diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 096060aa..01cebd5f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -60,7 +60,8 @@ jobs: # would need access to azure.archive.ubuntu.com: # sudo apt-get update # sudo apt-get install -y >/dev/null libssl-dev build-essential # not needed - USE_LIBCMP=1 make -f Makefile_v1 build test_all + # USE_LIBCMP=1 make -f Makefile_v1 test_Mock OPENSSL_CMP_ASPECTS=credentials V=1 # can be helpful for debugging + USE_LIBCMP=1 make -f Makefile_v1 test_all doc_deb: runs-on: ubuntu-latest diff --git a/CMakeLists.txt b/CMakeLists.txt index 0e02e202..b7527240 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -158,7 +158,7 @@ add_compile_options(-pedantic) # -Werror is enabled only for development and CI, add_compile_options( -Wall -Woverflow -Wextra -Wmissing-prototypes -Wstrict-prototypes -Wswitch -Wsign-compare -Wformat -Wtype-limits -Wundef -Wconversion -Wunused-parameter) -add_compile_options(-Wno-c99-extensions -Wno-language-extension-token -Wno-declaration-after-statement -Wno-embedded-directive) +add_compile_options(-Wno-c99-extensions -Wno-language-extension-token -Wno-declaration-after-statement -Wno-expansion-to-defined) # because of libsecutils: add_compile_options(-Wno-sign-conversion -Wno-shorten-64-to-32 -Wno-shadow) # TODO maybe clean up code and re-enable property 
@@ -278,15 +278,17 @@ if(NOT TARGET clean_all) add_custom_target(clean_all COMMAND ${CMAKE_BUILD_TOOL} clean COMMAND find . -name "*.o" -o -name "*.d" -o -regex "./libgencmp-.*" | xargs rm + COMMAND find . -name build -type dir | xargs rm -r + COMMAND find . -path ./libsecutils/Makefile | xargs -I % ${CMAKE_BUILD_TOOL} -C libsecutils clean_all || true + COMMAND find . -path ./cmpossl/Makefile | xargs -I % ${CMAKE_BUILD_TOOL} -C cmpossl clean_all || true + COMMAND rm CMakeCache.txt # after the following, cannot call this target again: - COMMAND rm -r build COMMAND find . ( -name "*.cmake" -o -name Makefile ) - -not -path ./libsecutils -not -path ./cmpossl + -not -path ./libsecutils/* -not -path ./cmpossl/* | xargs rm COMMAND find . -name CMakeFiles - -not -path ./libsecutils -not -path ./cmpossl + -not -path ./libsecutils/* -not -path ./cmpossl/* | xargs rm -r - COMMAND rm CMakeCache.txt VERBATIM ) endif() diff --git a/Makefile_src b/Makefile_src index 869d6ca3..e7a08785 100644 --- a/Makefile_src +++ b/Makefile_src @@ -94,7 +94,7 @@ override CFLAGS += \ -Wformat -Wformat-security -Wtype-limits -Wundef -Wconversion \ -Wsign-compare -Wpointer-arith -Wunused-parameter -Wshadow \ -pedantic -DPEDANTIC -override CFLAGS +=-Wno-c99-extensions -Wno-language-extension-token -Wno-declaration-after-statement \ +override CFLAGS +=-Wno-c99-extensions -Wno-language-extension-token -Wno-declaration-after-statement -Wno-expansion-to-defined \ -Wno-sign-conversion -Wno-shorten-64-to-32 -Wno-shadow # due to libsecutils ifeq ($(LPATH),) override CFLAGS += -I$(SECUTILS_DIR)/src/libsecutils/include 
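Review bot: `find . -name build -type dir` in the added clean_all command is not accepted by GNU find, whose `-type` takes single-letter codes, so the target fails at that step before any of the later commands run; it should read `-type d`. When nothing matches, `xargs rm -r` is still executed with no operands and errors out (GNU xargs runs the command once even on empty input), so `find . -name build -type d | xargs -r rm -r` is the safer form; the pre-existing `xargs rm` lines in this target have the same weakness. The build-directory removal also runs before the `-C libsecutils clean_all` and `-C cmpossl clean_all` invocations and may delete build trees those recursive cleans depend on — worth confirming the intended order.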
@@ -143,7 +143,7 @@ ifeq ($(LPATH),) # TODO maybe better use absolute path here, as done by CMake override LDFLAGS += -Wl,-rpath,$(OUT_DIR) # no more needed: -Wl,-rpath,$(SECUTILS_DIR) ifndef NDEBUG # for CLI-based tests - override LDFLAGS += -Wl,-rpath,$(OUT_DIR)/../../../.. +# override LDFLAGS += -Wl,-rpath,$(OUT_DIR)/../../../.. # not needed due to OUT_DIR set also for libsecutils: # override LDFLAGS += -Wl,-rpath,$(OUT_DIR)/../../../../$(SECUTILS_DIR) endif diff --git a/Makefile_tests b/Makefile_tests index e750afc2..7739e477 100644 --- a/Makefile_tests +++ b/Makefile_tests @@ -101,7 +101,7 @@ conformance: $(CMPCLIENT) OPENSSL_CMP_CONFIG ?= test.cnf .phony: test_cli -test_cli: $(CMPCLIENT) +test_cli: @which $(PERL) || (echo "cannot find Perl, please install it"; false) @echo -en "\n#### running CLI-based tests #### " @if [ -n "$$OPENSSL_CMP_SERVER" ]; then echo -en "with server=$$OPENSSL_CMP_SERVER"; else echo -n "without server"; fi diff --git a/Makefile_v1 b/Makefile_v1 index cb375aaa..fe12dae1 100644 --- a/Makefile_v1 +++ b/Makefile_v1 @@ -276,7 +276,7 @@ ifdef SECUTILS_NO_TLS endif .phony: submodules -ifeq ($(SECUTILS_DIR),) +ifneq ($(LPATH),) submodules: else .phony: get_submodules build_submodules clean_submodules @@ -404,8 +404,8 @@ build_no_tls: .phony: clean_test clean clean_config clean_uta clean_this -ifeq ($(LPATH),) clean_uta: +ifneq ($(wildcard $(SECUTILS_DIR)),) $(MAKE) -C $(SECUTILS_DIR) -f Makefile_v1 clean_uta -s endif @@ -558,7 +558,7 @@ run_demo: $(OUT_DIR_BIN) # tests ######################################################################## .phony: test_EJBCA-AWS -test_EJBCA-AWS: get_EJBCA_crls +test_EJBCA-AWS: build get_EJBCA_crls ifeq ($(filter-out EJBCA Simple,$(OPENSSL_CMP_SERVER)),) $(warning "### skipping test_$(OPENSSL_CMP_SERVER) since not supported in this environment ###") else 
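Review bot: `test_cli` loses its `$(CMPCLIENT)` prerequisite, so `make -f Makefile_tests test_cli` invoked on its own no longer builds or even checks for the client binary before running the CLI tests; the Perl check that follows stays, but nothing covers the binary. If the prerequisite was dropped on purpose because the Makefile_v1 test targets now depend on `build` (see the test_Mock and tests_LwCmp hunks), making that assumption explicit keeps the failure readable, e.g. `@test -x "$(CMPCLIENT)" || (echo "cannot find $(CMPCLIENT), please build it first"; false)` next to the Perl check, assuming `$(CMPCLIENT)` is the executable's path. The recipe of test_cli continues outside the hunk.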
@@ -601,7 +601,7 @@ endif .phony: start_Simple stop_Simple start_Simple: @echo "start SimpleLra" - @cd SimpleLra && ./RunLra.sh & + @cd SimpleLra && ./RunLra.sh & # requires Java 8 @sleep 2 stop_Simple: @@ -658,11 +658,11 @@ endif all: build doc .phony: test_Mock -test_Mock: +test_Mock: build $(MAKE) -f Makefile_tests test_Mock CMPCLIENT="$(OUT_DIR_BIN)" OPENSSL=$(OPENSSL) OPENSSL_VERSION=$(OPENSSL_VERSION) .phony: tests_LwCmp -tests_LwCmp: $(OUT_DIR_BIN) +tests_LwCmp: build $(MAKE) -f Makefile_tests tests_LwCmp CMPCLIENT="$(OUT_DIR_BIN)" OPENSSL=$(OPENSSL) OPENSSL_VERSION=$(OPENSSL_VERSION) test_all: demo_all test test_Mock tests_LwCmp @@ -758,7 +758,9 @@ clean_openssl: buildCMPforOpenSSL: openssl ${makeCMPforOpenSSL_trigger} -# Debian packaging ############################################################# +################################################################ +# Debian packaging +################################################################ ifeq ($(INSTALL_DEB_PKGS),) IGNORE_DEB_DEPEND=-d diff --git a/README.md b/README.md index 8c38c3e2..44bbd623 100644 --- a/README.md +++ b/README.md 
@@ -18,20 +18,24 @@ and the [Lightweight CMP Profile (LCMPP)](https://www.rfc-editor.org/rfc/rfc9483 To this end, it may be linked in addition to the intermediate CMP library [CMPforOpenSSL](https://github.com/mpeylo/cmpossl), called `libcmp` below. -The high-level API is on the one hand convenient to use for application -programmers and on the other hand complete and flexible enough -to cover the major certificate management use cases. The library supports developing CMP clients that adhere to the [Lightweight CMP Profile (LCMPP)](https://www.rfc-editor.org/rfc/rfc9483), which is geared towards simple and interoperable industrial use. -The software also provides a command-line interface (CLI) -that is handy for interactive exploration of using CMP in a PKI. +The [high-level API](doc/Generic_CMP_client_API.pdf) +is convenient to use for application programmers +while being sufficiently complete and flexible +to cover all major certificate management use cases. + +The software also provides a command-line interface (CLI) that is handy +for demonstrating and interactively exploring the use of CMP in a PKI.\ +Yet interfacing at API level is more direct and secure for productive use. Note: An OSS CMP client and registration authority (RA) implementation in Java is available in the form of a [generic CMP RA and client component](https://github.com/siemens/cmp-ra-component) -and the [LightweightCmpRa](), which is a demo CLI application using it. +and the [LightweightCmpRa](https://github.com/siemens/LightweightCmpRa), +which is a demo application making use of the component. ## Support model 
@@ -103,14 +107,48 @@ The following OSS components are used. or if the latest CMP features not yet available in OpenSSL are required, which can be indicated by setting the environment variable `USE_LIBCMP`. +For an overview of CMP features relevant in industrial use cases see +[LCMPP section 7.1](https://datatracker.ietf.org/doc/html/rfc9483#section-7.1). +CMP client (EE) features are supported by the genCMPClient as follows. + +The features newly defined with CMPv3 +in [RFC 9480 (CMP Updates)](https://www.rfc-editor.org/rfc/rfc9480) +are fully covered when using the [intermediate CMP library `libcmp`]( +https://github.com/mpeylo/cmpossl) or when using at least OpenSSL 3.5.\ +Since the intermediate CMP library `libcmp` constitutes an extra dependency +and its maintenance may end soon after the release of OpenSSL 3.5, +better avoid using it. This is possible if all the CMP features needed +by the application scenario are covered by the OpenSSL version being used. + +* CMPv2 features defined in [RFC 4210](https://www.rfc-editor.org/rfc/rfc4210) + are already sufficiently covered by using at least OpenSSL 3.0.\ + This includes most of the + "Generic Aspects of PKI Messages and PKI Management Operations", + IR, CR, KUR, P10CR, MAC, RR, and polling for certification responses. +* In OpenSSL 3.2, "Get CA Certificates" and "Get Root CA Certificate Update" + were added. +* In OpenSSL 3.3, "Get Certificate Request Template" and support for certificate + profiles and generalized polling ("Handling Delayed Delivery") were added. +* In OpenSSL 3.4, "CRL Update Retrieval" was added. +* In OpenSSL 3.5, support for central key generation is going to be added. 
+ +The features newly defined with CMPv3 +in [RFC 9480 (CMP Updates)](https://www.rfc-editor.org/rfc/rfc9480) +are fully covered by the [intermediate CMP library `libcmp`]( +https://github.com/mpeylo/cmpossl) and will be covered by OpenSSL 3.5.\ +Since the intermediate CMP library `libcmp` constitutes an extra dependency +and its maintenance will likely end soon after the release of OpenSSL 3.5, +better avoid using it. This is possible if all the CMP features needed +by the application scenario are covered by the OpenSSL version being used. + Hint: As long as your system provides at least OpenSSL 3.0 and related development header files at a sufficiently new patch level, better not manually install in addition a different OpenSSL version unless you need newer CMP features without using the intermediate CMP library `libcmp`. -Such a manual installation can interfere with the more or less implicit -references to the locations of OpenSSL header files and binary library files. -So unless you know exactly what you are doing, you may receive -version mismatch errors like the one mentioned [below](#sanity-checks-on-openssl). +Such an extra installation can interfere with the more or less implicit references +to the default locations of OpenSSL header files and binary library files. +So unless knowing exactly what to do and being careful, one may receive version +mismatch errors like the one mentioned [below](#sanity-checks-on-openssl). @@ -171,7 +209,7 @@ this can provide useful information. When getting version mismatch errors like ``` -OpenSSL runtime version 0x304000d0 does not match version 0x300000d0 used by compiler +OpenSSL runtime version 0x30400000 does not match version 0x300000d0 used by compiler ``` make sure that the system-level configuration for finding header and library files as well as the optional environment variables `OPENSSL_DIR` and `OPENSSL_LIB` 
@@ -408,6 +446,8 @@ The Command-Line Interface (CLI) of the CMP client is implemented in [`src/cmpClient.c`](src/cmpClient.c). It supports most of the features of the genCMPClient library. The CLI use with the available options are documented in [`cmpClient.pod`](doc/cmpClient.pod). +An example configuration used by the below mentioned demo invocations +can be found in [`demo.cnf`](config/demo.cnf). For simple test invocations the Insta Certifier Demo CA server may be used, for instance as follows: @@ -444,6 +484,13 @@ You can view this certificate for instance by executing openssl x509 -noout -text -in creds/operational.crt ``` +To select a specific CMP profile on the CloudCA server, set the environment +variable `CMP_PROFILE` to the profile name. +For instance: +``` +CMP_PROFILE=Nested make -f Makefile_v1 demo_CloudCA +``` + CLI-based tests using the Insta Demo CA may be invoked using ``` make -f Makefile_v1 test_Insta @@ -452,20 +499,13 @@ where the PROXY environment variable may be used to override the default in order to reach the Insta Demo CA. In order to obtain a trace of the HTTP messages being sent and received, -build the genCMPClient with `USE_LIBCMP=1` and +one can build the genCMPClient with `USE_LIBCMP=1` and set the environment variable `OPENSSL_TRACE` to contain the string `"HTTP"`. For instance: ``` OPENSSL_TRACE=HTTP ./cmpClient imprint -section Insta ``` -To select a specific CMP profile on the CloudCA server, set the environment -variable `CMP_PROFILE` to the profile name. -For instance: -``` -CMP_PROFILE=Nested make -f Makefile_v1 demo_CloudCA -``` - ## Using the library in own applications @@ -519,8 +559,8 @@ SPDX-License-Identifier: Apache-2.0 +B<-srvcert> and B<-crlcert> options. +If not given here, the password will be prompted for if needed. + =back =head2 Client authentication options 
@@ -875,7 +897,7 @@ Requires for the corresponding key to be given with B<-key>. The subject of this certificate will be used as sender of outgoing CMP messages, while the subject of B<-oldcert> or B<-subjectName> may provide fallback values. The issuer of this certificate is used as one of the recipient fallback values -and as fallback issuer entry in the cerificate template of IR, CR, and KUR. +and as fallback issuer entry in the certificate template of IR, CR, and KUR. When using signature-based message protection, this "protection certificate" will be included first in the extraCerts field of outgoing messages and the signature is done with the corresponding key. @@ -1034,6 +1056,14 @@ These requests are not sent to the server if the B<-reqin> option is used, too. Multiple filenames may be given, separated by commas and/or whitespace. As many files are written as needed to store the complete transaction. +=item B<-reqout_only> I + +Save the first CMP requests created by the client to the given file and exit. +Any options related to CMP servers and their reponses are ignored. + +This option is useful for supporting offline scenarios where the certificate +request (or any other CMP request) is produced beforehand and sent out later. + =item B<-rspin> I Process the sequence of CMP responses provided in file(s), skipping server. @@ -1065,7 +1095,7 @@ but only as far as a trust store is provided for TLS or at CMP level. Then by default only the leaf certificates of a chain are checked, i.e., the certificates of CMP servers and of TLS servers (as far as TLS is used). The options B<-check_all> and B<-check_any> may be used to change the extent -of the checks to futher elements in the CA chain of these certificates. +of the checks to further elements in the CA chain of these certificates. For each certificate for which the status check is demanded the certification verification procedure will try to obtain the revocation status 
@@ -1191,11 +1221,59 @@ or L for details. =back +=head1 HISTORY + +For an overview of CMP features relevant in industrial use cases see +[LCMPP section 7.1](https://datatracker.ietf.org/doc/html/rfc9483#section-7.1). +CMP client (EE) features are supported by the genCMPClient as follows. + +The features newly defined with CMPv3 +in [RFC 9480 (CMP Updates)](https://www.rfc-editor.org/rfc/rfc9480) +are fully covered when using the [intermediate CMP library `libcmp`]( +https://github.com/mpeylo/cmpossl) or when using at least OpenSSL 3.5. + +* CMPv2 features defined in [RFC 4210](https://www.rfc-editor.org/rfc/rfc4210) + are sufficiently covered by using OpenSSL 3.0.\ + This includes most of the + "Generic Aspects of PKI Messages and PKI Management Operations", + IR, CR, KUR, P10CR, MAC, RR, and polling for certification responses. +* In OpenSSL 3.2, "Get CA Certificates" and "Get Root CA Certificate Update" + were added, as well as + the B<-srvcertout> option for saving the validated server certificate and + the B<-serial> option for the serial number of certificates to be revoked. + Since then, the B<-issuer> may be used also for certificates to be revoked. +* In OpenSSL 3.3, support for certificate profiles with the B<-profile> option + and generalized polling ("Handling Delayed Delivery") were added, as well as + the B<-no_cache_extracerts> option for not reusing extraCerts received. +* In OpenSSL 3.4, "Get Certificate Request Template" and + "CRL Update Retrieval" were added, as well as the related B<-template>, + B<-crlcert>, B<-oldcrl>, and B<-crlout> options. +* In OpenSSL 3.5, support for central key generation is added. + + =head1 COPYRIGHT -Copyright (c) 2021 Siemens AG. +Copyright (c) 2021-2024 Siemens AG. 
Licensed under the Apache License, Version 2.0 SPDX-License-Identifier: Apache-2.0 =cut + +# LocalWords: cmpClient cli md doc pkcs tls cert cmd ir cr kur rr +# LocalWords: genm infotype geninfo newkeytype len centralkeygen cn +# LocalWords: newkey newkeypass arg reqexts san nodefault oids popo +# LocalWords: csr ip certout chainout oldcert revreason msg srvcert +# LocalWords: keyusage extracerts srvcertout extracertsout dir ref +# LocalWords: dirname cacertsout cacerts oldwithold newwithnew mac +# LocalWords: newwithold oldwithnew oldcrl crlout keypass reqin tid +# LocalWords: reqout rspin rspout crls cdp cdps url crl maxdownload +# LocalWords: aia ocsp num auth attime ss sig suiteB alt certs CRIT +# LocalWords: EMERG nbsp stdout signKeyPairTypes caCerts rootCaCert +# LocalWords: certReqTemplate crlStatusList int str genp keySpec fd +# LocalWords: env DC org RAVERIFIED KEYENC crlcert CRLReason RP +# LocalWords: keyCompromise cACompromise affiliationChanged PKIConf +# LocalWords: cessationOfOperation certificateHold removeFromCRL CP +# LocalWords: privilegeWithdrawn aACompromise PKIStatus pollRep crt +# LocalWords: ErrMsgContent pem KUP thisUpdate subjectName ALG sha +# LocalWords: openssl hmacWithSHA hmac recipNonce CMPv libcmp diff --git a/include/genericCMPClient.h b/include/genericCMPClient.h index afd16f3e..1fb46b29 100644 --- a/include/genericCMPClient.h +++ b/include/genericCMPClient.h @@ -23,6 +23,10 @@ extern "C" { # include +#define OPENSSL_3_2_FEATURES (OPENSSL_VERSION_NUMBER >= 0x30200000L || defined(USE_LIBCMP)) +#define OPENSSL_3_3_FEATURES (OPENSSL_VERSION_NUMBER >= 0x30300000L || defined(USE_LIBCMP)) +#define OPENSSL_3_4_FEATURES (OPENSSL_VERSION_NUMBER >= 0x30400000L || defined(USE_LIBCMP)) + # if OPENSSL_VERSION_NUMBER < 0x30000000L || defined(USE_LIBCMP) # include /* if not found, maybe genericCMPClient_config.h is not up to date w.r.t. USE_LIBCMP */ # endif 
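Review bot: The three new OPENSSL_*_FEATURES macros expand to an expression containing `defined(USE_LIBCMP)`, and a `defined` token produced by macro expansion inside `#if` is undefined behavior in ISO C (C11 6.10.1p4); the commit silences the resulting diagnostic by adding `-Wno-expansion-to-defined` in CMakeLists.txt and Makefile_src instead of avoiding the construct. The same expansion is relied on by every `#if OPENSSL_3_x_FEATURES` in genericCMPClient.h and cmpClient.c and by `#if !OPENSSL_3_2_FEATURES` / `#if !OPENSSL_3_4_FEATURES` in check_options. Defining each macro as a plain 0/1 constant via a nested conditional, as below, keeps all those uses working unchanged and makes the warning suppression unnecessary. The new `#define` lines also sit at column 0 while the surrounding directives inside the `extern "C"` block use the indented `# if`/`# include` style.
```c
# if OPENSSL_VERSION_NUMBER >= 0x30200000L || defined(USE_LIBCMP)
#  define OPENSSL_3_2_FEATURES 1
# else
#  define OPENSSL_3_2_FEATURES 0
# endif
# if OPENSSL_VERSION_NUMBER >= 0x30300000L || defined(USE_LIBCMP)
#  define OPENSSL_3_3_FEATURES 1
# else
#  define OPENSSL_3_3_FEATURES 0
# endif
# if OPENSSL_VERSION_NUMBER >= 0x30400000L || defined(USE_LIBCMP)
#  define OPENSSL_3_4_FEATURES 1
# else
#  define OPENSSL_3_4_FEATURES 0
# endif
/* … unchanged: conditional include of the libcmp header … */
```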
@@ -30,7 +34,6 @@ extern "C" { # include /* for abbreviation and backward compatibility: */ typedef OSSL_CMP_CTX CMP_CTX; -/* typedef OSSL_CMP_severity severity; already defined by libsecutils */ # if OPENSSL_VERSION_NUMBER < 0x30000080L # define OSSL_CMP_PKISTATUS_request -3 @@ -148,7 +151,7 @@ CMP_err CMPclient_setup_HTTP(CMP_CTX *ctx, const char *server, const char *path, CMP_err CMPclient_setup_BIO(CMP_CTX *ctx, BIO *rw, const char *path, int keep_alive, int timeout); -# if OPENSSL_VERSION_NUMBER >= 0x30300000L || defined(USE_LIBCMP) +# if OPENSSL_3_3_FEATURES /* call optionally before requests; name may be UTF8-encoded string */ /* This calls OSSL_CMP_CTX_reset_geninfo_ITAVs() if name == NULL */ CMP_err CMPclient_add_certProfile(CMP_CTX *ctx, OPTIONAL const char *name); 
@@ -214,23 +217,25 @@ CMP_err CMPclient_update_anycert(OSSL_CMP_CTX *ctx, CREDENTIALS **new_creds, /* reason codes are defined in openssl/x509v3.h */ CMP_err CMPclient_revoke(CMP_CTX *ctx, const X509 *cert, /* TODO: X509_REQ *csr, */ int reason); -# if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) +# if OPENSSL_3_2_FEATURES /* get CA certs, discard duplicates, and verify they are non-expired CA certs */ CMP_err CMPclient_caCerts(CMP_CTX *ctx, STACK_OF(X509) **out); # endif /* get certificate request template and related key specifications */ -# if OPENSSL_VERSION_NUMBER > 0x30400000L || defined(USE_LIBCMP) +# if OPENSSL_3_4_FEATURES CMP_err CMPclient_certReqTemplate(CMP_CTX *ctx, OSSL_CRMF_CERTTEMPLATE **certTemplate, OPTIONAL OSSL_CMP_ATAVS **keySpec); # endif -# if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) +# if OPENSSL_3_2_FEATURES /* get any root CA key update and verify it as far as possible */ CMP_err CMPclient_rootCaCert(CMP_CTX *ctx, const X509 *oldWithOld, X509 **newWithNew, OPTIONAL X509 **newWithOld, OPTIONAL X509 **oldWithNew); +# endif +# if OPENSSL_3_4_FEATURES /* get latest CRL according to cert DPN/issuer or get any update on given CRL */ CMP_err CMPclient_crlUpdate(CMP_CTX *ctx, OPTIONAL const X509 *cert, OPTIONAL const X509_CRL *last_crl, X509_CRL **crl); @@ -282,7 +287,7 @@ SSL_CTX *TLS_new(OPTIONAL const X509_STORE *truststore, OPTIONAL const CREDENTIALS *creds, OPTIONAL const char *ciphers, int security_level); void TLS_free(OPTIONAL SSL_CTX *tls); -# endif +# endif /* X509_EXTENSIONS helpers */ # ifdef LOCAL_DEFS diff --git a/src/cmpClient.c b/src/cmpClient.c index e4977c0f..2d1e956a 100644 --- a/src/cmpClient.c +++ b/src/cmpClient.c 
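Review bot: The gates for `CMPclient_caCerts`, `CMPclient_certReqTemplate` and `CMPclient_rootCaCert` move from a strict `> 0x30200000L` / `> 0x30400000L` comparison to the `>=` built into the new OPENSSL_3_2_FEATURES / OPENSSL_3_4_FEATURES macros, so a build against exactly OpenSSL 3.2.0 or 3.4.0 now exposes these declarations where it previously did not. This looks intentional, since the strict comparison excluded the very release that introduced the feature, but it is a behavior change for such builds and deserves a line in the commit message or a comment at the macro definitions. `CMPclient_crlUpdate` correspondingly moves from the 3.2 gate to the 3.4 one, matching the README note that CRL Update Retrieval arrived in OpenSSL 3.4.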
@@ -75,10 +75,10 @@ const char *opt_recipient;
 const char *opt_expect_sender;
 bool opt_ignore_keyusage;
 bool opt_unprotected_errors;
-#if OPENSSL_VERSION_NUMBER >= 0x30300000L || defined USE_LIBCMP
+#if OPENSSL_3_3_FEATURES
 bool opt_no_cache_extracerts;
 #endif
-#if OPENSSL_VERSION_NUMBER >= 0x30200000L || defined USE_LIBCMP
+#if OPENSSL_3_2_FEATURES
 const char *opt_srvcertout;
 #endif
 const char *opt_extracertsout;
@@ -92,9 +92,12 @@ const char *opt_newwithnew;
 const char *opt_newwithold;
 const char *opt_oldwithnew;
 const char *opt_template;
+const char *opt_crlcert;
 const char *opt_oldcrl;
 const char *opt_crlout;
+const char *opt_otherpass = NULL;
+
 /* client authentication */
 const char *opt_ref;
 const char *opt_secret;
@@ -140,7 +143,7 @@ const char *opt_chainout;
 const char *opt_oldcert;
 long opt_revreason;
 const char *opt_issuer;
-#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP
+#if OPENSSL_3_2_FEATURES
 char *opt_serial;
 #endif
@@ -161,6 +164,8 @@ const char *opt_tls_host;
 static char *opt_reqin = NULL;
 static bool opt_reqin_new_tid = 0;
 static char *opt_reqout = NULL;
+static char *opt_reqout_only = NULL;
+static int reqout_only_done = 0;
 static char *opt_rspin = NULL;
 static char *opt_rspout = NULL;
@@ -196,26 +201,25 @@ opt_t cmp_opts[] = { { "cmd", OPT_TXT, {.txt = NULL}, { &opt_cmd }, "CMP request to send: ir/cr/p10cr/kur/rr/genm. Overrides 'use_case' if given"}, { "infotype", OPT_TXT, {.txt = NULL}, { &opt_infotype }, - "InfoType name for requesting specific info in genm, " -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP - "with specific support" -#else - "e.g., C" + "InfoType name for requesting info in genm, e.g., C" +#if OPENSSL_3_2_FEATURES + ", with specific" #endif }, -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP - OPT_MORE("for 'caCerts' and 'rootCaCert'"), -#endif -#if OPENSSL_VERSION_NUMBER > 0x30300000L || defined USE_LIBCMP - OPT_MORE("for 'caCerts', 'rootCaCert', 'certReqTemplate', and 'crlStatusList'"), +# if OPENSSL_3_4_FEATURES + OPT_MORE("support for 'caCerts', 'rootCaCert', 'certReqTemplate', and 'crlStatusList'"), +# elif OPENSSL_3_2_FEATURES + OPT_MORE("support for 'caCerts' and 'rootCaCert'"), #endif { "profile", OPT_TXT, {.txt = NULL}, { &opt_profile }, "Cert profile name to place in generalInfo field of PKIHeader of requests"}, { "geninfo", OPT_TXT, {.txt = NULL}, { (const char **)&opt_geninfo }, "Comma-separated list of OID and value to place in generalInfo PKIHeader"}, OPT_MORE("of form :int: or :str:, e.g. \'1.2.3.4:int:56789, id-kp:str:name'"), +#if OPENSSL_3_4_FEATURES { "template", OPT_TXT, {.txt = NULL}, { &opt_template }, "File to save certTemplate received in genp of type certReqTemplate"}, +#endif OPT_HEADER("Certificate enrollment"), { "newkeytype", OPT_TXT, {.txt = NULL}, { &opt_newkeytype }, 
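Review bot: The conditional around the two OPT_MORE lines mixes indented `# if`/`# elif` with an unindented `#endif`, while the `#if OPENSSL_3_2_FEATURES`/`#endif` pair directly above it inside the infotype entry is at column 0; one style for both, e.g. `#if OPENSSL_3_4_FEATURES` / `#elif OPENSSL_3_2_FEATURES` / `#endif`, would read more consistently. The `template` entry is now registered only under OPENSSL_3_4_FEATURES although `opt_template` itself stays declared unconditionally and the certReqTemplate case is additionally rejected at runtime in check_options with "not supported for OpenSSL < 3.4"; if both guards are wanted, a short comment such as `/* compile-time guard; check_options also reports the unsupported infoType at runtime */` would explain the overlap. The table continues outside the hunk.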
@@ -224,8 +228,8 @@ opt_t cmp_opts[] = { { (const char **) &opt_centralkeygen}, "Request central (server-side) key generation. Default is local generation"}, { "newkey", OPT_TXT, {.txt = NULL}, { &opt_newkey }, - "Private or public key for for ir/cr/kur (defaulting to pubkey of -csr) if -newkeytype not given."}, - OPT_MORE("File to save new key if -newkeytype is given"), + "Private or public key for for ir/cr/kur (defaulting to pubkey of -csr)"}, + OPT_MORE("if -newkeytype is not given, otherwise file to save new key"), { "newkeypass", OPT_TXT, {.txt = NULL}, { &opt_newkeypass }, "Pass phrase source for -newkey"}, { "subject", OPT_TXT, {.txt = NULL}, { &opt_subject }, @@ -279,14 +283,14 @@ opt_t cmp_opts[] = { OPT_MORE("Values: 0..6, 8..10 (see RFC5280, 5.3.1) or -1. Default -1 = none included"), { "issuer", OPT_TXT, {.txt = NULL}, { &opt_issuer }, "DN of the issuer to place in the certificate template of ir/cr/kur" -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_3_2_FEATURES "/rr" #else "" #endif ";"}, OPT_MORE("also used as recipient if neither -recipient nor -srvcert are given"), -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_3_2_FEATURES { "serial", OPT_TXT, {.txt = NULL}, {(const char **) &opt_serial}, "Serial number of certificate to be revoked in revocation request (rr)"}, #endif 
@@ -334,12 +338,12 @@ opt_t cmp_opts[] = { { (const char **) &opt_unprotected_errors }, "Accept missing or invalid protection of regular error messages and negative"}, OPT_MORE("certificate responses (ip/cp/kup), revocation responses (rp), and PKIConf"), -#if OPENSSL_VERSION_NUMBER >= 0x30300000L || defined USE_LIBCMP +#if OPENSSL_3_3_FEATURES { "no_cache_extracerts", OPT_BOOL, {.bit = false}, { (const char **) &opt_no_cache_extracerts }, "Do not keep certificates received in the extraCerts CMP message field"}, #endif -#if OPENSSL_VERSION_NUMBER >= 0x30200000L || defined USE_LIBCMP +#if OPENSSL_3_2_FEATURES { "srvcertout", OPT_TXT, {.txt = NULL}, { &opt_srvcertout }, "File to save server cert used and validated for CMP response protection"}, #endif @@ -365,10 +369,14 @@ opt_t cmp_opts[] = { "File to save NewWithOld cert received in genp of type rootCaKeyUpdate"}, { "oldwithnew", OPT_TXT, {.txt = NULL}, { &opt_oldwithnew }, "File to save OldWithNew cert received in genp of type rootCaKeyUpdate"}, + { "crlcert", OPT_TXT, {.txt = NULL}, { &opt_crlcert }, + "cert to take CRL source data from for genm of type crlStatusList"}, { "oldcrl", OPT_TXT, {.txt = NULL}, { &opt_oldcrl }, - "CRL to request update for in genm of type crlStatusList"}, + "CRL to obtain an update for in genm of type crlStatusList"}, { "crlout", OPT_TXT, {.txt = NULL}, { &opt_crlout }, "File to save new CRL received in genp of type 'crls'"}, + { "otherpass", OPT_TXT, {.txt = NULL}, { &opt_otherpass }, + "Pass phrase source potentially needed for loading certificates of others"}, OPT_HEADER("Client authentication and protection"), { "ref", OPT_TXT, {.txt = NULL}, { &opt_ref }, 
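Review bot: The help text of the new `crlcert` entry starts in lower case, `"cert to take CRL source data from ..."`, while every neighbouring entry starts with a capital ("File to save ...", "CRL to obtain ..."); `"Cert to take CRL source data from for genm of type crlStatusList"` keeps the help output uniform. Unlike the `template` entry earlier in this table, the `crlcert`, `oldcrl` and `crlout` entries are not wrapped in `#if OPENSSL_3_4_FEATURES` even though `CMPclient_crlUpdate` in the header now is; this appears deliberate given the runtime rejection of `crlStatusList` in check_options, but the asymmetry is worth a one-line comment so the next reader does not "fix" it.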
@@ -422,6 +430,8 @@ opt_t cmp_opts[] = {
 "Use fresh transactionID for CMP requests read from -reqin"},
 {"reqout", OPT_TXT, {.txt = NULL}, { (const char **) &opt_reqout},
 "Save sequence of CMP requests to file(s)"},
+ {"reqout_only", OPT_TXT, {.txt = NULL}, { (const char **) &opt_reqout_only},
+ "Save first CMP request created by the client to file and exit"},
 {"rspin", OPT_TXT, {.txt = NULL}, { (const char **) &opt_rspin},
 "Process sequence of CMP responses provided in file(s), skipping server"},
 {"rspout", OPT_TXT, {.txt = NULL}, { (const char **) &opt_rspout},
@@ -773,6 +783,11 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx,
 OSSL_CMP_PKIHEADER *hdr;
 const char *prev_opt_rspin = opt_rspin;
+ if (opt_reqout_only != NULL) {
+ if (write_PKIMESSAGE(req, &opt_reqout_only))
+ reqout_only_done = 1;
+ return NULL; /* stop at this point, not contacting any server */
+ }
 if (opt_reqout != NULL && !write_PKIMESSAGE(req, &opt_reqout))
 goto err;
 if (opt_reqin != NULL && opt_rspin == NULL) {
@@ -792,7 +807,7 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx,
 * Except for first request, need to satisfy recipNonce check by server.
 * Unfortunately requires re-protection if the request was protected.
 */
-#if OPENSSL_VERSION_NUMBER >= 0x30000090L || defined USE_LIBCMP
+#if OPENSSL_VERSION_NUMBER >= 0x30000090L || defined(USE_LIBCMP)
 if (!OSSL_CMP_MSG_update_recipNonce(ctx, req_new))
 goto err;
 #endif
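Review bot: The early `return NULL` in read_write_req_resp makes the CMP library see a failed transfer, and the only thing distinguishing "request written, stop as requested" from "write_PKIMESSAGE() failed" is the file-scope `reqout_only_done` flag, which is presumably inspected at a call site outside this hunk; both outcomes return NULL and neither logs anything here. That contract deserves to be stated on the spot, e.g. `/* caller must check reqout_only_done to tell a successful write from a failure */` on the `return NULL` line, since a future cleanup that drops the flag would silently turn every `-reqout_only` run into an error. The check also precedes the `-reqout` handling, so with both options given only the `-reqout_only` file is written, which matches the warning emitted in setup_transfer. The function body continues outside the hunk.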
@@ -1035,8 +1050,8 @@ static int setup_ctx(CMP_CTX *ctx) /* set option flags directly via CMP API */ if (!OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_ERRORS, opt_unprotected_errors ? 1 : 0) -#if OPENSSL_VERSION_NUMBER >= 0x30300000L || defined USE_LIBCMP - || (opt_no_cache_extracerts && // TODO remove this condition, which is just a workaround for wrong variant of OSSL_CMP_CTX_set_option() being called +#if OPENSSL_3_3_FEATURES + || (opt_no_cache_extracerts && /* TODO remove this condition, which is just a workaround for wrong variant of OSSL_CMP_CTX_set_option() being called */ !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_NO_CACHE_EXTRACERTS, opt_no_cache_extracerts ? 1 : 0)) #endif @@ -1056,7 +1071,7 @@ static int setup_ctx(CMP_CTX *ctx) } if (opt_profile != NULL) { -#if OPENSSL_VERSION_NUMBER >= 0x30300000L || defined USE_LIBCMP +#if OPENSSL_3_3_FEATURES err = CMPclient_add_certProfile(ctx, opt_profile); #else LOG_err("-profile option is not supported for OpenSSL < 3.3"); @@ -1180,7 +1195,7 @@ static CMP_err prepare_CMP_client(CMP_CTX **pctx, enum use_case use_case, LOG_warn("-reqin is ignored since -rspin is present"); if (opt_reqin_new_tid && opt_reqin == NULL) LOG_warn("-reqin_new_tid is ignored since -reqin is not present"); - if (opt_reqin != NULL || opt_reqout != NULL + if (opt_reqin != NULL || opt_reqout != NULL || opt_reqout_only != NULL || opt_rspin != NULL || opt_rspout != NULL) transfer_fn = read_write_req_resp; @@ -1205,7 +1220,7 @@ static CMP_err prepare_CMP_client(CMP_CTX **pctx, enum use_case use_case, goto err; if (opt_srvcert != NULL) { - X509 *srvcert = CERT_load(opt_srvcert, NULL /* pass */, + X509 *srvcert = CERT_load(opt_srvcert, opt_otherpass, "directly trusted CMP server certificate", -1 /* no type check */, vpm); 
@@ -1247,9 +1262,36 @@ static int setup_transfer(CMP_CTX *ctx)
 goto err;
 }
+ if (opt_reqout_only != NULL) {
+ const char *msg = "option is ignored since -reqout_only option is given";
+
+ if (opt_server != NULL) {
+ LOG(FL_WARN, "-server %s", msg);
+ opt_server = NULL;
+ }
+ if (opt_path != NULL) {
+ LOG(FL_WARN, "-path %s", msg);
+ opt_path = NULL;
+ }
+#if 0 /* TODO add in case mock server functionality is included */
+ if (opt_use_mock_srv)
+ LOG(FL_WARN, "-use_mock_srv %s", msg);
+#endif
+ if (opt_reqout != NULL)
+ LOG(FL_WARN, "-reqout %s", msg);
+ if (opt_rspin != NULL)
+ LOG(FL_WARN, "-rspin %s", msg);
+ if (opt_rspout != NULL)
+ LOG(FL_WARN, "-rspout %s", msg);
+ }
 if (opt_server == NULL) {
- if (opt_rspin == NULL) {
- LOG_err("missing -server or -rspin option");
+ /*
+ * TODO add below in case mock server functionality is included:
+ * !opt_use_mock_srv &&
+ */
+ if (opt_reqout_only == NULL && opt_rspin == NULL) {
+ /* TODO add in that case also: "or -use_mock_srv" */
+ LOG_err("missing -server or -reqout_only or -rspin option");
 err = -15;
 goto err;
 }
@@ -1272,8 +1314,9 @@ static int setup_transfer(CMP_CTX *ctx)
 && opt_tls_host == NULL) {
 if (opt_tls_used)
 LOG_warn("-tls_used given without any other TLS options");
- } else if (!opt_tls_used) {
- LOG_warn("TLS options(s) are ignored since -tls_used is not given");
+ } else {
+ if (!opt_tls_used)
+ LOG_warn("TLS options(s) are ignored since -tls_used is not given");
 }
 SSL_CTX *tls = NULL;
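Review bot: The new `-reqout_only` block warns about `-server`, `-path`, `-reqout`, `-rspin` and `-rspout` being ignored but says nothing about `-reqin`, although read_write_req_resp returns before its `-reqin` handling in that mode, so a request file supplied with `-reqin` is silently replaced by the client-generated one. Adding `if (opt_reqin != NULL) LOG(FL_WARN, "-reqin %s", msg);` alongside the other checks closes the gap (and `-reqin_new_tid` is implicitly covered by the existing warning that it is ignored without `-reqin`). Clearing `opt_server` and `opt_path` here also relies on the `if (opt_server == NULL)` branch below being skipped for `-reqout_only`, which the added condition does, but a short comment such as `/* -reqout_only never contacts a server */` at that branch would make the coupling explicit. The function continues outside the hunk.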
@@ -1452,8 +1495,8 @@ static int add_object(unsigned char *data, int len, int nid, const char *name) static int complete_genm_asn1_objects(void) { #if OPENSSL_VERSION_NUMBER >= 0x30000000L -# define ASN1_OID_IT 0x2B,0x06,0x01,0x05,0x05,0x07,0x04 -# define ASN1_OID_REGCTRL 0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01 +# define ASN1_OID_IT 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x04 +# define ASN1_OID_REGCTRL 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x05, 0x01 # if OPENSSL_VERSION_NUMBER < 0x30200000L /* were added by OpenSSL commit 34959f7a2256eadd23d56f0efe855be7fde282b2 */ static unsigned char so_rootCaCert[] = { ASN1_OID_IT, 20 }; @@ -1509,14 +1552,9 @@ static CMP_err check_options(enum use_case use_case) opt_centralkeygen = true; if (opt_infotype == NULL) { -#if 0 - if (use_case == genm) { - LOG_err("no -infotype option given for genm"); - return -51; - } -#else + if (use_case == genm) + LOG_warn("no -infotype option given for genm"); opt_infotype = ""; -#endif } else if (use_case != genm) { LOG_warn("-infotype option is ignored for commands other than 'genm'"); } else { 
@@ -1525,16 +1563,16 @@ static CMP_err check_options(enum use_case use_case) strncat(id_buf, opt_infotype, sizeof(id_buf) - strlen(id_buf) - 1); if ((infotype = OBJ_sn2nid(id_buf)) == NID_undef) { LOG(FL_ERR, "Unknown OID name '%s' in -infotype option", id_buf); -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if !OPENSSL_3_2_FEATURES if (strcmp(opt_infotype, "caCerts") == 0 - || strcmp(opt_infotype, "certReqTemplate") == 0) - LOG(FL_INFO, "infoType %s is not supported for OpenSSL < 3.0", + || strcmp(opt_infotype, "rootCaCert") == 0) + LOG(FL_INFO, "infoType %s is not supported for OpenSSL < 3.2", opt_infotype); #endif -#if OPENSSL_VERSION_NUMBER < 0x30200000L && OPENSSL_VERSION_NUMBER < 0x30000000L - if (strcmp(opt_infotype, "rootCaCert") == 0 +#if !OPENSSL_3_4_FEATURES + if (strcmp(opt_infotype, "certReqTemplate") == 0 || strcmp(opt_infotype, "crlStatusList") == 0) - LOG(FL_INFO, "infoType %s is not supported for OpenSSL < 3.0", + LOG(FL_INFO, "infoType %s is not supported for OpenSSL < 3.4", opt_infotype); #endif return -30; @@ -1561,6 +1599,8 @@ static CMP_err check_options(enum use_case use_case) if (use_case != genm || strcmp(opt_infotype, "crlStatusList") != 0) { const char *msg = "option is ignored unless -cmd 'genm' and -infotype 'crlStatusList' is given"; + if (opt_crlcert != NULL) + LOG(FL_WARN, "-crlcert %s", msg); if (opt_oldcrl != NULL) LOG(FL_WARN, "-oldcrl %s", msg); } @@ -1593,15 +1633,14 @@ static CMP_err check_options(enum use_case use_case) return -34; } - if (opt_check_all && opt_check_any) { + if (opt_check_all && opt_check_any) LOG_warn("-check_all overrides -check_any"); - } if (use_case == pkcs10 && opt_csr == NULL) { LOG_err("-csr option is missing for command 'p10cr'"); return -35; } -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_3_2_FEATURES if (use_case == revocation) { if (opt_issuer == NULL && opt_serial == NULL) { if (opt_oldcert == NULL && opt_csr == NULL) { 
@@ -1611,7 +1650,7 @@ static CMP_err check_options(enum use_case use_case) if (opt_oldcert != NULL && opt_csr != NULL) LOG_warn("Ignoring -csr since -oldcert is given for command 'rr' (revocation)"); } else { -#define OSSL_CMP_RR_MSG "since -issuer and -serial is given for command 'rr'" +# define OSSL_CMP_RR_MSG "since -issuer and -serial is given for command 'rr'" if (opt_issuer == NULL || opt_serial == NULL) { LOG_err("Must give both -issuer and -serial options or neither"); return -73; @@ -1664,13 +1703,11 @@ static CMP_err check_options(enum use_case use_case) return -23; } /* TODO check range of remaining numerical options */ - if ((crl_check || ocsp_check) && opt_trusted == NULL) { + if ((crl_check || ocsp_check) && opt_trusted == NULL) LOG_warn("Certificate status checks are enabled without providing the -trusted option"); - } if ((crl_check || ocsp_check || opt_stapling) && opt_tls_used - && opt_tls_trusted == NULL) { + && opt_tls_trusted == NULL) LOG_warn("Cannot do TLS certificate status checks without -tls_trusted option"); - } if ((opt_check_all || opt_check_any) && !crl_check && !ocsp_check) { LOG_err("-check_all or -check_any is given without any option enabling use of CRLs or OCSP"); return -37; @@ -1679,9 +1716,8 @@ static CMP_err check_options(enum use_case use_case) LOG_err("-ocsp_last is given without -ocsp or -use_aia enabling OCSP-based cert status checking"); return -38; } - if (opt_stapling && !opt_tls_used) { + if (opt_stapling && !opt_tls_used) LOG_warn("-stapling option is given without -tls_used"); - } #ifdef OPENSSL_NO_OCSP if (ocsp_check || opt_stapling) LOG_warn("OCSP may be not supported by the OpenSSL build used by the SecUtils"); 
@@ -1775,7 +1811,7 @@ static CMP_err check_template_options(CMP_CTX *ctx, EVP_PKEY **new_pkey, LOG_err("Cannot have Subject Alternative Names both via -reqexts and via -sans"); return CMP_R_MULTIPLE_SAN_SOURCES; } - if (opt_certout == NULL) { + if (opt_certout == NULL && opt_reqout_only == NULL) { LOG_err("-certout not given, nowhere to save certificate"); return -45; } @@ -1846,7 +1882,7 @@ static CMP_err check_template_options(CMP_CTX *ctx, EVP_PKEY **new_pkey, return -48; } } -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_3_2_FEATURES if (use_case == revocation) { if (set_name(opt_issuer, OSSL_CMP_CTX_set1_issuer, ctx, "issuer") != CMP_OK) return -70; @@ -1870,7 +1906,7 @@ static CMP_err check_template_options(CMP_CTX *ctx, EVP_PKEY **new_pkey, return CMP_OK; } -#if OPENSSL_VERSION_NUMBER >= 0x30200000L || defined USE_LIBCMP +#if OPENSSL_3_2_FEATURES static int delete_file(const char *file, const char *desc) { if (file == NULL) @@ -1978,14 +2014,12 @@ static CMP_err save_credentials(CMP_CTX *ctx, CREDENTIALS *new_creds, STACK_OF(X509) *certs = CREDENTIALS_get_chain(new_creds); if (opt_chainout != NULL && strcmp(opt_chainout, opt_certout) != 0) { - if (!CERT_save(cert, opt_certout, "newly enrolled certificate")) { + if (!CERT_save(cert, opt_certout, "newly enrolled certificate")) return CMP_R_STORE_CREDS; - } if (opt_chainout != NULL && CERTS_save(certs, opt_chainout, - "chain of newly enrolled certificate") < 0) { + "chain of newly enrolled certificate") < 0) return CMP_R_STORE_CREDS; - } } else { if (!FILES_store_credentials(NULL /* key */, cert, certs, NULL, opt_certout, FORMAT_PEM, NULL, @@ -2026,7 +2060,7 @@ static int print_itavs(const STACK_OF(OSSL_CMP_ITAV) *itavs) return ret; } -#if OPENSSL_VERSION_NUMBER > 0x30400000L || defined USE_LIBCMP +#if OPENSSL_3_4_FEATURES static int save_template(const char *file, const OSSL_CRMF_CERTTEMPLATE *tmpl) { BIO *bio = BIO_new_file(file, "wb"); 
@@ -2066,7 +2100,7 @@ static CMP_err do_genm(CMP_CTX *ctx, X509 *oldcert) CMP_err err; switch (infotype) { -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_3_2_FEATURES case NID_id_it_caCerts: if (opt_cacertsout == NULL) { LOG(FL_ERR, "Missing -cacertsout option for -infotype caCerts"); @@ -2088,8 +2122,7 @@ static CMP_err do_genm(CMP_CTX *ctx, X509 *oldcert) } CERTS_free(cacerts); return err; -#endif -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP + case NID_id_it_rootCaCert: if (opt_newwithnew == NULL) { LOG(FL_ERR, "Missing -newwithnew option for -infotype rootCaCert"); @@ -2134,12 +2167,12 @@ static CMP_err do_genm(CMP_CTX *ctx, X509 *oldcert) X509_free(oldwithold); return err; } -#endif +#endif /* OPENSSL_3_2_FEATURES */ -#if OPENSSL_VERSION_NUMBER > 0x30400000L || defined USE_LIBCMP +#if OPENSSL_3_4_FEATURES case NID_id_it_crlStatusList: - if (opt_oldcrl == NULL && opt_oldcert == NULL) { - LOG(FL_ERR, "Missing -oldcrl and no -oldcert given for -infotype crlStatusList"); + if (opt_oldcrl == NULL && opt_crlcert == NULL && opt_oldcert == NULL) { + LOG(FL_ERR, "Missing -oldcrl and no -crlcert nor -oldcert given for -infotype crlStatusList"); return -62; } if (opt_crlout == NULL) { 
@@ -2147,18 +2180,29 @@ static CMP_err do_genm(CMP_CTX *ctx, X509 *oldcert) return -63; } { + X509 *crlcert = NULL; X509_CRL *oldcrl = NULL, *crl = NULL; + err = -51; + if (opt_crlcert != NULL) { + crlcert = CERT_load(opt_crlcert, opt_otherpass, + "Cert for genm with -infotype crlStatusList", + -1 /* no type check */, vpm); + if (crlcert == NULL) + goto end_crlupd; + } err = -64; if (opt_oldcrl == NULL) { - LOG(FL_WARN, "No -oldcrl given, will use data from -oldcert"); + if (opt_crlcert == NULL) + LOG(FL_WARN, "No -oldcrl nor -crlcert given, will use data from -oldcert"); } else { oldcrl = CRL_load(opt_oldcrl, (int)opt_crls_timeout, "CRL for genm with -infotype crlStatusList"); if (oldcrl == NULL) goto end_crlupd; } - err = CMPclient_crlUpdate(ctx, oldcert, oldcrl, &crl); + err = CMPclient_crlUpdate(ctx, crlcert != NULL ? crlcert : oldcert, + oldcrl, &crl); if (err != CMP_OK) goto end_crlupd; @@ -2167,12 +2211,14 @@ static CMP_err do_genm(CMP_CTX *ctx, X509 *oldcert) LOG_info("no CRL update available"); if (!delete_file(opt_crlout, desc)) err = -65; - } else if (!FILES_store_crl(crl, opt_crlout, FORMAT_ASN1, desc)) { - err = -66; + } else { + if (!FILES_store_crl(crl, opt_crlout, FORMAT_ASN1, desc)) + err = -66; } end_crlupd: X509_CRL_free(oldcrl); X509_CRL_free(crl); + X509_free(crlcert); return err; } @@ -2258,7 +2304,7 @@ static CMP_err do_genm(CMP_CTX *ctx, X509 *oldcert) case -1: err = oldcert == NULL ? 0 : 0; return err; -#endif +#endif /* OPENSSL_3_4_FEATURES */ default: if (infotype != NID_undef) { @@ -2269,7 +2315,7 @@ static CMP_err do_genm(CMP_CTX *ctx, X509 *oldcert) opt_infotype, OpenSSL_version_num()); if (req == NULL || !OSSL_CMP_CTX_push0_genm_ITAV(ctx, req)) { LOG(FL_ERR, "Failed to create genm for -infotype %s", - opt_infotype); + opt_infotype); return -24; } } 
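Review bot: When both `-crlcert` and `-oldcert` are given, `crlcert != NULL ? crlcert : oldcert` silently prefers `-crlcert` and nothing tells the user that `-oldcert` played no part in the CRL status request; a one-line `LOG_warn("-oldcert is ignored for -infotype crlStatusList since -crlcert is given");` next to the existing `-oldcrl` warning would make the precedence visible, and the `-crlcert` check added to check_options could state it too. `CERT_load(..., -1 /* no type check */, vpm)` is taken on trust here; what validation, if any, `vpm` implies for the loaded certificate is not visible in this hunk, so a short comment on why no type check is wanted would help the next reader. The new `X509_free(crlcert)` at `end_crlupd` covers the early `goto` from a failed load as well, which looks right. do_genm continues outside the hunk.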
@@ -2352,6 +2398,12 @@ static int CMPclient(enum use_case use_case, OPTIONAL LOG_cb_t log_fn) } int status = OSSL_CMP_CTX_get_status(ctx); + if (status < OSSL_CMP_PKISTATUS_accepted && reqout_only_done) { + /* we got no response because we did not send request */ + ERR_clear_error(); + err = CMP_OK; + goto err; + } if (err != -19 && use_case != genm && status >= 0) { /* we got some response, print PKIStatusInfo */ char buf[OSSL_CMP_PKISI_BUFLEN]; @@ -2372,7 +2424,7 @@ static int CMPclient(enum use_case use_case, OPTIONAL LOG_cb_t log_fn) string != NULL ? string : ""); } -#if OPENSSL_VERSION_NUMBER >= 0x30200000L || defined USE_LIBCMP +#if OPENSSL_3_2_FEATURES if (!save_cert_or_delete(OSSL_CMP_CTX_get0_validatedSrvCert(ctx), opt_srvcertout, "validated server cert")) err = -53; @@ -2475,8 +2527,9 @@ int main(int argc, char *argv[]) use_case = revocation; } else if (strcmp(argv[1], "genm") == 0) { use_case = genm; - } else if (strcmp(argv[1], "validate") == 0) { - use_case = validate; + } else { + if (strcmp(argv[1], "validate") == 0) + use_case = validate; } } @@ -2491,7 +2544,7 @@ int main(int argc, char *argv[]) if (argv[i][0] == '-') { if (argv[i][1] == '-') argv[i]++; - if (strcmp(argv[i] + 1, "help") == 0) { + if (strcmp(argv[i] + 1, "help") == 0 || strcmp(argv[i] + 1, "h") == 0) { rc = print_help(prog); goto end; } else if (i + 1 < argc) { @@ -2593,6 +2646,14 @@ int main(int argc, char *argv[]) CRLs_free(crls); end: +#if 0 /* TODO check: likely not needed, arg type "const char *" does not fit */ + UTIL_cleanse(opt_keypass); + UTIL_cleanse(opt_newkeypass); + UTIL_cleanse(opt_otherpass); + UTIL_cleanse(opt_tls_keypass); + UTIL_cleanse(opt_secret); +#endif + if (rc != EXIT_SUCCESS) OSSL_CMP_CTX_print_errors(NULL); CRLMGMT_DATA_free(cmdata); diff --git a/src/genericCMPClient.c b/src/genericCMPClient.c index 04464255..210b7c80 100644 --- a/src/genericCMPClient.c +++ b/src/genericCMPClient.c 
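Review bot: The early-out `if (status < OSSL_CMP_PKISTATUS_accepted && reqout_only_done)` clears the OpenSSL error queue and reports `CMP_OK` without itself checking that the request file was written; it relies on `reqout_only_done` being set only after a successful write, which happens outside this hunk. A comment at the flag's definition, e.g. `/* set only after the request was written to -reqout_only; a write failure must leave it false so the error is not cleared in CMPclient() */`, would pin that invariant, and the `reqout_only non-existing directory and file` row added to test_commands.csv is the regression test that guards it. CMPclient starts outside the hunk.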
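Review bot: The `#if 0` block added at the `end:` label leaves the cleansing of `opt_keypass`, `opt_newkeypass`, `opt_otherpass`, `opt_tls_keypass` and `opt_secret` disabled, so pass phrases and the PBM secret remain in process memory until exit; the noted obstacle is only the `const char *` type of the option variables. Rather than shipping dead code, either drop the block and keep the TODO, or resolve it by having the option parser copy these values into writable buffers that are cleansed here — the variables point into argv or config-loaded memory, so casting away const is not a safe fix. The `-h` alias added in the argument loop should also appear in the help output if that text is maintained by hand. main starts outside the hunk.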
@@ -125,16 +125,14 @@ CMP_err CMPclient_prepare(OSSL_CMP_CTX **pctx, { OSSL_CMP_CTX *ctx = NULL; - if (pctx == NULL) { + if (pctx == NULL) return CMP_R_NULL_ARGUMENT; - } if ((ctx = OSSL_CMP_CTX_new(libctx, propq)) == NULL || !OSSL_CMP_CTX_set_log_cb(ctx, log_fn != NULL ? (OSSL_CMP_log_cb_t)log_fn : /* difference is in 'int' vs. 'bool' and additional TRACE value */ - (OSSL_CMP_log_cb_t)LOG_console)) { + (OSSL_CMP_log_cb_t)LOG_console)) goto err; /* TODO make sure that proper error code it set by OSSL_CMP_CTX_set_log_cb() */ - } if (cmp_truststore != NULL && (!X509_STORE_up_ref(cmp_truststore) || !OSSL_CMP_CTX_set0_trustedStore(ctx, cmp_truststore))) @@ -158,17 +156,15 @@ CMP_err CMPclient_prepare(OSSL_CMP_CTX **pctx, && !OSSL_CMP_CTX_set1_referenceValue(ctx, (unsigned char *)pwdref, (int)strlen(pwdref))) || (pkey != NULL && !OSSL_CMP_CTX_set1_pkey(ctx, pkey)) || - (cert != NULL && !OSSL_CMP_CTX_set1_cert(ctx, cert))) { + (cert != NULL && !OSSL_CMP_CTX_set1_cert(ctx, cert))) goto err; - } if (cert != NULL && !OSSL_CMP_CTX_build_cert_chain(ctx, creds_truststore, chain)) goto err; } else { - if (!OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_SEND, 1)) { + if (!OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_SEND, 1)) goto err; - } } /* need recipient for unprotected and PBM-protected messages */ @@ -213,9 +209,8 @@ CMP_err CMPclient_prepare(OSSL_CMP_CTX **pctx, return CMP_R_UNKNOWN_ALGORITHM_ID; } if (!OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_DIGEST_ALGNID, nid) - || !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_OWF_ALGNID, nid)) { + || !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_OWF_ALGNID, nid)) goto err; - } } if (mac != NULL) { 
@@ -234,13 +229,11 @@ CMP_err CMPclient_prepare(OSSL_CMP_CTX **pctx, && !OSSL_CMP_CTX_set_transfer_cb(ctx, transfer_fn)) || (total_timeout >= 0 && !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_TOTAL_TIMEOUT, - total_timeout))) { + total_timeout))) goto err; - } if (!OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_IMPLICIT_CONFIRM, - implicit_confirm ? 1 : 0)) { + implicit_confirm ? 1 : 0)) goto err; - } if (new_cert_truststore != NULL) { /* ignore any -attime option here, since new certs are current anyway */ X509_VERIFY_PARAM *out_vpm = X509_STORE_get0_param(new_cert_truststore); @@ -264,18 +257,16 @@ CMP_err CMPclient_prepare(OSSL_CMP_CTX **pctx, CMP_err CMPclient_setup_BIO(CMP_CTX *ctx, BIO *rw, const char *path, int keep_alive, int timeout) { - if (ctx == NULL) { + if (ctx == NULL) return CMP_R_INVALID_CONTEXT; - } if (!OSSL_CMP_CTX_set1_serverPath(ctx, path) || (timeout >= 0 && !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT, timeout)) || (keep_alive >= 0 && !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_KEEP_ALIVE, keep_alive)) || - !OSSL_CMP_CTX_set_transfer_cb_arg(ctx, rw)) { + !OSSL_CMP_CTX_set_transfer_cb_arg(ctx, rw)) return CMPOSSL_error(); - } if (rw != NULL) { if (path == NULL) @@ -345,9 +336,8 @@ static BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail) && !OSSL_HTTP_proxy_connect(bio, info->server, info->port, NULL, NULL, /* no proxy credentials */ info->timeout, bio_err, opt_getprog())) - || (sbio = BIO_new(BIO_f_ssl())) == NULL) { + || (sbio = BIO_new(BIO_f_ssl())) == NULL) return NULL; - } if ((ssl = SSL_new(ssl_ctx)) == NULL) { BIO_free(sbio); return NULL; @@ -500,7 +490,8 @@ CMP_err CMPclient_setup_HTTP(OSSL_CMP_CTX *ctx, if (path == NULL) path = ""; if (server == NULL) - LOG_info("will not contact any server"); /* since -rspin is given */ + LOG_info("will not contact any server"); + /* since -reqout_only or -rspin is given */ else LOG(FL_INFO, "will contact http%s://%s:%d%s%s%s%s", tls != NULL ? "s" : "", 
@@ -516,7 +507,7 @@ CMP_err CMPclient_setup_HTTP(OSSL_CMP_CTX *ctx, return err; } -#if OPENSSL_VERSION_NUMBER >= 0x30300000L || defined USE_LIBCMP +#if OPENSSL_3_3_FEATURES static int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk, const char *text, int len) { @@ -571,7 +562,7 @@ CMP_err CMPclient_add_certProfile(CMP_CTX *ctx, OPTIONAL const char *name) err: return CMPOSSL_error(); } -#endif /* OPENSSL_VERSION_NUMBER >= 0x30300000L || defined USE_LIBCMP */ +#endif /* OPENSSL_3_3_FEATURES */ CMP_err CMPclient_setup_certreq(OSSL_CMP_CTX *ctx, OPTIONAL const EVP_PKEY *new_key, @@ -608,14 +599,12 @@ CMP_err CMPclient_setup_certreq(OSSL_CMP_CTX *ctx, X509_EXTENSION_free); if (exts_copy == NULL - || !OSSL_CMP_CTX_set0_reqExtensions(ctx, exts_copy)) { + || !OSSL_CMP_CTX_set0_reqExtensions(ctx, exts_copy)) goto err; - } } - if (csr != NULL && !OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) { + if (csr != NULL && !OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) goto err; - } return CMP_OK; @@ -623,7 +612,7 @@ CMP_err CMPclient_setup_certreq(OSSL_CMP_CTX *ctx, return CMPOSSL_error(); } -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP /* TODO remove decls when exported by OpenSSL */ +#if OPENSSL_3_2_FEATURES /* TODO remove decls when exported by OpenSSL */ static int ossl_x509_add_cert_new_(STACK_OF(X509) **p_sk, X509 *cert, int flags) { if (*p_sk == NULL && (*p_sk = sk_X509_new_null()) == NULL) { @@ -633,7 +622,7 @@ static int ossl_x509_add_cert_new_(STACK_OF(X509) **p_sk, X509 *cert, int flags) return X509_add_cert(*p_sk, cert, flags); } -#if 0 // TODO remove? +# if 0 /* TODO remove? */ static int ossl_x509_add_certs_new(STACK_OF(X509) **p_sk, STACK_OF(X509) *certs, int flags) /* compiler would allow 'const' for the certs, yet they may get up-ref'ed */ 
@@ -672,9 +661,9 @@ int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs, } return 1; } -#endif +# endif -#if 0 // TODO remove? +# if 0 /* TODO remove? */ /*- * Builds a certificate chain starting from * using the optional list of intermediate CA certificates . @@ -736,7 +725,7 @@ STACK_OF(X509) *ossl_cmp_build_cert_chain(OSSL_LIB_CTX *libctx, X509_STORE_CTX_free(csc); return res; } -#endif +# endif #endif /* end TODO remove decls when exported by OpenSSL */ CMP_err CMPclient_enroll(OSSL_CMP_CTX *ctx, CREDENTIALS **new_creds, int cmd) @@ -774,9 +763,8 @@ CMP_err CMPclient_enroll(OSSL_CMP_CTX *ctx, CREDENTIALS **new_creds, int cmd) return CMP_R_INVALID_PARAMETERS; break; } - if (newcert == NULL) { + if (newcert == NULL) goto err; - } EVP_PKEY *new_key = OSSL_CMP_CTX_get0_newPkey(ctx, 1 /* priv */); /* NULL in case P10CR */ @@ -805,9 +793,8 @@ CMP_err CMPclient_enroll(OSSL_CMP_CTX *ctx, CREDENTIALS **new_creds, int cmd) CREDENTIALS *creds = CREDENTIALS_new(new_key, newcert, chain, NULL, NULL); CERTS_free(chain); - if (creds == NULL) { + if (creds == NULL) return ERR_R_MALLOC_FAILURE; - } *new_creds = creds; ERR_clear_error(); /* empty the OpenSSL error queue */ return CMP_OK; @@ -837,9 +824,8 @@ CMP_err CMPclient_imprint(OSSL_CMP_CTX *ctx, CREDENTIALS **new_creds, return CMP_R_INVALID_PARAMETERS; CMP_err err = CMPclient_setup_certreq(ctx, new_key, NULL /* old_cert */, subj, exts, NULL /* csr */); - if (err == CMP_OK) { + if (err == CMP_OK) err = CMPclient_enroll(ctx, new_creds, CMP_IR); - } X509_NAME_free(subj); return err; } @@ -865,9 +851,8 @@ CMP_err CMPclient_bootstrap(OSSL_CMP_CTX *ctx, CREDENTIALS **new_creds, return CMP_R_INVALID_PARAMETERS; CMP_err err = CMPclient_setup_certreq(ctx, new_key, NULL /* old_cert */, subj, exts, NULL /* csr */); - if (err == CMP_OK) { + if (err == CMP_OK) err = CMPclient_enroll(ctx, new_creds, CMP_CR); - } X509_NAME_free(subj); return err; } 
@@ -883,9 +868,8 @@ CMP_err CMPclient_pkcs10(OSSL_CMP_CTX *ctx, CREDENTIALS **new_creds, CMP_err err = CMPclient_setup_certreq(ctx, NULL /* new_key */, NULL /* old_cert */, NULL /* subject */, NULL /* exts */, csr); - if (err == CMP_OK) { + if (err == CMP_OK) err = CMPclient_enroll(ctx, new_creds, CMP_P10CR); - } return err; } @@ -897,9 +881,8 @@ CMP_err CMPclient_update_anycert(OSSL_CMP_CTX *ctx, CREDENTIALS **new_creds, NULL /* subject */, NULL /* exts */, NULL /* csr */); - if (err == CMP_OK) { + if (err == CMP_OK) err = CMPclient_enroll(ctx, new_creds, CMP_KUR); - } return err; } @@ -938,9 +921,8 @@ CMP_err CMPclient_revoke(OSSL_CMP_CTX *ctx, const X509 *cert, /* TODO: X509_REQ if ((reason >= CRL_REASON_UNSPECIFIED && !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_REVOCATION_REASON, reason)) - || !OSSL_CMP_exec_RR_ses(ctx)) { + || !OSSL_CMP_exec_RR_ses(ctx)) goto err; - } ERR_clear_error(); /* empty the OpenSSL error queue */ return CMP_OK; @@ -948,7 +930,7 @@ CMP_err CMPclient_revoke(OSSL_CMP_CTX *ctx, const X509 *cert, /* TODO: X509_REQ return CMPOSSL_error(); } -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_3_2_FEATURES static OSSL_CMP_ITAV *get_genm_itav(CMP_CTX *ctx, OSSL_CMP_ITAV *req, /* gets consumed */ int expected, const char *desc) @@ -1024,9 +1006,7 @@ static const X509_VERIFY_PARAM *get0_trustedStore_vpm(const CMP_CTX *ctx) return ts == NULL ? NULL : X509_STORE_get0_param(ts); } -#endif -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP CMP_err CMPclient_caCerts(CMP_CTX *ctx, STACK_OF(X509) **out) { OSSL_CMP_ITAV *req, *itav; @@ -1071,9 +1051,9 @@ CMP_err CMPclient_caCerts(CMP_CTX *ctx, STACK_OF(X509) **out) OSSL_CMP_ITAV_free(itav); return err; } -#endif +#endif /* OPENSSL_3_2_FEATURES */ -#if OPENSSL_VERSION_NUMBER > 0x30400000L || defined USE_LIBCMP +#if OPENSSL_3_4_FEATURES CMP_err CMPclient_certReqTemplate(CMP_CTX *ctx, OSSL_CRMF_CERTTEMPLATE **certTemplate, OPTIONAL OSSL_CMP_ATAVS **keySpec) 
@@ -1103,9 +1083,9 @@ CMP_err CMPclient_certReqTemplate(CMP_CTX *ctx, OSSL_CMP_ITAV_free(itav); return err; } -#endif +#endif /* OPENSSL_3_2_FEATURES */ -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_3_2_FEATURES static int selfsigned_verify_cb(int ok, X509_STORE_CTX *store_ctx) { if (ok == 0 && store_ctx != NULL @@ -1254,9 +1234,9 @@ CMP_err CMPclient_rootCaCert(CMP_CTX *ctx, OSSL_CMP_ITAV_free(itav); return err; } -#endif +#endif /* OPENSSL_3_2_FEATURES */ -#if OPENSSL_VERSION_NUMBER > 0x30400000L || defined USE_LIBCMP +#if OPENSSL_3_4_FEATURES CMP_err CMPclient_crlUpdate(CMP_CTX *ctx, OPTIONAL const X509 *cert, OPTIONAL const X509_CRL *last_crl, X509_CRL **crl) { @@ -1322,7 +1302,7 @@ CMP_err CMPclient_crlUpdate(CMP_CTX *ctx, OPTIONAL const X509 *cert, OSSL_CMP_ITAV_free(itav); return err; } -#endif +#endif /* OPENSSL_3_4_FEATURES */ char *CMPclient_snprint_PKIStatus(const OSSL_CMP_CTX *ctx, char *buf, size_t bufsize) diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t index a02c2fac..9a4fa136 100644 --- a/test/recipes/80-test_cmp_http.t +++ b/test/recipes/80-test_cmp_http.t @@ -138,6 +138,7 @@ my @server_configurations = ("Mock"); # ("Mock", "EJBCA", "Insta", "Simple"); @server_configurations = split /\s+/, $ENV{OPENSSL_CMP_SERVER} if $ENV{OPENSSL_CMP_SERVER}; # set env variable, e.g., OPENSSL_CMP_SERVER="Mock Insta" to include further CMP servers +my $mock_openssl_version = `$ENV{OPENSSL} version | perl -pe 's/OpenSSL (\\d\\.\\d).*/\$1/es;'` if grep(/^Mock$/, @server_configurations); my @all_aspects = ("connection", "verification", "credentials", "commands", "enrollment"); push (@all_aspects, "certstatus"); 
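Review bot: The new `#endif /* OPENSSL_3_2_FEATURES */` closes the block opened by `#if OPENSSL_3_4_FEATURES` before `CMPclient_certReqTemplate` (previous hunk), so the trailing comment is wrong and will mislead anyone matching guards by their comments; it should read `#endif /* OPENSSL_3_4_FEATURES */`, as the crlUpdate hunk below already does.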
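Review bot: `my $mock_openssl_version = ... if grep(...)` declares a lexical with a statement modifier, which perlsyn documents as undefined behaviour; declare it first with `my $mock_openssl_version;` and assign on the next line under the `if grep(/^Mock$/, @server_configurations)` condition. The capture `(\d\.\d)` keeps only one minor digit and the value is later compared with a numeric `>=`, so this scheme only works for single-digit minor versions (a hypothetical 3.10 would compare as 3.1); a comment stating that limitation, or a component-wise comparison, would avoid a silent mis-skip later. `$ENV{OPENSSL}` is interpolated unquoted into a shell command, which is acceptable for a harness-controlled variable but deserves a one-line comment saying so.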
@@ -162,7 +163,6 @@ sub test_cmp_http { if ($server_name eq "Mock" && !(grep { $_ eq '-server' } @$params)); my $cmd = app([@app, @$params]); - $expected_result = 1 if $server_name eq "Mock" && $title =~ m/- ok for Mock/; sleep($sleep) if $server_name eq "Insta"; sleep($sleep) if $server_name eq "Insta" && $title eq "path with additional '/'s fine according to RFC 3986" @@ -247,7 +247,7 @@ sub test_cmp_http_aspect { indir data_dir() => sub { plan tests => 1 + @server_configurations * @all_aspects + 2 - - (grep(/^Mock$/, @server_configurations) + - (grep(/^Mock$/, @server_configurations) # && $mock_openssl_version < 3.x && grep(/^certstatus$/, @all_aspects)); indir "Mock" => sub { @@ -270,8 +270,9 @@ indir data_dir() => sub { } foreach my $aspect (@all_aspects) { $aspect = chop_dblquot($aspect); - if ($server_name eq "Mock" && $aspect eq "certstatus") { - print "Skipping certstatus check as not supported by $server_name server\n"; + if (# $mock_openssl_version < 3.x && + $server_name eq "Mock" && $aspect eq "certstatus") { + print "Skipping certstatus check as not supported by $server_name server with OpenSSL version $mock_openssl_version\n"; next; } if (not($server_name =~ m/Insta/)) { # do not update aspect-specific settings for Insta @@ -342,6 +343,11 @@ sub load_tests { my $description = 1; $description += 3; my $title = $fields[$description]; + if ($server_name eq "Mock" && defined $expected_result && $expected_result =~ m/^\s*(3(\.\d+)+)\s*([01]?)\s*$/) { + my ($min_openssl_version, $val) = ($1, $3); + $expected_result = ($val eq "0" ? 0 : 1) if $mock_openssl_version >= $min_openssl_version; + } + # $expected_result = 1 if $server_name eq "Mock" && $title =~ m/- ok for Mock/; next LOOP if (!defined($expected_result) || ($expected_result ne 0 && $expected_result ne 1)); @fields = grep {$_ ne 'BLANK'} @fields[$description + 1 .. @fields - 1]; 
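Review bot: The version-gated expected-result parsing in load_tests compares `$mock_openssl_version >= $min_openssl_version` numerically although the pattern `(3(\.\d+)+)` admits values such as `3.4.1`, which Perl truncates to 3.4 with an "isn't numeric" warning; restricting the pattern to `3\.\d` to match what the harness can compare, or comparing split components, would align it with the intent. The commented-out `# $expected_result = 1 if ...` line and the `# && $mock_openssl_version < 3.x` placeholders in the plan count and the certstatus skip are dead text, and the certstatus skip still applies to every Mock run, so its message now names a version that does not influence the decision. load_tests and test_cmp_http_aspect continue outside the hunks.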
diff --git a/test/recipes/80-test_cmp_http_data/test.cnf b/test/recipes/80-test_cmp_http_data/test.cnf
index eb013bf0..ae3b02aa 100644
--- a/test/recipes/80-test_cmp_http_data/test.cnf
+++ b/test/recipes/80-test_cmp_http_data/test.cnf
@@ -119,6 +119,40 @@ sleep = 3 # A value of 3 appears to be just sufficient, with some exceptions handled # in 80-test_cmp_http.t, for preventing HTTP code 503 (Service Unavailable)
+[Simple] # for use with SimpleLra/RunLra.sh
+#no_check_time = 1 # not yet needed here
+#attime = 1564704000
+server_host = 127.0.0.1 # localhost
+server_port = 9080
+server_tls = 9085
+server_cert = server.crt
+server = $server_host:$server_port
+tls_cert = tls.p12
+tls_key = $tls_cert
+tls_keypass = pass:12345
+tls_trusted = tls_trusted.pem
+server_path = cmp/${ENV::EJBCA_PATH_RA}
+path = $server_path
+ca_dn = ${ENV::EJBCA_CMP_RECIPIENT}
+recipient = $ca_dn
+server_dn = $ca_dn # TODO was ${ENV::EJBCA_CMP_SERVER}
+expect_sender = $server_dn
+subject = ${ENV::EJBCA_CMP_SUBJECT} # TODO was ${ENV::EJBCA_CMP_SUBJECT_ECC}
+kur_port = 9083
+pbm_port = 9084
+pbm_ref =
+pbm_secret = pass:SecretCmp
+cert = signer.crt
+key = signer.p12
+keypass = pass:12345
+ignore_keyusage = 0
+unprotected_errors = 1 # EJBCA sends error messages and negative responses without protection
+crls = ${ENV::EJBCA_CDP_URL_PREFIX}${ENV::EJBCA_CDP2}${ENV::EJBCA_CDP_URL_POSTFIX_v11}, creds/crls/EJBCA-${ENV::EJBCA_CDP3}.crl, creds/crls/EJBCA-${ENV::EJBCA_CDP1}.crl
+cdps = ${ENV::EJBCA_CDP_URL_PREFIX}${ENV::EJBCA_CDP3}${ENV::EJBCA_CDP_URL_POSTFIX}, ${ENV::EJBCA_CDP_URL_PREFIX}${ENV::EJBCA_CDP1}${ENV::EJBCA_CDP_URL_POSTFIX}
+ocsp = ${ENV::EJBCA_OCSP_URL}
+column = 2
+sleep = 0
+ ############################# aspects [connection]
diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv
index 1556fe09..c956356e 100644
--- a/test/recipes/80-test_cmp_http_data/test_commands.csv
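Review bot: The new `[Simple]` section resolves `${ENV::EJBCA_PATH_RA}`, `${ENV::EJBCA_CMP_RECIPIENT}`, `${ENV::EJBCA_CMP_SUBJECT}` and the CDP/OCSP variables at config load time, so it is worth confirming that runs without those variables set (plain Mock runs) still load test.cnf, since OpenSSL's config parser rejects an unresolved `${ENV::...}` reference; if the existing `[EJBCA]` section already forces the harness to export placeholders, a comment saying so here would save the next reader the same check. The inline `# TODO was ${ENV::EJBCA_CMP_SERVER}` notes and the `EJBCA`-named CRL paths suggest the section was copied from `[EJBCA]`; a header comment stating which values are Simple-LRA specific and which are inherited would keep it maintainable. `unprotected_errors = 1` and the fixed `pass:12345` pass phrases are fixture settings and should be marked as test-only in a comment so the section is not reused as a template.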
+++ b/test/recipes/80-test_cmp_http_data/test_commands.csv 
@@ -67,40 +67,45 @@ TBD,TBD,TBD,TBD,config default all options set, -section,, -cmd,ir,, -cacertsout 1,0,-,1,genm with infotype signKeyPairTypes, -section,, -cmd,genm,,BLANK,,, -infotype,signKeyPairTypes,,BLANK,,BLANK, 0,*,*,*,genm with missing infotype value, -section,, -cmd,genm,,BLANK,,, -infotype,,,BLANK,,BLANK, 0,*,*,*,genm with invalid infotype value, -section,, -cmd,genm,,BLANK,,, -infotype,asdf,,BLANK,,BLANK, -Mock server must use OpenSSL 3.3 ,1,-,-,genm certReqTemplate - not with OpenSSL 1.1 , -section,, -cmd,genm,, -template,test.template.pem,, -infotype,certReqTemplate,,BLANK,,BLANK,,BLANK,,, -expect_sender, """" +3.4,1,-,-,genm certReqTemplate, -section,, -cmd,genm,, -template,test.template.pem,, -infotype,certReqTemplate,,BLANK,,BLANK,,BLANK,,, -expect_sender, """" 0,*,*,*,genm certReqTemplate missing template option, -section,, -cmd,genm,, -template,"""",, -infotype,certReqTemplate,,BLANK,,BLANK, 0,*,*,*,genm certReqTemplate missing template arg , -section,, -cmd,genm,, -template,BLANK,, -infotype,certReqTemplate,,BLANK,,BLANK, 0,*,*,*,genm certReqTemplate template extra arg , -section,, -cmd,genm,, -template,test.template.pem,test.template.pem, -infotype,certReqTemplate,,BLANK,,BLANK, -*,0,*,*,genm certReqTemplate template arg non-ex dir, -section,, -cmd,genm,, -template,idontexist/idontexist,, -infotype,certReqTemplate,,BLANK,,BLANK, -Mock server must use OpenSSL 3.2 ,1,-,-,genm caCerts - not with OpenSSL 1.1 , -section,, -cmd,genm,, -cacertsout,test.cacertsout.pem,, -infotype,caCerts,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN +3.4 0,*,*,*,genm certReqTemplate template arg non-ex dir, -section,, -cmd,genm,, -template,idontexist/idontexist,, -infotype,certReqTemplate,,BLANK,,BLANK, +3.2,1,-,-,genm caCerts , -section,, -cmd,genm,, -cacertsout,test.cacertsout.pem,, -infotype,caCerts,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN 0,*,*,*,genm caCerts missing cacertsout option, -section,, -cmd,genm,, -cacertsout,"""",, 
-infotype,caCerts,,BLANK,,BLANK, 0,*,*,*,genm caCerts missing cacertsout arg , -section,, -cmd,genm,, -cacertsout,BLANK,, -infotype,caCerts,,BLANK,,BLANK, 0,*,*,*,genm caCerts cacertsout extra arg , -section,, -cmd,genm,, -cacertsout,test.cacertsout.pem,test.cacertsout.pem, -infotype,caCerts,,BLANK,,BLANK, 0,*,*,*,genm caCerts cacertsout arg non-ex dir, -section,, -cmd,genm,, -cacertsout,idontexist/idontexist,, -infotype,caCerts,,BLANK,,BLANK, --,1,-,-,genm rootCaCert , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem -0,*,*,*,genm rootCaCert no oldwithold given , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, BLANK , , -newwithnew, test.newwithnew.pem +3.2,1,-,-,genm rootCaCert , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem +3.2,*,*,*,genm rootCaCert no oldwithold given , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, BLANK , , -newwithnew, test.newwithnew.pem 0,*,*,*,genm rootCaCert oldwithold missing arg, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, , -newwithnew, test.newwithnew.pem 0,*,*,*,genm rootCaCert oldwithold empty file , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, empty.txt , -newwithnew, test.newwithnew.pem 0,*,*,*,genm rootCaCert oldwithold random file, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, random.bin , -newwithnew, test.newwithnew.pem 0,*,*,*,genm rootCaCert oldwithold nonexistent, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, 
-oldwithold, idontexist , -newwithnew, test.newwithnew.pem -0,*,*,*,genm rootCaCert oldwithold no match , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, signer.crt , -newwithnew, test.newwithnew.pem +3.2,*,*,*,genm rootCaCert oldwithold different , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, signer.crt , -newwithnew, test.newwithnew.pem 0,*,*,*,genm rootCaCert missing newwithnew , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, BLANK,, 0,*,*,*,genm rootCaCert newwithnew missing arg, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew,, 0,*,*,*,genm rootCaCert newwithnew directory , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew,directory/, --,1,-,-,genm rootCaCert with oldwithnew , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem +3.2,1,-,-,genm rootCaCert with oldwithnew , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem 0,*,*,*,genm rootCaCert oldwithnew missing arg, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew,, 0,*,*,*,genm rootCaCert oldwithnew directory , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, 
-oldwithnew,/directory, --,1,-,-,genm rootCaCert with newwithold , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem, -newwithold, test.newwithold.pem +3.2,1,-,-,genm rootCaCert with newwithold , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem, -newwithold, test.newwithold.pem 0,*,*,*,genm rootCaCert newwithold missig arg , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem, -newwithold,, 0,*,*,*,genm rootCaCert newwithold directory , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem, -newwithold,/directory, --,1,-,-,genm rootCaCert oldwithnew newwithold , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -newwithold, test.newwithold.pem --,1,-,-,genm crlStatusList , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, crl.der , -crlout, test.crl.der --,1,-,-,genm crlStatusList with oldcert , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcert, root.crt , -crlout, test.crl.der -0,*,*,*,genm crlStatusList missing oldcrl , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, BLANK, , -crlout, test.crl.der +3.2,1,-,-,genm rootCaCert oldwithnew newwithold,-section,, -cmd,genm,, BLANK,,, 
-infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -newwithold, test.newwithold.pem
+3.4,1,-,-,genm crlStatusList , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, crl.der , -crlout, test.crl.der
+3.4,1,-,-,genm crlStatusList with crlcert , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -crlcert, root.crt , -crlout, test.crl.der
+3.4,1,-,-,genm crlStatusList with oldcert , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcert, root.crt , -crlout, test.crl.der
+0,*,*,*,genm crlStatusList missing oldcrl crlcert oldcert , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, BLANK, , -crlout, test.crl.der
 0,*,*,*,genm crlStatusList oldcrl missing arg, -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, , -crlout, test.crl.der
 0,*,*,*,genm crlStatusList oldcrl empty file , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, empty.txt , -crlout, test.crl.der
 0,*,*,*,genm crlStatusList oldcrl random file, -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, random.bin, -crlout, test.crl.der
 0,*,*,*,genm crlStatusList oldcrl nonexistent, -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, idontexist, -crlout, test.crl.der
+0,*,*,*,genm crlStatusList crlcert missing arg, -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -crlcert, , -crlout, test.crl.der
+0,*,*,*,genm crlStatusList crlcert empty file , -section,,-cmd,genm,, 
BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -crlcert, empty.txt , -crlout, test.crl.der
+0,*,*,*,genm crlStatusList crlcert random file, -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -crlcert, random.bin, -crlout, test.crl.der
+0,*,*,*,genm crlStatusList crlcert nonexistent, -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -crlcert, idontexist, -crlout, test.crl.der
 TBD,*,*,*,genm crlStatusList oldcrl wrong , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, wrong.crl , -crlout, test.crl.der
 0,*,*,*,genm crlStatusList missing crlout , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, oldcrl.pem, BLANK,,
 0,*,*,*,genm crlStatusList crlout missing arg, -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, oldcrl.pem, -crlout,,
@@ -130,3 +135,5 @@ TBD,TBD,TBD,TBD,find invalid geninfo values, -section,, -cmd,cr,, -cert,signer.c
 1,1,1,TBD,reqin new tid just ir, -section,, -cmd,ir,,,,,,,,,,,,,,,-reqin,ir.der,,-reqin_new_tid
 0,0,0,0,reqin wrong req, -section,, -cmd,ir,,,,,,,,,,,,,,,-reqin,cr.der certConf.der,,BLANK
 1,1,1,1,rspin , -section,, -cmd,ir,,,,,,,,,,,,,,,-rspin,ip.der pkiConf.der
+1,1,1,1,reqout_only ir, -section,, -cmd,ir,,,,,,,,,,,,,,,-reqout_only,ir2.der,-server,""""
+0,0,0,0,reqout_only non-existing directory and file, -section,, -cmd,ir,,,,,,,,,,,,,,,-reqout_only,idontexist/idontexist,-server,""""
diff --git a/test/recipes/80-test_cmp_http_data/test_enrollment.csv b/test/recipes/80-test_cmp_http_data/test_enrollment.csv
index fd4f170e..ec0619a4 100644
--- a/test/recipes/80-test_cmp_http_data/test_enrollment.csv
+++ b/test/recipes/80-test_cmp_http_data/test_enrollment.csv
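Review bot: The added `reqout_only ir` row pins only a successful exit status; nothing checks that `ir2.der` was actually written, so a build in which `-reqout_only` returns success without writing the request would still pass. If rows are executed in file order (the file's layout suggests so, but the hunk does not show it), a follow-up row that consumes the file the same way the existing `reqin new tid just ir` line does, `1,1,1,TBD,reqout_only ir reread, -section,, -cmd,ir,,,,,,,,,,,,,,,-reqin,ir2.der,,-reqin_new_tid`, would pin that the file exists and parses as a request. Both new rows pass `-server,""""`, whose effective value depends on how the harness unescapes quoted fields, while the rest of this file expresses an absent option as `BLANK`; since CSV has no comment syntax, stating the intent in the description column, e.g. `reqout_only ir (dummy -server, no connection expected)`, would keep the next reader from taking the quotes for a typo.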
@@ -103,7 +103,7 @@ TBD,TBD,TBD,TBD,days 36525, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pa
 0,*,*,*,out_trusted is non-existing file, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.cert.pem,, -out_trusted,idontexist,,BLANK,,BLANK,,,
 0,*,*,*,out_trusted too many parameters, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.cert.pem,, -out_trusted,abc,def,BLANK,,BLANK,,,
 0,*,*,*,out_trusted empty certificate file, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.cert.pem,, -out_trusted,empty.txt,,BLANK,,BLANK,,,
-1,1,1,1,out_trusted accept issuing ca cert even with CRL check enabled by default - not with OpenSSL 1.1, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.certout_out_trusted5.pem,, -out_trusted,issuing.crt,,BLANK,,BLANK,,,-partial_chain,-check_all,-crls,wrong.crl,-srvcert,server.crt
+1,1,1,1,out_trusted accept issuing ca cert even with CRL check enabled by default, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.certout_out_trusted5.pem,, -out_trusted,issuing.crt,,BLANK,,BLANK,,,-partial_chain,-check_all,-crls,wrong.crl,-srvcert,server.crt
 0,0,0,0,out_trusted expired issuing ca cert, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.certout_out_trusted5.pem,, -out_trusted,issuing_expired.crt,,BLANK,,BLANK,,,-partial_chain
 0,0,0,0,out_trusted expired root ca cert, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.certout_out_trusted5.pem,, -out_trusted,root_expired.crt,,BLANK,,BLANK,,, 
0,0,0,0,out_trusted wrong cert, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.cert.pem,, -out_trusted,signer.crt,,BLANK,,BLANK,,,
diff --git a/util/shlib_wrap.sh b/util/shlib_wrap.sh
index 028fa183..b343b12e 100755
--- a/util/shlib_wrap.sh
+++ b/util/shlib_wrap.sh
@@ -1,7 +1,8 @@
 #!/bin/sh
 #dummy implementation of shlib_wrap.sh
-LD_LIBRARY_PATH=../../../..:../../../../securityUtilities:../../../../..:../../../../../securityUtilities
+export LD_LIBRARY_PATH=../../../..
+export DYLD_LIBRARY_PATH=../../../..
 cmd="$1"; [ -x "$cmd" ] || cmd="$cmd${EXE_EXT}"
 shift