11 #if defined( __MVS__ ) || defined( __VMCMS__ )
13 #pragma convlit( suspend )
15 #if defined( __ILEC400__ )
22 #define NET_TIMEOUT 180
24 #if defined( TEST_SESSION ) || defined( TEST_SESSION_LOOPBACK )
77 #define CA_CRYPTLIB_PNPPKI 2
79 #define CA_NO CA_CRYPTLIB
86 static const CA_INFO
FAR_BSS caInfoTbl[] = {
88 {
"cryptlib",
TEXT(
"http://localhost" ),
TEXT(
"interop" ),
TEXT(
"interop" ) },
89 {
"cryptlib/PKIBoot",
TEXT(
"http://localhost" ),
TEXT(
"interop" ),
TEXT(
"interop" ) },
90 {
"Certicom",
TEXT(
"cmp://gandalf.trustpoint.com:8081" ),
TEXT(
"interop" ),
TEXT(
"interop" ) },
91 {
"ssh",
TEXT(
"cmp://interop-ca.ssh.com:8290" ),
TEXT(
"123456" ),
TEXT(
"interop" ) },
92 {
"ssh",
TEXT(
"http://pki.ssh.com:8080/pkix/" ),
TEXT(
"62154" ),
TEXT(
"ssh" ) },
93 {
"Entrust",
TEXT(
"cmp://204.101.128.45:829" ),
TEXT(
"39141091" ),
TEXT(
"ABCDEFGHIJK" ) },
94 {
"Trustcenter",
TEXT(
"cmp://demo.trustcenter.de/cgi-bin/cmp:829" ),
TEXT(
"interop" ),
TEXT(
"interop" ) },
95 {
"Baltimore",
TEXT(
"cmp://hip.baltimore.ie:8290" ),
TEXT(
"pgutmann" ),
TEXT(
"the-magical-land-near-oz" ) },
96 {
"Initech",
TEXT(
"cmp://61.74.133.49:8290" ),
TEXT(
"interop" ),
TEXT(
"interop" ) },
97 {
"RSA",
TEXT(
"cmp://ca1.kcspilot.com:32829" ),
TEXT(
"interop" ),
TEXT(
"interop" ) },
98 {
"Cylink",
TEXT(
"cmp://216.252.217.227:8082" ),
TEXT(
"3986" ),
TEXT(
"11002" ) },
99 {
"Insta-Certifier",
TEXT(
"http://pki.certificate.fi:8700/pkix/" ),
TEXT(
"3078" ),
TEXT(
"insta" ) }
104 #if ( CA_NO == CA_CRYPTLIB ) || ( CA_NO == CA_CRYPTLIB_PNPPKI )
105 #define SERVER_IS_CRYPTLIB
114 #define SERVER_NO_ALTNAMES
117 #define SERVER_FIXED_DN
123 #ifdef SERVER_IS_CRYPTLIB
139 #define NO_CA_REQUESTS ( 5 + 0 )
147 #define NO_CA_REQUESTS 0
154 #ifdef SERVER_IS_CRYPTLIB
155 #define SERVER_PROVIDES_DN
245 #ifdef SERVER_FIXED_DN
257 #ifndef SERVER_NO_ALTNAMES
269 #ifdef SERVER_FIXED_DN
281 #ifndef SERVER_NO_ALTNAMES
316 static int createCmpNewKeyRequest(
const CERT_DATA *requestData,
370 printf(
"Creation of CMP request failed with error code %d, line "
371 "%d.\n", status, __LINE__ );
375 return( cryptRequest );
378 static int createCmpRequest(
const CERT_DATA *requestData,
391 return( createCmpNewKeyRequest( requestData, cryptAlgo, useFixedKey,
398 &startTime, &dummy );
424 printf(
"Creation of CMP request failed with error code %d, line "
425 "%d.\n", status, __LINE__ );
429 return( cryptRequest );
445 printf(
"Creation of CMP revocation request failed with error code "
446 "%d, line %d.\n", status, __LINE__ );
450 return( cryptRequest );
453 static int createCmpSession(
const CRYPT_CONTEXT cryptCACert,
474 printf(
"cryptCreateSession() failed with error code %d, line %d.\n",
537 printf(
"Addition of session information failed with error code %d, "
538 "line %d.\n", status, __LINE__ );
542 return( cryptSession );
547 static int requestCert(
const char *description,
const CA_INFO *caInfoPtr,
548 const C_STR readKeysetName,
549 const C_STR writeKeysetName,
565 assert( !isPKIBoot || !isPnPPKI );
566 assert( !( isPnPPKI && writeKeysetName == NULL ) );
568 if( requestData != NULL )
579 puts(
"Testing standalone PKIBoot with no certificate request" );
582 printf(
"Testing %s processing", description );
583 if( requestData == NULL )
584 printf(
"with implicitly-supplied subject DN" );
588 printf(
" with partial subject DN" );
592 printf(
" with CA-supplied subject DN" );
602 if( readKeysetName != NULL )
608 printf(
"Couldn't get private key to request new certificate, "
609 "status = %d, line %d.\n", status, __LINE__ );
613 if( writeKeysetName != NULL )
