -1,10 +1,9 @@ dnl Process this file with autoconf to produce a configure script. -AC_INIT([libest],[2.1.0p.brski],[libest-dev]) +AC_INIT([libest],[2.1.0p],[libest-dev]) AC_CONFIG_AUX_DIR(config) AC_CONFIG_SRCDIR(src/est/est.c) AC_CONFIG_SRCDIR(example/client/estclient.c) AC_CONFIG_SRCDIR(example/client-simple/estclient-simple.c) -AC_CONFIG_SRCDIR(example/client-brski/estclient-brski.c) AC_CONFIG_SRCDIR(example/server/estserver.c) AC_CONFIG_SRCDIR(example/proxy/estproxy.c) AC_CONFIG_MACRO_DIR([m4]) 
@@ -30,8 +29,6 @@ AM_COND_IF([FREEBSD], AC_MSG_RESULT([FreeBSD is set]), AC_MSG_RESULT([FreeBSD no AM_COND_IF([FREEBSD], AC_MSG_RESULT([Skipping libdl check]), AC_CHECK_LIB([dl], [dlopen], [], [AC_MSG_FAILURE([can't find libdl])])) - - AC_ARG_ENABLE([jni], [AS_HELP_STRING([--enable-jni], [Enable support for JNI library])], @@ -44,27 +41,6 @@ AM_COND_IF([ENABLE_JNI], AC_MSG_RESULT([JNI support is disabled])) AM_CONDITIONAL([JAVA_HOME_SET], [test ! -z "$JAVA_HOME"]) -AC_ARG_ENABLE([client-only], - [AS_HELP_STRING([--enable-client-only], - [Enable the building of only the client mode of libEST])], - [clientonly_on=1], - [clientonly_on=0]) -AM_CONDITIONAL([ENABLE_CLIENT_ONLY], [test x$clientonly_on = x1]) -AM_COND_IF([ENABLE_CLIENT_ONLY], - AC_MSG_RESULT([Client only build enabled]) - AC_DEFINE([ENABLE_CLIENT_ONLY]), - AC_MSG_RESULT([Client Only support is disabled])) - -AC_ARG_ENABLE([brski], - [AS_HELP_STRING([--enable-brski], - [Enable support for brski bootstrap functionality])], - [brski_on=1], - [brski_on=0]) -AM_CONDITIONAL([ENABLE_BRSKI], [test x$brski_on = x1]) -AM_COND_IF([ENABLE_BRSKI], - AC_MSG_RESULT([BRSKI support enabled]) - AC_DEFINE([ENABLE_BRSKI]), - AC_MSG_RESULT([BRSKI support is disabled])) AC_ARG_ENABLE([pthreads], [AS_HELP_STRING([--disable-pthreads], @@ -167,5 +143,5 @@ AC_PREFIX_DEFAULT([/usr/local/est]) cp confdefs.h est_config.h -AC_CONFIG_FILES([Makefile version safe_c_stub/Makefile safe_c_stub/lib/Makefile java/jni/Makefile src/Makefile src/est/Makefile example/client/Makefile example/client-simple/Makefile example/client-brski/Makefile example/server/Makefile example/proxy/Makefile]) +AC_CONFIG_FILES([Makefile version safe_c_stub/Makefile safe_c_stub/lib/Makefile java/jni/Makefile src/Makefile src/est/Makefile example/client/Makefile example/client-simple/Makefile example/server/Makefile example/proxy/Makefile]) AC_OUTPUT diff --git a/doxygen.cfg b/doxygen.cfg index 2cf052b..a70a1dc 100644 --- a/doxygen.cfg +++ b/doxygen.cfg 
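Review bot: The hunk at `@@ -44,27 +41,6 @@` removes `AC_DEFINE([ENABLE_BRSKI])` and `AC_DEFINE([ENABLE_CLIENT_ONLY])` along with their `AM_CONDITIONAL`s, but nothing in this diff touches `src/est`, so any `#ifdef ENABLE_BRSKI` or `#ifdef ENABLE_CLIENT_ONLY` blocks still in the library sources would now be silently compiled out rather than deleted, and any surviving `if ENABLE_CLIENT_ONLY` in another `Makefile.am` (the deleted `example/client-brski/Makefile.am` used exactly that form) would make automake fail on an undefined conditional. The removal should be accompanied by a search for both macro names across `src/` and `example/`, with the matches either deleted or made unconditional, and the outcome stated in the commit message. Because configure only warns on an unrecognized `--enable-*` flag, build scripts that still pass `--enable-brski` or `--enable-client-only` will quietly produce a library without those features; a one-line entry in the README or NEWS saying that both options were dropped in 2.1.0p would make that visible to packagers.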
@@ -32,7 +32,7 @@ PROJECT_NAME = "LibEST" # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.1.0p.brksi +PROJECT_NUMBER = 2.1.0p # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer diff --git a/example/client-brski/Makefile.am b/example/client-brski/Makefile.am deleted file mode 100644 index 7f274b6..0000000 --- a/example/client-brski/Makefile.am +++ /dev/null @@ -1,15 +0,0 @@ -bin_PROGRAMS = estclient_brski -estclient_brski_includedir=$(includedir)/est -estclient_brski_SOURCES = estclient-brski.c ../util/utils.c ../util/jsmn.c -AM_CFLAGS = -I../.. -I$(srcdir)/../../src/est -I$(SSL_CFLAGS) -g -if FREEBSD -DL= -else -DL=-ldl -endif - -if ENABLE_CLIENT_ONLY -estclient_brski_LDFLAGS = -L../../src/est/.libs $(DL) $(PTHREAD) -lest_client -lssl -lcrypto -else -estclient_brski_LDFLAGS = -L../../src/est/.libs $(DL) $(PTHREAD) -lest -lssl -lcrypto -endif diff --git a/example/client-brski/Makefile.in b/example/client-brski/Makefile.in deleted file mode 100644 index f45d9b7..0000000 --- a/example/client-brski/Makefile.in +++ /dev/null 
@@ -1,662 +0,0 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994-2014 Free Software Foundation, Inc. - -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -VPATH = @srcdir@ -am__is_gnu_make = { \ - if test -z '$(MAKELEVEL)'; then \ - false; \ - elif test -n '$(MAKE_HOST)'; then \ - true; \ - elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ - true; \ - else \ - false; \ - fi; \ -} -am__make_running_with_option = \ - case $${target_option-} in \ - ?) ;; \ - *) echo "am__make_running_with_option: internal error: invalid" \ - "target option '$${target_option-}' specified" >&2; \ - exit 1;; \ - esac; \ - has_opt=no; \ - sane_makeflags=$$MAKEFLAGS; \ - if $(am__is_gnu_make); then \ - sane_makeflags=$$MFLAGS; \ - else \ - case $$MAKEFLAGS in \ - *\\[\ \ ]*) \ - bs=\\; \ - sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ - | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ - esac; \ - fi; \ - skip_next=no; \ - strip_trailopt () \ - { \ - flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ - }; \ - for flg in $$sane_makeflags; do \ - test $$skip_next = yes && { skip_next=no; continue; }; \ - case $$flg in \ - *=*|--*) continue;; \ - -*I) strip_trailopt 'I'; skip_next=yes;; \ - -*I?*) strip_trailopt 'I';; \ - -*O) strip_trailopt 'O'; skip_next=yes;; \ - -*O?*) strip_trailopt 'O';; \ - -*l) strip_trailopt 'l'; skip_next=yes;; \ - -*l?*) strip_trailopt 'l';; \ - -[dEDm]) skip_next=yes;; \ - -[JT]) skip_next=yes;; \ - esac; \ - case $$flg in \ - *$$target_option*) has_opt=yes; break;; \ - esac; \ - done; \ - test $$has_opt = yes 
-am__make_dryrun = (target_option=n; $(am__make_running_with_option)) -am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) -pkgdatadir = $(datadir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkglibexecdir = $(libexecdir)/@PACKAGE@ -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -build_triplet = @build@ -host_triplet = @host@ -bin_PROGRAMS = estclient_brski$(EXEEXT) -subdir = example/client-brski -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \ - $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ - $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ - $(top_srcdir)/configure.ac -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) -mkinstalldirs = $(install_sh) -d -CONFIG_CLEAN_FILES = -CONFIG_CLEAN_VPATH_FILES = -am__installdirs = "$(DESTDIR)$(bindir)" -PROGRAMS = $(bin_PROGRAMS) -am__dirstamp = $(am__leading_dot)dirstamp -am_estclient_brski_OBJECTS = estclient-brski.$(OBJEXT) \ - ../util/utils.$(OBJEXT) ../util/jsmn.$(OBJEXT) -estclient_brski_OBJECTS = $(am_estclient_brski_OBJECTS) -estclient_brski_LDADD = $(LDADD) -AM_V_lt = $(am__v_lt_@AM_V@) -am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) -am__v_lt_0 = --silent -am__v_lt_1 = -estclient_brski_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ - $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ - $(AM_CFLAGS) $(CFLAGS) $(estclient_brski_LDFLAGS) $(LDFLAGS) \ - -o $@ -AM_V_P = $(am__v_P_@AM_V@) -am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) -am__v_P_0 = false -am__v_P_1 = : -AM_V_GEN = $(am__v_GEN_@AM_V@) 
-am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) -am__v_GEN_0 = @echo " GEN " $@; -am__v_GEN_1 = -AM_V_at = $(am__v_at_@AM_V@) -am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) -am__v_at_0 = @ -am__v_at_1 = -DEFAULT_INCLUDES = -I.@am__isrc@ -depcomp = $(SHELL) $(top_srcdir)/config/depcomp -am__depfiles_maybe = depfiles -am__mv = mv -f -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) -AM_V_CC = $(am__v_CC_@AM_V@) -am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) -am__v_CC_0 = @echo " CC " $@; -am__v_CC_1 = -CCLD = $(CC) -LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -AM_V_CCLD = $(am__v_CCLD_@AM_V@) -am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) -am__v_CCLD_0 = @echo " CCLD " $@; -am__v_CCLD_1 = -SOURCES = $(estclient_brski_SOURCES) -DIST_SOURCES = $(estclient_brski_SOURCES) -am__can_run_installinfo = \ - case $$AM_UPDATE_INFO_DIR in \ - n|no|NO) false;; \ - *) (install-info --version) >/dev/null 2>&1;; \ - esac -am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) -# Read a list of newline-separated strings from the standard input, -# and print each of them once, without duplicates. Input order is -# *not* preserved. -am__uniquify_input = $(AWK) '\ - BEGIN { nonempty = 0; } \ - { items[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in items) print i; }; } \ -' -# Make sure the list of sources is unique. This is necessary because, -# e.g., the same source file might be shared among _SOURCES variables -# for different programs/libraries. 
-am__define_uniq_tagged_files = \ - list='$(am__tagged_files)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags -am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/config/depcomp \ - README -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AMTAR = @AMTAR@ -AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CC = @CC@ -CCDEPMODE = @CCDEPMODE@ -CFLAGS = @CFLAGS@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DEFS = @DEFS@ -DEPDIR = @DEPDIR@ -DLLTOOL = @DLLTOOL@ -DSYMUTIL = @DSYMUTIL@ -DUMPBIN = @DUMPBIN@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -FGREP = @FGREP@ -GREP = @GREP@ -INSTALL = @INSTALL@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LD = @LD@ -LDFLAGS = @LDFLAGS@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIPO = @LIPO@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ -MAINT = @MAINT@ -MAKEINFO = @MAKEINFO@ -MANIFEST_TOOL = @MANIFEST_TOOL@ -MKDIR_P = @MKDIR_P@ -NM = @NM@ -NMEDIT = @NMEDIT@ -OBJDUMP = @OBJDUMP@ -OBJEXT = @OBJEXT@ -OTOOL = @OTOOL@ -OTOOL64 = @OTOOL64@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -RANLIB = @RANLIB@ -SAFEC_CFLAGS = @SAFEC_CFLAGS@ -SAFEC_DIR = @SAFEC_DIR@ -SAFEC_LDFLAGS = @SAFEC_LDFLAGS@ -SAFEC_STUB_DIR = @SAFEC_STUB_DIR@ -SED = @SED@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -SSL_CFLAGS = @SSL_CFLAGS@ -SSL_LDFLAGS = @SSL_LDFLAGS@ -STRIP = @STRIP@ 
-VERSION = @VERSION@ -abs_builddir = @abs_builddir@ -abs_srcdir = @abs_srcdir@ -abs_top_builddir = @abs_top_builddir@ -abs_top_srcdir = @abs_top_srcdir@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ -am__include = @am__include@ -am__leading_dot = @am__leading_dot@ -am__quote = @am__quote@ -am__tar = @am__tar@ -am__untar = @am__untar@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -builddir = @builddir@ -datadir = @datadir@ -datarootdir = @datarootdir@ -docdir = @docdir@ -dvidir = @dvidir@ -exec_prefix = @exec_prefix@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -htmldir = @htmldir@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localedir = @localedir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -pdfdir = @pdfdir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -psdir = @psdir@ -runstatedir = @runstatedir@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -srcdir = @srcdir@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -top_build_prefix = @top_build_prefix@ -top_builddir = @top_builddir@ -top_srcdir = @top_srcdir@ -estclient_brski_includedir = $(includedir)/est -estclient_brski_SOURCES = estclient-brski.c ../util/utils.c ../util/jsmn.c -AM_CFLAGS = -I../.. 
-I$(srcdir)/../../src/est -I$(SSL_CFLAGS) -g -@FREEBSD_FALSE@DL = -ldl -@FREEBSD_TRUE@DL = -@ENABLE_CLIENT_ONLY_FALSE@estclient_brski_LDFLAGS = -L../../src/est/.libs $(DL) $(PTHREAD) -lest -lssl -lcrypto -@ENABLE_CLIENT_ONLY_TRUE@estclient_brski_LDFLAGS = -L../../src/est/.libs $(DL) $(PTHREAD) -lest_client -lssl -lcrypto -all: all-am - -.SUFFIXES: -.SUFFIXES: .c .lo .o .obj -$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ - && { if test -f $@; then exit 0; else break; fi; }; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu example/client-brski/Makefile'; \ - $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu example/client-brski/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(am__aclocal_m4_deps): -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ - if test -n "$$list"; then \ - echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \ - $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \ - fi; \ - for p in $$list; do echo "$$p $$p"; done | \ - sed 's/$(EXEEXT)$$//' | \ - while read p p1; do if 
test -f $$p \ - || test -f $$p1 \ - ; then echo "$$p"; echo "$$p"; else :; fi; \ - done | \ - sed -e 'p;s,.*/,,;n;h' \ - -e 's|.*|.|' \ - -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ - sed 'N;N;N;s,\n, ,g' | \ - $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ - { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ - if ($$2 == $$4) files[d] = files[d] " " $$1; \ - else { print "f", $$3 "/" $$4, $$1; } } \ - END { for (d in files) print "f", d, files[d] }' | \ - while read type dir files; do \ - if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ - test -z "$$files" || { \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \ - } \ - ; done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ - files=`for p in $$list; do echo "$$p"; done | \ - sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ - -e 's/$$/$(EXEEXT)/' \ - `; \ - test -n "$$list" || exit 0; \ - echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \ - cd "$(DESTDIR)$(bindir)" && rm -f $$files - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \ - echo " rm -f" $$list; \ - rm -f $$list || exit $$?; \ - test -n "$(EXEEXT)" || exit 0; \ - list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f" $$list; \ - rm -f $$list -../util/$(am__dirstamp): - @$(MKDIR_P) ../util - @: > ../util/$(am__dirstamp) -../util/$(DEPDIR)/$(am__dirstamp): - @$(MKDIR_P) ../util/$(DEPDIR) - @: > ../util/$(DEPDIR)/$(am__dirstamp) -../util/utils.$(OBJEXT): ../util/$(am__dirstamp) \ - ../util/$(DEPDIR)/$(am__dirstamp) -../util/jsmn.$(OBJEXT): ../util/$(am__dirstamp) \ - ../util/$(DEPDIR)/$(am__dirstamp) - -estclient_brski$(EXEEXT): 
$(estclient_brski_OBJECTS) $(estclient_brski_DEPENDENCIES) $(EXTRA_estclient_brski_DEPENDENCIES) - @rm -f estclient_brski$(EXEEXT) - $(AM_V_CCLD)$(estclient_brski_LINK) $(estclient_brski_OBJECTS) $(estclient_brski_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -rm -f ../util/*.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -@AMDEP_TRUE@@am__include@ @am__quote@../util/$(DEPDIR)/jsmn.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@../util/$(DEPDIR)/utils.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/estclient-brski.Po@am__quote@ - -.c.o: -@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ -@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< - -.c.obj: -@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ -@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` - -.c.lo: -@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ -@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ -@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -ID: $(am__tagged_files) - $(am__define_uniq_tagged_files); mkid -fID $$unique -tags: tags-am -TAGS: tags - -tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) - set x; \ - here=`pwd`; \ - $(am__define_uniq_tagged_files); \ - shift; \ - if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ - test -n "$$unique" || unique=$$empty_fix; \ - if test $$# -gt 0; then \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - "$$@" $$unique; \ - else \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$unique; \ - fi; \ - fi -ctags: ctags-am - -CTAGS: ctags -ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) - $(am__define_uniq_tagged_files); \ - test -z "$(CTAGS_ARGS)$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && $(am__cd) $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) "$$here" -cscopelist: cscopelist-am - -cscopelist-am: $(am__tagged_files) - list='$(am__tagged_files)'; \ - case "$(srcdir)" in \ - [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ - *) sdir=$(subdir)/$(srcdir) ;; \ - esac; \ - for i in $$list; do \ - if test -f "$$i"; then \ - echo "$(subdir)/$$i"; \ - else \ - echo "$$sdir/$$i"; \ - fi; \ - done >> $(top_builddir)/cscope.files - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - list='$(DISTFILES)'; \ - dist_files=`for file in $$list; do echo $$file; done | \ - sed -e "s|^$$srcdirstrip/||;t" \ - -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ - case $$dist_files in \ - */*) $(MKDIR_P) `echo "$$dist_files" | \ - sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ - sort -u` ;; \ - 
esac; \ - for file in $$dist_files; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - if test -d $$d/$$file; then \ - dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test -d "$(distdir)/$$file"; then \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ - else \ - test -f "$(distdir)/$$file" \ - || cp -p $$d/$$file "$(distdir)/$$file" \ - || exit 1; \ - fi; \ - done -check-am: all-am -check: check-am -all-am: Makefile $(PROGRAMS) -installdirs: - for dir in "$(DESTDIR)$(bindir)"; do \ - test -z "$$dir" || $(MKDIR_P) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - if test -z '$(STRIP)'; then \ - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - install; \ - else \ - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ - fi -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) - -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) - -rm -f ../util/$(DEPDIR)/$(am__dirstamp) - -rm -f ../util/$(am__dirstamp) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -rf ../util/$(DEPDIR) ./$(DEPDIR) - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -html-am: - -info: info-am - -info-am: - -install-data-am: - -install-dvi: install-dvi-am - -install-dvi-am: - -install-exec-am: install-binPROGRAMS - -install-html: install-html-am - -install-html-am: - -install-info: install-info-am - -install-info-am: - -install-man: - -install-pdf: install-pdf-am - -install-pdf-am: - -install-ps: install-ps-am - -install-ps-am: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -rf ../util/$(DEPDIR) ./$(DEPDIR) - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binPROGRAMS - -.MAKE: install-am install-strip - -.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \ - clean-binPROGRAMS clean-generic clean-libtool cscopelist-am \ - ctags ctags-am distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-binPROGRAMS \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags tags-am uninstall uninstall-am uninstall-binPROGRAMS - -.PRECIOUS: Makefile - - -# Tell versions [3.59,3.63) of GNU make to not export all variables. 
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/example/client-brski/README b/example/client-brski/README
deleted file mode 100644
index 50e400b..0000000
--- a/example/client-brski/README
+++ /dev/null
@@ -1,73 +0,0 @@ -This directory contains a test EST client BRSKI application. This example -code shows how the BRSKI APIs can be used. This application assumes that -CiscoEST code base has been built with BRSKI support by adding -enable-brski -to the ./configure operation. This README assumes the EST server is listening -on the local host using port 8085. The EST process works as follows: - - - First, the BRSKI support enabled and configures by - calling est_client_brski_mode() - - Next, est_client_brski_get_voucher() is invoked to obtain - the BRSKI voucher from the server. - - The BRSKI voucher contains the trust anchor to be used and - to obtain this voucher, est_client_brski_copy_voucher() is - invoked. - - Next, est_client_brski_send_voucher_status() is called to - indicate that this voucher has been retrieved and is going to be - used. - - At this point, a normal EST enroll process is performed. - - Once the certificate is obtained from the enroll process, - est_client_brski_send_enroll_status() is called to indicate - that this certificate has been obtained and will now be used. - - -To run the example: - -1. Set LD_LIBRARY_PATH to include the directories where libest.so - and libcrypto.so are installed. For example... - - export LD_LIBRARY_PATH=/usr/local/ssl/lib:/usr/local/est/lib - -2. Set the following environment variable to specify the location - of the file containing the CA certificates used for verifying - the server. In this example we use the trusted certs for - the example EST server: - - export EST_OPENSSL_CACERT=../server/estCA/cacert.crt - - PDB NOTE: This can likely be removed since the first request of - the request voucher will obtain the CA certificate. The first - connection will need to be overridden by this application layer - code. - -3. Connect to the EST server listening on port 8085 and request to - bootstrap. 
The example EST server uses the user ID and - password estuser/estpwd: - - ./estclient_brski -s 127.0.0.1 -p 8085 -u estuser -h estpwd - - Note: The user ID and password are hard-coded in this example. - There is currently no way to change the user ID presented - to the EST server. - -After successfully provisioning a new certificate, the following -files are generated in the current working directory: - - newcacerts.pkcs7 This file contains the latest copy of - the CA certifications from the EST server. - cert-b64.pkcs7 This file contains the newly provisioned - certificate. - new_key.pem This file contains the new keypair that - was generated when creating the certificate - request. This contains the private key that - matches the public key in the new cert. - -Use this command to view the new CA certs returned by the server: - - openssl base64 -d -in ./newcacerts.pkcs7 | \ - openssl pkcs7 -inform DER -text -print_certs - -Use this command to view the new certificate from the server: - - openssl base64 -d -in ./cert-b64.pkcs7 | \ - openssl pkcs7 -inform DER -text -print_certs - diff --git a/example/client-brski/estclient-brski.c b/example/client-brski/estclient-brski.c deleted file mode 100644 index 5192d2e..0000000 --- a/example/client-brski/estclient-brski.c +++ /dev/null 
@@ -1,656 +0,0 @@ -/*------------------------------------------------------------------ - * estclient-brski.c - Example application that utilizes libest.so for - * EST client operations. This module utilizes OpenSSL - * for SSL and crypto services. - * - * - * October, 2013 - * - * Copyright (c) 2013, 2016 by cisco Systems, Inc. - * All rights reserved. - *------------------------------------------------------------------ - */ - -#include "stdio.h" -#include - -#include -#include -#include -#ifndef WIN32 -#include -#endif -#include -#include -#include "../util/utils.h" -#include "../util/jsmn.h" - -#if ENABLE_BRSKI - -#define MAX_SERVER_LEN 32 -#define MAX_FILENAME_LEN 255 - -#ifdef WIN32 -static CRITICAL_SECTION logger_critical_section; -static void windows_logger_stderr (char *format, va_list l) -{ - EnterCriticalSection(&logger_critical_section); - vfprintf(stderr, format, l); - fflush(stderr); - LeaveCriticalSection(&logger_critical_section); -} -#endif - -/* - * Global variables to hold command line options - */ -static unsigned char *cacerts = NULL; -static int cacerts_len = 0; -static char est_http_uid[MAX_UID_LEN+1]; -static char est_http_pwd[MAX_PWD_LEN+1]; -static char est_srp_uid[MAX_UID_LEN]; -static char est_srp_pwd[MAX_PWD_LEN]; -static char est_server[MAX_SERVER_LEN]; -static char est_auth_token[MAX_AUTH_TOKEN_LEN]; -static int est_port; -static int srp = 0; -static char client_key_file[MAX_FILENAME_LEN]; -static char client_cert_file[MAX_FILENAME_LEN]; -static int token_auth_mode = 0; -static int force_voucher_failure = 0; -static int force_enroll_failure = 0; -static int sign_voucher = 0; -static pem_password_cb *priv_key_cb = NULL; -static char *est_path_seg = NULL; - -static EVP_PKEY *client_priv_key; -static X509 *client_cert; - - -#define cert_file_name "cert-b64.pkcs7" -#define ca_file_name "newcacerts.pkcs7" - - -static void print_ssl_version () -{ - printf("Using %s\n", SSLeay_version(SSLEAY_VERSION)); -} - - -static void show_usage_and_exit 
(void) -{ - printf("estclient: BRSKI bootstrapping\n"); - printf("Usage:\n"); - printf("\nAvailable client OPTIONS\n" - " -s Enrollment server IP address\n" - " -p TCP port# for enrollment server\n" - " -u Specify user name for HTTP authentication.\n" - " -h Specify password for HTTP authentication.\n" - " -c Identity certificate to use for the TLS session\n" - " -k Use with -c option to specify private key for the identity cert\n" - " --srp Enable TLS-SRP cipher suites. Use with --srp-user and --srp-password options.\n" - " --srp-user Specify the SRP user name.\n" - " --srp-password Specify the SRP password.\n" - " --auth-token Specify the token to be used with HTTP token authentication.\n" - "\n"); - exit(255); -} - -/* - * auth_credentials_token_cb() is the application layer callback function that will - * return a token based authentication credential when called. It's registered - * with the EST Client using the est_client_set_auth_cred_cb(). - * The test function is required to set some global values in order to make this - * callback operate the way that the test case wants. - * - auth_cred_force_error = tell this function to force a response code error - * - test_token = pointer to a hard coded string that is the token string to return - * - * This callback must provide the token credentials in a heap based buffer, and - * ownership of that buffer is implicitly transferred to the ET client library upon - * return. - */ -static -EST_HTTP_AUTH_CRED_RC auth_credentials_token_cb(EST_HTTP_AUTH_HDR *auth_credentials) -{ - char *token_ptr = NULL; - int token_len = 0; - - printf("\nHTTP Token authentication credential callback invoked from EST client library\n"); - - if (auth_credentials->mode == AUTH_TOKEN) { - /* - * If the test_token is set to anything, then we need to allocate - * space from the heap and copy in the value. 
- */ - if (est_auth_token[0] != '\0') { - token_len = strlen(est_auth_token); - - if (token_len == 0) { - printf("\nError determining length of token string used for credentials\n"); - return EST_HTTP_AUTH_CRED_NOT_AVAILABLE; - } - token_ptr = malloc(token_len+1); - if (token_ptr == NULL){ - printf("\nError allocating token string used for credentials\n"); - return EST_HTTP_AUTH_CRED_NOT_AVAILABLE; - } - strncpy(token_ptr, est_auth_token, strlen(est_auth_token)); - token_ptr[token_len] = '\0'; - } - /* - * If we made it this far, token_ptr is pointing to a string - * containing the token to be returned. Assign it and return success - */ - auth_credentials->auth_token = token_ptr; - - printf("Returning access token = %s\n\n", auth_credentials->auth_token); - - return (EST_HTTP_AUTH_CRED_SUCCESS); - } - - return (EST_HTTP_AUTH_CRED_NOT_AVAILABLE); -} - - -/* - * This routine intializes an EST context, which can later - * be used to issue commands to an EST server. - */ -static EST_CTX *setup_est_context (void) -{ - EST_CTX *ectx; - EST_ERROR rv; - - /* - * Initialize an EST context. We must provide the trust - * anchor certs at this time. - */ - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, NULL); - if (!ectx) { - printf("\nUnable to initialize EST context. Aborting!!!\n"); - exit(1); - } - - /* - * Set the local authentication credentials. We're not using - * a certificate to identify ourselves to the server. We're - * simply hard-coding the userID and password, which will be - * used for HTTP authentication. - */ - rv = est_client_set_auth(ectx, est_http_uid, est_http_pwd, client_cert, client_priv_key); - if (rv != EST_ERR_NONE) { - printf("\nUnable to configure client authentication. Aborting!!!\n"); - printf("EST error code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv)); - exit(1); - } - - if (srp) { - rv = est_client_enable_srp(ectx, SRP_MINIMAL_N, est_srp_uid, est_srp_pwd); - if (rv != EST_ERR_NONE) { - printf("\nUnable to enable SRP. 
Aborting!!!\n"); - exit(1); - } - } - - if (token_auth_mode) { - rv = est_client_set_auth_cred_cb(ectx, auth_credentials_token_cb); - if (rv != EST_ERR_NONE) { - printf("\nUnable to register token auth callback. Aborting!!!\n"); - exit(1); - } - } - - /* - * Specify the EST server address and TCP port# - */ - rv = est_client_set_server(ectx, est_server, est_port, est_path_seg); - if (rv != EST_ERR_NONE) { - printf("\nUnable to configure server address. Aborting!!!\n"); - printf("EST error code %d (%s)\n", rv, EST_ERR_NUM_TO_STR(rv)); - exit(1); - } - - return (ectx); -} - -typedef enum { - EST_BRSKI_SUCCESS = 0, - EST_BRSKI_INVALID_PARAMETER, - EST_BRSKI_MISSING_NONCE, - EST_BRSKI_MISSING_CACERTS, - EST_BRSKI_FAILURE, -} EST_BRSKI_RC; - -static EST_ERROR send_brski_voucher_req (EST_CTX *ectx, int *cacert_len) -{ - EST_ERROR rv = EST_ERR_NONE; - /* - * issue the request - */ - rv = est_client_brski_get_voucher(ectx, cacert_len, sign_voucher); - - return (rv); -} - -static EST_ERROR send_brski_voucher_status_ind (EST_CTX *ectx) -{ - EST_ERROR rv = EST_ERR_NONE; - int http_status; - EST_BRSKI_STATUS_VALUE status; - char *reason; - - status = force_voucher_failure?EST_BRSKI_STATUS_FAIL:EST_BRSKI_STATUS_SUCCESS; - reason = force_voucher_failure?"Voucher rejected":"Voucher Accepted"; - - /* - * send the status indication - */ - rv = est_client_brski_send_voucher_status(ectx, status, reason); - if (rv != EST_ERR_NONE) { - printf("Error: Unable to send voucher status. rv = %d (%s)\n", - rv, EST_ERR_NUM_TO_STR(rv)); - return (rv); - } - - /* - * HTTP response should be ignored by the client (draft 7, section 3.5) - * But get it anyway and print it out. 
- */ - http_status = est_client_get_last_http_status(ectx); - printf("HTTP status from voucher status indication = %d\n", http_status); - - return (rv); -} - -static EST_ERROR send_brski_enrollment_status_ind (EST_CTX *ectx, - unsigned char *subject_key_id) -{ - EST_ERROR rv = EST_ERR_NONE; - EST_BRSKI_STATUS_VALUE status; - char *reason; - int http_status; - - status = force_enroll_failure?EST_BRSKI_STATUS_FAIL:EST_BRSKI_STATUS_SUCCESS; - reason = force_enroll_failure?"Enrollent Rejected":""; - - /* - * send the status indication - */ - rv = est_client_brski_send_enroll_status(ectx, status, reason, subject_key_id); - if (rv != EST_ERR_NONE) { - printf("Error: Unable to send enroll status. rv = %d (%s)\n", - rv, EST_ERR_NUM_TO_STR(rv)); - return (rv); - } - - /* - * HTTP response should be ignored by the client - */ - http_status = est_client_get_last_http_status(ectx); - printf("HTTP status from enroll status indication = %d\n", http_status); - - return (rv); -} - -int main (int argc, char **argv) -{ - EST_ERROR rv; - char c; - char *key_data; - EVP_PKEY *key; - char *trustanchor_file; - EST_CTX *ectx; -#if 1 - int p7_len; - int ca_certs_len; - unsigned char *new_client_cert; - unsigned char *new_certs; -#endif - BIO *certin; - int cacert_len = 0; - unsigned char returned_cacerts[EST_BRSKI_MAX_VOUCHER_LEN+1]; - - static struct option long_options[] = { - {"srp", 0, 0, 0}, - {"srp-user", 1, 0, 0}, - {"srp-password", 1, 0, 0}, - {"auth-token", 1, 0, 0}, - {"path-seg", 1, 0, 0}, - {NULL, 0, NULL, 0} - }; - int option_index = 0; - - memset(client_key_file, 0, 1); - memset(client_cert_file, 0, 1); - memset(est_http_uid, 0, MAX_UID_LEN+1); - memset(est_http_pwd, 0, MAX_PWD_LEN+1); - - while ((c = getopt_long(argc, argv, "s:p:u:h:c:k:", long_options, &option_index)) != -1) { - switch (c) { - case 0: - if (!strncmp(long_options[option_index].name,"sign-voucher", strlen("sign_voucher"))) { - sign_voucher = 1; - } - if (!strncmp(long_options[option_index].name,"srp", 
strlen("srp"))) { - srp = 1; - } - if (!strncmp(long_options[option_index].name,"srp-user", strlen("srp-user"))) { - strncpy(est_srp_uid, optarg, MAX_UID_LEN); - } - if (!strncmp(long_options[option_index].name,"srp-password", strlen("srp-password"))) { - strncpy(est_srp_pwd, optarg, MAX_PWD_LEN); - } - if (!strncmp(long_options[option_index].name,"auth-token", strlen("auth-token"))) { - strncpy(est_auth_token, optarg, MAX_AUTH_TOKEN_LEN); - token_auth_mode = 1; - } - if (!strncmp(long_options[option_index].name,"path-seg", strlen("path-seg"))) { - est_path_seg = calloc(EST_MAX_PATH_SEGMENT_LEN+1, sizeof(char)); - strncpy(est_path_seg, optarg, EST_MAX_PATH_SEGMENT_LEN); - } - break; - case 'u': - strncpy(est_http_uid, optarg, MAX_UID_LEN); - break; - case 'h': - strncpy(est_http_pwd, optarg, MAX_PWD_LEN); - break; - case 's': - strncpy(est_server, optarg, MAX_SERVER_LEN); - break; - case 'p': - est_port = atoi(optarg); - break; - case 'k': - strncpy(client_key_file, optarg, MAX_FILENAME_LEN); - break; - case 'c': - strncpy(client_cert_file, optarg, MAX_FILENAME_LEN); - break; - default: - show_usage_and_exit(); - break; - } - } - if (optind < argc) { - printf ("non-option ARGV-elements: "); - while (optind < argc) - printf ("%s ", argv[optind++]); - printf ("\n"); - } - argc -= optind; - argv += optind; - - if (est_http_uid[0] && !est_http_pwd[0]) { - printf ("Error: The password for HTTP authentication must be specified when the HTTP user name is set.\n"); - exit(1); - } - - /* - * Initialize the library, including OpenSSL - */ - est_apps_startup(); - - print_ssl_version(); - printf("\nUsing EST server %s:%d", est_server, est_port); - - if (client_cert_file[0]) printf("\nUsing identity client cert file %s", client_cert_file); - if (client_key_file [0]) printf("\nUsing identity private key file %s", client_key_file); - - /* - * Read in the current client certificate - */ - if (client_cert_file[0]) { - certin = BIO_new(BIO_s_file_internal()); - if 
(BIO_read_filename(certin, client_cert_file) <= 0) { - printf("\nUnable to read client certificate file %s\n", client_cert_file); - exit(1); - } - /* - * This reads the file, which is expected to be PEM encoded. If you're using - * DER encoded certs, you would invoke d2i_X509_bio() instead. - */ - client_cert = PEM_read_bio_X509(certin, NULL, NULL, NULL); - if (client_cert == NULL) { - printf("\nError while reading PEM encoded client certificate file %s\n", client_cert_file); - exit(1); - } - BIO_free(certin); - } - - /* - * Read in the client's private key - */ - if (client_key_file[0]) { - client_priv_key = read_private_key(client_key_file, priv_key_cb); - if (client_priv_key == NULL) { - printf("\nError while reading PEM encoded private key file %s\n", client_key_file); - ERR_print_errors_fp(stderr); - exit(1); - } - } - - /* - * Read in the trusted certificates, which are used by - * CiscoEST to verify the identity of the EST server. - * - */ - trustanchor_file = getenv("EST_OPENSSL_CACERT"); - cacerts_len = read_binary_file(trustanchor_file, &cacerts); - if (cacerts_len <= 0) { - printf("\nTrusted certs file could not be read. Did you set EST_OPENSSL_CACERT?\n"); - exit(1); - } - - /* - * This is not required, but we'll enable full debugs - */ -#ifndef WIN32 - /* Initialize the EST logging */ - est_init_logger(EST_LOG_LVL_INFO, NULL); -#else - InitializeCriticalSection (&logger_critical_section); - est_init_logger(EST_LOG_LVL_INFO, &windows_logger_stderr); -#endif - - /* - * Create a public/private key pair that will be used for - * the enrollment. We'll write this out to a local - * file called new_key.pem. 
- */ - key_data = generate_private_RSA_key(2048, NULL/* no password_cb */); - - write_binary_file("./new_key.pem", (unsigned char *)key_data, strlen(key_data)); - - /* - * Use the load_clear macro to load in an unencrypted key - */ - key = load_clear_private_key_PEM(key_data); - - if(!key) { - printf("\nUnable to load newly created key from PEM file\n"); - exit(1); - } - memset(key_data, 0, strlen(key_data)); - free(key_data); - key_data = NULL; - - ectx = setup_est_context(); - if (!ectx) { - printf("\nUnable to create EST client context\n"); - exit(1); - } - - /* - * BRSKI API usage - */ - - /* - * Put the EST library into BRSKI mode - */ - rv = est_client_set_brski_mode(ectx); - if (rv != EST_ERR_NONE) { - printf("\nEST Client: BRSKI: failed to configure BRSKI mode with error %s\n", - EST_ERR_NUM_TO_STR(rv)); - exit(1); - } - - /* - * Call to request that the voucher request is sent. - */ - rv = send_brski_voucher_req(ectx, &cacert_len); - if (rv != EST_ERR_NONE) { - printf("Failed to send BRSKI request voucher. error = %d (%s)\n", - rv, EST_ERR_NUM_TO_STR(rv)); - exit(1); - } - - /* - * Retrieve the PKI domain CA Cert from the received voucher - */ - memset(returned_cacerts, 0, EST_BRSKI_MAX_VOUCHER_LEN+1); - rv = est_client_brski_copy_cacert(ectx, &returned_cacerts[0]); - if (rv != EST_ERR_NONE) { - printf("Failed to retrieve CA cert from voucher.\n"); - exit(1); - } - - printf("Returned domain CA certs = %s \n", returned_cacerts); - - /* - * Send the Voucher status indication. This indicates that we've recieved - * and accepted the voucher from the Registrar - */ - rv = send_brski_voucher_status_ind(ectx); - if (rv != EST_ERR_NONE) { - printf("Failed to send BRSKI voucher status. 
error = %d (%s)\n", - rv, EST_ERR_NUM_TO_STR(rv)); - exit(1); - } - -#if 1 - /* - * Attempt to provision a new cert - */ - rv = est_client_provision_cert(ectx, "localhost", &p7_len, &ca_certs_len, key); - if (rv != EST_ERR_NONE) { - printf("Provisioning failed with error %s\n", EST_ERR_NUM_TO_STR(rv)); - exit(1); - } - EVP_PKEY_free(key); - - /* - * Retrieve a copy of the cert - */ - new_client_cert = malloc(p7_len); - if (new_client_cert == NULL){ - printf("Failed to allocate memory for the newly provisioned cert\n"); - exit(1); - } - rv = est_client_copy_enrolled_cert(ectx, new_client_cert); - if (rv != EST_ERR_NONE) { - printf("Failed to copy new cert with code %d (%s)\n", - rv, EST_ERR_NUM_TO_STR(rv)); - exit(1); - } -#endif - /* - * PDB TODO: Need to figure out the "SubjectKeyIdentifier" - * value that needs to be passed back when the enrollment fails. - */ -#if 0 /* Need to obtain the SubjectKeyIdentifier from the new cert */ - { - int new_client_cert_pem_len = 0; - unsigned char *new_client_cert_pem = NULL; - ASN1_OCTET_STRING *skid; - - new_client_cert_pem_len = est_convert_p7b64_to_pem(new_client_cert, p7_len, - &new_client_cert_pem); - - skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); - printf(" PDB: new_client_cert Subject Key Identifier: %s\n", skid->data; - } -#endif - -/* PDB: 20 byte hex string. 
Needs to be extracted from the enrolled cert */ -/* #define key_subject "12345678901234567890" */ - unsigned char *subject_key_id = (unsigned char *)"12345678901234567890"; - -#if 0 - { - - int i; - -/* i = EVP_PKEY_get_attr_by_NID(const EVP_PKEY *key, int nid, int lastpos); */ - - BIGNUM *bn = NULL; - - bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509), NULL); - if (!bn) - goto err; - if (BN_is_zero(bn)) - row[DB_serial] = BUF_strdup("00"); - else - row[DB_serial] = BN_bn2hex(bn); - BN_free(bn); - - i = X509_NAME_get_index_by_NID(subj, NID_subject_key_identifier, -1); - if (i == -1) { - EST_LOG_ERR("Serial Number element not defined in certificate subject attribute"); - return (NULL); - } - - } - -#endif - - /* - * Send the enrollment status indication - */ - rv = send_brski_enrollment_status_ind(ectx, (unsigned char *) subject_key_id); - if (rv != EST_ERR_NONE) { - printf("\nEST Client: BRSKI: failed to send BRSKI voucher status. error = %d (%s)\n", - rv, EST_ERR_NUM_TO_STR(rv)); - exit(1); - } -#if 1 - /* - * Save the cert to local storage - */ - write_binary_file(cert_file_name, new_client_cert, p7_len); - free(new_client_cert); - - /* - * Retrieve a copy of the new trust anchor - */ - new_certs = malloc(ca_certs_len); - rv = est_client_copy_cacerts(ectx, new_certs); - if (rv != EST_ERR_NONE) { - printf("\nFailed to copy new CA certs with code %d (%s)\n", - rv, EST_ERR_NUM_TO_STR(rv)); - exit(1); - } - - /* - * Your appliations should save the CA certs to local storage in case - * they're needed for future use. - */ - write_binary_file(ca_file_name, new_certs, ca_certs_len); - free(new_certs); -#endif - printf("\n\nSuccess!!!\n"); - - free(cacerts); - est_destroy(ectx); - - est_apps_shutdown(); - - printf("\n"); - return 0; -} -#else -int main (int argc, char **argv) -{ - printf("CiscoEST was not built with BRSKI support. Rebuild CiscoEST with --enable-brski configure option.\n"); -} -#endif 
diff --git a/example/client-simple/Makefile.am b/example/client-simple/Makefile.am index d5a0ae4..c7eb0cd 100644 --- a/example/client-simple/Makefile.am +++ b/example/client-simple/Makefile.am @@ -7,9 +7,4 @@ DL= else DL=-ldl endif - -if ENABLE_CLIENT_ONLY -estclient_simple_LDFLAGS = -L../../src/est/.libs $(DL) -lest_client -lssl -lcrypto -else estclient_simple_LDFLAGS = -L../../src/est/.libs $(DL) -lest -lssl -lcrypto -endif diff --git a/example/client-simple/Makefile.in b/example/client-simple/Makefile.in index a7bd7ec..3b81d54 100644 --- a/example/client-simple/Makefile.in +++ b/example/client-simple/Makefile.in @@ -307,8 +307,7 @@ estclient_simple_SOURCES = estclient-simple.c ../util/utils.c AM_CFLAGS = -I../.. -I$(srcdir)/../../src/est -I$(SSL_CFLAGS) -g @FREEBSD_FALSE@DL = -ldl @FREEBSD_TRUE@DL = -@ENABLE_CLIENT_ONLY_FALSE@estclient_simple_LDFLAGS = -L../../src/est/.libs $(DL) -lest -lssl -lcrypto -@ENABLE_CLIENT_ONLY_TRUE@estclient_simple_LDFLAGS = -L../../src/est/.libs $(DL) -lest_client -lssl -lcrypto +estclient_simple_LDFLAGS = -L../../src/est/.libs $(DL) -lest -lssl -lcrypto all: all-am .SUFFIXES: diff --git a/example/client/Makefile.am b/example/client/Makefile.am index 5259ea6..6b24fb9 100644 --- a/example/client/Makefile.am +++ b/example/client/Makefile.am @@ -14,8 +14,4 @@ else PTHREAD=-lpthread endif -if ENABLE_CLIENT_ONLY -estclient_LDFLAGS = -L../../src/est/.libs $(DL) $(PTHREAD) -lest_client -lssl -lcrypto -else -estclient_LDFLAGS = -L../../src/est/.libs $(DL) $(PTHREAD) -lest -lssl -lcrypto -endif +estclient_LDFLAGS = -L../../src/est/.libs $(DL) $(PTHREAD) -lest -lssl -lcrypto \ No newline at end of file diff --git a/example/client/Makefile.in b/example/client/Makefile.in index 01cfd77..0034f4e 100644 --- a/example/client/Makefile.in +++ b/example/client/Makefile.in 
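Review bot: The new `estclient_LDFLAGS` line in example/client/Makefile.am is committed without a terminating newline (the hunk ends with `\ No newline at end of file`), whereas the parallel hunk in example/client-simple/Makefile.am keeps its trailing newline. Automake accepts it, but every later edit to that file will show a spurious change on this line, and some tools treat an unterminated last line as a warning. Terminate it: `estclient_LDFLAGS = -L../../src/est/.libs $(DL) $(PTHREAD) -lest -lssl -lcrypto` followed by a newline. The Makefile.in hunks on this line are generated output that mirror the same change.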
@@ -307,8 +307,7 @@ AM_CFLAGS = -I../.. -I$(srcdir)/../../src/est -I$(SSL_CFLAGS) -g @FREEBSD_TRUE@DL = @DISABLE_PTHREAD_FALSE@PTHREAD = -lpthread @DISABLE_PTHREAD_TRUE@PTHREAD = -@ENABLE_CLIENT_ONLY_FALSE@estclient_LDFLAGS = -L../../src/est/.libs $(DL) $(PTHREAD) -lest -lssl -lcrypto -@ENABLE_CLIENT_ONLY_TRUE@estclient_LDFLAGS = -L../../src/est/.libs $(DL) $(PTHREAD) -lest_client -lssl -lcrypto +estclient_LDFLAGS = -L../../src/est/.libs $(DL) $(PTHREAD) -lest -lssl -lcrypto all: all-am .SUFFIXES: diff --git a/example/client/estclient.c b/example/client/estclient.c index 6df1c17..ea3336a 100644 --- a/example/client/estclient.c +++ b/example/client/estclient.c @@ -6,7 +6,7 @@ * * November, 2012 * - * Copyright (c) 2012-2013, 2016, 2017 by cisco Systems, Inc. + * Copyright (c) 2012-2013, 2016 by cisco Systems, Inc. * All rights reserved. *------------------------------------------------------------------ */ @@ -163,7 +163,7 @@ static void show_usage_and_exit (void) " -t Number of threads to start for multi-threaded test (default=1)\n" #endif " -i Number of enrollments to perform per thread (default=1)\n" - " -w Timeout in seconds to wait for server response (default=10)\n" //EST_SSL_READ_TIMEOUT_DEF + " -w Timeout in seconds to wait for server response (default=10)\n" //EST_SSL_READ_TIMEOUT_DEF " -f Runs EST Client in FIPS MODE = ON\n" " -u Specify user name for HTTP authentication.\n" " -h Specify password for HTTP authentication.\n" 
@@ -891,27 +891,6 @@ static void worker_thread (void *ptr)
operation = "Re-enrollment";
rv = est_client_reenroll(ectx, client_cert_dup, &pkcs7_len, client_priv_key);
-
- if (rv == EST_ERR_CA_ENROLL_RETRY) {
-
- /*
- * go get the retry period
- */
- rv = est_client_copy_retry_after(ectx, &retry_delay, &retry_time);
- if (verbose) printf("\nretry after period copy rv = %d "
- "Retry-After delay seconds = %d "
- "Retry-After delay time = %s\n",
- rv, retry_delay, ctime(&retry_time) );
- if (rv == EST_ERR_NONE) {
- retry_enroll_delay(retry_delay, retry_time);
- }
-
- /*
- * now that we're back, try to re-enroll again
- */
- rv = est_client_reenroll(ectx, client_cert_dup, &pkcs7_len, client_priv_key);
- }
-
if (verbose) printf("\nreenroll rv = %d (%s) with pkcs7 length = %d\n",
rv, EST_ERR_NUM_TO_STR(rv), pkcs7_len);
if (rv == EST_ERR_NONE) {
diff --git a/example/proxy/estproxy.c b/example/proxy/estproxy.c
index 0c4b846..74890dd 100644
--- a/example/proxy/estproxy.c
+++ b/example/proxy/estproxy.c
@@ -533,11 +533,9 @@ int main (int argc, char **argv)
}
BIO_free(keyin);
+ est_init_logger(EST_LOG_LVL_INFO, NULL);
if (verbose) {
- est_init_logger(EST_LOG_LVL_INFO, NULL);
est_enable_backtrace(1);
- } else {
- est_init_logger(EST_LOG_LVL_ERR, NULL);
}
ectx = est_proxy_init(trustcerts, trustcerts_len, cacerts_raw, cacerts_len,
EST_CERT_FORMAT_PEM, realm, x, priv_key, "estuser", "estpwd");
diff --git a/example/server/Makefile.am b/example/server/Makefile.am
index 08e134d..ca7d111 100644
--- a/example/server/Makefile.am
+++ b/example/server/Makefile.am
@@ -1,6 +1,6 @@
bin_PROGRAMS = estserver
estclient_includedir=$(includedir)/est
-estserver_SOURCES = estserver.c ossl_srv.c ../util/utils.c ../util/simple_server.c ../util/jsmn.c
+estserver_SOURCES = estserver.c ossl_srv.c ../util/utils.c ../util/simple_server.c
AM_CFLAGS = -I../.. -I$(srcdir)/../../src/est -I$(SSL_CFLAGS) -g
if FREEBSD
DL=
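Review bot: Dropping the `EST_ERR_CA_ENROLL_RETRY` branch means a re-enrollment the CA answers with a retry indication now falls straight through to the `if (rv == EST_ERR_NONE)` check and is reported as a plain failure, rather than being retried after the Retry-After period; if that is the intent, a comment such as `/* a Retry-After answer from the CA is treated as a failed re-enrollment here */` above the verbose printf would stop the next reader from hunting for the handling. If `retry_delay` and `retry_time` were declared earlier in worker_thread for this branch only, they are presumably unused now and will warn under -Wall. worker_thread starts before and ends after this hunk, so neither point can be confirmed from here.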
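Review bot: `est_init_logger(EST_LOG_LVL_INFO, NULL);` is now called unconditionally, so a proxy started without the verbose flag logs at INFO where it previously logged at ERR; only `est_enable_backtrace(1)` stays tied to `verbose`. If the goal was only to remove the duplicated call, `est_init_logger(verbose ? EST_LOG_LVL_INFO : EST_LOG_LVL_ERR, NULL);` keeps the old non-verbose behaviour in one line. main starts before and ends after this hunk.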
diff --git a/example/server/Makefile.in b/example/server/Makefile.in
index 7189068..bbfabaa 100644
--- a/example/server/Makefile.in
+++ b/example/server/Makefile.in
@@ -105,8 +105,7 @@ am__installdirs = "$(DESTDIR)$(bindir)"
PROGRAMS = $(bin_PROGRAMS)
am__dirstamp = $(am__leading_dot)dirstamp
am_estserver_OBJECTS = estserver.$(OBJEXT) ossl_srv.$(OBJEXT) \
- ../util/utils.$(OBJEXT) ../util/simple_server.$(OBJEXT) \
- ../util/jsmn.$(OBJEXT)
+ ../util/utils.$(OBJEXT) ../util/simple_server.$(OBJEXT)
estserver_OBJECTS = $(am_estserver_OBJECTS)
estserver_LDADD = $(LDADD)
AM_V_lt = $(am__v_lt_@AM_V@)
@@ -303,7 +302,7 @@ top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
estclient_includedir = $(includedir)/est
-estserver_SOURCES = estserver.c ossl_srv.c ../util/utils.c ../util/simple_server.c ../util/jsmn.c
+estserver_SOURCES = estserver.c ossl_srv.c ../util/utils.c ../util/simple_server.c
AM_CFLAGS = -I../.. -I$(srcdir)/../../src/est -I$(SSL_CFLAGS) -g
@FREEBSD_FALSE@DL = -ldl
@FREEBSD_TRUE@DL =
@@ -403,8 +402,6 @@ clean-binPROGRAMS:
../util/$(DEPDIR)/$(am__dirstamp)
../util/simple_server.$(OBJEXT): ../util/$(am__dirstamp) \
../util/$(DEPDIR)/$(am__dirstamp)
-../util/jsmn.$(OBJEXT): ../util/$(am__dirstamp) \
- ../util/$(DEPDIR)/$(am__dirstamp)
estserver$(EXEEXT): $(estserver_OBJECTS) $(estserver_DEPENDENCIES) $(EXTRA_estserver_DEPENDENCIES)
@rm -f estserver$(EXEEXT)
@@ -417,7 +414,6 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
-@AMDEP_TRUE@@am__include@ @am__quote@../util/$(DEPDIR)/jsmn.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@../util/$(DEPDIR)/simple_server.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@../util/$(DEPDIR)/utils.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/estserver.Po@am__quote@
diff --git a/example/server/estserver.c b/example/server/estserver.c
index 8d2c27f..a5dcf5c 100644
--- a/example/server/estserver.c
+++ b/example/server/estserver.c
@@ -8,7 +8,7 @@ * * November, 2012 *
- * Copyright (c) 2012-2013, 2016, 2017 by cisco Systems, Inc.
+ * Copyright (c) 2012-2013, 2016 by cisco Systems, Inc.
* All rights reserved.
**------------------------------------------------------------------
*/
@@ -33,7 +33,6 @@
#include "ossl_srv.h"
#include "../util/utils.h"
#include "../util/simple_server.h"
-#include "../util/jsmn.h"
/*
* Abstract OpenSSL threading platfrom callbacks
@@ -83,9 +82,6 @@ static int disable_forced_http_auth = 0;
static int set_fips_return = 0;
static unsigned long set_fips_error = 0;
static int test_app_data = 0xDEADBEEF;
-static int brski_mode = 0;
-static int brski_ca_certs_len;
-static unsigned char *brski_ca_certs;
char certfile[EST_MAX_FILE_LEN];
char keyfile[EST_MAX_FILE_LEN];
@@ -198,7 +194,6 @@ static void show_usage_and_exit (void)
" --srp Enable TLS-SRP authentication of client using the specified SRP parameters file\n"
" --enforce-csr Enable CSR attributes enforcement. The client must provide all the attributes in the CSR.\n"
" --token Use HTTP Bearer Token auth.\n"
- " --enable-brski Enable BRSKI bootstrapping support.\n"
"\n");
exit(255);
}
@@ -731,7 +726,7 @@ int process_pkcs10_enrollment (unsigned char * pkcs10, int p10_len,
//The following is a default CSR attributes response that also
//contains challengePassword
#define TEST_CSR "MCYGBysGAQEBARYGCSqGSIb3DQEJAQYFK4EEACIGCWCGSAFlAwQCAg=="
-unsigned char * process_csrattrs_request (int *csr_len, char *path_seg, X509 *peer_cert,
+unsigned char * process_csrattrs_request (int *csr_len, char *path_seg,
void *app_data)
{
unsigned char *csr_data;
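Review bot: The new prototype of `process_csrattrs_request` drops the `X509 *peer_cert` parameter, which is only safe if the CSR-attributes callback type in libest's public header (the type taken by the registration in main whose failure prints "Unable to set EST CSR Attributes callback") changed in step; no hunk in this chunk touches src/est/est.h, so the match cannot be confirmed here. A function-pointer type mismatch at that registration would compile with at most a warning and then be invoked with a different argument list at runtime, so it is worth verifying before merge. The function body continues outside the hunk.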
@@ -757,543 +752,13 @@ unsigned char * process_csrattrs_request (int *csr_len, char *path_seg, X509 *pe return (csr_data); } -static int jsoneq(const char *json, jsmntok_t *tok, const char *s) { - if (tok->type == JSMN_STRING && (int) strlen(s) == tok->end - tok->start && - strncmp(json + tok->start, s, tok->end - tok->start) == 0) { - return 0; - } - return -1; -} - - -static int dump(const char *js, jsmntok_t *t, size_t count, int indent) { - int i, j, k; - if (count == 0) { - return 0; - } - if (t->type == JSMN_PRIMITIVE) { - printf("%.*s", t->end - t->start, js+t->start); - return 1; - } else if (t->type == JSMN_STRING) { - printf("'%.*s'", t->end - t->start, js+t->start); - return 1; - } else if (t->type == JSMN_OBJECT) { - printf("\n"); - j = 0; - for (i = 0; i < t->size; i++) { - for (k = 0; k < indent; k++) printf(" "); - j += dump(js, t+1+j, count-j, indent+1); - printf(": "); - j += dump(js, t+1+j, count-j, indent+1); - printf("\n"); - } - return j+1; - } else if (t->type == JSMN_ARRAY) { - j = 0; - printf("\n"); - for (i = 0; i < t->size; i++) { - for (k = 0; k < indent-1; k++) printf(" "); - printf(" - "); - j += dump(js, t+1+j, count-j, indent+1); - printf("\n"); - } - return j+1; - } - return 0; -} - - -/* { */ -/* "ietf-voucher:voucher": { */ -/* "nonce": "62a2e7693d82fcda2624de58fb6722e5", */ -/* "assertion": "logging" */ -/* "pinned-domain-cert": "" */ -/* "serial-number": "JADA123456789" */ -/* } */ -/* } */ -#define BRSKI_DEVICE_SERIAL_NUM "F7BE0D" -#define VOUCHER "{\n\r\"ietf-voucher:voucher\":{\n\r\"nonce\":\"%s\",\n\r\"assertion\":\"logging\",\n\r\"pinned-domain-cert\":\"%s\",\n\r\"serial-number\":\"%s\"}\n\r}" - -/* - * Callback function used by EST stack to process a BRSK - * voucher request. 
The parameters are: - * - * voucher_req Contains the voucher request from the client - * voucher_req_len Length of the voucher request - * voucher Pointer to a buffer pointer that will contain - * the voucher to be returned - * voucher_len Pointer to an integer that will be set to the length - * of the returned voucher. - * peer_cert - client certificate, if available, in internal X509 - * structure format - */ - -EST_BRSKI_CALLBACK_RC -process_brski_voucher_request (char *voucher_req, int voucher_req_len, - char **voucher, int *voucher_len, X509 *peer_cert) -{ - char *voucher_buf = NULL; - jsmn_parser p; - jsmntok_t *tok; - size_t tokcount = 100; - int parser_resp; - int i; - int nonce_found = 0; - int incoming_server_cert_found = 0; - char incoming_nonce[EST_BRSKI_VOUCHER_REQ_NONCE_SIZE+1]; - char incoming_server_cert[EST_BRSKI_MAX_CACERT_LEN+1]; - char *ser_num_str = NULL; - - memset(incoming_nonce, 0, EST_BRSKI_VOUCHER_REQ_NONCE_SIZE+1); - memset(incoming_server_cert, 0, EST_BRSKI_MAX_CACERT_LEN+1); - - printf("BRSKI voucher request received\n"); - printf(" voucher_req = %s\n voucher_req_len = %d\n", - voucher_req, voucher_req_len); - - /* - * Parse the voucher request and obtain the nonce - */ - jsmn_init(&p); - tok = calloc(tokcount, sizeof(*tok)); - if (tok == NULL) { - printf("calloc(): errno=%d\n", errno); - return 3; - } - parser_resp = jsmn_parse(&p, (char *)voucher_req, (size_t)voucher_req_len, - tok, tokcount); - if (parser_resp < 0) { - printf("Voucher request parse failed. 
parse error = %d\n", parser_resp); - } else { - dump((char *)voucher_req, tok, p.toknext, 0); - printf("Voucher request parsed\n"); - } - for (i = 1; i < parser_resp; i++) { - if (jsoneq(voucher_req, &tok[i], "nonce") == 0) { - sprintf(incoming_nonce, "%.*s", tok[i+1].end-tok[i+1].start, - voucher_req + tok[i+1].start); - printf("Found nonce %s\n", incoming_nonce); - nonce_found = 1; - break; - } - } - if (!nonce_found) { - printf("Nonce missing from voucher request\n"); - return (EST_BRSKI_CB_FAILURE); - } - - /* - * Now look for the Registrar's cert - */ - for (i = 1; i < parser_resp; i++) { - if (jsoneq(voucher_req, &tok[i], "pinned-domain-cert") == 0) { - sprintf(incoming_server_cert, "%.*s", tok[i+1].end-tok[i+1].start, - voucher_req + tok[i+1].start); - printf("Found pinned domain cert %s\n", incoming_server_cert); - incoming_server_cert_found = 1; - break; - } - } - if (!incoming_server_cert_found) { - printf("Pinned domain cert missing from voucher request\n"); - return (EST_BRSKI_CB_FAILURE); - } - - /* - * Obtain the serial number of the pledge device from its ID cert - */ - ser_num_str = est_find_ser_num_in_subj(peer_cert); - if (ser_num_str == NULL) { - char *subj; - - printf("Pledge MFG cert does not contain a serial number."); - - subj = X509_NAME_oneline(X509_get_subject_name(peer_cert), NULL, 0); - printf("Client MFG cert subject: %s", subj); - OPENSSL_free(subj); - - return (EST_ERR_CLIENT_BRSKI_SERIAL_NUM_MISSING); - } - - voucher_buf = calloc(EST_BRSKI_MAX_VOUCHER_LEN, sizeof(char)); - if (voucher_buf) { - *voucher_len = snprintf(voucher_buf, EST_BRSKI_MAX_VOUCHER_LEN, VOUCHER, - incoming_nonce, brski_ca_certs, ser_num_str); - *voucher = voucher_buf; - printf("Voucher to be returned = %s\n", *voucher); - } else { - *voucher = NULL; - *voucher_len = 0; - return (EST_BRSKI_CB_FAILURE); - } - - return EST_BRSKI_CB_SUCCESS; -} - -/* - * Callback function used by EST stack to process a BRSK - * voucher status indication. 
The parameters are: - * - * voucher_status Pointer buffer containing the voucher status - * voucher_status_len Integer containing the length of the voucher_status buffer - * peer_cert certificate of the client used in the TLS connection. - * - */ -static -EST_BRSKI_CALLBACK_RC -process_brski_voucher_status (char *voucher_status, int voucher_status_len, X509 *peer_cert) -{ - jsmn_parser p; - jsmntok_t *tok; - size_t tokcount = 100; - int parser_resp; - int i; - int status_found = 0; - char incoming_status[5+1]; - int reason_found = 0; - char incoming_reason[EST_BRSKI_MAX_REASON_LEN]; - - memset(incoming_status, 0, 5+1); - - printf("BRSKI voucher status received\n"); - printf(" voucher_status = %s\n voucher_status_len = %d\n", - voucher_status, voucher_status_len); - - /* - * Parse the voucher response and obtain the status and reason - */ - jsmn_init(&p); - tok = calloc(tokcount, sizeof(*tok)); - if (tok == NULL) { - printf("calloc(): errno=%d\n", errno); - return 3; - } - parser_resp = jsmn_parse(&p, (char *)voucher_status, (size_t)voucher_status_len, - tok, tokcount); - if (parser_resp < 0) { - printf("Voucher response parse failed. 
parse error = %d\n", parser_resp); - } else { - dump((char *)voucher_status, tok, p.toknext, 0); - printf("Voucher status parsed\n"); - } - - for (i = 1; i < parser_resp; i++) { - if (jsoneq(voucher_status, &tok[i], "Status") == 0) { - sprintf(incoming_status, "%.*s", tok[i+1].end-tok[i+1].start, - voucher_status + tok[i+1].start); - printf("Found status %s\n", incoming_status); - status_found = 1; - break; - } - } - if (!status_found) { - printf("Status value missing from voucher status\n"); - return (EST_BRSKI_CB_FAILURE); - } - - for (i = 1; i < parser_resp; i++) { - if (jsoneq(voucher_status, &tok[i], "Reason") == 0) { - sprintf(incoming_reason, "%.*s", tok[i+1].end-tok[i+1].start, - voucher_status + tok[i+1].start); - printf("Found reason %s\n", incoming_reason); - reason_found = 1; - break; - } - } - if (!reason_found) { - printf("Reason value missing from voucher status\n"); - return (EST_BRSKI_CB_FAILURE); - } - - return EST_BRSKI_CB_SUCCESS; -} - - -/* - * Callback function used by EST stack to process a BRSK - * enrollment status. The parameters are: - * - * enroll_status Pointer buffer containing the voucher status - * enroll_status_len Integer containing the length of the voucher_status buffer - * peer_cert certificate of the client used in the TLS connection. 
- */ -EST_BRSKI_CALLBACK_RC -process_brski_enroll_status (char *enroll_status, int enroll_status_len, X509 *peer_cert) -{ - jsmn_parser p; - jsmntok_t *tok; - size_t tokcount = 100; - int parser_resp; - int i; - int status_found = 0; - char incoming_status[5+1]; - int reason_found = 0; - char incoming_reason[EST_BRSKI_MAX_REASON_LEN]; - - memset(incoming_status, 0, 5+1); - - printf("BRSKI enroll status received\n"); - printf(" enroll_status = %s\n enroll_status_len = %d\n", - enroll_status, enroll_status_len); - - /* - * Parse the voucher response and obtain the status and reason - */ - jsmn_init(&p); - tok = calloc(tokcount, sizeof(*tok)); - if (tok == NULL) { - printf("calloc(): errno=%d\n", errno); - return 3; - } - parser_resp = jsmn_parse(&p, (char *)enroll_status, (size_t)enroll_status_len, - tok, tokcount); - if (parser_resp < 0) { - printf("Enroll response parse failed. parse error = %d\n", parser_resp); - } else { - dump((char *)enroll_status, tok, p.toknext, 0); - printf("Enroll status parsed\n"); - } - - for (i = 1; i < parser_resp; i++) { - if (jsoneq(enroll_status, &tok[i], "Status") == 0) { - sprintf(incoming_status, "%.*s", tok[i+1].end-tok[i+1].start, - enroll_status + tok[i+1].start); - printf("Found status %s\n", incoming_status); - status_found = 1; - break; - } - } - if (!status_found) { - printf("Status value missing from enroll status\n"); - return (EST_BRSKI_CB_FAILURE); - } - - for (i = 1; i < parser_resp; i++) { - if (jsoneq(enroll_status, &tok[i], "Reason") == 0) { - sprintf(incoming_reason, "%.*s", tok[i+1].end-tok[i+1].start, - enroll_status + tok[i+1].start); - printf("Found reason: %s\n", incoming_reason); - reason_found = 1; - break; - } - } - if (!reason_found) { - printf("Reason value missing from enroll status\n"); - return (EST_BRSKI_CB_FAILURE); - } - - return EST_BRSKI_CB_SUCCESS; -} - - -/* - * This function is used to read the CERTS in a BIO and build a - * stack of X509* pointers. 
This is used during the PEM to - * PKCS7 conversion process. - */ -static int est_add_certs_from_BIO (STACK_OF(X509) *stack, BIO *in) -{ - int count = 0; - int ret = -1; - - STACK_OF(X509_INFO) * sk = NULL; - X509_INFO *xi; - - - /* This loads from a file, a stack of x509/crl/pkey sets */ - sk = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL); - if (sk == NULL) { - printf("Unable to read certs from PEM encoded data"); - return (ret); - } - - /* scan over it and pull out the CRL's */ - while (sk_X509_INFO_num(sk)) { - xi = sk_X509_INFO_shift(sk); - if (xi->x509 != NULL) { - sk_X509_push(stack, xi->x509); - xi->x509 = NULL; - count++; - } - X509_INFO_free(xi); - } - - ret = count; - - /* never need to OPENSSL_free x */ - if (sk != NULL) { - sk_X509_INFO_free(sk); - } - return (ret); -} - - -/* - * Converts from PEM to pkcs7 encoded certs. Optionally - * applies base64 encoding to the output. This is used - * when creating the cached cacerts response. The returned - * BIO contains the PKCS7 encoded certs. The response - * can optionally be base64 encoded by passing in a - * non-zero value for the do_base_64 argument. The caller - * of this function should invoke BIO_free_all() on the - * return value to avoid memory leaks. Note, BIO_free() - * will not be sufficient. 
- */ -static -BIO * est_get_certs_pkcs7 (BIO *in, int do_base_64) -{ - STACK_OF(X509) * cert_stack = NULL; - PKCS7_SIGNED *p7s = NULL; - PKCS7 *p7 = NULL; - BIO *out = NULL; - BIO *b64; - int buflen = 0; - - /* - * Create a PKCS7 object - */ - if ((p7 = PKCS7_new()) == NULL) { - printf("pkcs7_new failed"); - goto cleanup; - } - /* - * Create the PKCS7 signed object - */ - if ((p7s = PKCS7_SIGNED_new()) == NULL) { - printf("pkcs7_signed_new failed"); - goto cleanup; - } - /* - * Set the version - */ - if (!ASN1_INTEGER_set(p7s->version, 1)) { - printf("ASN1_integer_set failed"); - goto cleanup; - } - - /* - * Create a stack of X509 certs - */ - if ((cert_stack = sk_X509_new_null()) == NULL) { - printf("stack malloc failed"); - goto cleanup; - } - - /* - * Populate the cert stack - */ - if (est_add_certs_from_BIO(cert_stack, in) < 0) { - printf("Unable to load certificates"); - ossl_dump_ssl_errors(); - goto cleanup; - } - - /* - * Create the BIO which will receive the output - */ - out = BIO_new(BIO_s_mem()); - if (!out) { - printf("BIO_new failed"); - goto cleanup; - } - - /* - * Add the base64 encoder if needed - */ - if (do_base_64) { - b64 = BIO_new(BIO_f_base64()); - if (b64 == NULL) { - printf("BIO_new failed while attempting to create base64 BIO"); - ossl_dump_ssl_errors(); - goto cleanup; - } - out = BIO_push(b64, out); - } - - p7->type = OBJ_nid2obj(NID_pkcs7_signed); - p7->d.sign = p7s; - p7s->contents->type = OBJ_nid2obj(NID_pkcs7_data); - p7s->cert = cert_stack; - - /* - * Convert from PEM to PKCS7 - */ - buflen = i2d_PKCS7_bio(out, p7); - if (!buflen) { - printf("PEM_write_bio_PKCS7 failed"); - ossl_dump_ssl_errors(); - BIO_free_all(out); - out = NULL; - goto cleanup; - } - (void)BIO_flush(out); - -cleanup: - /* - * Only need to cleanup p7. This frees up the p7s and - * cert_stack allocations for us since these are linked - * to the p7. 
- */ - if (p7) { - PKCS7_free(p7); - } - - return out; -} - -static -EST_ERROR est_load_ca_certs (unsigned char *raw, int size) -{ - BIO *cacerts = NULL; - BIO *in; - unsigned char *retval; - - in = BIO_new_mem_buf(raw, size); - if (in == NULL) { - printf("Unable to open the raw cert buffer"); - return (EST_ERR_LOAD_CACERTS); - } - - /* - * convert the CA certs to PKCS7 encoded char array - * This is used by an EST server to respond to the - * cacerts request. - */ - cacerts = est_get_certs_pkcs7(in, 1); - if (!cacerts) { - printf("est_get_certs_pkcs7 failed"); - BIO_free(in); - return (EST_ERR_LOAD_CACERTS); - } - - brski_ca_certs_len = (int) BIO_get_mem_data(cacerts, (char**)&retval); - if (brski_ca_certs_len <= 0) { - printf("Failed to copy PKCS7 data"); - BIO_free_all(cacerts); - BIO_free(in); - return (EST_ERR_LOAD_CACERTS); - } - - brski_ca_certs = malloc(brski_ca_certs_len); - if (!brski_ca_certs) { - printf("malloc failed"); - BIO_free_all(cacerts); - BIO_free(in); - return (EST_ERR_LOAD_CACERTS); - } - memcpy(brski_ca_certs, retval, brski_ca_certs_len); - BIO_free_all(cacerts); - BIO_free(in); - return (EST_ERR_NONE); -} - static char digest_user[3][34] = { "estuser", "estrealm", ""}; /* - * This callback is invoked by CiscoEST when performing - * HTTP authentication of the EST client. CiscoEST will + * This callback is invoked by libEST when performing + * HTTP authentication of the EST client. libEST will * parse the auth credentials from the HTTP header. We - * must validate the user ourselves since CiscoEST does + * must validate the user ourselves since libEST does * not maintain a user database. This allows us to hook * into a Radius server, or some other external user * database. 
@@ -1321,7 +786,7 @@ int process_http_auth (EST_CTX *ctx, EST_HTTP_AUTH_HDR *ah, X509 *peer_cert,
* or some external database to authenticate a
* userID/password. But for this example code,
* we just hard-code a local user for testing
- * the CiscoEST API.
+ * the libEST API.
*/
if (!strcmp(ah->user, "estuser") && !strcmp(ah->pwd, "estpwd")) {
/* The user is valid */
@@ -1505,7 +970,6 @@ int main (int argc, char **argv)
{"srp", 1, NULL, 0},
{"enforce-csr", 0, NULL, 0},
{"token", 1, 0, 0},
- {"enable-brski", 0, 0, 0},
{"keypass", 1, 0, 0},
{"keypass_stdin", 1, 0, 0 },
{"keypass_arg", 1, 0, 0 },
@@ -1556,10 +1020,6 @@ int main (int argc, char **argv)
strncpy(priv_key_pwd, optarg, MAX_PWD_LEN);
priv_key_cb = string_password_cb;
}
- if (!strncmp(long_options[option_index].name, "enable-brski",
- strlen("enable-brski"))) {
- brski_mode = 1;
- }
break;
case 'm':
manual_enroll = 1;
@@ -1785,46 +1245,12 @@ int main (int argc, char **argv)
printf("\nUnable to set EST CSR Attributes callback. Aborting!!!\n");
exit(1);
}
- if (brski_mode) {
- /*
- * register the brski call backs.
- */
- if (est_set_brski_voucher_req_cb(ectx, &process_brski_voucher_request)) {
- printf(
- "\nUnable to set EST BRSKI voucher request callback. Aborting!!!\n");
- exit(1);
- }
- if (est_set_brski_voucher_status_cb(ectx, &process_brski_voucher_status)) {
- printf(
- "\nUnable to set EST BRSKI voucher request callback. Aborting!!!\n");
- exit(1);
- }
- if (est_set_brski_enroll_status_cb(ectx, &process_brski_enroll_status)) {
- printf(
- "\nUnable to set EST BRSKI voucher request callback. Aborting!!!\n");
- exit(1);
- }
-
- /*
- * For EST /cacerts, the CA certs response can be processed two ways,
- * they can be provided to the EST library and the library repsonds
- * directly, or the application layer can provide a call back and
- * it provides the response buffer containing the CA certs. The estserver
- * test app does it the first way, so the EST library responds directly.
- * With BRSKI, this response of the CA certs is contained in the voucher, so
- * the application layer needs to be responsible for preparing the response.
- * The following code is replicated from the EST library.
- */
- if (est_load_ca_certs(cacerts_raw, cacerts_len)) {
- printf("Failed to load CA certificates response buffer");
- }
- }
if (!http_auth_disable) {
if (est_set_http_auth_cb(ectx, &process_http_auth)) {
printf("\nUnable to set EST HTTP AUTH callback. Aborting!!!\n");
exit(1);
}
- }
+ }
if (disable_forced_http_auth) {
if (verbose) printf(
diff --git a/example/server/ossl_srv.c b/example/server/ossl_srv.c
index 4503c66..0b9abd0 100644
--- a/example/server/ossl_srv.c
+++ b/example/server/ossl_srv.c
@@ -2144,7 +2144,6 @@ BIO * ossl_simple_enroll(const char *p10buf, int p10len) {
conf = NULL;
key = NULL;
section = NULL;
- memset(buf[2], 0, sizeof(buf[2]));
preserve = 0;
msie_hack = 0;
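Review bot: Removing `memset(buf[2], 0, sizeof(buf[2]));` leaves `buf[2]` holding whatever it had before, while the neighbouring state (`conf`, `key`, `section`, `preserve`, `msie_hack`) is still reset explicitly; if `buf[2]` is an automatic char array that is later read before it is fully written (this file appears to be derived from OpenSSL's ca application, where `buf` is such an array), the change reintroduces an uninitialized read. The declaration of `buf` and its later uses are outside the hunk, so this cannot be confirmed here; either keep the memset or add a comment saying why clearing it is no longer needed. ossl_simple_enroll starts before and ends after this hunk.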
diff --git a/example/util/jsmn.c b/example/util/jsmn.c
deleted file mode 100644
index bcd6392..0000000
--- a/example/util/jsmn.c
+++ /dev/null
@@ -1,314 +0,0 @@ -#include "jsmn.h" - -/** - * Allocates a fresh unused token from the token pull. - */ -static jsmntok_t *jsmn_alloc_token(jsmn_parser *parser, - jsmntok_t *tokens, size_t num_tokens) { - jsmntok_t *tok; - if (parser->toknext >= num_tokens) { - return NULL; - } - tok = &tokens[parser->toknext++]; - tok->start = tok->end = -1; - tok->size = 0; -#ifdef JSMN_PARENT_LINKS - tok->parent = -1; -#endif - return tok; -} - -/** - * Fills token type and boundaries. - */ -static void jsmn_fill_token(jsmntok_t *token, jsmntype_t type, - int start, int end) { - token->type = type; - token->start = start; - token->end = end; - token->size = 0; -} - -/** - * Fills next available token with JSON primitive. - */ -static int jsmn_parse_primitive(jsmn_parser *parser, const char *js, - size_t len, jsmntok_t *tokens, size_t num_tokens) { - jsmntok_t *token; - int start; - - start = parser->pos; - - for (; parser->pos < len && js[parser->pos] != '\0'; parser->pos++) { - switch (js[parser->pos]) { -#ifndef JSMN_STRICT - /* In strict mode primitive must be followed by "," or "}" or "]" */ - case ':': -#endif - case '\t' : case '\r' : case '\n' : case ' ' : - case ',' : case ']' : case '}' : - goto found; - } - if (js[parser->pos] < 32 || js[parser->pos] >= 127) { - parser->pos = start; - return JSMN_ERROR_INVAL; - } - } -#ifdef JSMN_STRICT - /* In strict mode primitive must be followed by a comma/object/array */ - parser->pos = start; - return JSMN_ERROR_PART; -#endif - -found: - if (tokens == NULL) { - parser->pos--; - return 0; - } - token = jsmn_alloc_token(parser, tokens, num_tokens); - if (token == NULL) { - parser->pos = start; - return JSMN_ERROR_NOMEM; - } - jsmn_fill_token(token, JSMN_PRIMITIVE, start, parser->pos); -#ifdef JSMN_PARENT_LINKS - token->parent = parser->toksuper; -#endif - parser->pos--; - return 0; -} - -/** - * Fills next token with JSON string. 
- */ -static int jsmn_parse_string(jsmn_parser *parser, const char *js, - size_t len, jsmntok_t *tokens, size_t num_tokens) { - jsmntok_t *token; - - int start = parser->pos; - - parser->pos++; - - /* Skip starting quote */ - for (; parser->pos < len && js[parser->pos] != '\0'; parser->pos++) { - char c = js[parser->pos]; - - /* Quote: end of string */ - if (c == '\"') { - if (tokens == NULL) { - return 0; - } - token = jsmn_alloc_token(parser, tokens, num_tokens); - if (token == NULL) { - parser->pos = start; - return JSMN_ERROR_NOMEM; - } - jsmn_fill_token(token, JSMN_STRING, start+1, parser->pos); -#ifdef JSMN_PARENT_LINKS - token->parent = parser->toksuper; -#endif - return 0; - } - - /* Backslash: Quoted symbol expected */ - if (c == '\\' && parser->pos + 1 < len) { - int i; - parser->pos++; - switch (js[parser->pos]) { - /* Allowed escaped symbols */ - case '\"': case '/' : case '\\' : case 'b' : - case 'f' : case 'r' : case 'n' : case 't' : - break; - /* Allows escaped symbol \uXXXX */ - case 'u': - parser->pos++; - for(i = 0; i < 4 && parser->pos < len && js[parser->pos] != '\0'; i++) { - /* If it isn't a hex character we have an error */ - if(!((js[parser->pos] >= 48 && js[parser->pos] <= 57) || /* 0-9 */ - (js[parser->pos] >= 65 && js[parser->pos] <= 70) || /* A-F */ - (js[parser->pos] >= 97 && js[parser->pos] <= 102))) { /* a-f */ - parser->pos = start; - return JSMN_ERROR_INVAL; - } - parser->pos++; - } - parser->pos--; - break; - /* Unexpected symbol */ - default: - parser->pos = start; - return JSMN_ERROR_INVAL; - } - } - } - parser->pos = start; - return JSMN_ERROR_PART; -} - -/** - * Parse JSON string and fill tokens. 
- */ -int jsmn_parse(jsmn_parser *parser, const char *js, size_t len, - jsmntok_t *tokens, unsigned int num_tokens) { - int r; - int i; - jsmntok_t *token; - int count = parser->toknext; - - for (; parser->pos < len && js[parser->pos] != '\0'; parser->pos++) { - char c; - jsmntype_t type; - - c = js[parser->pos]; - switch (c) { - case '{': case '[': - count++; - if (tokens == NULL) { - break; - } - token = jsmn_alloc_token(parser, tokens, num_tokens); - if (token == NULL) - return JSMN_ERROR_NOMEM; - if (parser->toksuper != -1) { - tokens[parser->toksuper].size++; -#ifdef JSMN_PARENT_LINKS - token->parent = parser->toksuper; -#endif - } - token->type = (c == '{' ? JSMN_OBJECT : JSMN_ARRAY); - token->start = parser->pos; - parser->toksuper = parser->toknext - 1; - break; - case '}': case ']': - if (tokens == NULL) - break; - type = (c == '}' ? JSMN_OBJECT : JSMN_ARRAY); -#ifdef JSMN_PARENT_LINKS - if (parser->toknext < 1) { - return JSMN_ERROR_INVAL; - } - token = &tokens[parser->toknext - 1]; - for (;;) { - if (token->start != -1 && token->end == -1) { - if (token->type != type) { - return JSMN_ERROR_INVAL; - } - token->end = parser->pos + 1; - parser->toksuper = token->parent; - break; - } - if (token->parent == -1) { - if(token->type != type || parser->toksuper == -1) { - return JSMN_ERROR_INVAL; - } - break; - } - token = &tokens[token->parent]; - } -#else - for (i = parser->toknext - 1; i >= 0; i--) { - token = &tokens[i]; - if (token->start != -1 && token->end == -1) { - if (token->type != type) { - return JSMN_ERROR_INVAL; - } - parser->toksuper = -1; - token->end = parser->pos + 1; - break; - } - } - /* Error if unmatched closing bracket */ - if (i == -1) return JSMN_ERROR_INVAL; - for (; i >= 0; i--) { - token = &tokens[i]; - if (token->start != -1 && token->end == -1) { - parser->toksuper = i; - break; - } - } -#endif - break; - case '\"': - r = jsmn_parse_string(parser, js, len, tokens, num_tokens); - if (r < 0) return r; - count++; - if (parser->toksuper 
!= -1 && tokens != NULL) - tokens[parser->toksuper].size++; - break; - case '\t' : case '\r' : case '\n' : case ' ': - break; - case ':': - parser->toksuper = parser->toknext - 1; - break; - case ',': - if (tokens != NULL && parser->toksuper != -1 && - tokens[parser->toksuper].type != JSMN_ARRAY && - tokens[parser->toksuper].type != JSMN_OBJECT) { -#ifdef JSMN_PARENT_LINKS - parser->toksuper = tokens[parser->toksuper].parent; -#else - for (i = parser->toknext - 1; i >= 0; i--) { - if (tokens[i].type == JSMN_ARRAY || tokens[i].type == JSMN_OBJECT) { - if (tokens[i].start != -1 && tokens[i].end == -1) { - parser->toksuper = i; - break; - } - } - } -#endif - } - break; -#ifdef JSMN_STRICT - /* In strict mode primitives are: numbers and booleans */ - case '-': case '0': case '1' : case '2': case '3' : case '4': - case '5': case '6': case '7' : case '8': case '9': - case 't': case 'f': case 'n' : - /* And they must not be keys of the object */ - if (tokens != NULL && parser->toksuper != -1) { - jsmntok_t *t = &tokens[parser->toksuper]; - if (t->type == JSMN_OBJECT || - (t->type == JSMN_STRING && t->size != 0)) { - return JSMN_ERROR_INVAL; - } - } -#else - /* In non-strict mode every unquoted value is a primitive */ - default: -#endif - r = jsmn_parse_primitive(parser, js, len, tokens, num_tokens); - if (r < 0) return r; - count++; - if (parser->toksuper != -1 && tokens != NULL) - tokens[parser->toksuper].size++; - break; - -#ifdef JSMN_STRICT - /* Unexpected char in strict mode */ - default: - return JSMN_ERROR_INVAL; -#endif - } - } - - if (tokens != NULL) { - for (i = parser->toknext - 1; i >= 0; i--) { - /* Unmatched opened object or array */ - if (tokens[i].start != -1 && tokens[i].end == -1) { - return JSMN_ERROR_PART; - } - } - } - - return count; -} - -/** - * Creates a new parser based over a given buffer with an array of tokens - * available. - */ -void jsmn_init(jsmn_parser *parser) { - parser->pos = 0; - parser->toknext = 0; - parser->toksuper = -1; -} - 
diff --git a/example/util/jsmn.h b/example/util/jsmn.h deleted file mode 100644 index 5a5200e..0000000 --- a/example/util/jsmn.h +++ /dev/null @@ -1,76 +0,0 @@ -#ifndef __JSMN_H_ -#define __JSMN_H_ - -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * JSON type identifier. Basic types are: - * o Object - * o Array - * o String - * o Other primitive: number, boolean (true/false) or null - */ -typedef enum { - JSMN_UNDEFINED = 0, - JSMN_OBJECT = 1, - JSMN_ARRAY = 2, - JSMN_STRING = 3, - JSMN_PRIMITIVE = 4 -} jsmntype_t; - -enum jsmnerr { - /* Not enough tokens were provided */ - JSMN_ERROR_NOMEM = -1, - /* Invalid character inside JSON string */ - JSMN_ERROR_INVAL = -2, - /* The string is not a full JSON packet, more bytes expected */ - JSMN_ERROR_PART = -3 -}; - -/** - * JSON token description. - * type type (object, array, string etc.) - * start start position in JSON data string - * end end position in JSON data string - */ -typedef struct { - jsmntype_t type; - int start; - int end; - int size; -#ifdef JSMN_PARENT_LINKS - int parent; -#endif -} jsmntok_t; - -/** - * JSON parser. Contains an array of token blocks available. Also stores - * the string being parsed now and current position in that string - */ -typedef struct { - unsigned int pos; /* offset in the JSON string */ - unsigned int toknext; /* next token to allocate */ - int toksuper; /* superior token node, e.g parent object or array */ -} jsmn_parser; - -/** - * Create JSON parser over an array of tokens - */ -void jsmn_init(jsmn_parser *parser); - -/** - * Run JSON parser. It parses a JSON data string into and array of tokens, each describing - * a single JSON object. - */ -int jsmn_parse(jsmn_parser *parser, const char *js, size_t len, - jsmntok_t *tokens, unsigned int num_tokens); - -#ifdef __cplusplus -} -#endif - -#endif /* __JSMN_H_ */ diff --git a/example/util/utils.c b/example/util/utils.c index 9caf5c1..688aa75 100644 --- a/example/util/utils.c +++ b/example/util/utils.c 
@@ -3,7 +3,7 @@ * * August, 2013 * - * Copyright (c) 2013, 2016, 2017 by cisco Systems, Inc. + * Copyright (c) 2013, 2016 by cisco Systems, Inc. * All rights reserved. *------------------------------------------------------------------ */ @@ -22,31 +22,6 @@ */ #define EST_PRIVATE_KEY_ENC EVP_aes_128_cbc() - -/* - * This function can be used to output the OpenSSL - * error buffer. This is useful when an OpenSSL - * API call fails and you'd like to provide some - * detail to the user regarding the cause of the - * failure. - */ -void ossl_dump_ssl_errors () -{ - BIO *e = NULL; - BUF_MEM *bptr = NULL; - - e = BIO_new(BIO_s_mem()); - if (!e) { - EST_LOG_ERR("BIO_new failed"); - return; - } - ERR_print_errors(e); - (void)BIO_flush(e); - BIO_get_mem_ptr(e, &bptr); - EST_LOG_WARN("OSSL error: %s", bptr->data); - BIO_free_all(e); -} - /* * Reads a file into an unsigned char array. * The array should not be allocated prior to calling this @@ -204,15 +179,9 @@ char *generate_private_EC_key (int curve_nid, pem_password_cb *cb) } group = EC_GROUP_new_by_curve_name(curve_nid); - if (!group) { - return NULL; - } EC_GROUP_set_asn1_flag(group, asn1_flag); EC_GROUP_set_point_conversion_form(group, form); EC_KEY_set_group(eckey, group); - if (!EC_KEY_set_group(eckey, group)) { - return NULL; - } if (!EC_KEY_generate_key(eckey)) { return (NULL); } diff --git a/example/util/utils.h b/example/util/utils.h index ed98e55..644bb53 100644 --- a/example/util/utils.h +++ b/example/util/utils.h @@ -3,7 +3,7 @@ * * August, 2013 * - * Copyright (c) 2013 by cisco Systems, Inc. + * Copyright (c) 2013, 2016 by cisco Systems, Inc. * All rights reserved. *------------------------------------------------------------------ */ @@ -14,7 +14,6 @@ #define MAX_UID_LEN 255 #define MAX_PWD_LEN 255 -void ossl_dump_ssl_errors (); int read_binary_file(char *filename, unsigned char **contents); void write_binary_file(char *filename, unsigned char *contents, int len); void dumpbin(unsigned char *buf, int len); 
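Review bot: The `if (!group) return NULL;` guard after `group = EC_GROUP_new_by_curve_name(curve_nid);` is gone, so an unknown or unsupported `curve_nid` now reaches `EC_GROUP_set_asn1_flag(group, asn1_flag)` with a NULL group instead of failing cleanly, and the result of `EC_KEY_set_group(eckey, group)` is no longer checked either. Since `curve_nid` is a caller-supplied parameter, keep both guards: `if (!group) { return NULL; }` and `if (!EC_KEY_set_group(eckey, group)) { return NULL; }`, ideally releasing `eckey` (and `group`) on those paths, which the removed version also did not do. `generate_private_EC_key` begins and ends outside the hunk, so whether a later cleanup label exists cannot be seen here.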
diff --git a/src/est/Makefile.am b/src/est/Makefile.am index 6e48f9d..ee2d2db 100644 --- a/src/est/Makefile.am +++ b/src/est/Makefile.am @@ -1,25 +1,10 @@ -if ENABLE_CLIENT_ONLY -lib_LTLIBRARIES = libest_client.la -AM_CFLAGS = -I$(SSL_CFLAGS) -I../.. -I$(SAFEC_CFLAGS)/include $(LIBCURL_CFLAGS) -libest_client_la_LDFLAGS = -release $(PACKAGE_VERSION) -libest_client_la_SOURCES = est.c est_client.c est_client_http.c est_ossl_util.c est_client_proxy.c jsmn.c - -libest_client_la_LIBADD = $(SAFEC_LDFLAGS) -library_includedir=$(includedir)/est -library_include_HEADERS = est.h -EXTRA_DIST = est_locl.h est_ossl_util.h est_client_proxy.h est_sock_compat.h jsmn.h - -else - lib_LTLIBRARIES = libest.la AM_CFLAGS = -I$(SSL_CFLAGS) -I../.. -I$(SAFEC_CFLAGS)/include $(LIBCURL_CFLAGS) libest_la_LDFLAGS = -release $(PACKAGE_VERSION) libest_la_SOURCES = est.c est_client.c est_server.c est_server_http.c \ - est_proxy.c est_client_http.c est_ossl_util.c est_client_proxy.c jsmn.c + est_proxy.c est_client_http.c est_ossl_util.c est_client_proxy.c libest_la_LIBADD = $(SAFEC_LDFLAGS) library_includedir=$(includedir)/est library_include_HEADERS = est.h -EXTRA_DIST = est_locl.h est_ossl_util.h est_server.h est_server_http.h est_client_proxy.h est_sock_compat.h jsmn.h - -endif \ No newline at end of file +EXTRA_DIST = est_locl.h est_ossl_util.h est_server.h est_server_http.h est_client_proxy.h est_sock_compat.h diff --git a/src/est/Makefile.in b/src/est/Makefile.in index 6ab5ac0..2525cbd 100644 --- a/src/est/Makefile.in +++ b/src/est/Makefile.in @@ -97,8 +97,8 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) -DIST_COMMON = $(srcdir)/Makefile.am \ - $(am__library_include_HEADERS_DIST) $(am__DIST_COMMON) +DIST_COMMON = $(srcdir)/Makefile.am $(library_include_HEADERS) \ + $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = 
@@ -133,16 +133,10 @@ am__installdirs = "$(DESTDIR)$(libdir)" \ "$(DESTDIR)$(library_includedir)" LTLIBRARIES = $(lib_LTLIBRARIES) am__DEPENDENCIES_1 = -@ENABLE_CLIENT_ONLY_FALSE@libest_la_DEPENDENCIES = \ -@ENABLE_CLIENT_ONLY_FALSE@ $(am__DEPENDENCIES_1) -am__libest_la_SOURCES_DIST = est.c est_client.c est_server.c \ - est_server_http.c est_proxy.c est_client_http.c \ - est_ossl_util.c est_client_proxy.c jsmn.c -@ENABLE_CLIENT_ONLY_FALSE@am_libest_la_OBJECTS = est.lo est_client.lo \ -@ENABLE_CLIENT_ONLY_FALSE@ est_server.lo est_server_http.lo \ -@ENABLE_CLIENT_ONLY_FALSE@ est_proxy.lo est_client_http.lo \ -@ENABLE_CLIENT_ONLY_FALSE@ est_ossl_util.lo est_client_proxy.lo \ -@ENABLE_CLIENT_ONLY_FALSE@ jsmn.lo +libest_la_DEPENDENCIES = $(am__DEPENDENCIES_1) +am_libest_la_OBJECTS = est.lo est_client.lo est_server.lo \ + est_server_http.lo est_proxy.lo est_client_http.lo \ + est_ossl_util.lo est_client_proxy.lo libest_la_OBJECTS = $(am_libest_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) 
@@ -151,21 +145,6 @@ am__v_lt_1 = libest_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(libest_la_LDFLAGS) $(LDFLAGS) -o $@ -@ENABLE_CLIENT_ONLY_FALSE@am_libest_la_rpath = -rpath $(libdir) -@ENABLE_CLIENT_ONLY_TRUE@libest_client_la_DEPENDENCIES = \ -@ENABLE_CLIENT_ONLY_TRUE@ $(am__DEPENDENCIES_1) -am__libest_client_la_SOURCES_DIST = est.c est_client.c \ - est_client_http.c est_ossl_util.c est_client_proxy.c jsmn.c -@ENABLE_CLIENT_ONLY_TRUE@am_libest_client_la_OBJECTS = est.lo \ -@ENABLE_CLIENT_ONLY_TRUE@ est_client.lo est_client_http.lo \ -@ENABLE_CLIENT_ONLY_TRUE@ est_ossl_util.lo est_client_proxy.lo \ -@ENABLE_CLIENT_ONLY_TRUE@ jsmn.lo -libest_client_la_OBJECTS = $(am_libest_client_la_OBJECTS) -libest_client_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ - $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ - $(AM_CFLAGS) $(CFLAGS) $(libest_client_la_LDFLAGS) $(LDFLAGS) \ - -o $@ -@ENABLE_CLIENT_ONLY_TRUE@am_libest_client_la_rpath = -rpath $(libdir) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -200,15 +179,13 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(libest_la_SOURCES) $(libest_client_la_SOURCES) -DIST_SOURCES = $(am__libest_la_SOURCES_DIST) \ - $(am__libest_client_la_SOURCES_DIST) +SOURCES = $(libest_la_SOURCES) +DIST_SOURCES = $(libest_la_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac -am__library_include_HEADERS_DIST = est.h HEADERS = $(library_include_HEADERS) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, 
@@ -354,24 +331,16 @@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ -@ENABLE_CLIENT_ONLY_FALSE@lib_LTLIBRARIES = libest.la -@ENABLE_CLIENT_ONLY_TRUE@lib_LTLIBRARIES = libest_client.la -@ENABLE_CLIENT_ONLY_FALSE@AM_CFLAGS = -I$(SSL_CFLAGS) -I../.. -I$(SAFEC_CFLAGS)/include $(LIBCURL_CFLAGS) -@ENABLE_CLIENT_ONLY_TRUE@AM_CFLAGS = -I$(SSL_CFLAGS) -I../.. -I$(SAFEC_CFLAGS)/include $(LIBCURL_CFLAGS) -@ENABLE_CLIENT_ONLY_TRUE@libest_client_la_LDFLAGS = -release $(PACKAGE_VERSION) -@ENABLE_CLIENT_ONLY_TRUE@libest_client_la_SOURCES = est.c est_client.c est_client_http.c est_ossl_util.c est_client_proxy.c jsmn.c -@ENABLE_CLIENT_ONLY_TRUE@libest_client_la_LIBADD = $(SAFEC_LDFLAGS) -@ENABLE_CLIENT_ONLY_FALSE@library_includedir = $(includedir)/est -@ENABLE_CLIENT_ONLY_TRUE@library_includedir = $(includedir)/est -@ENABLE_CLIENT_ONLY_FALSE@library_include_HEADERS = est.h -@ENABLE_CLIENT_ONLY_TRUE@library_include_HEADERS = est.h -@ENABLE_CLIENT_ONLY_FALSE@EXTRA_DIST = est_locl.h est_ossl_util.h est_server.h est_server_http.h est_client_proxy.h est_sock_compat.h jsmn.h -@ENABLE_CLIENT_ONLY_TRUE@EXTRA_DIST = est_locl.h est_ossl_util.h est_client_proxy.h est_sock_compat.h jsmn.h -@ENABLE_CLIENT_ONLY_FALSE@libest_la_LDFLAGS = -release $(PACKAGE_VERSION) -@ENABLE_CLIENT_ONLY_FALSE@libest_la_SOURCES = est.c est_client.c est_server.c est_server_http.c \ -@ENABLE_CLIENT_ONLY_FALSE@ est_proxy.c est_client_http.c est_ossl_util.c est_client_proxy.c jsmn.c - -@ENABLE_CLIENT_ONLY_FALSE@libest_la_LIBADD = $(SAFEC_LDFLAGS) +lib_LTLIBRARIES = libest.la +AM_CFLAGS = -I$(SSL_CFLAGS) -I../.. 
-I$(SAFEC_CFLAGS)/include $(LIBCURL_CFLAGS) +libest_la_LDFLAGS = -release $(PACKAGE_VERSION) +libest_la_SOURCES = est.c est_client.c est_server.c est_server_http.c \ + est_proxy.c est_client_http.c est_ossl_util.c est_client_proxy.c + +libest_la_LIBADD = $(SAFEC_LDFLAGS) +library_includedir = $(includedir)/est +library_include_HEADERS = est.h +EXTRA_DIST = est_locl.h est_ossl_util.h est_server.h est_server_http.h est_client_proxy.h est_sock_compat.h all: all-am .SUFFIXES: @@ -442,10 +411,7 @@ clean-libLTLIBRARIES: } libest.la: $(libest_la_OBJECTS) $(libest_la_DEPENDENCIES) $(EXTRA_libest_la_DEPENDENCIES) - $(AM_V_CCLD)$(libest_la_LINK) $(am_libest_la_rpath) $(libest_la_OBJECTS) $(libest_la_LIBADD) $(LIBS) - -libest_client.la: $(libest_client_la_OBJECTS) $(libest_client_la_DEPENDENCIES) $(EXTRA_libest_client_la_DEPENDENCIES) - $(AM_V_CCLD)$(libest_client_la_LINK) $(am_libest_client_la_rpath) $(libest_client_la_OBJECTS) $(libest_client_la_LIBADD) $(LIBS) + $(AM_V_CCLD)$(libest_la_LINK) -rpath $(libdir) $(libest_la_OBJECTS) $(libest_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -461,7 +427,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/est_proxy.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/est_server.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/est_server_http.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/jsmn.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ diff --git a/src/est/est.c b/src/est/est.c index 5abbd95..c4afc8a 100644 --- a/src/est/est.c +++ b/src/est/est.c @@ -42,10 +42,8 @@ #endif /* DISABLE_BACKTRACE*/ #endif /* WIN32*/ -#ifndef ENABLE_CLIENT_ONLY static char hex_chpw[] = {0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x07}; -#endif const char *EST_ERR_STRINGS[] = { "EST_ERR_NONE", 
@@ -414,7 +412,7 @@ EVP_PKEY *est_load_key (unsigned char *key, int key_len, int format) } -#ifndef ENABLE_CLIENT_ONLY + /* * This function is used to read the CERTS in a BIO and build a * stack of X509* pointers. This is used during the PEM to @@ -576,6 +574,9 @@ static BIO * est_get_certs_pkcs7 (BIO *in, int do_base_64) * in and loads the certificates on to the context as pkcs7 certs. This is * stored on the EST context and used to respond to the /cacerts request, * which requires PKCS7 encoding. + * + * This function also loads the x509 store on the context used to + * verify the peer. */ EST_ERROR est_load_ca_certs (EST_CTX *ctx, unsigned char *raw, int size) { @@ -628,7 +629,6 @@ EST_ERROR est_load_ca_certs (EST_CTX *ctx, unsigned char *raw, int size) BIO_free(in); return (EST_ERR_NONE); } -#endif /* * Takes a char array containing the PEM encoded CA certificates, @@ -764,18 +764,6 @@ EST_ERROR est_destroy (EST_CTX *ctx) free(ctx->uri_path_segment); } - if(ctx->brski_retrieved_cacert) { - free(ctx->brski_retrieved_cacert); - } - - if(ctx->brski_retrieved_voucher) { - free(ctx->brski_retrieved_voucher); - } - - if (ctx->client_cert_ser_num) { - free(ctx->client_cert_ser_num); - } - if (ctx->dh_tmp) { DH_free(ctx->dh_tmp); } @@ -796,12 +784,10 @@ EST_ERROR est_destroy (EST_CTX *ctx) SSL_CTX_free(ctx->ssl_ctx); } -#ifndef ENABLE_CLIENT_ONLY if (ctx->est_mode == EST_PROXY) { proxy_cleanup(ctx); } -#endif - + /* * And finally free the EST context itself */ @@ -912,6 +898,7 @@ int est_base64_decode (const char *src, char *dst, int dst_size) return (len); } + /* * This routine is used to encode base64 data. * Pass in the unencoded data, the length of the source buffer, 
@@ -1062,8 +1049,7 @@ char * est_get_tls_uid (SSL *ssl, int is_client) /* * This is a utility function to convert a hex value * to a string. This is used with the HTTP digest - * authentication logic and converting a nonce value to - * a string. + * authentication logic. */ void est_hex_to_str (char *dst, unsigned char *src, int len) { @@ -1173,7 +1159,6 @@ EST_ERROR est_asn1_sanity_test (const unsigned char *string, long out_len, return (EST_ERR_NONE); } -#ifndef ENABLE_CLIENT_ONLY /* * est_is_challengePassword_present - take a base64 * encoded ASN.1 string and scan through it to see @@ -1193,7 +1178,7 @@ EST_ERROR est_is_challengePassword_present (const char *base64_ptr, int b64_len, } return (est_asn1_parse_attributes(base64_ptr, b64_len, presence)); } -#endif + /* * est_asn1_parse_attributes - base64 decode and sanity test @@ -1238,7 +1223,6 @@ EST_ERROR est_asn1_parse_attributes (const char *p, int len, int *pop_present) } -#ifndef ENABLE_CLIENT_ONLY /* * est_add_challengePassword - caller has verified that challengePassword * is configured and not included, so add it to the attributes here. @@ -1353,7 +1337,6 @@ EST_ERROR est_add_challengePassword (const char *base64_ptr, int b64_len, } return (EST_ERR_NONE); } -#endif /*! @brief est_add_attributes_helper() Add a NID and its character string to an X509_REQ as an attribute. @@ -1615,14 +1598,6 @@ EST_OPERATION est_parse_operation (char *op_path) operation = EST_OP_SIMPLE_ENROLL; } else if (!est_strcasecmp_s(op_path, EST_SIMPLE_REENROLL)) { operation = EST_OP_SIMPLE_REENROLL; -#if ENABLE_BRSKI - } else if (!est_strcasecmp_s(op_path, EST_BRSKI_GET_VOUCHER)) { - operation = EST_OP_BRSKI_REQ_VOUCHER; - } else if (!est_strcasecmp_s(op_path, EST_BRSKI_VOUCHER_STATUS)) { - operation = EST_OP_BRSKI_VOUCHER_STATUS; - } else if (!est_strcasecmp_s(op_path, EST_BRSKI_ENROLL_STATUS)) { - operation = EST_OP_BRSKI_ENROLL_STATUS; -#endif } else { operation = EST_OP_MAX; } 
@@ -1818,14 +1793,6 @@ EST_ERROR est_parse_uri (char *uri, EST_OPERATION *operation, *operation = EST_OP_SIMPLE_REENROLL; } else if (strncmp(uri, EST_CSR_ATTRS_URI, EST_URI_MAX_LEN) == 0) { *operation = EST_OP_CSRATTRS; -#if ENABLE_BRSKI - } else if (strncmp(uri, EST_BRSKI_GET_VOUCHER_URI, EST_URI_MAX_LEN) == 0) { - *operation = EST_OP_BRSKI_REQ_VOUCHER; - } else if (strncmp(uri, EST_BRSKI_VOUCHER_STATUS_URI, EST_URI_MAX_LEN) == 0) { - *operation = EST_OP_BRSKI_VOUCHER_STATUS; - } else if (strncmp(uri, EST_BRSKI_ENROLL_STATUS_URI, EST_URI_MAX_LEN) == 0) { - *operation = EST_OP_BRSKI_ENROLL_STATUS; -#endif } else { *operation = EST_OP_MAX; rc = EST_ERR_HTTP_INVALID_PATH_SEGMENT; @@ -1855,8 +1822,8 @@ EST_ERROR est_store_path_segment (EST_CTX *ctx, char *path_segment, return EST_ERR_MALLOC; } - if (EOK != strcpy_s(ctx->uri_path_segment, path_segment_len+1, - path_segment)) { + if (EOK != strncpy_s(ctx->uri_path_segment, path_segment_len+1, + path_segment, path_segment_len)) { return EST_ERR_HTTP_INVALID_PATH_SEGMENT; } ctx->uri_path_segment[path_segment_len] = '\0'; 
@@ -1873,110 +1840,12 @@ int est_strcasecmp_s (char *s1, char *s2) safec_rc = strcasecmp_s(s1, strnlen_s(s1, RSIZE_MAX_STR), s2, &diff); if (safec_rc != EOK) { - /* - * Log that we encountered a SafeC error - */ - EST_LOG_INFO("strcasecmp_s error 0x%xO\n", safec_rc); + /* + * Log that we encountered a SafeC error + */ + EST_LOG_INFO("strcasecmp_s error 0x%xO\n", safec_rc); } return diff; } -size_t est_strcspn(const char * str1,const char * str2) -{ - rsize_t count; - errno_t safec_rc; - - if ((str1 != NULL) && (str1[0] == '\0')) { - return 0; - } - - safec_rc = strcspn_s(str1, strnlen_s(str1, RSIZE_MAX_STR), - str2, RSIZE_MAX_STR, &count); - if (safec_rc != EOK) { - EST_LOG_INFO("strcspn_s error 0x%xO\n", safec_rc); - return 0; - } - - return count; -} - - -size_t est_strspn(const char * str1,const char * str2) -{ - rsize_t count; - errno_t safec_rc; - - if ((str1 != NULL) && (str1[0] == '\0')) { - return 0; - } - - safec_rc = strspn_s(str1, strnlen_s(str1, RSIZE_MAX_STR), - str2, RSIZE_MAX_STR, &count); - if (safec_rc != EOK) { - EST_LOG_INFO("strspn_s error 0x%xO\n", safec_rc); - return 0; - } - - return count; - -} - - -// Skip the characters until one of the delimiters characters found. -// 0-terminate resulting word. Skip the delimiter and following whitespaces. -// Advance pointer to buffer to the next word. Return found 0-terminated word. -// Delimiters can be quoted with quotechar. 
-char *skip_quoted (char **buf, const char *delimiters, - const char *whitespace, char quotechar) -{ - char *p, *begin_word, *end_word, *end_whitespace; - - begin_word = *buf; - - end_word = begin_word + est_strcspn(begin_word,delimiters); - - // Check for quotechar - if (end_word > begin_word) { - p = end_word - 1; - while (*p == quotechar) { - // If there is anything beyond end_word, copy it - if (*end_word == '\0') { - *p = '\0'; - break; - } else { - - rsize_t end_off = (rsize_t) est_strcspn(end_word + 1, delimiters); - memmove_s(p, end_off + 1, end_word, end_off + 1); - p += end_off; // p must correspond to end_word - 1 - end_word += end_off + 1; - } - } - for (p++; p < end_word; p++) { - *p = '\0'; - } - } - - if (*end_word == '\0') { - *buf = end_word; - } else { - - end_whitespace = end_word + 1 + est_strspn(end_word + 1, whitespace); - - for (p = end_word; p < end_whitespace; p++) { - *p = '\0'; - } - - *buf = end_whitespace; - } - - return begin_word; -} - -// Simplified version of skip_quoted without quote char -// and whitespace == delimiters -char *skip (char **buf, const char *delimiters) -{ - return skip_quoted(buf, delimiters, delimiters, 0); -} - diff --git a/src/est/est.h b/src/est/est.h index 0c0a380..67cac82 100644 --- a/src/est/est.h +++ b/src/est/est.h @@ -140,14 +140,6 @@ typedef enum { E(EST_ERR_CLIENT_PROXY_MODE_NOT_SUPPORTED) \ E(EST_ERR_INVALID_CLIENT_PROXY_PROTOCOL) \ E(EST_ERR_INVALID_CLIENT_PROXY_AUTH) \ - E(EST_ERR_CLIENT_BRSKI_MODE_NOT_SUPPORTED) \ - E(EST_ERR_CLIENT_BRSKI_NO_VOUCHER) \ - E(EST_ERR_CLIENT_BRSKI_NONCE_MISSING) \ - E(EST_ERR_CLIENT_BRSKI_NONCE_MISMATCH) \ - E(EST_ERR_CLIENT_BRSKI_NONCE_TOO_LARGE) \ - E(EST_ERR_CLIENT_BRSKI_SERIAL_NUM_MISSING) \ - E(EST_ERR_CLIENT_BRSKI_SERIAL_NUM_MISMATCH) \ - E(EST_ERR_CLIENT_BRSKI_SERIAL_NUM_TOO_LARGE) \ E(EST_ERR_UNKNOWN) #define GENERATE_ENUM(ENUM) ENUM, 
@@ -233,15 +225,6 @@ typedef enum { \n EST_ERR_CLIENT_PROXY_MODE_NOT_SUPPORTED LibEST was not built with libcurl support. Libcurl is required for client proxy mode. \n EST_ERR_INVALID_CLIENT_PROXY_PROTOCOL Invalid proxy protocol specified when configuring client mode for HTTP/Socks proxy. \n EST_ERR_INVALID_CLIENT_PROXY_AUTH Invalid proxy authentication mode specified when configuring client mode for HTTP/Socks proxy. -\n EST_ERR_CLIENT_BRSKI_MODE_NOT_SUPPORTED LibEST was not built with BRSKI mode enabled. -\n EST_ERR_CLIENT_BRSKI_NO_VOUCHER BRSKI mode: no voucher to pass up to application. -\n EST_ERR_CLIENT_BRSKI_NONCE_MISSING BRSKI mode: Nonce missing from voucher. -\n EST_ERR_CLIENT_BRSKI_NONCE_MISMATCH BRSKI mode: returned nonce does not match nonce sent. -\n EST_ERR_CLIENT_BRSKI_NONCE_TOO_LARGE BRSKI mode: returned nonce larger than maximum length. -\n EST_ERR_CLIENT_BRSKI_SERIAL_NUM_MISSING BRSKI mode: Serial Number missing from client cert. -\n EST_ERR_CLIENT_BRSKI_SERIAL_NUM_MISMATCH BRSKI mode: Serial Number in voucher does not match with mfg serial number. -\n EST_ERR_CLIENT_BRSKI_SERIAL_NUM_TOO_LARGE BRSKI mode: Serial Number in voucher is larger than maximum length. - \n EST_ERR_LAST Last error in the enum definition. Should never be used. */ typedef enum { 
@@ -301,21 +284,6 @@ typedef enum { #define MAX_AUTH_TOKEN_LEN (512) #define MAX_HTTP_METHOD_LEN (5) -#define EST_BRSKI_MAX_SER_NUM_LEN (64) -#define EST_BRSKI_MAX_VOUCHER_REQ_LEN (16384) -#define EST_BRSKI_MAX_VOUCHER_LEN (16384) -#define EST_BRSKI_MAX_CACERT_LEN (8192) -#define EST_BRSKI_VOUCHER_REQ_NONCE_SIZE (32) -#define EST_BRSKI_MAX_SUBJ_KEY_ID_LEN (24) -#define EST_BRSKI_MAX_REASON_LEN (255) -#define EST_BRSKI_MAX_STATUS_LEN (128+EST_BRSKI_MAX_REASON_LEN) /* both voucher and enroll */ -#define BRSKI_VERSION "1" - -typedef enum { - EST_BRSKI_STATUS_SUCCESS = 1, - EST_BRSKI_STATUS_FAIL, -} EST_BRSKI_STATUS_VALUE; - /* * The following values define the minimum, maximum, and default * values for the timeout value for the SSL read operations. 
@@ -409,66 +377,6 @@ typedef struct est_ctx EST_CTX; */ typedef EST_HTTP_AUTH_CRED_RC (*auth_credentials_cb)(EST_HTTP_AUTH_HDR *auth_credentials); -/* - * Defines the valid return codes that the application layer's BRSKI callback - * function can provide. - */ -typedef enum { - EST_BRSKI_CB_SUCCESS = 1, - EST_BRSKI_CB_RETRY, - EST_BRSKI_CB_INVALID_PARAMETER, - EST_BRSKI_CB_FAILURE, -} EST_BRSKI_CALLBACK_RC; - -/*! @typedef brski_voucher_req_cb - * @brief This typedef defines the prototype of the callback function that is - * to reside in the application code. The application can register - * this function callback using the est_set_brski_voucher_req_cb() API - * function. This callback is called by the EST server library when - * it receives a BRSKI voucher request from an EST client. This - * callback function takes as input a pointer to received voucher - * request and an integer set to the length of the voucher request. - * This request will be in a JSON formatted request and will - * not be base64 encoded. The callback function will return a pointer - * to the obtained voucher and an integer set to the length of the - * voucher being returned. libEST will forward this voucher back to - * EST client and will free up the passed buffer. - */ -typedef EST_BRSKI_CALLBACK_RC (*brski_voucher_req_cb)(char *voucher_req, int voucher_req_len, - char **voucher, int *voucher_len, - X509 *peer_cert); - - -/*! @typedef brski_voucher_status_cb - * @brief This typedef defines the prototype of the callback function that is - * to reside in the application code. The application can register - * this function callback using the est_set_brski_voucher_status_cb() - * API function. This callback is called by the EST server library - * when it receives a BRSKI voucher status indication from an EST - * client. This callback function takes as input a pointer to - * received voucher status. 
It also takes in the length of the - * voucher status buffer and the certificate used by the client - * during TLS handshake. - */ -typedef EST_BRSKI_CALLBACK_RC (*brski_voucher_status_cb)(char *voucher_status, - int voucher_status_len, - X509 *peer_cert); - - -/*! @typedef brski_enroll_status_cb - * @brief This typedef defines the prototype of the callback function that is - * to reside in the application code. The application can register - * this function callback using the est_set_brski_enroll_status_cb() - * API function. This callback is called by the EST server library - * when it has receives a BRSKI enrollment status indication from an - * EST client. This callback function takes as input a pointer to - * received enrollment status. This status will be in JSON format and - * will not be base64 encoded. It also takes in the length of the - * enrollment status buffer and the certificate used by the client - * during TLS handshake. - */ -typedef EST_BRSKI_CALLBACK_RC (*brski_enroll_status_cb)(char *cert_status, int cert_status_len, - X509 *peer_cert); /* * Begin the public API prototypes 
@@ -557,25 +465,6 @@ LIBEST_API EST_ERROR est_client_unforce_pop(EST_CTX *ctx); LIBEST_API EST_ERROR est_client_enable_srp(EST_CTX *ctx, int strength, char *uid, char *pwd); LIBEST_API int est_client_get_last_http_status(EST_CTX *ctx); -/* - * The following defines the BRSKI extension to libEST client mode - */ -LIBEST_API EST_ERROR est_client_set_brski_mode(EST_CTX *ctx); -LIBEST_API EST_ERROR est_client_brski_get_voucher(EST_CTX *ctx, int *cacert_len, int sign_voucher); -LIBEST_API EST_ERROR est_client_brski_copy_cacert(EST_CTX *ctx, unsigned char *cacert); -LIBEST_API EST_ERROR est_client_brski_send_voucher_status(EST_CTX *ctx, - EST_BRSKI_STATUS_VALUE status, - char *reason); -LIBEST_API EST_ERROR est_client_brski_send_enroll_status(EST_CTX *ctx, - EST_BRSKI_STATUS_VALUE status, - char *reason, - unsigned char *subject_key_id); - -/* - * The following defines the BRSKI extension to libEST server mode - */ -LIBEST_API EST_ERROR est_server_set_brski_retry_period (EST_CTX *ctx, int seconds); - /* * The following callback entry points must be set by the application * when acting as an EST server or proxy. 
@@ -588,19 +477,12 @@ LIBEST_API EST_ERROR est_set_ca_reenroll_cb(EST_CTX *ctx, int (*cb)(unsigned cha unsigned char **pkcs7, int *pkcs7_len, char *user_id, X509 *peer_cert, char *path_seg, void *ex_data)); -LIBEST_API EST_ERROR est_set_csr_cb(EST_CTX * ctx, unsigned char *(*cb)(int*csr_len, char *path_seg, X509 *peer_cert, void *ex_data)); +LIBEST_API EST_ERROR est_set_csr_cb(EST_CTX * ctx, unsigned char *(*cb)(int*csr_len, char *path_seg, void *ex_data)); LIBEST_API EST_ERROR est_set_cacerts_cb(EST_CTX * ctx, unsigned char *(*cb)(int*csr_len, char *path_seg, void *ex_data)); LIBEST_API EST_ERROR est_set_http_auth_cb(EST_CTX * ctx, int (*cb)(EST_CTX*, EST_HTTP_AUTH_HDR*, X509*, char *, void*)); -/* - * The following define the BRSKI extension to libEST server mode - */ -LIBEST_API EST_ERROR est_set_brski_voucher_req_cb(EST_CTX *ctx, brski_voucher_req_cb cb); -LIBEST_API EST_ERROR est_set_brski_voucher_status_cb(EST_CTX *ctx, brski_voucher_status_cb cb); -LIBEST_API EST_ERROR est_set_brski_enroll_status_cb(EST_CTX *ctx, brski_enroll_status_cb cb); - LIBEST_API EST_ERROR est_set_http_auth_required(EST_CTX * ctx, EST_HTTP_AUTH_REQUIRED required); LIBEST_API EST_ERROR est_add_attributes_helper(X509_REQ *req, int nid, void *string, int chtype); @@ -616,7 +498,6 @@ LIBEST_API X509_REQ *est_read_x509_request(unsigned char *csr, int csr_len, EST_CERT_FORMAT csr_format); LIBEST_API EVP_PKEY *est_load_key(unsigned char *key, int key_len, int format); LIBEST_API int est_convert_p7b64_to_pem(unsigned char *certs_p7, int certs_len, unsigned char **pem); -LIBEST_API char *est_find_ser_num_in_subj(X509 *cert); /* * These are helper macros that an application can use diff --git a/src/est/est_client.c b/src/est/est_client.c index b27a700..06e2d22 100644 --- a/src/est/est_client.c +++ b/src/est/est_client.c @@ -37,7 +37,6 @@ #include "est.h" #include "est_locl.h" #include "est_ossl_util.h" -#include "jsmn.h" #include "safe_mem_lib.h" #include "safe_str_lib.h" #include 
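Review bot: The `est_set_csr_cb` prototype drops the `X509 *peer_cert` argument from the registered callback, which is a source-incompatible change to a public header: any application registering a CSR-attributes callback with the previous four-argument signature stops compiling, and a caller that papers over it with a cast would invoke the callback with a mismatched argument list. Call this out in the API documentation for `est_set_csr_cb` and confirm that the invocation site in the server code (not in this hunk) passes exactly three arguments. Removing `est_find_ser_num_in_subj` from the exported API is likewise a breaking change for applications that called it and deserves the same mention.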
@@ -48,10 +47,7 @@ #ifdef WIN32 #define close(socket) closesocket(socket) WSADATA wsaData; -#define SLEEP(x) Sleep(x*1000) -#else -#define SLEEP(x) sleep(x) -#endif +#endif #define SSL_EXDATA_INDEX_INVALID -1 @@ -635,7 +631,6 @@ static EST_ERROR verify_cacert_resp (EST_CTX *ctx, unsigned char *cacerts, EST_LOG_WARN("Certificate failed verification (%s)", current_cert->name); failed = 1; } - X509_STORE_CTX_cleanup(store_ctx); } /* @@ -1039,7 +1034,7 @@ static void est_client_retrieve_credentials (EST_CTX *ctx, EST_HTTP_AUTH_MODE au EST_LOG_ERR("Userid provided is larger than the max of %d", MAX_UIDPWD); user[0] = '\0'; } else { - if (EOK != strcpy_s(user, MAX_UIDPWD, auth_credentials.user)) { + if (EOK != strncpy_s(user, MAX_UIDPWD, auth_credentials.user, MAX_UIDPWD)) { EST_LOG_ERR("Invalid User ID provided"); } } @@ -1050,7 +1045,7 @@ static void est_client_retrieve_credentials (EST_CTX *ctx, EST_HTTP_AUTH_MODE au EST_LOG_ERR("Password provided is larger than the max of %d", MAX_UIDPWD); pwd[0] = '\0'; } else { - if (EOK != strcpy_s(pwd, MAX_UIDPWD, auth_credentials.pwd)) { + if (EOK != strncpy_s(pwd, MAX_UIDPWD, auth_credentials.pwd, MAX_UIDPWD)) { EST_LOG_ERR("Invalid User password provided"); } } @@ -1156,10 +1151,10 @@ static void est_client_add_auth_hdr (EST_CTX *ctx, char *hdr, char *uri) est_client_retrieve_credentials(ctx, ctx->auth_mode, user, pwd); } else { - if (EOK != strcpy_s(user, MAX_UIDPWD, ctx->userid)) { + if (EOK != strncpy_s(user, MAX_UIDPWD, ctx->userid, MAX_UIDPWD)) { EST_LOG_ERR("Invalid User ID provided"); } - if (EOK != strcpy_s(pwd, MAX_UIDPWD, ctx->password)) { + if (EOK != strncpy_s(pwd, MAX_UIDPWD, ctx->password, MAX_UIDPWD)) { EST_LOG_ERR("Invalid User password provided"); } } 
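Review bot: Dropping `X509_STORE_CTX_cleanup(store_ctx);` from the per-certificate loop in `verify_cacert_resp` looks wrong: if the loop (its head lies outside the hunk) re-initialises the same `store_ctx` with `X509_STORE_CTX_init` for each certificate, the cleanup is what frees the chain built by the previous `X509_verify_cert` call and resets its error state, so without it each iteration leaks that chain and may carry stale verification state into the next one. Unless the context is now created and freed per iteration somewhere not visible here, restore `X509_STORE_CTX_cleanup(store_ctx);` at the end of the loop body.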
@@ -1170,7 +1165,6 @@ static void est_client_add_auth_hdr (EST_CTX *ctx, char *hdr, char *uri) /* Force hdr to a null string */ memzero_s(hdr, EST_HTTP_REQ_TOTAL_LEN); memzero_s(ctx->c_nonce, MAX_NONCE+1); - memzero_s(user, MAX_UIDPWD+1); memzero_s(pwd, MAX_UIDPWD+1); break; @@ -1280,11 +1274,6 @@ static int est_client_build_cacerts_header (EST_CTX *ctx, char *hdr) EST_LOG_WARN("CA Certs header took up the maximum amount in buffer (%d)", EST_HTTP_REQ_TOTAL_LEN); } - - if(hdr_len > EST_HTTP_HDR_MAX) { - EST_LOG_ERR("CA Certs header is too big (%d) > (%d)", hdr_len, EST_HTTP_HDR_MAX); - return 0; - } return (hdr_len); } @@ -1318,12 +1307,6 @@ static int est_client_build_csr_header (EST_CTX *ctx, char *hdr) EST_LOG_WARN("CSR attributes request header took up the maximum amount in buffer (%d)", EST_HTTP_REQ_TOTAL_LEN); } - - if(hdr_len > EST_HTTP_HDR_MAX) { - EST_LOG_ERR("CSR attributes header is too big (%d) > (%d)", hdr_len, EST_HTTP_HDR_MAX); - return 0; - } - return (hdr_len); } @@ -1452,11 +1435,6 @@ static int est_client_build_enroll_header (EST_CTX *ctx, char *hdr, int pkcs10_l EST_LOG_WARN("Client enroll request header took up the maximum amount in buffer (%d)", EST_HTTP_REQ_TOTAL_LEN); } - - if(hdr_len > EST_HTTP_HDR_MAX) { - EST_LOG_ERR("Client enroll request header is too big (%d) > (%d)", hdr_len, EST_HTTP_HDR_MAX); - return 0; - } return (hdr_len); } @@ -1493,12 +1471,6 @@ static int est_client_build_reenroll_header (EST_CTX *ctx, char *hdr, int pkcs10 EST_LOG_WARN("Client reenroll request header took up the maximum amount in buffer (%d)", EST_HTTP_REQ_TOTAL_LEN); } - - if(hdr_len > EST_HTTP_HDR_MAX) { - EST_LOG_ERR("Client reenroll request header is too big (%d) > (%d)", hdr_len, EST_HTTP_HDR_MAX); - return 0; - } - return (hdr_len); } 
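Review bot: In `est_client_add_auth_hdr` the failure path still wipes `hdr`, `ctx->c_nonce` and `pwd` but no longer wipes `user`, so the user id now stays in the stack buffer after the function gives up; restore `memzero_s(user, MAX_UIDPWD+1);` so both credential copies get the same treatment. Separately, the `hdr_len > EST_HTTP_HDR_MAX` guards removed from `est_client_build_cacerts_header`, `est_client_build_csr_header`, `est_client_build_enroll_header` and `est_client_build_reenroll_header` were the only way those builders signalled an oversized header to their callers (by returning 0); with them gone, and with the matching `hdr_len == 0` check removed from `est_client_send_cacerts_request` in the next hunk, a header that hit the buffer limit is sent as-is with only a warning logged. If `EST_HTTP_REQ_TOTAL_LEN` alone is meant to bound the header from now on, say so in a comment beside the remaining warning; otherwise keep the guard and the caller check. All four builder functions begin outside the hunk.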
@@ -2491,10 +2463,6 @@ EST_ERROR est_client_connect (EST_CTX *ctx, SSL **ssl) return (EST_ERR_IP_CONNECT); } - /* - * PDB TODO: Figure out why the following is needed and remove - * if not necessary - */ /* * Enable TCP keep-alive */ @@ -2647,12 +2615,6 @@ static int est_client_send_cacerts_request (EST_CTX *ctx, SSL *ssl, } hdr_len = est_client_build_cacerts_header(ctx, http_data); - if(hdr_len == 0) { - EST_LOG_ERR("Unable to build CA Cert header"); - free(http_data); - return (EST_ERR_HTTP_CANNOT_BUILD_HEADER); - } - /* * terminate the HTTP header */ @@ -2789,19 +2751,11 @@ EST_ERROR est_client_set_uid_pw (EST_CTX *ctx, const char *uid, const char *pwd) * if uid/pwd set, then we're doing basic/digest authentication */ if (uid != NULL) { - if ( MAX_UIDPWD < strnlen_s(uid, MAX_UIDPWD+1)) { - EST_LOG_ERR("Invalid User ID provided, too long."); - return EST_ERR_INVALID_PARAMETERS; - } - if (EOK != strcpy_s(ctx->userid, MAX_UIDPWD, uid)) { + if (EOK != strncpy_s(ctx->userid, MAX_UIDPWD, uid, MAX_UIDPWD)) { EST_LOG_ERR("Invalid User ID provided"); return EST_ERR_INVALID_PARAMETERS; } - if ( MAX_UIDPWD < strnlen_s(pwd, MAX_UIDPWD+1)) { - EST_LOG_ERR("Invalid Password provided, too long."); - return EST_ERR_INVALID_PARAMETERS; - } - if (EOK != strcpy_s(ctx->password, MAX_UIDPWD, pwd)) { + if (EOK != strncpy_s(ctx->password, MAX_UIDPWD, pwd, MAX_UIDPWD)) { EST_LOG_ERR("Invalid Password provided"); return EST_ERR_INVALID_PARAMETERS; } @@ -2883,7 +2837,7 @@ EST_ERROR est_client_enroll_csr (EST_CTX *ctx, X509_REQ *csr, int *pkcs7_len, EV } if (priv_key) { - rv = est_client_enroll_pkcs10(ctx, ssl, csr, pkcs7_len, priv_key, 0); + rv = est_client_enroll_pkcs10(ctx, ssl, csr, pkcs7_len, priv_key, 0); } else { rv = est_client_enroll_req(ctx, ssl, csr, pkcs7_len, 0); } 
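Review bot: `est_client_set_uid_pw` now relies on `strncpy_s` alone to reject an over-long uid or password: with `slen` equal to `dmax` (`MAX_UIDPWD`), Annex K semantics fail the copy (and clear `ctx->userid[0]`) for any source of `MAX_UIDPWD` or more characters rather than truncating, so the outcome matches the removed explicit length checks, but the dedicated "too long" diagnostic is lost and the bound is now implicit. A comment at the first copy would keep that visible: `/* slen == dmax: strncpy_s rejects (never truncates) a value of MAX_UIDPWD or more chars */`. Note also that when the password copy fails, `ctx->userid` has already been overwritten, leaving the context half-updated on an error return; validating both inputs before writing either avoids that. The function begins outside the hunk.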
@@ -2904,10 +2858,10 @@ EST_ERROR est_client_enroll_csr (EST_CTX *ctx, X509_REQ *csr, int *pkcs7_len, EV } /* Try one more time if we're doing Digest auth */ - EST_LOG_INFO("HTTP Auth failed, trying again with HTTP Auth credentials"); + EST_LOG_INFO("HTTP Auth failed, trying again with digest/basic parameters"); rv = est_client_connect(ctx, &ssl); if (rv != EST_ERR_NONE) { - EST_LOG_ERR("Connection failed on second attempt with HTTP Auth credentials"); + EST_LOG_ERR("Connection failed on second attempt with basic/digest parameters"); goto err; } if (priv_key) { @@ -2916,7 +2870,7 @@ EST_ERROR est_client_enroll_csr (EST_CTX *ctx, X509_REQ *csr, int *pkcs7_len, EV rv = est_client_enroll_req(ctx, ssl, csr, pkcs7_len, 0); } if (rv != EST_ERR_NONE) { - EST_LOG_ERR("Enroll failed on second attempt with HTTP Auth credentials"); + EST_LOG_ERR("Enroll failed on second attempt during basic/digest authentication"); } est_client_disconnect(ctx, &ssl); } @@ -2997,15 +2951,15 @@ EST_ERROR est_client_enroll (EST_CTX *ctx, char *cn, int *pkcs7_len, } /* Try one more time if we're doing Digest auth */ - EST_LOG_INFO("HTTP Auth failed, trying again with HTTP Auth credentials"); + EST_LOG_INFO("HTTP Auth failed, trying again with basic/digest/token parameters"); rv = est_client_connect(ctx, &ssl); if (rv != EST_ERR_NONE) { - EST_LOG_ERR("Connection failed on second attempt with HTTP Auth credentials"); + EST_LOG_ERR("Connection failed on second attempt with basic/digest/token parameters"); goto err; } rv = est_client_enroll_cn(ctx, ssl, cn, pkcs7_len, new_public_key); if (rv != EST_ERR_NONE) { - EST_LOG_ERR("Enroll failed on second attempt with HTTP Auth credentials"); + EST_LOG_ERR("Enroll failed on second attempt during basic/digest authentication"); /* * If we're attempting token mode for the second time, and 
@@ -3317,15 +3271,15 @@ EST_ERROR est_client_reenroll (EST_CTX *ctx, X509 *cert, int *pkcs7_len, EVP_PKE } /* Try one more time if we're doing Digest auth */ - EST_LOG_INFO("HTTP Auth failed, trying again with HTTP Auth credentials"); + EST_LOG_INFO("HTTP Auth failed, trying again with digest/basic parameters"); rv = est_client_connect(ctx, &ssl); if (rv != EST_ERR_NONE) { - EST_LOG_ERR("Connection failed on second attempt with HTTP Auth credentials"); + EST_LOG_ERR("Connection failed on second attempt with basic/digest parameters"); goto err; } rv = est_client_enroll_pkcs10(ctx, ssl, req, pkcs7_len, priv_key, 1); if (rv != EST_ERR_NONE) { - EST_LOG_ERR("Reenroll failed on second attempt with HTTP Auth credentials"); + EST_LOG_ERR("Reenroll failed on second attempt during basic/digest authentication"); /* * If we're attempting token mode for the second time, and @@ -3350,7 +3304,9 @@ EST_ERROR est_client_reenroll (EST_CTX *ctx, X509 *cert, int *pkcs7_len, EVP_PKE } X509_REQ_free(req); - return (rv); + return (rv); + + } /*! @brief est_client_copy_enrolled_cert() passes back the client certificate @@ -3746,9 +3702,10 @@ EST_ERROR est_client_enable_srp (EST_CTX *ctx, int strength, char *uid, char *pw and digest based authentication @param pwd char buffer containing the passowrd to be used for basic and digest based authentication - @param client_cert char buffer containing the client application + @param client_cert_raw char buffer containing the client application certificate. - @param private_key Private key that can be used with the client cert + @param pkey_raw Private key that can be used with the client cert + @param pkey_len Length of buffer holding the private key This function allows an application to provide the information required for authenticating the EST client with the EST server. Until this call is 
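Review bot: The `@@ -3350` hunk adds two blank lines between `return (rv);` and the closing brace of est_client_reenroll, which is dead whitespace inside the function body and reads as an editing leftover; the only other change on that line is trailing whitespace on the return statement. Drop the added lines so the function ends with `return (rv);` immediately followed by `}` as before. Style only, no behaviour change.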
@@ -4132,12 +4089,8 @@ EST_ERROR est_client_set_server (EST_CTX *ctx, const char *server, int port, return EST_ERR_INVALID_PORT_NUM; } - if (EST_MAX_SERVERNAME_LEN < strnlen_s(server, EST_MAX_SERVERNAME_LEN+1)) { - EST_LOG_ERR("Invalid server name provided, too long."); - return EST_ERR_INVALID_SERVER_NAME; - } - - if (EOK != strcpy_s(ctx->est_server, EST_MAX_SERVERNAME_LEN, server)) { + if (EOK != strncpy_s(ctx->est_server, EST_MAX_SERVERNAME_LEN, server, + EST_MAX_SERVERNAME_LEN)) { return EST_ERR_INVALID_SERVER_NAME; } @@ -4254,7 +4207,8 @@ EST_ERROR est_client_set_proxy (EST_CTX *ctx, EST_CLIENT_PROXY_PROTO proxy_proto } ctx->proxy_server[0] = '\0'; - if (EOK != strcpy_s(ctx->proxy_server, sizeof(ctx->proxy_server), proxy_server)) { + if (EOK != strncpy_s(ctx->proxy_server, sizeof(ctx->proxy_server), + proxy_server, sizeof(ctx->proxy_server))) { return EST_ERR_INVALID_SERVER_NAME; } @@ -4286,7 +4240,8 @@ EST_ERROR est_client_set_proxy (EST_CTX *ctx, EST_CLIENT_PROXY_PROTO proxy_proto } ctx->proxy_username[0] = '\0'; - if (EOK != strcpy_s(ctx->proxy_username, sizeof(ctx->proxy_username), username)) { + if (EOK != strncpy_s(ctx->proxy_username, sizeof(ctx->proxy_username), + username, sizeof(ctx->proxy_username))) { return EST_ERR_INVALID_PARAMETERS; } @@ -4299,7 +4254,8 @@ EST_ERROR est_client_set_proxy (EST_CTX *ctx, EST_CLIENT_PROXY_PROTO proxy_proto } ctx->proxy_password[0] = '\0'; - if (EOK != strcpy_s(ctx->proxy_password, sizeof(ctx->proxy_password), password)) { + if (EOK != strncpy_s(ctx->proxy_password, sizeof(ctx->proxy_password), password, + sizeof(ctx->proxy_password))) { return EST_ERR_INVALID_PARAMETERS; } 
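Review bot: In est_client_set_server the dropped strnlen_s check was also the only place an over-long server name was logged; the replacement `strncpy_s(ctx->est_server, EST_MAX_SERVERNAME_LEN, server, EST_MAX_SERVERNAME_LEN)` returns EST_ERR_INVALID_SERVER_NAME silently, so a mis-sized hostname from configuration is harder to diagnose — add `EST_LOG_ERR("Invalid server name provided");` inside the failure branch. This hunk also sizes the copy with the EST_MAX_SERVERNAME_LEN macro while the three est_client_set_proxy hunks below use `sizeof(ctx->proxy_*)` for both the destination size and the limit; `sizeof(ctx->est_server)` would make the bound follow the field's declaration (not visible here) and match the rest of the change. est_client_set_server continues outside the hunk.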
@@ -4547,1463 +4503,3 @@ int est_client_get_last_http_status (EST_CTX *ctx) return 0; } } - -#if ENABLE_BRSKI -/*! @brief est_client_set_brski_mode() is called by the application layer to - configure and enable BRSKI mode. It must be called after est_client_init() - and prior to issuing any of the other BRSKI specific calls. - - @param ctx Pointer to EST context for a client session - - @return EST_ERROR_NONE on success, or EST based error - - est_client_set_brski_mode error checks its input parameters and sets the - BRSKI mode flag in the EST context. -*/ -EST_ERROR est_client_set_brski_mode (EST_CTX *ctx) -{ - /* - * error check inputs - */ - if (!ctx) { - return EST_ERR_NO_CTX; - } - - if (!ctx->est_client_initialized) { - return EST_ERR_CLIENT_NOT_INITIALIZED; - } - - if (ctx->brski_mode == BRSKI_ENABLED) { - EST_LOG_ERR("BRSKI mode already enabled"); - return EST_ERR_INVALID_PARAMETERS; - } - - /* - * Enable BRSKI mode - */ - ctx->brski_mode = BRSKI_ENABLED; - - return EST_ERR_NONE; -} - -/* - * This function is used to build the HTTP header for - * the BRSKI voucher request flow. 
- * - * Parameters: - * ctx: EST context - * hdr: pointer to the buffer to hold the header - * sign_voucher: Flag indicating whether or not the voucher request - * is signed - * req_buf_len length of the voucher req buffer that is ready for - * transmission - */ -static int est_client_brski_build_voucherreq_header (EST_CTX *ctx, char *hdr, - int sign_voucher, int req_buf_len) -{ - int hdr_len; - - snprintf(hdr, EST_HTTP_REQ_TOTAL_LEN, "POST %s%s%s/%s HTTP/1.1\r\n" - "User-Agent: %s\r\n" - "Connection: close\r\n" - "Host: %s:%d\r\n" - "Accept: */*\r\n" - "Content-Type: %s\r\n" - "Content-Length: %d\r\n", - EST_PATH_PREFIX, - (ctx->uri_path_segment?"/":""), - (ctx->uri_path_segment?ctx->uri_path_segment:""), - EST_BRSKI_GET_VOUCHER, - EST_HTTP_HDR_EST_CLIENT, - ctx->est_server, ctx->est_port_num, - sign_voucher?EST_BRSKI_CT_VREQ_SIGNED:EST_BRSKI_CT_VREQ, - req_buf_len); - est_client_add_auth_hdr(ctx, hdr, EST_BRSKI_GET_VOUCHER_URI); - hdr_len = (int) strnlen_s(hdr, EST_HTTP_REQ_TOTAL_LEN); - if (hdr_len == EST_HTTP_REQ_TOTAL_LEN) { - EST_LOG_WARN("BRSKI voucher request header took up the maximum amount in buffer (%d)", - EST_HTTP_REQ_TOTAL_LEN); - } - - return (hdr_len); -} - - -/* - * This function performs the work for the BRSKI get voucher request flow. - * It builds the necessary headers, includes the voucher request as payload, - * writes the message on the TLS connection, retrieves the response from the - * server, and stores the voucher in the context. - * - * - * Parameters: - * ctx: EST context - * ssl: SSL context - * sign_voucher: indicate whether voucher has been signed. This controls - * the HTTP media type. 
- * req_buf: pointer to buffer containing the JSON based voucher request - * req_len: voucher request buffer len - */ -static int est_client_brski_send_voucher_request (EST_CTX *ctx, SSL *ssl, - int sign_voucher, - char *req_buf, int req_buf_len) -{ - char *http_data; - int hdr_len; - int write_size; - int rv; - unsigned char *voucher_buf = NULL; - int voucher_buf_len = 0; - errno_t safec_rc; - - /* - * Build the HTTP request - * - allocate buffer: header, voucher req, terminating characters - * - build the header - * - data - voucher request - * - terminate it - */ - http_data = malloc(EST_HTTP_REQ_TOTAL_LEN); - if (http_data == NULL) { - EST_LOG_ERR("Unable to allocate memory for http_data"); - return EST_ERR_MALLOC; - } - /* - * build the HTTP headers - */ - hdr_len = est_client_brski_build_voucherreq_header(ctx, http_data, - sign_voucher, - req_buf_len); - /* - * terminate the HTTP header - */ - snprintf(http_data + hdr_len, EST_HTTP_REQ_TOTAL_LEN-hdr_len,"\r\n"); - hdr_len += 2; - - /* - * Build the HTTP body containing the voucher request - */ - safec_rc = memcpy_s(http_data + hdr_len, EST_HTTP_REQ_DATA_MAX, - req_buf, req_buf_len); - if (safec_rc != EOK) { - EST_LOG_ERR("memcpy_s failed with 0x%xO", safec_rc); - free(http_data); - return (EST_ERR_SYSCALL); - } - hdr_len += req_buf_len; - - /* - * terminate the HTTP request - */ - snprintf(http_data + hdr_len, EST_HTTP_REQ_TOTAL_LEN-hdr_len,"\r\n"); - hdr_len += 2; - - /* - * Send the request to the server and wait for a response - */ - ctx->last_http_status = 0; - write_size = SSL_write(ssl, http_data, hdr_len); - if (write_size < 0) { - EST_LOG_ERR("TLS write error"); - free(http_data); - ossl_dump_ssl_errors(); - rv = EST_ERR_SSL_WRITE; - } else { - EST_LOG_INFO("TLS wrote %d bytes, attempted %d bytes\n", - write_size, hdr_len); - - /* - * Try to get the response from the server - */ - rv = est_io_get_response(ctx, ssl, EST_OP_BRSKI_REQ_VOUCHER, - &voucher_buf, &voucher_buf_len); - switch (rv) { - case 
EST_ERR_NONE: - - /* - * Make sure that even though we got a success return code, that we - * actually received something - */ - if (voucher_buf_len == 0) { - EST_LOG_ERR("Retrieved voucher buf is zero bytes in length"); - rv = EST_ERR_ZERO_LENGTH_BUF; - break; - } - if (voucher_buf_len+1 > EST_CA_MAX) { - EST_LOG_ERR("Retrieved voucher buf is larger than maximum allowed"); - rv = EST_ERR_BUF_EXCEEDS_MAX_LEN; - break; - } - - /* - * Resize the buffer holding the retrieved voucher and link it - * into the ctx. Get rid of the http hdr and any extra space on - * the back. If for some reason there is one already linked - * to the context, get rid of it to make room for this new one. - */ - if (ctx->brski_retrieved_voucher != NULL){ - free(ctx->brski_retrieved_voucher); - } - ctx->brski_retrieved_voucher = malloc(voucher_buf_len+1); - if (ctx->brski_retrieved_voucher == NULL) { - - EST_LOG_ERR("Unable to allocate voucher buffer"); - rv = EST_ERR_MALLOC; - break; - } - - ctx->brski_retrieved_voucher[voucher_buf_len] = '\0'; - memcpy_s(ctx->brski_retrieved_voucher, voucher_buf_len+1, voucher_buf, - voucher_buf_len); - ctx->brski_retrieved_voucher_len = voucher_buf_len; - - EST_LOG_INFO("BRSKI Voucher buf: %s", ctx->brski_retrieved_voucher); - EST_LOG_INFO("BRSKI Voucher length: %d", ctx->brski_retrieved_voucher_len); - break; - case EST_ERR_AUTH_FAIL: - EST_LOG_ERR("HTTP auth failure"); - break; - case EST_ERR_CA_ENROLL_RETRY: - EST_LOG_INFO("HTTP request failed with a RETRY AFTER resp"); - break; - default: - EST_LOG_ERR("EST request failed: %d (%s)", rv, EST_ERR_NUM_TO_STR(rv)); - break; - } - } - - if (http_data) { - free(http_data); - } - if (voucher_buf) { - free(voucher_buf); - } - - return (rv); -} - -/* - * Utility function to determine if a JSON token equals a specific value. 
- */ -static int jsoneq(const char *json, jsmntok_t *tok, const char *s) { - if (tok->type == JSMN_STRING && (int) strlen(s) == tok->end - tok->start && - strncmp(json + tok->start, s, tok->end - tok->start) == 0) { - return 0; - } - return -1; -} - -static int retrieve_token_from_voucher (unsigned char *voucher, - unsigned char *token_value, - int max_token_value_size, - int parser_resp, - jsmntok_t *tok, - char *token) -{ - int i; - int token_found = 0; - - for (i = 1; i < parser_resp; i++) { - if (jsoneq((const char *)voucher, &tok[i], token) == 0) { - token_found = 1; - if (tok[i+1].type == JSMN_UNDEFINED) { - EST_LOG_ERR("token \"%s\" is last in JSON with no assigned value\n", token); - *token_value = '\0'; - break; - } - snprintf((char *)token_value, max_token_value_size, "%.*s", - tok[i+1].end-tok[i+1].start, voucher+tok[i+1].start); - EST_LOG_INFO("Found token %s = %s\n", token, token_value); - break; - } - } - return (token_found); -} - -/* - * parse up the voucher, check the nonce to make sure it matches, - * extract and return the cacert - */ -static EST_ERROR brski_parse_voucher (EST_CTX *ctx, char *sent_nonce, - unsigned char *returned_cacert, - int *cacert_len) -{ - jsmn_parser p; - jsmntok_t *tok; - size_t tokcount = 100; /* PDB: Need to determine a final value for this */ - int parser_resp; - int cacert_found = 0; - int nonce_found = 0; - int ser_num_found = 0; - unsigned char returned_nonce[EST_BRSKI_VOUCHER_REQ_NONCE_SIZE+2]; - unsigned char returned_ser_num[EST_BRSKI_MAX_SER_NUM_LEN+2]; - int returned_nonce_len; - int returned_ser_num_len; - int diff; - errno_t safec_rc; - EST_ERROR rv; - - *cacert_len = 0; - - /* - * PDB: BRSKI states that the voucher is to be in a CMS signed-data - * content type. Verify the signature of this before parsing begins. - */ - - /* - * Parse the returned voucher. 
- */ - jsmn_init(&p); - tok = calloc(tokcount, sizeof(*tok)); - if (tok == NULL) { - EST_LOG_ERR("calloc(): errno=%d\n", errno); - return (EST_ERR_MALLOC); - } - parser_resp = jsmn_parse(&p, (char *)ctx->brski_retrieved_voucher, - (size_t)ctx->brski_retrieved_voucher_len, - tok, tokcount); - if (parser_resp < 0) { - EST_LOG_ERR("Voucher parse failed. Parse error = %d ", parser_resp); - free(tok); - return (EST_ERR_MALLOC); - } else { - EST_LOG_INFO("Voucher parsed\n"); - } - - /* - * Verify the nonce if it exists - */ - nonce_found = retrieve_token_from_voucher(ctx->brski_retrieved_voucher, - returned_nonce, - EST_BRSKI_VOUCHER_REQ_NONCE_SIZE+2, - parser_resp, tok, "nonce"); - if (!nonce_found) { - EST_LOG_WARN("Nonce missing from voucher\n"); - } else { - - /* - * Make sure returned nonce is not larger than maximum supported size - */ - returned_nonce_len = strnlen_s((char *)returned_nonce, - EST_BRSKI_VOUCHER_REQ_NONCE_SIZE+1); - if (returned_nonce_len > EST_BRSKI_VOUCHER_REQ_NONCE_SIZE) { - EST_LOG_ERR("Nonce in voucher larger than maximum length"); - free(tok); - return (EST_ERR_CLIENT_BRSKI_NONCE_TOO_LARGE); - } - - /* - * Check that the returned nonce matches what we sent. If it does - * then proceed with the parsing, else return an error. 
- */ - safec_rc = memcmp_s(sent_nonce, EST_BRSKI_VOUCHER_REQ_NONCE_SIZE, - returned_nonce ,EST_BRSKI_VOUCHER_REQ_NONCE_SIZE, - &diff); - if (safec_rc != EOK) { - EST_LOG_ERR("memcmp_s error 0x%xO\n", safec_rc); - free(tok); - return (EST_ERR_SYSCALL); - } - if (diff) { - EST_LOG_ERR("Nonce in voucher did not match nonce in request"); - free(tok); - return (EST_ERR_CLIENT_BRSKI_NONCE_MISMATCH); - } - } - - - /* - * In case the nonce is missing, check the serial number to prove that this - * voucher is really for us - */ - ser_num_found = retrieve_token_from_voucher(ctx->brski_retrieved_voucher, - returned_ser_num, - EST_BRSKI_MAX_SER_NUM_LEN+2, - parser_resp, tok, "serial-number"); - if (!ser_num_found) { - EST_LOG_ERR("Serial Number missing from voucher\n"); - free(tok); - return (EST_ERR_CLIENT_BRSKI_SERIAL_NUM_MISSING); - } else { - - /* - * Make sure returned serial number is not larger than maximum supported size - */ - returned_ser_num_len = strnlen_s((char *)returned_ser_num, - EST_BRSKI_MAX_SER_NUM_LEN+1); - if (returned_ser_num_len > EST_BRSKI_MAX_SER_NUM_LEN) { - EST_LOG_ERR("Serial Number in voucher larger than maximum supported size"); - free(tok); - return (EST_ERR_CLIENT_BRSKI_SERIAL_NUM_TOO_LARGE); - } - - /* - * Check that the returned serial number matches what we sent. 
If it does - * then save away the CA certs - */ - safec_rc = memcmp_s(ctx->client_cert_ser_num, returned_ser_num_len+1, - returned_ser_num, returned_ser_num_len+1, - &diff); - if (safec_rc != EOK) { - EST_LOG_ERR("memcmp_s error 0x%xO\n", safec_rc); - free(tok); - return (EST_ERR_SYSCALL); - } - if (diff) { - EST_LOG_ERR("Serial Number in voucher does not match serial number in client certificate"); - free(tok); - return (EST_ERR_CLIENT_BRSKI_SERIAL_NUM_MISMATCH); - } - } - - /* - * Attempt to get the ca_cert from the voucher, store it in the ctx - */ - cacert_found = retrieve_token_from_voucher(ctx->brski_retrieved_voucher, - returned_cacert, - EST_BRSKI_MAX_CACERT_LEN+1, - parser_resp, tok, "pinned-domain-cert"); - if (!cacert_found) { - EST_LOG_ERR("CA certs missing from voucher"); - free(tok); - return (EST_ERR_NO_CERT); - } - if (ctx->brski_retrieved_cacert != NULL){ - free(ctx->brski_retrieved_cacert); - } - ctx->brski_retrieved_cacert_len = strnlen_s((const char *)returned_cacert, - EST_BRSKI_MAX_CACERT_LEN); - if (ctx->brski_retrieved_cacert) { - free(ctx->brski_retrieved_cacert); - } - ctx->brski_retrieved_cacert = malloc(ctx->brski_retrieved_cacert_len+1); - if (ctx->brski_retrieved_cacert == NULL) { - EST_LOG_ERR("Unable to allocate cacert buffer"); - free(tok); - return (EST_ERR_MALLOC); - } - ctx->brski_retrieved_cacert[ctx->brski_retrieved_cacert_len] = '\0'; - safec_rc = memcpy_s(ctx->brski_retrieved_cacert, ctx->brski_retrieved_cacert_len+1, - returned_cacert, ctx->brski_retrieved_cacert_len); - if (safec_rc != EOK) { - EST_LOG_ERR("memcpy_s failed with 0x%xO", safec_rc); - free(ctx->brski_retrieved_cacert); - ctx->brski_retrieved_cacert = NULL; - ctx->brski_retrieved_cacert_len = 0; - free(tok); - return (EST_ERR_SYSCALL); - } - - /* - * Verify the returned CA cert that was in the voucher - */ - rv = verify_cacert_resp(ctx, ctx->brski_retrieved_cacert, - &ctx->brski_retrieved_cacert_len); - if (rv != EST_ERR_NONE) { - EST_LOG_ERR("Returned CA Cert 
in voucher was invalid. rv = %s", - EST_ERR_NUM_TO_STR(rv)); - free(ctx->brski_retrieved_cacert); - ctx->brski_retrieved_cacert = NULL; - ctx->brski_retrieved_cacert_len = 0; - free(tok); - return (rv); - } - - EST_LOG_INFO("BRSKI Voucher cacert : %s", ctx->brski_retrieved_cacert); - EST_LOG_INFO("BRSKI Voucher cacert length: %d", ctx->brski_retrieved_cacert_len); - - free(tok); - return (EST_ERR_NONE); -} - - -/* - * Utility function to take a list of certs in a BIO and - * convert it to a stack of X509 records. - */ -static int ossl_add_certs_from_BIO (STACK_OF(X509) *stack, BIO *in) -{ - int count=0; - int ret= -1; - STACK_OF(X509_INFO) *sk=NULL; - X509_INFO *xi; - - /* This loads from a file, a stack of x509/crl/pkey sets */ - sk=PEM_X509_INFO_read_bio(in,NULL,NULL,NULL); - if (sk == NULL) { - EST_LOG_ERR("EST Client: error reading certs from BIO"); - goto end; - } - - /* scan over it and pull out the CRL's */ - while (sk_X509_INFO_num(sk)) { - xi=sk_X509_INFO_shift(sk); - if (xi->x509 != NULL) { - sk_X509_push(stack,xi->x509); - xi->x509=NULL; - count++; - } - X509_INFO_free(xi); - } - - ret=count; -end: - /* never need to OPENSSL_free x */ - if (in != NULL) BIO_free(in); - if (sk != NULL) sk_X509_INFO_free(sk); - return(ret); -} - -/* - * This utility function takes a list of certificate that hav been written - * to a BIO, reads the BIO, and converts it to a pkcs7 certificate. - * The input form is PEM encoded X509 certificates in a BIO. - * The pkcs7 data is then written to a new BIO and returned to the - * caller. 
- */ -static BIO * ossl_get_certs_pkcs7(BIO *in) -{ - STACK_OF(X509) *cert_stack=NULL; - PKCS7_SIGNED *p7s = NULL; - PKCS7 *p7 = NULL; - BIO *out = NULL; - BIO *b64; - int rv = 0; - - if ((p7=PKCS7_new()) == NULL) { - EST_LOG_ERR("EST Client: pkcs7_new failed"); - goto end; - } - if ((p7s=PKCS7_SIGNED_new()) == NULL) { - EST_LOG_ERR("EST Client: pkcs7_signed_new failed"); - goto end; - } - p7->type=OBJ_nid2obj(NID_pkcs7_signed); - p7->d.sign=p7s; - p7s->contents->type=OBJ_nid2obj(NID_pkcs7_data); - if (!ASN1_INTEGER_set(p7s->version,1)) { - EST_LOG_ERR("EST Client: ASN1_integer_set failed"); - goto end; - } - - if ((cert_stack=sk_X509_new_null()) == NULL) { - EST_LOG_ERR("EST Client: X509 stack malloc failed"); - goto end; - } - p7s->cert=cert_stack; - - if (ossl_add_certs_from_BIO(cert_stack, in) < 0) { - EST_LOG_ERR("EST Client: error loading certificates"); - ossl_dump_ssl_errors(); - goto end; - } - - /* Output BASE64 encoded ASN.1 (DER) PKCS7 cert */ - b64 = BIO_new(BIO_f_base64()); - if (!b64) { - EST_LOG_ERR("EST Client: BIO_new failed"); - goto end; - } - out = BIO_new(BIO_s_mem()); - if (!out) { - BIO_free_all(b64); - b64 = NULL; - EST_LOG_ERR("EST Client: BIO_new failed"); - goto end; - } - out = BIO_push(b64, out); - rv = i2d_PKCS7_bio(out, p7); - (void)BIO_flush(out); - if (!rv) { - EST_LOG_ERR("EST Client: error in PEM_write_bio_PKCS7"); - ossl_dump_ssl_errors(); - BIO_free_all(out); - out = NULL; - goto end; - } - end: - if (p7) PKCS7_free(p7); - return out; -} - - -/* - * Call into OpenSSL to obtain the server's ID certificate. It comes - * from OpenSSL as a X509 structure and need to get it into PKCS7 and - * base64 encoded. Return this in in achar string. 
- */ -EST_ERROR est_brski_get_server_cert (char *server_cert, SSL *ssl) -{ - X509 *server_cert_x509; - char *server_cert_p7_b64 = NULL; - int server_cert_p7_b64_len = 0; - BIO *p7out; - BIO *server_cert_pem = NULL; - - /* - * Obtain the registrar's certificate to use as the pinned-domain-cert and - * convert it to PKCS7 and base64 encode it. - */ - server_cert_x509 = SSL_get_peer_certificate(ssl); - server_cert_pem = BIO_new(BIO_s_mem()); - if (server_cert_pem == NULL) { - EST_LOG_ERR("PEM_write_bio_PKCS7 failed"); - return (EST_ERR_LOAD_CACERTS); - } - PEM_write_bio_X509(server_cert_pem, server_cert_x509); - /* - * Done with the X509 struct. - */ - X509_free(server_cert_x509); - - p7out = ossl_get_certs_pkcs7(server_cert_pem); - if (!p7out) { - EST_LOG_ERR("PEM_write_bio_PKCS7 failed"); - BIO_free_all(server_cert_pem); - return (EST_ERR_LOAD_CACERTS); - } - server_cert_p7_b64_len = (int) BIO_get_mem_data(p7out, (char**)&server_cert_p7_b64); - if (server_cert_p7_b64_len <= 0) { - EST_LOG_ERR("Failed to copy PKCS7 data"); - BIO_free_all(server_cert_pem); - BIO_free_all(p7out); - return (EST_ERR_LOAD_CACERTS); - } - - memcpy_s(server_cert, EST_BRSKI_MAX_CACERT_LEN, server_cert_p7_b64, server_cert_p7_b64_len); - - BIO_free_all(p7out); - return (EST_ERR_NONE); -} - -/* - * Take in the pieces needed to build the voucher request and also sign - * it if needed. 
- */ -static -void est_brski_build_voucher_req (char *voucher_req, int *voucher_req_len, - char *nonce_str, char *time_str, char *assertion, - char *server_cert, int sign_voucher) -{ - /* - * create the voucher request - */ - snprintf(voucher_req, EST_BRSKI_MAX_VOUCHER_REQ_LEN, "{\r\n" - "\"ietf-voucher:voucher\": {\r\n" - "\"nonce\": \"%s\",\r\n" - "\"created-on\": \"%s\",\r\n" - "\"assertion\": \"%s\",\r\n" - "\"pinned-domain-cert\": \"%s\"\r\n" - "}}",nonce_str, time_str, assertion, server_cert); - *voucher_req_len = strnlen_s(voucher_req, EST_BRSKI_MAX_VOUCHER_REQ_LEN); - - if (sign_voucher) { - /* - * PDB TODO: need to sign the voucher - * - * YANG-defined JSON document that has been signed using a PKCS#7 - * structure. Need to get the private key to use. Likely use - * ctx->client_key = private_key; - * this is the key used on the TLS connections so this would be the - * private key of the MFG key pair. - */ - } -} - - -/* est_client_brski_send_get_voucher() performs a BRSKI voucher request to - the EST server. - - ctx Pointer to an EST context. - cacert_len Pointer to an integer to hold the length of the cacert - that is returned in the voucher. - sign_voucher Integer indicating whether or not the voucher request is - to be signed. - - @return EST_ERROR_NONE on success, or EST based error - - est_client_brski_send_get_voucher() connects to the EST server, builds a BRSKI - request voucher and sends the request. The returned voucher is parsed and - the domain CA cert within the voucher is extracted into a NULL terminated - string buffer and stored in the EST context. The length of the CA cert is - returned to the calling application. The application layer can then call - est_client_brski_copy_cacert() to retrieve the CA certificate. 
- */ -static EST_ERROR est_client_brski_send_get_voucher (EST_CTX *ctx, int *cacert_len, - int sign_voucher) -{ - EST_ERROR rv = EST_ERR_NONE; - SSL *ssl = NULL; - int voucher_req_len; - char voucher_req[EST_BRSKI_MAX_VOUCHER_REQ_LEN+1]; - unsigned char nonce[EST_BRSKI_VOUCHER_REQ_NONCE_SIZE/2+1]; - char nonce_str[EST_BRSKI_VOUCHER_REQ_NONCE_SIZE+1]; - unsigned char returned_cacert[EST_BRSKI_MAX_CACERT_LEN]; - time_t epoch_time; - char time_str[26]; /* PDB: Look for standard macro defining the length */ - char *assertion = ""; - struct tm brkn_down_time; - char *server_cert = NULL; - - /* - * Establish the connection. We need the server cert from the handshake - * to insert into the voucher request. - */ - rv = est_client_connect(ctx, &ssl); - if (rv != EST_ERR_NONE) { - if (ssl) { - SSL_shutdown(ssl); - SSL_free(ssl); - } - return (rv); - } - - /* - * Build the voucher request - * - nonce - * - time stamp - * - proximity assertion - * - server cert - */ - memset(voucher_req, 0, EST_BRSKI_MAX_VOUCHER_REQ_LEN+1); - memset(nonce, 0, EST_BRSKI_VOUCHER_REQ_NONCE_SIZE/2+1); - memset(nonce_str, 0, EST_BRSKI_VOUCHER_REQ_NONCE_SIZE+1); - - if (!RAND_bytes(nonce, EST_BRSKI_VOUCHER_REQ_NONCE_SIZE/2)) { - EST_LOG_ERR("Unable to obtain nonce value."); - return EST_ERR_SYSCALL; - } - est_hex_to_str(nonce_str, nonce, EST_BRSKI_VOUCHER_REQ_NONCE_SIZE/2); - epoch_time = time(NULL); - if (epoch_time != -1) { - gmtime_r(&epoch_time, &brkn_down_time); - strftime(time_str, 26, "%Y-%m-%dT%H:%M:%SZ", &brkn_down_time); - } else { - EST_LOG_ERR("Unable to obtain current time when creating voucher request"); - return EST_ERR_SYSCALL; - } - - /* - * Determine the proximity setting. This must be included if the - * server's ID cert is to be included. 
- */ - assertion = "proximity"; - - server_cert = calloc(EST_BRSKI_MAX_CACERT_LEN+1, sizeof(char)); - if (server_cert == NULL) { - EST_LOG_ERR("calloc(): errno=%d\n", errno); - return (EST_ERR_MALLOC); - } - - rv = est_brski_get_server_cert(server_cert, ssl); - if (rv != EST_ERR_NONE) { - EST_LOG_ERR("Failed to obtain server's certificate from TLS connection"); - free(server_cert); - return (rv); - } - - est_brski_build_voucher_req(voucher_req, &voucher_req_len, - nonce_str, time_str, assertion, - server_cert, sign_voucher); - rv = est_client_brski_send_voucher_request(ctx, ssl, sign_voucher, - voucher_req, voucher_req_len); - - est_client_disconnect(ctx, &ssl); - - /* - * Handle the case where the server is requesting further authentication - */ - if (rv == EST_ERR_AUTH_FAIL && - (ctx->auth_mode == AUTH_DIGEST || - ctx->auth_mode == AUTH_BASIC || - ctx->auth_mode == AUTH_TOKEN)) { - - /* - * HTTPS digest mode requires the use of MD5. Make sure we're not - * in FIPS mode and can use MD5 - */ - if (ctx->auth_mode == AUTH_DIGEST && (FIPS_mode())){ - EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode"); - rv = EST_ERR_BAD_MODE; - goto err; - } - - /* Try one more time if we're doing Digest auth */ - EST_LOG_INFO("HTTP Auth failed, trying again with HTTP Auth credentials"); - rv = est_client_connect(ctx, &ssl); - if (rv != EST_ERR_NONE) { - EST_LOG_ERR("Connection failed on second attempt with HTTP Auth credentials"); - goto err; - } - - /* - * Go get the server cert again since this is new connection and registrar - * may have changed it from the first attempt. 
- */ - rv = est_brski_get_server_cert(server_cert, ssl); - if (rv != EST_ERR_NONE) { - EST_LOG_ERR("Failed to obtain server's certificate from TLS connection"); - goto err; - } - - est_brski_build_voucher_req(voucher_req, &voucher_req_len, - nonce_str, time_str, assertion, - server_cert, sign_voucher); - - rv = est_client_brski_send_voucher_request(ctx, ssl, sign_voucher, - voucher_req, voucher_req_len); - if (rv != EST_ERR_NONE) { - EST_LOG_ERR("Voucher request failed on second attempt with HTTP Auth credentials"); - } - - est_client_disconnect(ctx, &ssl); - } - - /* - * If there was an auth request from the server we've processed it and - * we're now looking at the subsequent voucher, OR, we didn't receive a - * auth request and we're ready to see if we got a valid response on the - * voucher request. - */ - if (rv == EST_ERR_NONE) { - - /* - * Parse the voucher and extract the cacert and store it in the ctx - */ - rv = brski_parse_voucher(ctx, nonce_str, &returned_cacert[0], cacert_len); - if (rv != EST_ERR_NONE) { - EST_LOG_ERR("Unable to parse voucher. rv = %d(%s)", rv, EST_ERR_NUM_TO_STR(rv)); - } - } - - ctx->auth_mode = AUTH_NONE; - err: - if (ssl) { - SSL_shutdown(ssl); - SSL_free(ssl); - } - if (server_cert) { - free(server_cert); - } - - return (rv); -} - - -/*! @brief est_client_brski_get_voucher() performs a BRSKI voucher request to - the EST server. - - @param ctx Pointer to an EST context. - @param cacert_len Pointer to an integer to hold the length of the cacert - that is returned in the voucher. - @param sign_voucher Integer indicating whether or not the voucher request is - to be signed. - - @return EST_ERROR_NONE on success, or EST based error - - est_client_brski_get_voucher() is the main entry point for sending a - voucher request and handles the higher level processing of sending a BRSKI - request voucher to the registrar, primarily the processing of a retry - response from the registrar. 
- */ -EST_ERROR est_client_brski_get_voucher (EST_CTX *ctx, int *cacert_len, - int sign_voucher) -{ - EST_ERROR rv = EST_ERR_NONE; - int actual_retry_delay = 0; - char *ser_num_str = NULL; - int ser_num_len = 0; - - if (!ctx) { - return (EST_ERR_NO_CTX); - } - - if (!ctx->est_client_initialized) { - return EST_ERR_CLIENT_NOT_INITIALIZED; - } - - if (ctx->brski_mode != BRSKI_ENABLED) { - EST_LOG_ERR("BRSKI mode not enabled or supported"); - return EST_ERR_INVALID_PARAMETERS; - } - - if (cacert_len == NULL) { - EST_LOG_ERR("cacert_len is NULL"); - return EST_ERR_INVALID_PARAMETERS; - } - - /* - * It's now time to connect with the Registrar, and this connection - * must use a certificate. If one has not been provided, or the - * one that has been provided does not contain a serialNumber element in - * in the DN, then error out. - */ - if (!ctx->client_cert) { - EST_LOG_ERR("No client MFG cert provided."); - return (EST_ERR_NO_CERT); - } - - ser_num_str = est_find_ser_num_in_subj(ctx->client_cert); - if (ser_num_str == NULL) { - char *subj; - - EST_LOG_ERR("Client MFG cert does not contain a serial number."); - - subj = X509_NAME_oneline(X509_get_subject_name(ctx->client_cert), NULL, 0); - EST_LOG_ERR("Client MFG cert subject: %s", subj); - OPENSSL_free(subj); - - return (EST_ERR_CLIENT_BRSKI_SERIAL_NUM_MISSING); - } - ser_num_len = strnlen_s(ser_num_str, EST_BRSKI_MAX_SER_NUM_LEN+1); - if (ser_num_len > EST_BRSKI_MAX_SER_NUM_LEN) { - EST_LOG_ERR("Client MFG cert contains serial number that is too long."); - return (EST_ERR_CLIENT_BRSKI_SERIAL_NUM_TOO_LARGE); - } - - if (ctx->client_cert_ser_num) { - free(ctx->client_cert_ser_num); - } - ctx->client_cert_ser_num = calloc(ser_num_len+1, sizeof(char)); - if (ctx->client_cert_ser_num == NULL) { - EST_LOG_ERR("calloc(): errno=%d\n", errno); - return (EST_ERR_MALLOC); - } - memcpy_s(ctx->client_cert_ser_num, ser_num_len, - ser_num_str, ser_num_len); - - /* - * Unlike an EST enroll, the processing of a retry-after response 
on a - * BRSKI voucher request needs to be handled by the library to ensure it - * meets the requirements of the standard. The BRSKI spec states that the - * pledge must limit the retry time to no more than 60 seconds and to - * allow only one retry attempt to help prevent a DoS attack from a - * malicious Registrar. - * - * Perform the first attempt at sending the voucher request - */ - rv = est_client_brski_send_get_voucher(ctx, cacert_len, sign_voucher); - - /* - * If it resulted in a retry-after response, wait the appropriate amount - * of time and try again. - */ - if (rv == EST_ERR_CA_ENROLL_RETRY) { - - if (ctx->retry_after_delay > EST_BRSKI_CLIENT_RETRY_MAX) { - EST_LOG_WARN("Retry attempt. Registrar indicated a delay greater than 60 seconds." - " Overriding to 60 seconds"); - actual_retry_delay = EST_BRSKI_CLIENT_RETRY_MAX; - } else { - actual_retry_delay = ctx->retry_after_delay; - } - EST_LOG_INFO("Retry attempt. Delaying for %d seconds", actual_retry_delay); - SLEEP(actual_retry_delay); - - /* Try one more time now that we've waited the retry time delay */ - EST_LOG_INFO("Attempting retry after a retry-after delay."); - - rv = est_client_brski_send_get_voucher(ctx, cacert_len, sign_voucher); - if (rv != EST_ERR_NONE) { - EST_LOG_ERR("Voucher request failed on attempt after retry timeout delay"); - } - } - - return (rv); -} - - -/*! @brief est_client_brski_copy_cacert() copies the previously retrieved - BRSKI based cacert to the application's buffer. - - @param ctx Pointer to the current EST context. - @param cacert Pointer to the buffer into which the retrieved BRSKI cacert - is to be copied. - - @return EST_ERROR_NONE on success, or EST based error - - est_client_brski_copy_cacert() copies the most recently retrieved BRSKI - cacert from the EST server. Once the cacert is copied - to the application's buffer pointed to by cacert it is removed from - the EST client context. 
- - */ -EST_ERROR est_client_brski_copy_cacert (EST_CTX *ctx, unsigned char *cacert) -{ - errno_t safec_rc; - - if (!ctx) { - return (EST_ERR_NO_CTX); - } - - if (!ctx->est_client_initialized) { - return EST_ERR_CLIENT_NOT_INITIALIZED; - } - - if (ctx->brski_mode != BRSKI_ENABLED) { - EST_LOG_ERR("BRSKI mode not enabled or supported"); - return EST_ERR_INVALID_PARAMETERS; - } - - if (cacert == NULL) { - EST_LOG_ERR("cacert ptr is NULL"); - return EST_ERR_INVALID_PARAMETERS; - } - - if (ctx->brski_retrieved_cacert == NULL) { - EST_LOG_ERR("No BRSKI cacert to copy"); - return(EST_ERR_NO_CERT); - } - - memzero_s(cacert, ctx->brski_retrieved_cacert_len); - safec_rc = memcpy_s(cacert, ctx->brski_retrieved_cacert_len, - ctx->brski_retrieved_cacert, - ctx->brski_retrieved_cacert_len); - if (safec_rc != EOK) { - EST_LOG_ERR("memcpy_s failed with 0x%xO", safec_rc); - return (EST_ERR_SYSCALL); - } - memzero_s(ctx->brski_retrieved_cacert, ctx->brski_retrieved_cacert_len); - - return (EST_ERR_NONE); -} - - -/* - * This function is used to build the HTTP headers for - * the BRSKI status indication flow. - * - * Parameters: - * ctx: EST context - * hdr: pointer to the buffer to hold the header - * req_buf_len:length fo the status indictation buffer that is ready for - * transmission - * uri: buffer containing which operation is to be performed. 
- */ -static int est_client_brski_build_status_header (EST_CTX *ctx, char *hdr, - int req_buf_len, char * uri) -{ - int hdr_len; - - snprintf(hdr, EST_HTTP_REQ_TOTAL_LEN, "POST %s%s%s/%s HTTP/1.1\r\n" - "User-Agent: %s\r\n" - "Connection: close\r\n" - "Host: %s:%d\r\n" - "Accept: */*\r\n" - "Content-Type: %s\r\n" - "Content-Length: %d\r\n", - EST_PATH_PREFIX, - (ctx->uri_path_segment?"/":""), - (ctx->uri_path_segment?ctx->uri_path_segment:""), - uri, - EST_HTTP_HDR_EST_CLIENT, - ctx->est_server, ctx->est_port_num, - EST_BRSKI_CT_STATUS, - req_buf_len); - est_client_add_auth_hdr(ctx, hdr, EST_BRSKI_GET_VOUCHER_URI); - hdr_len = (int) strnlen_s(hdr, EST_HTTP_REQ_TOTAL_LEN); - if (hdr_len == EST_HTTP_REQ_TOTAL_LEN) { - EST_LOG_WARN("BRSKI voucher request header took up the maximum amount in buffer (%d)", - EST_HTTP_REQ_TOTAL_LEN); - } - - return (hdr_len); -} - -/* - * This function does the work for the voucher status indication flow. - * - * Parameters: - * ctx: EST context - * ssl: SSL context - * status: pointer to buffer containing the JSON status indication - * status_len: length of the status buffer - * opcode: Indicates which of the two status operations to be performed. 
- */ -static int send_status (EST_CTX *ctx, SSL *ssl, char *status, int status_len, - EST_OPERATION opcode) -{ - char *http_data; - int hdr_len; - int write_size; - int rv; - unsigned char *resp_buf; - int resp_buf_len; - char *uri; - errno_t safec_rc; - - /* - * Build the HTTP request - */ - http_data = malloc(EST_HTTP_REQ_TOTAL_LEN); - if (http_data == NULL) { - EST_LOG_ERR("Unable to allocate memory for http_data"); - return EST_ERR_MALLOC; - } - - if (opcode == EST_OP_BRSKI_VOUCHER_STATUS) { - uri = EST_BRSKI_VOUCHER_STATUS; - } else if (opcode == EST_OP_BRSKI_ENROLL_STATUS){ - uri = EST_BRSKI_ENROLL_STATUS; - } - hdr_len = est_client_brski_build_status_header(ctx, http_data, status_len, uri); - /* - * terminate the HTTP header - */ - snprintf(http_data + hdr_len, EST_HTTP_REQ_TOTAL_LEN-hdr_len,"\r\n"); - hdr_len += 2; - - /* - * Build the HTTP body containing the status indication - */ - safec_rc = memcpy_s(http_data + hdr_len, EST_HTTP_REQ_DATA_MAX, - status, status_len); - if (safec_rc != EOK) { - EST_LOG_ERR("memcpy_s failed with 0x%xO", safec_rc); - free(http_data); - return (EST_ERR_SYSCALL); - } - - hdr_len += status_len; - - /* - * terminate the HTTP request - */ - snprintf(http_data + hdr_len,EST_HTTP_REQ_TOTAL_LEN-hdr_len, "\r\n"); - hdr_len += 2; - - /* - * Send the request to the server and wait for a response - */ - ctx->last_http_status = 0; - write_size = SSL_write(ssl, http_data, hdr_len); - if (write_size < 0) { - EST_LOG_ERR("TLS write error"); - ossl_dump_ssl_errors(); - free(http_data); - rv = EST_ERR_SSL_WRITE; - } else { - EST_LOG_INFO("TLS wrote %d bytes, attempted %d bytes\n", - write_size, hdr_len); - - /* - * Try to get the response from the server - */ - rv = est_io_get_response(ctx, ssl, opcode, &resp_buf, &resp_buf_len); - - switch (rv) { - case EST_ERR_NONE: - break; - case EST_ERR_AUTH_FAIL: - EST_LOG_ERR("HTTP auth failure"); - break; - case EST_ERR_CA_ENROLL_RETRY: - EST_LOG_INFO("HTTP request failed with a RETRY AFTER resp"); - 
break; - default: - EST_LOG_ERR("EST request failed: %d (%s)", rv, EST_ERR_NUM_TO_STR(rv)); - break; - } - } - - if (http_data) { - free(http_data); - } - - return (rv); -} - - -/*! @brief est_client_brski_send_voucher_status() sends a BRSKI voucher status - indication to the EST server. - - @param ctx Pointer to an EST context - @param status Enum value defined in the enum EST_BRSKI_STATUS_VALUE - @param reason NULL terminated string containing the reason. - - @return EST_ERROR_NONE on success, or EST based error - - est_client_brski_send_voucher_status() implements the BRSKI - /voucher_status. It connects to the EST server, builds the BRSKI voucher - status message, and sends the status message. The HTTP status returned - from the EST server represents the status of the sending of this BRSKI - message. The application can call est_client_get_last_http_status() to - obtain the HTTP status of this message. - - */ -EST_ERROR est_client_brski_send_voucher_status (EST_CTX *ctx, EST_BRSKI_STATUS_VALUE status, - char *reason) -{ - EST_ERROR rv = EST_ERR_NONE; - SSL *ssl = NULL; - int voucher_status_len; - char voucher_status[EST_BRSKI_MAX_STATUS_LEN]; - char *status_str; - - if (!ctx) { - return (EST_ERR_NO_CTX); - } - - if (!ctx->est_client_initialized) { - return EST_ERR_CLIENT_NOT_INITIALIZED; - } - - if (ctx->brski_mode != BRSKI_ENABLED) { - EST_LOG_ERR("BRSKI mode not enabled or supported"); - return EST_ERR_INVALID_PARAMETERS; - } - - if (status == EST_BRSKI_STATUS_SUCCESS) { - status_str = "true"; - } else if (status == EST_BRSKI_STATUS_FAIL) { - status_str = "false"; - } else { - EST_LOG_ERR("BRSKI send voucher status not valid"); - return EST_ERR_INVALID_PARAMETERS; - } - - if (reason == NULL || *reason == '\n') { - EST_LOG_ERR("Reason buffer is NULL or is an empty string"); - return EST_ERR_INVALID_PARAMETERS; - } - - if (strnlen_s(reason, EST_BRSKI_MAX_REASON_LEN+1) > EST_BRSKI_MAX_REASON_LEN) { - EST_LOG_ERR("Reason buffer exceeds maximum"); - return 
EST_ERR_INVALID_PARAMETERS; - } - - /* - * build up the voucher status buffer - */ - snprintf(voucher_status, EST_BRSKI_MAX_STATUS_LEN, - "{\r\n" - "\"version\":\"%s\",\r\n" - "\"Status\":%s,\r\n" /* no quotes to simulate a JSON boolean */ - "\"Reason\":\"%s\"\r\n" - "}", BRSKI_VERSION, status_str, reason); - - voucher_status_len = strnlen_s(voucher_status, EST_BRSKI_MAX_STATUS_LEN+1); - if (voucher_status_len > EST_BRSKI_MAX_STATUS_LEN) { - EST_LOG_ERR("Status buffer too large"); - return EST_ERR_INVALID_PARAMETERS; - } - - rv = est_client_connect(ctx, &ssl); - if (rv != EST_ERR_NONE) { - if (ssl) { - SSL_shutdown(ssl); - SSL_free(ssl); - } - return (rv); - } - - rv = send_status(ctx, ssl, voucher_status, voucher_status_len, EST_OP_BRSKI_VOUCHER_STATUS); - est_client_disconnect(ctx, &ssl); - - /* - * Handle the case where the server is requesting further authentication - */ - if (rv == EST_ERR_AUTH_FAIL && - (ctx->auth_mode == AUTH_DIGEST || - ctx->auth_mode == AUTH_BASIC || - ctx->auth_mode == AUTH_TOKEN)) { - - /* - * HTTPS digest mode requires the use of MD5. Make sure we're not - * in FIPS mode and can use MD5 - */ - if (ctx->auth_mode == AUTH_DIGEST && (FIPS_mode())){ - EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode"); - rv = EST_ERR_BAD_MODE; - goto err; - } - - /* Try one more time if we're doing Digest auth */ - EST_LOG_INFO("HTTP Auth failed, trying again with HTTP Auth credentials"); - rv = est_client_connect(ctx, &ssl); - if (rv != EST_ERR_NONE) { - EST_LOG_ERR("Connection failed on second attempt with HTTP Auth credentials"); - goto err; - } - - rv = send_status(ctx, ssl, voucher_status, voucher_status_len, EST_OP_BRSKI_VOUCHER_STATUS); - if (rv != EST_ERR_NONE) { - EST_LOG_ERR("Voucher status failed on second attempt with HTTP Auth credentials"); - } - - est_client_disconnect(ctx, &ssl); - } - - ctx->auth_mode = AUTH_NONE; - err: - if (ssl) { - SSL_shutdown(ssl); - SSL_free(ssl); - } - - return (rv); -} - - -/*! 
@brief est_client_send_cert_status() sends a certificate status - indication to the EST server. - - @param ctx Pointer to an EST context - @param status Enum value defined in the enum EST_BRSKI_STATUS_VALUE - @param reason Pointer to buffer containing the enroll status - reason being sent back to the EST server. This can be an empty - string when status is success. - @param subject_key_id Pointer to buffer containing the SubjectKeyIdentifier - of the certificate that was just returned from the CA as a result of the - enrollment process. - - @return EST_ERROR_NONE on success, or EST based error - - est_client_send_cert_status() connects to the EST server, builds - enrollment status message, and sends the message. The response is just - the HTTP response. The application can call est_client_get_last_http_status() - to obtain the HTTP status of this message. - */ -EST_ERROR est_client_brski_send_enroll_status (EST_CTX *ctx, EST_BRSKI_STATUS_VALUE status, - char *reason, - unsigned char *subject_key_id) -{ - EST_ERROR rv = EST_ERR_NONE; - char enroll_status[EST_BRSKI_MAX_STATUS_LEN]; - SSL *ssl = NULL; - int enroll_status_len; - unsigned char subject_key_b64[EST_BRSKI_MAX_SUBJ_KEY_ID_LEN*2]; - /* PDB: *2 to cover b64 growth */ - int ski_b64_len = 0; - char *status_str; - - if (!ctx) { - return (EST_ERR_NO_CTX); - } - - if (!ctx->est_client_initialized) { - return EST_ERR_CLIENT_NOT_INITIALIZED; - } - - if (ctx->brski_mode != BRSKI_ENABLED) { - EST_LOG_ERR("BRSKI mode not enabled or supported"); - return EST_ERR_INVALID_PARAMETERS; - } - - if (status == EST_BRSKI_STATUS_SUCCESS) { - status_str = "true"; - } else if (status == EST_BRSKI_STATUS_FAIL) { - status_str = "false"; - } else { - EST_LOG_ERR("BRSKI send voucher status not valid"); - return EST_ERR_INVALID_PARAMETERS; - } - - if (reason != NULL && strnlen_s(reason, EST_BRSKI_MAX_REASON_LEN+1) > EST_BRSKI_MAX_REASON_LEN) { - EST_LOG_ERR("Reason buffer exceeds maximum"); - return EST_ERR_INVALID_PARAMETERS; - } - - 
/* - * If the status is a failure, then there needs to be a reason. - */ - if (status == EST_BRSKI_STATUS_FAIL) { - if (reason == NULL) { - EST_LOG_ERR("Reason buffer is NULL, and status is FAIL"); - return EST_ERR_INVALID_PARAMETERS; - } - } - - if (subject_key_id == NULL || *subject_key_id == '\n') { - EST_LOG_ERR("Subject Key Identifier buffer is NULL or is an empty string"); - return EST_ERR_INVALID_PARAMETERS; - } - - if (strnlen_s((char *)subject_key_id, EST_BRSKI_MAX_SUBJ_KEY_ID_LEN+1) > EST_BRSKI_MAX_SUBJ_KEY_ID_LEN) { - EST_LOG_ERR("Subject key identifier buffer exceeds maximum"); - return EST_ERR_INVALID_PARAMETERS; - } - - ski_b64_len = est_base64_encode((const char *)subject_key_id, - strnlen_s((char *)subject_key_id, EST_BRSKI_MAX_SUBJ_KEY_ID_LEN), - (char *)subject_key_b64, - (EST_BRSKI_MAX_SUBJ_KEY_ID_LEN*2)); - if (ski_b64_len == 0) { - EST_LOG_ERR("Cannot base64 encode Subject Key Identifier"); - return EST_ERR_INVALID_PARAMETERS; - } - - /* - * build up the enroll status buffer - */ - snprintf(enroll_status, EST_BRSKI_MAX_STATUS_LEN, - "{\r\n" - "\"version\":\"%s\",\r\n" - "\"Status\":%s,\r\n" - "\"Reason\":\"%s\",\r\n" - "\"SubjectKeyIdentifier\":\"%s\"\r\n" - "}", - BRSKI_VERSION, status_str, reason, subject_key_b64); - - enroll_status_len = strnlen_s(enroll_status, EST_BRSKI_MAX_STATUS_LEN+1); - if (enroll_status_len > EST_BRSKI_MAX_STATUS_LEN) { - EST_LOG_ERR("Status buffer too large"); - return EST_ERR_INVALID_PARAMETERS; - } - - rv = est_client_connect(ctx, &ssl); - if (rv != EST_ERR_NONE) { - if (ssl) { - SSL_shutdown(ssl); - SSL_free(ssl); - } - return (rv); - } - - rv = send_status(ctx, ssl, enroll_status, enroll_status_len, EST_OP_BRSKI_ENROLL_STATUS); - est_client_disconnect(ctx, &ssl); - - /* - * Handle the case where the server is requesting further authentication - */ - if (rv == EST_ERR_AUTH_FAIL && - (ctx->auth_mode == AUTH_DIGEST || - ctx->auth_mode == AUTH_BASIC || - ctx->auth_mode == AUTH_TOKEN)) { - - /* - * HTTPS digest mode 
requires the use of MD5. Make sure we're not - * in FIPS mode and can use MD5 - */ - if (ctx->auth_mode == AUTH_DIGEST && (FIPS_mode())){ - EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode"); - rv = EST_ERR_BAD_MODE; - goto err; - } - - /* Try one more time if we're doing Digest auth */ - EST_LOG_INFO("HTTP Auth failed, trying again with HTTP Auth credentials"); - rv = est_client_connect(ctx, &ssl); - if (rv != EST_ERR_NONE) { - EST_LOG_ERR("Connection failed on second attempt with HTTP Auth credentials"); - goto err; - } - - rv = send_status(ctx, ssl, enroll_status, enroll_status_len, EST_OP_BRSKI_ENROLL_STATUS); - if (rv != EST_ERR_NONE) { - EST_LOG_ERR("Enroll status failed on second attempt with HTTP Auth credentials"); - } - - est_client_disconnect(ctx, &ssl); - } - - ctx->auth_mode = AUTH_NONE; - err: - if (ssl) { - SSL_shutdown(ssl); - SSL_free(ssl); - } - - return (rv); -} -#endif // BRSKI Support diff --git a/src/est/est_client_http.c b/src/est/est_client_http.c index f91850c..784c2d1 100644 --- a/src/est/est_client_http.c +++ b/src/est/est_client_http.c 
@@ -608,26 +608,12 @@ static int parsedate(const char *date, time_t *output) * the response from the server meets the EST draft. This * table is implicitly tied to EST_OPERATION. If that ENUM * changes, this table must change. - * - * NOTE: BRSKI voucher status and enroll status deviate from the rest of the - * EST and BRSKI primitives in that the response to these two do not - * contain any content. est_op_map is used to verify the responses, - * specifically, the content headers, which are not applicable when - * there is no content. These two are being left in to this matrix to - * maintain parity with EST_OPERATION in case other operations are added - * later. - * */ EST_OP_DEF est_op_map [EST_OP_MAX] = { { EST_OP_SIMPLE_ENROLL, EST_SIMPLE_ENROLL_URI, EST_HTTP_CT_PKCS7_CO, sizeof(EST_HTTP_CT_PKCS7_CO) }, { EST_OP_SIMPLE_REENROLL, EST_RE_ENROLL_URI, EST_HTTP_CT_PKCS7_CO, sizeof(EST_HTTP_CT_PKCS7_CO) }, { EST_OP_CACERTS, EST_CACERTS_URI, EST_HTTP_CT_PKCS7, sizeof(EST_HTTP_CT_PKCS7) }, - { EST_OP_CSRATTRS, EST_CSR_ATTRS_URI, EST_HTTP_CT_CSRATTRS, sizeof(EST_HTTP_CT_CSRATTRS) }, -#if ENABLE_BRSKI - { EST_OP_BRSKI_REQ_VOUCHER, EST_BRSKI_GET_VOUCHER_URI, EST_BRSKI_CT_VRSP, sizeof(EST_BRSKI_CT_VRSP)}, - { EST_OP_BRSKI_VOUCHER_STATUS, EST_BRSKI_VOUCHER_STATUS_URI, EST_BRSKI_CT_STATUS, sizeof(EST_BRSKI_CT_STATUS)}, - { EST_OP_BRSKI_ENROLL_STATUS, EST_BRSKI_ENROLL_STATUS_URI, EST_BRSKI_CT_STATUS, sizeof(EST_BRSKI_CT_STATUS)}, -#endif + { EST_OP_CSRATTRS, EST_CSR_ATTRS_URI, EST_HTTP_CT_CSRATTRS, sizeof(EST_HTTP_CT_CSRATTRS) } }; /********************************************************************** @@ -751,7 +737,7 @@ static EST_ERROR est_io_parse_auth_tokens (EST_CTX *ctx, char *hdr) while ((token = HTNextField(&p))) { if (!est_strcasecmp_s(token, "realm")) { if ((value = HTNextField(&p))) { - if (EOK != strcpy_s(ctx->realm, MAX_REALM, value)) { + if (EOK != strncpy_s(ctx->realm, MAX_REALM, value, MAX_REALM)) { rv = EST_ERR_INVALID_TOKEN; } } else { 
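Review bot: Passing `MAX_REALM` as both the destination size and the slen in `strncpy_s(ctx->realm, MAX_REALM, value, MAX_REALM)` bounds the copy no more tightly than the `strcpy_s` it replaces: with slen equal to dmax a value of MAX_REALM or more characters still has no room for its terminator, so under the Safe C semantics the `EOK` comparison suggests the call fails with the same out-of-space error instead of truncating. If the intent is to truncate over-long realm tokens, the form used in est_proxy.c `@@ -754`, est_server.c `@@ -889` and est_server.c `@@ -1258` — slen one less than dmax, here `strncpy_s(ctx->realm, MAX_REALM, value, MAX_REALM - 1)` — is the one that does it; if rejection is intended, the change is a no-op and the existing `EST_ERR_INVALID_TOKEN` path already covers it. The same slen-equals-dmax pattern appears in the nonce, error and error_description hunks on the next line and in est_proxy.c `@@ -1269` and `@@ -1417`. est_io_parse_auth_tokens starts and ends outside the hunk.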
@@ -759,7 +745,7 @@ static EST_ERROR est_io_parse_auth_tokens (EST_CTX *ctx, char *hdr) } } else if (!est_strcasecmp_s(token, "nonce")) { if ((value = HTNextField(&p))) { - if (EOK != strcpy_s(ctx->s_nonce, MAX_NONCE, value)) { + if (EOK != strncpy_s(ctx->s_nonce, MAX_NONCE, value, MAX_NONCE)) { rv = EST_ERR_INVALID_TOKEN; } } else { @@ -792,7 +778,7 @@ static EST_ERROR est_io_parse_auth_tokens (EST_CTX *ctx, char *hdr) } } else if (!est_strcasecmp_s(token, "error")) { if ((value = HTNextField(&p))) { - if (EOK != strcpy_s(ctx->token_error, MAX_TOKEN_ERROR, value)) { + if (EOK != strncpy_s(ctx->token_error, MAX_TOKEN_ERROR, value, MAX_TOKEN_ERROR)) { rv = EST_ERR_INVALID_TOKEN; } } else { @@ -800,7 +786,7 @@ static EST_ERROR est_io_parse_auth_tokens (EST_CTX *ctx, char *hdr) } } else if (!est_strcasecmp_s(token, "error_description")) { if ((value = HTNextField(&p))) { - if (EOK != strcpy_s(ctx->token_error_desc, MAX_TOKEN_ERROR_DESC, value)) { + if (EOK != strncpy_s(ctx->token_error_desc, MAX_TOKEN_ERROR_DESC, value, MAX_TOKEN_ERROR_DESC)) { rv = EST_ERR_INVALID_TOKEN; } } else { @@ -907,16 +893,13 @@ static HTTP_HEADER * parse_http_headers (unsigned char **buf, int *num_headers) * unrecognized codes will result in an error. * Note that HTTP 1.1 is expected. */ -static int est_io_parse_response_status_code (unsigned char *buf, char *reason_phrase) +static int est_io_parse_response_status_code (unsigned char *buf) { if (!strncmp((const char *)buf, EST_HTTP_HDR_200, strnlen_s(EST_HTTP_HDR_200, EST_HTTP_HDR_MAX))) { return 200; } else if (!strncmp((const char *)buf, EST_HTTP_HDR_202, strnlen_s(EST_HTTP_HDR_202, EST_HTTP_HDR_MAX))) { - buf = buf + strnlen_s(EST_HTTP_HDR_202, EST_HTTP_HDR_MAX); - memcpy_s(reason_phrase, EST_HTTP_MAX_REASON_PHRASE, buf, - strnlen_s((const char *)buf, EST_HTTP_MAX_REASON_PHRASE)); return 202; } else if (!strncmp((const char *)buf, EST_HTTP_HDR_204, strnlen_s(EST_HTTP_HDR_204, EST_HTTP_HDR_MAX))) { 
@@ -1250,7 +1233,6 @@ EST_ERROR est_io_get_response (EST_CTX *ctx, SSL *ssl, EST_OPERATION op, HTTP_HEADER *hdrs; int hdr_cnt; int http_status; - char reason_phrase[EST_HTTP_MAX_REASON_PHRASE]; unsigned char *raw_buf, *payload_buf, *payload; int raw_len = 0; @@ -1283,7 +1265,7 @@ EST_ERROR est_io_get_response (EST_CTX *ctx, SSL *ssl, EST_OPERATION op, * Parse the HTTP header to get the status * Look for status 200 for success */ - http_status = est_io_parse_response_status_code(raw_buf, &(reason_phrase[0])); + http_status = est_io_parse_response_status_code(raw_buf); ctx->last_http_status = http_status; hdrs = parse_http_headers(&payload, &hdr_cnt); EST_LOG_INFO("HTTP status %d received", http_status); 
@@ -1351,48 +1333,37 @@ EST_ERROR est_io_get_response (EST_CTX *ctx, SSL *ssl, EST_OPERATION op, } if (rv == EST_ERR_NONE) { -#if (ENABLE_BRSKI) /* - * Voucher status and enroll status responses do not contain - * any content so no need to check the content related headers + * Get the Content-Type and Content-Length headers + * and verify the HTTP response contains the correct amount + * of data. */ - if (op != EST_OP_BRSKI_VOUCHER_STATUS && - op != EST_OP_BRSKI_ENROLL_STATUS) { -#endif + *payload_len = est_io_check_http_hdrs(hdrs, hdr_cnt, op); + EST_LOG_INFO("HTTP Content len=%d", *payload_len); + + if (*payload_len > EST_CA_MAX) { + EST_LOG_ERR("Content Length larger than maximum value of %d.", + EST_CA_MAX); + rv = EST_ERR_UNKNOWN; + *payload_len = 0; + *buf = NULL; + } else if (*payload_len == 0) { + *payload_len = 0; + *buf = NULL; + } else { /* - * Get the Content-Type and Content-Length headers - * and verify the HTTP response contains the correct amount - * of data. + * Allocate the buffer to hold the payload to be passed back */ - *payload_len = est_io_check_http_hdrs(hdrs, hdr_cnt, op); - EST_LOG_INFO("HTTP Content len=%d", *payload_len); - - if (*payload_len > EST_CA_MAX) { - EST_LOG_ERR("Content Length larger than maximum value of %d.", - EST_CA_MAX); - rv = EST_ERR_UNKNOWN; - *payload_len = 0; - *buf = NULL; - } else if (*payload_len == 0) { - *payload_len = 0; - *buf = NULL; - } else { - /* - * Allocate the buffer to hold the payload to be passed back - */ - payload_buf = malloc(*payload_len); - if (!payload_buf) { - EST_LOG_ERR("Unable to allocate memory"); - free(raw_buf); - free(hdrs); - return EST_ERR_MALLOC; - } - memcpy_s(payload_buf, *payload_len, payload, *payload_len); - *buf = payload_buf; + payload_buf = malloc(*payload_len); + if (!payload_buf) { + EST_LOG_ERR("Unable to allocate memory"); + free(raw_buf); + free(hdrs); + return EST_ERR_MALLOC; } -#if (ENABLE_BRSKI) + memcpy_s(payload_buf, *payload_len, payload, *payload_len); + *buf = 
payload_buf; } -#endif } if (raw_buf) { diff --git a/src/est/est_client_proxy.c b/src/est/est_client_proxy.c index 705136c..1b289e8 100755 --- a/src/est/est_client_proxy.c +++ b/src/est/est_client_proxy.c @@ -69,7 +69,7 @@ static int addr_to_str (struct sockaddr *addr, char *str, size_t str_size, } dw_str_size = str_size; if (addr_len != 0 && - WSAAddressToStringA(addr, addr_len, NULL, str, &dw_str_size) == 0) { + WSAAddressToStringW(addr, addr_len, NULL, (LPWSTR)str, &dw_str_size) == 0) { ret = 0; } #else @@ -100,31 +100,16 @@ static int addr_to_str (struct sockaddr *addr, char *str, size_t str_size, return ret; } -static int fd_is_valid(int fd) -{ - return (fcntl(fd, F_GETFD) != -1 || errno != EBADF); -} - static tcw_err_t tcw_direct_close (tcw_sock_t *sock) { tcw_err_t ret = TCW_OK; - /* - * Make sure that the socket is still valid. If it is, then go ahead and - * attempt to close it. This is not fool proof. The server may close - * their side between when checking to see if it's valid and actually - * performing the close, but this at least reduces the output of the error - * log message. - */ - if (fd_is_valid(sock->sock_fd)) { - if (CLOSE_SOCKET(sock->sock_fd) != 0) { - EST_LOG_ERR("close failed: %d", GET_SOCK_ERR()); - ret = TCW_ERR_CLOSE; - /* SOCK_ERR already set */ - goto done; - } + if (CLOSE_SOCKET(sock->sock_fd) != 0) { + EST_LOG_ERR("close failed: %d", GET_SOCK_ERR()); + ret = TCW_ERR_CLOSE; + /* SOCK_ERR already set */ + goto done; } - sock->sock_fd = SOCK_INVALID; done: diff --git a/src/est/est_locl.h b/src/est/est_locl.h index 14174f4..63cca4f 100644 --- a/src/est/est_locl.h +++ b/src/est/est_locl.h @@ -82,7 +82,6 @@ #define EST_HTTP_STAT_404_TXT "Not Found" #define EST_HTTP_STAT_423_TXT "Locked" -#define EST_HTTP_MAX_REASON_PHRASE 256 #define EST_HTTP_HDR_MAX 1024 #define EST_HTTP_HDR_200 "HTTP/1.1 200 OK" #define EST_HTTP_HDR_STAT_200 "Status: 200 OK" 
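Review bot: The branch ladder after `*payload_len = est_io_check_http_hdrs(hdrs, hdr_cnt, op);` handles only `> EST_CA_MAX` and `== 0`, so if that helper can report a problem with a negative value (its body is not visible here) the negative `int` reaches `malloc(*payload_len)` as a huge `size_t`. Changing the second case to `} else if (*payload_len <= 0) {` and mapping a negative value to an error `rv` rather than to an empty body closes that path whatever the helper's contract turns out to be. est_io_get_response starts and ends outside the hunk.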
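Review bot: Casting `str` to `LPWSTR` for `WSAAddressToStringW` is unsafe: `str` is a `char` buffer of `str_size` bytes, while the W variant treats `dw_str_size` as a count of wide characters and writes UTF-16, so it can write up to twice the buffer's size and the caller then receives a wide string where it expects a narrow one. Either keep the narrow call, `WSAAddressToStringA(addr, addr_len, NULL, str, &dw_str_size)`, or format into a separate `WCHAR` temporary and convert into `str` with `WideCharToMultiByte`, bounding the conversion by `str_size`. addr_to_str starts outside the hunk.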
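Review bot: With the validity check gone, `tcw_direct_close` now calls `CLOSE_SOCKET(sock->sock_fd)` unconditionally, so a second close of the same `tcw_sock_t` — whose `sock_fd` the function itself has already set to `SOCK_INVALID` — logs `close failed` and returns `TCW_ERR_CLOSE`. Dropping `fd_is_valid` is reasonable, since its `!= -1 || errno != EBADF` test was not a reliable guard, but a cheap idempotence check before the close, `if (sock->sock_fd == SOCK_INVALID) goto done;`, keeps a double close from being reported as an error. Whether any caller relies on a repeated close being silent I cannot tell from this hunk.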
@@ -107,7 +106,7 @@ #define EST_CSRATTRS_POP "MAsGCSqGSIb3DQEJBw==" #define EST_CSRATTRS_POP_LEN 20 -#define EST_HTTP_HDR_EST_CLIENT "Cisco EST client 2.0 with BRSKI" +#define EST_HTTP_HDR_EST_CLIENT "LibEST client 1.0" #define EST_HTTP_REQ_DATA_MAX 4096 #define EST_HTTP_REQ_TERMINATOR_LEN 5 @@ -144,30 +143,6 @@ #define EST_CACERTS_URI "/.well-known/est/cacerts" #define EST_KEYGEN_URI "/.well-known/est/serverkeygen" -/* - * BRSKI Support - */ -#define EST_BRSKI_GET_VOUCHER "requestvoucher" -#define EST_BRSKI_VOUCHER_STATUS "voucher_status" -#define EST_BRSKI_ENROLL_STATUS "enrollstatus" -#define EST_BRSKI_GET_VOUCHER_URI EST_PATH_PREFIX"/"EST_BRSKI_GET_VOUCHER -#define EST_BRSKI_VOUCHER_STATUS_URI EST_PATH_PREFIX"/"EST_BRSKI_VOUCHER_STATUS -#define EST_BRSKI_ENROLL_STATUS_URI EST_PATH_PREFIX"/"EST_BRSKI_ENROLL_STATUS - -#define EST_BRSKI_CT_VREQ_SIGNED "application/voucherrequest" -#define EST_BRSKI_CT_VREQ "application/unsignedvoucherrequest" -#define EST_BRSKI_CT_VRSP "application/voucher+cms" -#define EST_BRSKI_CT_STATUS "application/json" - -#define BRSKI_ENABLED 1 -#define EST_BRSKI_CLIENT_RETRY_MAX 60 - -/* The server retry-after values below are in seconds */ -#define EST_BRSKI_RETRY_PERIOD_DEF 30 -#define EST_BRSKI_RETRY_PERIOD_MIN 1 -#define EST_BRSKI_RETRY_PERIOD_MAX 70 - - #define EST_BEARER_TOKEN_STR "Bearer " typedef enum { @@ -190,19 +165,14 @@ typedef enum { EST_OP_SIMPLE_REENROLL, EST_OP_CACERTS, EST_OP_CSRATTRS, -#if ENABLE_BRSKI - EST_OP_BRSKI_REQ_VOUCHER, - EST_OP_BRSKI_VOUCHER_STATUS, - EST_OP_BRSKI_ENROLL_STATUS, -#endif EST_OP_MAX } EST_OPERATION; typedef struct { EST_OPERATION op; - char *uri; - char *content_type; - int length; + char *uri; + char *content_type; + int length; } EST_OP_DEF; #define INITIAL_PROXY_CLIENT_CTXS 8 
@@ -254,17 +224,10 @@ struct est_ctx { char *path_seg, void *ex_data); unsigned char *(*est_get_cacerts_cb)(int *cacerts_len, char *path_seg, void *ex_data); - unsigned char *(*est_get_csr_cb)(int *csr_len, char *path_seg, X509 *peer_cert, void *ex_data); + unsigned char *(*est_get_csr_cb)(int *csr_len, char *path_seg, void *ex_data); int (*est_http_auth_cb)(struct est_ctx *ctx, EST_HTTP_AUTH_HDR *ah, X509 *peer_cert, char *path_seg, void *ex_data); - /* - * BRSKI based call backs - */ - brski_voucher_req_cb est_brski_voucher_req_cb; - brski_voucher_status_cb est_brski_voucher_status_cb; - brski_enroll_status_cb est_brski_enroll_status_cb; - /* * Client mode configuration options */ @@ -272,7 +235,6 @@ struct est_ctx { int est_port_num; char *uri_path_segment; X509 *client_cert; - char *client_cert_ser_num; EVP_PKEY *client_key; EST_HTTP_AUTH_CRED_RC (*auth_credentials_cb)(EST_HTTP_AUTH_HDR *auth_credentials); EST_HTTP_AUTH_MODE auth_mode; @@ -299,22 +261,7 @@ struct est_ctx { tcw_sock_t tcw_sock; int tcw_sock_connected; - int est_client_initialized; - - /* - * BRSKI mode - */ - /* client */ - int brski_mode; - unsigned char *brski_retrieved_voucher; - int brski_retrieved_voucher_len; - unsigned char *brski_retrieved_cacert; - int brski_retrieved_cacert_len; - - /* server */ - int brski_retry_period; /* Number of seconds client should wait - to attempt voucher request */ - + int est_client_initialized; /* * The following are used for server and/or proxy mode */ 
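Review bot: Dropping the `X509 *peer_cert` parameter from the `est_get_csr_cb` member changes a callback signature that application code implements, while the neighbouring `est_http_auth_cb` keeps its `peer_cert` argument, so the two callbacks no longer see the client consistently and, as far as this hunk shows, the CSR-attributes callback can no longer be tailored to the authenticated peer. If that is intended, the public registration function for this callback and the API documentation (neither visible here) have to change in step, and a comment on the member, `/* receives no peer certificate; see est_http_auth_cb for the callback that does */`, would save the next reader from reaching for it. struct est_ctx starts and ends outside the hunk.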
@@ -470,13 +417,8 @@ EST_ERROR est_send_csrattr_data(EST_CTX *ctx, char *csr_data, int csr_len, void void cleanse_auth_credentials(EST_HTTP_AUTH_HDR *auth_cred); EST_ERROR est_parse_uri (char *uri, EST_OPERATION *operation, char **path_seg); -LIBEST_TEST_API EST_ERROR est_store_path_segment (EST_CTX *ctx, char *path_segment, +EST_ERROR est_store_path_segment (EST_CTX *ctx, char *path_segment, int path_segment_len); EST_OPERATION est_parse_operation (char *op_path); int est_strcasecmp_s (char *s1, char *s2); - -char *skip(char **buf, const char *delimiters); -char *skip_quoted(char **buf, const char *delimiters, const char *whitespace, - char quotechar); -size_t est_strcspn(const char * str1,const char * str2); #endif diff --git a/src/est/est_ossl_util.c b/src/est/est_ossl_util.c index db57a33..0b92e02 100644 --- a/src/est/est_ossl_util.c +++ b/src/est/est_ossl_util.c @@ -321,7 +321,7 @@ int est_convert_p7b64_to_pem (unsigned char *certs_p7, int certs_len, unsigned c /* * Now that we've decoded the certs, get a reference - * to the stack of certs + * the the stack of certs */ nid=OBJ_obj2nid(p7->type); switch (nid) @@ -340,7 +340,7 @@ int est_convert_p7b64_to_pem (unsigned char *certs_p7, int certs_len, unsigned c } if (!certs) { - EST_LOG_ERR("Failed to obtain X509 cert stack from PKCS7 data"); + EST_LOG_ERR("Failed to attain X509 cert stack from PKCS7 data"); PKCS7_free(p7); return (-1); } 
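Review bot: The replacement comment in est_ossl_util.c `@@ -321` reads `get a reference the the stack of certs`, a typo the old line did not have, and the `@@ -340` hunk swaps a correct `obtain` for `attain` in the log string; both read as accidental reversions rather than intended edits. Keep `* to the stack of certs` and `EST_LOG_ERR("Failed to obtain X509 cert stack from PKCS7 data");`. est_convert_p7b64_to_pem starts and ends outside both hunks.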
@@ -384,29 +384,3 @@ int est_convert_p7b64_to_pem (unsigned char *certs_p7, int certs_len, unsigned c return (pem_len); } -#if ENABLE_BRSKI - -char *est_find_ser_num_in_subj(X509 *cert) -{ - X509_NAME *subj = X509_get_subject_name(cert); - ASN1_STRING *ser_num_asn1 = NULL; - X509_NAME_ENTRY *entry; - int i; - char *ser_num_str; - - i = X509_NAME_get_index_by_NID(subj, NID_serialNumber, -1); - if (i == -1) { - EST_LOG_ERR("Serial Number element not defined in certificate subject attribute"); - return (NULL); - } - - /* - * Serial number exists in the subject. Extract the value and return it - */ - entry = X509_NAME_get_entry(subj, i); - ser_num_asn1 = X509_NAME_ENTRY_get_data(entry); - ser_num_str = (char *)ASN1_STRING_data(ser_num_asn1); - EST_LOG_INFO("Found Serial Number. Serial number = %s", ser_num_str); - return(ser_num_str); -} -#endif diff --git a/src/est/est_proxy.c b/src/est/est_proxy.c index fd110f6..dafa77b 100644 --- a/src/est/est_proxy.c +++ b/src/est/est_proxy.c @@ -9,7 +9,7 @@ * * May, 2013 * - * Copyright (c) 2013, 2016, 2017 by cisco Systems, Inc. + * Copyright (c) 2013, 2016 by cisco Systems, Inc. * All rights reserved. **------------------------------------------------------------------ */ @@ -754,7 +754,8 @@ static int est_proxy_handle_csr_attrs (EST_CTX *ctx, void *http_ctx, if (!csr_data) { return (EST_ERR_MALLOC); } - strcpy_s(csr_data, EST_CSRATTRS_POP_LEN + 1, EST_CSRATTRS_POP); + strncpy_s(csr_data, EST_CSRATTRS_POP_LEN + 1, + EST_CSRATTRS_POP, EST_CSRATTRS_POP_LEN); csr_data[EST_CSRATTRS_POP_LEN] = 0; csr_len = EST_CSRATTRS_POP_LEN; return (est_send_csrattr_data(ctx, csr_data, csr_len, http_ctx)); 
@@ -1269,7 +1270,7 @@ EST_CTX * est_proxy_init (unsigned char *ca_chain, int ca_chain_len, ctx->ca_chain_raw[ca_chain_len] = '\0'; ctx->ca_chain_raw_len = ca_chain_len; - strcpy_s(ctx->realm, MAX_REALM, http_realm); + strncpy_s(ctx->realm, MAX_REALM, http_realm, MAX_REALM); ctx->server_cert = tls_id_cert; ctx->server_priv_key = tls_id_key; ctx->auth_mode = AUTH_BASIC; @@ -1417,7 +1418,8 @@ EST_ERROR est_proxy_set_server (EST_CTX *ctx, const char *server, int port) return EST_ERR_INVALID_PORT_NUM; } - strcpy_s(ctx->est_server, EST_MAX_SERVERNAME_LEN, server); + strncpy_s(ctx->est_server, EST_MAX_SERVERNAME_LEN, server, + EST_MAX_SERVERNAME_LEN); ctx->est_port_num = port; return EST_ERR_NONE; diff --git a/src/est/est_server.c b/src/est/est_server.c index d31382c..da0b309 100644 --- a/src/est/est_server.c +++ b/src/est/est_server.c @@ -9,7 +9,7 @@ * * April, 2013 * - * Copyright (c) 2013-2014, 2016, 2017 by cisco Systems, Inc. + * Copyright (c) 2013-2014, 2016 by cisco Systems, Inc. * All rights reserved. **------------------------------------------------------------------ */ 
@@ -111,13 +111,13 @@ int est_handle_cacerts (EST_CTX *ctx, unsigned char *ca_certs, int ca_certs_len, snprintf(http_hdr, EST_HTTP_HDR_MAX, "%s%s%s%s", EST_HTTP_HDR_200, EST_HTTP_HDR_EOL, EST_HTTP_HDR_STAT_200, EST_HTTP_HDR_EOL); hdrlen = strnlen_s(http_hdr, EST_HTTP_HDR_MAX); - snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX - hdrlen, "%s: %s%s", EST_HTTP_HDR_CT, + snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX, "%s: %s%s", EST_HTTP_HDR_CT, EST_HTTP_CT_PKCS7, EST_HTTP_HDR_EOL); hdrlen = strnlen_s(http_hdr, EST_HTTP_HDR_MAX); - snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX - hdrlen, "%s: %s%s", EST_HTTP_HDR_CE, + snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX, "%s: %s%s", EST_HTTP_HDR_CE, EST_HTTP_CE_BASE64, EST_HTTP_HDR_EOL); hdrlen = strnlen_s(http_hdr, EST_HTTP_HDR_MAX); - snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX - hdrlen, "%s: %d%s%s", EST_HTTP_HDR_CL, + snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX, "%s: %d%s%s", EST_HTTP_HDR_CL, ca_certs_len, EST_HTTP_HDR_EOL, EST_HTTP_HDR_EOL); if (!mg_write(http_ctx, http_hdr, strnlen_s(http_hdr, EST_HTTP_HDR_MAX))) { return (EST_ERR_HTTP_WRITE); @@ -836,7 +836,7 @@ static EST_ERROR est_server_build_csr_oid_list (EST_OID_LIST **list, char *body, * against the attributes in the CSR. If any attributes are * missing from the CSR, then an error is returned. */ -static EST_ERROR est_server_all_csrattrs_present (EST_CTX *ctx, char *body, int body_len, X509 *peer_cert) +static EST_ERROR est_server_all_csrattrs_present(EST_CTX *ctx, char *body, int body_len) { int tag, xclass, j, found_match, nid; long len; @@ -848,6 +848,7 @@ static EST_ERROR est_server_all_csrattrs_present (EST_CTX *ctx, char *body, int long out_len_save; unsigned char *der_data; int der_len, out_len; + int a_len; char tbuf[EST_MAX_ATTR_LEN]; EST_OID_LIST *csr_attr_oids = NULL; EST_OID_LIST *oid_entry; 
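Review bot: The three `snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX, ...)` calls now pass the whole buffer size for a write that starts `hdrlen` bytes in, so snprintf may write up to `EST_HTTP_HDR_MAX` bytes from that offset and overrun `http_hdr` (assuming it is `EST_HTTP_HDR_MAX` bytes, as the first snprintf's size argument suggests) once the accumulated headers approach the limit; the removed `EST_HTTP_HDR_MAX - hdrlen` was the correct remaining-space bound. Restore it on all three lines, e.g. `snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX - hdrlen, "%s: %s%s", EST_HTTP_HDR_CT,`. The same regression is in est_server.c `@@ -1191` (est_handle_simple_enroll) further down. est_handle_cacerts starts and ends outside the hunk.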
@@ -876,7 +877,7 @@ static EST_ERROR est_server_all_csrattrs_present (EST_CTX *ctx, char *body, int * Use the callback if configured, otherwise use the local copy. */ if (ctx->est_get_csr_cb) { - csr_data = (char *)ctx->est_get_csr_cb(&csr_len, NULL, peer_cert, ctx->ex_data); + csr_data = (char *)ctx->est_get_csr_cb(&csr_len, NULL, ctx->ex_data); if (!csr_data) { EST_LOG_ERR("Application layer failed to return CSR attributes"); est_server_free_csr_oid_list(csr_attr_oids); @@ -889,7 +890,8 @@ static EST_ERROR est_server_all_csrattrs_present (EST_CTX *ctx, char *body, int est_server_free_csr_oid_list(csr_attr_oids); return (EST_ERR_MALLOC); } - strcpy_s(csr_data, ctx->server_csrattrs_len + 1, (char *)ctx->server_csrattrs); + strncpy_s(csr_data, ctx->server_csrattrs_len + 1, + (char *)ctx->server_csrattrs, ctx->server_csrattrs_len); csr_data[ctx->server_csrattrs_len] = 0; csr_len = ctx->server_csrattrs_len; } @@ -985,7 +987,7 @@ static EST_ERROR est_server_all_csrattrs_present (EST_CTX *ctx, char *body, int break; } - i2t_ASN1_OBJECT(tbuf, EST_MAX_ATTR_LEN, a_object); + a_len = i2t_ASN1_OBJECT(tbuf, EST_MAX_ATTR_LEN, a_object); EST_LOG_INFO("Looking for attr=%s in the CSR", tbuf); ASN1_OBJECT_free(a_object); @@ -1006,7 +1008,7 @@ static EST_ERROR est_server_all_csrattrs_present (EST_CTX *ctx, char *body, int */ while (oid_entry) { EST_LOG_INFO("Comparing %s to %s", tbuf, oid_entry->oid); - strcmp_s(oid_entry->oid, strnlen_s(oid_entry->oid, EST_MAX_ATTR_LEN), tbuf, &comparator); + strcmp_s(oid_entry->oid, (a_len < EST_MAX_ATTR_LEN ? a_len : EST_MAX_ATTR_LEN), tbuf, &comparator); if (!comparator) { found_match = 1; break; 
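Review bot: In the `@@ -1006` hunk `a_len` from `i2t_ASN1_OBJECT` is used as the `dmax` of `strcmp_s(oid_entry->oid, …, tbuf, &comparator)`, but `dmax` bounds the first argument, `oid_entry->oid`, not `tbuf`, so the length of one string is applied to the other; the old `strnlen_s(oid_entry->oid, EST_MAX_ATTR_LEN)` had the right operand. `i2t_ASN1_OBJECT` can also return a non-positive value on failure, the return of `strcmp_s` is still unchecked, and on a rejected zero `dmax` `comparator` (declared outside the hunk) keeps whatever it held before, so the match loop may act on a stale result. A check that `a_len > 0` right after the `i2t_ASN1_OBJECT` call in the `@@ -985` hunk, taking the same cleanup path as the other failures in this function (free `csr_attr_oids`, return an error), together with a `dmax` derived from `oid_entry->oid`, closes both. est_server_all_csrattrs_present starts and ends outside these hunks.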
@@ -1156,7 +1158,7 @@ static EST_ERROR est_handle_simple_enroll (EST_CTX *ctx, void *http_ctx, SSL *ss
      * CSR attributes required by the CA.
      */
     if (ctx->enforce_csrattrs) {
-        if (EST_ERR_NONE != est_server_all_csrattrs_present(ctx, body, body_len, peer_cert)) {
+        if (EST_ERR_NONE != est_server_all_csrattrs_present(ctx, body, body_len)) {
             X509_REQ_free(csr);
             X509_free(peer_cert);
             return (EST_ERR_CSR_ATTR_MISSING);
@@ -1191,13 +1193,13 @@ static EST_ERROR est_handle_simple_enroll (EST_CTX *ctx, void *http_ctx, SSL *ss
     snprintf(http_hdr, EST_HTTP_HDR_MAX, "%s%s%s%s", EST_HTTP_HDR_200, EST_HTTP_HDR_EOL,
              EST_HTTP_HDR_STAT_200, EST_HTTP_HDR_EOL);
     hdrlen = strnlen_s(http_hdr, EST_HTTP_HDR_MAX);
-    snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX - hdrlen, "%s: %s%s", EST_HTTP_HDR_CT,
+    snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX, "%s: %s%s", EST_HTTP_HDR_CT,
              EST_HTTP_CT_PKCS7_CO, EST_HTTP_HDR_EOL);
     hdrlen = strnlen_s(http_hdr, EST_HTTP_HDR_MAX);
-    snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX - hdrlen, "%s: %s%s", EST_HTTP_HDR_CE,
+    snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX, "%s: %s%s", EST_HTTP_HDR_CE,
              EST_HTTP_CE_BASE64, EST_HTTP_HDR_EOL);
     hdrlen = strnlen_s(http_hdr, EST_HTTP_HDR_MAX);
-    snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX - hdrlen, "%s: %d%s%s", EST_HTTP_HDR_CL,
+    snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX, "%s: %d%s%s", EST_HTTP_HDR_CL,
              cert_len, EST_HTTP_HDR_EOL, EST_HTTP_HDR_EOL);
     if (!mg_write(http_ctx, http_hdr, strnlen_s(http_hdr, EST_HTTP_HDR_MAX))) {
         free(cert);
@@ -1239,13 +1241,12 @@ static EST_ERROR est_handle_simple_enroll (EST_CTX *ctx, void *http_ctx, SSL *ss * This function is used by the server to process an incoming * csr attributes request from the client. */ -static int est_handle_csr_attrs (EST_CTX *ctx, void *http_ctx, SSL *ssl, char *path_seg) +static int est_handle_csr_attrs (EST_CTX *ctx, void *http_ctx, char *path_seg) { int rv = EST_ERR_NONE; int pop_present; char *csr_data, *csr_data_pop; int csr_len, csr_pop_len; - X509 *peer_cert = NULL; if (!ctx->server_csrattrs && !ctx->est_get_csr_cb) { if (!ctx->server_enable_pop) { @@ -1258,27 +1259,21 @@ static int est_handle_csr_attrs (EST_CTX *ctx, void *http_ctx, SSL *ssl, char *p if (!csr_data) { return (EST_ERR_MALLOC); } - strcpy_s(csr_data, EST_CSRATTRS_POP_LEN + 1, EST_CSRATTRS_POP); + strncpy_s(csr_data, EST_CSRATTRS_POP_LEN + 1, EST_CSRATTRS_POP, + EST_CSRATTRS_POP_LEN); csr_data[EST_CSRATTRS_POP_LEN] = 0; csr_len = EST_CSRATTRS_POP_LEN; return (est_send_csrattr_data(ctx, csr_data, csr_len, http_ctx)); } } - /* - * Get the peer certificate if available. This - * identifies the client. The CA may desire - * this information. - */ - peer_cert = SSL_get_peer_certificate(ssl); - /* * Invoke CA server callback to retrieve the CSR. Callback takes priority * over saved values in the context. * Note: there is no need to authenticate the client (see sec 4.5) */ if (ctx->est_get_csr_cb) { - csr_data = (char *)ctx->est_get_csr_cb(&csr_len, path_seg, peer_cert, ctx->ex_data); + csr_data = (char *)ctx->est_get_csr_cb(&csr_len, path_seg, ctx->ex_data); rv = est_asn1_parse_attributes(csr_data, csr_len, &pop_present); if (csr_len && (rv != EST_ERR_NONE)) { if (csr_data) { 
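Review bot: The allocate / `strncpy_s` / write-terminator / set-length sequence that this hunk rewrites is now repeated, with the same shape and the same ignored `strncpy_s` return value, in the `@@ -1307` and `@@ -1331` hunks of est_handle_csr_attrs and in the `@@ -889` hunk of est_server_all_csrattrs_present, and the four copies already wrap and indent differently. A small static helper that takes the source pointer and its length, allocates the way the current code does (`malloc` assumed below), copies and terminates, would keep them in sync and give one place to act on a `strncpy_s` failure. With `slen == dmax - 1` and a known source length that failure can only be an argument error, so logging it there is enough. est_handle_csr_attrs continues outside this hunk.
```c
/* Heap copy of len bytes of src, NUL-terminated; caller frees. NULL on OOM or copy error. */
static char *est_csrattrs_dup(const char *src, int len)
{
    char *copy = malloc(len + 1);
    if (!copy) {
        return NULL;
    }
    if (strncpy_s(copy, len + 1, src, len) != EOK) {
        EST_LOG_ERR("Failed to copy CSR attributes");
        free(copy);
        return NULL;
    }
    copy[len] = 0;
    return copy;
}
/* … unchanged: POP-only path up to the allocation … */
            csr_data = est_csrattrs_dup(EST_CSRATTRS_POP, EST_CSRATTRS_POP_LEN);
            if (!csr_data) {
                return (EST_ERR_MALLOC);
            }
            csr_len = EST_CSRATTRS_POP_LEN;
/* … unchanged: est_send_csrattr_data call … */
```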
@@ -1307,7 +1302,8 @@ static int est_handle_csr_attrs (EST_CTX *ctx, void *http_ctx, SSL *ssl, char *p
             if (!csr_data) {
                 return (EST_ERR_MALLOC);
             }
-            strcpy_s(csr_data, EST_CSRATTRS_POP_LEN + 1, EST_CSRATTRS_POP);
+            strncpy_s(csr_data, EST_CSRATTRS_POP_LEN + 1,
+                      EST_CSRATTRS_POP, EST_CSRATTRS_POP_LEN);
             csr_data[EST_CSRATTRS_POP_LEN] = 0;
             csr_len = EST_CSRATTRS_POP_LEN;
             return (est_send_csrattr_data(ctx, csr_data, csr_len, http_ctx));
@@ -1331,329 +1327,14 @@ static int est_handle_csr_attrs (EST_CTX *ctx, void *http_ctx, SSL *ssl, char *p if (!csr_data) { return (EST_ERR_MALLOC); } - strcpy_s(csr_data, ctx->server_csrattrs_len + 1, (char *)ctx->server_csrattrs); + strncpy_s(csr_data, ctx->server_csrattrs_len + 1, + (char *)ctx->server_csrattrs, ctx->server_csrattrs_len); csr_data[ctx->server_csrattrs_len] = 0; csr_len = ctx->server_csrattrs_len; } return (est_send_csrattr_data(ctx, csr_data, csr_len, http_ctx)); } -#if ENABLE_BRSKI -/* - * This function is used by the server to process an incoming - * voucher request - */ -static EST_ERROR est_brski_handle_voucher_req (EST_CTX *ctx, void *http_ctx, SSL *ssl, - const char *ct, char *body, int body_len, - char *path_seg) -{ - EST_BRSKI_CALLBACK_RC rv; - char http_hdr[EST_HTTP_HDR_MAX]; - int hdrlen; - X509 *peer_cert = NULL; - char *voucher = NULL; - int voucher_len = 0; - - if (!ctx->est_brski_voucher_req_cb) { - EST_LOG_ERR("Null voucher request callback"); - return (EST_ERR_NULL_CALLBACK); - } - - /* - * Make sure the client has sent the correct content type for a voucher request - */ - if ((strncmp(ct, EST_BRSKI_CT_VREQ_SIGNED, sizeof(EST_BRSKI_CT_VREQ_SIGNED))) && - (strncmp(ct, EST_BRSKI_CT_VREQ, sizeof(EST_BRSKI_CT_VREQ)))) { - EST_LOG_ERR("Voucher request contains incorrect Content Type"); - return (EST_ERR_BAD_CONTENT_TYPE); - } - - /* - * Authenticate the client - */ - switch (est_enroll_auth(ctx, http_ctx, ssl, path_seg, 0)) { - case EST_HTTP_AUTH: - case EST_SRP_AUTH: - case EST_CERT_AUTH: - /* - * this means the user was authorized, either through - * HTTP authoriztion or certificate authorization - */ - break; - case EST_HTTP_AUTH_PENDING: - return (EST_ERR_AUTH_PENDING); - break; - case EST_UNAUTHORIZED: - default: - return (EST_ERR_AUTH_FAIL); - break; - } - - /* - * Get the peer certificate if available. This - * identifies the client. The CA may desire - * this information. 
- */ - peer_cert = SSL_get_peer_certificate(ssl); - if (peer_cert == NULL) { - EST_LOG_WARN("No Client certifcate provided"); - } - - /* body now points to the voucher request, pass this to the application's - * voucher request callback - */ - rv = ctx->est_brski_voucher_req_cb(body, body_len, &voucher, &voucher_len, - peer_cert); - - /* - * Peer cert is no longer needed, delete it if we have one - */ - if (peer_cert) { - X509_free(peer_cert); - } - - if (rv == EST_BRSKI_CB_SUCCESS && voucher_len > 0) { - /* - * Send HTTP header - */ - snprintf(http_hdr, EST_HTTP_HDR_MAX, "%s%s%s%s", EST_HTTP_HDR_200, EST_HTTP_HDR_EOL, - EST_HTTP_HDR_STAT_200, EST_HTTP_HDR_EOL); - hdrlen = strnlen_s(http_hdr, EST_HTTP_HDR_MAX); - snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX, "%s: %s%s", EST_HTTP_HDR_CT, - EST_BRSKI_CT_VRSP, EST_HTTP_HDR_EOL); - hdrlen = strnlen_s(http_hdr, EST_HTTP_HDR_MAX); - snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX, "%s: %s%s", EST_HTTP_HDR_CE, - EST_HTTP_CE_BASE64, EST_HTTP_HDR_EOL); - hdrlen = strnlen_s(http_hdr, EST_HTTP_HDR_MAX); - snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX, "%s: %d%s%s", EST_HTTP_HDR_CL, - voucher_len, EST_HTTP_HDR_EOL, EST_HTTP_HDR_EOL); - if (!mg_write(http_ctx, http_hdr, strnlen_s(http_hdr, EST_HTTP_HDR_MAX))) { - free(voucher); - return (EST_ERR_HTTP_WRITE); - } - /* - * Send the signed PKCS7 certificate in the body - */ - if (!mg_write(http_ctx, voucher, voucher_len)) { - free(voucher); - ossl_dump_ssl_errors(); - return (EST_ERR_HTTP_WRITE); - } - } else if (rv == EST_BRSKI_CB_RETRY) { - - EST_LOG_ERR("EST server: BRSKI: Registrar application layer indicates that a retry-after is required"); - /* - * The registrar did not provide the voucher at this time, but instead - * indicated that a retry-after should be sent in response. This may - * occur if the application layer registrar logic cannot provide the - * voucher within a set time frame. Send the HTTP retry response to - * the client. 
- */ - if (EST_ERR_NONE != est_server_send_http_retry_after(ctx, http_ctx, ctx->brski_retry_period)) { - return (EST_ERR_HTTP_WRITE); - } - - } else { - if (rv == EST_BRSKI_CB_INVALID_PARAMETER) { - /* - * Application claims we sent a bad parameter. - */ - EST_LOG_ERR("Invalid parameter on get voucher callback"); - } - if (voucher) { - free(voucher); - } - return (EST_ERR_CA_ENROLL_FAIL); - } - if (voucher) { - free(voucher); - } - return (EST_ERR_NONE); -} - -/* - * This function is used by the server to process an incoming - * voucher status - */ -static EST_ERROR est_brski_handle_voucher_status (EST_CTX *ctx, void *http_ctx, SSL *ssl, - const char *ct, char *body, int body_len, - char *path_seg) -{ - EST_BRSKI_CALLBACK_RC rv; - char http_hdr[EST_HTTP_HDR_MAX]; - X509 *peer_cert; - - if (!ctx->est_brski_voucher_status_cb) { - EST_LOG_ERR("Null voucher status callback"); - return (EST_ERR_NULL_CALLBACK); - } - - /* - * Make sure the client has sent the correct content type for a voucher request - */ - if (strncmp(ct, EST_BRSKI_CT_STATUS, sizeof(EST_BRSKI_CT_STATUS))) { - EST_LOG_ERR("Voucher request contains incorrect Content Type"); - return (EST_ERR_BAD_CONTENT_TYPE); - } - - /* - * Authenticate the client - */ - switch (est_enroll_auth(ctx, http_ctx, ssl, path_seg, 0)) { - case EST_HTTP_AUTH: - case EST_SRP_AUTH: - case EST_CERT_AUTH: - /* - * this means the user was authorized, either through - * HTTP authoriztion or certificate authorization - */ - break; - case EST_HTTP_AUTH_PENDING: - return (EST_ERR_AUTH_PENDING); - break; - case EST_UNAUTHORIZED: - default: - return (EST_ERR_AUTH_FAIL); - break; - } - - /* - * Get the peer certificate if available. This - * identifies the client. The CA may desire - * this information. 
- */ - peer_cert = SSL_get_peer_certificate(ssl); - if (peer_cert == NULL) { - EST_LOG_WARN("No Client certifcate provided"); - } - - /* body now points to the voucher status, pass this to the application's - * voucher status callback - */ - rv = ctx->est_brski_voucher_status_cb(body, body_len, peer_cert); - - /* - * Peer cert is no longer needed, delete it if we have one - */ - if (peer_cert) { - X509_free(peer_cert); - } - - if (rv == EST_BRSKI_CB_SUCCESS) { - /* - * Send HTTP header - */ - snprintf(http_hdr, EST_HTTP_HDR_MAX, "%s%s%s%s", EST_HTTP_HDR_200, EST_HTTP_HDR_EOL, - EST_HTTP_HDR_STAT_200, EST_HTTP_HDR_EOL); - if (!mg_write(http_ctx, http_hdr, strnlen_s(http_hdr, EST_HTTP_HDR_MAX))) { - return (EST_ERR_HTTP_WRITE); - } - } else { - if (rv == EST_BRSKI_CB_INVALID_PARAMETER) { - /* - * Application claims we sent a bad parameter. - */ - EST_LOG_ERR("Invalid parameter on get voucher callback"); - } - return (EST_ERR_CA_ENROLL_FAIL); - } - return (EST_ERR_NONE); -} - -/* - * PDB NOTE: Once testing is about complete, if this is still effectviely - * Identical to voucher_status then merge them and pass in the op code - * - * This function is used by the server to process an incoming - * enroll status - */ -static EST_ERROR est_brski_handle_enroll_status (EST_CTX *ctx, void *http_ctx, SSL *ssl, - const char *ct, char *body, int body_len, - char *path_seg) -{ - EST_BRSKI_CALLBACK_RC rv; - char http_hdr[EST_HTTP_HDR_MAX]; - X509 *peer_cert; - - if (!ctx->est_brski_enroll_status_cb) { - EST_LOG_ERR("Null enroll status callback"); - return (EST_ERR_NULL_CALLBACK); - } - - /* - * Make sure the client has sent the correct content type for a voucher request - */ - if (strncmp(ct, EST_BRSKI_CT_STATUS, sizeof(EST_BRSKI_CT_STATUS))) { - EST_LOG_ERR("Voucher request contains incorrect Content Type"); - return (EST_ERR_BAD_CONTENT_TYPE); - } - - /* - * Authenticate the client - */ - switch (est_enroll_auth(ctx, http_ctx, ssl, path_seg, 0)) { - case EST_HTTP_AUTH: - case 
EST_SRP_AUTH: - case EST_CERT_AUTH: - /* - * this means the user was authorized, either through - * HTTP authoriztion or certificate authorization - */ - break; - case EST_HTTP_AUTH_PENDING: - return (EST_ERR_AUTH_PENDING); - break; - case EST_UNAUTHORIZED: - default: - return (EST_ERR_AUTH_FAIL); - break; - } - - /* - * Get the peer certificate if available. This - * identifies the client. The CA may desire - * this information. - */ - peer_cert = SSL_get_peer_certificate(ssl); - if (peer_cert == NULL) { - EST_LOG_WARN("No Client certifcate provided"); - } - - /* body now points to the voucher status, pass this to the application's - * voucher status callback - */ - rv = ctx->est_brski_enroll_status_cb(body, body_len, peer_cert); - - /* - * Peer cert is no longer needed, delete it if we have one - */ - if (peer_cert) { - X509_free(peer_cert); - } - - if (rv == EST_BRSKI_CB_SUCCESS) { - /* - * Send HTTP header - */ - snprintf(http_hdr, EST_HTTP_HDR_MAX, "%s%s%s%s", EST_HTTP_HDR_200, EST_HTTP_HDR_EOL, - EST_HTTP_HDR_STAT_200, EST_HTTP_HDR_EOL); - if (!mg_write(http_ctx, http_hdr, strnlen_s(http_hdr, EST_HTTP_HDR_MAX))) { - return (EST_ERR_HTTP_WRITE); - } - } else { - if (rv == EST_BRSKI_CB_INVALID_PARAMETER) { - /* - * Application claims we sent a bad parameter. - */ - EST_LOG_ERR("EST server: BRSKI: Invalid parameter on get voucher callback"); - } - return (EST_ERR_CA_ENROLL_FAIL); - } - return (EST_ERR_NONE); -} -#endif - - /* * This function should be called by the web server layer when * a HTTP request arrives on the listening port of the EST server. 
@@ -1851,96 +1532,15 @@ int est_http_request (EST_CTX *ctx, void *http_ctx, return (EST_ERR_WRONG_METHOD); } - ssl = (SSL*)mg_get_conn_ssl(http_ctx); - if (!ssl) { - est_send_http_error(ctx, http_ctx, EST_ERR_NO_SSL_CTX); - free(path_seg); - path_seg = NULL; - return (EST_ERR_NO_SSL_CTX); - } - - rc = est_handle_csr_attrs(ctx, http_ctx, ssl, path_seg); + rc = est_handle_csr_attrs(ctx, http_ctx, path_seg); if (rc != EST_ERR_NONE) { est_send_http_error(ctx, http_ctx, rc); free(path_seg); path_seg = NULL; return (rc); } - } -#if ENABLE_BRSKI - /* - * voucher request, voucher status, enroll status - */ - else if (operation == EST_OP_BRSKI_REQ_VOUCHER || - operation == EST_OP_BRSKI_VOUCHER_STATUS || - operation == EST_OP_BRSKI_ENROLL_STATUS) { - /* POST is referenced in draft so make sure it's POST */ - if (strncmp(method, "POST", 4)) { - EST_LOG_WARN("Incoming HTTP request used wrong method\n"); - est_send_http_error(ctx, http_ctx, EST_ERR_WRONG_METHOD); - free(path_seg); - path_seg = NULL; - return (EST_ERR_WRONG_METHOD); - } - if (!ct) { - EST_LOG_WARN("Incoming HTTP header has no Content-Type header\n"); - est_send_http_error(ctx, http_ctx, EST_ERR_BAD_PKCS10); - free(path_seg); - path_seg = NULL; - return (EST_ERR_BAD_CONTENT_TYPE); - } - /* - * Get the SSL context, which is required for authenticating - * the client. 
- */ - ssl = (SSL*)mg_get_conn_ssl(http_ctx); - if (!ssl) { - est_send_http_error(ctx, http_ctx, EST_ERR_NO_SSL_CTX); - free(path_seg); - path_seg = NULL; - return (EST_ERR_NO_SSL_CTX); - } - switch (operation) { - case EST_OP_BRSKI_REQ_VOUCHER: - rc = est_brski_handle_voucher_req(ctx, http_ctx, ssl, ct, - body, body_len, - path_seg); - break; - case EST_OP_BRSKI_VOUCHER_STATUS: - rc = est_brski_handle_voucher_status(ctx, http_ctx, ssl, ct, - body, body_len, - path_seg); - break; - case EST_OP_BRSKI_ENROLL_STATUS: - rc = est_brski_handle_enroll_status(ctx, http_ctx, ssl, ct, - body, body_len, - path_seg); - break; - default: - /* - * We're here because operation was one of the above three, so - * this should never happen. - */ - EST_LOG_WARN("BRSKI request processing, invalid path\n"); - rc = EST_ERR_HTTP_NOT_FOUND; - } - - if (rc != EST_ERR_NONE && rc != EST_ERR_AUTH_PENDING) { - EST_LOG_WARN("Voucher request failed with rc=%d (%s)\n", - rc, EST_ERR_NUM_TO_STR(rc)); - if (rc == EST_ERR_AUTH_FAIL) { - est_send_http_error(ctx, http_ctx, EST_ERR_AUTH_FAIL); - } else { - est_send_http_error(ctx, http_ctx, EST_ERR_BAD_PKCS10); - } - free(path_seg); - path_seg = NULL; - return rc; - } - } -#endif // BRSKI /* * Send a 404 error if the URI didn't match */ 
@@ -2116,15 +1716,15 @@ EST_CTX * est_server_init (unsigned char *ca_chain, int ca_chain_len, ctx->retry_period = EST_RETRY_PERIOD_DEF; ctx->require_http_auth = HTTP_AUTH_REQUIRED; ctx->server_read_timeout = EST_SSL_READ_TIMEOUT_DEF; - - ctx->brski_retry_period = EST_BRSKI_RETRY_PERIOD_DEF; + /* * Load the CA certificates into local memory and retain * for future use. This will be used for /cacerts requests. * They are optional parameters. The alternative is for the - * app layer to provide a callback and return them on the fly. + * app layer to provide callback and return them on the fly. */ - if (cacerts_resp_chain) { + if (cacerts_resp_chain) + { if (est_load_ca_certs(ctx, cacerts_resp_chain, cacerts_resp_chain_len)) { EST_LOG_ERR("Failed to load CA certificates response buffer"); free(ctx); @@ -2137,7 +1737,7 @@ EST_CTX * est_server_init (unsigned char *ca_chain, int ca_chain_len, return NULL; } - strcpy_s(ctx->realm, MAX_REALM, http_realm); + strncpy_s(ctx->realm, MAX_REALM, http_realm, MAX_REALM); ctx->server_cert = tls_id_cert; ctx->server_priv_key = tls_id_key; ctx->auth_mode = AUTH_BASIC; @@ -2289,7 +1889,7 @@ EST_ERROR est_set_ca_reenroll_cb (EST_CTX *ctx, int (*cb)(unsigned char *pkcs10, @return EST_ERROR. */ -EST_ERROR est_set_csr_cb (EST_CTX *ctx, unsigned char *(*cb)(int*csr_len, char *path_seg, X509 *peer_cert, void *ex_data)) +EST_ERROR est_set_csr_cb (EST_CTX *ctx, unsigned char *(*cb)(int*csr_len, char *path_seg, void *ex_data)) { if (!ctx) { EST_LOG_ERR("Null context"); @@ -2734,7 +2334,7 @@ EST_ERROR est_server_init_csrattrs (EST_CTX *ctx, char *csrattrs, int csrattrs_l } ctx->server_csrattrs_len = csrattrs_len; - strcpy_s((char *)ctx->server_csrattrs, csrattrs_len + 1, csrattrs); + strncpy_s((char *)ctx->server_csrattrs, csrattrs_len + 1, csrattrs, csrattrs_len); ctx->server_csrattrs[csrattrs_len] = 0; if (csrattrs_data_pop) { free(csrattrs_data_pop); 
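Review bot: The opening brace of `if (cacerts_resp_chain)` is moved onto its own line, while every other control statement in these hunks — including `if (est_load_ca_certs(...)) {` on the very next line — keeps the brace on the statement line; I would keep `if (cacerts_resp_chain) {`. The reworded comment also loses its article; `* app layer to provide a callback and return them on the fly.` reads correctly. est_server_init continues outside this hunk.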
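Review bot: `strncpy_s(ctx->realm, MAX_REALM, http_realm, MAX_REALM);` discards the return code and passes `slen` equal to `dmax`, so a realm of `MAX_REALM` or more characters does not fit; in the safec implementations I know that case reports a no-space error and clears the destination rather than truncating, leaving an empty realm in the context with no indication to the caller. I would act on the result, mirroring the cleanup the preceding error paths use: `if (strncpy_s(ctx->realm, MAX_REALM, http_realm, MAX_REALM) != EOK) { EST_LOG_ERR("HTTP realm too long"); free(ctx); return NULL; }`. The same unchecked `slen == dmax` pattern appears in est_server_http.c in the `@@ -866` hunk (client-supplied Authorization header into `buf`) and the `@@ -1045` hunk (`ah->user` into `conn->user_id`), where the source is peer-controlled and an emptied buffer would be parsed silently, so those two deserve the check most. est_server_init continues outside this hunk.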
@@ -2815,145 +2415,3 @@ EST_ERROR est_server_set_read_timeout (EST_CTX *ctx, int timeout) ctx->server_read_timeout = timeout; return (EST_ERR_NONE); } - - -/*! @brief est_set_brski_voucher_req_cb() is used by an application to install - a handler for processing incoming BRSKI client voucher requests. - - @param ctx Pointer to the EST context - @param cb Function address of the handler - - This function must be called prior to starting the EST server. The - callback function must be defined to be of the brski_voucher_req_cb - function prototype. - - This function is called by libEST when in server mode and receives - a BRSKI /requestvoucher request. The callback function will be - passed the JSON based request from the BRSKI client - - @return EST_ERROR_NONE on success, or EST based error - */ -EST_ERROR est_set_brski_voucher_req_cb (EST_CTX *ctx, brski_voucher_req_cb cb) -{ - if (!ctx) { - EST_LOG_ERR("Null context"); - return (EST_ERR_NO_CTX); - } - - if (cb == NULL) { - EST_LOG_ERR("EST Server: BRSKI: voucher_req_cb is NULL"); - return EST_ERR_INVALID_PARAMETERS; - } - - ctx->est_brski_voucher_req_cb = cb; - - return (EST_ERR_NONE); -} - - -/*! @brief est_set_brski_voucher_status_cb() is used by an application to install - a handler for processing incoming BRSKI client voucher status indications. - - @param ctx Pointer to the EST context - @param cb Function address of the handler - - This function must be called prior to starting the EST server. The - callback function must be defined to be of the brski_voucher_status_cb - function prototype. - - This function is called by libEST when in server mode and receives - a BRSKI /voucher_status request. 
The callback function will be - passed the JSON based response from the BRSKI client - - @return EST_ERROR_NONE on success, or EST based error - */ -EST_ERROR est_set_brski_voucher_status_cb (EST_CTX *ctx, brski_voucher_status_cb cb) -{ - if (!ctx) { - EST_LOG_ERR("Null context"); - return (EST_ERR_NO_CTX); - } - - if (cb == NULL) { - EST_LOG_ERR("EST Server: BRSKI: voucher_status_cb is NULL"); - return EST_ERR_INVALID_PARAMETERS; - } - - ctx->est_brski_voucher_status_cb = cb; - - return (EST_ERR_NONE); -} - - -/*! @brief est_set_brski_enroll_status_cb() is used by an application to install - a handler for processing incoming BRSKI client certificate status indications. - - @param ctx Pointer to the EST context - @param cb Function address of the handler - - This function must be called prior to starting the EST server. The - callback function must be defined to be of the brski_enroll_status_cb - function prototype. - - This function is called by libEST when in server mode and receives - a BRSKI /enrollstatus primitive. The callback function will be - passed the JSON based status from the BRSKI client - - @return EST_ERROR_NONE on success, or EST based error - */ -EST_ERROR est_set_brski_enroll_status_cb (EST_CTX *ctx, brski_enroll_status_cb cb) -{ - if (!ctx) { - EST_LOG_ERR("Null context"); - return (EST_ERR_NO_CTX); - } - - if (cb == NULL) { - EST_LOG_ERR("EST Server: BRSKI: enroll_status_cb is NULL"); - return EST_ERR_INVALID_PARAMETERS; - } - - ctx->est_brski_enroll_status_cb = cb; - - return (EST_ERR_NONE); -} - - -/*! @brief est_server_set_brski_retry_period() is used by an application to - change the default retry-after period sent to the BRSKI pledge when the - registrar is not able to immediately provide the voucher. This - retry-after value notifies the client how long to wait before attempting - the voucher request operation again to see if the registrar is ready to - respond with a voucher. 
- - @param ctx Pointer to the EST context - @param seconds Number of seconds the server will use in the - retry-after response. - - This function may be called at any time after a context has - been created. - - @return EST_ERROR. - */ -EST_ERROR est_server_set_brski_retry_period (EST_CTX *ctx, int seconds) -{ - if (!ctx) { - EST_LOG_ERR("Null context"); - return (EST_ERR_NO_CTX); - } - - if (seconds > EST_BRSKI_RETRY_PERIOD_MAX) { - EST_LOG_ERR("Maximum retry-after period is %d seconds", - EST_BRSKI_RETRY_PERIOD_MAX); - return (EST_ERR_INVALID_PARAMETERS); - } - - if (seconds < EST_BRSKI_RETRY_PERIOD_MIN) { - EST_LOG_ERR("Minimum retry-after period is %d seconds", - EST_BRSKI_RETRY_PERIOD_MIN); - return (EST_ERR_INVALID_PARAMETERS); - } - - ctx->brski_retry_period = seconds; - return (EST_ERR_NONE); -} diff --git a/src/est/est_server_http.c b/src/est/est_server_http.c index aa95fe2..4accc22 100644 --- a/src/est/est_server_http.c +++ b/src/est/est_server_http.c @@ -12,7 +12,7 @@ * * May, 2013 * - * Copyright (c) 2013-2014, 2016, 2017 by cisco Systems, Inc. + * Copyright (c) 2013-2014, 2016 by cisco Systems, Inc. * All rights reserved. ***------------------------------------------------------------------ */ @@ -127,7 +127,6 @@ typedef int socklen_t; #define PATH_MAX 4096 #endif -static int mg_printf(struct mg_connection *conn, const char *fmt, ...); // Describes a string (chunk of memory). struct vec { @@ -162,7 +161,7 @@ static void sockaddr_to_string (char *buf, size_t len, (void*)&usa->sin6.sin6_addr, buf, (socklen_t) len); #elif defined(_WIN32) // Only Windoze Vista (and newer) have inet_ntop() - strcpy_s(buf, MAX_SRC_ADDR, inet_ntoa(usa->sin.sin_addr)); + strncpy_s(buf, MAX_SRC_ADDR, inet_ntoa(usa->sin.sin_addr), len); #else inet_ntop(usa->sa.sa_family, (void*)&usa->sin.sin_addr, buf, len); #endif 
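Review bot: In the `_WIN32` branch of sockaddr_to_string the `strncpy_s` destination bound is `MAX_SRC_ADDR` while the buffer the function received is `len` bytes (both sibling branches pass `len`), so `dmax` no longer describes the real buffer whenever a caller passes a smaller one; `slen` being `len` does not bound the write either, since it limits the source, not the destination. This is harmless as long as every caller supplies a buffer that can hold a dotted quad, but the mismatch is latent. I would derive both bounds from the parameter, `strncpy_s(buf, len, inet_ntoa(usa->sin.sin_addr), len);`, and log a non-`EOK` result. sockaddr_to_string starts and ends outside this hunk.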
@@ -313,6 +312,104 @@ static int mg_snprintf (struct mg_connection *conn, char *buf, size_t buflen, return n; } +static size_t est_strcspn(const char * str1,const char * str2){ + + rsize_t count; + errno_t safec_rc; + + if ((str1 != NULL) && (str1[0] == '\0')) { + return 0; + } + + safec_rc = strcspn_s(str1, strnlen_s(str1, RSIZE_MAX_STR), + str2, RSIZE_MAX_STR, &count); + if (safec_rc != EOK) { + EST_LOG_INFO("strcspn_s error 0x%xO\n", safec_rc); + return 0; + } + + return count; + + +} + +static size_t est_strspn(const char * str1,const char * str2) { + + rsize_t count; + errno_t safec_rc; + + if ((str1 != NULL) && (str1[0] == '\0')) { + return 0; + } + + safec_rc = strspn_s(str1, strnlen_s(str1, RSIZE_MAX_STR), + str2, RSIZE_MAX_STR, &count); + if (safec_rc != EOK) { + EST_LOG_INFO("strspn_s error 0x%xO\n", safec_rc); + return 0; + } + + return count; + +} + +// Skip the characters until one of the delimiters characters found. +// 0-terminate resulting word. Skip the delimiter and following whitespaces. +// Advance pointer to buffer to the next word. Return found 0-terminated word. +// Delimiters can be quoted with quotechar. 
+char *skip_quoted (char **buf, const char *delimiters, + const char *whitespace, char quotechar) +{ + char *p, *begin_word, *end_word, *end_whitespace; + + begin_word = *buf; + + end_word = begin_word + est_strcspn(begin_word,delimiters); + + // Check for quotechar + if (end_word > begin_word) { + p = end_word - 1; + while (*p == quotechar) { + // If there is anything beyond end_word, copy it + if (*end_word == '\0') { + *p = '\0'; + break; + } else { + + rsize_t end_off = (rsize_t) est_strcspn(end_word + 1, delimiters); + memmove_s(p, end_off + 1, end_word, end_off + 1); + p += end_off; // p must correspond to end_word - 1 + end_word += end_off + 1; + } + } + for (p++; p < end_word; p++) { + *p = '\0'; + } + } + + if (*end_word == '\0') { + *buf = end_word; + } else { + + end_whitespace = end_word + 1 + est_strspn(end_word + 1, whitespace); + + for (p = end_word; p < end_whitespace; p++) { + *p = '\0'; + } + + *buf = end_whitespace; + } + + return begin_word; +} + +// Simplified version of skip_quoted without quote char +// and whitespace == delimiters +char *skip (char **buf, const char *delimiters) +{ + return skip_quoted(buf, delimiters, delimiters, 0); +} + // Return HTTP header value, or NULL if not found. static const char *get_header (const struct mg_request_info *ri, @@ -660,7 +757,7 @@ int mg_write (struct mg_connection *conn, const void *buf, size_t len) return (int)total; } -static int mg_printf (struct mg_connection *conn, const char *fmt, ...) +int mg_printf (struct mg_connection *conn, const char *fmt, ...) { char mem[MG_BUF_LEN], *buf = mem; int len; @@ -866,7 +963,7 @@ static void mg_parse_auth_hdr_digest (struct mg_connection *conn, ah->mode = AUTH_DIGEST; // Make modifiable copy of the auth header - strcpy_s(buf, MAX_AUTH_HDR_LEN, auth_header + 7); + strncpy_s(buf, MAX_AUTH_HDR_LEN, auth_header + 7, MAX_AUTH_HDR_LEN); s = buf; // Parse authorization header 
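Review bot: The log format `"strcspn_s error 0x%xO\n"` in est_strcspn, and `"strspn_s error 0x%xO\n"` in est_strspn, carries a stray `O` after the `%x` conversion that is printed literally; `"strcspn_s error 0x%x\n"` is presumably what was meant. `skip` and `skip_quoted` are added as external symbols under those bare names (and declared in the `@@ -562` hunk of est_server_http.h) while the helpers right above them use the `est_` prefix; a library exporting `skip` invites a clash with application code, so `est_skip`/`est_skip_quoted` would be consistent. est_strcspn and est_strspn differ only in the safeclib call and the log text, which one helper taking the scan function could fold. The `memmove_s` result in skip_quoted is discarded; since it can only report a bounds error in the quote-collapsing loop, logging it as the helpers do would keep the error handling uniform.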
@@ -1045,7 +1142,7 @@ EST_HTTP_AUTH_HDR_RESULT mg_parse_auth_header (struct mg_connection *conn, * Save the user ID on the connection context. * We will want to pass this to the CA later. */ - strcpy_s(conn->user_id, MG_UID_MAX, ah->user); + strncpy_s(conn->user_id, MG_UID_MAX, ah->user, MG_UID_MAX); } return EST_AUTH_HDR_GOOD; @@ -1666,7 +1763,7 @@ EST_ERROR est_server_handle_request (EST_CTX *ctx, int fd) conn->request_info.is_ssl = 1; /* - * EST requires TLS, Setup the TLS tunnel + * EST require TLS, Setup the TLS tunnel */ conn->ssl = SSL_new(conn->ctx->ssl_ctx); if (conn->ssl != NULL) { @@ -1778,7 +1875,7 @@ struct mg_context *mg_start (void *user_data) EST_ERROR est_send_csrattr_data (EST_CTX *ctx, char *csr_data, int csr_len, void *http_ctx) { char http_hdr[EST_HTTP_HDR_MAX]; - int hdr_len; + int hdrlen; if ((csr_len > 0) && csr_data) { /* 
@@ -1786,14 +1883,14 @@ EST_ERROR est_send_csrattr_data (EST_CTX *ctx, char *csr_data, int csr_len, void */ snprintf(http_hdr, EST_HTTP_HDR_MAX, "%s%s%s%s", EST_HTTP_HDR_200, EST_HTTP_HDR_EOL, EST_HTTP_HDR_STAT_200, EST_HTTP_HDR_EOL); - hdr_len = strnlen_s(http_hdr, EST_HTTP_HDR_MAX); - snprintf(http_hdr + hdr_len, EST_HTTP_HDR_MAX - hdr_len, "%s: %s%s", EST_HTTP_HDR_CT, + hdrlen = strnlen_s(http_hdr, EST_HTTP_HDR_MAX); + snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX, "%s: %s%s", EST_HTTP_HDR_CT, EST_HTTP_CT_CSRATTRS, EST_HTTP_HDR_EOL); - hdr_len = strnlen_s(http_hdr, EST_HTTP_HDR_MAX); - snprintf(http_hdr + hdr_len, EST_HTTP_HDR_MAX - hdr_len, "%s: %s%s", EST_HTTP_HDR_CE, + hdrlen = strnlen_s(http_hdr, EST_HTTP_HDR_MAX); + snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX, "%s: %s%s", EST_HTTP_HDR_CE, EST_HTTP_CE_BASE64, EST_HTTP_HDR_EOL); - hdr_len = strnlen_s(http_hdr, EST_HTTP_HDR_MAX); - snprintf(http_hdr + hdr_len, EST_HTTP_HDR_MAX - hdr_len, "%s: %d%s%s", EST_HTTP_HDR_CL, + hdrlen = strnlen_s(http_hdr, EST_HTTP_HDR_MAX); + snprintf(http_hdr + hdrlen, EST_HTTP_HDR_MAX, "%s: %d%s%s", EST_HTTP_HDR_CL, csr_len, EST_HTTP_HDR_EOL, EST_HTTP_HDR_EOL); if (!mg_write(http_ctx, http_hdr, strnlen_s(http_hdr, EST_HTTP_HDR_MAX))) { free(csr_data); diff --git a/src/est/est_server_http.h b/src/est/est_server_http.h index 7186bd6..8fbb7af 100644 --- a/src/est/est_server_http.h +++ b/src/est/est_server_http.h @@ -8,7 +8,7 @@ * * May, 2013 * - * Copyright (c) 2013, 2016, 2017 by cisco Systems, Inc. + * Copyright (c) 2013, 2016 by cisco Systems, Inc. * All rights reserved. **------------------------------------------------------------------ */ @@ -442,6 +442,8 @@ int mg_write(struct mg_connection *, const void *buf, size_t len); #endif #endif +int mg_printf(struct mg_connection *conn, const char *fmt, ...); + // Send contents of the entire file together with HTTP headers. //void mg_send_file(struct mg_connection *conn, const char *path); 
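Review bot: `int mg_printf(struct mg_connection *conn, const char *fmt, ...);` becomes a cross-file API in the `@@ -442` hunk of est_server_http.h without a format attribute, so a mismatched format/argument pair in a new caller will not be diagnosed the way it would be for `printf`. On GCC/Clang a `__attribute__((format(printf, 2, 3)))` on this declaration restores that checking, with an empty fallback macro for compilers that lack it. The `@@ -660` hunk of est_server_http.c that drops `static` from the definition is the matching change.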
@@ -562,6 +564,9 @@ void mg_send_authorization_request(struct mg_connection *conn); // NOTE: can't mix use of global_passwords_file with this functionality (mongoose always uses global_passwords_file for all URLs) int mg_check_authorization(struct mg_connection *conn, const char *path, int degenerate); +char *skip(char **buf, const char *delimiters); +char *skip_quoted(char **buf, const char *delimiters, + const char *whitespace, char quotechar); EST_HTTP_AUTH_HDR_RESULT mg_parse_auth_header(struct mg_connection *conn, EST_HTTP_AUTH_HDR *ah); diff --git a/src/est/jsmn.c b/src/est/jsmn.c deleted file mode 100644 index bcd6392..0000000 --- a/src/est/jsmn.c +++ /dev/null 
@@ -1,314 +0,0 @@ -#include "jsmn.h" - -/** - * Allocates a fresh unused token from the token pull. - */ -static jsmntok_t *jsmn_alloc_token(jsmn_parser *parser, - jsmntok_t *tokens, size_t num_tokens) { - jsmntok_t *tok; - if (parser->toknext >= num_tokens) { - return NULL; - } - tok = &tokens[parser->toknext++]; - tok->start = tok->end = -1; - tok->size = 0; -#ifdef JSMN_PARENT_LINKS - tok->parent = -1; -#endif - return tok; -} - -/** - * Fills token type and boundaries. - */ -static void jsmn_fill_token(jsmntok_t *token, jsmntype_t type, - int start, int end) { - token->type = type; - token->start = start; - token->end = end; - token->size = 0; -} - -/** - * Fills next available token with JSON primitive. - */ -static int jsmn_parse_primitive(jsmn_parser *parser, const char *js, - size_t len, jsmntok_t *tokens, size_t num_tokens) { - jsmntok_t *token; - int start; - - start = parser->pos; - - for (; parser->pos < len && js[parser->pos] != '\0'; parser->pos++) { - switch (js[parser->pos]) { -#ifndef JSMN_STRICT - /* In strict mode primitive must be followed by "," or "}" or "]" */ - case ':': -#endif - case '\t' : case '\r' : case '\n' : case ' ' : - case ',' : case ']' : case '}' : - goto found; - } - if (js[parser->pos] < 32 || js[parser->pos] >= 127) { - parser->pos = start; - return JSMN_ERROR_INVAL; - } - } -#ifdef JSMN_STRICT - /* In strict mode primitive must be followed by a comma/object/array */ - parser->pos = start; - return JSMN_ERROR_PART; -#endif - -found: - if (tokens == NULL) { - parser->pos--; - return 0; - } - token = jsmn_alloc_token(parser, tokens, num_tokens); - if (token == NULL) { - parser->pos = start; - return JSMN_ERROR_NOMEM; - } - jsmn_fill_token(token, JSMN_PRIMITIVE, start, parser->pos); -#ifdef JSMN_PARENT_LINKS - token->parent = parser->toksuper; -#endif - parser->pos--; - return 0; -} - -/** - * Fills next token with JSON string. 
- */ -static int jsmn_parse_string(jsmn_parser *parser, const char *js, - size_t len, jsmntok_t *tokens, size_t num_tokens) { - jsmntok_t *token; - - int start = parser->pos; - - parser->pos++; - - /* Skip starting quote */ - for (; parser->pos < len && js[parser->pos] != '\0'; parser->pos++) { - char c = js[parser->pos]; - - /* Quote: end of string */ - if (c == '\"') { - if (tokens == NULL) { - return 0; - } - token = jsmn_alloc_token(parser, tokens, num_tokens); - if (token == NULL) { - parser->pos = start; - return JSMN_ERROR_NOMEM; - } - jsmn_fill_token(token, JSMN_STRING, start+1, parser->pos); -#ifdef JSMN_PARENT_LINKS - token->parent = parser->toksuper; -#endif - return 0; - } - - /* Backslash: Quoted symbol expected */ - if (c == '\\' && parser->pos + 1 < len) { - int i; - parser->pos++; - switch (js[parser->pos]) { - /* Allowed escaped symbols */ - case '\"': case '/' : case '\\' : case 'b' : - case 'f' : case 'r' : case 'n' : case 't' : - break; - /* Allows escaped symbol \uXXXX */ - case 'u': - parser->pos++; - for(i = 0; i < 4 && parser->pos < len && js[parser->pos] != '\0'; i++) { - /* If it isn't a hex character we have an error */ - if(!((js[parser->pos] >= 48 && js[parser->pos] <= 57) || /* 0-9 */ - (js[parser->pos] >= 65 && js[parser->pos] <= 70) || /* A-F */ - (js[parser->pos] >= 97 && js[parser->pos] <= 102))) { /* a-f */ - parser->pos = start; - return JSMN_ERROR_INVAL; - } - parser->pos++; - } - parser->pos--; - break; - /* Unexpected symbol */ - default: - parser->pos = start; - return JSMN_ERROR_INVAL; - } - } - } - parser->pos = start; - return JSMN_ERROR_PART; -} - -/** - * Parse JSON string and fill tokens. 
- */ -int jsmn_parse(jsmn_parser *parser, const char *js, size_t len, - jsmntok_t *tokens, unsigned int num_tokens) { - int r; - int i; - jsmntok_t *token; - int count = parser->toknext; - - for (; parser->pos < len && js[parser->pos] != '\0'; parser->pos++) { - char c; - jsmntype_t type; - - c = js[parser->pos]; - switch (c) { - case '{': case '[': - count++; - if (tokens == NULL) { - break; - } - token = jsmn_alloc_token(parser, tokens, num_tokens); - if (token == NULL) - return JSMN_ERROR_NOMEM; - if (parser->toksuper != -1) { - tokens[parser->toksuper].size++; -#ifdef JSMN_PARENT_LINKS - token->parent = parser->toksuper; -#endif - } - token->type = (c == '{' ? JSMN_OBJECT : JSMN_ARRAY); - token->start = parser->pos; - parser->toksuper = parser->toknext - 1; - break; - case '}': case ']': - if (tokens == NULL) - break; - type = (c == '}' ? JSMN_OBJECT : JSMN_ARRAY); -#ifdef JSMN_PARENT_LINKS - if (parser->toknext < 1) { - return JSMN_ERROR_INVAL; - } - token = &tokens[parser->toknext - 1]; - for (;;) { - if (token->start != -1 && token->end == -1) { - if (token->type != type) { - return JSMN_ERROR_INVAL; - } - token->end = parser->pos + 1; - parser->toksuper = token->parent; - break; - } - if (token->parent == -1) { - if(token->type != type || parser->toksuper == -1) { - return JSMN_ERROR_INVAL; - } - break; - } - token = &tokens[token->parent]; - } -#else - for (i = parser->toknext - 1; i >= 0; i--) { - token = &tokens[i]; - if (token->start != -1 && token->end == -1) { - if (token->type != type) { - return JSMN_ERROR_INVAL; - } - parser->toksuper = -1; - token->end = parser->pos + 1; - break; - } - } - /* Error if unmatched closing bracket */ - if (i == -1) return JSMN_ERROR_INVAL; - for (; i >= 0; i--) { - token = &tokens[i]; - if (token->start != -1 && token->end == -1) { - parser->toksuper = i; - break; - } - } -#endif - break; - case '\"': - r = jsmn_parse_string(parser, js, len, tokens, num_tokens); - if (r < 0) return r; - count++; - if (parser->toksuper 
!= -1 && tokens != NULL) - tokens[parser->toksuper].size++; - break; - case '\t' : case '\r' : case '\n' : case ' ': - break; - case ':': - parser->toksuper = parser->toknext - 1; - break; - case ',': - if (tokens != NULL && parser->toksuper != -1 && - tokens[parser->toksuper].type != JSMN_ARRAY && - tokens[parser->toksuper].type != JSMN_OBJECT) { -#ifdef JSMN_PARENT_LINKS - parser->toksuper = tokens[parser->toksuper].parent; -#else - for (i = parser->toknext - 1; i >= 0; i--) { - if (tokens[i].type == JSMN_ARRAY || tokens[i].type == JSMN_OBJECT) { - if (tokens[i].start != -1 && tokens[i].end == -1) { - parser->toksuper = i; - break; - } - } - } -#endif - } - break; -#ifdef JSMN_STRICT - /* In strict mode primitives are: numbers and booleans */ - case '-': case '0': case '1' : case '2': case '3' : case '4': - case '5': case '6': case '7' : case '8': case '9': - case 't': case 'f': case 'n' : - /* And they must not be keys of the object */ - if (tokens != NULL && parser->toksuper != -1) { - jsmntok_t *t = &tokens[parser->toksuper]; - if (t->type == JSMN_OBJECT || - (t->type == JSMN_STRING && t->size != 0)) { - return JSMN_ERROR_INVAL; - } - } -#else - /* In non-strict mode every unquoted value is a primitive */ - default: -#endif - r = jsmn_parse_primitive(parser, js, len, tokens, num_tokens); - if (r < 0) return r; - count++; - if (parser->toksuper != -1 && tokens != NULL) - tokens[parser->toksuper].size++; - break; - -#ifdef JSMN_STRICT - /* Unexpected char in strict mode */ - default: - return JSMN_ERROR_INVAL; -#endif - } - } - - if (tokens != NULL) { - for (i = parser->toknext - 1; i >= 0; i--) { - /* Unmatched opened object or array */ - if (tokens[i].start != -1 && tokens[i].end == -1) { - return JSMN_ERROR_PART; - } - } - } - - return count; -} - -/** - * Creates a new parser based over a given buffer with an array of tokens - * available. - */ -void jsmn_init(jsmn_parser *parser) { - parser->pos = 0; - parser->toknext = 0; - parser->toksuper = -1; -} - 
diff --git a/src/est/jsmn.h b/src/est/jsmn.h deleted file mode 100644 index 5a5200e..0000000 --- a/src/est/jsmn.h +++ /dev/null @@ -1,76 +0,0 @@ -#ifndef __JSMN_H_ -#define __JSMN_H_ - -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * JSON type identifier. Basic types are: - * o Object - * o Array - * o String - * o Other primitive: number, boolean (true/false) or null - */ -typedef enum { - JSMN_UNDEFINED = 0, - JSMN_OBJECT = 1, - JSMN_ARRAY = 2, - JSMN_STRING = 3, - JSMN_PRIMITIVE = 4 -} jsmntype_t; - -enum jsmnerr { - /* Not enough tokens were provided */ - JSMN_ERROR_NOMEM = -1, - /* Invalid character inside JSON string */ - JSMN_ERROR_INVAL = -2, - /* The string is not a full JSON packet, more bytes expected */ - JSMN_ERROR_PART = -3 -}; - -/** - * JSON token description. - * type type (object, array, string etc.) - * start start position in JSON data string - * end end position in JSON data string - */ -typedef struct { - jsmntype_t type; - int start; - int end; - int size; -#ifdef JSMN_PARENT_LINKS - int parent; -#endif -} jsmntok_t; - -/** - * JSON parser. Contains an array of token blocks available. Also stores - * the string being parsed now and current position in that string - */ -typedef struct { - unsigned int pos; /* offset in the JSON string */ - unsigned int toknext; /* next token to allocate */ - int toksuper; /* superior token node, e.g parent object or array */ -} jsmn_parser; - -/** - * Create JSON parser over an array of tokens - */ -void jsmn_init(jsmn_parser *parser); - -/** - * Run JSON parser. It parses a JSON data string into and array of tokens, each describing - * a single JSON object. - */ -int jsmn_parse(jsmn_parser *parser, const char *js, size_t len, - jsmntok_t *tokens, unsigned int num_tokens); - -#ifdef __cplusplus -} -#endif - -#endif /* __JSMN_H_ */ diff --git a/test/UT/CA/estCA/crl.pem b/test/UT/CA/estCA/crl.pem index 9be67c0..6d2c395 100644 --- a/test/UT/CA/estCA/crl.pem +++ b/test/UT/CA/estCA/crl.pem 
@@ -1,7 +1,6 @@ -----BEGIN X509 CRL----- -MIHDMG0wCQYHKoZIzj0EATAXMRUwEwYDVQQDEwxlc3RFeGFtcGxlQ0EXDTE3MTEx -NDIwNTYyNFoXDTE3MTIxNDIwNTYyNFowKTASAgEGFw0xMzA3MDIxNzM0MTVaMBMC -AgTGFw0xNzAyMDYxNTI0MDdaMAkGByqGSM49BAEDRwAwRAIgPg8tyy+i8gwNXpPd -dAbbLxteLDjmsCude4QZs7TDX0gCIBtMcU2OIYpDfIEhMy0E0GayC/KwTYg/OYLr -B3CjwMJl +MIGvMFgwCQYHKoZIzj0EATAXMRUwEwYDVQQDEwxlc3RFeGFtcGxlQ0EXDTE1MDcy +NTE4NTA1NFoXDTE1MDgyNDE4NTA1NFowFDASAgEGFw0xMzA3MDIxNzM0MTVaMAkG +ByqGSM49BAEDSAAwRQIhAIN61oP/OeSTg73lfECVRih9oaiNWd90irrCUJH1P2IC +AiASPTT9j9VBQWgprEBdKYj48BR4KDytLtNrS8/9yALWNA== -----END X509 CRL----- diff --git a/test/UT/CA/estCA/index.txt b/test/UT/CA/estCA/index.txt index 55acac7..1fa19b2 100644 --- a/test/UT/CA/estCA/index.txt +++ b/test/UT/CA/estCA/index.txt 
@@ -1219,4 +1219,222 @@ V 170421184107Z 04C2 unknown /CN=TC2174-4 V 170421184107Z 04C3 unknown /CN=TC2174-4 V 170421184108Z 04C4 unknown /CN=TC2174-4 V 170421184108Z 04C5 unknown /CN=TC2174-4 -R 290119152317Z 170206152407Z 04C6 unknown /CN=revoked-cert-test +V 290226175044Z 04C6 unknown /CN=TC4020-2 +V 290226175057Z 04C7 unknown /CN=TC4020-2 +V 290226175057Z 04C8 unknown /CN=TC4020-3 +V 290226175058Z 04C9 unknown /CN=TC4020-4 +V 290226175058Z 04CA unknown /CN=TC4020-5 +V 290226175058Z 04CB unknown /CN=TC4020-6 +V 290226175058Z 04CC unknown /CN=TC4020-6 +V 290226181216Z 04CD unknown /CN=TC4020-2 +V 290226181216Z 04CE unknown /CN=TC4020-4 +V 290226181216Z 04CF unknown /CN=TC4020-5 +V 290226181217Z 04D0 unknown /CN=TC4020-6 +V 290226181217Z 04D1 unknown /CN=TC4020-6 +V 290226181217Z 04D2 unknown /CN=TC4020-8 +V 290226181307Z 04D3 unknown /CN=TC4020-3 +V 290226181335Z 04D4 unknown /CN=TC4020-3 +V 290226181343Z 04D5 unknown /CN=TC4020-2 +V 290226181343Z 04D6 unknown /CN=TC4020-3 +V 290226181343Z 04D7 unknown /CN=TC4020-4 +V 290226181344Z 04D8 unknown /CN=TC4020-5 +V 290226181344Z 04D9 unknown /CN=TC4020-6 +V 290226181344Z 04DA unknown /CN=TC4020-6 +V 290226181344Z 04DB unknown /CN=TC4020-8 +V 180316181359Z 04DC unknown /CN=rsa doe +V 180316181359Z 04DD unknown /CN=EC doe +V 180316181359Z 04DE unknown /CN=dsa doe +V 180316181412Z 04DF unknown /CN=rsa doe +V 180316181424Z 04E0 unknown /CN=US748-test7 CN +V 180316181425Z 04E1 unknown /CN=TestCase9 +V 180316181512Z 04E2 unknown /CN=rsa doe +V 180316181513Z 04E3 unknown /CN=localhost +V 180316181542Z 04E4 unknown /CN=rsa doe +V 180316181555Z 04E5 unknown /CN=localhost +V 180316181555Z 04E6 unknown /CN=rsa doe +V 180316181656Z 04E7 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 180316181658Z 04E8 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 180316181702Z 04E9 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 180316181703Z 04EA unknown /CN=req by 
client in demo step 2/serialNumber=PID:Widget SN:2 +V 180316181716Z 04EB unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226181832Z 04EC unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226181842Z 04ED unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226181847Z 04EE unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226181857Z 04EF unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226181903Z 04F0 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226181933Z 04F1 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226181948Z 04F2 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226182013Z 04F3 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226182029Z 04F4 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226182134Z 04F5 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226182145Z 04F6 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226182150Z 04F7 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226182155Z 04F8 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226182200Z 04F9 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226182205Z 04FA unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226182215Z 04FB unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226182220Z 04FC unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226182225Z 04FD unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226182230Z 04FE unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226182337Z 04FF unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226182337Z 
0500 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226182358Z 0501 unknown /CN=US1060C_TEST1xx +V 290226182358Z 0502 unknown /CN=US1060C_TEST1xx +V 290226182405Z 0503 unknown /CN=US1060C_TEST1xx +V 290226182417Z 0504 unknown /CN=US1060C_TEST104 +V 290226182430Z 0505 unknown /CN=US1060C_TEST106b +V 290226182500Z 0506 unknown /CN=Test 1 +V 290226182500Z 0507 unknown /CN=Test 2/serialNumber=12349999B +V 290226182500Z 0508 unknown /CN=Test 10 +V 290226182501Z 0509 unknown /CN=Test 20/serialNumber=12349999B +V 290226182501Z 050A unknown /CN=Test 21/serialNumber=12349999B +V 290226182501Z 050B unknown /CN=Test 50 +V 290226182501Z 050C unknown /CN=Test 51 +V 290226182616Z 050D unknown /CN=rsa doe +V 290226182627Z 050E unknown /CN=TC1883-4 +V 290226182628Z 050F unknown /CN=TC1883-6 +V 290226182628Z 0510 unknown /CN=TC1883-7 +V 290226182628Z 0511 unknown /CN=TC1883-7 +V 290226182629Z 0512 unknown /CN=TC1883-6 +V 290226182729Z 0513 unknown /CN=rsa doe +V 290226182729Z 0514 unknown /CN=TC3512-2 +V 290226182729Z 0515 unknown /CN=TC-US898-1 +V 290226182729Z 0516 unknown /CN=TC-US898-1 +V 290226182732Z 0517 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226182733Z 0518 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226182737Z 0519 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 180316182804Z 051A unknown /CN=rsa doe +V 180316182805Z 051B unknown /CN=EC doe +V 180316182805Z 051C unknown /CN=dsa doe +V 180316182818Z 051D unknown /CN=rsa doe +V 180316182830Z 051E unknown /CN=US748-test7 CN +V 180316182831Z 051F unknown /CN=TestCase9 +V 180316182841Z 0520 unknown /CN=rsa doe +V 180316182842Z 0521 unknown /CN=localhost +V 180316182911Z 0522 unknown /CN=rsa doe +V 180316182924Z 0523 unknown /CN=localhost +V 180316182924Z 0524 unknown /CN=rsa doe +V 180316182951Z 0525 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 180316182954Z 0526 unknown /CN=req 
by client in demo step 2/serialNumber=PID:Widget SN:2 +V 180316182957Z 0527 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 180316182958Z 0528 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 180316183012Z 0529 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 180316183151Z 052A unknown /CN=TC-US898-1 +V 180316183151Z 052B unknown /CN=TC-US898-1 +V 180316183151Z 052C unknown /CN=localhost +V 180316183200Z 052D unknown /CN=localhost +V 290226183201Z 052E unknown /CN=127.0.0.1 +V 180316183201Z 052F unknown /CN=127.0.0.1 +V 290226183206Z 0530 unknown /CN=TC899-1 +V 290226183206Z 0531 unknown /CN=US899-TC2 +V 290226183206Z 0532 unknown /CN=US899-TC5 +V 290226183219Z 0533 unknown /CN=TC899-8 +V 290226183227Z 0534 unknown /CN=TC899-10 +V 290226183240Z 0535 unknown /CN=TC899-13 +V 290226183244Z 0536 unknown /CN=TC899-14 +V 290226183256Z 0537 unknown /CN=TEST16-CN +V 290226183322Z 0538 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183334Z 0539 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183413Z 053A unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183419Z 053B unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183442Z 053C unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183459Z 053D unknown /CN=rsa doe +V 290226183459Z 053E unknown /CN=EC doe +V 290226183459Z 053F unknown /CN=dsa doe +V 290226183504Z 0540 unknown /CN=rsa doe +V 290226183512Z 0541 unknown /CN=rsa doe +V 290226183512Z 0542 unknown /CN=EC doe +V 290226183512Z 0543 unknown /CN=dsa doe +V 290226183518Z 0544 unknown /CN=rsa doe +V 290226183522Z 0545 unknown /CN=US903-test7 CN +V 290226183526Z 0546 unknown /CN=rsa doe +V 290226183526Z 0547 unknown /CN=TestCase9 +V 290226183527Z 0548 unknown /CN=TESTCN +V 290226183531Z 0549 unknown /CN=TC1005-1 +V 290226183531Z 054A unknown /CN=TC1005-2 +V 
290226183532Z 054B unknown /CN=TC1005-3 +V 290226183532Z 054C unknown /CN=TC1005-4 +V 290226183537Z 054D unknown /CN=TC1005-6 +V 290226183541Z 054E unknown /CN=TC1005-7 +V 290226183545Z 054F unknown /CN=TC1005-8 +V 290226183550Z 0550 unknown /CN=TC1005-9 +V 290226183554Z 0551 unknown /CN=TC1005-10 +V 290226183558Z 0552 unknown /CN=TC1005-11 +V 290226183603Z 0553 unknown /CN=TC1005-93 +V 290226183603Z 0554 unknown /CN=TC1005-94 +V 290226183614Z 0555 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183624Z 0556 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183629Z 0557 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183639Z 0558 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183645Z 0559 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183715Z 055A unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183730Z 055B unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183756Z 055C unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183811Z 055D unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183916Z 055E unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183927Z 055F unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183932Z 0560 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183937Z 0561 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183942Z 0562 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183947Z 0563 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226183957Z 0564 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226184002Z 0565 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 
290226184007Z 0566 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226184012Z 0567 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226184119Z 0568 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226184119Z 0569 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226184132Z 056A unknown /CN=US1060C_TEST1xx +V 290226184132Z 056B unknown /CN=US1060C_TEST1xx +V 290226184139Z 056C unknown /CN=US1060C_TEST1xx +V 290226184152Z 056D unknown /CN=US1060C_TEST104 +V 290226184204Z 056E unknown /CN=US1060C_TEST106b +V 290226184213Z 056F unknown /CN=Test 1 +V 290226184213Z 0570 unknown /CN=Test 2/serialNumber=12349999B +V 290226184213Z 0571 unknown /CN=Test 10 +V 290226184213Z 0572 unknown /CN=Test 20/serialNumber=12349999B +V 290226184214Z 0573 unknown /CN=Test 21/serialNumber=12349999B +V 290226184214Z 0574 unknown /CN=Test 50 +V 290226184214Z 0575 unknown /CN=Test 51 +V 290226184227Z 0576 unknown /CN=rsa doe +V 290226184232Z 0577 unknown /CN=TC1883-4 +V 290226184232Z 0578 unknown /CN=TC1883-6 +V 290226184232Z 0579 unknown /CN=TC1883-7 +V 290226184232Z 057A unknown /CN=TC1883-7 +V 290226184233Z 057B unknown /CN=TC1883-6 +V 180316184245Z 057C unknown /CN=TC2174-4 +V 180316184246Z 057D unknown /CN=TC2174-4 +V 180316184246Z 057E unknown /CN=TC2174-4 +V 180316184247Z 057F unknown /CN=TC2174-4 +V 180316184247Z 0580 unknown /CN=TC2174-4 +V 290226184319Z 0581 unknown /CN=rsa doe +V 290226184319Z 0582 unknown /CN=TC3512-2 +V 290226184320Z 0583 unknown /CN=TC-US898-1 +V 290226184320Z 0584 unknown /CN=TC-US898-1 +V 290226184322Z 0585 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226184323Z 0586 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226184328Z 0587 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 290226184335Z 0588 unknown /CN=TCUS3612-1 +V 290226184335Z 0589 unknown /CN=TCUS3612-3 +V 
290226184345Z 058A unknown /CN=TC4020-2 +V 290226184345Z 058B unknown /CN=TC4020-3 +V 290226184345Z 058C unknown /CN=TC4020-4 +V 290226184345Z 058D unknown /CN=TC4020-5 +V 290226184346Z 058E unknown /CN=TC4020-6 +V 290226184346Z 058F unknown /CN=TC4020-6 +V 290226184346Z 0590 unknown /CN=TC4020-8 +V 180316193239Z 0591 unknown /CN=rsa doe +V 180316193239Z 0592 unknown /CN=EC doe +V 180316193239Z 0593 unknown /CN=dsa doe +V 180316193252Z 0594 unknown /CN=rsa doe +V 180316193305Z 0595 unknown /CN=US748-test7 CN +V 180316193305Z 0596 unknown /CN=TestCase9 +V 180316193316Z 0597 unknown /CN=rsa doe +V 180316193316Z 0598 unknown /CN=localhost +V 180316193345Z 0599 unknown /CN=rsa doe +V 180316193358Z 059A unknown /CN=localhost +V 180316193358Z 059B unknown /CN=rsa doe +V 180316193426Z 059C unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 180316193428Z 059D unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 180316193432Z 059E unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 180316193433Z 059F unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 +V 180316193446Z 05A0 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 diff --git a/test/UT/CA/estCA/index.txt.old b/test/UT/CA/estCA/index.txt.old index 52bb10e..17f094a 100644 --- a/test/UT/CA/estCA/index.txt.old +++ b/test/UT/CA/estCA/index.txt.old @@ -1219,7 +1219,7 @@ V 170421184107Z 04C2 unknown /CN=TC2174-4 V 170421184107Z 04C3 unknown /CN=TC2174-4 V 170421184108Z 04C4 unknown /CN=TC2174-4 V 170421184108Z 04C5 unknown /CN=TC2174-4 -R 290119152317Z 170206152407Z 04C6 unknown /CN=revoked-cert-test +V 290226175044Z 04C6 unknown /CN=TC4020-2 V 290226175057Z 04C7 unknown /CN=TC4020-2 V 290226175057Z 04C8 unknown /CN=TC4020-3 V 290226175058Z 04C9 unknown /CN=TC4020-4 
@@ -1437,72 +1437,3 @@ V 180316193426Z 059C unknown /CN=req by client in demo step 2/serialNumber=PID: V 180316193428Z 059D unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 V 180316193432Z 059E unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 V 180316193433Z 059F unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 -V 180316193446Z 05A0 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 -V 291027181901Z 05A1 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 -V 291027182025Z 05A2 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 -V 291027182348Z 05A3 unknown /CN=req by client in demo step 2/serialNumber=PID:Widget SN:2 -V 291027191222Z 05A4 unknown /CN=rsa doe -V 291027191222Z 05A5 unknown /CN=EC doe -V 291027191222Z 05A6 unknown /CN=dsa doe -V 291027191227Z 05A7 unknown /CN=rsa doe -V 291027191243Z 05A8 unknown /CN=rsa doe -V 291027191243Z 05A9 unknown /CN=EC doe -V 291027191244Z 05AA unknown /CN=dsa doe -V 291027191249Z 05AB unknown /CN=rsa doe -V 291027191253Z 05AC unknown /CN=US903-test7 CN -V 291027191257Z 05AD unknown /CN=rsa doe -V 291027191257Z 05AE unknown /CN=TestCase9 -V 291027191258Z 05AF unknown /CN=TESTCN -V 291027191643Z 05B0 unknown /CN=TC1005-1 -V 291027191643Z 05B1 unknown /CN=TC1005-2 -V 291027191643Z 05B2 unknown /CN=TC1005-3 -V 291027191644Z 05B3 unknown /CN=TC1005-4 -V 291027191648Z 05B4 unknown /CN=TC1005-6 -V 291027191652Z 05B5 unknown /CN=TC1005-7 -V 291027191657Z 05B6 unknown /CN=TC1005-8 -V 291027191701Z 05B7 unknown /CN=TC1005-9 -V 291027191706Z 05B8 unknown /CN=TC1005-10 -V 291027191710Z 05B9 unknown /CN=TC1005-11 -V 291027191714Z 05BA unknown /CN=TC1005-93 -V 291027191715Z 05BB unknown /CN=TC1005-94 -V 291027191753Z 05BC unknown /CN=Test 1 -V 291027191753Z 05BD unknown /CN=Test 2/serialNumber=12349999B -V 291027191754Z 05BE unknown /CN=Test 10 -V 291027191754Z 05BF unknown /CN=Test 20/serialNumber=12349999B -V 
291027191754Z 05C0 unknown /CN=Test 21/serialNumber=12349999B -V 291027191754Z 05C1 unknown /CN=Test 50 -V 291027191755Z 05C2 unknown /CN=Test 51 -V 291027191823Z 05C3 unknown /CN=rsa doe -V 291027191836Z 05C4 unknown /CN=TC1883-4 -V 291027191836Z 05C5 unknown /CN=TC1883-6 -V 291027191836Z 05C6 unknown /CN=TC1883-7 -V 291027191836Z 05C7 unknown /CN=TC1883-7 -V 291027191837Z 05C8 unknown /CN=TC1883-6 -V 181114191858Z 05C9 unknown /CN=TC2174-4 -V 181114191859Z 05CA unknown /CN=TC2174-4 -V 181114191859Z 05CB unknown /CN=TC2174-4 -V 181114191859Z 05CC unknown /CN=TC2174-4 -V 181114191900Z 05CD unknown /CN=TC2174-4 -V 291027191945Z 05CE unknown /CN=TCUS3612-1 -V 291027191945Z 05CF unknown /CN=TCUS3612-3 -V 291027192002Z 05D0 unknown /CN=www.iotrus.com/serialNumber=IOTRUS-0123456789 -V 291027192027Z 05D1 unknown /CN=www.iotrus.com/serialNumber=IOTRUS-0123456789 -V 291027192313Z 05D2 unknown /CN=www.iotrus.com/serialNumber=IOTRUS-0123456789 -V 291027192328Z 05D3 unknown /CN=TC899-1 -V 291027192329Z 05D4 unknown /CN=US899-TC2 -V 291027192329Z 05D5 unknown /CN=US899-TC5 -V 291027192342Z 05D6 unknown /CN=TC899-8 -V 291027192418Z 05D7 unknown /CN=TEST16-CN -V 291027193115Z 05D8 unknown /CN=TC899-1 -V 291027193115Z 05D9 unknown /CN=US899-TC2 -V 291027193116Z 05DA unknown /CN=US899-TC5 -V 291027193128Z 05DB unknown /CN=TC899-8 -V 291027193137Z 05DC unknown /CN=TC899-10 -V 291027193149Z 05DD unknown /CN=TC899-13 -V 291027193154Z 05DE unknown /CN=TC899-14 -V 291027193205Z 05DF unknown /CN=TEST16-CN -V 181114203959Z 05E0 unknown /CN=rsa doe -V 181114203959Z 05E1 unknown /CN=EC doe -V 181114203959Z 05E2 unknown /CN=dsa doe -V 181114204012Z 05E3 unknown /CN=rsa doe -V 181114204025Z 05E4 unknown /CN=US748-test7 CN diff --git a/test/UT/CA/estCA/serial.old b/test/UT/CA/estCA/serial.old index f3d881d..3988462 100644 --- a/test/UT/CA/estCA/serial.old +++ b/test/UT/CA/estCA/serial.old @@ -1 +1 @@ -05E5 +05A0 diff --git a/test/UT/Makefile b/test/UT/Makefile index daafaee..5f6d6f3 100644 
--- a/test/UT/Makefile +++ b/test/UT/Makefile @@ -24,11 +24,7 @@ SRC = runtest.c \ US3496/us3496.c \ US3512/us3512.c \ US3612/us3612.c \ - US3646/us3646.c \ US4020/us4020.c \ - US4778/us4778.c \ - US4784/us4784.c \ - ../util/cdets.c \ ../util/curl_utils.c \ ../util/test_utils.c \ ../util/st_server.c \ @@ -61,25 +57,17 @@ endif INCLUDES = -I../../src/est -I../.. -I../util -I$(OPENSSL_DIR)/include -I$(CURL_DIR)/include -I$(CUNIT_DIR)/include -I$(URIPARSER_DIR)/include # C++ compiler flags (-g -O2 -Wall) -CCFLAGS = -Wall -g -DHAVE_CUNIT -DNO_SSL_DL $(CURL_CC_DEFINE) $(CFLAGS) +CCFLAGS = -Wall -g -DHAVE_CUNIT -DNO_SSL_DL $(CURL_CC_DEFINE) # compiler CC = gcc # linker flags -ifdef DISABLE_SAFEC - LDFLAGS += -lcunit -ldl -lpthread -lssl -lcrypto -lest -lcurl $(URIPARSER_LDFLAGS) -else - LDFLAGS += -lcunit -ldl -lpthread -lssl -lcrypto -lest -lciscosafec -lcurl $(URIPARSER_LDFLAGS) -endif - +LDFLAGS += -lcunit -ldl -lpthread -lssl -lcrypto -lest -lcurl $(URIPARSER_LDFLAGS) # library paths -ifdef DISABLE_SAFEC - LIBS = -L../../src/est/.libs -L$(URIPARSER_DIR)/lib -L$(OPENSSL_DIR)/lib -L$(CURL_DIR)/lib -L$(CUNIT_DIR)/lib $(LDFLAGS) -else - LIBS = -L../../src/est/.libs -L$(CISCOSAFEC_DIR)/lib -L$(URIPARSER_DIR)/lib -L$(OPENSSL_DIR)/lib -L$(CURL_DIR)/lib -L$(CUNIT_DIR)/lib $(LDFLAGS) -endif +LIBS = -L../../src/est/.libs -L$(URIPARSER_DIR)/lib -L$(OPENSSL_DIR)/lib -L$(CURL_DIR)/lib -L$(CUNIT_DIR)/lib $(LDFLAGS) + @@ -96,3 +84,4 @@ runtest: $(OBJ) clean: rm -f $(OBJ) rm -f runtest + diff --git a/test/UT/US1159/us1159.c b/test/UT/US1159/us1159.c index e1deb33..c1c751c 100644 --- a/test/UT/US1159/us1159.c +++ b/test/UT/US1159/us1159.c @@ -49,7 +49,6 @@ static int cacerts_len = 0; static char *attrs; static unsigned char * handle_csrattrs_request (int *csr_len, char *path_seg, - X509 *peer_cert, void *app_data) { unsigned char *csr_data; diff --git a/test/UT/US3646/us3646.c b/test/UT/US3646/us3646.c deleted file mode 100644 index ede5a75..0000000 
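Review bot: The new `CCFLAGS = -Wall -g -DHAVE_CUNIT -DNO_SSL_DL $(CURL_CC_DEFINE)` drops the trailing `$(CFLAGS)`, so compiler options supplied by the environment or the top-level build (sanitizer, hardening or extra include flags) no longer reach the unit-test build, unlike before this change. If the intent is only to remove the safec conditionals, keep `$(CFLAGS)` at the end of that line. The unconditional `LDFLAGS` line likewise drops `-lciscosafec`; that is only correct if libest is now always linked against the `safe_c_stub` listed in the top-level SUBDIRS, which is worth confirming since the server code in this same diff still calls `strnlen_s`.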
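Review bot: Removing the `X509 *peer_cert` parameter from `handle_csrattrs_request` means the CSR-attributes callback no longer receives the authenticated client certificate, so a server implementation can no longer tie the attributes it returns or refuses to the requesting identity; the matching change to the library's callback type is outside this chunk, so I am inferring the API change from the test alone. If the narrower signature is intended, the callback's documentation should say that the peer identity is no longer provided and how an implementer should obtain it. The function body continues outside the hunk.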
--- a/test/UT/US3646/us3646.c +++ /dev/null 
@@ -1,1169 +0,0 @@ -/*------------------------------------------------------------------ - * us3646.c - Unit Tests for BRSKI support. - * - * February, 2017 - * - * Copyright (c) 2017 by cisco Systems, Inc. - * All rights reserved. - *------------------------------------------------------------------ - */ -#include -#ifndef WIN32 -#include -#endif -#include -#include -#include "curl_utils.h" -#ifdef HAVE_CUNIT -#include "CUnit/Basic.h" -#include "CUnit/Automated.h" -#endif -#include "../../util/test_utils.h" -#include "st_server.h" - -#include "../../src/est/est_locl.h" - -extern char tst_srvr_path_seg_enroll[]; -extern char tst_srvr_path_seg_auth[]; - -/* - * max command line length when generating system commands - */ -#define EST_UT_MAX_CMD_LEN 256 - -/* - * The CA certificate used to verify the EST server. Grab it from the server's directory - */ -/* #define CLIENT_UT_CACERT "../../example/server/estCA/cacert.crt" */ -#define CLIENT_UT_CACERT "CA/estCA/cacert.crt" -#define CLIENT_UT_PUBKEY "./est_client_ut_keypair" -#define CLIENT_UT_MFG_PRIVKEY "./est_client_ut_mfg_privkey.pem" -#define CLIENT_UT_MFG_CSR "./est_client_ut_mfg_csr.pem" -#define CLIENT_UT_MFG_CERT "./est_client_ut_mfg_cert.pem" -X509 *client_cert; -EVP_PKEY *client_priv_key; - -#define US3646_SERVER_PORT 29496 -#define US3646_SERVER_IP "127.0.0.1" -#define US3646_UIDPWD_GOOD "estuser:estpwd" -#define US3646_UID "estuser" -#define US3646_PWD "estpwd" -#ifndef WIN32 -#define US3646_CACERTS "CA/estCA/cacert.crt" -#define US3646_TRUST_CERTS "CA/trustedcerts.crt" -#define US3646_SERVER_CERTKEY "CA/estCA/private/estservercertandkey.pem" -#else -#define US3646_CACERTS "CA\\estCA\\cacert.crt" -#define US3646_TRUST_CERTS "CA\\trustedcerts.crt" -#define US3646_SERVER_CERTKEY "CA\\estCA\\private\\estservercertandkey.pem" - -static CRITICAL_SECTION logger_critical_section; -static void us3646_logger_stderr (char *format, va_list l) -{ - EnterCriticalSection(&logger_critical_section); - vfprintf(stderr, 
format, l); - fflush(stderr); - LeaveCriticalSection(&logger_critical_section); -} -#endif - -#define US3646_ENROLL_URL_BA "https://127.0.0.1:29496/.well-known/est/cacerts-somestring/simpleenroll" -#define US3646_PKCS10_CT "Content-Type: application/pkcs10" - -#define US3646_PKCS10_RSA2048 "MIICvTCCAaUCAQAweDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5DMQwwCgYDVQQH\nDANSVFAxEjAQBgNVBAoMCVJTQWNlcnRjbzEMMAoGA1UECwwDcnNhMRAwDgYDVQQD\nDAdyc2EgZG9lMRowGAYJKoZIhvcNAQkBFgtyc2FAZG9lLmNvbTCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBAN6pCTBrK7T029Bganq0QHXHyNL8opvxc7JY\nXaQz39R3J9BoBE72XZ0QXsBtUEYGNhHOLaISASNzs2ZKWpvMHJWmPYNt39OCi48Y\nFOgLDbAn83mAOKSfcMLbibCcsh4HOlhaaFrWskRTAsew16MUOzFu6vBkw/AhI82J\nKPYws0dYOxuWFIgE1HL+m/gplbzq7FrBIdrqkNL+ddgyXoDd5NuLMJGDAK7vB1Ww\n9/Baw/6Ai9V5psye1v8fWDr6HW2gg9XnVtMwB4pCg1rl1lSYstumTGYbM6cxJywe\nLuMnDjj1ZwDsZ1wIXaBAXZaxEIS/rXOX0HnZMTefxY/gpFk1Kv0CAwEAAaAAMA0G\nCSqGSIb3DQEBBQUAA4IBAQB6rIwNjE8l8jFKR1hQ/qeSvee/bAQa58RufZ4USKuK\nlsih7UCf8bkQvgljnhscQuczIbnJzeqEPqSdnomFW6CvMc/ah+QfX87FGYxJgpwF\nutnUifjDiZhrWgf/jNNbtHrkecw/Zex4sZ/HC127jtE3cyEkDsrA1oBxYRCq93tC\nW2q9PLVmLlyjcZcS1KHVD2nya79kfS0YGMocsw1GelVL2iz/ocayAS5GB9Y2sEBw\nRkCaYZw6vhj5qjpCUzJ3E8Cl3VD4Kpi3j3bZGDJA9mdmd8j5ZyPY56eAuxarWssD\nciUM/h6E99w3tmrUZbLljkjJ7pBXRnontgm5WZmQFH4X" - -static int client_manual_cert_verify (X509 *cur_cert, int openssl_cert_error); - -static void us3646_clean (void) -{ -} - -static int us3646_start_server (int manual_enroll, int nid) -{ - int rv; - - rv = st_start(US3646_SERVER_PORT, - US3646_SERVER_CERTKEY, - US3646_SERVER_CERTKEY, - "US3646 test realm", - US3646_CACERTS, - US3646_TRUST_CERTS, - "CA/estExampleCA.cnf", - manual_enroll, - 0, - nid); - - SLEEP(1); - - /* - * if the starting of the single thread server was successful, - * go ahead and put it into BRSKI mode - */ - if (!rv) { - rv = st_set_brski_mode(); - if (rv) { - printf("Failed to put the server in BRSKI mode\n"); - return(rv); - } - - /* - * Initialize the BRSKI server testing modes - */ - 
st_set_brski_serial_num_mode(1,0,0); - st_set_brski_retry_mode(0,5,1); - st_set_brski_nonce_mode(1,0,0); - } - - return (rv); -} - -/* - * This routine is called when CUnit initializes this test - * suite. - * 1. Generate the keypair to be used for this EST Client UT suite - */ -static int us3646_init_suite (void) -{ - int rv = 0; - char cmd[EST_UT_MAX_CMD_LEN]; - BIO *certin; - - printf("Starting EST Client BRSKI unit tests.\n"); - - /* - * gen the mfg keypair that will be used to simulate what - * would come from the manufacturer, including a cert request with - * a hw serial number in the DN. - * - * Then, get the CSR signed by the ESTCA used for UT. - */ - snprintf(cmd, EST_UT_MAX_CMD_LEN, "openssl req -nodes -days 365 -sha256 -newkey rsa:2048 " - " -subj '/CN=www.iotrus.com/O=IOT-R-US, Inc./C=US/ST=NC/L=RTP/serialNumber=IOTRUS-0123456789' " - " -keyout %s -out %s", CLIENT_UT_MFG_PRIVKEY, CLIENT_UT_MFG_CSR); - printf("%s\n", cmd); - rv = system(cmd); - - snprintf(cmd, EST_UT_MAX_CMD_LEN, "openssl ca -config CA/estExampleCA.cnf -in %s " - "-extensions v3_ca -out %s -batch", CLIENT_UT_MFG_CSR, CLIENT_UT_MFG_CERT); - printf("%s\n", cmd); - rv = system(cmd); - - { - certin = BIO_new(BIO_s_file_internal()); - if (certin == NULL) { - printf("\nUnable to allocate BIO\n"); - return -1; - } - - if (BIO_read_filename(certin, CLIENT_UT_MFG_CERT) <= 0) { - printf("\nUnable to read client certificate file %s\n", CLIENT_UT_MFG_CERT); - BIO_free(certin); - return -1; - } - /* - * This reads the file, which is expected to be PEM encoded. If you're using - * DER encoded certs, you would invoke d2i_X509_bio() instead. 
- */ - client_cert = PEM_read_bio_X509(certin, NULL, NULL, NULL); - if (client_cert == NULL) { - printf("\nError while reading PEM encoded client certificate file %s\n", CLIENT_UT_MFG_CERT); - BIO_free(certin); - return -1; - } - client_priv_key = read_private_key(CLIENT_UT_MFG_PRIVKEY/* client_key_file */); - if (client_priv_key == NULL) { - printf("\nError while reading PEM encoded private key file %s\n", CLIENT_UT_MFG_PRIVKEY); - ERR_print_errors_fp(stderr); - BIO_free(certin); - return -1; - } - BIO_free(certin); - } - - /* - * gen the keypair to be used for EST Client testing - */ - snprintf(cmd, EST_UT_MAX_CMD_LEN, - "openssl ecparam -name prime256v1 -genkey -out %s", CLIENT_UT_PUBKEY); - printf("%s\n", cmd); - - rv = system(cmd); - - /* - * start the server for the tests that need to talk to a server - */ - us3646_clean(); - /* - * Start an instance of the EST server - */ - rv = us3646_start_server(0, 0); - SLEEP(2); - - return rv; -} - - -/* - * This routine is called when CUnit uninitializes this test - * suite. This can be used to deallocate data or close any - * resources that were used for the test cases. 
- */ -static int us3646_destroy_suite (void) -{ - /* - * Return to a known state just in case - */ - st_set_brski_serial_num_mode(1,0,0); - st_set_brski_retry_mode(0,5,1); - st_set_brski_nonce_mode(1,0,0); - - st_stop(); - return 0; -} - -/* - * Callback function passed to est_client_init() - */ -static int client_manual_cert_verify (X509 *cur_cert, int openssl_cert_error) -{ - BIO *bio_err; - bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); - int approve = 0; - - /* - * Print out the specifics of this cert - */ - printf("%s: OpenSSL/EST server cert verification failed with the following error: openssl_cert_error = %d (%s)\n", - __FUNCTION__, openssl_cert_error, - X509_verify_cert_error_string(openssl_cert_error)); - - printf("Failing Cert:\n"); - X509_print_fp(stdout,cur_cert); - /* - * Next call prints out the signature which can be used as the fingerprint - * This fingerprint can be checked against the anticipated value to determine - * whether or not the server's cert should be approved. - */ - X509_signature_print(bio_err, cur_cert->sig_alg, cur_cert->signature); - - if (openssl_cert_error == X509_V_ERR_UNABLE_TO_GET_CRL) { - approve = 1; - } - - BIO_free(bio_err); - - return approve; -} - - - -/* - * This test case tests the set brski mode with valid parameters, - */ -static void us3646_test1 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - EVP_PKEY *priv_key; - - SLEEP(1); - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - /* - * Read in the private key file - */ - priv_key = read_private_key(CLIENT_UT_PUBKEY); - if (priv_key == NULL) { - printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); - return; - } - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - 
CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US3646_SERVER_IP, US3646_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - -/* - * missing context - */ -static void us3646_test2 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - EVP_PKEY *priv_key; - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - /* - * Read in the private key file - */ - priv_key = read_private_key(CLIENT_UT_PUBKEY); - if (priv_key == NULL) { - printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); - return; - } - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US3646_SERVER_IP, US3646_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_brski_mode(NULL); - CU_ASSERT(rc == EST_ERR_NO_CTX); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_INVALID_PARAMETERS); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - -/* - * get voucher, bad parameters - */ -static void us3646_test3 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - EVP_PKEY *priv_key; - int sign_voucher = 0; - - int voucher_cacert_len; - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - /* - * Read in the private key file - 
*/ - priv_key = read_private_key(CLIENT_UT_PUBKEY); - if (priv_key == NULL) { - printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); - return; - } - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US3646_SERVER_IP, US3646_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - /* - * too early - */ - rc = est_client_brski_get_voucher(ectx, &voucher_cacert_len, sign_voucher); - CU_ASSERT(rc == EST_ERR_INVALID_PARAMETERS); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_get_voucher(NULL, &voucher_cacert_len, sign_voucher); - CU_ASSERT(rc == EST_ERR_NO_CTX); - - rc = est_client_brski_get_voucher(ectx, NULL, sign_voucher); - CU_ASSERT(rc == EST_ERR_INVALID_PARAMETERS); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - -/* - * get voucher, valid - */ -static void us3646_test4 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - EVP_PKEY *priv_key; - int voucher_cacert_len = 0; - int sign_voucher = 0; - - /* - * set the server to respond with a valid nonce - */ - st_set_brski_nonce_mode(1, 0, 0); - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - /* - * Read in the private key file - */ - priv_key = read_private_key(CLIENT_UT_PUBKEY); - if (priv_key == NULL) { - printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); - return; - } - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = 
est_client_set_server(ectx, US3646_SERVER_IP, US3646_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_get_voucher(ectx, &voucher_cacert_len, sign_voucher); - CU_ASSERT(rc == EST_ERR_NONE); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - - -/* - * get voucher, valid with no nonce - */ -static void us3646_test5 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - EVP_PKEY *priv_key; - int voucher_cacert_len = 0; - int sign_voucher = 0; - - /* - * set the server to respond with no nonce in the voucher - */ - st_set_brski_nonce_mode(0, 0, 0); - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - /* - * Read in the private key file - */ - priv_key = read_private_key(CLIENT_UT_PUBKEY); - if (priv_key == NULL) { - printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); - return; - } - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US3646_SERVER_IP, US3646_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_get_voucher(ectx, &voucher_cacert_len, sign_voucher); - CU_ASSERT(rc == EST_ERR_NONE); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - - -/* - * get voucher, voucher too long - */ -static void us3646_test6 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - EVP_PKEY 
*priv_key; - int voucher_cacert_len = 0; - int sign_voucher = 0; - - /* - * set the server to respond with nonce that is too long - */ - st_set_brski_nonce_mode(1, 1, 0); - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - /* - * Read in the private key file - */ - priv_key = read_private_key(CLIENT_UT_PUBKEY); - if (priv_key == NULL) { - printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); - return; - } - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US3646_SERVER_IP, US3646_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_get_voucher(ectx, &voucher_cacert_len, sign_voucher); - CU_ASSERT(rc == EST_ERR_CLIENT_BRSKI_NONCE_TOO_LARGE); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - -/* - * get voucher, nonce mismatch - */ -static void us3646_test7 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - EVP_PKEY *priv_key; - int voucher_cacert_len = 0; - int sign_voucher = 0; - - /* - * set the server to respond with nonce that is too long - */ - st_set_brski_nonce_mode(1, 0, 1); - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - /* - * Read in the private key file - */ - priv_key = read_private_key(CLIENT_UT_PUBKEY); - if (priv_key == NULL) { - printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); - return; - } - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - rc = est_client_set_auth(ectx, 
"estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US3646_SERVER_IP, US3646_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_get_voucher(ectx, &voucher_cacert_len, sign_voucher); - CU_ASSERT(rc == EST_ERR_CLIENT_BRSKI_NONCE_MISMATCH); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - -/* - * copy cacert, bad parameters - */ -static void us3646_test8 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - EVP_PKEY *priv_key; - unsigned char returned_cacert[EST_BRSKI_MAX_CACERT_LEN]; - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - /* - * Read in the private key file - */ - priv_key = read_private_key(CLIENT_UT_PUBKEY); - if (priv_key == NULL) { - printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); - return; - } - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US3646_SERVER_IP, US3646_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - /* - * too early - */ - rc = est_client_brski_copy_cacert(ectx, &returned_cacert[0]); - CU_ASSERT(rc == EST_ERR_INVALID_PARAMETERS); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - /* - * Still too early, before the get voucher - */ - rc = est_client_brski_copy_cacert(ectx, &returned_cacert[0]); - CU_ASSERT(rc == EST_ERR_NO_CERT); - - rc = est_client_brski_copy_cacert(NULL, &returned_cacert[0]); - CU_ASSERT(rc == EST_ERR_NO_CTX); - - rc = est_client_brski_copy_cacert(ectx, NULL); - 
CU_ASSERT(rc == EST_ERR_INVALID_PARAMETERS); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - -/* - * get voucher, copy cacert, valid - */ -static void us3646_test9 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - EVP_PKEY *priv_key; - int voucher_cacert_len = 0; - int sign_voucher = 0; - unsigned char returned_cacert[EST_BRSKI_MAX_CACERT_LEN]; - - /* - * set the server to respond with a valid nonce - */ - st_set_brski_nonce_mode(1, 0, 0); - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - /* - * Read in the private key file - */ - priv_key = read_private_key(CLIENT_UT_PUBKEY); - if (priv_key == NULL) { - printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); - return; - } - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US3646_SERVER_IP, US3646_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_get_voucher(ectx, &voucher_cacert_len, sign_voucher); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_copy_cacert(ectx, &returned_cacert[0]); - CU_ASSERT(rc == EST_ERR_NONE); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - -/* - * voucher status, bad parameters - */ -static void us3646_test10 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - EVP_PKEY *priv_key; - int voucher_cacert_len; - int sign_voucher = 0; - EST_BRSKI_STATUS_VALUE status; - char *reason; - 
- status = EST_BRSKI_STATUS_SUCCESS; - reason = "Enrollment Accepted"; - - /* - * set the server to respond with a valid nonce - */ - st_set_brski_nonce_mode(1, 0, 0); - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - /* - * Read in the private key file - */ - priv_key = read_private_key(CLIENT_UT_PUBKEY); - if (priv_key == NULL) { - printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); - return; - } - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US3646_SERVER_IP, US3646_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - /* - * too early - */ - rc = est_client_brski_send_voucher_status(ectx, status, reason); - CU_ASSERT(rc == EST_ERR_INVALID_PARAMETERS); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_get_voucher(ectx, &voucher_cacert_len, sign_voucher); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_send_voucher_status(NULL, status, reason); - CU_ASSERT(rc == EST_ERR_NO_CTX); - - /* Invalid status value */ - rc = est_client_brski_send_voucher_status(ectx, EST_BRSKI_STATUS_FAIL+1, reason); - CU_ASSERT(rc == EST_ERR_INVALID_PARAMETERS); - - rc = est_client_brski_send_voucher_status(ectx, status, NULL); - CU_ASSERT(rc == EST_ERR_INVALID_PARAMETERS); - - reason = "1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890" - "1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890" - "12345678901234567890123456789012345678901234567890123456"; - rc = est_client_brski_send_voucher_status(ectx, status, reason); - CU_ASSERT(rc == EST_ERR_INVALID_PARAMETERS); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - 
} - if (pkey) { - free(pkey); - } -} - -/* - * voucher status, valid - */ -static void us3646_test11 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - EVP_PKEY *priv_key; - int voucher_cacert_len; - int sign_voucher = 0; - EST_BRSKI_STATUS_VALUE status; - char *reason; - int http_status; - - status = EST_BRSKI_STATUS_SUCCESS; - reason = "Enrollment Accepted"; - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - /* - * Read in the private key file - */ - priv_key = read_private_key(CLIENT_UT_PUBKEY); - if (priv_key == NULL) { - printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); - return; - } - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US3646_SERVER_IP, US3646_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_get_voucher(ectx, &voucher_cacert_len, sign_voucher); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_send_voucher_status(ectx, status, reason); - CU_ASSERT(rc == EST_ERR_NONE); - - http_status = est_client_get_last_http_status(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - CU_ASSERT(http_status == 200); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - - -/* - * enroll status, bad parameters - */ -static void us3646_test12 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - EVP_PKEY *priv_key; - EST_BRSKI_STATUS_VALUE status; - char *reason; - unsigned char *subject_key_id; - - status = EST_BRSKI_STATUS_SUCCESS; - 
reason = "Enrollment Accepted"; - subject_key_id = (unsigned char * )"12345678901234567890"; - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - /* - * Read in the private key file - */ - priv_key = read_private_key(CLIENT_UT_PUBKEY); - if (priv_key == NULL) { - printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); - return; - } - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US3646_SERVER_IP, US3646_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - /* - * too early - */ - rc = est_client_brski_send_enroll_status(ectx, status, reason, subject_key_id); - CU_ASSERT(rc == EST_ERR_INVALID_PARAMETERS); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_send_enroll_status(NULL, status, reason, subject_key_id); - CU_ASSERT(rc == EST_ERR_NO_CTX); - - rc = est_client_brski_send_enroll_status(ectx, EST_BRSKI_STATUS_FAIL+1, reason, subject_key_id); - CU_ASSERT(rc == EST_ERR_INVALID_PARAMETERS); - - /* If SUCCESS no reason is needed */ - rc = est_client_brski_send_enroll_status(ectx, status, NULL, subject_key_id); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_send_enroll_status(ectx, status, reason, NULL); - CU_ASSERT(rc == EST_ERR_INVALID_PARAMETERS); - - /* FAILing status without a reason */ - status = EST_BRSKI_STATUS_FAIL; - rc = est_client_brski_send_enroll_status(ectx, status, NULL, subject_key_id); - CU_ASSERT(rc == EST_ERR_INVALID_PARAMETERS); - - /* FAILing status and reason is too long */ - reason = "1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890" - "1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890" - 
"12345678901234567890123456789012345678901234567890123456"; - rc = est_client_brski_send_enroll_status(ectx, status, reason, subject_key_id); - CU_ASSERT(rc == EST_ERR_INVALID_PARAMETERS); - - /* - * FAILING status, valid reason, subject key identifier too long - */ - reason = "Enrollment Failed"; - subject_key_id = (unsigned char * )"1234567890123456789012345"; - - rc = est_client_brski_send_enroll_status(ectx, status, reason, subject_key_id); - CU_ASSERT(rc == EST_ERR_INVALID_PARAMETERS); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - -/* - * enroll status, valid - */ -static void us3646_test13 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - EVP_PKEY *priv_key; - EST_BRSKI_STATUS_VALUE status; - char *reason; - unsigned char *subject_key_id; - int http_status; - - status = EST_BRSKI_STATUS_SUCCESS; - reason = "Enrollment Accepted"; - subject_key_id = (unsigned char * )"12345678901234567890"; - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - /* - * Read in the private key file - */ - priv_key = read_private_key(CLIENT_UT_PUBKEY); - if (priv_key == NULL) { - printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); - return; - } - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US3646_SERVER_IP, US3646_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_send_enroll_status(ectx, status, reason, subject_key_id); - CU_ASSERT(rc == EST_ERR_NONE); - - http_status = est_client_get_last_http_status(ectx); - CU_ASSERT(rc == 
EST_ERR_NONE); - CU_ASSERT(http_status == 200); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - - -/* The main() function for setting up and running the tests. - * Returns a CUE_SUCCESS on successful running, another - * CUnit error code on failure. - */ -int us3646_add_suite (void) -{ - CU_ErrorCode CU_error; - -#ifdef HAVE_CUNIT - CU_pSuite pSuite = NULL; - - /* add a suite to the registry */ - pSuite = CU_add_suite("us3646_BRSKI_client_support", - us3646_init_suite, - us3646_destroy_suite); - if (NULL == pSuite) { - CU_cleanup_registry(); - return CU_get_error(); - } - -#ifdef WIN32 - InitializeCriticalSection (&logger_critical_section); - est_init_logger(EST_LOG_LVL_INFO, &us3646_logger_stderr); -#else - est_init_logger(EST_LOG_LVL_INFO, NULL); -#endif - - /* add the tests to the suite */ - /* NOTE - ORDER IS IMPORTANT - MUST TEST fread() AFTER fprintf() */ - if ( - (NULL == CU_add_test(pSuite, "Set BRSKI mode: correct parameters", us3646_test1)) || - (NULL == CU_add_test(pSuite, "Set BRSKI mode: missing context", us3646_test2)) || - (NULL == CU_add_test(pSuite, "BRSKI get voucher: bad parameters", us3646_test3)) || - (NULL == CU_add_test(pSuite, "BRSKI get voucher: valid", us3646_test4)) || - (NULL == CU_add_test(pSuite, "BRSKI get voucher: no nonce", us3646_test5)) || - (NULL == CU_add_test(pSuite, "BRSKI get voucher: nonce too long", us3646_test6)) || - (NULL == CU_add_test(pSuite, "BRSKI get voucher: nonce mismatch", us3646_test7)) || - (NULL == CU_add_test(pSuite, "BRSKI copy voucher: bad parameters", us3646_test8)) || - (NULL == CU_add_test(pSuite, "BRSKI copy voucher: valid", us3646_test9)) || - (NULL == CU_add_test(pSuite, "BRSKI voucher status: bad parameters", us3646_test10)) || - (NULL == CU_add_test(pSuite, "BRSKI voucher status: valid", us3646_test11)) || - (NULL == CU_add_test(pSuite, "BRSKI enroll status: bad parameters", us3646_test12)) || - (NULL == CU_add_test(pSuite, "BRSKI 
enroll status: valid", us3646_test13)) - ) { - CU_error = CU_get_error(); - printf("%d\n", CU_error); - - CU_cleanup_registry(); - printf("%s\n", CU_get_error_msg()); - return CU_get_error(); - } - - - return CUE_SUCCESS; -#endif -} diff --git a/test/UT/US4020/us4020.c b/test/UT/US4020/us4020.c index f377809..aa220aa 100644 --- a/test/UT/US4020/us4020.c +++ b/test/UT/US4020/us4020.c @@ -1195,7 +1195,7 @@ int us4020_add_suite (void) CU_pSuite pSuite = NULL; /* add a suite to the registry */ - pSuite = CU_add_suite("us4020_client_proxy", + pSuite = CU_add_suite("us4020_tok_auth_client", us4020_init_suite, us4020_destroy_suite); if (NULL == pSuite) { diff --git a/test/UT/US4778/us4778.c b/test/UT/US4778/us4778.c deleted file mode 100644 index 3e72eda..0000000 --- a/test/UT/US4778/us4778.c +++ /dev/null 
@@ -1,494 +0,0 @@ -/*------------------------------------------------------------------ - * us4778.c - Unit Tests for retry-after processing of BRSKI - * voucher requests - * - * October, 2017 - * - * Copyright (c) 2017 by cisco Systems, Inc. - * All rights reserved. - *------------------------------------------------------------------ - */ -#include -#ifndef WIN32 -#include -#endif -#include -#include -#include "curl_utils.h" -#ifdef HAVE_CUNIT -#include "CUnit/Basic.h" -#include "CUnit/Automated.h" -#endif -#include "../../util/test_utils.h" -#include "st_server.h" - -#include "../../src/est/est_locl.h" - -extern char tst_srvr_path_seg_enroll[]; -extern char tst_srvr_path_seg_auth[]; - -/* - * max command line length when generating system commands - */ -#define EST_UT_MAX_CMD_LEN 256 - -/* - * The CA certificate used to verify the EST server. Grab it from the server's directory - */ -/* #define CLIENT_UT_CACERT "../../example/server/estCA/cacert.crt" */ -#define CLIENT_UT_CACERT "CA/estCA/cacert.crt" -#define CLIENT_UT_PUBKEY "./est_client_ut_keypair" -#define CLIENT_UT_MFG_PRIVKEY "./est_client_ut_mfg_privkey.pem" -#define CLIENT_UT_MFG_CSR "./est_client_ut_mfg_csr.pem" -#define CLIENT_UT_MFG_CERT "./est_client_ut_mfg_cert.pem" -X509 *client_cert; -EVP_PKEY *client_priv_key; - -#define US4778_SERVER_PORT 29496 -#define US4778_SERVER_IP "127.0.0.1" -#define US4778_UIDPWD_GOOD "estuser:estpwd" -#define US4778_UID "estuser" -#define US4778_PWD "estpwd" -#ifndef WIN32 -#define US4778_CACERTS "CA/estCA/cacert.crt" -#define US4778_TRUST_CERTS "CA/trustedcerts.crt" -#define US4778_SERVER_CERTKEY "CA/estCA/private/estservercertandkey.pem" -#else -#define US4778_CACERTS "CA\\estCA\\cacert.crt" -#define US4778_TRUST_CERTS "CA\\trustedcerts.crt" -#define US4778_SERVER_CERTKEY "CA\\estCA\\private\\estservercertandkey.pem" - -static CRITICAL_SECTION logger_critical_section; -static void us4778_logger_stderr (char *format, va_list l) -{ - 
EnterCriticalSection(&logger_critical_section); - vfprintf(stderr, format, l); - fflush(stderr); - LeaveCriticalSection(&logger_critical_section); -} -#endif - -#define US4778_ENROLL_URL_BA "https://127.0.0.1:29496/.well-known/est/cacerts-somestring/simpleenroll" -#define US4778_PKCS10_CT "Content-Type: application/pkcs10" - -#define US4778_PKCS10_RSA2048 "MIICvTCCAaUCAQAweDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5DMQwwCgYDVQQH\nDANSVFAxEjAQBgNVBAoMCVJTQWNlcnRjbzEMMAoGA1UECwwDcnNhMRAwDgYDVQQD\nDAdyc2EgZG9lMRowGAYJKoZIhvcNAQkBFgtyc2FAZG9lLmNvbTCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBAN6pCTBrK7T029Bganq0QHXHyNL8opvxc7JY\nXaQz39R3J9BoBE72XZ0QXsBtUEYGNhHOLaISASNzs2ZKWpvMHJWmPYNt39OCi48Y\nFOgLDbAn83mAOKSfcMLbibCcsh4HOlhaaFrWskRTAsew16MUOzFu6vBkw/AhI82J\nKPYws0dYOxuWFIgE1HL+m/gplbzq7FrBIdrqkNL+ddgyXoDd5NuLMJGDAK7vB1Ww\n9/Baw/6Ai9V5psye1v8fWDr6HW2gg9XnVtMwB4pCg1rl1lSYstumTGYbM6cxJywe\nLuMnDjj1ZwDsZ1wIXaBAXZaxEIS/rXOX0HnZMTefxY/gpFk1Kv0CAwEAAaAAMA0G\nCSqGSIb3DQEBBQUAA4IBAQB6rIwNjE8l8jFKR1hQ/qeSvee/bAQa58RufZ4USKuK\nlsih7UCf8bkQvgljnhscQuczIbnJzeqEPqSdnomFW6CvMc/ah+QfX87FGYxJgpwF\nutnUifjDiZhrWgf/jNNbtHrkecw/Zex4sZ/HC127jtE3cyEkDsrA1oBxYRCq93tC\nW2q9PLVmLlyjcZcS1KHVD2nya79kfS0YGMocsw1GelVL2iz/ocayAS5GB9Y2sEBw\nRkCaYZw6vhj5qjpCUzJ3E8Cl3VD4Kpi3j3bZGDJA9mdmd8j5ZyPY56eAuxarWssD\nciUM/h6E99w3tmrUZbLljkjJ7pBXRnontgm5WZmQFH4X" - -static int client_manual_cert_verify (X509 *cur_cert, int openssl_cert_error); - -static void us4778_clean (void) -{ -} - -static int us4778_start_server (int manual_enroll, int nid) -{ - int rv; - - rv = st_start(US4778_SERVER_PORT, - US4778_SERVER_CERTKEY, - US4778_SERVER_CERTKEY, - "US4778 test realm", - US4778_CACERTS, - US4778_TRUST_CERTS, - "CA/estExampleCA.cnf", - manual_enroll, - 0, - nid); - - SLEEP(1); - - /* - * If the starting of the single thread server was successful, - * go ahead and put it into BRSKI mode - */ - if (!rv) { - rv = st_set_brski_mode(); - if (rv) { - printf("Failed to put the server in BRSKI mode\n"); - return(rv); - } - - /* - * 
Initialize the BRSKI server testing modes - */ - st_set_brski_serial_num_mode(1,0,0); - st_set_brski_retry_mode(0,5,1); - st_set_brski_nonce_mode(1,0,0); - } - - return (rv); -} - -/* - * This routine is called when CUnit initializes this test - * suite. - * 1. Generate the keypair to be used for this EST Client UT suite - */ -static int us4778_init_suite (void) -{ - int rv = 0; - char cmd[EST_UT_MAX_CMD_LEN]; - BIO *certin; - - printf("Starting EST Client BRSKI retry-after unit tests.\n"); - - /* - * gen the mfg keypair that will be used to simulate what - * would come from the manufacturer, including a cert request with - * a hw serial number in the DN. - * - * Then, get the CSR signed by the ESTCA used for UT. - */ - snprintf(cmd, EST_UT_MAX_CMD_LEN, "openssl req -nodes -days 365 -sha256 -newkey rsa:2048 " - " -subj '/CN=www.iotrus.com/O=IOT-R-US, Inc./C=US/ST=NC/L=RTP/serialNumber=IOTRUS-0123456789' " - " -keyout %s -out %s", CLIENT_UT_MFG_PRIVKEY, CLIENT_UT_MFG_CSR); - printf("%s\n", cmd); - rv = system(cmd); - - snprintf(cmd, EST_UT_MAX_CMD_LEN, "openssl ca -config CA/estExampleCA.cnf -in %s " - "-extensions v3_ca -out %s -batch", CLIENT_UT_MFG_CSR, CLIENT_UT_MFG_CERT); - printf("%s\n", cmd); - rv = system(cmd); - - { - certin = BIO_new(BIO_s_file_internal()); - if (BIO_read_filename(certin, CLIENT_UT_MFG_CERT) <= 0) { - printf("\nUnable to read client certificate file %s\n", CLIENT_UT_MFG_CERT); - return -1; - } - /* - * This reads the file, which is expected to be PEM encoded. If you're using - * DER encoded certs, you would invoke d2i_X509_bio() instead. 
- */ - client_cert = PEM_read_bio_X509(certin, NULL, NULL, NULL); - if (client_cert == NULL) { - printf("\nError while reading PEM encoded client certificate file %s\n", CLIENT_UT_MFG_CERT); - return -1; - } - client_priv_key = read_private_key(CLIENT_UT_MFG_PRIVKEY/* client_key_file */); - if (client_priv_key == NULL) { - printf("\nError while reading PEM encoded private key file %s\n", CLIENT_UT_MFG_PRIVKEY); - ERR_print_errors_fp(stderr); - return -1; - } - } - - /* - * gen the keypair to be used for EST Client testing - */ - snprintf(cmd, EST_UT_MAX_CMD_LEN, - "openssl ecparam -name prime256v1 -genkey -out %s", CLIENT_UT_PUBKEY); - printf("%s\n", cmd); - - rv = system(cmd); - - /* - * start the server for the tests that need to talk to a server - */ - us4778_clean(); - /* - * Start an instance of the EST server - */ - rv = us4778_start_server(0, 0); - SLEEP(2); - - return rv; -} - - -/* - * This routine is called when CUnit uninitializes this test - * suite. This can be used to deallocate data or close any - * resources that were used for the test cases. 
- */ -static int us4778_destroy_suite (void) -{ - /* - * Return to a known state just in case - */ - st_set_brski_serial_num_mode(1,0,0); - st_set_brski_retry_mode(0,5,1); - st_set_brski_nonce_mode(1,0,0); - - st_stop(); - return 0; -} - -/* - * Callback function passed to est_client_init() - */ -static int client_manual_cert_verify (X509 *cur_cert, int openssl_cert_error) -{ - BIO *bio_err; - bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); - int approve = 0; - - /* - * Print out the specifics of this cert - */ - printf("%s: OpenSSL/EST server cert verification failed with the following error: openssl_cert_error = %d (%s)\n", - __FUNCTION__, openssl_cert_error, - X509_verify_cert_error_string(openssl_cert_error)); - - printf("Failing Cert:\n"); - X509_print_fp(stdout,cur_cert); - /* - * Next call prints out the signature which can be used as the fingerprint - * This fingerprint can be checked against the anticipated value to determine - * whether or not the server's cert should be approved. - */ - X509_signature_print(bio_err, cur_cert->sig_alg, cur_cert->signature); - - if (openssl_cert_error == X509_V_ERR_UNABLE_TO_GET_CRL) { - approve = 1; - } - - BIO_free(bio_err); - - return approve; -} - - - -/* - * This test performs a valid retry-after exchange. Registrar - * sends a 202 with a valid retry delay value and and provides - * the voucher in response to a second try. 
- */ -static void us4778_test1 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - EVP_PKEY *priv_key; - int voucher_cacert_len = 0; - int sign_voucher = 0; - time_t start_time; - time_t stop_time; - - /* - * Set up the server for retry-after mode - */ - rc = st_set_brski_retry_mode(1, 5, 1); - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - /* - * Read in the private key file - */ - priv_key = read_private_key(CLIENT_UT_PUBKEY); - if (priv_key == NULL) { - printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); - return; - } - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US4778_SERVER_IP, US4778_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - start_time = time(NULL); - rc = est_client_brski_get_voucher(ectx, &voucher_cacert_len, sign_voucher); - stop_time = time(NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - printf("delta time is %ld\n", stop_time - start_time); - CU_ASSERT(stop_time - start_time >= 4); - CU_ASSERT(stop_time - start_time <= 6); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - - -/* - * This test verifies that the pledge ignores a second retry-after - * response from the registrar. 
- */ -static void us4778_test2 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - EVP_PKEY *priv_key; - int voucher_cacert_len = 0; - int sign_voucher = 0; - - /* - * Set up the server for retry-after mode - */ - rc = st_set_brski_retry_mode(1, 5, 2); - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - /* - * Read in the private key file - */ - priv_key = read_private_key(CLIENT_UT_PUBKEY); - if (priv_key == NULL) { - printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); - return; - } - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US4778_SERVER_IP, US4778_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_get_voucher(ectx, &voucher_cacert_len, sign_voucher); - CU_ASSERT(rc == EST_ERR_CA_ENROLL_RETRY); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - - -/* - * This test verifies that the pledge handles a retry delay value - * greater than 60 seconds - */ -static void us4778_test3 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - EVP_PKEY *priv_key; - int voucher_cacert_len = 0; - int sign_voucher = 0; - time_t start_time; - time_t stop_time; - - /* - * Set up the server for retry-after mode - */ - rc = st_set_brski_retry_mode(1, 70, 1); - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - /* - * Read in the private key file - */ - priv_key = 
read_private_key(CLIENT_UT_PUBKEY); - if (priv_key == NULL) { - printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); - return; - } - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US4778_SERVER_IP, US4778_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - start_time = time(NULL); - rc = est_client_brski_get_voucher(ectx, &voucher_cacert_len, sign_voucher); - stop_time = time(NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - printf("delta time is %ld\n", stop_time - start_time); - CU_ASSERT(stop_time - start_time >= 59); - CU_ASSERT(stop_time - start_time <= 61); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - - -/* The main() function for setting up and running the tests. - * Returns a CUE_SUCCESS on successful running, another - * CUnit error code on failure. 
- */ -int us4778_add_suite (void) -{ - CU_ErrorCode CU_error; - -#ifdef HAVE_CUNIT - CU_pSuite pSuite = NULL; - - /* add a suite to the registry */ - pSuite = CU_add_suite("us4778_BRSKI_retry-after_support", - us4778_init_suite, - us4778_destroy_suite); - if (NULL == pSuite) { - CU_cleanup_registry(); - return CU_get_error(); - } - -#ifdef WIN32 - InitializeCriticalSection (&logger_critical_section); - est_init_logger(EST_LOG_LVL_INFO, &us4778_logger_stderr); -#endif - - /* add the tests to the suite */ - /* NOTE - ORDER IS IMPORTANT - MUST TEST fread() AFTER fprintf() */ - if ( - (NULL == CU_add_test(pSuite, "Valid retry-after resp", us4778_test1)) || - (NULL == CU_add_test(pSuite, "Invalid retry-after resp: 2 retries", us4778_test2)) || - (NULL == CU_add_test(pSuite, "Invalid retry-after resp: > 60 secs", us4778_test3)) - ) { - CU_error = CU_get_error(); - printf("%d\n", CU_error); - - CU_cleanup_registry(); - printf("%s\n", CU_get_error_msg()); - return CU_get_error(); - } - - return CUE_SUCCESS; -#endif -} diff --git a/test/UT/US4784/us4784.c b/test/UT/US4784/us4784.c deleted file mode 100644 index 48c72b7..0000000 --- a/test/UT/US4784/us4784.c +++ /dev/null 
@@ -1,627 +0,0 @@ -/*------------------------------------------------------------------ - * us4784.c - Unit Tests for serial number verification - * - * October, 2017 - * - * Copyright (c) 2017 by cisco Systems, Inc. - * All rights reserved. - *------------------------------------------------------------------ - */ -#include -#ifndef WIN32 -#include -#endif -#include -#include -#include "curl_utils.h" -#ifdef HAVE_CUNIT -#include "CUnit/Basic.h" -#include "CUnit/Automated.h" -#endif -#include "../../util/test_utils.h" -#include "st_server.h" - -#include "../../src/est/est_locl.h" - -/* - * max command line length when generating system commands - */ -#define EST_UT_MAX_CMD_LEN 256 - -/* - * The CA certificate used to verify the EST server. Grab it from the server's directory - */ -/* #define CLIENT_UT_CACERT "../../example/server/estCA/cacert.crt" */ -#define CLIENT_UT_CACERT "CA/estCA/cacert.crt" -#define CLIENT_UT_PUBKEY "./est_client_ut_keypair" -#define CLIENT_UT_MFG_PRIVKEY "./est_client_ut_mfg_privkey.pem" -#define CLIENT_UT_MFG_CSR "./est_client_ut_mfg_csr.pem" -#define CLIENT_UT_MFG_CERT "./est_client_ut_mfg_cert.pem" - -#define US4784_SERVER_PORT 29496 -#define US4784_SERVER_IP "127.0.0.1" -#define US4784_UIDPWD_GOOD "estuser:estpwd" -#define US4784_UID "estuser" -#define US4784_PWD "estpwd" -#ifndef WIN32 -#define US4784_CACERTS "CA/estCA/cacert.crt" -#define US4784_TRUST_CERTS "CA/trustedcerts.crt" -#define US4784_SERVER_CERTKEY "CA/estCA/private/estservercertandkey.pem" -#else -#define US4784_CACERTS "CA\\estCA\\cacert.crt" -#define US4784_TRUST_CERTS "CA\\trustedcerts.crt" -#define US4784_SERVER_CERTKEY "CA\\estCA\\private\\estservercertandkey.pem" - -static CRITICAL_SECTION logger_critical_section; -static void us4784_logger_stderr (char *format, va_list l) -{ - EnterCriticalSection(&logger_critical_section); - vfprintf(stderr, format, l); - fflush(stderr); - LeaveCriticalSection(&logger_critical_section); -} -#endif - -#define US4784_ENROLL_URL_BA 
"https://127.0.0.1:29496/.well-known/est/cacerts-somestring/simpleenroll" -#define US4784_PKCS10_CT "Content-Type: application/pkcs10" - -#define US4784_PKCS10_RSA2048 "MIICvTCCAaUCAQAweDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5DMQwwCgYDVQQH\nDANSVFAxEjAQBgNVBAoMCVJTQWNlcnRjbzEMMAoGA1UECwwDcnNhMRAwDgYDVQQD\nDAdyc2EgZG9lMRowGAYJKoZIhvcNAQkBFgtyc2FAZG9lLmNvbTCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBAN6pCTBrK7T029Bganq0QHXHyNL8opvxc7JY\nXaQz39R3J9BoBE72XZ0QXsBtUEYGNhHOLaISASNzs2ZKWpvMHJWmPYNt39OCi48Y\nFOgLDbAn83mAOKSfcMLbibCcsh4HOlhaaFrWskRTAsew16MUOzFu6vBkw/AhI82J\nKPYws0dYOxuWFIgE1HL+m/gplbzq7FrBIdrqkNL+ddgyXoDd5NuLMJGDAK7vB1Ww\n9/Baw/6Ai9V5psye1v8fWDr6HW2gg9XnVtMwB4pCg1rl1lSYstumTGYbM6cxJywe\nLuMnDjj1ZwDsZ1wIXaBAXZaxEIS/rXOX0HnZMTefxY/gpFk1Kv0CAwEAAaAAMA0G\nCSqGSIb3DQEBBQUAA4IBAQB6rIwNjE8l8jFKR1hQ/qeSvee/bAQa58RufZ4USKuK\nlsih7UCf8bkQvgljnhscQuczIbnJzeqEPqSdnomFW6CvMc/ah+QfX87FGYxJgpwF\nutnUifjDiZhrWgf/jNNbtHrkecw/Zex4sZ/HC127jtE3cyEkDsrA1oBxYRCq93tC\nW2q9PLVmLlyjcZcS1KHVD2nya79kfS0YGMocsw1GelVL2iz/ocayAS5GB9Y2sEBw\nRkCaYZw6vhj5qjpCUzJ3E8Cl3VD4Kpi3j3bZGDJA9mdmd8j5ZyPY56eAuxarWssD\nciUM/h6E99w3tmrUZbLljkjJ7pBXRnontgm5WZmQFH4X" - -static int client_manual_cert_verify (X509 *cur_cert, int openssl_cert_error); - -static void us4784_clean (void) -{ -} - -static int us4784_start_server (int manual_enroll, int nid) -{ - int rv; - - rv = st_start(US4784_SERVER_PORT, - US4784_SERVER_CERTKEY, - US4784_SERVER_CERTKEY, - "US4784 test realm", - US4784_CACERTS, - US4784_TRUST_CERTS, - "CA/estExampleCA.cnf", - manual_enroll, - 0, - nid); - - SLEEP(1); - - /* - * If the starting of the single thread server was successful, - * go ahead and put it into BRSKI mode - */ - if (!rv) { - rv = st_set_brski_mode(); - if (rv) { - printf("Failed to put the server in BRSKI mode\n"); - return(rv); - } - - /* - * Initialize the BRSKI server testing modes - */ - st_set_brski_serial_num_mode(1,0,0); - st_set_brski_retry_mode(0,5,1); - st_set_brski_nonce_mode(1,0,0); - } - - return (rv); -} - -/* - * 
This routine is called when CUnit initializes this test - * suite. - * 1. Generate the keypair to be used for this EST Client UT suite - */ -static int us4784_init_suite (void) -{ - int rv = 0; - - char cmd[EST_UT_MAX_CMD_LEN]; - printf("Starting EST Client BRSKI serial number unit tests.\n"); - - /* - * gen the mfg keypair that will be used to simulate what - * would come from the manufacturer, including a cert request with - * a hw serial number in the DN. - * - * Then, get the CSR signed by the ESTCA used for UT. - */ - snprintf(cmd, EST_UT_MAX_CMD_LEN, "openssl req -nodes -days 365 -sha256 -newkey rsa:2048 " - " -subj '/CN=www.iotrus.com/O=IOT-R-US, Inc./C=US/ST=NC/L=RTP/serialNumber=IOTRUS-0123456789' " - " -keyout %s -out %s", CLIENT_UT_MFG_PRIVKEY, CLIENT_UT_MFG_CSR); - printf("%s\n", cmd); - rv = system(cmd); - - snprintf(cmd, EST_UT_MAX_CMD_LEN, "openssl ca -config CA/estExampleCA.cnf -in %s " - "-extensions v3_ca -out %s -batch", CLIENT_UT_MFG_CSR, CLIENT_UT_MFG_CERT); - printf("%s\n", cmd); - rv = system(cmd); - - /* - * gen the keypair to be used for EST Client testing - */ - snprintf(cmd, EST_UT_MAX_CMD_LEN, - "openssl ecparam -name prime256v1 -genkey -out %s", CLIENT_UT_PUBKEY); - printf("%s\n", cmd); - rv = system(cmd); - - /* - * start the server for the tests that need to talk to a server - */ - us4784_clean(); - /* - * Start an instance of the EST server - */ - rv = us4784_start_server(0, 0); - SLEEP(2); - - return rv; -} - - -/* - * This routine is called when CUnit uninitializes this test - * suite. This can be used to deallocate data or close any - * resources that were used for the test cases. 
- */ -static int us4784_destroy_suite (void) -{ - /* - * Return to a known state just in case - */ - st_set_brski_serial_num_mode(1,0,0); - st_set_brski_retry_mode(0,5,1); - st_set_brski_nonce_mode(1,0,0); - - st_stop(); - return 0; -} - -/* - * Callback function passed to est_client_init() - */ -static int client_manual_cert_verify (X509 *cur_cert, int openssl_cert_error) -{ - BIO *bio_err; - bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); - int approve = 0; - - /* - * Print out the specifics of this cert - */ - printf("%s: OpenSSL/EST server cert verification failed with the following error: openssl_cert_error = %d (%s)\n", - __FUNCTION__, openssl_cert_error, - X509_verify_cert_error_string(openssl_cert_error)); - - printf("Failing Cert:\n"); - X509_print_fp(stdout,cur_cert); - /* - * Next call prints out the signature which can be used as the fingerprint - * This fingerprint can be checked against the anticipated value to determine - * whether or not the server's cert should be approved. - */ - X509_signature_print(bio_err, cur_cert->sig_alg, cur_cert->signature); - - if (openssl_cert_error == X509_V_ERR_UNABLE_TO_GET_CRL) { - approve = 1; - } - - BIO_free(bio_err); - - return approve; -} - - - -/* - * This test performs a voucher request using a cert that does NOT - * contain a serial number in the DN. Should return an error. 
- */ -static void us4784_test1 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - EVP_PKEY *priv_key; - int voucher_cacert_len = 0; - int sign_voucher = 0; - X509 *client_cert; - BIO *certin; - EVP_PKEY *client_priv_key; - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - /* - * Read in the private key file - */ - priv_key = read_private_key(CLIENT_UT_PUBKEY); - if (priv_key == NULL) { - printf("\nError while reading private key file %s\n", CLIENT_UT_PUBKEY); - return; - } - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - certin = BIO_new(BIO_s_file_internal()); - if (BIO_read_filename(certin, US4784_SERVER_CERTKEY) <= 0) { - printf("\nUnable to read client certificate file %s\n", US4784_SERVER_CERTKEY); - return; - } - /* - * This reads the file, which is expected to be PEM encoded. If you're using - * DER encoded certs, you would invoke d2i_X509_bio() instead. 
- */ - client_cert = PEM_read_bio_X509(certin, NULL, NULL, NULL); - if (client_cert == NULL) { - printf("\nError while reading PEM encoded client certificate file %s\n", US4784_SERVER_CERTKEY); - return; - } - client_priv_key = read_private_key(US4784_SERVER_CERTKEY); - if (client_priv_key == NULL) { - printf("\nError while reading PEM encoded private key file %s\n", US4784_SERVER_CERTKEY); - ERR_print_errors_fp(stderr); - return; - } - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US4784_SERVER_IP, US4784_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_get_voucher(ectx, &voucher_cacert_len, sign_voucher); - CU_ASSERT(rc == EST_ERR_CLIENT_BRSKI_SERIAL_NUM_MISSING); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - - -/* - * This test performs a voucher request using a cert that DOES - * contain a serial number in the DN. Should return success. - */ -static void us4784_test2 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - int voucher_cacert_len = 0; - int sign_voucher = 0; - - X509 *client_cert; - BIO *certin; - EVP_PKEY *client_priv_key; - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - certin = BIO_new(BIO_s_file_internal()); - if (BIO_read_filename(certin, CLIENT_UT_MFG_CERT) <= 0) { - printf("\nUnable to read client certificate file %s\n", CLIENT_UT_MFG_CERT); - return; - } - /* - * This reads the file, which is expected to be PEM encoded. If you're using - * DER encoded certs, you would invoke d2i_X509_bio() instead. 
- */ - client_cert = PEM_read_bio_X509(certin, NULL, NULL, NULL); - if (client_cert == NULL) { - printf("\nError while reading PEM encoded client certificate file %s\n", CLIENT_UT_MFG_CERT); - return; - } - client_priv_key = read_private_key(CLIENT_UT_MFG_PRIVKEY/* client_key_file */); - if (client_priv_key == NULL) { - printf("\nError while reading PEM encoded private key file %s\n", CLIENT_UT_MFG_PRIVKEY); - ERR_print_errors_fp(stderr); - return; - } - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US4784_SERVER_IP, US4784_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_get_voucher(ectx, &voucher_cacert_len, sign_voucher); - CU_ASSERT(rc == EST_ERR_NONE); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - - -/* - * This test sends a voucher that is missing the serial number - */ -static void us4784_test3 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - int voucher_cacert_len = 0; - int sign_voucher = 0; - - X509 *client_cert; - BIO *certin; - EVP_PKEY *client_priv_key; - - st_set_brski_serial_num_mode(0,0,0); - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - certin = BIO_new(BIO_s_file_internal()); - if (BIO_read_filename(certin, CLIENT_UT_MFG_CERT) <= 0) { - printf("\nUnable to read client certificate file %s\n", CLIENT_UT_MFG_CERT); - return; - } - /* - * This reads the file, which is expected to be PEM encoded. If you're using - * DER encoded certs, you would invoke d2i_X509_bio() instead. 
- */ - client_cert = PEM_read_bio_X509(certin, NULL, NULL, NULL); - if (client_cert == NULL) { - printf("\nError while reading PEM encoded client certificate file %s\n", CLIENT_UT_MFG_CERT); - return; - } - client_priv_key = read_private_key(CLIENT_UT_MFG_PRIVKEY/* client_key_file */); - if (client_priv_key == NULL) { - printf("\nError while reading PEM encoded private key file %s\n", CLIENT_UT_MFG_PRIVKEY); - ERR_print_errors_fp(stderr); - return; - } - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US4784_SERVER_IP, US4784_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_get_voucher(ectx, &voucher_cacert_len, sign_voucher); - CU_ASSERT(rc == EST_ERR_CLIENT_BRSKI_SERIAL_NUM_MISSING); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - - -/* - * This test sends a voucher with a serial number that's too long - */ -static void us4784_test4 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - int voucher_cacert_len = 0; - int sign_voucher = 0; - - X509 *client_cert; - BIO *certin; - EVP_PKEY *client_priv_key; - - st_set_brski_serial_num_mode(1,1,0); - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - certin = BIO_new(BIO_s_file_internal()); - if (BIO_read_filename(certin, CLIENT_UT_MFG_CERT) <= 0) { - printf("\nUnable to read client certificate file %s\n", CLIENT_UT_MFG_CERT); - return; - } - /* - * This reads the file, which is expected to be PEM encoded. If you're using - * DER encoded certs, you would invoke d2i_X509_bio() instead. 
- */ - client_cert = PEM_read_bio_X509(certin, NULL, NULL, NULL); - if (client_cert == NULL) { - printf("\nError while reading PEM encoded client certificate file %s\n", CLIENT_UT_MFG_CERT); - return; - } - client_priv_key = read_private_key(CLIENT_UT_MFG_PRIVKEY/* client_key_file */); - if (client_priv_key == NULL) { - printf("\nError while reading PEM encoded private key file %s\n", CLIENT_UT_MFG_PRIVKEY); - ERR_print_errors_fp(stderr); - return; - } - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US4784_SERVER_IP, US4784_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_get_voucher(ectx, &voucher_cacert_len, sign_voucher); - CU_ASSERT(rc == EST_ERR_CLIENT_BRSKI_SERIAL_NUM_TOO_LARGE); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - - -/* - * This test sends a voucher with a mismatching serial number - */ -static void us4784_test5 (void) -{ - EST_CTX *ectx; - unsigned char *pkey = NULL; - unsigned char *cacerts = NULL; - int cacerts_len = 0; - EST_ERROR rc = EST_ERR_NONE; - int voucher_cacert_len = 0; - int sign_voucher = 0; - - X509 *client_cert; - BIO *certin; - EVP_PKEY *client_priv_key; - - st_set_brski_serial_num_mode(1,0,1); - - /* - * Read in the CA certificates - */ - cacerts_len = read_binary_file(CLIENT_UT_CACERT, &cacerts); - - ectx = est_client_init(cacerts, cacerts_len, EST_CERT_FORMAT_PEM, - client_manual_cert_verify); - - certin = BIO_new(BIO_s_file_internal()); - if (BIO_read_filename(certin, CLIENT_UT_MFG_CERT) <= 0) { - printf("\nUnable to read client certificate file %s\n", CLIENT_UT_MFG_CERT); - return; - } - /* - * This reads the file, which is expected to be PEM encoded. If you're using - * DER encoded certs, you would invoke d2i_X509_bio() instead. 
- */ - client_cert = PEM_read_bio_X509(certin, NULL, NULL, NULL); - if (client_cert == NULL) { - printf("\nError while reading PEM encoded client certificate file %s\n", CLIENT_UT_MFG_CERT); - return; - } - client_priv_key = read_private_key(CLIENT_UT_MFG_PRIVKEY/* client_key_file */); - if (client_priv_key == NULL) { - printf("\nError while reading PEM encoded private key file %s\n", CLIENT_UT_MFG_PRIVKEY); - ERR_print_errors_fp(stderr); - return; - } - rc = est_client_set_auth(ectx, "estuser", "estpwd", client_cert, client_priv_key); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_server(ectx, US4784_SERVER_IP, US4784_SERVER_PORT, NULL); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_set_brski_mode(ectx); - CU_ASSERT(rc == EST_ERR_NONE); - - rc = est_client_brski_get_voucher(ectx, &voucher_cacert_len, sign_voucher); - CU_ASSERT(rc == EST_ERR_CLIENT_BRSKI_SERIAL_NUM_MISMATCH); - - if (ectx) { - est_destroy(ectx); - } - if (cacerts) { - free(cacerts); - } - if (pkey) { - free(pkey); - } -} - - -/* The main() function for setting up and running the tests. - * Returns a CUE_SUCCESS on successful running, another - * CUnit error code on failure. 
- */ -int us4784_add_suite (void) -{ - CU_ErrorCode CU_error; - -#ifdef HAVE_CUNIT - CU_pSuite pSuite = NULL; - - /* add a suite to the registry */ - pSuite = CU_add_suite("us4784_BRSKI_serial_number_support", - us4784_init_suite, - us4784_destroy_suite); - if (NULL == pSuite) { - CU_cleanup_registry(); - return CU_get_error(); - } - -#ifdef WIN32 - InitializeCriticalSection (&logger_critical_section); - est_init_logger(EST_LOG_LVL_INFO, &us4784_logger_stderr); -#endif - - /* add the tests to the suite */ - /* NOTE - ORDER IS IMPORTANT - MUST TEST fread() AFTER fprintf() */ - if ( - (NULL == CU_add_test(pSuite, "Voucher request - no serial number", us4784_test1)) || - (NULL == CU_add_test(pSuite, "Voucher request - valid serial number", us4784_test2)) || - (NULL == CU_add_test(pSuite, "Voucher request - serial num missing", us4784_test3)) || - (NULL == CU_add_test(pSuite, "Voucher request - serial num too long", us4784_test4)) || - (NULL == CU_add_test(pSuite, "Voucher request - serial num mismatch", us4784_test5)) - ) { - CU_error = CU_get_error(); - printf("%d\n", CU_error); - - CU_cleanup_registry(); - printf("%s\n", CU_get_error_msg()); - return CU_get_error(); - } - - return CUE_SUCCESS; -#endif -} diff --git a/test/UT/US895/us895.c b/test/UT/US895/us895.c index 13026e6..22b4a96 100644 --- a/test/UT/US895/us895.c +++ b/test/UT/US895/us895.c @@ -184,7 +184,6 @@ static int us895_destroy_suite (void) static unsigned char * handle_short_csrattrs_request (int *csr_len, char *path_seg, - X509 *peer_cert, void *app_data) { unsigned char *csr_data; @@ -198,7 +197,6 @@ static unsigned char * handle_short_csrattrs_request (int *csr_len, static unsigned char * handle_corrupt_csrattrs_request (int *csr_len, char *path_seg, - X509 *peer_cert, void *app_data) { unsigned char *csr_data; 
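Review bot: Removing `X509 *peer_cert,` from handle_short_csrattrs_request and handle_corrupt_csrattrs_request (and from the four handlers in the following hunks of this file) leaves these csrattrs callbacks with no view of which authenticated client is asking, so nothing in this test file can any longer exercise a server that selects or withholds CSR attributes per peer identity. The hunks show only the prototypes, not the handler bodies or the code that registers them, so whether every caller in the file was updated to the narrower signature cannot be confirmed from this view and is worth a grep before merge. A one-line comment above the first handler would make the intended trust model explicit, e.g. `/* csrattrs handlers no longer receive the peer certificate: the attributes returned are the same for every client */`. Each handler's body continues outside its hunk.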
@@ -212,7 +210,6 @@ static unsigned char * handle_corrupt_csrattrs_request (int *csr_len, static unsigned char * handle_long_csrattrs_request (int *csr_len, char *path_seg, - X509 *peer_cert, void *app_data) { unsigned char *csr_data; @@ -226,7 +223,6 @@ static unsigned char * handle_long_csrattrs_request (int *csr_len, static unsigned char * handle_correct_csrattrs_request (int *csr_len, char * path_seg, - X509 *peer_cert, void *app_data) { unsigned char *csr_data; @@ -240,7 +236,6 @@ static unsigned char * handle_correct_csrattrs_request (int *csr_len, static unsigned char * handle_nopop_csrattrs_request (int *csr_len, char *path_seg, - X509 *peer_cert, void *app_data) { unsigned char *csr_data; @@ -254,7 +249,6 @@ static unsigned char * handle_nopop_csrattrs_request (int *csr_len, static unsigned char * handle_empty_csrattrs_request (int *csr_len, char *path_seg, - X509 *peer_cert, void *app_data) { unsigned char *csr_data; diff --git a/test/UT/US899/cert_san_match.pem b/test/UT/US899/cert_san_match.pem index 0b295c2..8c3ce2f 100644 --- a/test/UT/US899/cert_san_match.pem +++ b/test/UT/US899/cert_san_match.pem 
@@ -1,52 +1,26 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 1352 (0x548) - Signature Algorithm: ecdsa-with-SHA256 + Serial Number: 687 (0x2af) + Signature Algorithm: ecdsa-with-SHA1 Issuer: CN=estExampleCA Validity - Not Before: Nov 13 18:41:33 2017 GMT - Not After : Nov 13 18:41:33 2037 GMT + Not Before: Sep 27 13:55:10 2013 GMT + Not After : Nov 5 13:55:10 2017 GMT Subject: CN=tester Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) + Public-Key: (1024 bit) Modulus: - 00:9f:03:c9:11:b2:a0:f4:7d:4e:83:29:07:6e:97: - db:c9:75:1e:42:dc:a9:41:ea:c5:c5:fc:c7:e7:84: - 47:28:d5:58:be:d6:50:cc:d7:d4:61:0a:26:f8:b3: - e2:85:aa:4f:01:d2:9b:4b:b8:5b:f0:49:8b:59:b3: - 81:1f:83:a8:fc:3b:ab:74:e0:9c:89:9f:ec:5b:85: - 01:51:7a:3b:13:cb:97:09:24:04:f1:4e:17:b9:e5: - f8:14:0a:f5:9b:9a:e3:87:de:7e:90:bf:f5:b3:ee: - a5:79:c4:74:e1:80:9d:32:55:dd:51:32:54:8e:0a: - a1:22:50:dd:5b:97:57:82:c2:80:2c:89:66:6a:8f: - 2c:9c:f5:1f:19:10:4b:9d:35:94:f5:b9:9b:5c:4f: - 6f:3f:3b:c5:92:66:7d:02:33:ac:ec:46:a7:1b:83: - 62:8c:b0:ad:66:2d:35:9a:f4:a3:7d:25:b8:2c:04: - a3:10:dd:46:3c:28:d4:49:d6:5c:53:8a:21:4a:07: - 95:c5:92:73:8a:85:34:4c:e4:c0:a2:4f:f0:fd:77: - 04:ea:49:4d:d8:75:c5:b5:75:9c:2b:01:d9:53:98: - af:b1:16:94:27:66:36:a4:71:cd:76:f9:e4:bf:37: - fd:2e:f8:e4:40:ba:03:9c:4f:38:48:b0:45:52:60: - a6:c7:95:91:82:a9:83:aa:e8:6a:22:2c:8c:a4:98: - 15:bd:08:67:b7:82:17:61:1e:3b:8e:2d:f9:be:0b: - 10:1f:0e:5d:6d:86:96:8a:10:5c:1f:03:1f:d6:a9: - 8f:f2:5b:83:1b:65:7e:2a:1c:8b:e8:dc:c2:3b:23: - a6:c9:44:84:3c:61:87:7a:c5:ae:26:46:ee:6f:f6: - 46:b2:ce:f2:2c:72:8a:b0:19:85:5a:58:2a:17:27: - 1f:c4:ac:03:e9:6d:dc:3c:54:de:bf:13:23:bb:88: - f5:b3:33:1e:14:68:6d:4c:e1:1a:47:40:a0:20:94: - 07:c2:39:18:3c:a8:79:64:50:5b:78:13:c1:49:7d: - 96:06:8a:37:c7:8e:19:74:15:89:a7:57:38:c3:f3: - 85:ff:1a:1b:fb:14:7b:69:9d:8f:5b:82:56:90:41: - f0:b0:ae:63:10:b4:f2:46:bc:e4:76:ca:98:f4:8d: - 99:87:07:8f:aa:64:ad:e0:e6:36:38:42:0b:c5:5c: - 
63:2f:e1:57:bc:be:cd:30:75:4a:14:8f:b7:c9:01: - 57:f4:1f:b0:05:b6:59:63:fd:62:15:02:e3:46:6e: - da:80:e4:73:9e:74:9c:0e:fb:58:e8:6e:50:da:21: - d0:7d:c5:68:55:12:69:ed:2a:af:b4:4d:e6:5f:cd: - c9:22:23 + 00:ee:44:f3:93:2c:a6:3f:9c:ba:2a:83:b0:bd:a5: + 74:a5:c8:d3:a8:a0:44:4d:eb:ab:f5:4d:72:5a:d8: + 6f:ce:74:bb:4a:d1:8a:a8:9a:e5:e2:a7:0c:95:c7: + a0:7d:c8:84:6f:63:b2:c3:09:f4:ea:0c:06:f7:99: + e2:0e:c3:f0:cf:44:30:33:08:f8:69:79:7a:63:34: + 6d:ed:a9:cf:f7:9b:ca:dd:24:25:cd:bc:0e:cc:17: + cc:1f:8c:1c:15:7b:5f:ca:7e:26:15:dc:a5:54:7e: + 9c:47:46:59:1e:80:f0:37:e4:c3:d7:96:df:48:d2: + a7:14:d8:8f:7a:78:ee:f3:5d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
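Review bot: The replacement fixture is signed with ecdsa-with-SHA1, carries a 1024-bit RSA key and expires at `Not After : Nov 5 13:55:10 2017 GMT`, replacing a 4096-bit, ecdsa-with-SHA256 certificate valid to 2037; the same swap is made in cert_san_match_ip.pem, cert_san_match_wc.pem, cert_san_mismatch.pem, cert_san_mismatch_ip.pem and cert_san_mismatch_wc.pem. If the US899 SAN-matching tests verify the certificate with time checking (not visible here), each of these fixtures now fails on expiry before the SAN comparison is reached, so the san_mismatch cases can pass for the wrong reason and the san_match cases fail. Independently of expiry, SHA1-signed certificates are rejected at OpenSSL 3's default security level and 1024-bit RSA at the level 2 several distributions ship, so these fixtures tie the suite to a lax library build; regenerating them from the same CA with a SHA-256 signature, a 2048-bit or larger key and a long validity, keeping the Subject and SAN values under test unchanged, would keep the tests about SAN matching.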
@@ -55,27 +29,19 @@ Certificate: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Alternative Name: DNS:localhost.cisco.com - Signature Algorithm: ecdsa-with-SHA256 - 30:45:02:21:00:aa:32:4d:44:8f:4c:b7:d5:25:76:09:7c:88: - 12:cc:1c:38:03:12:44:29:41:fa:a5:c3:5f:07:67:60:e7:29: - 0b:02:20:1a:28:6e:b2:7b:8f:73:69:b7:bc:0b:dd:69:22:0e: - e7:17:5a:9d:99:5e:14:fc:49:30:66:1a:a0:87:38:8c:85 + Signature Algorithm: ecdsa-with-SHA1 + 30:46:02:21:00:97:1b:17:9e:9e:df:8f:fb:d2:18:5f:89:d8: + 30:31:87:9c:f8:56:9b:6d:e1:b6:87:bf:c7:d6:c3:a9:ab:f3: + 6c:02:21:00:fb:40:3e:6a:9a:72:d8:ac:95:b5:62:39:22:69: + 34:61:ad:55:0f:e8:5f:51:08:48:24:53:b7:5c:72:cc:5d:ae -----BEGIN CERTIFICATE----- -MIIDHTCCAsOgAwIBAgICBUgwCgYIKoZIzj0EAwIwFzEVMBMGA1UEAxMMZXN0RXhh -bXBsZUNBMB4XDTE3MTExMzE4NDEzM1oXDTM3MTExMzE4NDEzM1owETEPMA0GA1UE -AwwGdGVzdGVyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAnwPJEbKg -9H1OgykHbpfbyXUeQtypQerFxfzH54RHKNVYvtZQzNfUYQom+LPihapPAdKbS7hb -8EmLWbOBH4Oo/DurdOCciZ/sW4UBUXo7E8uXCSQE8U4XueX4FAr1m5rjh95+kL/1 -s+6lecR04YCdMlXdUTJUjgqhIlDdW5dXgsKALIlmao8snPUfGRBLnTWU9bmbXE9v -PzvFkmZ9AjOs7EanG4NijLCtZi01mvSjfSW4LASjEN1GPCjUSdZcU4ohSgeVxZJz -ioU0TOTAok/w/XcE6klN2HXFtXWcKwHZU5ivsRaUJ2Y2pHHNdvnkvzf9LvjkQLoD -nE84SLBFUmCmx5WRgqmDquhqIiyMpJgVvQhnt4IXYR47ji35vgsQHw5dbYaWihBc -HwMf1qmP8luDG2V+KhyL6NzCOyOmyUSEPGGHesWuJkbub/ZGss7yLHKKsBmFWlgq -FycfxKwD6W3cPFTevxMju4j1szMeFGhtTOEaR0CgIJQHwjkYPKh5ZFBbeBPBSX2W -Boo3x44ZdBWJp1c4w/OF/xob+xR7aZ2PW4JWkEHwsK5jELTyRrzkdsqY9I2ZhweP -qmSt4OY2OEILxVxjL+FXvL7NMHVKFI+3yQFX9B+wBbZZY/1iFQLjRm7agORznnSc -DvtY6G5Q2iHQfcVoVRJp7SqvtE3mX83JIiMCAwEAAaM6MDgwCQYDVR0TBAIwADAL -BgNVHQ8EBAMCBeAwHgYDVR0RBBcwFYITbG9jYWxob3N0LmNpc2NvLmNvbTAKBggq -hkjOPQQDAgNIADBFAiEAqjJNRI9Mt9Uldgl8iBLMHDgDEkQpQfqlw18HZ2DnKQsC -IBoobrJ7j3Npt7wL3WkiDucXWp2ZXhT8STBmGqCHOIyF +MIIBmDCCAT6gAwIBAgICAq8wCQYHKoZIzj0EATAXMRUwEwYDVQQDEwxlc3RFeGFt +cGxlQ0EwHhcNMTMwOTI3MTM1NTEwWhcNMTcxMTA1MTM1NTEwWjARMQ8wDQYDVQQD 
+DAZ0ZXN0ZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAO5E85Mspj+cuiqD +sL2ldKXI06igRE3rq/VNclrYb850u0rRiqia5eKnDJXHoH3IhG9jssMJ9OoMBveZ +4g7D8M9EMDMI+Gl5emM0be2pz/ebyt0kJc28DswXzB+MHBV7X8p+JhXcpVR+nEdG +WR6A8Dfkw9eW30jSpxTYj3p47vNdAgMBAAGjOjA4MAkGA1UdEwQCMAAwCwYDVR0P +BAQDAgXgMB4GA1UdEQQXMBWCE2xvY2FsaG9zdC5jaXNjby5jb20wCQYHKoZIzj0E +AQNJADBGAiEAlxsXnp7fj/vSGF+J2DAxh5z4Vptt4baHv8fWw6mr82wCIQD7QD5q +mnLYrJW1YjkiaTRhrVUP6F9RCEgkU7dccsxdrg== -----END CERTIFICATE----- diff --git a/test/UT/US899/cert_san_match_ip.pem b/test/UT/US899/cert_san_match_ip.pem index c7478ff..dd676b7 100644 --- a/test/UT/US899/cert_san_match_ip.pem +++ b/test/UT/US899/cert_san_match_ip.pem 
@@ -1,52 +1,26 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 1357 (0x54d) - Signature Algorithm: ecdsa-with-SHA256 + Serial Number: 717 (0x2cd) + Signature Algorithm: ecdsa-with-SHA1 Issuer: CN=estExampleCA Validity - Not Before: Nov 13 19:43:36 2017 GMT - Not After : Nov 13 19:43:36 2037 GMT - Subject: CN=localhost.cisco.com + Not Before: Sep 27 15:00:41 2013 GMT + Not After : Nov 5 15:00:41 2017 GMT + Subject: CN=tester13 Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) + Public-Key: (1024 bit) Modulus: - 00:b3:f5:88:58:87:76:3a:6c:62:af:05:22:d5:9c: - e1:ce:1a:a5:35:d5:28:9d:ec:24:50:c4:58:bb:d3: - bd:52:30:15:37:c0:7f:03:58:10:e0:8f:75:fe:09: - 61:0c:69:50:73:67:b5:4c:e4:0a:36:1f:a8:99:c9: - 8c:16:5c:27:98:04:bf:a2:d1:11:9e:cb:e4:79:cb: - 47:72:b7:27:f0:31:c1:9b:49:3a:82:c3:39:65:a5: - db:18:d8:c5:8c:75:60:af:df:eb:e4:b4:a4:bc:8d: - f3:84:62:b5:8a:3c:6b:6b:68:50:36:fa:62:0c:ca: - 0c:27:1e:99:1e:4d:6e:23:42:a2:0b:9d:00:e1:15: - b5:46:8a:f9:0f:dc:55:a2:b3:c2:dc:29:0e:85:93: - 3b:74:d6:75:4e:a1:05:89:08:87:ab:da:87:0c:7d: - 05:9b:31:9c:b9:a0:8e:64:2d:a7:8a:6c:be:2a:1f: - e1:6b:1b:0d:d8:74:db:39:6d:8a:b0:91:52:a1:35: - f4:4a:8f:68:d2:27:6f:70:4d:21:08:11:4e:be:0a: - 0e:1c:1e:e9:b2:f9:46:1a:c2:d0:c4:8a:15:21:ac: - ae:be:f7:a0:d2:88:3b:d3:b4:8d:ad:1b:26:55:48: - 07:3a:c2:6f:d8:43:ad:16:75:d1:d9:97:66:b0:d4: - 39:d2:94:ce:3c:00:f8:4b:d7:90:46:92:75:05:75: - a6:81:40:33:4f:92:4c:70:35:06:ed:77:96:57:bb: - c0:a8:f5:bf:98:89:40:b9:ca:7e:c0:80:10:e4:00: - 2d:d5:b2:64:77:3e:86:e2:dc:37:67:63:4b:e6:87: - 8d:f0:4a:23:d2:99:27:2f:94:0f:03:6c:56:af:5f: - e5:0c:8e:64:58:c2:56:07:30:20:71:49:4d:90:69: - 03:9e:c0:a8:39:3e:6b:3b:86:55:59:f9:cb:f0:d2: - d2:58:70:5a:51:2c:c0:ef:0f:81:4f:d0:61:f1:e6: - ff:86:a8:ad:31:0e:e8:f5:e4:ed:77:57:04:2c:b8: - 41:e2:07:89:f4:fb:22:10:e3:03:14:e8:46:f8:ae: - b4:26:e1:3f:13:06:ea:b0:e5:c9:a6:d5:f1:e2:e5: - 9a:f4:b1:d7:ac:35:fa:10:bc:3c:8f:78:85:50:ab: - e0:03:6c:fb:16:e2:38:28:66:12:4c:fd:8c:e9:c8: - 
91:d4:8c:f7:43:c9:02:20:90:44:5c:47:cd:b1:af: - ef:00:ea:71:e5:7e:31:4c:da:7d:a6:39:41:24:2c: - 9b:b6:2e:8b:f5:2a:47:2c:3a:3b:a3:cc:de:00:7c: - c3:6d:dd:9d:f7:0e:5f:c9:6c:ca:0c:88:7e:29:79: - 8a:5c:c3 + 00:c2:04:ef:f9:51:a9:a6:72:ad:23:e7:af:7d:51: + 8b:dc:7e:d0:71:33:5d:93:65:52:6e:79:df:30:58: + cf:08:4e:47:8d:4a:1f:6a:ea:48:67:68:27:10:0d: + a8:c2:80:e8:0d:10:12:34:32:e9:d8:77:e5:15:ec: + 9c:95:ba:f4:16:57:e5:aa:6f:18:9e:ee:4e:6c:ef: + 4c:f3:bf:91:f0:4b:b0:8d:c0:ff:8f:6e:f1:f3:b9: + 31:8e:73:d9:5c:c5:5f:fd:30:ae:36:ba:80:aa:75: + ae:4d:50:3b:ba:b3:9a:a6:d2:3a:45:20:c3:7e:86: + 79:af:74:d7:c2:d4:c1:d4:fb Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
@@ -54,28 +28,20 @@ Certificate: X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Alternative Name: - IP Address:127.0.0.1 - Signature Algorithm: ecdsa-with-SHA256 - 30:45:02:20:2d:b5:21:c5:c0:a0:10:8b:fc:dc:ef:4d:42:e7: - 21:e1:6a:27:d8:2b:df:cb:cb:b3:49:41:61:6a:f7:34:9d:7e: - 02:21:00:fa:a9:b3:e9:da:5d:6a:30:fd:ff:61:10:62:c3:2e: - a3:a2:8e:d5:94:94:0d:50:f9:7e:e3:f2:57:b5:6e:3e:bf + IP Address:192.168.51.140, IP Address:127.0.0.1 + Signature Algorithm: ecdsa-with-SHA1 + 30:44:02:20:6e:64:22:3a:61:01:a6:bb:5a:3d:52:12:4e:b0: + 14:50:34:6d:0d:44:ba:28:24:88:50:a8:3a:45:01:76:1e:3a: + 02:20:5e:8f:cf:9b:74:e8:a3:29:7c:bb:15:2b:34:14:7a:ad: + 1e:98:07:2a:cf:75:88:88:45:51:d7:2c:98:a0:4c:01 -----BEGIN CERTIFICATE----- -MIIDGzCCAsGgAwIBAgICBU0wCgYIKoZIzj0EAwIwFzEVMBMGA1UEAxMMZXN0RXhh -bXBsZUNBMB4XDTE3MTExMzE5NDMzNloXDTM3MTExMzE5NDMzNlowHjEcMBoGA1UE -AwwTbG9jYWxob3N0LmNpc2NvLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC -AgoCggIBALP1iFiHdjpsYq8FItWc4c4apTXVKJ3sJFDEWLvTvVIwFTfAfwNYEOCP -df4JYQxpUHNntUzkCjYfqJnJjBZcJ5gEv6LREZ7L5HnLR3K3J/AxwZtJOoLDOWWl -2xjYxYx1YK/f6+S0pLyN84RitYo8a2toUDb6YgzKDCcemR5NbiNCogudAOEVtUaK -+Q/cVaKzwtwpDoWTO3TWdU6hBYkIh6vahwx9BZsxnLmgjmQtp4psviof4WsbDdh0 -2zltirCRUqE19EqPaNInb3BNIQgRTr4KDhwe6bL5RhrC0MSKFSGsrr73oNKIO9O0 -ja0bJlVIBzrCb9hDrRZ10dmXZrDUOdKUzjwA+EvXkEaSdQV1poFAM0+STHA1Bu13 -lle7wKj1v5iJQLnKfsCAEOQALdWyZHc+huLcN2djS+aHjfBKI9KZJy+UDwNsVq9f -5QyOZFjCVgcwIHFJTZBpA57AqDk+azuGVVn5y/DS0lhwWlEswO8PgU/QYfHm/4ao -rTEO6PXk7XdXBCy4QeIHifT7IhDjAxToRviutCbhPxMG6rDlyabV8eLlmvSx16w1 -+hC8PI94hVCr4ANs+xbiOChmEkz9jOnIkdSM90PJAiCQRFxHzbGv7wDqceV+MUza -faY5QSQsm7Yui/UqRyw6O6PM3gB8w23dnfcOX8lsygyIfil5ilzDAgMBAAGjKzAp -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA8GA1UdEQQIMAaHBH8AAAEwCgYIKoZI -zj0EAwIDSAAwRQIgLbUhxcCgEIv83O9NQuch4Won2Cvfy8uzSUFhavc0nX4CIQD6 -qbPp2l1qMP3/YRBiwy6joo7VlJQNUPl+4/JXtW4+vw== +MIIBjzCCATegAwIBAgICAs0wCQYHKoZIzj0EATAXMRUwEwYDVQQDEwxlc3RFeGFt +cGxlQ0EwHhcNMTMwOTI3MTUwMDQxWhcNMTcxMTA1MTUwMDQxWjATMREwDwYDVQQD 
+DAh0ZXN0ZXIxMzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwgTv+VGppnKt +I+evfVGL3H7QcTNdk2VSbnnfMFjPCE5HjUofaupIZ2gnEA2owoDoDRASNDLp2Hfl +Feyclbr0Flflqm8Ynu5ObO9M87+R8EuwjcD/j27x87kxjnPZXMVf/TCuNrqAqnWu +TVA7urOaptI6RSDDfoZ5r3TXwtTB1PsCAwEAAaMxMC8wCQYDVR0TBAIwADALBgNV +HQ8EBAMCBeAwFQYDVR0RBA4wDIcEwKgzjIcEfwAAATAJBgcqhkjOPQQBA0cAMEQC +IG5kIjphAaa7Wj1SEk6wFFA0bQ1EuigkiFCoOkUBdh46AiBej8+bdOijKXy7FSs0 +FHqtHpgHKs91iIhFUdcsmKBMAQ== -----END CERTIFICATE----- diff --git a/test/UT/US899/cert_san_match_wc.pem b/test/UT/US899/cert_san_match_wc.pem index 89738d6..1a267de 100644 --- a/test/UT/US899/cert_san_match_wc.pem +++ b/test/UT/US899/cert_san_match_wc.pem 
@@ -1,52 +1,26 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 1360 (0x550) - Signature Algorithm: ecdsa-with-SHA256 + Serial Number: 719 (0x2cf) + Signature Algorithm: ecdsa-with-SHA1 Issuer: CN=estExampleCA Validity - Not Before: Nov 13 19:52:45 2017 GMT - Not After : Nov 13 19:52:45 2037 GMT - Subject: CN=localhost.cisco.com + Not Before: Sep 27 15:10:16 2013 GMT + Not After : Nov 5 15:10:16 2017 GMT + Subject: CN=tester14 Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) + Public-Key: (1024 bit) Modulus: - 00:92:6d:bf:2a:c6:c7:9c:a0:a1:a9:45:49:93:74: - 56:0e:25:ea:d6:b5:72:54:c2:ea:9c:7c:5f:b5:da: - 2d:6d:cd:a0:15:a1:d3:e8:9a:31:3b:5e:16:b5:e2: - 2c:e1:21:24:03:e8:d5:96:9f:93:88:90:e6:24:21: - 7f:89:01:15:23:46:01:e2:4b:8b:71:34:f8:ae:74: - c1:b4:14:56:3f:d8:2e:70:a1:71:fa:1e:40:45:9c: - 9d:c2:f5:93:91:21:c8:fe:c4:de:08:5e:ba:53:d3: - bd:f7:e8:be:ed:78:55:aa:dd:f0:55:52:10:a9:8a: - 8c:ae:d3:0c:d4:bd:05:e3:f1:2e:b8:43:d2:90:6d: - 83:ae:ac:85:2f:00:29:4e:28:fb:3f:e6:c5:db:20: - 93:c4:2c:93:44:4f:25:21:8e:8d:29:33:a4:95:64: - 98:7a:ed:4d:14:a9:f1:29:0b:fe:58:14:83:6d:0b: - 89:eb:e5:5b:33:1b:10:84:ec:f8:f2:45:64:24:6c: - ef:5b:3d:ad:47:ef:6b:37:fb:ca:5f:3b:1d:ac:af: - 47:2d:49:ba:b8:fc:1d:42:32:9d:58:71:c9:49:59: - d3:57:60:ad:d3:ad:1a:63:03:af:f2:b4:a7:4c:a4: - 51:37:35:e4:08:d4:82:ac:ed:ae:26:8d:a5:fb:c1: - 6f:87:42:41:2b:d3:0b:c9:0c:1b:cf:ff:d4:0b:d6: - 3f:8c:04:78:d1:6b:83:19:34:54:00:88:16:b9:b4: - 56:2f:4a:fa:3e:cd:14:b8:e5:65:7b:db:73:df:ab: - b9:73:f0:00:51:ed:7c:8b:be:9f:2b:0e:1b:74:85: - ad:2d:a0:d9:eb:7c:13:0a:9e:cc:b9:35:a3:6c:ed: - f3:57:f8:4f:9c:67:6b:c5:53:66:48:7d:dc:b7:64: - da:c8:af:37:2b:46:bf:62:f4:19:65:9b:44:a2:ee: - db:ea:24:28:b7:e8:6d:55:c2:e9:89:c6:52:29:17: - 09:76:a2:8d:3b:cd:ef:6e:ab:28:d5:1b:de:83:10: - cf:d0:8c:79:85:35:43:60:9a:d5:9f:2a:d5:40:26: - 49:76:d8:ce:28:08:5a:11:31:21:77:4c:52:a9:49: - 38:b2:25:c9:1f:6b:3f:ed:67:09:9c:cd:e0:38:fb: - cc:93:c3:5d:ff:80:c8:7a:a2:af:b2:e0:87:0b:ca: - 
1a:a4:66:4e:e0:c7:c0:b9:7f:20:98:b6:ed:33:25: - 31:f8:e7:6b:4c:1a:b3:11:ff:79:74:97:96:61:e1: - 2f:14:fa:73:43:07:3d:8b:d1:1b:ae:77:46:d6:cd: - 06:e4:d4:40:85:e9:46:12:ac:d0:a4:f4:7f:bb:33: - b0:57:f1 + 00:ae:3a:26:93:ee:cb:de:f6:5b:b5:fb:a3:2e:b6: + 2b:cc:eb:49:1a:76:38:60:30:eb:7f:9a:99:f5:d2: + 7f:fd:c8:da:bd:f3:38:4b:7d:27:fb:15:81:23:59: + 22:92:1f:ad:77:f7:5f:50:e7:69:e2:64:2a:68:33: + 63:62:02:10:fa:2c:e1:06:ae:cc:04:79:e5:8c:1f: + ea:9a:26:9e:03:b0:4f:b4:f8:1c:2b:21:6b:b0:6d: + 68:24:ae:0c:2e:a7:36:7b:27:d4:f1:13:ef:75:5e: + e2:11:49:fc:d4:f8:4d:2d:63:3e:c8:08:44:a3:c8: + 79:42:4e:85:a5:5e:ab:91:53 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
@@ -55,27 +29,19 @@ Certificate: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Alternative Name: DNS:*.cisco.com - Signature Algorithm: ecdsa-with-SHA256 - 30:44:02:20:4b:a8:4c:c6:d2:59:35:40:72:22:01:37:65:2c: - d1:a2:bd:7b:f8:48:cf:0a:3e:bc:ad:65:7a:14:61:70:a3:5c: - 02:20:56:91:75:d1:8e:a4:f6:19:d6:64:a5:16:d7:79:1f:a2: - 5a:27:ae:ae:75:bb:c6:19:ad:3b:f2:08:f9:4b:87:4a + Signature Algorithm: ecdsa-with-SHA1 + 30:44:02:20:47:98:0f:e8:c3:0f:b1:8e:80:bc:ec:66:30:da: + 68:0d:2e:c3:de:aa:20:66:e8:8a:dd:d0:12:97:dd:67:af:0d: + 02:20:6f:8a:1a:37:f4:19:ce:5d:8c:5e:af:b2:e7:7d:72:5b: + 7e:dc:a9:7e:49:ec:bf:c4:d5:5b:38:5b:9e:b2:1e:27 -----BEGIN CERTIFICATE----- -MIIDITCCAsigAwIBAgICBVAwCgYIKoZIzj0EAwIwFzEVMBMGA1UEAxMMZXN0RXhh -bXBsZUNBMB4XDTE3MTExMzE5NTI0NVoXDTM3MTExMzE5NTI0NVowHjEcMBoGA1UE -AwwTbG9jYWxob3N0LmNpc2NvLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC -AgoCggIBAJJtvyrGx5ygoalFSZN0Vg4l6ta1clTC6px8X7XaLW3NoBWh0+iaMTte -FrXiLOEhJAPo1Zafk4iQ5iQhf4kBFSNGAeJLi3E0+K50wbQUVj/YLnChcfoeQEWc -ncL1k5EhyP7E3gheulPTvffovu14Vard8FVSEKmKjK7TDNS9BePxLrhD0pBtg66s -hS8AKU4o+z/mxdsgk8Qsk0RPJSGOjSkzpJVkmHrtTRSp8SkL/lgUg20LievlWzMb -EITs+PJFZCRs71s9rUfvazf7yl87HayvRy1Jurj8HUIynVhxyUlZ01dgrdOtGmMD -r/K0p0ykUTc15AjUgqztriaNpfvBb4dCQSvTC8kMG8//1AvWP4wEeNFrgxk0VACI -Frm0Vi9K+j7NFLjlZXvbc9+ruXPwAFHtfIu+nysOG3SFrS2g2et8EwqezLk1o2zt -81f4T5xna8VTZkh93Ldk2sivNytGv2L0GWWbRKLu2+okKLfobVXC6YnGUikXCXai -jTvN726rKNUb3oMQz9CMeYU1Q2Ca1Z8q1UAmSXbYzigIWhExIXdMUqlJOLIlyR9r -P+1nCZzN4Dj7zJPDXf+AyHqir7LghwvKGqRmTuDHwLl/IJi27TMlMfjna0wasxH/ -eXSXlmHhLxT6c0MHPYvRG653RtbNBuTUQIXpRhKs0KT0f7szsFfxAgMBAAGjMjAw -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMBYGA1UdEQQPMA2CCyouY2lzY28uY29t -MAoGCCqGSM49BAMCA0cAMEQCIEuoTMbSWTVAciIBN2Us0aK9e/hIzwo+vK1lehRh -cKNcAiBWkXXRjqT2GdZkpRbXeR+iWieurnW7xhmtO/II+UuHSg== +MIIBkDCCATigAwIBAgICAs8wCQYHKoZIzj0EATAXMRUwEwYDVQQDEwxlc3RFeGFt +cGxlQ0EwHhcNMTMwOTI3MTUxMDE2WhcNMTcxMTA1MTUxMDE2WjATMREwDwYDVQQD +DAh0ZXN0ZXIxNDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArjomk+7L3vZb 
+tfujLrYrzOtJGnY4YDDrf5qZ9dJ//cjavfM4S30n+xWBI1kikh+td/dfUOdp4mQq +aDNjYgIQ+izhBq7MBHnljB/qmiaeA7BPtPgcKyFrsG1oJK4MLqc2eyfU8RPvdV7i +EUn81PhNLWM+yAhEo8h5Qk6FpV6rkVMCAwEAAaMyMDAwCQYDVR0TBAIwADALBgNV +HQ8EBAMCBeAwFgYDVR0RBA8wDYILKi5jaXNjby5jb20wCQYHKoZIzj0EAQNHADBE +AiBHmA/oww+xjoC87GYw2mgNLsPeqiBm6Ird0BKX3WevDQIgb4oaN/QZzl2MXq+y +531yW37cqX5J7L/E1Vs4W56yHic= -----END CERTIFICATE----- diff --git a/test/UT/US899/cert_san_mismatch.pem b/test/UT/US899/cert_san_mismatch.pem index 195fbeb..2c9f5d2 100644 --- a/test/UT/US899/cert_san_mismatch.pem +++ b/test/UT/US899/cert_san_mismatch.pem 
@@ -1,52 +1,26 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 1354 (0x54a) - Signature Algorithm: ecdsa-with-SHA256 + Serial Number: 715 (0x2cb) + Signature Algorithm: ecdsa-with-SHA1 Issuer: CN=estExampleCA Validity - Not Before: Nov 13 19:24:09 2017 GMT - Not After : Nov 13 19:24:09 2037 GMT - Subject: CN=localhost.cisco.com + Not Before: Sep 27 14:35:46 2013 GMT + Not After : Nov 5 14:35:46 2017 GMT + Subject: CN=tester11 Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) + Public-Key: (1024 bit) Modulus: - 00:a4:0e:9f:67:6c:73:e9:3d:fe:99:cc:bc:a5:2a: - c4:48:14:5b:57:63:a4:69:20:38:a3:6a:de:e9:72: - 66:17:a0:80:77:5a:de:16:a9:b3:0b:c4:b2:03:37: - 1a:69:3f:64:92:82:de:8a:33:7a:e8:dc:13:0e:fe: - 9c:fc:bc:43:1d:6f:42:39:10:f2:30:4d:0e:a3:23: - 11:fc:41:e4:42:ed:f9:5a:9d:c7:a2:06:02:29:78: - 76:fc:8a:4a:1a:2d:8f:42:4e:a6:2c:04:5d:db:1e: - b3:fb:64:f1:4d:7e:07:4c:37:95:c7:2b:eb:98:8e: - b7:b7:1b:8f:7a:ed:6c:8c:3d:65:d5:9c:59:68:c8: - 3c:ad:35:5a:22:6b:91:2b:96:7b:04:02:f5:02:cd: - 1e:78:a3:63:ca:47:d3:b6:2f:7d:b5:78:31:3d:c1: - 6d:b4:e1:f4:ed:e7:a4:34:99:20:7f:61:e8:92:77: - e0:f5:5a:7d:cf:e1:87:d7:52:d2:f9:e1:bd:ca:73: - fa:17:c5:2a:53:84:5d:6f:71:c1:35:8d:80:b6:1f: - 52:7e:2f:61:49:8f:89:a8:94:a2:2e:59:07:12:99: - 91:ab:e0:7a:53:a7:0b:fd:15:d3:c4:68:6d:d8:dd: - 01:4d:73:28:5f:f9:66:e9:b0:bc:6f:f4:9a:d5:89: - 18:94:e2:1b:10:01:0d:38:56:6d:d0:52:e9:77:6f: - ca:1c:5e:4f:2d:89:1f:5e:6a:0d:14:fe:d8:e9:3b: - c1:5c:2a:fe:27:9a:02:b5:46:f1:6e:a4:15:3b:d4: - 3e:6f:97:91:b9:c3:da:3f:69:d6:d7:4d:17:d5:a3: - cb:46:95:74:dc:63:ec:28:1c:87:40:0f:93:24:98: - da:51:33:73:ad:6b:97:66:06:b9:02:83:db:45:c8: - de:a7:e4:d2:d6:94:43:fd:07:3e:d1:93:f7:2a:30: - 59:ed:68:80:b4:2f:ab:46:70:c1:a4:f2:36:6b:5f: - 09:23:88:7a:4f:86:c3:5e:00:99:61:62:d9:11:ab: - 6d:7b:82:19:a6:91:0d:2c:05:e6:31:08:1b:05:32: - 53:81:31:39:00:df:93:7b:d4:46:ec:01:e6:47:e4: - 7b:81:51:d9:f1:09:4f:72:e4:dd:10:7d:d7:a9:28: - 46:91:4d:e2:f8:34:20:62:5c:97:97:44:d9:dd:7f: - 
d5:f3:2b:eb:4b:7a:f4:b9:bc:2f:34:02:82:07:de: - 63:b8:3a:3f:24:94:71:cd:69:d3:43:ee:fc:73:e3: - 55:07:fc:4d:fd:d3:ea:5f:22:b2:61:99:bd:2f:b8: - 7a:e5:aa:ba:20:2e:31:26:3d:2b:fe:9f:e3:3e:f5: - 1b:27:73 + 00:bd:98:4d:6e:91:3f:05:65:cf:ee:aa:24:16:b3: + 44:ba:d8:89:b1:c9:bd:10:0a:70:92:99:de:ea:63: + 04:ec:d5:e3:d5:3d:41:20:f7:ab:00:cc:21:a3:b9: + bf:88:83:3d:14:f4:a9:84:95:23:6c:98:d5:d3:90: + 1f:cb:c0:6c:90:71:57:fd:39:e6:e4:99:29:83:d6: + 28:58:d3:ca:3f:70:06:a4:f0:25:82:b1:73:4e:03: + a6:d9:51:cd:6b:70:c6:a9:4c:75:36:4e:eb:37:46: + 7c:1c:2e:cf:9b:be:e5:a2:0e:1b:21:74:e8:72:a2: + ad:ed:b1:3c:a0:4a:d4:c3:17 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
@@ -55,27 +29,19 @@ Certificate: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Alternative Name: DNS:roundhouse.cisco.com - Signature Algorithm: ecdsa-with-SHA256 - 30:44:02:20:22:b5:dd:85:20:7b:68:6d:eb:fd:92:72:16:da: - 5a:ce:31:a9:01:a1:ac:8e:d7:c3:df:9a:74:32:35:ee:d7:7c: - 02:20:47:d3:05:d8:07:0d:39:1d:23:15:d2:81:da:fa:ab:f7: - 48:e9:4c:e2:49:34:1d:c4:2e:2b:38:63:be:05:03:b8 + Signature Algorithm: ecdsa-with-SHA1 + 30:44:02:20:28:51:20:46:6e:43:bc:37:f4:83:17:30:bd:04: + e1:6f:3c:e8:91:63:6e:d9:d2:24:79:c5:2d:3c:0c:c0:92:ed: + 02:20:5e:e3:2c:6c:16:66:d1:dd:1d:f5:14:a1:bb:e7:54:55: + fa:e9:fd:76:a5:6a:f0:56:2d:13:27:c0:c6:4e:3b:0f -----BEGIN CERTIFICATE----- -MIIDKjCCAtGgAwIBAgICBUowCgYIKoZIzj0EAwIwFzEVMBMGA1UEAxMMZXN0RXhh -bXBsZUNBMB4XDTE3MTExMzE5MjQwOVoXDTM3MTExMzE5MjQwOVowHjEcMBoGA1UE -AwwTbG9jYWxob3N0LmNpc2NvLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC -AgoCggIBAKQOn2dsc+k9/pnMvKUqxEgUW1djpGkgOKNq3ulyZheggHda3hapswvE -sgM3Gmk/ZJKC3oozeujcEw7+nPy8Qx1vQjkQ8jBNDqMjEfxB5ELt+Vqdx6IGAil4 -dvyKShotj0JOpiwEXdses/tk8U1+B0w3lccr65iOt7cbj3rtbIw9ZdWcWWjIPK01 -WiJrkSuWewQC9QLNHnijY8pH07YvfbV4MT3BbbTh9O3npDSZIH9h6JJ34PVafc/h -h9dS0vnhvcpz+hfFKlOEXW9xwTWNgLYfUn4vYUmPiaiUoi5ZBxKZkavgelOnC/0V -08RobdjdAU1zKF/5ZumwvG/0mtWJGJTiGxABDThWbdBS6XdvyhxeTy2JH15qDRT+ -2Ok7wVwq/ieaArVG8W6kFTvUPm+XkbnD2j9p1tdNF9Wjy0aVdNxj7Cgch0APkySY -2lEzc61rl2YGuQKD20XI3qfk0taUQ/0HPtGT9yowWe1ogLQvq0ZwwaTyNmtfCSOI -ek+Gw14AmWFi2RGrbXuCGaaRDSwF5jEIGwUyU4ExOQDfk3vURuwB5kfke4FR2fEJ -T3Lk3RB916koRpFN4vg0IGJcl5dE2d1/1fMr60t69Lm8LzQCggfeY7g6PySUcc1p -00Pu/HPjVQf8Tf3T6l8ismGZvS+4euWquiAuMSY9K/6f4z71GydzAgMBAAGjOzA5 -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB8GA1UdEQQYMBaCFHJvdW5kaG91c2Uu -Y2lzY28uY29tMAoGCCqGSM49BAMCA0cAMEQCICK13YUge2ht6/2SchbaWs4xqQGh -rI7Xw9+adDI17td8AiBH0wXYBw05HSMV0oHa+qv3SOlM4kk0HcQuKzhjvgUDuA== +MIIBmTCCAUGgAwIBAgICAsswCQYHKoZIzj0EATAXMRUwEwYDVQQDEwxlc3RFeGFt +cGxlQ0EwHhcNMTMwOTI3MTQzNTQ2WhcNMTcxMTA1MTQzNTQ2WjATMREwDwYDVQQD 
+DAh0ZXN0ZXIxMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvZhNbpE/BWXP +7qokFrNEutiJscm9EApwkpne6mME7NXj1T1BIPerAMwho7m/iIM9FPSphJUjbJjV +05Afy8BskHFX/Tnm5Jkpg9YoWNPKP3AGpPAlgrFzTgOm2VHNa3DGqUx1Nk7rN0Z8 +HC7Pm77log4bIXTocqKt7bE8oErUwxcCAwEAAaM7MDkwCQYDVR0TBAIwADALBgNV +HQ8EBAMCBeAwHwYDVR0RBBgwFoIUcm91bmRob3VzZS5jaXNjby5jb20wCQYHKoZI +zj0EAQNHADBEAiAoUSBGbkO8N/SDFzC9BOFvPOiRY27Z0iR5xS08DMCS7QIgXuMs +bBZm0d0d9RShu+dUVfrp/XalavBWLRMnwMZOOw8= -----END CERTIFICATE----- diff --git a/test/UT/US899/cert_san_mismatch_ip.pem b/test/UT/US899/cert_san_mismatch_ip.pem index a758b7d..a804944 100644 --- a/test/UT/US899/cert_san_mismatch_ip.pem +++ b/test/UT/US899/cert_san_mismatch_ip.pem 
@@ -1,52 +1,26 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 1355 (0x54b) - Signature Algorithm: ecdsa-with-SHA256 + Serial Number: 716 (0x2cc) + Signature Algorithm: ecdsa-with-SHA1 Issuer: CN=estExampleCA Validity - Not Before: Nov 13 19:36:00 2017 GMT - Not After : Nov 13 19:36:00 2037 GMT - Subject: CN=localhost.cisco.com + Not Before: Sep 27 14:56:29 2013 GMT + Not After : Nov 5 14:56:29 2017 GMT + Subject: CN=tester12 Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) + Public-Key: (1024 bit) Modulus: - 00:a9:37:ec:5d:09:90:d3:d5:a1:2a:bc:d2:28:77: - fd:d6:4d:07:a8:a1:f6:c0:65:3f:de:4a:8c:36:16: - 61:9e:93:9f:e8:41:92:d7:80:94:1d:57:4e:84:b1: - d6:82:0b:c9:4e:f9:25:b2:f0:d6:43:e9:fd:95:25: - 93:77:31:ef:c6:ed:df:4f:92:bd:c7:86:95:bc:6e: - 8f:55:e4:4c:1a:ac:99:2d:a3:b0:d1:f6:f6:08:f9: - 56:f6:fa:26:e3:54:89:80:4e:95:3a:fb:48:c4:90: - 05:50:6d:6d:5b:d7:e6:f1:1b:6e:ce:ee:bf:60:b0: - 64:1a:d5:59:62:7c:d8:13:fc:e0:bb:aa:27:ba:cc: - 0c:ee:0d:2d:a1:e8:22:9b:82:aa:db:9a:7c:ec:32: - 4a:68:10:e9:84:12:64:8b:77:85:d3:c0:aa:84:90: - 70:ea:cf:4c:26:20:a1:d1:e9:b4:ae:78:aa:fa:2e: - 1a:3c:68:a6:9b:0b:80:ff:3f:11:1f:46:4a:41:0a: - 75:76:d2:b7:79:ee:56:6f:b6:0a:84:fb:a6:26:51: - b1:44:78:49:60:23:48:6f:51:a0:57:29:ab:b5:20: - 95:19:75:22:75:b4:a9:6c:b3:42:b4:9a:9a:76:fa: - 48:72:65:b4:15:ab:f5:83:ca:73:cc:79:55:4b:73: - 29:f2:b0:c5:00:e6:ac:6b:f5:15:47:a5:36:c5:a3: - b6:cc:0b:80:2a:2c:98:d5:ac:b7:b3:99:e6:21:fb: - 41:e4:af:4a:d6:ab:22:36:12:55:26:19:e2:ff:1d: - ec:0d:71:e9:b5:8a:05:29:89:4e:a5:0d:57:6e:09: - 53:8d:86:0e:17:1b:64:23:09:61:09:bd:f3:93:6f: - 66:b2:11:a7:3e:96:4f:92:9c:cd:dc:13:43:71:66: - 2f:ee:ef:93:18:ec:b7:b3:60:fd:ef:5e:d0:d0:7b: - 75:ff:62:8e:aa:8a:49:44:f2:cb:07:bb:ab:39:d5: - bf:83:30:2e:d3:51:f3:b0:36:15:0e:59:7d:fb:29: - 52:1c:4d:b4:45:8d:e8:95:2a:fa:da:ee:3f:ed:06: - cf:35:2b:35:09:2a:a2:d6:8d:56:3d:16:e7:6e:0c: - c8:48:ff:ec:7b:13:06:98:6d:ca:e7:a9:4f:c9:cc: - 0f:ed:dd:85:3b:3a:10:1f:6f:50:d6:6b:90:34:35: - 
f3:a6:16:c7:f2:e4:45:44:bb:46:94:ba:d0:b9:7c: - df:26:3e:0f:df:d3:e7:c0:f3:a0:85:9a:b8:a6:36: - 9d:4b:92:7f:9a:72:b7:96:d1:d1:e6:bb:61:ea:67: - f2:d1:48:1f:ad:20:fd:c8:35:09:76:f3:37:fa:48: - e7:2b:df + 00:c6:65:bf:f2:9f:fd:67:96:f9:f8:69:6b:83:c8: + c6:d9:a8:53:03:0e:b5:7c:79:f9:83:05:6f:60:d8: + 0c:ec:33:b7:2a:95:48:d2:eb:d0:ba:cd:de:0c:71: + ec:c6:ef:ab:ea:4e:d0:4d:46:e1:d0:4d:9d:4c:31: + 40:69:09:02:d1:66:0c:c2:be:6b:e5:ea:f5:15:38: + 16:b2:34:20:8d:19:ee:61:b0:4c:d3:59:ec:c3:64: + fd:36:54:e3:49:2f:ee:8b:e3:06:42:ee:d7:af:5d: + 31:6c:43:c6:b4:41:40:dc:e2:b3:ed:f6:95:f1:9c: + ec:72:d9:9c:07:af:32:cc:41 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
@@ -55,27 +29,19 @@ Certificate: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Alternative Name: IP Address:192.168.50.65 - Signature Algorithm: ecdsa-with-SHA256 - 30:45:02:20:6f:d4:0b:5b:68:41:20:a8:ed:4e:0e:d4:5e:af: - ea:12:9f:2c:bb:85:1a:12:1d:1a:38:77:18:51:79:61:4e:b0: - 02:21:00:cd:9e:fd:af:40:59:dd:f2:22:5a:b8:30:07:c5:76: - de:e5:17:62:a0:7e:6a:8b:b6:df:06:1d:e2:f8:b1:a0:58 + Signature Algorithm: ecdsa-with-SHA1 + 30:46:02:21:00:ef:13:e8:c2:e0:30:5a:5f:93:41:7d:14:f1: + d0:c1:a9:44:d3:11:72:52:c1:6c:b1:22:12:09:d8:96:0b:fa: + 1f:02:21:00:d3:74:15:65:fc:dc:d9:0f:e8:1c:4d:1d:b3:2e: + 37:78:47:d0:69:95:9b:bc:a2:b5:c7:4f:32:0d:50:84:45:34 -----BEGIN CERTIFICATE----- -MIIDGzCCAsGgAwIBAgICBUswCgYIKoZIzj0EAwIwFzEVMBMGA1UEAxMMZXN0RXhh -bXBsZUNBMB4XDTE3MTExMzE5MzYwMFoXDTM3MTExMzE5MzYwMFowHjEcMBoGA1UE -AwwTbG9jYWxob3N0LmNpc2NvLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC -AgoCggIBAKk37F0JkNPVoSq80ih3/dZNB6ih9sBlP95KjDYWYZ6Tn+hBkteAlB1X -ToSx1oILyU75JbLw1kPp/ZUlk3cx78bt30+SvceGlbxuj1XkTBqsmS2jsNH29gj5 -Vvb6JuNUiYBOlTr7SMSQBVBtbVvX5vEbbs7uv2CwZBrVWWJ82BP84LuqJ7rMDO4N -LaHoIpuCqtuafOwySmgQ6YQSZIt3hdPAqoSQcOrPTCYgodHptK54qvouGjxoppsL -gP8/ER9GSkEKdXbSt3nuVm+2CoT7piZRsUR4SWAjSG9RoFcpq7UglRl1InW0qWyz -QrSamnb6SHJltBWr9YPKc8x5VUtzKfKwxQDmrGv1FUelNsWjtswLgCosmNWst7OZ -5iH7QeSvStarIjYSVSYZ4v8d7A1x6bWKBSmJTqUNV24JU42GDhcbZCMJYQm985Nv -ZrIRpz6WT5KczdwTQ3FmL+7vkxjst7Ng/e9e0NB7df9ijqqKSUTyywe7qznVv4Mw -LtNR87A2FQ5ZffspUhxNtEWN6JUq+truP+0GzzUrNQkqotaNVj0W524MyEj/7HsT -BphtyuepT8nMD+3dhTs6EB9vUNZrkDQ186YWx/LkRUS7RpS60Ll83yY+D9/T58Dz -oIWauKY2nUuSf5pyt5bR0ea7Yepn8tFIH60g/cg1CXbzN/pI5yvfAgMBAAGjKzAp -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA8GA1UdEQQIMAaHBMCoMkEwCgYIKoZI -zj0EAwIDSAAwRQIgb9QLW2hBIKjtTg7UXq/qEp8su4UaEh0aOHcYUXlhTrACIQDN -nv2vQFnd8iJauDAHxXbe5RdioH5qi7bfBh3i+LGgWA== +MIIBizCCATGgAwIBAgICAswwCQYHKoZIzj0EATAXMRUwEwYDVQQDEwxlc3RFeGFt +cGxlQ0EwHhcNMTMwOTI3MTQ1NjI5WhcNMTcxMTA1MTQ1NjI5WjATMREwDwYDVQQD 
+DAh0ZXN0ZXIxMjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxmW/8p/9Z5b5 ++Glrg8jG2ahTAw61fHn5gwVvYNgM7DO3KpVI0uvQus3eDHHsxu+r6k7QTUbh0E2d +TDFAaQkC0WYMwr5r5er1FTgWsjQgjRnuYbBM01nsw2T9NlTjSS/ui+MGQu7Xr10x +bEPGtEFA3OKz7faV8ZzsctmcB68yzEECAwEAAaMrMCkwCQYDVR0TBAIwADALBgNV +HQ8EBAMCBeAwDwYDVR0RBAgwBocEwKgyQTAJBgcqhkjOPQQBA0kAMEYCIQDvE+jC +4DBaX5NBfRTx0MGpRNMRclLBbLEiEgnYlgv6HwIhANN0FWX83NkP6BxNHbMuN3hH +0GmVm7yitcdPMg1QhEU0 -----END CERTIFICATE----- diff --git a/test/UT/US899/cert_san_mismatch_wc.pem b/test/UT/US899/cert_san_mismatch_wc.pem index fb18794..774c5d5 100644 --- a/test/UT/US899/cert_san_mismatch_wc.pem +++ b/test/UT/US899/cert_san_mismatch_wc.pem 
@@ -1,52 +1,26 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 1362 (0x552) - Signature Algorithm: ecdsa-with-SHA256 + Serial Number: 721 (0x2d1) + Signature Algorithm: ecdsa-with-SHA1 Issuer: CN=estExampleCA Validity - Not Before: Nov 13 19:55:50 2017 GMT - Not After : Nov 13 19:55:50 2037 GMT - Subject: CN=localhost.cisco.com + Not Before: Sep 27 15:15:18 2013 GMT + Not After : Nov 5 15:15:18 2017 GMT + Subject: CN=tester15 Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) + Public-Key: (1024 bit) Modulus: - 00:a2:4a:0e:0b:14:06:4d:f5:3b:53:9c:77:f6:d8: - 65:c8:51:42:5f:b3:67:63:e8:5b:3c:53:8e:a7:c6: - 45:2c:09:b1:51:7b:cb:ed:33:ce:da:3d:e4:19:f1: - 48:b5:03:9e:8c:ba:18:89:45:78:44:e7:71:9e:b0: - 9c:14:cc:2d:e6:42:24:75:10:26:96:44:cf:1d:9f: - bf:6f:14:72:02:15:aa:1e:5a:7d:45:f0:91:6c:07: - c4:c2:20:95:1c:09:47:81:e5:29:9e:8a:45:dd:52: - a3:fc:22:da:ff:df:bf:30:da:0c:e1:f4:a6:3f:7a: - c3:f8:c7:64:06:fc:23:4d:0f:0b:0a:8a:85:c7:fe: - c1:1f:55:2f:c7:b5:a8:84:25:3d:fe:c3:90:5e:74: - 99:1b:fb:7b:21:f5:69:bb:f9:99:7f:3b:f7:5c:5d: - 9a:43:a9:04:87:cd:7b:0f:53:36:9c:3c:c7:40:9d: - 02:2b:92:30:87:e2:19:83:fe:a4:0f:f5:b5:62:5e: - 09:9a:3a:47:86:0f:db:0d:18:91:bc:69:9c:c5:54: - c5:38:f1:77:0a:9a:d8:55:c0:55:91:6c:37:36:19: - 86:59:15:b1:f0:7f:a5:eb:a5:93:0c:48:8a:c4:3c: - 25:a7:2e:20:d5:3c:cb:e5:42:c0:6b:a3:0a:e2:0f: - de:3c:2f:dc:6d:3d:23:d1:6e:3f:1d:dd:e5:00:05: - ab:d7:07:0a:ea:b8:6c:22:d3:80:6d:a9:92:f2:a0: - fd:a1:50:f6:61:a6:60:f3:9e:7a:a3:f1:d6:c8:2c: - bb:01:a8:53:f2:68:39:bb:b7:84:0f:8c:f9:b9:ea: - 7f:58:33:3d:5d:dc:69:66:07:ef:1a:25:b9:0b:d3: - 64:82:b0:43:7c:a0:6d:c3:28:05:d9:99:e1:d6:8c: - 91:f7:98:a0:50:bd:53:5d:a5:a8:4a:dd:84:a2:f8: - 3c:9a:3b:38:59:00:c8:a1:bc:b7:81:40:49:33:3a: - 05:4a:75:c1:91:a6:e8:5c:96:ad:33:2e:0c:8d:33: - 27:51:18:dc:6e:30:52:22:3b:f9:9b:32:93:95:cd: - 21:79:be:cd:58:a5:1b:e7:07:1b:9e:97:b9:a1:c4: - db:98:fe:e5:59:cd:b5:81:b0:a2:b7:80:54:35:4e: - be:83:77:80:c9:81:d2:1e:bb:59:cd:ed:71:35:b2: - 
c4:87:3b:84:6f:78:ce:c2:28:58:a5:ad:a5:e7:9e: - a4:3e:d1:38:9c:49:30:77:82:f6:20:3c:c2:90:84: - a4:b8:1c:fe:8a:f1:47:bc:b7:87:90:bc:a6:fd:ad: - 2e:0d:a1:3b:26:e0:80:5b:ad:0f:fd:03:c1:2d:ac: - 1f:6c:6b + 00:a0:42:6b:73:58:0c:f2:85:6e:af:50:b3:19:44: + a1:44:03:15:2b:e2:f5:0b:34:20:a3:c8:f2:d5:03: + 9c:5f:80:f7:ed:29:f5:9e:d4:0e:5f:64:99:a2:f1: + dd:8e:d1:5b:99:85:48:1a:6f:7d:1d:50:d3:13:7b: + 48:df:2c:60:62:4b:5a:8b:19:2f:00:c3:b3:09:1c: + 09:51:27:eb:ab:ed:fb:06:62:31:69:fb:1e:f9:11: + 12:75:dd:a4:f9:8a:99:e9:f4:48:96:db:89:b8:64: + fc:55:7f:5f:4f:1b:89:07:0c:05:b8:aa:4d:c6:e6: + 41:ee:7a:c3:f4:25:93:65:53 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
@@ -55,27 +29,19 @@ Certificate:
 Digital Signature, Non Repudiation, Key Encipherment
 X509v3 Subject Alternative Name:
 DNS:*.yahoo.com
- Signature Algorithm: ecdsa-with-SHA256
- 30:45:02:21:00:8e:49:23:8e:fa:66:03:67:29:c9:ee:5b:c0:
- be:f3:c0:9e:5a:5c:c2:0f:74:92:93:f7:8d:5a:07:90:55:77:
- 5c:02:20:6b:c0:fb:17:b2:fd:04:92:96:0d:08:94:32:da:d9:
- 25:e9:18:49:08:02:ca:09:9b:fe:2c:d0:6d:bb:5c:70:81
+ Signature Algorithm: ecdsa-with-SHA1
+ 30:44:02:20:20:9c:0e:e3:29:89:f4:2d:07:c5:66:52:9a:9a:
+ 56:10:30:03:b1:9c:a3:aa:fd:2a:d2:d9:c7:67:1e:4b:f8:6a:
+ 02:20:12:01:05:2b:73:8d:2b:aa:d3:5d:9e:f5:e5:4e:c8:a8:
+ eb:86:6e:02:95:f4:7d:57:d7:69:39:d8:67:7b:8b:1f
 -----BEGIN CERTIFICATE-----
-MIIDIjCCAsigAwIBAgICBVIwCgYIKoZIzj0EAwIwFzEVMBMGA1UEAxMMZXN0RXhh
-bXBsZUNBMB4XDTE3MTExMzE5NTU1MFoXDTM3MTExMzE5NTU1MFowHjEcMBoGA1UE
-AwwTbG9jYWxob3N0LmNpc2NvLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
-AgoCggIBAKJKDgsUBk31O1Ocd/bYZchRQl+zZ2PoWzxTjqfGRSwJsVF7y+0zzto9
-5BnxSLUDnoy6GIlFeETncZ6wnBTMLeZCJHUQJpZEzx2fv28UcgIVqh5afUXwkWwH
-xMIglRwJR4HlKZ6KRd1So/wi2v/fvzDaDOH0pj96w/jHZAb8I00PCwqKhcf+wR9V
-L8e1qIQlPf7DkF50mRv7eyH1abv5mX8791xdmkOpBIfNew9TNpw8x0CdAiuSMIfi
-GYP+pA/1tWJeCZo6R4YP2w0YkbxpnMVUxTjxdwqa2FXAVZFsNzYZhlkVsfB/peul
-kwxIisQ8JacuINU8y+VCwGujCuIP3jwv3G09I9FuPx3d5QAFq9cHCuq4bCLTgG2p
-kvKg/aFQ9mGmYPOeeqPx1sgsuwGoU/JoObu3hA+M+bnqf1gzPV3caWYH7xoluQvT
-ZIKwQ3ygbcMoBdmZ4daMkfeYoFC9U12lqErdhKL4PJo7OFkAyKG8t4FASTM6BUp1
-wZGm6FyWrTMuDI0zJ1EY3G4wUiI7+Zsyk5XNIXm+zVilG+cHG56XuaHE25j+5VnN
-tYGworeAVDVOvoN3gMmB0h67Wc3tcTWyxIc7hG94zsIoWKWtpeeepD7ROJxJMHeC
-9iA8wpCEpLgc/orxR7y3h5C8pv2tLg2hOybggFutD/0DwS2sH2xrAgMBAAGjMjAw
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMBYGA1UdEQQPMA2CCyoueWFob28uY29t
-MAoGCCqGSM49BAMCA0gAMEUCIQCOSSOO+mYDZynJ7lvAvvPAnlpcwg90kpP3jVoH
-kFV3XAIga8D7F7L9BJKWDQiUMtrZJekYSQgCygmb/izQbbtccIE=
+MIIBkDCCATigAwIBAgICAtEwCQYHKoZIzj0EATAXMRUwEwYDVQQDEwxlc3RFeGFt
+cGxlQ0EwHhcNMTMwOTI3MTUxNTE4WhcNMTcxMTA1MTUxNTE4WjATMREwDwYDVQQD
+DAh0ZXN0ZXIxNTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoEJrc1gM8oVu
+r1CzGUShRAMVK+L1CzQgo8jy1QOcX4D37Sn1ntQOX2SZovHdjtFbmYVIGm99HVDT
+E3tI3yxgYktaixkvAMOzCRwJUSfrq+37BmIxafse+RESdd2k+YqZ6fRIltuJuGT8
+VX9fTxuJBwwFuKpNxuZB7nrD9CWTZVMCAwEAAaMyMDAwCQYDVR0TBAIwADALBgNV
+HQ8EBAMCBeAwFgYDVR0RBA8wDYILKi55YWhvby5jb20wCQYHKoZIzj0EAQNHADBE
+AiAgnA7jKYn0LQfFZlKamlYQMAOxnKOq/SrS2cdnHkv4agIgEgEFK3ONK6rTXZ71
+5U7IqOuGbgKV9H1X12k52Gd7ix8=
 -----END CERTIFICATE-----
diff --git a/test/UT/US899/key_san_match.pem b/test/UT/US899/key_san_match.pem
index 1105ccf..894542a 100644
--- a/test/UT/US899/key_san_match.pem
+++ b/test/UT/US899/key_san_match.pem
@@ -1,52 +1,15 @@ ------BEGIN PRIVATE KEY----- -MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCfA8kRsqD0fU6D -KQdul9vJdR5C3KlB6sXF/MfnhEco1Vi+1lDM19RhCib4s+KFqk8B0ptLuFvwSYtZ -s4Efg6j8O6t04JyJn+xbhQFRejsTy5cJJATxThe55fgUCvWbmuOH3n6Qv/Wz7qV5 -xHThgJ0yVd1RMlSOCqEiUN1bl1eCwoAsiWZqjyyc9R8ZEEudNZT1uZtcT28/O8WS -Zn0CM6zsRqcbg2KMsK1mLTWa9KN9JbgsBKMQ3UY8KNRJ1lxTiiFKB5XFknOKhTRM -5MCiT/D9dwTqSU3YdcW1dZwrAdlTmK+xFpQnZjakcc12+eS/N/0u+ORAugOcTzhI -sEVSYKbHlZGCqYOq6GoiLIykmBW9CGe3ghdhHjuOLfm+CxAfDl1thpaKEFwfAx/W -qY/yW4MbZX4qHIvo3MI7I6bJRIQ8YYd6xa4mRu5v9kayzvIscoqwGYVaWCoXJx/E -rAPpbdw8VN6/EyO7iPWzMx4UaG1M4RpHQKAglAfCORg8qHlkUFt4E8FJfZYGijfH -jhl0FYmnVzjD84X/Ghv7FHtpnY9bglaQQfCwrmMQtPJGvOR2ypj0jZmHB4+qZK3g -5jY4QgvFXGMv4Ve8vs0wdUoUj7fJAVf0H7AFtllj/WIVAuNGbtqA5HOedJwO+1jo -blDaIdB9xWhVEmntKq+0TeZfzckiIwIDAQABAoICACROJfMveIY5sdpKXNMIQvsd -DVqwrMhLBPquOyoFzoVpKIjxv6L1SB0bx0gTMg3Yk49T+XbxUbRr5jAFxt5eHg/w -w7W8rqDRbZJ7rJBguupLGmHQ4nwBm3MrKVfSJL9xPq+/wd/kpAF/5DIIA7OUvM9I -QW6PcjS4ApAmLFQEGsvVApSojkSYCdSQNphvWwQ6vpbX2LvbuweR6wsA8Vu2Vq3f -d7nVZoO+tuhUPB/z6Pvix8jtChoIm0eS/t0Y3x2HtRAE6VIhnNWskgNYWw7z9463 -RN0E/YwFX62Ne6lqE6d9feeNwye3s5QaE5ItfeeWreyykNKiZb6ja7NU447qWElv -GmM3zr7VRvv0Trh8UQBFBgpZGGFpXk7al9fj2iM4YylYo/6YLU7q3rRphHoF/9/r -WwdwCwDN7nOLge6UVLFNSkQ1zb3NcH6MhzxtNzND83GnhKAjKQpK6SvNjyS0wjY+ -353JOrGMD0f5F1Sii4e/8puAkaeE8LaU37gdnV2FIqwMaTgmYAvWEdB6A/xch6yB -5Z+kz8ba//kmCSWivkm3WZscjQo9QRPEMzs7ZKrA8FdnhdCW3VJPuomkFe2qEaWg -EHhMgK0TyrRh0/pnYJ7EEB7kBG/Fo0QKAYgWZ7iNOnnGdu3CoyYJdVjUFlVTlZYK -KkPAcP3iLCiExhHlFjVJAoIBAQDFXzgX5OUkib/a3vkHv3lWdf0MIOIzcgADX3YR -JU9Hna1l85xv4va+Pv+tFGx4+MGWcMNbFxFtokGWOENn0C8o0FLvbwDS1k+XwORW -NJpsp6AwXciMZjx0Z9CwzdDN05W654tp0AQJpcNe/QWJ6JQpI/q3nx29I8D25Xb+ -r2xiW2LsyewHXbgqkDsbpVd7l3SGrCf3TaG227f2hdOZo629OQv9OhRrXtLaFoyR -uwK1VhOL/7OwfJksAxiQZtEJywhkwAg9gUqAG3Kmpn0gyWt6wQo9OPCIMu+d8W/O -434Oec7QCxRyvYn1nBS2JLHVnzJapz/j/Dk4s7dOcQsI2r3HAoIBAQDOP8SAGfIG -gGY7ZB9oRts+ulLQHTi5R3BHZu3eeWDrRRoA9ku0oRIXySgCkz5lW0kkDNK+4e4n 
-4RMP/5rIIkGTMczvsDm91BFLwgfQFnFXrB1+8BvD+jxSeSa7FpO+Aor4Gdpj1vZ2 -UOCUCLvksSGSGBTO/l/z66BlLkouzVqNwnhu/XI9KJRY0SGFAj7ptP/ay5PrZRw0 -7FLSpBohwoHKDeNs3YCgPMTbM1WXjF/ZmdrDixNmtqjFVrzLDCk7/pD34A5jROzo -ULsuL5blmQp8FiuQLtpKT448nRwTnYb4WvbOm/bppQW0dsLk26uTTGsogORFqrDC -m/HCLnAJwijFAoIBABK20pTBaVCrlvtjxO0NJK4kBdhOjeQe3Q100bcSeI/rzXMr -RBv/wzGKu6dnlllqDMD89CkA6PAiQGHD9/Ax9ybBifuV5NgY5fcXnQ7ncfT3d+Le -IZPeZcELzufUvAWoGDxelAN2a8uWYg3xo8LNwK6d8LnUZnd2mmdOnpfLflVdIOYe -xzhzlHDEuDYI2WCona3fSPLT849pCepgCg45TNHyRMa/6Qu9M/TlynJO7xTOko/l -sN39EnDv4jZe6VcqXyNeaembBrta3uYaRycCsiQzhYsEiRoA6mNpbxaIz30D464q -PsgaXKhjIjubAxmkPJwH27D8S1irAah4Y3l1dCUCggEAevcXz4woeOnaibRC6We9 -VWO+9edGJ2jJLzjVvts9Bmf3ffVZ44JYiCfdG9Pv0nwfWkfu6fFHjS0qsVIiVQnf -cMOzPIAjnOKvwSwYfl6zCqNKHqFG3Iv3pPAoQEjQoutfMVYwl2/VF2tWyct/QnS8 -4B5NYa/VQ1cLFOgJQGgcggIczYd7sazc7SsaQfO50JqiJC9VrHVm4MK5Cm7eSZxu -xymKmyBgjKhOcaXkdOszRkftXsIvOgDTFHyHKMPCXcuDYNWLnnG8kTF4t6uV2qNo -1dxd8qOMb9uIoOjGkYdMrguFtF7WUiyZ/yMDRXEWlUZtaQOXlVWT9yMEe1I2aAsD -RQKCAQAgldNC9sAeJ2X58Y/KHEWiNlNHrAwT/vaexY3Vnj66oYRl1ysS0xtTWi0O -h2MyO+ufqDGoAmt5r7FlGFxVTXbwqtWgjzqywXiraFAMrVaWFB3/tUzTA00jVN3H -iaBRu3NE6/xBv9ssuzCfQLJesPxhPrCZd/SdnujP5N1QOYkE1Bv+LOGPe/uszpAW -bWUgThUwzacSc5tbKUxVZs6PKC918BxTUjvCA8otdkIhtgBCOy5xMMfsp6RgkN3I -kL7er55UqmygZM9t6VA0k4i/9KzdiB6h3uG/SG5or/F70gLtbWUQRgU8z/d+NhdE -1WF/nPei22p+iS1CDJonLarAEraX ------END PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQDuRPOTLKY/nLoqg7C9pXSlyNOooERN66v1TXJa2G/OdLtK0Yqo +muXipwyVx6B9yIRvY7LDCfTqDAb3meIOw/DPRDAzCPhpeXpjNG3tqc/3m8rdJCXN +vA7MF8wfjBwVe1/KfiYV3KVUfpxHRlkegPA35MPXlt9I0qcU2I96eO7zXQIDAQAB +AoGAOl3dpPHND8wetodn5iz/tBTL9IS99rCCgSalmqdmTBbAQoWuB7taEPmG1bH/ +GJDkED1F7w0jV6n2kvS5MZDCDirPulZgQEhDSIIt8H7epLgZ9duv2axi3C4F3SOZ +BJihh7EQVwXA1BMoyV6a3mhkOpJWoAt9O3F+pU7tgUymSakCQQD3o9wLjeBPmZST +4kszwcASBlvXqLUGvdD6eg9n/gfVx0wkQPeKMVzMB78W2hDysGvK7e5IYiLXOUvl +d50NRzL/AkEA9lAb0/Ja2QGMXQWtCVkjf3Sdh3ZYdROcaXqUaETU0fzitPqk+FwE 
+5rXiCTi+/BOMFXqpQ9ECqmu7JaEwl+WFowJBANXHny5aTEprSthfgowrtqPY2XBT +M/Od6cpRlPsxUZI7en/RleC2vGVmSpBvsDHSGzwUKqBSF8G0tNBjcjEERgECQQDH +LdiS97RHL11WC7T1jkOKWb7ZP/YgFo+xLBK+joqalCivuM+WlrLP7dyvIFgwd44c +AGjIEkhZj2xy7XniGxSJAkBfZ6/FU6TzTtXEppqN5Y19FswaLpG4JExZddxfmN57 +dhN1j5jjXlldpZXpkKXM/DwxPfNI6vVq+p771sTdFY9l +-----END RSA PRIVATE KEY----- diff --git a/test/UT/US899/key_san_match_ip.pem b/test/UT/US899/key_san_match_ip.pem index 5361e68..1aab227 100644 --- a/test/UT/US899/key_san_match_ip.pem +++ b/test/UT/US899/key_san_match_ip.pem 
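Review bot: key_san_match.pem drops from a 4096-bit PKCS#8 key to a 1024-bit PKCS#1 (`BEGIN RSA PRIVATE KEY`) key, and the same `@@ -1,52 +1,15 @@` replacement is made to key_san_match_ip.pem, key_san_match_wc.pem, key_san_mismatch.pem, key_san_mismatch_ip.pem and key_san_mismatch_wc.pem. 1024-bit RSA is below the 2048-bit floor that current TLS policies enforce (OpenSSL 3.x refuses such a key at security level 2), so these fixtures stop handshaking as soon as the harness or the library raises the level, and the US899 tests would then report a TLS failure instead of the SAN match/mismatch result they exist to check. Each key must also still pair with its certificate: the certificate hunk above carries a 1024-bit modulus beginning `00:a0:42:6b:73:58:0c:f2` and the new key_san_mismatch_wc.pem base64 decodes to the same leading modulus bytes, so that pair is consistent, but the certificates for the other five keys are outside this view and should be compared with `openssl x509 -noout -modulus` / `openssl rsa -noout -modulus`.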
@@ -1,52 +1,15 @@ ------BEGIN PRIVATE KEY----- -MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCz9YhYh3Y6bGKv -BSLVnOHOGqU11Sid7CRQxFi7071SMBU3wH8DWBDgj3X+CWEMaVBzZ7VM5Ao2H6iZ -yYwWXCeYBL+i0RGey+R5y0dytyfwMcGbSTqCwzllpdsY2MWMdWCv3+vktKS8jfOE -YrWKPGtraFA2+mIMygwnHpkeTW4jQqILnQDhFbVGivkP3FWis8LcKQ6Fkzt01nVO -oQWJCIer2ocMfQWbMZy5oI5kLaeKbL4qH+FrGw3YdNs5bYqwkVKhNfRKj2jSJ29w -TSEIEU6+Cg4cHumy+UYawtDEihUhrK6+96DSiDvTtI2tGyZVSAc6wm/YQ60WddHZ -l2aw1DnSlM48APhL15BGknUFdaaBQDNPkkxwNQbtd5ZXu8Co9b+YiUC5yn7AgBDk -AC3VsmR3Pobi3DdnY0vmh43wSiPSmScvlA8DbFavX+UMjmRYwlYHMCBxSU2QaQOe -wKg5Pms7hlVZ+cvw0tJYcFpRLMDvD4FP0GHx5v+GqK0xDuj15O13VwQsuEHiB4n0 -+yIQ4wMU6Eb4rrQm4T8TBuqw5cmm1fHi5Zr0sdesNfoQvDyPeIVQq+ADbPsW4jgo -ZhJM/YzpyJHUjPdDyQIgkERcR82xr+8A6nHlfjFM2n2mOUEkLJu2Lov1KkcsOjuj -zN4AfMNt3Z33Dl/JbMoMiH4peYpcwwIDAQABAoICAChjaDTaPh4RmjpGkFFZ0tHT -aBXDX8jFqUbZMkMBXAGYmgJ3uOnSt4L2n5gimb3T2wLzmRyHJ4WLKGdPdRnFl/tF -wY60llxJzV7KUSA9XADL4fRMhI25a+XUye3zJK8H3unJ+yLKqhhJUYh6MN0z/zXN -ZQdZvWy6YezbsKi83wWZ3E138K0Tlqoc4ZX+MNgBuS95JXG0IAlyYkSB3gCpwe0/ -b8TNQFda1J5SmvJ/zpTCIBHLMue7XCmi3Fqwq4pCK0XUGp4rPm6//AI7xTiOzdnX -3t/PzkplKKcz5u/dP63dmCBy6gymF6tFX/CkYb+NGVZGMhza33tlePH5SUpRbyJj -2LYiJGqzoQNQ7AB99S1VziMQ2EOcfgFkLIC+KazfJm1njctSn+fDutQto4E3Cp3t -n8llILw/OKBSTtt/oauSCUXmmM0Dke2sken6BKC1Na5LD/ZUleoJNQ+KLs2hcNfO -sr2zSYUAUXLIU502aNL7s4a0Uvmd6vFcgdk+ssUOHvJ+PWL3GQ3hVmscJQZ9iN61 -Ty0C7mA75gOhHORvHjiVNoeAZjjPaOKyfihWBHIg581AEHOSnsqlHFubp443myaZ -RrzmGWLvjoR6SVDulvGaSMs9pKjS5G/1/RcXCC6NXKPAxeEf3h1Ho0c6DsencnH5 -1lWLX2Y3kV5iqZT3ERM5AoIBAQDLb+cIW+E6ZtQjFwcBTF0Gs5+Z0TbEDl/IYFp0 -NOqZDLP99k5f4/icZ+DvDufCD83EhFigSG4q9sDXuSNClKa1IvCeFxJ5B7ZiS9b5 -hRwDt3USgwusXTr2bmCAELNvnZLcDv0z9NqBxj/d+xH2ou2ye0tJv+bCMiMDLHEB -fFW+U6e+vExvF5Uv4aROcRuq61D4gc+rgrDC2ZwVelzDIURBjcBF1VEF4gCCSQy7 -3HRKir3+7vigeG7GCAxc8esExuWnWsimEpPJs7Xy/V1DYpFwsPIJ5TFU76vVMv9j -h2h5fMql6vaLkwvATQdOs7PIyZpneycd6+Lb1yuXtjUyJCn7AoIBAQDidLTOGUF+ -eSvOnCX7Uv3fisJXgaFRZ7QD/fSrfHqZYm3O5YaI4GBRrwStaeUYpu9+CREE59b1 
-kdHo1EX+aPkOW1LiC4vAen1ElTSSvy6mQ2Cy7VJ1RwjAMs4yACfO86ZA+6mN1gmx -MVuuJu7D+ag00Wm6tJA5N5tDxU/7QNtG8qKFh3Gm3TtM1uiyU/y8qxxtv7T2ozVQ -xUCECjaZXX0AXoS4KT5zgxwa2lRC2TlukdGfahl+/cY7IkBcBfAs+1dYBqG3qzl/ -O7AtLQqpq+UcI3aGQTXntHgV681kr0V54982ah5loPhe+sVfAGt0G1ufsYjWLlck -RWMuTtcJPKXZAoIBADGd6UswnY4Q5kxooVy/szCfPp3VWPYYS2Qjm+wbu9v4LS4T -lKnugAQlkca8a+n40MbNQJBXGgeAhygWD3N9resfym/EUM0UBHeU56mTvXFqnTMW -oxI26tqPsRmK+TiPxfHF9htl7KUaJRmO0qLEuhR93a7vDujuMXvkqush2AfDf3YV -ls7BgbFb5yb6jzTwj58MignapiHf0SGr5lPxGSSj3fEqRciZhmZASsrGydYkYJJ8 -1kbNGLdT3zAMELXpjLl0etuGTGU1X3sUMFru/2nsvhuLuqxsiAxHk+JCdEitFv/A -fsEr7AHKx616Rq8B/JaggrnZfkr//7HQzsib6WECggEBAMW6T1CRXs1WcbiiQMu0 -CDWSi+QqLLfOi7DcojDFrKqW9fgsEw8akx9faP8dskqXIA/1TKXy5I9g9l6MUl00 -PRqbBMCYgjra+NvUR6ZGRi4oMJuqelAqaOqgsceYuSmLNsQQuVg95hKQXVOvbNUy -/Pq5Ss8Z77/13J0NAKwKUiwdmWhr/gFLtAaAs4dZrBj0cwsk05ZypQ/UW2OvI0NA -DPAwl0PRx1TGythrgB0qXGo96kF+O6rVXKuvWXDAQpiUEQysJbIgUEDW1hpr9J53 -l8G8+TV6ZN3ehuflD171Zv1pyTFS8R2dsqAD6CfuTuR/Kr5CHo+cwLvL1jDN6BaJ -nOkCggEAJrdEz9tU97Y3IFetENBSB5iVdbG+8iX/hHHjXB6OkEe9qUtEWYETVr0T -+GJgThy2fuidhcYDgeWsZyunIgdm8omi0fqG9zuYne3UBbRAoajtcNgmpLhyspmm -vV6mGwo/rFRcXKRzS5uUPeYMkwInkhgZoV/Pplt/In/t8X2stY3qJSOT6nsAl/u9 -KuGcZYTeOvpmotlMCoDqrQAhFcoMGqf3svvLfRybBCM/KA4V5ESg1xGkdX6E/JYC -lukuyd7UeBdF9DmL9mRiVpW4P0zmoGhGqeqKEHyrUZYpQbYY3hvpSpkZoSpK0wa1 -qd51Z5B8uQi3lCzkR3pYFWkEAqOI5w== ------END PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIICXgIBAAKBgQDCBO/5Uammcq0j5699UYvcftBxM12TZVJued8wWM8ITkeNSh9q +6khnaCcQDajCgOgNEBI0MunYd+UV7JyVuvQWV+Wqbxie7k5s70zzv5HwS7CNwP+P +bvHzuTGOc9lcxV/9MK42uoCqda5NUDu6s5qm0jpFIMN+hnmvdNfC1MHU+wIDAQAB +AoGBAKhLwB10SMSpFKbggckiwz8wgX6wH6uLaEWMUZ2Oa4e43zgf48DKGKQaJEg4 +kPqm9qLeHexJfa7X0U+DPxBiavazw/oEoHKf3pLOm/HQfr0gKik4hYxeBk1tqLhR +7xUbzcxAWw9cBKr3qzrvKp86S1LzUD0nkLvH4pouCSgTcf6BAkEA5wVKh6Iaf8zs ++hyIvPVldOQPMyfW6XRUFkJj4wueGIlyAgzqKYGjVmgQ4ZI7JnooY9zT9U03vecL +LocRQeAc9wJBANb/cF2COqYyTYjBvps29cTTOZajdhLYJB8yJcMici3epjW682gN 
+epDM0SwiHsN6f7vzTsQTxEJGi7O/MY2Tmx0CQBkNbtakkqEXVP+OhpmPNxBlBuzy +PhEVB2Vej7x4bw2UIiPsyJv1rgPZxzLfC8ERcD3cHbQ1Sn0yh/jkts9hAWMCQQCz +LxkbFdqDgREVlUOiYN/cNp6caYeSlQkl5smKJD88839a8IDEi9dGryz1t0okaQfk +QRe4WzEKe3kbSZGnCQoRAkEAmQBdntXZgFCrdMQbYvGGmjnPHGYK/OeKZN2ZVIKI +VKMTz74yAiA6l/W0D7KY+aR+bm3lxUPCqIdryA7K1JhGJA== +-----END RSA PRIVATE KEY----- diff --git a/test/UT/US899/key_san_match_wc.pem b/test/UT/US899/key_san_match_wc.pem index 95ba8b5..e296fac 100644 --- a/test/UT/US899/key_san_match_wc.pem +++ b/test/UT/US899/key_san_match_wc.pem 
@@ -1,52 +1,15 @@ ------BEGIN PRIVATE KEY----- -MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCSbb8qxsecoKGp -RUmTdFYOJerWtXJUwuqcfF+12i1tzaAVodPomjE7Xha14izhISQD6NWWn5OIkOYk -IX+JARUjRgHiS4txNPiudMG0FFY/2C5woXH6HkBFnJ3C9ZORIcj+xN4IXrpT0733 -6L7teFWq3fBVUhCpioyu0wzUvQXj8S64Q9KQbYOurIUvAClOKPs/5sXbIJPELJNE -TyUhjo0pM6SVZJh67U0UqfEpC/5YFINtC4nr5VszGxCE7PjyRWQkbO9bPa1H72s3 -+8pfOx2sr0ctSbq4/B1CMp1YcclJWdNXYK3TrRpjA6/ytKdMpFE3NeQI1IKs7a4m -jaX7wW+HQkEr0wvJDBvP/9QL1j+MBHjRa4MZNFQAiBa5tFYvSvo+zRS45WV723Pf -q7lz8ABR7XyLvp8rDht0ha0toNnrfBMKnsy5NaNs7fNX+E+cZ2vFU2ZIfdy3ZNrI -rzcrRr9i9Bllm0Si7tvqJCi36G1VwumJxlIpFwl2oo07ze9uqyjVG96DEM/QjHmF -NUNgmtWfKtVAJkl22M4oCFoRMSF3TFKpSTiyJckfaz/tZwmczeA4+8yTw13/gMh6 -oq+y4IcLyhqkZk7gx8C5fyCYtu0zJTH452tMGrMR/3l0l5Zh4S8U+nNDBz2L0Ruu -d0bWzQbk1ECF6UYSrNCk9H+7M7BX8QIDAQABAoICAAE04OfAvXRv7J7OLcyLH3x6 -LgsAxCQ2aHP0rlUkr3cJiKoaHDYPXHxiMW4/xzrtmLZkv6sXAn3mf1PUbJ5WFK30 -Y31oK7NQcU0Q2OeLjW0HW4wtJc/erGhMJipIdzYM/YVNL6hk0due3RdYqb47JrKP -QTcXDK60q26OtS1E8K23q6svkE+FPqMMvR9GrwvgRkAmvg/fsVQDHYRSWGqIvsJr -Phu0hygMlGrSQuBUA2r+WLT18VN6KIiY5WeTR84SicTLtjX7quOFFjejgHtNJxjI -jAcB6neN7URK5Dnpt68wWU+f6wLCmQQnK62//e+PSiE+oyGe/s0Du24lkwul0pco -8s00iHKKbUhFB5lHOTScHJGoeYdMl5SbZXzt3mvRRCFkfRNnjJt7C1xDEF84ogwJ -3Drqho7y62KoHp5XxH2mRcdzA9NSWWDHUlK7ygcxCsqHx7JnwGnEj8tlHTJp6+3W -0T5WJxwgj92SiOmwDgP7jV9hxwlb9ga348cFMeW6KF8/8Moimo0HToawlrpYhgMq -KX+85udc34XCveJiP+ToAKXDOLiDvIrTnZm4IdRKas/ht3AWlNrY3twZwPzqDurV -HSjzLj90nzOzsUQ4ZVoW+X63Y9jtJvv7VPfPPjY1l9Qi36bf2EVWyraKYjR3PjR3 -G8M7tLKAElxE06EuSnlBAoIBAQC6zihyDnqO+IRH7BaP+EkJesrVitoO1xjHf3cp -8c1Nh7koB8lHPxrF4ycY+Nc84oIIAHMYm+A3N+UIQKRt9gE+s/p29gE9tdNngn3s -T1+daWMA8ZBvyfu8EjmRGuGuK70oMHC1RPE2g/SpXXguJqLuR2QaOgF6+Qn7iole -cgFJTDtvhQkU8JB2GqBiUB30USvBH2lA67z4BjWpRmQXRZUwEnYxhWg7bSRlHYyS -7my1hnhDgas+Noo3Y8vhGTJqzJZAYO/NDzDtbQB5IkExCaO6B1R1F/ZI7BhxSxIu -BVKk6vN4iWRRc6pHk4DB7ZZ+NzFrTnDVc/sspS078IEjnkCRAoIBAQDIqt7rwckp -BGOJLBFuCg08cjP5Hst+xP6nSzJsOZQTQwYo4zxWykD6wTnblXbu+X/KZ15+QTyc 
-eNglPt/0ZuM3MzneamobM5tPUTDQZBqFonRWH6xN2jWUluew/b1nnr2YIXdHoSOk -JhXQTP49AMQEViA3lz9jzp1Vf/nJM8Pa2hiZGylCH03VuG7qTYGhwDyk6lizENHu -pp1UlljD44NHqTAZQeTM6lIOrS+yD6B/2Ywv/BqeBLU8qjjZGLHtIIJ5ouufZNpV -l5rnLYJ+Ad924FPtl8NLEYh8ibEvDXrnw569oqTEOrRT+yHr0RK4ql8f3dCxSIi5 -UUpGZuCjjFFhAoIBACCjwudi5kEy5RIYCz0umbxhSy2SrFUpejfpaq3WhRPF4jE/ -Ywji2s+2x+8SE7GctjGlunaTTdL4HjmZ6eEYudD16457n23j5kNQxqXSnJdJgbX5 -f045EZYj7REQjFw9Yjiydg8GM8tdtRMetNADijZuHOyENBwDhZ4A782jx9vBySTM -LvEMs4EfV+S1sPYudKGy1lY0mnkPxLKGDRkP3Ghg4Wv3rmWrxU8xoY1OwYnaLAtH -jd858l6JPmdfWrLUenBXP68pt1fU0t9Xf+KMl6H6g+RNwoetUPwCrPODlJQiRVZL -U070Ec2d1UKNO91j0Wu5cfep4zpCxiuR806A6TECggEBAL9j0chUhPNdHz5WzK0C -Y0tytUV27KoVY7jWDNqSNDwG4hofWY6By2Ye43se3FfjmdHHs6WBvTiUPbuQc3Qc -qbwdXKVZI6icGRaWnpMz1uP8ZS87eFCsvgvhvkveR0dMbRJrYOPtuhu2w3lv5dDz -KQHlz0aWODyOdRt2Oxx/Bd93wpxM/pX1W3xrM0a/89L9khnM9hqcAU64lTh3SWRU -XAL+SETex0X2e5tJ7ULMis1GBeJCdnSekumwhRXy6sj7B9bR4B+fxmp6daDmlB5w -1N0B6qqi4/52U5JMlbUGC2J//qhqNvJ99z5eOSU8vLlqrd2r538famAuO0RYnQsA -KyECggEAZPLA4pmyGVfBWcSXbDcORM2GtZ+qzSqWFD9gNCgJYDn1yJvdUDMNdb95 -BT4Ox/jV2agt5etrFm5DO7O1n1sCNEVi1eGZzML3TB5pcDgxRS/fH03t0WH9Dyqu -DbH4BbhLREP/G3URcm7+exCzAxoFmOHj8U9mFINjltcFlG6OAJE4rXmAWranHICa -QNPYXyGbq04c3tGTa4n3GglRO/ppU8BobrGxeH5i7iY5glkRyq5LQAhu5BLuATEh -TsLvGklZwfaDiJ0mKTjpBi9mX5Yrt6RvOZpnori2V5DCeszllf2/ZMZDbMMzEIPC -7h+49BgA8h5GOWvJOZDDh66NxHKlvA== ------END PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQCuOiaT7sve9lu1+6MutivM60kadjhgMOt/mpn10n/9yNq98zhL +fSf7FYEjWSKSH613919Q52niZCpoM2NiAhD6LOEGrswEeeWMH+qaJp4DsE+0+Bwr +IWuwbWgkrgwupzZ7J9TxE+91XuIRSfzU+E0tYz7ICESjyHlCToWlXquRUwIDAQAB +AoGAJWbcY0OPRpUSiRW1KVD4RCx6bBDW92dpFuKkjI4c5elZdA+jlSkQDSnHqEP5 +VO8x+SAEuUSEiZJBPE9T1XVmGUQczf87ZQHZRSwrIohih/MrvyrNakszD1VPlGIs +fLwKAMFfM2/aXignZx9UJaMcTvzDNZ/FhlxgzYnrukfzPUECQQDVe/BijfLQs711 +KZyYWMchW84LcXYa3mtt2EVwfmZlvAlKIe0WyJ9KskYvssWKLIHcZvRIHiQgs+T/ +pPBUmgkhAkEA0OzF3uU2oX4aVhmu8H3R9AmH7mKFjySdTAFPyZMdh/AonsKO+B1t 
+wGI+9jOgDC3qOp3GVygUTO7xpa+qSpUH8wJARrxZSx6DjRlxNigChgwsduYnYG1I +1+BIsk3NvFd1cFIctd6F4124QhTN4rIWeBEFOlU2rcqm59sTjo1FQJMFYQJBAJYb +uGNYjrLjNqrsExwpWmMbQfYOBWX+aaHFQ31R3SLhc1317eDozAUw0Yn1N6Xoi2UI +HQxb+JH6D9b6asDhaO8CQCqNag8fEhmXzWiZDM+ngreFJsFFYiwwbcSOA0p3JBG/ +o39PeTTW4VC8+Y7KIO5rM8ZzuT3cArfsZLC8erAc2oI= +-----END RSA PRIVATE KEY----- diff --git a/test/UT/US899/key_san_mismatch.pem b/test/UT/US899/key_san_mismatch.pem index 1f25535..c057fa6 100644 --- a/test/UT/US899/key_san_mismatch.pem +++ b/test/UT/US899/key_san_mismatch.pem 
@@ -1,52 +1,15 @@ ------BEGIN PRIVATE KEY----- -MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCkDp9nbHPpPf6Z -zLylKsRIFFtXY6RpIDijat7pcmYXoIB3Wt4WqbMLxLIDNxppP2SSgt6KM3ro3BMO -/pz8vEMdb0I5EPIwTQ6jIxH8QeRC7flanceiBgIpeHb8ikoaLY9CTqYsBF3bHrP7 -ZPFNfgdMN5XHK+uYjre3G4967WyMPWXVnFloyDytNVoia5ErlnsEAvUCzR54o2PK -R9O2L321eDE9wW204fTt56Q0mSB/YeiSd+D1Wn3P4YfXUtL54b3Kc/oXxSpThF1v -ccE1jYC2H1J+L2FJj4molKIuWQcSmZGr4HpTpwv9FdPEaG3Y3QFNcyhf+WbpsLxv -9JrViRiU4hsQAQ04Vm3QUul3b8ocXk8tiR9eag0U/tjpO8FcKv4nmgK1RvFupBU7 -1D5vl5G5w9o/adbXTRfVo8tGlXTcY+woHIdAD5MkmNpRM3Ota5dmBrkCg9tFyN6n -5NLWlEP9Bz7Rk/cqMFntaIC0L6tGcMGk8jZrXwkjiHpPhsNeAJlhYtkRq217ghmm -kQ0sBeYxCBsFMlOBMTkA35N71EbsAeZH5HuBUdnxCU9y5N0QfdepKEaRTeL4NCBi -XJeXRNndf9XzK+tLevS5vC80AoIH3mO4Oj8klHHNadND7vxz41UH/E390+pfIrJh -mb0vuHrlqrogLjEmPSv+n+M+9RsncwIDAQABAoICABu64wPCx6bdlTre6eYLIAlE -85mGXKRuT1SD/HC+JvaIaR6Di/WNspdjJGm5tyuiDPhcyYvXnsdcZ5ZJwDRSCBAi -HbHypNU4OSinBWO7qX8MpXDFKZi/5j6nP4l5QIRDPitJivn2tPyUKHzuN4FPM6GU -5aq4SEbNnM0FChAPsKDVwfBE0LIO4n6ufXFC+FNDSMDJVSuniyZ+C6CF2om5Zki1 -q7ESEF6aMOHDnTRMy7rsTDjxrWMbbBemueTR+ZpGJ2PgjZ3V9E0QmxB6zFsmc2KV -UcbFcG7UJcMKeI1X/AOPVJmWRGb+Xd7mARj6Q9L7rDwwolryl4wZlQhhcoh0d2Rx -buegpaWuPGGexPxv5w9D6DCv/VQD2gfQi4euHdFh2z6kD5ubprcVHRCx+SmWhw6M -JOSIegkyZfwDN9DQ8WL/NZS0Y/1tJ8wwMJtr9R2OrkyfXDLqDTrnQVBMOhxllkSt -kSTKooMEFVTmY0Ae+nkzpDnGDiYMUWJf5/lisn04voa2cKuLYGa+BZ3i/n7bRSAZ -KU/beaHSU/VRDssV4r7S9ZLaoaP0Ae2/BTYlxf5rymjVUU+PQvA22eEaTo6icDJG -tYax78x7eJaRv8BV4bmkMyHaR5RFDCotERsH0NRPP58daLbNu8Z1pC6X+5Ia6Btm -l7wfWRKCSbuOogIb6JJVAoIBAQDgpbOFqeYpPURUBfh4yrQFraorgznV1QeRUDl/ -fkWt0ZhnEAsZyBKdrW7LSAblO0i+SKoy7YBewy3whWzx5JCDKTnk293OM9VsZXPd -ajoBimN97rM/veQ4WzSALU1qLcm3+eRWslcwdlFSfHBwWpTnubCtbYB4ncxU/j4W -74DCUnhqrikQrHtmvDLRFedwEYLctsDr361XlUpe7J/he59JsdksDRdbPdx20Qht -e+0ufgLTSYJSZKzU0FZuk2nxTVZyZaqdgEJK4MN7Oy+I2DnedfgmFDu9uUDxULR7 -D2tWDNqjkDyXeaGiRQw86/fgc9A4ZisslOoF8My9U2Jygv7nAoIBAQC69CEWnGIi -+T+IdaBuOMYpYjxs91Kq44M3oje725Ep880vLNz3S+RO3+4+OPy5Bk5gF3Fitvev 
-XRGzZHJmpx5rJ0CsnNchXxflIeupqMUrloqf+UBGBJu7hBi7Z0Bxyv6iaUgoqMtQ -NgsLDCsDsftnR93YeHJNQowU2Cp48oV6XlslCcfqGmAPne5PifYk5KEVKXmDiD0A -S8DVEdrP2CTZqKUdzZQcxFIFzTp0sgeYODrdnGd386idNd04Z0YQzMSkgEcW9pBX -AUbRkU0y9Qbi8UvlUFiwEjLMh/dAt7RTdmlirrSStTXfHd1WY49B8nCEo7Fclulk -oAPyFCj1qn2VAoIBAQCRT53IIBYZJuBD2XjX6YZ5BdTFQKTwhFPY0yPeLDe2L5V9 -VQtZKemgxMaeB4EuViK/sxEk0CvxIB9fLW9DKK2xqcEhIHdhInYzH4zK9COBS5r/ -op+f45z0N0rGfodM30FUF/hze/iaCG6iBIxWoMEhAyQdim9HlgrOD4bqHxISoHXz -y6QUfP11ftcAGEMUYr9bNXulF5JwzMjGjhj9KZHngXsQ24b4JhOtZ5kj+L17DVeW -hD4gPa7uGbVO4VvuEjCQ3uJ17rjy5mCMHcSpp/QGyhgxyXS7TFGNxr53u4map8Xl -dy86bBr5c+Bup9Q3A7L0SGI0/D5EiXZmIMHVgJaRAoIBACX8XIy/kaERi7sqS0KZ -/omCEE0Do6RdPdgb+b8Nyd0AUHx5XRxSKz1renjiE1d01I/ps3wfOQxEmMgebLA2 -3JNhEl8ALyX0sGI6FiwOwqEsoVYHyutvHEVpfaz2Ob3lRP+y7Jp2UXkmwe+otUS2 -8SH3FDhboL3Z+6Rwl5CjlkNa0KIh7qC+Yy5JJJa8rWqpmaE3IB19nQdmXPPuAMui -Wzpubb40exetPA05udrkIW7oXe2RTeSteWEYBK7lLPNU58+U0Nz1lDZZaA5Eu67S -4mdSJ92cCakcyX2NUsuvh9A9iwQmA0Kb1ypSYxqeeAkqPXp12B+7+ggcCzEwr3Hb -BlECggEBAI6oXo79Br/y22x+b7OJ/ht1qJflVugizN7hz5oQa5FAPgFlUZfIPPCH -9AuDZrX1ez+B7H+wK1mz6yoSC0iVvVmDaFI2rRKXOLzWfcJg5KavEYlXSGuocAxR -IHKgUSJN1pcmqbONTKV+1h4tGlF1E+d5CW2BDXGNpYEEUkAnI/42XPmlh6ofyhHV -yclnrBxU50FpIOw/btXKxRyaNRvDBzRcJkuvXB8KpO+X2BKRC+XKVc9BGh1NUl1U -CJWhHD3vaJf4nIpZ6/trRwhp5cXu0qLLLoMn13JszZWWtfgt4i9Uv4qgEIdYiyAy -6B8UpmY7mrdYTVLyBVsTJGiP5CtCVxE= ------END PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQC9mE1ukT8FZc/uqiQWs0S62Imxyb0QCnCSmd7qYwTs1ePVPUEg +96sAzCGjub+Igz0U9KmElSNsmNXTkB/LwGyQcVf9OebkmSmD1ihY08o/cAak8CWC +sXNOA6bZUc1rcMapTHU2Tus3RnwcLs+bvuWiDhshdOhyoq3tsTygStTDFwIDAQAB +AoGAVhUcsyMHdi/v5PEjSZtDjYJbonlyeiIDUszCRbGHvvCubVdOhuVsowQMEgZ4 +TEcqKKWdgjEk0F3kWBaMGTrZD0OlvjkhRDvR53P6mvDuN1+rDo4NxYe3GPX+Rylw +YmkqJNkbspwPeu2tjD7gCRio/PiaQVAHmnZEi7JY0pjPH8ECQQDrh+3paJyZ3USt +d+znBZwvXOH5tdEd7TMeSRlaETJIR+H+9043v4jbk2myH6fq/Ga2qKNEHJwj3A/q +yYWHbdvPAkEAzhJkdmL61V03/Bs3EfV3q1K+7T7C+gBEJeXGgjfNbnPaKubej2R4 
+yrYX3WLVKNwAyn9QBdc1C/3Li7On1+6OOQJAJnf9E7JSYY8SOILt3o28BMBW6EIZ +9ZlYUAoAagWFAOk8sDgUPma6I6LgEIe7FVZEMHE6uVUy62h18RMZDBWVYQJBAMOD +WcOkxz1WEz7jB03HqgFnIXRwPob5Z67ZIYz8qrDnxA8+OdysQ5p4R44pLfp1OV7m +iaLw+whkhBEIo+9QC6kCQQDqJiutzJMhsp4hIDhB/hhmWlkbe5LZOFqLLejvSvhF ++vQb9bJ7OjcOD+xl6Zq0QZWg6PVtw+mV8rBqnvhn6Rgi +-----END RSA PRIVATE KEY----- diff --git a/test/UT/US899/key_san_mismatch_ip.pem b/test/UT/US899/key_san_mismatch_ip.pem index 6eab990..1e1cf9f 100644 --- a/test/UT/US899/key_san_mismatch_ip.pem +++ b/test/UT/US899/key_san_mismatch_ip.pem 
@@ -1,52 +1,15 @@ ------BEGIN PRIVATE KEY----- -MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCpN+xdCZDT1aEq -vNIod/3WTQeoofbAZT/eSow2FmGek5/oQZLXgJQdV06EsdaCC8lO+SWy8NZD6f2V -JZN3Me/G7d9Pkr3HhpW8bo9V5EwarJkto7DR9vYI+Vb2+ibjVImATpU6+0jEkAVQ -bW1b1+bxG27O7r9gsGQa1VlifNgT/OC7qie6zAzuDS2h6CKbgqrbmnzsMkpoEOmE -EmSLd4XTwKqEkHDqz0wmIKHR6bSueKr6Lho8aKabC4D/PxEfRkpBCnV20rd57lZv -tgqE+6YmUbFEeElgI0hvUaBXKau1IJUZdSJ1tKlss0K0mpp2+khyZbQVq/WDynPM -eVVLcynysMUA5qxr9RVHpTbFo7bMC4AqLJjVrLezmeYh+0Hkr0rWqyI2ElUmGeL/ -HewNcem1igUpiU6lDVduCVONhg4XG2QjCWEJvfOTb2ayEac+lk+SnM3cE0NxZi/u -75MY7LezYP3vXtDQe3X/Yo6qiklE8ssHu6s51b+DMC7TUfOwNhUOWX37KVIcTbRF -jeiVKvra7j/tBs81KzUJKqLWjVY9FuduDMhI/+x7EwaYbcrnqU/JzA/t3YU7OhAf -b1DWa5A0NfOmFsfy5EVEu0aUutC5fN8mPg/f0+fA86CFmrimNp1Lkn+acreW0dHm -u2HqZ/LRSB+tIP3INQl28zf6SOcr3wIDAQABAoIB/xqvrQpefNfweXU57ZBWJNAG -bveNjlJkyHGCQRzxM27s1AnHtwFKY98tpFyAE6l9r9g8+gBSX0XeHmrzkSXWqyvw -V5KUX4uzbJR4ElTxzyLKKYYxNlcdr2kaQ7rXhjtsxDh328+yriaDxy+hmcCg8YmD -ATziafaocUkzdViudbV6CLXB/LQyftyJX6jssbWsfEqAA4O+2Qww/ff5PucGAXlU -daPbui9DpP/v3zrcHe3ARxhkhzwszF/FTYiZDzhS3XcKDBLeS3B7xnEs8/k8Gt6u -6lnm+Lpx2wmVEh2x4xcW5DBl3zaItaziSAIpZJcimycfCxA3uN+1gUJKbMnEm+zC -xuswOV+6Uk/bF7RkTbAUBGae38kiY48rBPpYPb22ZQPo1GzPbAyXMmJgKIjRpgU+ -Mv3Zn8/FwIts5mTynT/xkT2JDQZHgLhrHJimVIm6CbekmvGzIFvbDS1lCvBQAT/8 -5AYVTGOn8p5QjQEE0ryCHTcwC91nsJEgDaqZikJFwr8Aq9nLR4kYPCZOZ6LyaWgK -tSiRAgAdjrXSPL+jr4KIaJxnj8yO7BHpJclNafn/sJB+jopzwgr589Tq3i99os/o -CsR7dq0ea27JsR010WxNVM/Jtt00Z1griBzIJ4bCeaIF9sfWxv9s5gG2IcChxasx -H5uoJlDf1zpslknCcNkCggEBAMk0X+Aj+ptj8DdlwFl8yXhKXAMm3bZypXrxEPV1 -mh63a1/rGH5R8UTF3jufAVykzaXeu7t9vCj+1L0SRCVAjXywkA/FVcprjph92uQQ -xbzEgz8YKjO0LCkfywoeOUSql+N7rhq1L61jxzHK88RKNpsgJKw5rghHXx+5whM9 -DIWGdflmYECCDGM57/M5CqSr1GhdPIWCxPmeszHjywCuSp6YzL0Njx+gT/vJ0D/C -AY0eqxxv6JRl5YQUH9qf6QTlXeM5yiBU6NfgObrPlp1RZT/T5fPfPxqm2wvTMHH3 -zoDnbKDffch7J42nOXDE9HkYEJ1iw0kwFRiDGHuF9ZMw4l0CggEBANdNiEEO4swk -95Atk1BkRoboKxjICo7WWmkeqaGwZPfn81/Xnu2hgJg/Wsx1hzEUERySWpfOFOBm 
-AVt2xg3xdetUqTNw3SAOLOBtyGc/Hpi4PIhMpCDCf0qAFCL5KZ6WKRaqF4gQbR98 -RnD3R9zZsTrGn5+f1mY9Ayu7RM3g0GT2ixSWPBPAi14xyqZ2dmPviS4BX3Fy3jEo -aZO/iOmDsK5JXd1eLN5V3HQaBlolV75S2SLbucJRCXBjSsGdYD9kKSudlv2QH1if -tiJ81hRanTSnr46YKkBSLfxbRP9GaPo1LzXUNQpJx2AtiDoxdKIsBkW68xGpkUPQ -sNYdpkHv22sCggEAd0tnYRTT/Jf3kFDzB9vV9E1aWsALiqZU+Ry/Klns5DNqJXfV -kOfyvgz3Y7A19YD9MVBrTJITItdcuTGAV/n7Kafh8ofVAuxcootUYg6TvwVgr+Ma -+obj/AoOr1QWLmFbJxRouQseVpanPx2PBJ3f3H/lXnvgdKYkf0H7EL8MkoqTniiV -/wlcYOS0ISh76AC9Mpe9T4emVD5FDtp5vVCZi4kbMyg76Mt7QNV6dKMJmmtJltW/ -N2Vm/LWV4WEYnr+DuDrGXf8aAwy+DcYRDft5pat0VvDRkHLHwy4XNitwM7uDC6sW -/+wNGo7Ant0X+khLaZVqJhWtHFh2Bp75aKj+PQKCAQEAmbVchTXfbOcnZuNivI4a -W838lqCaCQe3XDzr1edc7i/GbLI/YF9gs1DnvfhaIAu3e7Jwwtf5x4qLhYTyOJoe -GXhDo9n7xBrapw85d5x0d4twi85LjqfMwJ9XwPApanLButCMJDO19DiBAb1IrL8t -7ExJQWiXZD5CuUHlCSZrIOlyuavYEDHyTbk2eEkylH46bYHFZfUf8/BqD3U6hZvi -00rFnHjTh5e835aE2m62icYUBvLfV38LQhVhFYEJabhUPDMxzKzL9DVxjoWZQMbA -XQsqJp8z6t/AvN1cEPNvltHJdqCdjU7G7D8VdpZAMldD0xx41C8+6i9fUD2yqHhZ -KQKCAQEAvNBxaNFN3eMGjbqjN+Z8JprPGFBTxjiAhG/MJd+5MlbJVn5pQag/vWaW -UvOPCOOu1bCKyYb7wtpUBQk8xalTEwNHpRqzd9KZxN+tKma7SHFb8gSwchQ9zpH+ -OwlEmj6TflR8HzUV0YYeqSTwF/Wb3uqhWgfA4b6qDSBTHAR4KQ942Ymx3UZ9paHS -jGs097FuJuB5xWojPLQPH0Z7rvgct+0aJ8MNsUKhuxd9KQkrq9m7tajlN4LXAMXC -ZxLwrtjk+RiPrMmbgwVzLny1b6qoL/EGe4X3MLPwbFE0g0ztmuRfXltqULsfTNQi -iOArdHWiwdokB1ihlJ4K2Y+IDBmk0Q== ------END PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQDGZb/yn/1nlvn4aWuDyMbZqFMDDrV8efmDBW9g2AzsM7cqlUjS +69C6zd4McezG76vqTtBNRuHQTZ1MMUBpCQLRZgzCvmvl6vUVOBayNCCNGe5hsEzT +WezDZP02VONJL+6L4wZC7tevXTFsQ8a0QUDc4rPt9pXxnOxy2ZwHrzLMQQIDAQAB +AoGAYlsLH9NlIzfb0OUiYgDlY/5ouPlPy9gEdIn7P32cWnUA92Fu6vHxVsq8rFrG +UZF8HvrXlZfwVv5DXwSDtA69kAXKWgcStRK6idBLZZjpQqg/a05ajTuSaxeBh/PV +63Ddff5W+GDnaFIsDxjSEscafYNFoYD6uaq9EuzbOjpSsOECQQD1kmH9s4Io9QFB +wQ9WEpzc1GdoOq6RVTyWkGoA1Vvzb+3DphjlLK1OpFLzIEXFdOuqWdCul+MTsqEu +U/k+V651AkEAztKIlF6YcY4jajrtEppaD+uyqPjiwO+YwY+dBpXuELmwtBEtDHV/ 
+Y5kMu5BLNNND5GFzqmNNIkCxRQ25lXTFHQJAKDPLuQXvNBdQGlypzxSC+6AGQckB +lSdYIOoJgJNtV0Ams5X4k2QqByrdrZHF+lp2zk+f20VgVnQy8OusbSlblQJAeJFZ +F41RtxkSYjI51BdxG0je3QxCPBEw7t3Gv3kV0GA/t6kvpsy0V554QrtqbEAgmvmI +kTLUW3x1GvlWT99DrQJBAJH+dTB8xvxHxTC/KxErx48imZGZ/lqlpAeADY7ZMv2i +Aidlu36/giQLmVPPpGdHbXmrXsR7PRn/woak5PZG8TI= +-----END RSA PRIVATE KEY----- diff --git a/test/UT/US899/key_san_mismatch_wc.pem b/test/UT/US899/key_san_mismatch_wc.pem index 527fc44..6a969e6 100644 --- a/test/UT/US899/key_san_mismatch_wc.pem +++ b/test/UT/US899/key_san_mismatch_wc.pem 
@@ -1,52 +1,15 @@ ------BEGIN PRIVATE KEY----- -MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCiSg4LFAZN9TtT -nHf22GXIUUJfs2dj6Fs8U46nxkUsCbFRe8vtM87aPeQZ8Ui1A56MuhiJRXhE53Ge -sJwUzC3mQiR1ECaWRM8dn79vFHICFaoeWn1F8JFsB8TCIJUcCUeB5SmeikXdUqP8 -Itr/378w2gzh9KY/esP4x2QG/CNNDwsKioXH/sEfVS/HtaiEJT3+w5BedJkb+3sh -9Wm7+Zl/O/dcXZpDqQSHzXsPUzacPMdAnQIrkjCH4hmD/qQP9bViXgmaOkeGD9sN -GJG8aZzFVMU48XcKmthVwFWRbDc2GYZZFbHwf6XrpZMMSIrEPCWnLiDVPMvlQsBr -owriD948L9xtPSPRbj8d3eUABavXBwrquGwi04BtqZLyoP2hUPZhpmDznnqj8dbI -LLsBqFPyaDm7t4QPjPm56n9YMz1d3GlmB+8aJbkL02SCsEN8oG3DKAXZmeHWjJH3 -mKBQvVNdpahK3YSi+DyaOzhZAMihvLeBQEkzOgVKdcGRpuhclq0zLgyNMydRGNxu -MFIiO/mbMpOVzSF5vs1YpRvnBxuel7mhxNuY/uVZzbWBsKK3gFQ1Tr6Dd4DJgdIe -u1nN7XE1ssSHO4RveM7CKFilraXnnqQ+0TicSTB3gvYgPMKQhKS4HP6K8Ue8t4eQ -vKb9rS4NoTsm4IBbrQ/9A8EtrB9sawIDAQABAoICABnjc1sMDjdoa9baKn7rpUzv -vYVTsqYK3mcAs0yLQeSVBT7I306PCavh3J3Q0jbiBWxQkXJwbQ+c1hCo/rUInzfQ -jE1KTsWA44NHxPt8yPURLKqb58j8583SbW5EUVUAG/KaMmnyh9OXB8bEbqgLss2h -sxVmeBC/TjzE3e2JUj5MLIg5cb7mIjuT1MPodCHkaP/XhZOzyOrgUpOnuP6+AeD8 -mWiYG/A4KZtaSYu3zAnfXi+t/DckIm7CwCxAtj4/hXhUJPb/3gICTIDJzxG9zT7j -V3TOfB1qdyEyxdOlbidIqhhS8Cg7zKWLK6p1dgF40M7a+mzZvnLrk5N4FlfajSpO -gFyYSlvTdfUFJKFt1wYT4c1k3tOAUhZBxoIDYTUdioWW/9R3lqT8poZmFZQ1UUUs -Do6d5OPFcDHea3fhNXN7rbves09GKSCdPIcH+2xiB7jQ/c8SAgd6P1/W0MzPqI9F -QhOEBc2UzCs/DWa6PGgehbepZaYZswfOS8TEU5rm9DcCtwDytwsxoltFokgAN6z7 -593EhJIVfBTA6PibaeptYa+dlLsJtzHlVDoQ+9IcV1tY1eF04wAO/UeOY9ysXrxX -WjzXfjqVLudNOcMfVczU6vKGUsMHaPSod7ghdj78i8dj4IL/PVV+gz5RPwD4Plf1 -+ArZOodu3ILXSEO8H9J1AoIBAQDc7JBvpBmEBcwltwFIMWkE+SjrTZxTZLpnSPKl -7/SO6GXgp0i7QNc8goXhMmnlKePj0z2MXhCNLz6dbFn6jYdJzGKNLnc9mikzBMV6 -iWxrdKpY9EYs3tBFp8/fcBAAbQv/cQbTuub+O5O7zoonNYTimQdrFiEMMC5QNKUh -IoHZLMVY70OJB0Fu4Rw0+XgcRJRSZssnVcpN59iGmf1Un5iMyk5odV0uHRbDfVIc -RbvVG82zDtNg5mM6VsbcWY5sB1tfS6ZGmjSPTnvuITyLFGqyOpRNgNDB6u4XLEz/ -trzcjyBYFZa3Fed4c5P8UEq7UQokEkmqM1WXmfCXfmo7Yk7NAoIBAQC8DkkLR+jY -Mco3xAzPBj2Zdqx4AlHGs8Z1zajoTZxVV0hE+Wh+MH4iZOvUHFcxSHtteZBjW7qZ 
-SfdM/hLiWYEcFBGJZC+idRXR64qbbDXCTCxLm1ati4crjdMXaUraIM7bKSFJ5ku/ -+cz1vlF5B/fwhDcUCbZhePPoDKWbDiWbpTvkkL2B6u0uja6Ex1e/2SPtdn5P4wG6 -ed+9ylIZwhKfLUDkIolIHUD1Oya/Ln35B11hTbU8fFSsXDgVLju0T+QxM1ru8DpD -7qAqTFzzSSMJ077VCE/muPq5fSQ5mLbgi4Yr4WcgcDuIWYwGf5yR3crOUmkvjsR/ -d4ytz2FGQ7gXAoIBADo1ysjfwCldLbEySxAulLFOxU1aoboHbGYSfnzigNm2ukE7 -UpqkNxImgggYNHbBVt6Mpkb58fqBXEo2Zm7yI5d6Vu1ENP7yQ7DBrRbgZsTZdJkD -pAnmm5H+6XLCIDU8hlDEAzx+nqaWJBL0FMrH+z+Jer7okcSYXVucw3W7leMXPNh2 -EqFkXAVPIxOCN/eaykn788Nlg2yLji3JHUrS0msmUwqLAgZIe9r+hkgUx60bKlPn -sCJ0EekpPDSLFE+6kITHdgRcVUT9NQJFl6I9uu9DKBhTvK2brShF7/PgvlqPC8Kp -zZBoIRlHutJchZRdggKHHwnNhNvxH8eK84q6GHECggEAebyhqmzVnca1il4ekJIQ -pFy/jzypJYFRUwdcdW1wa4qCHSx7aV0I+kjspTXnd97dD+RnBPrnk73fGndLUD3y -p3OSWqeBcqBrDKZ25uAo+OuIrTUU6mltilNYOEqQCx676gH5K7aqiM8z0E1wvnHb -HlbotM8IwpajBi/RsMt6qwRO/kp4czbabY2IUSoecvIlIN7ZK+vfPZERtvHXLheF -KIgJ/uUgi49scpPlJFP7do8+8vN0BIDT63QTVhrEyZgCN5twHUdj4IAELP2cGl3Z -Ec6CNbQYzVon7JXHMoXatQd9RsC2mrgswbp+O+K2P3Mdi2yr7P5107JXXljmNq81 -5wKCAQEAhzFaEK8i+hBHzZ+OQm9u7HL7RKhXM11GMzG2kka4rpiCZs/wizZwsAbR -2jX+24JdtRu37ueEEF1lBj3i88yrSdpC2pCeB90YICMd9lRpLjRDltk3B6oIoKp1 -M9jJ9fEVgU1zo8lyI+rhCStc1h0lh7HVl227OXb5DN+WSIWSSl/6ROkO5DjIBrLw -tvUWqS1c1H6jFPPVs8AL0MoKy9fgQuMO/ycp6DaGCiJmUtJeDxlk5qa57fSvoPpr -Y5johJx32SeeuoOkm27/jtK2GGJWe4mxosTSvQVUjuwb2i9iYcu7UUOzUdQVRaC/ -m6KzclcJs5G8DhwSag7HkmMUoRTdaA== ------END PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQCgQmtzWAzyhW6vULMZRKFEAxUr4vULNCCjyPLVA5xfgPftKfWe +1A5fZJmi8d2O0VuZhUgab30dUNMTe0jfLGBiS1qLGS8Aw7MJHAlRJ+ur7fsGYjFp ++x75ERJ13aT5ipnp9EiW24m4ZPxVf19PG4kHDAW4qk3G5kHuesP0JZNlUwIDAQAB +AoGACOzqExh6UB+CVJ1H/EZIPQN28GTJhQA4OSb970MuOFt0c2780QW6bzGpJNwX +nNaoJVq480/2ReW0e8dH/bX5ACnf/sZnLdhhOQ450ltB7KD+/B8U0nHwL5t0m8yj +cq3CbYDa+xHc9DJOBc0bGzCPwHcMVPrutwk/uSbxwdKSk4ECQQDUTRIrWX+SlRyL +84ImjwH8eS3Ak/WxyTy0kA88tzDrS6zjUKtYnVbdRhKP793p1qCAbRqG3mO8npGw +2kVSfs+zAkEAwT8VcmVoiNp97OKRWW8wHvuqef3bDdCB5Gtyvrg/NZoJxrrECQYM 
+A9bMLzJDETpBCTnKYFXcFNMHCNUCQ7FD4QJBAMsghr7lXfNxKiQZtDCSafMYOpdk
+uhMGGUgmAf40xOCMwnmoaJlbyY3jisUfWzNugJkASv458DG7gmg1H1jELpMCQEW9
+4puahZN+Zxvq2NISEqfb47aLK1dc/MPXE15JWGab5RNXrBAloohwKNiPpyy8fWQ6
++xKxafAKCOvjFCIiA4ECQQC0zNtjb+4T/zG25PzfRB8qTppRWi0gH+8TXExXuW92
+8icrxcynK0GXTZehoC5LnTeijixA/3Z2FPhYQmnq/GJi
+-----END RSA PRIVATE KEY-----
diff --git a/test/UT/US900/us900.c b/test/UT/US900/us900.c
index 88333c4..33c4cdc 100644
--- a/test/UT/US900/us900.c
+++ b/test/UT/US900/us900.c
@@ -144,7 +144,6 @@ static int us900_destroy_suite (void)
 
 static unsigned char * handle_correct_csrattrs_request (int *csr_len,
 char *path_seg,
- X509 *peer_cert,
 void *app_data)
 {
 unsigned char *csr_data;
@@ -158,7 +157,6 @@ static unsigned char * handle_correct_csrattrs_request (int *csr_len,
 
 static unsigned char * handle_corrupt_csrattrs_request (int *csr_len,
 char *path_seg,
- X509 *peer_cert,
 void *app_data)
 {
 unsigned char *csr_data;
@@ -172,7 +170,6 @@ static unsigned char * handle_corrupt_csrattrs_request (int *csr_len,
 
 static unsigned char * handle_short_csrattrs_request (int *csr_len,
 char *path_seg,
- X509 *peer_cert,
 void *app_data)
 {
 unsigned char *csr_data;
@@ -186,7 +183,6 @@ static unsigned char * handle_short_csrattrs_request (int *csr_len,
 
 static unsigned char * handle_long_csrattrs_request (int *csr_len,
 char *path_seg,
- X509 *peer_cert,
 void *app_data)
 {
 unsigned char *csr_data;
@@ -200,7 +196,6 @@ static unsigned char * handle_long_csrattrs_request (int *csr_len,
 
 static unsigned char * handle_nopop_csrattrs_request (int *csr_len,
 char *path_seg,
- X509 *peer_cert,
 void *app_data)
 {
 unsigned char *csr_data;
@@ -214,7 +209,6 @@ static unsigned char * handle_nopop_csrattrs_request (int *csr_len,
 
 static unsigned char * handle_empty_csrattrs_request (int *csr_len,
 char *path_seg,
- X509 *peer_cert,
 void *app_data)
 {
 unsigned char *csr_data;
diff --git a/test/UT/US901/revoked-cert.pem b/test/UT/US901/revoked-cert.pem
index 63e027a..6dee36c 100644
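Review bot: Removing `X509 *peer_cert` from the six `handle_*_csrattrs_request` callbacks in us900.c changes their function type, so they only compile cleanly if the CSR-attributes callback prototype they are registered against (not in this diff) was reverted in the same commit. If the library header still declares the four-argument form, registering them becomes an incompatible-pointer-type assignment that GCC only warns about by default, and the library would then invoke them with one argument more than they accept. Worth confirming the matching prototype change is present and building the tests with `-Werror=incompatible-pointer-types` so such a mismatch fails the build. Each handler body continues outside its hunk, so the visible context shows only that the parameter is gone from the signature.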
--- a/test/UT/US901/revoked-cert.pem
+++ b/test/UT/US901/revoked-cert.pem
@@ -1,83 +1,43 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 1222 (0x4c6) - Signature Algorithm: ecdsa-with-SHA256 + Serial Number: 6 (0x6) + Signature Algorithm: ecdsa-with-SHA1 Issuer: CN=estExampleCA Validity - Not Before: Feb 6 15:23:17 2017 GMT - Not After : Jan 19 15:23:17 2029 GMT + Not Before: Jul 2 17:33:45 2013 GMT + Not After : Jul 2 17:33:45 2014 GMT Subject: CN=revoked-cert-test Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - Modulus: - 00:b4:5a:ea:a2:72:74:22:a2:b1:65:d7:17:22:79: - a3:f2:df:7c:06:1e:b0:54:1b:a9:85:04:6d:da:dd: - 32:30:eb:06:37:15:ee:0c:e2:44:c3:40:e7:02:d3: - 00:7e:11:58:d1:43:6c:23:d1:9c:87:a8:34:22:c1: - a4:7b:e7:ca:6d:96:9b:08:df:a1:da:ac:ae:69:7a: - 15:98:3b:32:fe:94:c9:eb:52:ff:61:c2:ac:2b:eb: - c4:24:9d:cb:f6:cb:04:0c:d8:66:68:37:fe:4e:e5: - b0:99:57:e9:8c:b2:13:cf:f4:82:ff:a6:86:2f:6a: - 01:31:d8:8e:4e:36:bc:19:8b:18:ed:3f:de:c2:cc: - 7a:e9:f4:ca:40:0b:d6:b5:b7:65:9c:c6:12:3b:cd: - e1:43:6d:2e:b9:5b:0d:b1:f9:38:a7:ae:11:41:48: - 93:b4:af:97:c4:17:3b:18:f5:15:41:1a:48:57:81: - 75:67:6f:97:bc:66:a4:e6:83:d3:a5:02:54:65:16: - 91:9b:27:77:11:85:2b:c8:79:19:3b:3b:d4:5c:f4: - f4:83:ac:f6:19:7c:f7:ee:d7:56:86:77:89:fc:b3: - c4:70:72:2f:7f:2c:1f:2b:72:b7:8e:ec:05:22:72: - a9:35:3f:53:ad:c1:9d:05:ec:bc:69:14:48:54:16: - 3c:0f:74:03:cf:7b:a4:40:b9:be:cf:85:d7:5f:7b: - fc:34:5b:50:e1:1e:69:e1:dc:d3:95:3b:d0:61:c4: - 1c:bb:27:10:e0:81:d8:da:87:f2:db:e9:26:7b:e1: - 60:92:d0:a5:61:09:e0:ea:f9:b4:f5:d8:2f:d5:14: - 2b:50:5f:a1:2e:ad:42:9b:b2:7d:bb:66:4d:cc:70: - 09:7c:c0:a9:58:ca:2b:4a:6a:30:69:45:7f:1f:a5: - d6:1f:90:49:57:4a:10:c5:47:79:e7:6f:b5:d0:39: - 31:3d:b5:5e:01:ec:11:c5:e0:c6:7b:fa:43:59:84: - 25:da:1b:23:92:9b:90:ce:2d:da:a1:f7:da:6c:9e: - 38:88:8e:fb:44:96:ef:09:94:85:e3:35:ec:74:1d: - ff:f6:ac:9a:a9:34:fb:79:b9:57:fa:ce:19:7c:be: - 84:a4:10:aa:46:28:e0:21:bc:a3:62:95:65:4c:a7: - cc:d3:cb:6a:85:a1:bd:f8:98:e6:f7:ff:85:7a:25: - 39:b5:6e:39:aa:7a:c5:02:24:89:d9:82:9b:eb:39: - 
44:15:d7:3c:ac:d9:b1:3b:60:bc:9e:a9:de:c6:53: - 4c:c5:b0:28:eb:98:d3:56:df:9a:e7:2d:ce:62:f6: - c1:ab:cc:77:04:a3:7e:7f:14:9a:19:f4:47:66:40: - 81:aa:95 - Exponent: 65537 (0x10001) + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:aa:2d:4b:3b:6f:1f:b3:39:64:fe:41:73:56:6f: + 8c:fb:40:29:20:0d:b1:51:3c:1b:cd:af:50:01:b1: + a9:c9:2f:b6:2c:a3:b3:f6:d8:da:6e:4a:37:e9:60: + 6b:25:1d:49:bf:f1:e8:0b:a4:c1:56:80:ec:b8:55: + b6:87:ca:9b:03 + ASN1 OID: prime256v1 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Subject Key Identifier: - FF:CF:43:42:AA:8F:68:21:4B:EC:F5:79:0E:B8:4D:FC:B4:4C:EA:80 + 8B:E8:5A:FA:80:34:AF:ED:C3:03:4D:D8:5F:6B:7C:CB:1E:01:C7:69 X509v3 Authority Key Identifier: keyid:66:E5:56:CA:93:2B:02:0B:57:A4:D4:E2:ED:5F:CA:A4:EE:7D:83:F9 - Signature Algorithm: ecdsa-with-SHA256 - 30:45:02:20:14:84:2c:85:af:36:6d:7e:c6:77:06:73:87:b9: - 2a:5f:8e:f6:c4:90:31:f1:6e:c3:2b:1d:bf:0f:71:e4:06:1a: - 02:21:00:bf:cc:6f:e5:95:a8:21:87:03:c3:cc:b6:d5:df:0f: - 7a:4f:dc:e0:42:26:55:50:19:b5:39:c6:60:12:2e:8d:ed + Signature Algorithm: ecdsa-with-SHA1 + 30:45:02:21:00:f7:c9:92:ec:ee:a9:38:d0:01:ab:54:5b:07: + c4:e0:d0:dc:09:36:95:7a:ab:13:c5:74:80:60:0a:67:a0:51: + ef:02:20:4c:17:99:f4:cf:3a:b3:dc:0a:92:3d:4f:9f:55:a1: + 91:44:76:ca:83:5f:dd:a4:bc:fd:12:d8:35:61:df:69:af -----BEGIN CERTIFICATE----- -MIIDOzCCAuGgAwIBAgICBMYwCgYIKoZIzj0EAwIwFzEVMBMGA1UEAxMMZXN0RXhh -bXBsZUNBMB4XDTE3MDIwNjE1MjMxN1oXDTI5MDExOTE1MjMxN1owHDEaMBgGA1UE -AwwRcmV2b2tlZC1jZXJ0LXRlc3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK -AoICAQC0WuqicnQiorFl1xcieaPy33wGHrBUG6mFBG3a3TIw6wY3Fe4M4kTDQOcC -0wB+EVjRQ2wj0ZyHqDQiwaR758ptlpsI36HarK5pehWYOzL+lMnrUv9hwqwr68Qk -ncv2ywQM2GZoN/5O5bCZV+mMshPP9IL/poYvagEx2I5ONrwZixjtP97CzHrp9MpA -C9a1t2WcxhI7zeFDbS65Ww2x+TinrhFBSJO0r5fEFzsY9RVBGkhXgXVnb5e8ZqTm -g9OlAlRlFpGbJ3cRhSvIeRk7O9Rc9PSDrPYZfPfu11aGd4n8s8Rwci9/LB8rcreO -7AUicqk1P1OtwZ0F7LxpFEhUFjwPdAPPe6RAub7Phddfe/w0W1DhHmnh3NOVO9Bh 
-xBy7JxDggdjah/Lb6SZ74WCS0KVhCeDq+bT12C/VFCtQX6EurUKbsn27Zk3McAl8 -wKlYyitKajBpRX8fpdYfkElXShDFR3nnb7XQOTE9tV4B7BHF4MZ7+kNZhCXaGyOS -m5DOLdqh99psnjiIjvtElu8JlIXjNex0Hf/2rJqpNPt5uVf6zhl8voSkEKpGKOAh -vKNilWVMp8zTy2qFob34mOb3/4V6JTm1bjmqesUCJInZgpvrOUQV1zys2bE7YLye -qd7GU0zFsCjrmNNW35rnLc5i9sGrzHcEo35/FJoZ9EdmQIGqlQIDAQABo00wSzAJ -BgNVHRMEAjAAMB0GA1UdDgQWBBT/z0NCqo9oIUvs9XkOuE38tEzqgDAfBgNVHSME -GDAWgBRm5VbKkysCC1ek1OLtX8qk7n2D+TAKBggqhkjOPQQDAgNIADBFAiAUhCyF -rzZtfsZ3BnOHuSpfjvbEkDHxbsMrHb8PceQGGgIhAL/Mb+WVqCGHA8PMttXfD3pP -3OBCJlVQGbU5xmASLo3t +MIIBbTCCARSgAwIBAgIBBjAJBgcqhkjOPQQBMBcxFTATBgNVBAMTDGVzdEV4YW1w +bGVDQTAeFw0xMzA3MDIxNzMzNDVaFw0xNDA3MDIxNzMzNDVaMBwxGjAYBgNVBAMM +EXJldm9rZWQtY2VydC10ZXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqi1L +O28fszlk/kFzVm+M+0ApIA2xUTwbza9QAbGpyS+2LKOz9tjabko36WBrJR1Jv/Ho +C6TBVoDsuFW2h8qbA6NNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUi+ha+oA0r+3D +A03YX2t8yx4Bx2kwHwYDVR0jBBgwFoAUZuVWypMrAgtXpNTi7V/KpO59g/kwCQYH +KoZIzj0EAQNIADBFAiEA98mS7O6pONABq1RbB8Tg0NwJNpV6qxPFdIBgCmegUe8C +IEwXmfTPOrPcCpI9T59VoZFEdsqDX92kvP0S2DVh32mv -----END CERTIFICATE----- diff --git a/test/UT/US901/revoked-key.pem b/test/UT/US901/revoked-key.pem index 9e02b21..49ef810 100644 --- a/test/UT/US901/revoked-key.pem +++ b/test/UT/US901/revoked-key.pem 
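Review bot: The replacement revoked-cert-test certificate carries a validity window of Jul 2 2013 to Jul 2 2014, so any verifier checking it today rejects it as expired before the CRL is ever consulted, and a revocation test can pass without proving that CRL checking works. It is also signed with ecdsa-with-SHA1, which OpenSSL 3.x refuses at its default security level, giving a second failure reason unrelated to revocation; a fixture re-issued from the same estExampleCA with a long validity and a SHA-256 signature would remove both. Since us901 regenerates crl.pem with `openssl ca -gencrl` from the CA's index, also confirm that index marks serial 6 as revoked; that file is not in the diff.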
@@ -1,52 +1,8 @@ ------BEGIN PRIVATE KEY----- -MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC0WuqicnQiorFl -1xcieaPy33wGHrBUG6mFBG3a3TIw6wY3Fe4M4kTDQOcC0wB+EVjRQ2wj0ZyHqDQi -waR758ptlpsI36HarK5pehWYOzL+lMnrUv9hwqwr68Qkncv2ywQM2GZoN/5O5bCZ -V+mMshPP9IL/poYvagEx2I5ONrwZixjtP97CzHrp9MpAC9a1t2WcxhI7zeFDbS65 -Ww2x+TinrhFBSJO0r5fEFzsY9RVBGkhXgXVnb5e8ZqTmg9OlAlRlFpGbJ3cRhSvI -eRk7O9Rc9PSDrPYZfPfu11aGd4n8s8Rwci9/LB8rcreO7AUicqk1P1OtwZ0F7Lxp -FEhUFjwPdAPPe6RAub7Phddfe/w0W1DhHmnh3NOVO9BhxBy7JxDggdjah/Lb6SZ7 -4WCS0KVhCeDq+bT12C/VFCtQX6EurUKbsn27Zk3McAl8wKlYyitKajBpRX8fpdYf -kElXShDFR3nnb7XQOTE9tV4B7BHF4MZ7+kNZhCXaGyOSm5DOLdqh99psnjiIjvtE -lu8JlIXjNex0Hf/2rJqpNPt5uVf6zhl8voSkEKpGKOAhvKNilWVMp8zTy2qFob34 -mOb3/4V6JTm1bjmqesUCJInZgpvrOUQV1zys2bE7YLyeqd7GU0zFsCjrmNNW35rn -Lc5i9sGrzHcEo35/FJoZ9EdmQIGqlQIDAQABAoICAAIIRj2XYZSkVbBqmJGkYkMR -3qFpBh6kgygDEUPWm0Ku206SmjCd+h1jJVdETmydQG13P4g1y/hBXnkHypU02vSa -LlwOvRGsQXjhzc192UjCH3Zd5I/S9EK4cOjiuFIrHnwQkjLZcq2r6+4GbhTOSufc -fv9nfnqZTLMlmBDsj/kPtrOxtQ5n5Hivb/oByCUbEHOQTdNLsh6i49Rl4MUhJFDL -Ztlf+n4ePm0Qv/M7i8ZEiA0oYczNFp4iX/hTAvcIjC/pbbGcY7yYThJ/vteKiI2V -mw3CzLEj1d1kos54GV92HSARQVTDCATi0Yu0QCiPtzVo5cX++QiAjuz2NAxyhbG4 -Ck9vnHppiq9U6KGkrCCO0iH+TEIAc/ut4Bv9VtylEuR0v9kHYAZ7u1QO+rAL8Diw -mhUafmOlUkfnC35zdGHmxxRtTdlK4pboiYP1eFhPSU1VYK5Ls6WIEx/tt22/h0Vo -tgOwnU8PJDc1/bBR2srkkOAPzi0sj3apIQxC8YDIC18UF4Gxa5VY4OnBZKQG/Yxi -EE4js38gRdHYdSMY9bwJfN9yhoYDSBxNHVAeiSF1/UswpPEIHsPua+mBmaTeXDBq -MLHQmlebzcNxMn26QlZF4J9uPtmSZy3kY+3sOd9Bv7z9DY9ObUigVH3kPduNW6IC -B11EWYLhyY4iHFujHMKfAoIBAQDckALYmmmzoMelZCy/Ncycaw8JEVF/t9WZsHPU -kwZHy7WdBAbPOqqyezYIULCe40XL5iaHJIpulaZVhzivtoUfoasWWzyLt0Dz6V51 -UZVJK2qItzE4Lrc0EbX3q4Zbf1Uyx66HKMQN0eLEmQ6dhIyzQRlDIhOGIZVho11n -8X6/jt+bDrF2yBRrM/2pjvZxJ9U7QBGDxmvKqGYrsPNpjkpDDFgeZxoTfq0e1HeE -CNfkbKsjN7YpC/hhbgWBoNbhsJz36n8LnuZiMJG5VNjL87EjePqRNqcRXsASYxWq -ErmDPTcM0ltqVffV6Qd25kgSHxTz0kv11m96iL19w9Sr0ePHAoIBAQDRVSESsGV9 -VKv7gFpSx7ZHlaLKNZ8yTXJhM4/WoXUccNW+EyCZrPmpINwDcO+rgyUuzlM9h4gc 
-f5YbO2f0Q6CogBxT762SAY6772pjgL6a9Zta+AhBVNVjgB8fKmT3OkcCWbAcYBiq -f0xPRBAQSg+hCRFdF5MKGgfbDa2qQfvfQBqY6OyTq8+rDfJpgvDGRBmNlk10ZJY6 -iKqWjnLdoBfEc/JlirhVhd7793pvolexOsdS91RiIukMXoiqX8rMshqTXAlkHCp6 -5im3Ucz54nPmr3Dw/1OEdx/ERarquP2EqpmhPdOb/92y0YPx7IJ3YG0E4qtCGVWx -1cPhSOYsYYbDAoIBAAhUW/coJbPF76Q8W0BBXN/PXzr9b3F+VM/ADS/K+aK+e7ZZ -T5SF56pj4s9/lJv7g0hHAc96vsucVTLHr4lbQD3Ikjh+65NvMUHE329YzGV+AUD2 -giJYCU0rGg8naCSOc34+ckXicT0AXysDiLzEI7glTjnt0ITxQb31OHLTePDtCV7G -uEb/GV5PEVZU8tOlKHVbXw318V4u6+TcguTKnd1YWv+S7zYrQ4h1h6nx141l2TS0 -RunX7OJpEEYr99GAJP1r2q5qqtKseORh4uoY4uivCe9v+/E4/dHz8f6BRIZDSo/u -ZctnQbvPWBvSaIheqiDnIT1AgudCwL0+JwryG0MCggEBAJs+Uf/FOA8hq0Yio1m+ -6KzgCVGDQOQSUaBKmALpzKth9vI2xzeQ87p9Nw2KRQRih0HWHB+Gkufnqw/ZF7gs -K0qrb9bD6mpco1k3LiRLB5BuU1+8kIq6+mIHU41OaIB9BMp2b0gr8D8JlzM129/o -vPyFeA4c/JxCP88xrriUpNGlfdQm8cR2Z9WIy116kUvIl1bMv/Zw3oTcc/6h+Afq -wZWdE4hAv4IVfRBKMc/2iqhSWh5qdHcvQrw8o4gO8Jyr/U+JsyE+TjbE2O0uSiCL -076iH9Vq1apomfN6Y04eEU3BI5xT+Mo5kFYcUYkqCHu11EQKQk4L8eSoDtPVt3X0 -gfcCggEBAI2rCdq3Ye+uPnn7bp6Htmqe38V2VFbXqZo9gM7KANF6L0uGWyB/AsLK -PwoObYdfzVSVvCWOGpkDB/kXgCRpO4nv9r84X2n6HYfvSJXLO+U54OEYXdFKy626 -F+J7/+Dhf6AWUMKxDdXw5VdIWupyjVZxpAZq4s4aMbfIqeUTIPzAfHKk5KtQ2k1N -REWQ607L9/PUOjo70HYyHCcbEoOWFzLJgv2hBkLCjjRJB6Rjt7SmJLMy9KX3cmWq -IBZzkKV4IrYKENJx5ugA6ss0XjiNlXlaC10I6y3EIJAclZOJtmrz5BAEtqCPCPn4 -5hs4Ul/Rz9la6PLHTkQD+Tzk9MZmSg0= ------END PRIVATE KEY----- +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIAKkMGURZyfDKEQLSvEJpe+G/O0Hs79KH00fTbNPEnCwoAoGCCqGSM49 +AwEHoUQDQgAEqi1LO28fszlk/kFzVm+M+0ApIA2xUTwbza9QAbGpyS+2LKOz9tja +bko36WBrJR1Jv/HoC6TBVoDsuFW2h8qbAw== +-----END EC PRIVATE KEY----- diff --git a/test/UT/US901/us901.c b/test/UT/US901/us901.c index 9e13891..3243aac 100644 --- a/test/UT/US901/us901.c +++ b/test/UT/US901/us901.c 
@@ -66,7 +66,7 @@ static char test5_outfile[FILENAME_MAX] = "US901\\test5.crt"; static void us901_clean(void) { char cmd[200]; - sprintf(cmd, "rm -f %s", test5_outfile); + sprintf(cmd, "rm %s", test5_outfile); system(cmd); } @@ -119,15 +119,17 @@ static int us901_start_server(char server_type) { st_enable_http_digest_auth(); break; case 'C': - system("openssl ca -config CA/estExampleCA.cnf -gencrl -out CA/estCA/crl.pem"); + system( + "openssl ca -config CA/estExampleCA.cnf -gencrl -out CA/estCA/crl.pem"); SLEEP(1); system( "cat CA/trustedcerts.crt CA/estCA/crl.pem > US901/trustedcertsandcrl.crt"); SLEEP(1); - rv = st_start_crl(US901_SERVER_PORT, + rv = st_start(US901_SERVER_PORT, US901_SERVER_CERTKEY, US901_SERVER_CERTKEY, "estrealm", "CA/estCA/cacert.crt", "US901/trustedcertsandcrl.crt", "CA/estExampleCA.cnf", 0, 0, 0); + st_enable_crl(); st_disable_http_auth(); break; case 'N': @@ -517,7 +519,7 @@ static void us901_test12(void) { long rv; int st_rv; - st_rv = us901_start_server('C'); + st_rv = us901_start_server('R'); if (st_rv) { return; } diff --git a/test/UT/runtest.c b/test/UT/runtest.c index ecd606f..01dcba7 100644 --- a/test/UT/runtest.c +++ b/test/UT/runtest.c @@ -35,7 +35,6 @@ extern int us1005_add_suite(void); extern int us1883_add_suite(void); extern int us1060c_add_suite(void); extern int us3496_add_suite(void); -extern int us3646_add_suite(void); extern int us748_add_suite(void); extern int us893_add_suite(void); extern int us894_add_suite(void); @@ -52,8 +51,6 @@ extern int us2174_add_suite(void); extern int us3512_add_suite(void); extern int us3612_add_suite(void); extern int us4020_add_suite(void); -extern int us4778_add_suite(void); -extern int us4784_add_suite(void); #if (DISABLE_SUITE != 0) extern int us1060_add_suite(void); #endif 
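Review bot: `sprintf(cmd, "rm %s", test5_outfile)` formats a `FILENAME_MAX`-sized buffer into `char cmd[200]` with no bound; with the current literal initializer it fits, but nothing enforces that, so `snprintf(cmd, sizeof cmd, "rm %s", test5_outfile);` is the form to use here. Dropping `-f` also means `rm` now prints an error whenever test5.crt was never created, which is noise rather than a failure; keep `-f` unless the clean step is meant to flag a missing file. The command still goes through `system()`, so the path must never be built from untrusted input — acceptable for a fixed test fixture, but worth a one-line comment saying so.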
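Review bot: In the 'C' case CRL checking is now switched on with `st_enable_crl()` only after `st_start()` has returned, whereas the `st_start_crl` path it replaces passed the flag into `st_start_internal` so that `est_enable_crl(ectx)` ran before the server was brought up. If `st_start` already has the listener accepting connections when it returns, there is a window in which a client presenting the revoked certificate is admitted without a revocation check, and if the library only reads the CRL flag when it builds the verify store, enabling it afterwards may never take effect. Confirm with the revoked-cert test that the handshake fails specifically for revocation (`X509_V_ERR_CERT_REVOKED`) rather than for any reason, or move `st_enable_crl()` ahead of `st_start()` if the helper permits it. `us901_start_server` continues outside the hunk.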
@@ -315,13 +312,6 @@ int main(int argc, char *argv[]) { exit(1); } #endif -#ifdef ENABLE_ALL_SUITES - rv = us3646_add_suite(); - if (rv != CUE_SUCCESS) { - printf("\nFailed to add test suite for US3646 (%d)", rv); - exit(1); - } -#endif #ifdef ENABLE_ALL_SUITES rv = us4020_add_suite(); if (rv != CUE_SUCCESS) { @@ -329,20 +319,6 @@ int main(int argc, char *argv[]) { exit(1); } #endif -#ifdef ENABLE_ALL_SUITES - rv = us4778_add_suite(); - if (rv != CUE_SUCCESS) { - printf("\nFailed to add test suite for US4778 (%d)", rv); - exit(1); - } -#endif -#ifdef ENABLE_ALL_SUITES - rv = us4784_add_suite(); - if (rv != CUE_SUCCESS) { - printf("\nFailed to add test suite for US4784 (%d)", rv); - exit(1); - } -#endif if (xml) { /* Run all test using automated interface, which @@ -386,3 +362,4 @@ int main(int argc, char *argv[]) { #endif } + diff --git a/test/build_ut.gradle b/test/build_ut.gradle index ae9c16f..e3f42b2 100644 --- a/test/build_ut.gradle +++ b/test/build_ut.gradle @@ -19,15 +19,6 @@ model { sharedLibraryLinkFile = file(System.getenv().SSL_DIR + "\\lib\\ssleay32.lib") } } - if(!System.getenv().DISABLE_SAFEC.equals("TRUE")) { - ciscosafec { - headers.srcDir System.getenv().SAFEC_DIR + "\\include" - binaries.withType(StaticLibraryBinary) { - staticLibraryFile = - file(System.getenv().SAFEC_DIR + "\\lib\\safeclib.lib") - } - } - } cunit { headers.srcDir System.getenv().CUNIT_DIR + "\\include" binaries.withType(StaticLibraryBinary) { @@ -65,10 +56,7 @@ model { srcDir "UT" include "**/*.c" srcDir "util" - if(System.getenv().DISABLE_SAFEC.equals("TRUE")) - { - srcDir "safe_c_stub/src" - } + srcDir "safe_c_stub/src" exclude "st_proxy.c" exclude "st_server.c" exclude "US1060/us1060.c" @@ -76,10 +64,7 @@ model { exclude "US903/perftest.c" } exportedHeaders { - if(System.getenv().DISABLE_SAFEC.equals("TRUE")) - { - srcDir "safe_c_stub/include" - } + srcDir "safe_c_stub/include" srcDir "util" } } 
@@ -87,10 +72,6 @@ model { binaries.all { lib library: "libcrypto", linkage: "shared" lib library: "libssl", linkage: "shared" - if(!System.getenv().DISABLE_SAFEC.equals("TRUE")) - { - lib library: "ciscosafec", linkage: "static" - } lib library: "cunit", linkage: "static" lib library: "est", linkage: "shared" lib library: "curl", linkage: "shared" diff --git a/test/util/ossl_srv.c b/test/util/ossl_srv.c index ac3871d..f03c503 100644 --- a/test/util/ossl_srv.c +++ b/test/util/ossl_srv.c @@ -2365,7 +2365,6 @@ BIO * ossl_simple_enroll (const char *p10buf, int p10len, char *configfile) conf = NULL; key = NULL; section = NULL; - memset(buf[2], 0, sizeof(buf[2])); preserve=0; msie_hack=0; diff --git a/test/util/st_server.c b/test/util/st_server.c index 577ffcf..2c11cac 100644 --- a/test/util/st_server.c +++ b/test/util/st_server.c @@ -7,7 +7,7 @@ * * August, 2013 * - * Copyright (c) 2013, 2016, 2017 by cisco Systems, Inc. + * Copyright (c) 2013, 2016 by cisco Systems, Inc. * All rights reserved. *------------------------------------------------------------------ */ @@ -32,7 +32,6 @@ #include #include #include -#include #define MAX_CERT_LEN 8192 #define MAX_FILENAME_LEN 255 @@ -62,18 +61,6 @@ char tst_srvr_path_seg_enroll[EST_MAX_PATH_SEGMENT_LEN+1]; char tst_srvr_path_seg_cacerts[EST_MAX_PATH_SEGMENT_LEN+1]; char tst_srvr_path_seg_csrattrs[EST_MAX_PATH_SEGMENT_LEN+1]; -static int brski_retry_enabled = 0; -static int brski_retry_delay = 0; -static int brski_retry_count = 0; -static int brski_retry_running_count = 0; - -static int brski_send_nonce = 1; -static int brski_nonce_too_long = 0; -static int brski_nonce_mismatch = 0; - -static int brski_send_serial_num = 1; -static int brski_serial_num_too_long = 0; -static int brski_serial_num_mismatch = 0; unsigned char *p7_ca_certs = NULL; int p7_ca_certs_len = 0; 
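Review bot: Removing `memset(buf[2], 0, sizeof(buf[2]))` leaves `buf[2]` in whatever state its declaration gives it; the declaration is outside the hunk, so whether this is safe cannot be told from here. If `buf[2]` is a stack array that a later `strlen` or `BIO_puts` reads before any write, the removal reintroduces an uninitialized read; if it is a pointer slot, the old line only zeroed a pointer's width and the removal is harmless. A one-line comment at the declaration stating who initializes `buf[2]`, or an `= {0}` initializer on the array, would settle it. `ossl_simple_enroll` starts and ends outside the hunk.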
@@ -180,7 +167,7 @@ static int compare (const void *pa, const void *pb) * case we'll add the public key from the cert request into * our lookup table so it can be correlated later. */ -static int lookup_pkcs10_request (unsigned char *pkcs10, int p10_len) +static int lookup_pkcs10_request(unsigned char *pkcs10, int p10_len) { X509_REQ *req = NULL; BIO *in = NULL; @@ -336,7 +323,6 @@ static int process_pkcs10_enrollment (unsigned char * pkcs10, int p10_len, #define TEST_CSR "MCYGBysGAQEBARYGCSqGSIb3DQEJBwYFK4EEACIGCWCGSAFlAwQCAg==\0" static unsigned char * process_csrattrs_request (int *csr_len, char *path_seg, - X509 *peer_cert, void *app_data) { unsigned char *csr_data; @@ -567,7 +553,7 @@ static int load_ca_certs (EST_CTX *ctx, unsigned char *pem_cacerts, int pem_cace return (-1); } - p7_ca_certs = calloc(p7_ca_certs_len+1, sizeof(char)); + p7_ca_certs = malloc(p7_ca_certs_len); if (!p7_ca_certs) { printf("malloc failed\n"); BIO_free_all(cacerts_bio); @@ -833,14 +819,8 @@ void st_stop () * simulate_manual_enroll: Pass in a non-zero value to have the EST * simulate manual approval at the CA level. This * is used to test the retry-after logic. - * enable_pop: Enable PoP support. * ec_nid: Openssl NID value for ECDHE curve to use during * TLS handshake. Take values from - * enable_tls10 Enable TLS 1.0 support - * disable_cacerts_response: Do not pass down the CA certs response chain - * to the library. - * enable_crl: Enable CRL checks - * */ static int st_start_internal ( int listen_port, @@ -856,8 +836,7 @@ static int st_start_internal ( int enable_srp, char *srp_vfile, int enable_tls10, - int disable_cacerts_response, - int enable_crl) + int disable_cacerts_response) { X509 *x; EVP_PKEY *priv_key; 
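Review bot: `p7_ca_certs = malloc(p7_ca_certs_len);` drops both the zero fill and the extra byte that `calloc(p7_ca_certs_len+1, sizeof(char))` provided, so the buffer is no longer NUL-terminated. Anything that treats `p7_ca_certs` as a C string — a `%s` format, `strlen`, or a library call that takes a string — will read past the end; the subsequent fill of the buffer is outside the hunk, so this may or may not apply. Keeping `p7_ca_certs = calloc(p7_ca_certs_len + 1, sizeof(char));` costs nothing and preserves the terminator, and the `malloc failed` message can stay either way. `load_ca_certs` starts outside the hunk.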
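Review bot: The trimmed parameter comment for `st_start_internal` now omits `enable_pop`, `enable_tls10` and `disable_cacerts_response`, all of which remain in the signature elsewhere in this diff (only `enable_crl` was removed). Restore the three lines in the same style: ` * enable_pop: Enable PoP support.`, ` * enable_tls10: Enable TLS 1.0 support`, and ` * disable_cacerts_response: Do not pass down the CA certs response chain to the library.`. A parameter block that documents only some of the arguments is worse than none, because a reader assumes the undocumented ones are unused.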
@@ -987,10 +966,6 @@ static int st_start_internal ( est_server_enable_tls10(ectx); } - if (enable_crl) { - est_enable_crl(ectx); - } - if (est_set_ca_enroll_cb(ectx, &process_pkcs10_enrollment)) { printf("\nUnable to set EST pkcs10 enrollment callback. Aborting!!!\n"); return (-1); 
@@ -1123,50 +1098,7 @@ int st_start_tls10 (int listen_port, rv = st_start_internal(listen_port, certfile, keyfile, realm, ca_chain_file, trusted_certs_file, ossl_conf_file, simulate_manual_enroll, - enable_pop, ec_nid, 0, NULL, 1, 0, 0); - - return (rv); -} - -/* - * Call this to start a simple EST server with CRL check enabled, - * This server will not be thread safe. It can only handle a single - * EST request on the listening socket at any given time. - * This server will run until st_stop() is invoked. - * - * Parameters: - * listen_port: Port number to listen on - * certfile: PEM encoded certificate used for server's identity - * keyfile: Private key associated with the certfile - * realm: HTTP realm to present to the client - * ca_chain_file: PEM encoded certificates to use in the /cacerts - * response to the client. - * trusted_certs_file: PEM encoded certificates to use for authenticating - * the EST client at the TLS layer. - * ossl_conf_file: Configuration file that specifies the OpenSSL - * CA to use. - * simulate_manual_enroll: Pass in a non-zero value to have the EST - * simulate manual approval at the CA level. This - * is used to test the retry-after logic. - * ec_nid: Openssl NID value for ECDHE curve to use during - * TLS handshake. Take values from - */ -int st_start_crl (int listen_port, - char *certfile, - char *keyfile, - char *realm, - char *ca_chain_file, - char *trusted_certs_file, - char *ossl_conf_file, - int simulate_manual_enroll, - int enable_pop, - int ec_nid) -{ - int rv; - - rv = st_start_internal(listen_port, certfile, keyfile, realm, ca_chain_file, - trusted_certs_file, ossl_conf_file, simulate_manual_enroll, - enable_pop, ec_nid, 0, NULL, 0, 0, 1); + enable_pop, ec_nid, 0, NULL, 1, 0); return (rv); } 
@@ -1209,7 +1141,7 @@ int st_start (int listen_port, rv = st_start_internal(listen_port, certfile, keyfile, realm, ca_chain_file, trusted_certs_file, ossl_conf_file, simulate_manual_enroll, - enable_pop, ec_nid, 0, NULL, 0, 0, 0); + enable_pop, ec_nid, 0, NULL, 0, 0); return (rv); } @@ -1253,7 +1185,7 @@ int st_start_nocacerts (int listen_port, rv = st_start_internal(listen_port, certfile, keyfile, realm, ca_chain_file, trusted_certs_file, ossl_conf_file, simulate_manual_enroll, - enable_pop, ec_nid, 0, NULL, 0, 1, 0); + enable_pop, ec_nid, 0, NULL, 0, 1); return (rv); } @@ -1292,7 +1224,7 @@ int st_start_srp (int listen_port, rv = st_start_internal(listen_port, certfile, keyfile, realm, ca_chain_file, trusted_certs_file, ossl_conf_file, 0, enable_pop, - 0, 1, vfile, 0, 0, 0); + 0, 1, vfile, 0, 0); return (rv); } @@ -1329,10 +1261,10 @@ int st_start_srp_tls10 (int listen_port, char *vfile) { int rv; - /* Note here that the third to last parm turns on tls1.0 */ + /* Note here that the last parm turns on tls1.0 */ rv = st_start_internal(listen_port, certfile, keyfile, realm, ca_chain_file, trusted_certs_file, ossl_conf_file, 0, enable_pop, 0, - 1, vfile, 1, 0, 0); + 1, vfile, 1, 0); return (rv); } 
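Review bot: The updated comment `/* Note here that the last parm turns on tls1.0 */` is wrong for the new call: the last argument is `disable_cacerts_response` (0), and it is the second-to-last, `enable_tls10`, that is set to 1, as the `st_start_internal` signature in this diff shows. Change it to `/* Note here that the second-to-last parm (enable_tls10) turns on tls1.0 */`. A comment tied to argument position breaks every time the signature changes; naming the parameter keeps it stable.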
@@ -1447,557 +1379,3 @@ void st_csr_filename (char *incoming_name) } } -static int jsoneq(const char *json, jsmntok_t *tok, const char *s) { - if (tok->type == JSMN_STRING && (int) strlen(s) == tok->end - tok->start && - strncmp(json + tok->start, s, tok->end - tok->start) == 0) { - return 0; - } - return -1; -} - -static int dump(const char *js, jsmntok_t *t, size_t count, int indent) { - int i, j, k; - if (count == 0) { - return 0; - } - if (t->type == JSMN_PRIMITIVE) { - printf("%.*s", t->end - t->start, js+t->start); - return 1; - } else if (t->type == JSMN_STRING) { - printf("'%.*s'", t->end - t->start, js+t->start); - return 1; - } else if (t->type == JSMN_OBJECT) { - printf("\n"); - j = 0; - for (i = 0; i < t->size; i++) { - for (k = 0; k < indent; k++) printf(" "); - j += dump(js, t+1+j, count-j, indent+1); - printf(": "); - j += dump(js, t+1+j, count-j, indent+1); - printf("\n"); - } - return j+1; - } else if (t->type == JSMN_ARRAY) { - j = 0; - printf("\n"); - for (i = 0; i < t->size; i++) { - for (k = 0; k < indent-1; k++) printf(" "); - printf(" - "); - j += dump(js, t+1+j, count-j, indent+1); - printf("\n"); - } - return j+1; - } - return 0; -} - -/* { */ -/* "ietf-voucher:voucher": { */ -/* "nonce": "62a2e7693d82fcda2624de58fb6722e5", */ -/* "assertion": "logging" */ -/* "pinned-domain-cert": "" */ -/* "serial-number": "JADA123456789" */ -/* } */ -/* } */ -#define BRSKI_DEVICE_SERIAL_NUM "F7BE0D" -#define VOUCHER "{\n\r\"ietf-voucher:voucher\":{\n\r\"nonce\":\"%s\",\n\r\"assertion\":\"logging\",\n\r\"pinned-domain-cert\":\"%s\",\n\r\"serial-number\":\"%s\"}\n\r}" -#define VOUCHER_NONONCE "{\n\r\"ietf-voucher:voucher\":{\n\r\"assertion\":\"logging\",\n\r\"pinned-domain-cert\":\"%s\",\n\r\"serial-number\":\"%s\"}\n\r}" -#define VOUCHER_NOSERIAL "{\n\r\"ietf-voucher:voucher\":{\n\r\"assertion\":\"logging\",\n\r\"pinned-domain-cert\":\"%s\",\n\r}\n\r}" - -#define EST_BRSKI_MAX_NONCE_LEN 256 -#define EST_BRSKI_MAX_SERIAL_NUM_LEN 256 - -#define 
NONCE_TEMPLATE "\"nonce\":\"%s\"" -#define SERIAL_NUM_TEMPLATE "\"serial-number\":\"%s\"" -#define VOUCHER_TEMPLATE "{\n\r\"ietf-voucher:voucher\":{\n\r%s,\n\r\"assertion\":\"logging\",\n\r\"pinned-domain-cert\":\"%s\",\n\r%s}\n\r}" - - -/* - * Callback function used by EST stack to process a BRSK - * voucher request. The parameters are: - * - * voucher_req Contains the voucher request from the client - * voucher_req_len Length of the voucher request - * voucher Pointer to a buffer pointer that will contain - * the voucher to be returned - * voucher_len Pointer to an integer that will be set to the length - * of the returned voucher. - * peer_cert - client certificate, if available, in internal X509 - * structure format - */ -static -EST_BRSKI_CALLBACK_RC -process_brski_voucher_request (char *voucher_req, int voucher_req_len, - char **voucher, int *voucher_len, X509 *peer_cert) -{ - char *voucher_buf = NULL; - jsmn_parser p; - jsmntok_t *tok; - size_t tokcount = 100; - int parser_resp; - int i; - int nonce_found = 0; - int incoming_server_cert_found = 0; - char incoming_nonce[EST_BRSKI_VOUCHER_REQ_NONCE_SIZE+1]; - char incoming_server_cert[EST_BRSKI_MAX_CACERT_LEN+1]; - char *ser_num_str = NULL; - - char *nonce_buf = NULL; - char *serial_num_buf = NULL; - - - memset(incoming_nonce, 0, EST_BRSKI_VOUCHER_REQ_NONCE_SIZE+1); - - printf("BRSKI voucher request received\n"); - printf(" voucher_req = %s\n voucher_req_len = %d\n", - voucher_req, voucher_req_len); - - /* - * If configured to perform retries, alternate between - * sending the retry and sending the voucher response. - * Unlike simple enroll retry processing, there is nothing - * in the voucher request to key off of to determine if - * the voucher request has been seen before, so the only - * option is to toggle based on time. This can be more - * error prone if the test code gets out of sync with - * this toggling. 
- */ - if (brski_retry_enabled) { - if (brski_retry_running_count) { - brski_retry_running_count--; - return (EST_BRSKI_CB_RETRY); - } else { - brski_retry_running_count = brski_retry_count; - /* - * Continue on with sending the voucher response - */ - } - } - - /* - * Parse the voucher request and obtain the nonce - */ - jsmn_init(&p); - tok = calloc(tokcount, sizeof(*tok)); - if (tok == NULL) { - printf("calloc(): errno=%d\n", errno); - return 3; - } - parser_resp = jsmn_parse(&p, (char *)voucher_req, (size_t)voucher_req_len, - tok, tokcount); - if (parser_resp < 0) { - printf("Voucher request parse failed. parse error = %d\n", parser_resp); - } else { - dump((char *)voucher_req, tok, p.toknext, 0); - printf("Voucher request parsed\n"); - } - for (i = 1; i < parser_resp; i++) { - if (jsoneq(voucher_req, &tok[i], "nonce") == 0) { - sprintf(incoming_nonce, "%.*s", tok[i+1].end-tok[i+1].start, - voucher_req + tok[i+1].start); - printf("Found nonce %s\n", incoming_nonce); - nonce_found = 1; - break; - } - } - if (!nonce_found) { - printf("Nonce missing from voucher request\n"); - return (EST_BRSKI_CB_FAILURE); - } - - /* - * Now look for the Registrar's cert - */ - for (i = 1; i < parser_resp; i++) { - if (jsoneq(voucher_req, &tok[i], "pinned-domain-cert") == 0) { - sprintf(incoming_server_cert, "%.*s", tok[i+1].end-tok[i+1].start, - voucher_req + tok[i+1].start); - printf("Found pinned domain cert %s\n", incoming_server_cert); - incoming_server_cert_found = 1; - break; - } - } - if (!incoming_server_cert_found) { - printf("Pinned domain cert missing from voucher request\n"); - return (EST_BRSKI_CB_FAILURE); - } - - free(tok); - - /* - * Obtain the serial number of the pledge device from its ID cert - */ - ser_num_str = est_find_ser_num_in_subj(peer_cert); - if (ser_num_str == NULL) { - char *subj; - - printf("Pledge MFG cert does not contain a serial number."); - - subj = X509_NAME_oneline(X509_get_subject_name(peer_cert), NULL, 0); - printf("Client MFG cert 
subject: %s", subj); - OPENSSL_free(subj); - - return (EST_ERR_CLIENT_BRSKI_SERIAL_NUM_MISSING); - } - - voucher_buf = calloc(EST_BRSKI_MAX_VOUCHER_LEN, sizeof(char)); - if (voucher_buf) { - - if (brski_send_nonce) { - - nonce_buf = calloc(EST_BRSKI_MAX_NONCE_LEN+1, sizeof(char)); - - if (brski_nonce_too_long) { - - snprintf(nonce_buf, EST_BRSKI_MAX_NONCE_LEN, NONCE_TEMPLATE, - "123456789012345678901234567890123"); - -/* *voucher_len = snprintf(voucher_buf, EST_BRSKI_MAX_VOUCHER_LEN, VOUCHER, */ -/* "123456789012345678901234567890123", p7_ca_certs, */ -/* ser_num_str); */ - } else if (brski_nonce_mismatch) { - snprintf(nonce_buf, EST_BRSKI_MAX_NONCE_LEN, NONCE_TEMPLATE, - "12345678901234567890123456789012"); - -/* *voucher_len = snprintf(voucher_buf, EST_BRSKI_MAX_VOUCHER_LEN, VOUCHER, */ -/* "12345678901234567890123456789012", p7_ca_certs, */ -/* ser_num_str); */ - } else { - snprintf(nonce_buf, EST_BRSKI_MAX_NONCE_LEN, NONCE_TEMPLATE, - incoming_nonce); - -/* *voucher_len = snprintf(voucher_buf, EST_BRSKI_MAX_VOUCHER_LEN, VOUCHER, */ -/* incoming_nonce, p7_ca_certs, */ -/* ser_num_str); */ - } - } else { -/* *voucher_len = snprintf(voucher_buf, EST_BRSKI_MAX_VOUCHER_LEN, VOUCHER_NONONCE, */ -/* p7_ca_certs, */ -/* ser_num_str); */ - } - - - if (brski_send_serial_num) { - - serial_num_buf = calloc(EST_BRSKI_MAX_NONCE_LEN+1, sizeof(char)); - - if (brski_serial_num_too_long) { -/* *voucher_len = snprintf(voucher_buf, EST_BRSKI_MAX_VOUCHER_LEN, VOUCHER, */ -/* "123456789012345678901234567890123", p7_ca_certs, */ -/* ser_num_str); */ - snprintf(serial_num_buf, EST_BRSKI_MAX_SERIAL_NUM_LEN, SERIAL_NUM_TEMPLATE, - "SERIAL-NUM-TOO-LONG0123456789012345678901234567890123456789012345"); - } else if (brski_serial_num_mismatch) { -/* *voucher_len = snprintf(voucher_buf, EST_BRSKI_MAX_VOUCHER_LEN, VOUCHER, */ -/* "12345678901234567890123456789012", p7_ca_certs, */ -/* ser_num_str); */ - snprintf(serial_num_buf, EST_BRSKI_MAX_SERIAL_NUM_LEN, SERIAL_NUM_TEMPLATE, - 
"SERIAL-NUM-MISMATCH012345678901234567890123456789012345678901234"); - } else { -/* *voucher_len = snprintf(voucher_buf, EST_BRSKI_MAX_VOUCHER_LEN, VOUCHER, */ -/* incoming_nonce, p7_ca_certs, */ -/* ser_num_str); */ - snprintf(serial_num_buf, EST_BRSKI_MAX_SERIAL_NUM_LEN, SERIAL_NUM_TEMPLATE, - ser_num_str); - } - } else { -/* *voucher_len = snprintf(voucher_buf, EST_BRSKI_MAX_VOUCHER_LEN, VOUCHER_NONONCE, */ -/* p7_ca_certs, */ -/* ser_num_str); */ - } - -/* *voucher_len = snprintf(voucher_buf, EST_BRSKI_MAX_VOUCHER_LEN, VOUCHER_TEMPLATE, */ -/* nonce_buf, p7_ca_certs, serial_num_buf); */ - *voucher_len = snprintf(voucher_buf, EST_BRSKI_MAX_VOUCHER_LEN, VOUCHER_TEMPLATE, - nonce_buf, p7_ca_certs, serial_num_buf); - free(nonce_buf); - free(serial_num_buf); - - *voucher = voucher_buf; - printf("Voucher to be returned = %s\n", *voucher); - } else { - *voucher = NULL; - *voucher_len = 0; - return (EST_BRSKI_CB_FAILURE); - } - - return EST_BRSKI_CB_SUCCESS; -} - -/* - * Callback function used by EST stack to process a BRSKI - * voucher status indication. 
The parameters are: - * - * voucher_status Contains the voucher status from the client - * voucher_status_len Length of the voucher status - * peer_cert - client certificate, if available, in internal X509 - * structure format - * - */ -static EST_BRSKI_CALLBACK_RC -process_brski_voucher_status (char *voucher_status, int voucher_status_len, X509 *peer_cert) -{ - jsmn_parser p; - jsmntok_t *tok; - size_t tokcount = 100; - int parser_resp; - int i; - int status_found = 0; - char incoming_status[5+1]; - int reason_found = 0; - char incoming_reason[EST_BRSKI_MAX_REASON_LEN]; - - memset(incoming_status, 0, 5+1); - - printf("BRSKI voucher status received\n"); - printf(" voucher_status = %s\n voucher_status_len = %d\n", - voucher_status, voucher_status_len); - - /* - * Parse the voucher response and obtain the status and reason - */ - jsmn_init(&p); - tok = calloc(tokcount, sizeof(*tok)); - if (tok == NULL) { - printf("calloc(): errno=%d\n", errno); - return 3; - } - parser_resp = jsmn_parse(&p, (char *)voucher_status, (size_t)voucher_status_len, - tok, tokcount); - if (parser_resp < 0) { - printf("Voucher response parse failed. 
parse error = %d\n", parser_resp); - } else { - dump((char *)voucher_status, tok, p.toknext, 0); - printf("Voucher status parsed\n"); - } - - for (i = 1; i < parser_resp; i++) { - if (jsoneq(voucher_status, &tok[i], "Status") == 0) { - sprintf(incoming_status, "%.*s", tok[i+1].end-tok[i+1].start, - voucher_status + tok[i+1].start); - printf("Found status %s\n", incoming_status); - status_found = 1; - break; - } - } - if (!status_found) { - printf("Status value missing from voucher status\n"); - return (EST_BRSKI_CB_FAILURE); - } - - for (i = 1; i < parser_resp; i++) { - if (jsoneq(voucher_status, &tok[i], "Reason") == 0) { - sprintf(incoming_reason, "%.*s", tok[i+1].end-tok[i+1].start, - voucher_status + tok[i+1].start); - printf("Found reason: %s\n", incoming_reason); - reason_found = 1; - break; - } - } - if (!reason_found) { - printf("Reason value missing from voucher status\n"); - return (EST_BRSKI_CB_FAILURE); - } - - free(tok); - return EST_BRSKI_CB_SUCCESS; -} - -/* - * Callback function used by EST stack to process a BRSK - * enrollment status. The parameters are: - * - * voucher_req Contains the voucher request from the client - * voucher_req_len Length of the voucher request - * voucher Pointer to a buffer pointer that will contain - * voucher/ - * voucher_len Pointer to an integer that will be set to the length - * of the returned voucher. 
- * - */ -static EST_BRSKI_CALLBACK_RC -process_brski_enroll_status (char *enroll_status, int enroll_status_len, X509 *peer_cert) -{ - jsmn_parser p; - jsmntok_t *tok; - size_t tokcount = 100; - int parser_resp; - int i; - int status_found = 0; - char incoming_status[5+1]; - int reason_found = 0; - char incoming_reason[EST_BRSKI_MAX_REASON_LEN]; - - memset(incoming_status, 0, 5+1); - - printf("BRSKI enroll status received\n"); - printf(" enroll_status = %s\n enroll_status_len = %d\n", - enroll_status, enroll_status_len); - - /* - * Parse the voucher response and obtain the status and reason - */ - jsmn_init(&p); - tok = calloc(tokcount, sizeof(*tok)); - if (tok == NULL) { - printf("calloc(): errno=%d\n", errno); - return 3; - } - parser_resp = jsmn_parse(&p, (char *)enroll_status, (size_t)enroll_status_len, - tok, tokcount); - if (parser_resp < 0) { - printf("Enroll response parse failed. parse error = %d\n", parser_resp); - } else { - dump((char *)enroll_status, tok, p.toknext, 0); - printf("Enroll status parsed\n"); - } - - for (i = 1; i < parser_resp; i++) { - if (jsoneq(enroll_status, &tok[i], "Status") == 0) { - sprintf(incoming_status, "%.*s", tok[i+1].end-tok[i+1].start, - enroll_status + tok[i+1].start); - printf("Found status %s\n", incoming_status); - status_found = 1; - break; - } - } - if (!status_found) { - printf("Status value missing from enroll status\n"); - return (EST_BRSKI_CB_FAILURE); - } - - for (i = 1; i < parser_resp; i++) { - if (jsoneq(enroll_status, &tok[i], "Reason") == 0) { - sprintf(incoming_reason, "%.*s", tok[i+1].end-tok[i+1].start, - enroll_status + tok[i+1].start); - printf("Found reason: %s\n", incoming_reason); - reason_found = 1; - break; - } - } - if (!reason_found) { - printf("Reason value missing from enroll status\n"); - return (EST_BRSKI_CB_FAILURE); - } - - free(tok); - return EST_BRSKI_CB_SUCCESS; -} - -int st_set_brski_mode (void) -{ - int rc; - - if (est_set_brski_voucher_req_cb(ectx, &process_brski_voucher_request)) { 
- printf(
- "\nUnable to set EST BRSKI voucher request callback. Aborting!!!\n");
- return(-1);
- }
- if (est_set_brski_voucher_status_cb(ectx, &process_brski_voucher_status)) {
- printf(
- "\nUnable to set EST BRSKI voucher request callback. Aborting!!!\n");
- return(-1);
- }
- if (est_set_brski_enroll_status_cb(ectx, &process_brski_enroll_status)) {
- printf(
- "\nUnable to set EST BRSKI voucher request callback. Aborting!!!\n");
- return(-1);
- }
-
- /*
- * For EST /cacerts, the CA certs response can be processed two ways,
- * they can be provided to the EST library and the library repsonds
- * directly, or the application layer can provide a call back and
- * it provides the response buffer containing the CA certs. The estserver
- * test app does it the first way, so the EST library responds directly.
- * With BRSKI, this response of the CA certs is contained in the voucher, so
- * the application layer needs to be responsible for preparing the response.
- * The following code is replicated from the EST library.
- */
- /*
- * Convert the PEM encoded buffer previously read the file into the
- * PKCS7 buffer used for responding to /cacerts requests
- */
- rc = load_ca_certs(ectx, cacerts_raw, cacerts_len);
- if (rc != 0) {
- printf("\nUnable to convert CA certs chain in PEM format to PKCS7."
- " Aborting!!!\n");
- return (-1);
- }
- return (0);
-}
-
-/*
- * Used to control the retry-after mode of the voucher request processing
- */
-int st_set_brski_retry_mode (int enable_retry, int retry_delay, int retry_count)
-{
- /*
- * reset the retry-after logic
- */
- brski_retry_delay = retry_delay;
- if (EST_ERR_NONE != est_server_set_brski_retry_period(ectx, brski_retry_delay)) {
- printf("\nFailed to set retry period in context\n");
- return (-1);
- }
- brski_retry_running_count = brski_retry_count = retry_count;
- brski_retry_enabled = enable_retry;
-
- printf("\nSetting retry mode to:\n"
- " retry_enabled = %d\n"
- " retry_delay = %d\n"
- " retry_count = %d\n",
- brski_retry_enabled,
- brski_retry_delay,
- brski_retry_count);
-
- return (0);
-}
-
-/*
- * Used to control the nonce error processing
- */
-int st_set_brski_nonce_mode (int send_nonce, int nonce_too_long,
- int nonce_mismatch)
-{
- /*
- * set the retry-after testing logic
- */
- brski_send_nonce = send_nonce;
- brski_nonce_too_long = nonce_too_long;
- brski_nonce_mismatch = nonce_mismatch;
-
- printf("\nSetting nonce mode to:\n"
- " send_nonce = %d\n"
- " send_nonce_too_long = %d\n"
- " send_nonce_mismatch = %d\n",
- brski_send_nonce,
- brski_nonce_too_long,
- brski_nonce_mismatch);
-
- return (0);
-}
-
-/*
- * Used to control the serial number error processing
- */
-int st_set_brski_serial_num_mode (int send_serial_num, int serial_num_too_long,
- int serial_num_mismatch)
-{
- /*
- * set the serial number testing logic
- */
- brski_send_serial_num = send_serial_num;
- brski_serial_num_too_long = serial_num_too_long;
- brski_serial_num_mismatch = serial_num_mismatch;
-
- printf("\nSetting serial_num mode to:\n"
- " send_serial_num = %d\n"
- " send_serial_num_too_long = %d\n"
- " send_serial_num_mismatch = %d\n",
- brski_send_serial_num,
- brski_serial_num_too_long,
- brski_serial_num_mismatch);
-
- return (0);
-}
diff --git a/test/util/st_server.h b/test/util/st_server.h
index 29a139a..7d12aad 100644
--- a/test/util/st_server.h
+++ b/test/util/st_server.h
@@ -41,16 +41,6 @@ int st_start_tls10(int tcp_port,
 int simulate_manual_enroll,
 int enable_pop,
 int ec_nid);
-int st_start_crl(int listen_port,
- char *certfile,
- char *keyfile,
- char *realm,
- char *ca_chain_file,
- char *trusted_certs_file,
- char *ossl_conf_file,
- int simulate_manual_enroll,
- int enable_pop,
- int ec_nid);
 int st_start_srp (int listen_port,
 char *certfile,
 char *keyfile,
@@ -86,12 +76,6 @@ void st_enable_csrattr_enforce();
 void st_set_read_timeout(int timeout);
 void st_write_csr(int state);
 void st_csr_filename(char *incoming_name);
-int st_set_brski_mode();
-int st_set_brski_retry_mode(int enable_retry, int retry_delay, int retry_count);
-int st_set_brski_nonce_mode (int send_nonce, int nonce_too_long,
- int nonce_mismatch);
-int st_set_brski_serial_num_mode (int send_serial_num, int serial_num_too_long,
- int serial_num_mismatch);
 #ifdef WIN32
 void st_toggle_ipv6();
 #endif
diff --git a/test/util/st_server_windows.c b/test/util/st_server_windows.c
index 1cbed2a..1ef0490 100644
--- a/test/util/st_server_windows.c
+++ b/test/util/st_server_windows.c
@@ -4,7 +4,7 @@
 *
 * March, 2016
 *
- * Copyright (c) 2016, 2017 by cisco Systems, Inc.
+ * Copyright (c) 2016 by cisco Systems, Inc.
 * All rights reserved.
 *------------------------------------------------------------------
 */
@@ -432,8 +432,7 @@ static int process_pkcs10_enrollment(unsigned char * pkcs10, int p10_len,
 //This CSR attributes contains the challengePassword OID and others
 #define TEST_CSR "MCYGBysGAQEBARYGCSqGSIb3DQEJBwYFK4EEACIGCWCGSAFlAwQCAg==\0"
-static unsigned char * process_csrattrs_request(int *csr_len, char *path_seg,
- X509 *peer_cert, void *app_data)
+static unsigned char * process_csrattrs_request(int *csr_len, char *path_seg, void *app_data)
 {
 unsigned char *csr_data;
@@ -1011,8 +1010,7 @@ static int st_start_internal(
 int enable_srp,
 char *srp_vfile,
 int enable_tls10,
- int disable_cacerts_response,
- int enable_crl)
+ int disable_cacerts_response)
 {
 X509 *x;
 EVP_PKEY *priv_key;
@@ -1127,10 +1125,6 @@ static int st_start_internal(
 est_server_enable_tls10(ectx);
 }
- if (enable_crl) {
- est_enable_crl(ectx);
- }
-
 if (est_set_ca_enroll_cb(ectx, &process_pkcs10_enrollment)) {
 printf("\nUnable to set EST pkcs10 enrollment callback. Aborting!!!\n");
 return (-1);
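Review bot: Nothing in this test server calls `est_enable_crl()` once the `if (enable_crl)` block is gone from the second hunk (`@@ -1127`), and the `st_start_crl` wrapper that used to drive it is deleted in the following hunk (L259), so certificate revocation checking in the library is no longer exercised by this harness at all. If dropping that coverage is intended, a short note at the `st_start_internal` parameter list in the first hunk would save the next reader a search, e.g. `/* NOTE: CRL/revocation checking is not configurable here and is not exercised by this test server. */`. If it is not intended, the set of server start modes that still run with revocation enabled should be listed somewhere in the test tree before this lands. `st_start_internal` begins and ends outside both hunks, so I cannot tell whether any other revocation-related setup remains in its body.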
@@ -1268,50 +1262,7 @@ int st_start_tls10(int listen_port,
 rv = st_start_internal(listen_port, certfile, keyfile, realm, ca_chain_file,
 trusted_certs_file, ossl_conf_file, simulate_manual_enroll,
- enable_pop, ec_nid, 0, NULL, 1, 0, 0);
-
- return (rv);
-}
-
-/*
- * Call this to start a simple EST server with CRL check enabled,
- * This server will not be thread safe. It can only handle a single
- * EST request on the listening socket at any given time.
- * This server will run until st_stop() is invoked.
- *
- * Parameters:
- * listen_port: Port number to listen on
- * certfile: PEM encoded certificate used for server's identity
- * keyfile: Private key associated with the certfile
- * realm: HTTP realm to present to the client
- * ca_chain_file: PEM encoded certificates to use in the /cacerts
- * response to the client.
- * trusted_certs_file: PEM encoded certificates to use for authenticating
- * the EST client at the TLS layer.
- * ossl_conf_file: Configuration file that specifies the OpenSSL
- * CA to use.
- * simulate_manual_enroll: Pass in a non-zero value to have the EST
- * simulate manual approval at the CA level. This
- * is used to test the retry-after logic.
- * ec_nid: Openssl NID value for ECDHE curve to use during
- * TLS handshake. Take values from
- */
-int st_start_crl(int listen_port,
- char *certfile,
- char *keyfile,
- char *realm,
- char *ca_chain_file,
- char *trusted_certs_file,
- char *ossl_conf_file,
- int simulate_manual_enroll,
- int enable_pop,
- int ec_nid)
-{
- int rv;
-
- rv = st_start_internal(listen_port, certfile, keyfile, realm, ca_chain_file,
- trusted_certs_file, ossl_conf_file, simulate_manual_enroll,
- enable_pop, ec_nid, 0, NULL, 0, 0, 1);
+ enable_pop, ec_nid, 0, NULL, 1, 0);
 return (rv);
 }
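Review bot: The rewritten call on the `+` line, `enable_pop, ec_nid, 0, NULL, 1, 0);`, ends in four bare positional flags whose meaning can only be recovered by counting against the `st_start_internal` parameter list, and the same shape recurs in the four call sites in the next hunks (L260: `st_start`, `st_start_nocacerts`, `st_start_srp`, `st_start_srp_tls10`). Since every caller is being edited anyway, each call could carry a one-line comment naming the trailing arguments, e.g. `/* enable_srp, srp_vfile, enable_tls10, disable_cacerts_response */`, or the 0/1 values could be replaced by named constants. The `st_start_srp_tls10` site also keeps the context comment `/* Note here that the last parm turns on tls1.0 */`, which no longer matches the call: after this change the last argument is `disable_cacerts_response` and the TLS1.0 flag is the one before it, so that comment should be updated in the same commit.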
@@ -1354,7 +1305,7 @@ int st_start(int listen_port,
 rv = st_start_internal(listen_port, certfile, keyfile, realm, ca_chain_file,
 trusted_certs_file, ossl_conf_file, simulate_manual_enroll,
- enable_pop, ec_nid, 0, NULL, 0, 0, 0);
+ enable_pop, ec_nid, 0, NULL, 0, 0);
 return (rv);
 }
@@ -1397,7 +1348,7 @@ int st_start_nocacerts(int listen_port,
 rv = st_start_internal(listen_port, certfile, keyfile, realm, ca_chain_file,
 trusted_certs_file, ossl_conf_file, simulate_manual_enroll,
- enable_pop, ec_nid, 0, NULL, 0, 1, 0);
+ enable_pop, ec_nid, 0, NULL, 0, 1);
 return (rv);
 }
@@ -1436,7 +1387,7 @@ int st_start_srp(int listen_port,
 rv = st_start_internal(listen_port, certfile, keyfile, realm, ca_chain_file,
 trusted_certs_file, ossl_conf_file, 0, enable_pop,
- 0, 1, vfile, 0, 0, 0);
+ 0, 1, vfile, 0, 0);
 return (rv);
 }
@@ -1476,7 +1427,7 @@ int st_start_srp_tls10(int listen_port,
 /* Note here that the last parm turns on tls1.0 */
 rv = st_start_internal(listen_port, certfile, keyfile, realm, ca_chain_file,
 trusted_certs_file, ossl_conf_file, 0, enable_pop, 0,
- 1, vfile, 1, 0, 0);
+ 1, vfile, 1, 0);
 return (rv);
 }
diff --git a/version b/version
index 6fd361e..a7a5141 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-libest 2.1.0p.brski
+libest 2.1.0p