615 assert( !isPKIBoot );
621 printf(
"Couldn't create keyset to store certificate to, "
622 "status = %d, line %d.\n", status, __LINE__ );
628 cryptSession = createCmpSession( cryptCACert, caInfoPtr->url,
629 caInfoPtr->user, caInfoPtr->password,
630 privateKey,
FALSE, useExistingKey,
633 if( cryptSession <= 0 )
637 return( cryptSession );
647 #if defined( SERVER_IS_CRYPTLIB ) || defined( SERVER_FIXED_DN )
648 cryptCmpRequest = createCmpRequest( requestData,
650 cryptAlgo,
FALSE, cryptKeyset );
653 cryptCmpRequest = createCmpRequest( requestData,
655 cryptAlgo,
TRUE, cryptKeyset );
657 if( !cryptCmpRequest )
666 printf(
"cryptSetAttribute() failed with error code %d, line %d.\n",
678 printExtError( cryptSession,
"Attempt to activate CMP client session",
680 #ifdef SERVER_IS_CRYPTLIB
683 char errorMessage[ 512 ];
684 int errorMessageLength;
693 &errorMessageLength );
696 errorMessageLength > 13 &&
697 !memcmp( errorMessage,
"HTTP response", 13 ) )
699 puts(
" (Something other than a CMP server is listening on "
700 "the local port used for\n testing, "
701 "continuing...)\n" );
713 puts(
" (Server could be down, faking it and continuing...)\n" );
721 puts(
" (This is more likely to be an issue with the server than "
722 "with cryptlib,\n faking it and continuing...)\n" );
742 printf(
"cryptGetAttribute() failed with error code %d, line %d.\n",
746 #ifndef SERVER_IS_CRYPTLIB
747 puts(
"Returned certificate details are:" );
755 printf(
"Couldn't write certificate to keyset, status = %d, "
756 "line %d.\n", status, __LINE__ );
761 if( issuedCert != NULL )
762 *issuedCert = cryptCmpResponse;
767 printf(
"Successfully processed %s.\n\n", description );
773 static int revokeCert(
const char *description,
const CA_INFO *caInfoPtr,
774 const C_STR keysetName,
784 printf(
"Testing %s revocation processing...\n", description );
807 puts(
"Couldn't fetch certificate/key to revoke.\n" );
813 cryptSession = createCmpSession( cryptCACert, caInfoPtr->url,
814 caInfoPtr->user, caInfoPtr->password,
819 if( cryptSession <= 0 )
820 return( cryptSession );
821 cryptCmpRequest = createCmpRevRequest( cryptCert );
822 if( !cryptCmpRequest )
831 printf(
"cryptSetAttribute() failed with error code %d, line %d.\n",
838 printExtError( cryptSession,
"Attempt to activate CMP client session",
841 if( cryptCert != certToRevoke )
848 puts(
" (Server could be down, faking it and continuing...)\n" );
856 puts(
" (This is more likely to be an issue with the server than "
857 "with cryptlib,\n faking it and continuing...)\n" );
864 if( cryptCert != certToRevoke )
867 printf(
"%s processing succeeded.\n\n", description );
873 static int getPkiUserInfo(
const C_STR pkiUserName,
874 CA_INFO *caInfoPtr,
C_STR userID,
C_STR issuePW )
886 memcpy( caInfoPtr, &caInfoTbl[ CA_NO ],
sizeof( CA_INFO ) );
887 caInfoPtr->name =
"cryptlib";
888 caInfoPtr->user = userID;
889 caInfoPtr->password = issuePW;
920 static int connectCryptlibCMP(
const BOOLEAN usePKIBoot,
927 C_CHR userID[ 64 ], issuePW[ 64 ];
933 printf(
"Timed out waiting for server to initialise, line %d.\n",
950 puts(
"CA certificate store doesn't contain the PKI user "
951 "information needed to\nauthenticate certificate issue "
952 "operations. This is probably because the\nserver loopback "
953 "test (which initialises the certificate store) hasn't been "
954 "run yet.\nSkipping CMP test.\n" );
967 printf(
"Couldn't get cryptlib CMP CA certificate, status = %d, "
968 "line %d.\n", status, __LINE__ );
979 status = getPkiUserInfo(
TEXT(
"Test PKI user" ), &caInfo,
988 status = requestCert(
"certificate init.request (ir)", &caInfo, NULL,
989 usePKIBoot ? NULL : writeFileName,
991 cryptCACert, usePKIBoot,
FALSE, NULL );
1007 status = getPkiUserInfo(
TEXT(
"Procurement" ), &caInfo, userID,
1009 if( status !=
TRUE )
1016 status = requestCert(
"certificate init.request (ir)", &caInfo, NULL,
1017 usePKIBoot ? NULL : writeFileName,
1020 if( status !=
TRUE )
1025 if( requestCert(
"Duplicate init.request", &caInfo, NULL, NULL,
1029 printf(
"Duplicate init request wasn't detected by the CMP server, "
1030 "line %d.\n\n", __LINE__ );
1042 status = requestCert(
"certificate request (cr)", &caInfo, readFileName,
1043 writeFileName, cmpCryptlibRequestData,
1045 if( status !=
TRUE )
1068 status = requestCert(
"certificate update (kur)", &caInfo, readFileName,
1070 FALSE, &cryptCert );
1071 if( status !=
TRUE )
1084 status = requestCert(
"DSA certificate", &caInfo, readFileName, NULL,
1087 if( status !=
TRUE )
1103 status = revokeCert(
"RSA signing certificate", &caInfo, readFileName,
1105 if( status !=
TRUE )
1118 static int connectCMP(
void )
1123 const CA_INFO *caInfoPtr = &caInfoTbl[ CA_NO ];
1131 printf(
"Couldn't get CMP CA certificate, status = %d, line %d.\n",
1141 #define REVOKE_FIRST_CERT
1143 status = requestCert(
"certificate init.request (ir)", caInfoPtr, NULL,
1144 writeFileName, cmpRsaSignRequestData,
1147 if( status !=
TRUE )
1163 #define REVOKE_SECOND_CERT
1166 status = requestCert(
"certificate request (cr)", caInfoPtr,
1167 readFileName, writeFileName, cmpRsaSignRequestData,
1169 if( status !=
TRUE )
1171 #if defined( TEST_IR )
1196 status = requestCert(
"certificate update (kur)", caInfoPtr,
1199 if( status !=
TRUE )
1218 status = requestCert(
"encryption-only certificate", caInfoPtr,
1219 readFileName, writeFileName,
1222 if( status !=
TRUE )
1229 #ifdef REVOKE_FIRST_CERT
1231 status = revokeCert(
"RSA initial/updated certificate", caInfoPtr,
1232 readFileName, cryptCert, cryptCACert,
TRUE );
1234 status = revokeCert(
"RSA initial/updated certificate", caInfoPtr,
1235 readFileName, cryptCert, cryptCACert,
FALSE );
1238 #elif !defined( TEST_KUR )
1243 status = revokeCert(
"RSA initial/updated certificate", caInfoPtr,
1250 if( status !=
TRUE )
1255 #ifdef REVOKE_SECOND_CERT
1260 status = revokeCert(
"RSA signing certificate", caInfoPtr, readFileName,
1262 if( status !=
TRUE )
1275 static int connectCMPFail(
const int count )
1307 cmpFailRequestData1, cmpFailRequestData2, cmpFailRequestData3
1310 TEXT(
"Test PKI user" ),
1311 TEXT(
"Test PKI user" ),
1312 TEXT(
"Procurement" )
1314 static const char *cmpFailRequestDescriptionTbl[] = {
1315 "request containing full DN with CN mis-matching\n pkiUser CN",
1316 "request containing extra field in altName\n not present in pkiUser altName",
1317 "request containing partial DN with OU\n mis-matching pkiUser CN"
1322 C_CHR userID[ 64 ], issuePW[ 64 ];
1329 printf(
"Timed out waiting for server to initialise, line %d.\n",
1340 printf(
"Couldn't get CMP CA certificate, status = %d, line %d.\n",
1344 status = getPkiUserInfo(
TEXT(
"Test PKI user" ), &caInfo,
1346 if( status !=
TRUE )
1356 sprintf( message,
"invalid request %d with %s,", count + 1,
1357 cmpFailRequestDescriptionTbl[ count ] );
1358 status = requestCert( message, &caInfo, NULL, NULL,
1365 puts(
"Invalid CMP request should have been rejected, but "
1372 puts(
" (This isn't an error since we're checking for the rejection "
1373 "of invalid\n requests)." );
1379 return( connectCMP() );
1384 static int connectPNPPKI(
const BOOLEAN isCaUser,
const BOOLEAN useDevice,
1389 C_CHR userID[ 64 ], issuePW[ 64 ];
1399 printf(
"cryptCreateSession() failed with error code %d, line %d.\n",
1412 TEXT(
"[Autodetect]" ) );
1415 printf(
"Crypto device open failed with error code %d, "
1416 "line %d.\n", status, __LINE__ );
1424 printf(
"\nDevice login failed with error code %d, line %d.\n",
1430 puts(
"(Deleted a signature key object, presumably a leftover "
1431 "from a previous run)." );
1434 puts(
"(Deleted an encryption key object, presumably a leftover "
1435 "from a previous run)." );
1445 printf(
"User keyset create failed with error code %d, "
1446 "line %d.\n", status, __LINE__ );
1454 printf(
"Timed out waiting for server to initialise, line %d.\n",
1461 TEXT(
"Test CA PKI user" ) : \
1462 TEXT(
"Test PKI user" ) );
1486 caInfoTbl[ CA_CRYPTLIB_PNPPKI ].url,
1487 paramStrlen( caInfoTbl[ CA_CRYPTLIB_PNPPKI ].url ) );
1508 printf(
"Addition of session information failed with error code %d, "
1509 "line %d.\n", status, __LINE__ );
1517 printExtError( cryptSession,
"Attempt to activate plug-and-play PKI "
1518 "client session", status, __LINE__ );
1540 TEXT(
"Signature key" ), issuePW );
1545 printf(
"Certified private-key read failed with error code %d, "
1546 "line %d.\n", status, __LINE__ );
1564 printf(
"Certified private-key password change failed with error "
1565 "code %d, line %d.\n", status, __LINE__ );
1580 static int cmpServerSingleIteration(
const CRYPT_CONTEXT cryptPrivateKey,
1592 printf(
"SVR: cryptCreateSession() failed with error code %d, line "
1593 "%d.\n", status, __LINE__ );
1612 return(
attrErrorExit( cryptSession,
"SVR: cryptSetAttribute()",
1613 status, __LINE__ ) );
1621 status =
extErrorExit( cryptSession,
"SVR: Attempt to activate CMP "
1622 "server session", status, __LINE__ );
1632 static int cmpServer(
void )
1642 puts(
"SVR: Testing CMP server session..." );
1652 printf(
"SVR: cryptCreateSession() failed with error code %d, "
1653 "line %d.\n", status, __LINE__ );
1661 cmpPkiUserPartialDNData, cmpPkiUserCaData,
1669 for( i = 0; i < NO_CA_REQUESTS; i++ )
1671 printf(
"SVR: Running server iteration %d.\n", i + 1 );
1672 if( !cmpServerSingleIteration( cryptCAKey, cryptCertStore,
FALSE ) )
1674 #if defined( SERVER_IS_CRYPTLIB ) && defined( TEST_DUP_IR )
1680 puts(
"SVR: Failure was due to a rejected duplicate request "
1681 "from the client,\n continuing..." );
1688 if( i < NO_CA_REQUESTS )
1692 printf(
"SVR: Only %d of %d server requests were processed.\n", i,
1696 puts(
"SVR: All server requests were successfully processed." );
1702 if( i >= NO_CA_REQUESTS )
1709 cryptCertStore, cryptCAKey,
1712 return(
extErrorExit( cryptCertStore,
"cryptCACertManagement()",
1713 status, __LINE__ ) );
1724 if( noEntries <= 0 )
1726 puts(
"CRL created from revoked certificate is empty, should "
1727 "contain at least one\ncertificate entry." );
1738 puts(
"SVR: CMP session succeeded.\n" );
1747 status = cmpServer();
1753 static int cmpServerFail(
void )
1762 puts(
"SVR: Testing CMP server for rejection of invalid requests..." );
1767 cmpPkiUserPartialDNData, cmpPkiUserCaData,
1776 for( i = 0; i < 3; i++ )
1778 printf(
"SVR: Running server iteration %d.\n", i + 1 );
1779 if( cmpServerSingleIteration( cryptCAKey, cryptCertStore,
FALSE ) )
1781 puts(
"SVR: CMP request succeeded when it should have "
1791 puts(
"SVR: CMP invalid requests successfully rejected.\n" );
1797 #ifdef WINDOWS_THREADS
1799 static int pnppkiServer(
const BOOLEAN pkiBootOnly,
const BOOLEAN isCaUser,
1800 const BOOLEAN isIntermediateCA,
1809 printf(
"SVR: Testing %s server session%s...\n",
1810 pkiBootOnly ?
"PKIBoot" :
"plug-and-play PKI",
1811 isCaUser ?
" for CA certificate" : \
1812 isIntermediateCA ?
" using intermediate CA" :
"" );
1815 if( isIntermediateCA )
1821 cmpPkiUserFullDNData, cmpPkiUserPartialDNData,
1822 cmpPkiUserCaData,
"CMP" ) )
1829 cmpPkiUserPartialDNData, cmpPkiUserCaData,
1838 if( !cmpServerSingleIteration( cryptCAKey, cryptCertStore, useDevice ) )
1845 puts(
"SVR: Plug-and-play PKI session succeeded.\n" );
1849 unsigned __stdcall cmpServerThread(
void *dummy )
1862 #ifndef SERVER_IS_CRYPTLIB
1866 puts(
"Error: The local CMP session test only works with the cryptlib "
1873 hThread = (
HANDLE ) _beginthreadex( NULL, 0, cmpServerThread,
1874 NULL, 0, &threadID );
1878 status = connectCryptlibCMP(
FALSE,
TRUE );
1890 #ifndef SERVER_IS_CRYPTLIB
1894 puts(
"Error: The local CMP session test only works with the cryptlib "
1906 hThread = (
HANDLE ) _beginthreadex( NULL, 0, cmpServerThread,
1907 NULL, 0, &threadID );
1911 status = connectCryptlibCMP(
FALSE,
TRUE );
1919 unsigned __stdcall cmpPKIBootServerThread(
void *dummy )
1932 #ifndef SERVER_IS_CRYPTLIB
1936 puts(
"Error: The local CMP session test only works with the cryptlib "
1943 hThread = (
HANDLE ) _beginthreadex( NULL, 0, cmpPKIBootServerThread,
1944 NULL, 0, &threadID );
1948 status = connectCryptlibCMP(
TRUE,
TRUE );
1954 unsigned __stdcall cmpPnPPKIServerThread(
void *dummy )
1973 hThread = (
HANDLE ) _beginthreadex( NULL, 0, cmpPnPPKIServerThread,
1974 NULL, 0, &threadID );
1984 unsigned __stdcall cmpPnPPKIDeviceServerThread(
void *dummy )
2003 hThread = (
HANDLE ) _beginthreadex( NULL, 0, cmpPnPPKIDeviceServerThread,
2004 NULL, 0, &threadID );
2014 unsigned __stdcall cmpPnPPKICaServerThread(
void *dummy )
2029 hThread = (
HANDLE ) _beginthreadex( NULL, 0, cmpPnPPKICaServerThread,
2030 NULL, 0, &threadID );
2040 unsigned __stdcall cmpPnPPKIIntermedCaServerThread(
void *dummy )
2055 hThread = (
HANDLE ) _beginthreadex( NULL, 0, cmpPnPPKIIntermedCaServerThread,
2056 NULL, 0, &threadID );
2066 unsigned __stdcall cmpFailServerThread(
void *dummy )
2081 hThread = (
HANDLE ) _beginthreadex( NULL, 0, cmpFailServerThread,
2082 NULL, 0, &threadID );
2086 status = connectCMPFail( 0 );
2088 status = connectCMPFail( 1 );
2090 status = connectCMPFail( 2 );