From f6f1428f3b2a786fcd8a73c3949175df13cb0444 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Fri, 29 Nov 2024 17:51:01 +0100
Subject: [PATCH 01/17] README.md: add info on CMP feature coverage and libcmp hints; few fixes
---
 README.md | 52 ++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 40 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index 8c38c3e..12c0d4e 100644
--- a/README.md
+++ b/README.md
@@ -18,20 +18,24 @@ and the [Lightweight CMP Profile (LCMPP)](https://www.rfc-editor.org/rfc/rfc9483 To this end, it may be linked in addition to the intermediate CMP library [CMPforOpenSSL](https://github.com/mpeylo/cmpossl), called `libcmp` below. -The high-level API is on the one hand convenient to use for application -programmers and on the other hand complete and flexible enough -to cover the major certificate management use cases. The library supports developing CMP clients that adhere to the [Lightweight CMP Profile (LCMPP)](https://www.rfc-editor.org/rfc/rfc9483), which is geared towards simple and interoperable industrial use. -The software also provides a command-line interface (CLI) -that is handy for interactive exploration of using CMP in a PKI. +The [high-level API](doc/Generic_CMP_client_API.pdf) +is convenient to use for application programmers +while being sufficiently complete and flexible +to cover all major certificate management use cases. + +The software also provides a command-line interface (CLI) that is handy +for demonstrating and interactively exploring the use of CMP in a PKI.\ +Yet interfacing at API level is more direct and secure for productive use. Note: An OSS CMP client and registration authority (RA) implementation in Java is available in the form of a [generic CMP RA and client component](https://github.com/siemens/cmp-ra-component) -and the [LightweightCmpRa](), which is a demo CLI application using it. +and the [LightweightCmpRa](https://github.com/siemens/LightweightCmpRa), +which is a demo application making use of the component. ## Support model 
@@ -103,14 +107,38 @@ The following OSS components are used. or if the latest CMP features not yet available in OpenSSL are required, which can be indicated by setting the environment variable `USE_LIBCMP`. +For an overview of CMP features relevant in industrial use cases see +[LCMPP section 7.1](https://datatracker.ietf.org/doc/html/rfc9483#section-7.1). +CMP client (EE) features are supported by the genCMPClient as follows. +* CMPv2 features defined in [RFC 4210](https://www.rfc-editor.org/rfc/rfc4210) + are sufficiently covered by using OpenSSL 3.0.\ + This includes most of the + "Generic Aspects of PKI Messages and PKI Management Operations", + IR, CR, KUR, P10CR, MAC, RR, and polling for certification responses. +* In OpenSSL 3.2, "Get CA Certificates" and "Get Root CA Certificate Update" + were added. +* In OpenSSL 3.3, "Get Certificate Request Template" and support for certificate + profiles and generalized polling ("Handling Delayed Delivery") were added. +* In OpenSSL 3.4, "CRL Update Retrieval" was added. +* In OpenSSL 3.5, support for central key generation is going to be added. + +The features newly defined with CMPv3 +in [RFC 9480 (CMP Updates)](https://www.rfc-editor.org/rfc/rfc9480) +are fully covered by the [intermediate CMP library `libcmp`]( +https://github.com/mpeylo/cmpossl) and will be covered by OpenSSL 3.5.\ +Since the intermediate CMP library `libcmp` constitutes an extra dependency +and its maintenance will likely end soon after the release of OpenSSL 3.5, +better avoid using it. This is possible if all the CMP features needed +by the application scenario are covered by the OpenSSL version being used. + Hint: As long as your system provides at least OpenSSL 3.0 and related development header files at a sufficiently new patch level, better not manually install in addition a different OpenSSL version unless you need newer CMP features without using the intermediate CMP library `libcmp`. 
-Such a manual installation can interfere with the more or less implicit -references to the locations of OpenSSL header files and binary library files. -So unless you know exactly what you are doing, you may receive -version mismatch errors like the one mentioned [below](#sanity-checks-on-openssl). +Such an extra installation can interfere with the more or less implicit references +to the default locations of OpenSSL header files and binary library files. +So unless knowing exactly what to do and being careful, one may receive version +mismatch errors like the one mentioned [below](#sanity-checks-on-openssl). @@ -519,8 +547,8 @@ SPDX-License-Identifier: Apache-2.0 +B<-srvcert> and B<-crlcert> options. +If not given here, the password will be prompted for if needed. + =back =head2 Client authentication options diff --git a/include/genericCMPClient.h b/include/genericCMPClient.h index afd16f3..2277ce8 100644 --- a/include/genericCMPClient.h +++ b/include/genericCMPClient.h @@ -30,7 +30,6 @@ extern "C" { # include /* for abbreviation and backward compatibility: */ typedef OSSL_CMP_CTX CMP_CTX; -/* typedef OSSL_CMP_severity severity; already defined by libsecutils */ # if OPENSSL_VERSION_NUMBER < 0x30000080L # define OSSL_CMP_PKISTATUS_request -3 @@ -231,6 +230,8 @@ CMP_err CMPclient_rootCaCert(CMP_CTX *ctx, const X509 *oldWithOld, X509 **newWithNew, OPTIONAL X509 **newWithOld, OPTIONAL X509 **oldWithNew); +# endif +# if OPENSSL_VERSION_NUMBER > 0x30400000L || defined(USE_LIBCMP) /* get latest CRL according to cert DPN/issuer or get any update on given CRL */ CMP_err CMPclient_crlUpdate(CMP_CTX *ctx, OPTIONAL const X509 *cert, OPTIONAL const X509_CRL *last_crl, X509_CRL **crl); @@ -282,7 +283,7 @@ SSL_CTX *TLS_new(OPTIONAL const X509_STORE *truststore, OPTIONAL const CREDENTIALS *creds, OPTIONAL const char *ciphers, int security_level); void TLS_free(OPTIONAL SSL_CTX *tls); -# endif +# endif /* X509_EXTENSIONS helpers */ # ifdef LOCAL_DEFS 
diff --git a/src/cmpClient.c b/src/cmpClient.c index 60822ef..7d94969 100644 --- a/src/cmpClient.c +++ b/src/cmpClient.c @@ -75,10 +75,10 @@ const char *opt_recipient; const char *opt_expect_sender; bool opt_ignore_keyusage; bool opt_unprotected_errors; -#if OPENSSL_VERSION_NUMBER >= 0x30300000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30300000L || defined(USE_LIBCMP) bool opt_no_cache_extracerts; #endif -#if OPENSSL_VERSION_NUMBER >= 0x30200000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) const char *opt_srvcertout; #endif const char *opt_extracertsout; @@ -92,9 +92,12 @@ const char *opt_newwithnew; const char *opt_newwithold; const char *opt_oldwithnew; const char *opt_template; +const char *opt_crlcert; const char *opt_oldcrl; const char *opt_crlout; +const char *opt_otherpass = NULL; + /* client authentication */ const char *opt_ref; const char *opt_secret; @@ -140,7 +143,7 @@ const char *opt_chainout; const char *opt_oldcert; long opt_revreason; const char *opt_issuer; -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) char *opt_serial; #endif 
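Review bot: `const char *opt_otherpass = NULL;` in the option-variable run is the only declaration there with an explicit initializer; a file-scope object is zero-initialized anyway, so drop the `= NULL` (and the stray blank line after it) to match `opt_crlcert` and the neighbouring `opt_*` declarations: `const char *opt_otherpass;`. The `>=` to `>` change on the `0x30300000L`/`0x30200000L` guards, as far as I can tell from OpenSSL's version encoding, only excludes the pre-release build number of 3.3.0/3.2.0 and lines up with the existing `> 0x30200000L` guard on `opt_serial`, so it looks intentional; a one-line comment at the first such guard, `/* '>' rather than '>=' so that only released versions qualify */`, would save the next reader from re-deriving that.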
@@ -198,26 +201,27 @@ opt_t cmp_opts[] = { { "cmd", OPT_TXT, {.txt = NULL}, { &opt_cmd }, "CMP request to send: ir/cr/p10cr/kur/rr/genm. Overrides 'use_case' if given"}, { "infotype", OPT_TXT, {.txt = NULL}, { &opt_infotype }, - "InfoType name for requesting specific info in genm, " -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP - "with specific support" -#else - "e.g., C" + "InfoType name for requesting info in genm, e.g., C" +#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) + ", with specific" #endif }, -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP - OPT_MORE("for 'caCerts' and 'rootCaCert'"), -#endif -#if OPENSSL_VERSION_NUMBER > 0x30300000L || defined USE_LIBCMP - OPT_MORE("for 'caCerts', 'rootCaCert', 'certReqTemplate', and 'crlStatusList'"), +#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) + OPT_MORE("support for 'caCerts', 'rootCaCert'" +# if OPENSSL_VERSION_NUMBER > 0x30400000L || defined(USE_LIBCMP) + ", 'certReqTemplate', and 'crlStatusList'" +# endif + ), #endif { "profile", OPT_TXT, {.txt = NULL}, { &opt_profile }, "Cert profile name to place in generalInfo field of PKIHeader of requests"}, { "geninfo", OPT_TXT, {.txt = NULL}, { (const char **)&opt_geninfo }, "Comma-separated list of OID and value to place in generalInfo PKIHeader"}, OPT_MORE("of form :int: or :str:, e.g. \'1.2.3.4:int:56789, id-kp:str:name'"), +#if OPENSSL_VERSION_NUMBER > 0x30400000L || defined(USE_LIBCMP) { "template", OPT_TXT, {.txt = NULL}, { &opt_template }, "File to save certTemplate received in genp of type certReqTemplate"}, +#endif OPT_HEADER("Certificate enrollment"), { "newkeytype", OPT_TXT, {.txt = NULL}, { &opt_newkeytype }, 
@@ -281,14 +285,14 @@ opt_t cmp_opts[] = { OPT_MORE("Values: 0..6, 8..10 (see RFC5280, 5.3.1) or -1. Default -1 = none included"), { "issuer", OPT_TXT, {.txt = NULL}, { &opt_issuer }, "DN of the issuer to place in the certificate template of ir/cr/kur" -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) "/rr" #else "" #endif ";"}, OPT_MORE("also used as recipient if neither -recipient nor -srvcert are given"), -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) { "serial", OPT_TXT, {.txt = NULL}, {(const char **) &opt_serial}, "Serial number of certificate to be revoked in revocation request (rr)"}, #endif @@ -336,12 +340,12 @@ opt_t cmp_opts[] = { { (const char **) &opt_unprotected_errors }, "Accept missing or invalid protection of regular error messages and negative"}, OPT_MORE("certificate responses (ip/cp/kup), revocation responses (rp), and PKIConf"), -#if OPENSSL_VERSION_NUMBER >= 0x30300000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30300000L || defined(USE_LIBCMP) { "no_cache_extracerts", OPT_BOOL, {.bit = false}, { (const char **) &opt_no_cache_extracerts }, "Do not keep certificates received in the extraCerts CMP message field"}, #endif -#if OPENSSL_VERSION_NUMBER >= 0x30200000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) { "srvcertout", OPT_TXT, {.txt = NULL}, { &opt_srvcertout }, "File to save server cert used and validated for CMP response protection"}, #endif 
@@ -367,10 +371,14 @@ opt_t cmp_opts[] = { "File to save NewWithOld cert received in genp of type rootCaKeyUpdate"}, { "oldwithnew", OPT_TXT, {.txt = NULL}, { &opt_oldwithnew }, "File to save OldWithNew cert received in genp of type rootCaKeyUpdate"}, + { "crlcert", OPT_TXT, {.txt = NULL}, { &opt_crlcert }, + "cert to take CRL source data from for genm of type crlStatusList"}, { "oldcrl", OPT_TXT, {.txt = NULL}, { &opt_oldcrl }, - "CRL to request update for in genm of type crlStatusList"}, + "CRL to obtain an update for in genm of type crlStatusList"}, { "crlout", OPT_TXT, {.txt = NULL}, { &opt_crlout }, "File to save new CRL received in genp of type 'crls'"}, + { "otherpass", OPT_TXT, {.txt = NULL}, { &opt_otherpass }, + "Pass phrase source potentially needed for loading certificates of others"}, OPT_HEADER("Client authentication and protection"), { "ref", OPT_TXT, {.txt = NULL}, { &opt_ref }, @@ -801,7 +809,7 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx, * Except for first request, need to satisfy recipNonce check by server. * Unfortunately requires re-protection if the request was protected. */ -#if OPENSSL_VERSION_NUMBER >= 0x30000090L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER >= 0x30000090L || defined(USE_LIBCMP) if (!OSSL_CMP_MSG_update_recipNonce(ctx, req_new)) goto err; #endif 
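Review bot: The help text for the new `-otherpass` option says "Pass phrase source" but does not say which source forms are accepted, and nothing warns that a pass phrase given literally on the command line is readable by other users of the host for as long as the process runs. If `CERT_load` follows the OpenSSL `pass:`/`file:`/`env:` convention (the pod hunk earlier in this commit only says it will be prompted for if omitted), say so and steer users to the non-literal forms: `"Pass phrase source (prefer file:/env: form) for loading certificates of others; prompted for if omitted"`. Separately, the `-crlcert` description starts lowercase, `"cert to take ..."`, unlike every neighbouring entry; `"Cert to take CRL source data from for genm of type crlStatusList"` keeps the table consistent. The `cmp_opts[]` initializer starts and ends outside the hunk.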
@@ -1044,8 +1052,8 @@ static int setup_ctx(CMP_CTX *ctx) /* set option flags directly via CMP API */ if (!OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_ERRORS, opt_unprotected_errors ? 1 : 0) -#if OPENSSL_VERSION_NUMBER >= 0x30300000L || defined USE_LIBCMP - || (opt_no_cache_extracerts && // TODO remove this condition, which is just a workaround for wrong variant of OSSL_CMP_CTX_set_option() being called +#if OPENSSL_VERSION_NUMBER > 0x30300000L || defined(USE_LIBCMP) + || (opt_no_cache_extracerts && /* TODO remove this condition, which is just a workaround for wrong variant of OSSL_CMP_CTX_set_option() being called */ !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_NO_CACHE_EXTRACERTS, opt_no_cache_extracerts ? 1 : 0)) #endif @@ -1065,7 +1073,7 @@ static int setup_ctx(CMP_CTX *ctx) } if (opt_profile != NULL) { -#if OPENSSL_VERSION_NUMBER >= 0x30300000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30300000L || defined(USE_LIBCMP) err = CMPclient_add_certProfile(ctx, opt_profile); #else LOG_err("-profile option is not supported for OpenSSL < 3.3"); @@ -1214,7 +1222,7 @@ static CMP_err prepare_CMP_client(CMP_CTX **pctx, enum use_case use_case, goto err; if (opt_srvcert != NULL) { - X509 *srvcert = CERT_load(opt_srvcert, NULL /* pass */, + X509 *srvcert = CERT_load(opt_srvcert, opt_otherpass, "directly trusted CMP server certificate", -1 /* no type check */, vpm); @@ -1308,8 +1316,9 @@ static int setup_transfer(CMP_CTX *ctx) && opt_tls_host == NULL) { if (opt_tls_used) LOG_warn("-tls_used given without any other TLS options"); - } else if (!opt_tls_used) { - LOG_warn("TLS options(s) are ignored since -tls_used is not given"); + } else { + if (!opt_tls_used) + LOG_warn("TLS options(s) are ignored since -tls_used is not given"); } SSL_CTX *tls = NULL; 
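Review bot: In setup_transfer the rewrite `} else { if (!opt_tls_used) LOG_warn(...); }` replaces a flat `else if` with a nested block that only adds an indentation level around a single statement; unless a formatter rule in this project rejects `else if`, keep `} else if (!opt_tls_used) {` (the same pattern is introduced in main() for the `validate` use case later in this commit). The `CERT_load(opt_srvcert, opt_otherpass, ...)` change is the right fix for an encrypted `-srvcert` input; a short comment there, `/* -otherpass covers -srvcert as well as -crlcert */`, would tie the two call sites together. prepare_CMP_client and setup_transfer both continue outside the hunk.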
@@ -1488,8 +1497,8 @@ static int add_object(unsigned char *data, int len, int nid, const char *name) static int complete_genm_asn1_objects(void) { #if OPENSSL_VERSION_NUMBER >= 0x30000000L -# define ASN1_OID_IT 0x2B,0x06,0x01,0x05,0x05,0x07,0x04 -# define ASN1_OID_REGCTRL 0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01 +# define ASN1_OID_IT 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x04 +# define ASN1_OID_REGCTRL 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x05, 0x01 # if OPENSSL_VERSION_NUMBER < 0x30200000L /* were added by OpenSSL commit 34959f7a2256eadd23d56f0efe855be7fde282b2 */ static unsigned char so_rootCaCert[] = { ASN1_OID_IT, 20 }; @@ -1545,14 +1554,9 @@ static CMP_err check_options(enum use_case use_case) opt_centralkeygen = true; if (opt_infotype == NULL) { -#if 0 - if (use_case == genm) { - LOG_err("no -infotype option given for genm"); - return -51; - } -#else + if (use_case == genm) + LOG_warn("no -infotype option given for genm"); opt_infotype = ""; -#endif } else if (use_case != genm) { LOG_warn("-infotype option is ignored for commands other than 'genm'"); } else { 
@@ -1561,16 +1565,16 @@ static CMP_err check_options(enum use_case use_case) strncat(id_buf, opt_infotype, sizeof(id_buf) - strlen(id_buf) - 1); if ((infotype = OBJ_sn2nid(id_buf)) == NID_undef) { LOG(FL_ERR, "Unknown OID name '%s' in -infotype option", id_buf); -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER <= 0x30200000L && !defined(USE_LIBCMP) if (strcmp(opt_infotype, "caCerts") == 0 - || strcmp(opt_infotype, "certReqTemplate") == 0) - LOG(FL_INFO, "infoType %s is not supported for OpenSSL < 3.0", + || strcmp(opt_infotype, "rootCaCert") == 0) + LOG(FL_INFO, "infoType %s is not supported for OpenSSL < 3.2", opt_infotype); #endif -#if OPENSSL_VERSION_NUMBER < 0x30200000L && OPENSSL_VERSION_NUMBER < 0x30000000L - if (strcmp(opt_infotype, "rootCaCert") == 0 +#if OPENSSL_VERSION_NUMBER <= 0x30400000L && !defined(USE_LIBCMP) + if (strcmp(opt_infotype, "certReqTemplate") == 0 || strcmp(opt_infotype, "crlStatusList") == 0) - LOG(FL_INFO, "infoType %s is not supported for OpenSSL < 3.0", + LOG(FL_INFO, "infoType %s is not supported for OpenSSL < 3.4", opt_infotype); #endif return -30; @@ -1597,6 +1601,8 @@ static CMP_err check_options(enum use_case use_case) if (use_case != genm || strcmp(opt_infotype, "crlStatusList") != 0) { const char *msg = "option is ignored unless -cmd 'genm' and -infotype 'crlStatusList' is given"; + if (opt_crlcert != NULL) + LOG(FL_WARN, "-crlcert %s", msg); if (opt_oldcrl != NULL) LOG(FL_WARN, "-oldcrl %s", msg); } 
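Review bot: The new guard `#if OPENSSL_VERSION_NUMBER <= 0x30400000L && !defined(USE_LIBCMP)` and its message `"infoType %s is not supported for OpenSSL < 3.4"` treat `certReqTemplate` as a 3.4 feature, as do the `> 0x30400000L` guards on `-template`, `save_template` and the `-infotype` help text elsewhere in this commit, but the README hunk in the same commit lists "Get Certificate Request Template" under OpenSSL 3.3 and only "CRL Update Retrieval" under 3.4. One of the two is wrong; from the code the README line looks like the one to fix, but please confirm against the OpenSSL release notes before changing either. check_options continues outside the hunk.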
@@ -1629,15 +1635,14 @@ static CMP_err check_options(enum use_case use_case) return -34; } - if (opt_check_all && opt_check_any) { + if (opt_check_all && opt_check_any) LOG_warn("-check_all overrides -check_any"); - } if (use_case == pkcs10 && opt_csr == NULL) { LOG_err("-csr option is missing for command 'p10cr'"); return -35; } -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) if (use_case == revocation) { if (opt_issuer == NULL && opt_serial == NULL) { if (opt_oldcert == NULL && opt_csr == NULL) { @@ -1647,7 +1652,7 @@ static CMP_err check_options(enum use_case use_case) if (opt_oldcert != NULL && opt_csr != NULL) LOG_warn("Ignoring -csr since -oldcert is given for command 'rr' (revocation)"); } else { -#define OSSL_CMP_RR_MSG "since -issuer and -serial is given for command 'rr'" +# define OSSL_CMP_RR_MSG "since -issuer and -serial is given for command 'rr'" if (opt_issuer == NULL || opt_serial == NULL) { LOG_err("Must give both -issuer and -serial options or neither"); return -73; @@ -1700,13 +1705,11 @@ static CMP_err check_options(enum use_case use_case) return -23; } /* TODO check range of remaining numerical options */ - if ((crl_check || ocsp_check) && opt_trusted == NULL) { + if ((crl_check || ocsp_check) && opt_trusted == NULL) LOG_warn("Certificate status checks are enabled without providing the -trusted option"); - } if ((crl_check || ocsp_check || opt_stapling) && opt_tls_used - && opt_tls_trusted == NULL) { + && opt_tls_trusted == NULL) LOG_warn("Cannot do TLS certificate status checks without -tls_trusted option"); - } if ((opt_check_all || opt_check_any) && !crl_check && !ocsp_check) { LOG_err("-check_all or -check_any is given without any option enabling use of CRLs or OCSP"); return -37; 
@@ -1715,9 +1718,8 @@ static CMP_err check_options(enum use_case use_case) LOG_err("-ocsp_last is given without -ocsp or -use_aia enabling OCSP-based cert status checking"); return -38; } - if (opt_stapling && !opt_tls_used) { + if (opt_stapling && !opt_tls_used) LOG_warn("-stapling option is given without -tls_used"); - } #ifdef OPENSSL_NO_OCSP if (ocsp_check || opt_stapling) LOG_warn("OCSP may be not supported by the OpenSSL build used by the SecUtils"); @@ -1882,7 +1884,7 @@ static CMP_err check_template_options(CMP_CTX *ctx, EVP_PKEY **new_pkey, return -48; } } -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) if (use_case == revocation) { if (set_name(opt_issuer, OSSL_CMP_CTX_set1_issuer, ctx, "issuer") != CMP_OK) return -70; @@ -1906,7 +1908,7 @@ static CMP_err check_template_options(CMP_CTX *ctx, EVP_PKEY **new_pkey, return CMP_OK; } -#if OPENSSL_VERSION_NUMBER >= 0x30200000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) static int delete_file(const char *file, const char *desc) { if (file == NULL) @@ -2014,14 +2016,12 @@ static CMP_err save_credentials(CMP_CTX *ctx, CREDENTIALS *new_creds, STACK_OF(X509) *certs = CREDENTIALS_get_chain(new_creds); if (opt_chainout != NULL && strcmp(opt_chainout, opt_certout) != 0) { - if (!CERT_save(cert, opt_certout, "newly enrolled certificate")) { + if (!CERT_save(cert, opt_certout, "newly enrolled certificate")) return CMP_R_STORE_CREDS; - } if (opt_chainout != NULL && CERTS_save(certs, opt_chainout, - "chain of newly enrolled certificate") < 0) { + "chain of newly enrolled certificate") < 0) return CMP_R_STORE_CREDS; - } } else { if (!FILES_store_credentials(NULL /* key */, cert, certs, NULL, opt_certout, FORMAT_PEM, NULL, 
@@ -2062,7 +2062,7 @@ static int print_itavs(const STACK_OF(OSSL_CMP_ITAV) *itavs) return ret; } -#if OPENSSL_VERSION_NUMBER > 0x30400000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30400000L || defined(USE_LIBCMP) static int save_template(const char *file, const OSSL_CRMF_CERTTEMPLATE *tmpl) { BIO *bio = BIO_new_file(file, "wb"); @@ -2102,7 +2102,7 @@ static CMP_err do_genm(CMP_CTX *ctx, X509 *oldcert) CMP_err err; switch (infotype) { -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) case NID_id_it_caCerts: if (opt_cacertsout == NULL) { LOG(FL_ERR, "Missing -cacertsout option for -infotype caCerts"); @@ -2124,8 +2124,7 @@ static CMP_err do_genm(CMP_CTX *ctx, X509 *oldcert) } CERTS_free(cacerts); return err; -#endif -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP + case NID_id_it_rootCaCert: if (opt_newwithnew == NULL) { LOG(FL_ERR, "Missing -newwithnew option for -infotype rootCaCert"); @@ -2170,12 +2169,12 @@ static CMP_err do_genm(CMP_CTX *ctx, X509 *oldcert) X509_free(oldwithold); return err; } -#endif +#endif /* OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) */ -#if OPENSSL_VERSION_NUMBER > 0x30400000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30400000L || defined(USE_LIBCMP) case NID_id_it_crlStatusList: - if (opt_oldcrl == NULL && opt_oldcert == NULL) { - LOG(FL_ERR, "Missing -oldcrl and no -oldcert given for -infotype crlStatusList"); + if (opt_oldcrl == NULL && opt_crlcert == NULL && opt_oldcert == NULL) { + LOG(FL_ERR, "Missing -oldcrl and no -crlcert nor -oldcert given for -infotype crlStatusList"); return -62; } if (opt_crlout == NULL) { 
@@ -2183,18 +2182,29 @@ static CMP_err do_genm(CMP_CTX *ctx, X509 *oldcert) return -63; } { + X509 *crlcert = NULL; X509_CRL *oldcrl = NULL, *crl = NULL; + err = -51; + if (opt_crlcert != NULL) { + crlcert = CERT_load(opt_crlcert, opt_otherpass, + "Cert for genm with -infotype crlStatusList", + -1 /* no type check */, vpm); + if (crlcert == NULL) + goto end_crlupd; + } err = -64; if (opt_oldcrl == NULL) { - LOG(FL_WARN, "No -oldcrl given, will use data from -oldcert"); + if (opt_crlcert == NULL) + LOG(FL_WARN, "No -oldcrl nor -crlcert given, will use data from -oldcert"); } else { oldcrl = CRL_load(opt_oldcrl, (int)opt_crls_timeout, "CRL for genm with -infotype crlStatusList"); if (oldcrl == NULL) goto end_crlupd; } - err = CMPclient_crlUpdate(ctx, oldcert, oldcrl, &crl); + err = CMPclient_crlUpdate(ctx, crlcert != NULL ? crlcert : oldcert, + oldcrl, &crl); if (err != CMP_OK) goto end_crlupd; @@ -2203,12 +2213,14 @@ static CMP_err do_genm(CMP_CTX *ctx, X509 *oldcert) LOG_info("no CRL update available"); if (!delete_file(opt_crlout, desc)) err = -65; - } else if (!FILES_store_crl(crl, opt_crlout, FORMAT_ASN1, desc)) { - err = -66; + } else { + if (!FILES_store_crl(crl, opt_crlout, FORMAT_ASN1, desc)) + err = -66; } end_crlupd: X509_CRL_free(oldcrl); X509_CRL_free(crl); + X509_free(crlcert); return err; } @@ -2294,7 +2306,7 @@ static CMP_err do_genm(CMP_CTX *ctx, X509 *oldcert) case -1: err = oldcert == NULL ? 0 : 0; return err; -#endif +#endif /* OPENSSL_VERSION_NUMBER > 0x30400000L || defined(USE_LIBCMP) */ default: if (infotype != NID_undef) { @@ -2305,7 +2317,7 @@ static CMP_err do_genm(CMP_CTX *ctx, X509 *oldcert) opt_infotype, OpenSSL_version_num()); if (req == NULL || !OSSL_CMP_CTX_push0_genm_ITAV(ctx, req)) { LOG(FL_ERR, "Failed to create genm for -infotype %s", - opt_infotype); + opt_infotype); return -24; } } 
@@ -2414,7 +2426,7 @@ static int CMPclient(enum use_case use_case, OPTIONAL LOG_cb_t log_fn) string != NULL ? string : ""); } -#if OPENSSL_VERSION_NUMBER >= 0x30200000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) if (!save_cert_or_delete(OSSL_CMP_CTX_get0_validatedSrvCert(ctx), opt_srvcertout, "validated server cert")) err = -53; @@ -2517,8 +2529,9 @@ int main(int argc, char *argv[]) use_case = revocation; } else if (strcmp(argv[1], "genm") == 0) { use_case = genm; - } else if (strcmp(argv[1], "validate") == 0) { - use_case = validate; + } else { + if (strcmp(argv[1], "validate") == 0) + use_case = validate; } } @@ -2635,6 +2648,14 @@ int main(int argc, char *argv[]) CRLs_free(crls); end: +#if 0 /* TODO check: likely not needed, arg type "const char *" does not fit */ + UTIL_cleanse(opt_keypass); + UTIL_cleanse(opt_newkeypass); + UTIL_cleanse(opt_otherpass); + UTIL_cleanse(opt_tls_keypass); + UTIL_cleanse(opt_secret); +#endif + if (rc != EXIT_SUCCESS) OSSL_CMP_CTX_print_errors(NULL); CRLMGMT_DATA_free(cmdata); diff --git a/src/genericCMPClient.c b/src/genericCMPClient.c index df03fd2..9c2677b 100644 --- a/src/genericCMPClient.c +++ b/src/genericCMPClient.c @@ -125,16 +125,14 @@ CMP_err CMPclient_prepare(OSSL_CMP_CTX **pctx, { OSSL_CMP_CTX *ctx = NULL; - if (pctx == NULL) { + if (pctx == NULL) return CMP_R_NULL_ARGUMENT; - } if ((ctx = OSSL_CMP_CTX_new(libctx, propq)) == NULL || !OSSL_CMP_CTX_set_log_cb(ctx, log_fn != NULL ? (OSSL_CMP_log_cb_t)log_fn : /* difference is in 'int' vs. 'bool' and additional TRACE value */ - (OSSL_CMP_log_cb_t)LOG_console)) { + (OSSL_CMP_log_cb_t)LOG_console)) goto err; /* TODO make sure that proper error code it set by OSSL_CMP_CTX_set_log_cb() */ - } if (cmp_truststore != NULL && (!X509_STORE_up_ref(cmp_truststore) || !OSSL_CMP_CTX_set0_trustedStore(ctx, cmp_truststore))) 
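Review bot: The `#if 0` block added at the `end:` label of main() checks in dead code with an open TODO; it should be resolved before merge rather than kept disabled. As the TODO itself notes these are `const char *` option values, and if they point into argv (or into a config/default string) wiping them at exit is either too late, since the command line stays readable through the process list for the whole run, or undefined behaviour for a string literal, so `UTIL_cleanse` on them buys little. If wiping is wanted, copy `-secret`, `-keypass`, `-newkeypass`, `-tls_keypass` and `-otherpass` into owned buffers at option parsing and cleanse those; otherwise drop the block and rely on `file:`/`env:` pass phrase sources, if the parser supports them, to keep secrets off the command line. main() starts outside the hunk.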
@@ -158,17 +156,15 @@ CMP_err CMPclient_prepare(OSSL_CMP_CTX **pctx, && !OSSL_CMP_CTX_set1_referenceValue(ctx, (unsigned char *)pwdref, (int)strlen(pwdref))) || (pkey != NULL && !OSSL_CMP_CTX_set1_pkey(ctx, pkey)) || - (cert != NULL && !OSSL_CMP_CTX_set1_cert(ctx, cert))) { + (cert != NULL && !OSSL_CMP_CTX_set1_cert(ctx, cert))) goto err; - } if (cert != NULL && !OSSL_CMP_CTX_build_cert_chain(ctx, creds_truststore, chain)) goto err; } else { - if (!OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_SEND, 1)) { + if (!OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_SEND, 1)) goto err; - } } /* need recipient for unprotected and PBM-protected messages */ @@ -213,9 +209,8 @@ CMP_err CMPclient_prepare(OSSL_CMP_CTX **pctx, return CMP_R_UNKNOWN_ALGORITHM_ID; } if (!OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_DIGEST_ALGNID, nid) - || !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_OWF_ALGNID, nid)) { + || !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_OWF_ALGNID, nid)) goto err; - } } if (mac != NULL) { @@ -234,13 +229,11 @@ CMP_err CMPclient_prepare(OSSL_CMP_CTX **pctx, && !OSSL_CMP_CTX_set_transfer_cb(ctx, transfer_fn)) || (total_timeout >= 0 && !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_TOTAL_TIMEOUT, - total_timeout))) { + total_timeout))) goto err; - } if (!OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_IMPLICIT_CONFIRM, - implicit_confirm ? 1 : 0)) { + implicit_confirm ? 1 : 0)) goto err; - } if (new_cert_truststore != NULL) { /* ignore any -attime option here, since new certs are current anyway */ X509_VERIFY_PARAM *out_vpm = X509_STORE_get0_param(new_cert_truststore); 
@@ -264,18 +257,16 @@ CMP_err CMPclient_prepare(OSSL_CMP_CTX **pctx, CMP_err CMPclient_setup_BIO(CMP_CTX *ctx, BIO *rw, const char *path, int keep_alive, int timeout) { - if (ctx == NULL) { + if (ctx == NULL) return CMP_R_INVALID_CONTEXT; - } if (!OSSL_CMP_CTX_set1_serverPath(ctx, path) || (timeout >= 0 && !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT, timeout)) || (keep_alive >= 0 && !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_KEEP_ALIVE, keep_alive)) || - !OSSL_CMP_CTX_set_transfer_cb_arg(ctx, rw)) { + !OSSL_CMP_CTX_set_transfer_cb_arg(ctx, rw)) return CMPOSSL_error(); - } if (rw != NULL) { if (path == NULL) @@ -345,9 +336,8 @@ static BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail) && !OSSL_HTTP_proxy_connect(bio, info->server, info->port, NULL, NULL, /* no proxy credentials */ info->timeout, bio_err, opt_getprog())) - || (sbio = BIO_new(BIO_f_ssl())) == NULL) { + || (sbio = BIO_new(BIO_f_ssl())) == NULL) return NULL; - } if ((ssl = SSL_new(ssl_ctx)) == NULL) { BIO_free(sbio); return NULL; @@ -517,7 +507,7 @@ CMP_err CMPclient_setup_HTTP(OSSL_CMP_CTX *ctx, return err; } -#if OPENSSL_VERSION_NUMBER >= 0x30300000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30300000L || defined(USE_LIBCMP) static int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk, const char *text, int len) { @@ -572,7 +562,7 @@ CMP_err CMPclient_add_certProfile(CMP_CTX *ctx, OPTIONAL const char *name) err: return CMPOSSL_error(); } -#endif /* OPENSSL_VERSION_NUMBER >= 0x30300000L || defined USE_LIBCMP */ +#endif /* OPENSSL_VERSION_NUMBER > 0x30300000L || defined USE_LIBCMP */ CMP_err CMPclient_setup_certreq(OSSL_CMP_CTX *ctx, OPTIONAL const EVP_PKEY *new_key, 
@@ -609,14 +599,12 @@ CMP_err CMPclient_setup_certreq(OSSL_CMP_CTX *ctx, X509_EXTENSION_free); if (exts_copy == NULL - || !OSSL_CMP_CTX_set0_reqExtensions(ctx, exts_copy)) { + || !OSSL_CMP_CTX_set0_reqExtensions(ctx, exts_copy)) goto err; - } } - if (csr != NULL && !OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) { + if (csr != NULL && !OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) goto err; - } return CMP_OK; @@ -624,7 +612,7 @@ CMP_err CMPclient_setup_certreq(OSSL_CMP_CTX *ctx, return CMPOSSL_error(); } -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP /* TODO remove decls when exported by OpenSSL */ +#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) /* TODO remove decls when exported by OpenSSL */ static int ossl_x509_add_cert_new_(STACK_OF(X509) **p_sk, X509 *cert, int flags) { if (*p_sk == NULL && (*p_sk = sk_X509_new_null()) == NULL) { @@ -634,7 +622,7 @@ static int ossl_x509_add_cert_new_(STACK_OF(X509) **p_sk, X509 *cert, int flags) return X509_add_cert(*p_sk, cert, flags); } -#if 0 // TODO remove? +# if 0 /* TODO remove? */ static int ossl_x509_add_certs_new(STACK_OF(X509) **p_sk, STACK_OF(X509) *certs, int flags) /* compiler would allow 'const' for the certs, yet they may get up-ref'ed */ @@ -673,9 +661,9 @@ int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs, } return 1; } -#endif +# endif -#if 0 // TODO remove? +# if 0 /* TODO remove? */ /*- * Builds a certificate chain starting from * using the optional list of intermediate CA certificates . @@ -737,7 +725,7 @@ STACK_OF(X509) *ossl_cmp_build_cert_chain(OSSL_LIB_CTX *libctx, X509_STORE_CTX_free(csc); return res; } -#endif +# endif #endif /* end TODO remove decls when exported by OpenSSL */ CMP_err CMPclient_enroll(OSSL_CMP_CTX *ctx, CREDENTIALS **new_creds, int cmd) 
@@ -775,9 +763,8 @@ CMP_err CMPclient_enroll(OSSL_CMP_CTX *ctx, CREDENTIALS **new_creds, int cmd) return CMP_R_INVALID_PARAMETERS; break; } - if (newcert == NULL) { + if (newcert == NULL) goto err; - } EVP_PKEY *new_key = OSSL_CMP_CTX_get0_newPkey(ctx, 1 /* priv */); /* NULL in case P10CR */ @@ -806,9 +793,8 @@ CMP_err CMPclient_enroll(OSSL_CMP_CTX *ctx, CREDENTIALS **new_creds, int cmd) CREDENTIALS *creds = CREDENTIALS_new(new_key, newcert, chain, NULL, NULL); CERTS_free(chain); - if (creds == NULL) { + if (creds == NULL) return ERR_R_MALLOC_FAILURE; - } *new_creds = creds; ERR_clear_error(); /* empty the OpenSSL error queue */ return CMP_OK; @@ -838,9 +824,8 @@ CMP_err CMPclient_imprint(OSSL_CMP_CTX *ctx, CREDENTIALS **new_creds, return CMP_R_INVALID_PARAMETERS; CMP_err err = CMPclient_setup_certreq(ctx, new_key, NULL /* old_cert */, subj, exts, NULL /* csr */); - if (err == CMP_OK) { + if (err == CMP_OK) err = CMPclient_enroll(ctx, new_creds, CMP_IR); - } X509_NAME_free(subj); return err; } @@ -866,9 +851,8 @@ CMP_err CMPclient_bootstrap(OSSL_CMP_CTX *ctx, CREDENTIALS **new_creds, return CMP_R_INVALID_PARAMETERS; CMP_err err = CMPclient_setup_certreq(ctx, new_key, NULL /* old_cert */, subj, exts, NULL /* csr */); - if (err == CMP_OK) { + if (err == CMP_OK) err = CMPclient_enroll(ctx, new_creds, CMP_CR); - } X509_NAME_free(subj); return err; } @@ -884,9 +868,8 @@ CMP_err CMPclient_pkcs10(OSSL_CMP_CTX *ctx, CREDENTIALS **new_creds, CMP_err err = CMPclient_setup_certreq(ctx, NULL /* new_key */, NULL /* old_cert */, NULL /* subject */, NULL /* exts */, csr); - if (err == CMP_OK) { + if (err == CMP_OK) err = CMPclient_enroll(ctx, new_creds, CMP_P10CR); - } return err; } @@ -898,9 +881,8 @@ CMP_err CMPclient_update_anycert(OSSL_CMP_CTX *ctx, CREDENTIALS **new_creds, NULL /* subject */, NULL /* exts */, NULL /* csr */); - if (err == CMP_OK) { + if (err == CMP_OK) err = CMPclient_enroll(ctx, new_creds, CMP_KUR); - } return err; } 
@@ -939,9 +921,8 @@ CMP_err CMPclient_revoke(OSSL_CMP_CTX *ctx, const X509 *cert, /* TODO: X509_REQ if ((reason >= CRL_REASON_UNSPECIFIED && !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_REVOCATION_REASON, reason)) - || !OSSL_CMP_exec_RR_ses(ctx)) { + || !OSSL_CMP_exec_RR_ses(ctx)) goto err; - } ERR_clear_error(); /* empty the OpenSSL error queue */ return CMP_OK; @@ -949,7 +930,7 @@ CMP_err CMPclient_revoke(OSSL_CMP_CTX *ctx, const X509 *cert, /* TODO: X509_REQ return CMPOSSL_error(); } -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) static OSSL_CMP_ITAV *get_genm_itav(CMP_CTX *ctx, OSSL_CMP_ITAV *req, /* gets consumed */ int expected, const char *desc) @@ -1025,9 +1006,7 @@ static const X509_VERIFY_PARAM *get0_trustedStore_vpm(const CMP_CTX *ctx) return ts == NULL ? NULL : X509_STORE_get0_param(ts); } -#endif -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP CMP_err CMPclient_caCerts(CMP_CTX *ctx, STACK_OF(X509) **out) { OSSL_CMP_ITAV *req, *itav; @@ -1072,9 +1051,9 @@ CMP_err CMPclient_caCerts(CMP_CTX *ctx, STACK_OF(X509) **out) OSSL_CMP_ITAV_free(itav); return err; } -#endif +#endif /* OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP */ -#if OPENSSL_VERSION_NUMBER > 0x30400000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30400000L || defined(USE_LIBCMP) CMP_err CMPclient_certReqTemplate(CMP_CTX *ctx, OSSL_CRMF_CERTTEMPLATE **certTemplate, OPTIONAL OSSL_CMP_ATAVS **keySpec) @@ -1104,9 +1083,9 @@ CMP_err CMPclient_certReqTemplate(CMP_CTX *ctx, OSSL_CMP_ITAV_free(itav); return err; } -#endif +#endif /* OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP */ -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) static int selfsigned_verify_cb(int ok, X509_STORE_CTX *store_ctx) { if (ok == 0 && store_ctx != NULL 
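Review bot: The trailing comment added to the `#endif` in hunk `@@ -1104,9 +1083,9` does not match its `#if`: the block holding CMPclient_certReqTemplate is opened in hunk `@@ -1072` with `#if OPENSSL_VERSION_NUMBER > 0x30400000L || defined(USE_LIBCMP)`, but the closing line reads `#endif /* OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP */`; it should say `0x30400000L`. The same mismatch is carried forward by the later patch in hunk `@@ -1083,9 +1083,9` of src/genericCMPClient.c, where the comment becomes `/* OPENSSL_3_2_FEATURES */` while the guard is `#if OPENSSL_3_4_FEATURES`. Since these comments are the only thing a reader has to pair a distant `#endif` with its guard, a wrong one is worse than none.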
@@ -1255,9 +1234,9 @@ CMP_err CMPclient_rootCaCert(CMP_CTX *ctx, OSSL_CMP_ITAV_free(itav); return err; } -#endif +#endif /* OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP */ -#if OPENSSL_VERSION_NUMBER > 0x30400000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30400000L || defined(USE_LIBCMP) CMP_err CMPclient_crlUpdate(CMP_CTX *ctx, OPTIONAL const X509 *cert, OPTIONAL const X509_CRL *last_crl, X509_CRL **crl) { @@ -1323,7 +1302,7 @@ CMP_err CMPclient_crlUpdate(CMP_CTX *ctx, OPTIONAL const X509 *cert, OSSL_CMP_ITAV_free(itav); return err; } -#endif +#endif /* OPENSSL_VERSION_NUMBER > 0x30400000L || defined USE_LIBCMP */ char *CMPclient_snprint_PKIStatus(const OSSL_CMP_CTX *ctx, char *buf, size_t bufsize) diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv index 2cebcd7..a22bbe3 100644 --- a/test/recipes/80-test_cmp_http_data/test_commands.csv +++ b/test/recipes/80-test_cmp_http_data/test_commands.csv 
@@ -67,17 +67,17 @@ TBD,TBD,TBD,TBD,config default all options set, -section,, -cmd,ir,, -cacertsout 1,0,-,1,genm with infotype signKeyPairTypes, -section,, -cmd,genm,,BLANK,,, -infotype,signKeyPairTypes,,BLANK,,BLANK, 0,*,*,*,genm with missing infotype value, -section,, -cmd,genm,,BLANK,,, -infotype,,,BLANK,,BLANK, 0,*,*,*,genm with invalid infotype value, -section,, -cmd,genm,,BLANK,,, -infotype,asdf,,BLANK,,BLANK, -Mock server must use OpenSSL 3.3 ,1,-,-,genm certReqTemplate - not with OpenSSL 1.1 , -section,, -cmd,genm,, -template,test.template.pem,, -infotype,certReqTemplate,,BLANK,,BLANK,,BLANK,,, -expect_sender, """" +Mock server must use OpenSSL 3.3 ,1,-,-,genm certReqTemplate, -section,, -cmd,genm,, -template,test.template.pem,, -infotype,certReqTemplate,,BLANK,,BLANK,,BLANK,,, -expect_sender, """" 0,*,*,*,genm certReqTemplate missing template option, -section,, -cmd,genm,, -template,"""",, -infotype,certReqTemplate,,BLANK,,BLANK, 0,*,*,*,genm certReqTemplate missing template arg , -section,, -cmd,genm,, -template,BLANK,, -infotype,certReqTemplate,,BLANK,,BLANK, 0,*,*,*,genm certReqTemplate template extra arg , -section,, -cmd,genm,, -template,test.template.pem,test.template.pem, -infotype,certReqTemplate,,BLANK,,BLANK, -*,0,*,*,genm certReqTemplate template arg non-ex dir, -section,, -cmd,genm,, -template,idontexist/idontexist,, -infotype,certReqTemplate,,BLANK,,BLANK, -Mock server must use OpenSSL 3.2 ,1,-,-,genm caCerts - not with OpenSSL 1.1 , -section,, -cmd,genm,, -cacertsout,test.cacertsout.pem,, -infotype,caCerts,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN +0,*,*,*,genm certReqTemplate template arg non-ex dir, -section,, -cmd,genm,, -template,idontexist/idontexist,, -infotype,certReqTemplate,,BLANK,,BLANK, +Mock server must use OpenSSL 3.2 ,1,-,-,genm caCerts, -section,, -cmd,genm,, -cacertsout,test.cacertsout.pem,, -infotype,caCerts,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN 0,*,*,*,genm caCerts missing cacertsout option, -section,, 
-cmd,genm,, -cacertsout,"""",, -infotype,caCerts,,BLANK,,BLANK, 0,*,*,*,genm caCerts missing cacertsout arg , -section,, -cmd,genm,, -cacertsout,BLANK,, -infotype,caCerts,,BLANK,,BLANK, 0,*,*,*,genm caCerts cacertsout extra arg , -section,, -cmd,genm,, -cacertsout,test.cacertsout.pem,test.cacertsout.pem, -infotype,caCerts,,BLANK,,BLANK, 0,*,*,*,genm caCerts cacertsout arg non-ex dir, -section,, -cmd,genm,, -cacertsout,idontexist/idontexist,, -infotype,caCerts,,BLANK,,BLANK, --,1,-,-,genm rootCaCert , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem +Mock server must use OpenSSL 3.2 ,1,-,-,genm rootCaCert , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem 0,*,*,*,genm rootCaCert no oldwithold given , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, BLANK , , -newwithnew, test.newwithnew.pem 0,*,*,*,genm rootCaCert oldwithold missing arg, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, , -newwithnew, test.newwithnew.pem 0,*,*,*,genm rootCaCert oldwithold empty file , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, empty.txt , -newwithnew, test.newwithnew.pem 
@@ -87,20 +87,25 @@ Mock server must use OpenSSL 3.2 ,1,-,-,genm caCerts - not with OpenSSL 1.1 , 0,*,*,*,genm rootCaCert missing newwithnew , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, BLANK,, 0,*,*,*,genm rootCaCert newwithnew missing arg, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew,, 0,*,*,*,genm rootCaCert newwithnew directory , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew,directory/, --,1,-,-,genm rootCaCert with oldwithnew , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem +Mock server must use OpenSSL 3.2 ,1,-,-,genm rootCaCert with oldwithnew , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem 0,*,*,*,genm rootCaCert oldwithnew missing arg, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew,, 0,*,*,*,genm rootCaCert oldwithnew directory , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew,/directory, --,1,-,-,genm rootCaCert with newwithold , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem, -newwithold, test.newwithold.pem +Mock server must use OpenSSL 3.2 ,1,-,-,genm 
rootCaCert with newwithold , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem, -newwithold, test.newwithold.pem 0,*,*,*,genm rootCaCert newwithold missig arg , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem, -newwithold,, 0,*,*,*,genm rootCaCert newwithold directory , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem, -newwithold,/directory, --,1,-,-,genm rootCaCert oldwithnew newwithold , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -newwithold, test.newwithold.pem --,1,-,-,genm crlStatusList , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, crl.der , -crlout, test.crl.der --,1,-,-,genm crlStatusList with oldcert , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcert, root.crt , -crlout, test.crl.der -0,*,*,*,genm crlStatusList missing oldcrl , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, BLANK, , -crlout, test.crl.der +Mock server must use OpenSSL 3.2 ,1,-,-,genm rootCaCert oldwithnew newwithold , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -newwithold, test.newwithold.pem +Mock server must use OpenSSL 3.4 ,1,-,-,genm crlStatusList , -section,,-cmd,genm,, 
BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, crl.der , -crlout, test.crl.der +Mock server must use OpenSSL 3.4 ,1,-,-,genm crlStatusList with crlcert , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -crlcert, root.crt , -crlout, test.crl.der +Mock server must use OpenSSL 3.4 ,1,-,-,genm crlStatusList with oldcert , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcert, root.crt , -crlout, test.crl.der +0,*,*,*,genm crlStatusList missing oldcrl crlcert oldcert , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, BLANK, , -crlout, test.crl.der 0,*,*,*,genm crlStatusList oldcrl missing arg, -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, , -crlout, test.crl.der 0,*,*,*,genm crlStatusList oldcrl empty file , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, empty.txt , -crlout, test.crl.der 0,*,*,*,genm crlStatusList oldcrl random file, -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, random.bin, -crlout, test.crl.der 0,*,*,*,genm crlStatusList oldcrl nonexistent, -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, idontexist, -crlout, test.crl.der +0,*,*,*,genm crlStatusList crlcert missing arg, -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -crlcert, , -crlout, test.crl.der +0,*,*,*,genm crlStatusList crlcert empty file , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -crlcert, empty.txt , -crlout, test.crl.der +0,*,*,*,genm crlStatusList crlcert random file, -section,,-cmd,genm,, 
BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -crlcert, random.bin, -crlout, test.crl.der +0,*,*,*,genm crlStatusList crlcert nonexistent, -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -crlcert, idontexist, -crlout, test.crl.der TBD,*,*,*,genm crlStatusList oldcrl wrong , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, wrong.crl , -crlout, test.crl.der 0,*,*,*,genm crlStatusList missing crlout , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, oldcrl.pem, BLANK,, 0,*,*,*,genm crlStatusList crlout missing arg, -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, oldcrl.pem, -crlout,, From 4632f4f0df572bf97cd2a80ddcdb4f257eebe5ff Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Fri, 13 Dec 2024 12:05:05 +0100 Subject: [PATCH 09/17] README.md: refer to config/demo.cnf and fix structual issue on CLI demo use --- README.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index cd87ac3..2663f68 100644 --- a/README.md +++ b/README.md @@ -446,6 +446,8 @@ The Command-Line Interface (CLI) of the CMP client is implemented in [`src/cmpClient.c`](src/cmpClient.c). It supports most of the features of the genCMPClient library. The CLI use with the available options are documented in [`cmpClient.pod`](doc/cmpClient.pod). +An example configuration used by the below mentioned demo invocations +can be found in [`demo.cnf`](config/demo.cnf). For simple test invocations the Insta Certifier Demo CA server may be used, for instance as follows: 
@@ -482,6 +484,13 @@ You can view this certificate for instance by executing openssl x509 -noout -text -in creds/operational.crt ``` +To select a specific CMP profile on the CloudCA server, set the environment +variable `CMP_PROFILE` to the profile name. +For instance: +``` +CMP_PROFILE=Nested make -f Makefile_v1 demo_CloudCA +``` + CLI-based tests using the Insta Demo CA may be invoked using ``` make -f Makefile_v1 test_Insta @@ -490,20 +499,13 @@ where the PROXY environment variable may be used to override the default in order to reach the Insta Demo CA. In order to obtain a trace of the HTTP messages being sent and received, -build the genCMPClient with `USE_LIBCMP=1` and +one can build the genCMPClient with `USE_LIBCMP=1` and set the environment variable `OPENSSL_TRACE` to contain the string `"HTTP"`. For instance: ``` OPENSSL_TRACE=HTTP ./cmpClient imprint -section Insta ``` -To select a specific CMP profile on the CloudCA server, set the environment -variable `CMP_PROFILE` to the profile name. -For instance: -``` -CMP_PROFILE=Nested make -f Makefile_v1 demo_CloudCA -``` - ## Using the library in own applications From be5567d9327d3f8b42c65b432a33083c89ea2fe6 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sat, 14 Dec 2024 11:45:48 +0100 Subject: [PATCH 10/17] fix OpenSSL version 3.4.0 dependencies: assume that -pre version has new CMP features --- CMakeLists.txt | 2 +- Makefile_src | 2 +- README.md | 2 +- include/genericCMPClient.h | 14 +++++++---- src/cmpClient.c | 48 +++++++++++++++++++------------------- src/genericCMPClient.c | 22 ++++++++--------- 6 files changed, 47 insertions(+), 43 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 4528ba3..ae9ce6a 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -158,7 +158,7 @@ add_compile_options(-pedantic) # -Werror is enabled only for development and CI, add_compile_options( -Wall -Woverflow -Wextra -Wmissing-prototypes -Wstrict-prototypes -Wswitch -Wsign-compare -Wformat -Wtype-limits -Wundef -Wconversion -Wunused-parameter) -add_compile_options(-Wno-c99-extensions -Wno-language-extension-token -Wno-declaration-after-statement -Wno-embedded-directive) +add_compile_options(-Wno-c99-extensions -Wno-language-extension-token -Wno-declaration-after-statement -Wno-embedded-directive -Wno-expansion-to-defined) # because of libsecutils: add_compile_options(-Wno-sign-conversion -Wno-shorten-64-to-32 -Wno-shadow) # TODO maybe clean up code and re-enable property diff --git a/Makefile_src b/Makefile_src index ad884f1..8b389c3 100644 --- a/Makefile_src +++ b/Makefile_src @@ -94,7 +94,7 @@ override CFLAGS += \ -Wformat -Wformat-security -Wtype-limits -Wundef -Wconversion \ -Wsign-compare -Wpointer-arith -Wunused-parameter -Wshadow \ -pedantic -DPEDANTIC -override CFLAGS +=-Wno-c99-extensions -Wno-language-extension-token -Wno-declaration-after-statement -Wno-embedded-directive \ +override CFLAGS +=-Wno-c99-extensions -Wno-language-extension-token -Wno-declaration-after-statement -Wno-embedded-directive -Wno-expansion-to-defined \ -Wno-sign-conversion -Wno-shorten-64-to-32 -Wno-shadow # due to libsecutils ifeq ($(LPATH),) override CFLAGS += -I$(SECUTILS_DIR)/src/libsecutils/include diff --git a/README.md b/README.md index 2663f68..44bbd62 100644 --- a/README.md +++ b/README.md @@ -209,7 +209,7 @@ this can provide useful information. When getting version mismatch errors like ``` -OpenSSL runtime version 0x304000d0 does not match version 0x300000d0 used by compiler +OpenSSL runtime version 0x30400000 does not match version 0x300000d0 used by compiler ``` make sure that the system-level configuration for finding header and library files as well as the optional environment variables `OPENSSL_DIR` and `OPENSSL_LIB` 
diff --git a/include/genericCMPClient.h b/include/genericCMPClient.h index 2277ce8..1fb46b2 100644 --- a/include/genericCMPClient.h +++ b/include/genericCMPClient.h @@ -23,6 +23,10 @@ extern "C" { # include +#define OPENSSL_3_2_FEATURES (OPENSSL_VERSION_NUMBER >= 0x30200000L || defined(USE_LIBCMP)) +#define OPENSSL_3_3_FEATURES (OPENSSL_VERSION_NUMBER >= 0x30300000L || defined(USE_LIBCMP)) +#define OPENSSL_3_4_FEATURES (OPENSSL_VERSION_NUMBER >= 0x30400000L || defined(USE_LIBCMP)) + # if OPENSSL_VERSION_NUMBER < 0x30000000L || defined(USE_LIBCMP) # include /* if not found, maybe genericCMPClient_config.h is not up to date w.r.t. USE_LIBCMP */ # endif @@ -147,7 +151,7 @@ CMP_err CMPclient_setup_HTTP(CMP_CTX *ctx, const char *server, const char *path, CMP_err CMPclient_setup_BIO(CMP_CTX *ctx, BIO *rw, const char *path, int keep_alive, int timeout); -# if OPENSSL_VERSION_NUMBER >= 0x30300000L || defined(USE_LIBCMP) +# if OPENSSL_3_3_FEATURES /* call optionally before requests; name may be UTF8-encoded string */ /* This calls OSSL_CMP_CTX_reset_geninfo_ITAVs() if name == NULL */ CMP_err CMPclient_add_certProfile(CMP_CTX *ctx, OPTIONAL const char *name); 
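Review bot: The three new macros in hunk `@@ -23,6 +23,10` expand to an expression containing `defined(USE_LIBCMP)`, and C11 6.10.1p4 leaves the behaviour undefined when the token `defined` is produced by macro replacement; GCC and Clang happen to evaluate it as intended but warn, which is why the CMakeLists.txt and Makefile_src hunks of this patch add `-Wno-expansion-to-defined` to silence it. Defining each feature macro to a plain 0 or 1 under an ordinary `#if` removes the undefined behaviour, keeps the macros usable in `#if OPENSSL_3_3_FEATURES` and `#if !OPENSSL_3_2_FEATURES` unchanged, and lets the warning suppression be dropped again. The same shape applies to OPENSSL_3_3_FEATURES and OPENSSL_3_4_FEATURES.
```c
/* 0/1 values avoid expanding to `defined`, which C11 6.10.1p4 leaves undefined */
#if OPENSSL_VERSION_NUMBER >= 0x30200000L || defined(USE_LIBCMP)
# define OPENSSL_3_2_FEATURES 1
#else
# define OPENSSL_3_2_FEATURES 0
#endif
/* … same pattern for OPENSSL_3_3_FEATURES (0x30300000L) and OPENSSL_3_4_FEATURES (0x30400000L) … */
```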
@@ -213,25 +217,25 @@ CMP_err CMPclient_update_anycert(OSSL_CMP_CTX *ctx, CREDENTIALS **new_creds, /* reason codes are defined in openssl/x509v3.h */ CMP_err CMPclient_revoke(CMP_CTX *ctx, const X509 *cert, /* TODO: X509_REQ *csr, */ int reason); -# if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) +# if OPENSSL_3_2_FEATURES /* get CA certs, discard duplicates, and verify they are non-expired CA certs */ CMP_err CMPclient_caCerts(CMP_CTX *ctx, STACK_OF(X509) **out); # endif /* get certificate request template and related key specifications */ -# if OPENSSL_VERSION_NUMBER > 0x30400000L || defined(USE_LIBCMP) +# if OPENSSL_3_4_FEATURES CMP_err CMPclient_certReqTemplate(CMP_CTX *ctx, OSSL_CRMF_CERTTEMPLATE **certTemplate, OPTIONAL OSSL_CMP_ATAVS **keySpec); # endif -# if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) +# if OPENSSL_3_2_FEATURES /* get any root CA key update and verify it as far as possible */ CMP_err CMPclient_rootCaCert(CMP_CTX *ctx, const X509 *oldWithOld, X509 **newWithNew, OPTIONAL X509 **newWithOld, OPTIONAL X509 **oldWithNew); # endif -# if OPENSSL_VERSION_NUMBER > 0x30400000L || defined(USE_LIBCMP) +# if OPENSSL_3_4_FEATURES /* get latest CRL according to cert DPN/issuer or get any update on given CRL */ CMP_err CMPclient_crlUpdate(CMP_CTX *ctx, OPTIONAL const X509 *cert, OPTIONAL const X509_CRL *last_crl, X509_CRL **crl); diff --git a/src/cmpClient.c b/src/cmpClient.c index 7d94969..19132d9 100644 --- a/src/cmpClient.c +++ b/src/cmpClient.c @@ -75,10 +75,10 @@ const char *opt_recipient; const char *opt_expect_sender; bool opt_ignore_keyusage; bool opt_unprotected_errors; -#if OPENSSL_VERSION_NUMBER > 0x30300000L || defined(USE_LIBCMP) +#if OPENSSL_3_3_FEATURES bool opt_no_cache_extracerts; #endif -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) +#if OPENSSL_3_2_FEATURES const char *opt_srvcertout; #endif const char *opt_extracertsout; 
@@ -143,7 +143,7 @@ const char *opt_chainout; const char *opt_oldcert; long opt_revreason; const char *opt_issuer; -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) +#if OPENSSL_3_2_FEATURES char *opt_serial; #endif @@ -202,13 +202,13 @@ opt_t cmp_opts[] = { "CMP request to send: ir/cr/p10cr/kur/rr/genm. Overrides 'use_case' if given"}, { "infotype", OPT_TXT, {.txt = NULL}, { &opt_infotype }, "InfoType name for requesting info in genm, e.g., C" -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) +#if OPENSSL_3_2_FEATURES ", with specific" #endif }, -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) +#if OPENSSL_3_2_FEATURES OPT_MORE("support for 'caCerts', 'rootCaCert'" -# if OPENSSL_VERSION_NUMBER > 0x30400000L || defined(USE_LIBCMP) +# if OPENSSL_3_4_FEATURES ", 'certReqTemplate', and 'crlStatusList'" # endif ), @@ -218,7 +218,7 @@ opt_t cmp_opts[] = { { "geninfo", OPT_TXT, {.txt = NULL}, { (const char **)&opt_geninfo }, "Comma-separated list of OID and value to place in generalInfo PKIHeader"}, OPT_MORE("of form :int: or :str:, e.g. \'1.2.3.4:int:56789, id-kp:str:name'"), -#if OPENSSL_VERSION_NUMBER > 0x30400000L || defined(USE_LIBCMP) +#if OPENSSL_3_4_FEATURES { "template", OPT_TXT, {.txt = NULL}, { &opt_template }, "File to save certTemplate received in genp of type certReqTemplate"}, #endif 
@@ -285,14 +285,14 @@ opt_t cmp_opts[] = { OPT_MORE("Values: 0..6, 8..10 (see RFC5280, 5.3.1) or -1. Default -1 = none included"), { "issuer", OPT_TXT, {.txt = NULL}, { &opt_issuer }, "DN of the issuer to place in the certificate template of ir/cr/kur" -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) +#if OPENSSL_3_2_FEATURES "/rr" #else "" #endif ";"}, OPT_MORE("also used as recipient if neither -recipient nor -srvcert are given"), -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) +#if OPENSSL_3_2_FEATURES { "serial", OPT_TXT, {.txt = NULL}, {(const char **) &opt_serial}, "Serial number of certificate to be revoked in revocation request (rr)"}, #endif @@ -340,12 +340,12 @@ opt_t cmp_opts[] = { { (const char **) &opt_unprotected_errors }, "Accept missing or invalid protection of regular error messages and negative"}, OPT_MORE("certificate responses (ip/cp/kup), revocation responses (rp), and PKIConf"), -#if OPENSSL_VERSION_NUMBER > 0x30300000L || defined(USE_LIBCMP) +#if OPENSSL_3_3_FEATURES { "no_cache_extracerts", OPT_BOOL, {.bit = false}, { (const char **) &opt_no_cache_extracerts }, "Do not keep certificates received in the extraCerts CMP message field"}, #endif -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) +#if OPENSSL_3_2_FEATURES { "srvcertout", OPT_TXT, {.txt = NULL}, { &opt_srvcertout }, "File to save server cert used and validated for CMP response protection"}, #endif @@ -1052,7 +1052,7 @@ static int setup_ctx(CMP_CTX *ctx) /* set option flags directly via CMP API */ if (!OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_ERRORS, opt_unprotected_errors ? 1 : 0) -#if OPENSSL_VERSION_NUMBER > 0x30300000L || defined(USE_LIBCMP) +#if OPENSSL_3_3_FEATURES || (opt_no_cache_extracerts && /* TODO remove this condition, which is just a workaround for wrong variant of OSSL_CMP_CTX_set_option() being called */ !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_NO_CACHE_EXTRACERTS, opt_no_cache_extracerts ? 1 : 0)) 
@@ -1073,7 +1073,7 @@ static int setup_ctx(CMP_CTX *ctx) } if (opt_profile != NULL) { -#if OPENSSL_VERSION_NUMBER > 0x30300000L || defined(USE_LIBCMP) +#if OPENSSL_3_3_FEATURES err = CMPclient_add_certProfile(ctx, opt_profile); #else LOG_err("-profile option is not supported for OpenSSL < 3.3"); @@ -1565,13 +1565,13 @@ static CMP_err check_options(enum use_case use_case) strncat(id_buf, opt_infotype, sizeof(id_buf) - strlen(id_buf) - 1); if ((infotype = OBJ_sn2nid(id_buf)) == NID_undef) { LOG(FL_ERR, "Unknown OID name '%s' in -infotype option", id_buf); -#if OPENSSL_VERSION_NUMBER <= 0x30200000L && !defined(USE_LIBCMP) +#if !OPENSSL_3_2_FEATURES if (strcmp(opt_infotype, "caCerts") == 0 || strcmp(opt_infotype, "rootCaCert") == 0) LOG(FL_INFO, "infoType %s is not supported for OpenSSL < 3.2", opt_infotype); #endif -#if OPENSSL_VERSION_NUMBER <= 0x30400000L && !defined(USE_LIBCMP) +#if !OPENSSL_3_4_FEATURES if (strcmp(opt_infotype, "certReqTemplate") == 0 || strcmp(opt_infotype, "crlStatusList") == 0) LOG(FL_INFO, "infoType %s is not supported for OpenSSL < 3.4", @@ -1642,7 +1642,7 @@ static CMP_err check_options(enum use_case use_case) LOG_err("-csr option is missing for command 'p10cr'"); return -35; } -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) +#if OPENSSL_3_2_FEATURES if (use_case == revocation) { if (opt_issuer == NULL && opt_serial == NULL) { if (opt_oldcert == NULL && opt_csr == NULL) { @@ -1884,7 +1884,7 @@ static CMP_err check_template_options(CMP_CTX *ctx, EVP_PKEY **new_pkey, return -48; } } -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) +#if OPENSSL_3_2_FEATURES if (use_case == revocation) { if (set_name(opt_issuer, OSSL_CMP_CTX_set1_issuer, ctx, "issuer") != CMP_OK) return -70; 
@@ -1908,7 +1908,7 @@ static CMP_err check_template_options(CMP_CTX *ctx, EVP_PKEY **new_pkey, return CMP_OK; } -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) +#if OPENSSL_3_2_FEATURES static int delete_file(const char *file, const char *desc) { if (file == NULL) @@ -2062,7 +2062,7 @@ static int print_itavs(const STACK_OF(OSSL_CMP_ITAV) *itavs) return ret; } -#if OPENSSL_VERSION_NUMBER > 0x30400000L || defined(USE_LIBCMP) +#if OPENSSL_3_4_FEATURES static int save_template(const char *file, const OSSL_CRMF_CERTTEMPLATE *tmpl) { BIO *bio = BIO_new_file(file, "wb"); @@ -2102,7 +2102,7 @@ static CMP_err do_genm(CMP_CTX *ctx, X509 *oldcert) CMP_err err; switch (infotype) { -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) +#if OPENSSL_3_2_FEATURES case NID_id_it_caCerts: if (opt_cacertsout == NULL) { LOG(FL_ERR, "Missing -cacertsout option for -infotype caCerts"); @@ -2169,9 +2169,9 @@ static CMP_err do_genm(CMP_CTX *ctx, X509 *oldcert) X509_free(oldwithold); return err; } -#endif /* OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) */ +#endif /* OPENSSL_3_2_FEATURES */ -#if OPENSSL_VERSION_NUMBER > 0x30400000L || defined(USE_LIBCMP) +#if OPENSSL_3_4_FEATURES case NID_id_it_crlStatusList: if (opt_oldcrl == NULL && opt_crlcert == NULL && opt_oldcert == NULL) { LOG(FL_ERR, "Missing -oldcrl and no -crlcert nor -oldcert given for -infotype crlStatusList"); @@ -2306,7 +2306,7 @@ static CMP_err do_genm(CMP_CTX *ctx, X509 *oldcert) case -1: err = oldcert == NULL ? 0 : 0; return err; -#endif /* OPENSSL_VERSION_NUMBER > 0x30400000L || defined(USE_LIBCMP) */ +#endif /* OPENSSL_3_4_FEATURES */ default: if (infotype != NID_undef) { 
@@ -2426,7 +2426,7 @@ static int CMPclient(enum use_case use_case, OPTIONAL LOG_cb_t log_fn) string != NULL ? string : ""); } -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) +#if OPENSSL_3_2_FEATURES if (!save_cert_or_delete(OSSL_CMP_CTX_get0_validatedSrvCert(ctx), opt_srvcertout, "validated server cert")) err = -53; diff --git a/src/genericCMPClient.c b/src/genericCMPClient.c index 9c2677b..210b7c8 100644 --- a/src/genericCMPClient.c +++ b/src/genericCMPClient.c @@ -507,7 +507,7 @@ CMP_err CMPclient_setup_HTTP(OSSL_CMP_CTX *ctx, return err; } -#if OPENSSL_VERSION_NUMBER > 0x30300000L || defined(USE_LIBCMP) +#if OPENSSL_3_3_FEATURES static int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk, const char *text, int len) { @@ -562,7 +562,7 @@ CMP_err CMPclient_add_certProfile(CMP_CTX *ctx, OPTIONAL const char *name) err: return CMPOSSL_error(); } -#endif /* OPENSSL_VERSION_NUMBER > 0x30300000L || defined USE_LIBCMP */ +#endif /* OPENSSL_3_3_FEATURES */ CMP_err CMPclient_setup_certreq(OSSL_CMP_CTX *ctx, OPTIONAL const EVP_PKEY *new_key, @@ -612,7 +612,7 @@ CMP_err CMPclient_setup_certreq(OSSL_CMP_CTX *ctx, return CMPOSSL_error(); } -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) /* TODO remove decls when exported by OpenSSL */ +#if OPENSSL_3_2_FEATURES /* TODO remove decls when exported by OpenSSL */ static int ossl_x509_add_cert_new_(STACK_OF(X509) **p_sk, X509 *cert, int flags) { if (*p_sk == NULL && (*p_sk = sk_X509_new_null()) == NULL) { @@ -930,7 +930,7 @@ CMP_err CMPclient_revoke(OSSL_CMP_CTX *ctx, const X509 *cert, /* TODO: X509_REQ return CMPOSSL_error(); } -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) +#if OPENSSL_3_2_FEATURES static OSSL_CMP_ITAV *get_genm_itav(CMP_CTX *ctx, OSSL_CMP_ITAV *req, /* gets consumed */ int expected, const char *desc) 
@@ -1051,9 +1051,9 @@ CMP_err CMPclient_caCerts(CMP_CTX *ctx, STACK_OF(X509) **out) OSSL_CMP_ITAV_free(itav); return err; } -#endif /* OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP */ +#endif /* OPENSSL_3_2_FEATURES */ -#if OPENSSL_VERSION_NUMBER > 0x30400000L || defined(USE_LIBCMP) +#if OPENSSL_3_4_FEATURES CMP_err CMPclient_certReqTemplate(CMP_CTX *ctx, OSSL_CRMF_CERTTEMPLATE **certTemplate, OPTIONAL OSSL_CMP_ATAVS **keySpec) @@ -1083,9 +1083,9 @@ CMP_err CMPclient_certReqTemplate(CMP_CTX *ctx, OSSL_CMP_ITAV_free(itav); return err; } -#endif /* OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP */ +#endif /* OPENSSL_3_2_FEATURES */ -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined(USE_LIBCMP) +#if OPENSSL_3_2_FEATURES static int selfsigned_verify_cb(int ok, X509_STORE_CTX *store_ctx) { if (ok == 0 && store_ctx != NULL @@ -1234,9 +1234,9 @@ CMP_err CMPclient_rootCaCert(CMP_CTX *ctx, OSSL_CMP_ITAV_free(itav); return err; } -#endif /* OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP */ +#endif /* OPENSSL_3_2_FEATURES */ -#if OPENSSL_VERSION_NUMBER > 0x30400000L || defined(USE_LIBCMP) +#if OPENSSL_3_4_FEATURES CMP_err CMPclient_crlUpdate(CMP_CTX *ctx, OPTIONAL const X509 *cert, OPTIONAL const X509_CRL *last_crl, X509_CRL **crl) { @@ -1302,7 +1302,7 @@ CMP_err CMPclient_crlUpdate(CMP_CTX *ctx, OPTIONAL const X509 *cert, OSSL_CMP_ITAV_free(itav); return err; } -#endif /* OPENSSL_VERSION_NUMBER > 0x30400000L || defined USE_LIBCMP */ +#endif /* OPENSSL_3_4_FEATURES */ char *CMPclient_snprint_PKIStatus(const OSSL_CMP_CTX *ctx, char *buf, size_t bufsize) From 555ceadf7588763e59e68d181f20a9a05259f31f Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sat, 14 Dec 2024 11:46:43 +0100 Subject: [PATCH 11/17] cmpClient.c: add -h option as an alias for -help --- src/cmpClient.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cmpClient.c b/src/cmpClient.c index 19132d9..a10acb0 100644 --- a/src/cmpClient.c 
+++ b/src/cmpClient.c @@ -2546,7 +2546,7 @@ int main(int argc, char *argv[]) if (argv[i][0] == '-') { if (argv[i][1] == '-') argv[i]++; - if (strcmp(argv[i] + 1, "help") == 0) { + if (strcmp(argv[i] + 1, "help") == 0 || strcmp(argv[i] + 1, "h") == 0) { rc = print_help(prog); goto end; } else if (i + 1 < argc) { From b62c966e92974cb3e5559aabfa910bdbe0334b96 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sat, 14 Dec 2024 11:50:24 +0100 Subject: [PATCH 12/17] Makefile_{v1,test}: fix 'build' prerequisite for cli-based tests --- Makefile_tests | 2 +- Makefile_v1 | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile_tests b/Makefile_tests index e750afc..7739e47 100644 --- a/Makefile_tests +++ b/Makefile_tests @@ -101,7 +101,7 @@ conformance: $(CMPCLIENT) OPENSSL_CMP_CONFIG ?= test.cnf .phony: test_cli -test_cli: $(CMPCLIENT) +test_cli: @which $(PERL) || (echo "cannot find Perl, please install it"; false) @echo -en "\n#### running CLI-based tests #### " @if [ -n "$$OPENSSL_CMP_SERVER" ]; then echo -en "with server=$$OPENSSL_CMP_SERVER"; else echo -n "without server"; fi diff --git a/Makefile_v1 b/Makefile_v1 index fecb77e..eb0bcd1 100644 --- a/Makefile_v1 +++ b/Makefile_v1 @@ -558,7 +558,7 @@ run_demo: $(OUT_DIR_BIN) # tests ######################################################################## .phony: test_EJBCA-AWS -test_EJBCA-AWS: get_EJBCA_crls +test_EJBCA-AWS: build get_EJBCA_crls ifeq ($(filter-out EJBCA Simple,$(OPENSSL_CMP_SERVER)),) $(warning "### skipping test_$(OPENSSL_CMP_SERVER) since not supported in this environment ###") else 
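Review bot: The new `-h` alias in hunk `@@ -2546,7 +2546,7` is not reflected anywhere a user would discover it: the diffstat lists only src/cmpClient.c, so the help text produced by print_help() and doc/cmpClient.pod (which the README names as the CLI documentation) presumably still mention only `-help`. The usage line and the pod entry for the help option should list both spellings, e.g. `-help, -h` followed by its description. Note that because the preceding context line collapses a leading `--` to `-`, `--h` is accepted as well, which is fine but worth a word in the docs. The enclosing main() body starts and ends outside the hunk.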
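Review bot: In the Makefile_tests hunk `@@ -101,7 +101,7`, `test_cli` is left with no prerequisite at all, so invoking Makefile_tests directly no longer guarantees that `$(CMPCLIENT)` exists; the binary is only built when the target is reached through the `test_Mock: build` and `tests_LwCmp: build` rules that this commit adds to Makefile_v1. If direct invocation is still meant to be supported, an explicit existence check in the recipe, e.g. `@[ -x "$(CMPCLIENT)" ] || (echo "cannot find $(CMPCLIENT), run 'make build' first"; false)`, would fail fast instead of at the first test. Separately, the context lines declare `.phony: test_cli` (and `.phony: test_EJBCA-AWS` in the Makefile_v1 hunk) in lower case; as far as I know GNU make only recognises the special target as `.PHONY`, so these pre-existing lines do not actually mark the targets phony.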
@@ -658,11 +658,11 @@ endif all: build doc .phony: test_Mock -test_Mock: +test_Mock: build $(MAKE) -f Makefile_tests test_Mock CMPCLIENT="$(OUT_DIR_BIN)" OPENSSL=$(OPENSSL) OPENSSL_VERSION=$(OPENSSL_VERSION) .phony: tests_LwCmp -tests_LwCmp: $(OUT_DIR_BIN) +tests_LwCmp: build $(MAKE) -f Makefile_tests tests_LwCmp CMPCLIENT="$(OUT_DIR_BIN)" OPENSSL=$(OPENSSL) OPENSSL_VERSION=$(OPENSSL_VERSION) test_all: demo_all test test_Mock tests_LwCmp From 9cc295728f14da6926a8cc01c4b1e0dfb60de404 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sat, 14 Dec 2024 11:55:11 +0100 Subject: [PATCH 13/17] Makefile_src,shlib_wrap.sh: simplify LD_LIBRARY_PATH, add DYLD_LIBRARY_PATH, export both, so no more need -Wl,-rpath --- Makefile_src | 2 +- util/shlib_wrap.sh | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Makefile_src b/Makefile_src index 8b389c3..a43f713 100644 --- a/Makefile_src +++ b/Makefile_src @@ -143,7 +143,7 @@ ifeq ($(LPATH),) # TODO maybe better use absolute path here, as done by CMake override LDFLAGS += -Wl,-rpath,$(OUT_DIR) # no more needed: -Wl,-rpath,$(SECUTILS_DIR) ifndef NDEBUG # for CLI-based tests - override LDFLAGS += -Wl,-rpath,$(OUT_DIR)/../../../.. +# override LDFLAGS += -Wl,-rpath,$(OUT_DIR)/../../../.. # not needed due to OUT_DIR set also for libsecutils: # override LDFLAGS += -Wl,-rpath,$(OUT_DIR)/../../../../$(SECUTILS_DIR) endif diff --git a/util/shlib_wrap.sh b/util/shlib_wrap.sh index 028fa18..b343b12 100755 --- a/util/shlib_wrap.sh +++ b/util/shlib_wrap.sh @@ -1,7 +1,8 @@ #!/bin/sh #dummy implementation of shlib_wrap.sh -LD_LIBRARY_PATH=../../../..:../../../../securityUtilities:../../../../..:../../../../../securityUtilities +export LD_LIBRARY_PATH=../../../.. +export DYLD_LIBRARY_PATH=../../../.. cmd="$1"; [ -x "$cmd" ] || cmd="$cmd${EXE_EXT}" shift From 8680bbf836326720b4f19ede186467a2e69ad4c8 Mon Sep 17 00:00:00 2001 
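Review bot: The two `export` lines added to util/shlib_wrap.sh set `LD_LIBRARY_PATH`/`DYLD_LIBRARY_PATH` to a relative path, so which `libcrypto`/`libcmp` the wrapped command loads depends on the working directory the wrapper is invoked from, and any value already present in the environment (for example the path of the OpenSSL build that `$(OPENSSL)` points at) is overwritten rather than extended. That can make the test binary silently pick a different library than the one the test harness checks the version of. Appending instead of replacing keeps the caller's setting: `export LD_LIBRARY_PATH="../../../..${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"` and likewise `export DYLD_LIBRARY_PATH="../../../..${DYLD_LIBRARY_PATH:+:$DYLD_LIBRARY_PATH}"`. A one-line comment stating the directory the wrapper expects to be run from would also help, since the `#dummy implementation` header does not say.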
From: "Dr. David von Oheimb" Date: Sat, 14 Dec 2024 13:42:09 +0100 Subject: [PATCH 14/17] cmpClient.c,Makefile_src,CMakeLists.txt: avoid non-portable -Wno-embedded-directive --- CMakeLists.txt | 2 +- Makefile_src | 2 +- src/cmpClient.c | 12 +++++------- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index ae9ce6a..b752724 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -158,7 +158,7 @@ add_compile_options(-pedantic) # -Werror is enabled only for development and CI, add_compile_options( -Wall -Woverflow -Wextra -Wmissing-prototypes -Wstrict-prototypes -Wswitch -Wsign-compare -Wformat -Wtype-limits -Wundef -Wconversion -Wunused-parameter) -add_compile_options(-Wno-c99-extensions -Wno-language-extension-token -Wno-declaration-after-statement -Wno-embedded-directive -Wno-expansion-to-defined) +add_compile_options(-Wno-c99-extensions -Wno-language-extension-token -Wno-declaration-after-statement -Wno-expansion-to-defined) # because of libsecutils: add_compile_options(-Wno-sign-conversion -Wno-shorten-64-to-32 -Wno-shadow) # TODO maybe clean up code and re-enable property diff --git a/Makefile_src b/Makefile_src index a43f713..e7a0878 100644 --- a/Makefile_src +++ b/Makefile_src @@ -94,7 +94,7 @@ override CFLAGS += \ -Wformat -Wformat-security -Wtype-limits -Wundef -Wconversion \ -Wsign-compare -Wpointer-arith -Wunused-parameter -Wshadow \ -pedantic -DPEDANTIC -override CFLAGS +=-Wno-c99-extensions -Wno-language-extension-token -Wno-declaration-after-statement -Wno-embedded-directive -Wno-expansion-to-defined \ +override CFLAGS +=-Wno-c99-extensions -Wno-language-extension-token -Wno-declaration-after-statement -Wno-expansion-to-defined \ -Wno-sign-conversion -Wno-shorten-64-to-32 -Wno-shadow # due to libsecutils ifeq ($(LPATH),) override CFLAGS += -I$(SECUTILS_DIR)/src/libsecutils/include diff --git a/src/cmpClient.c b/src/cmpClient.c index a10acb0..2d1e956 100644 --- a/src/cmpClient.c +++ b/src/cmpClient.c 
@@ -206,12 +206,10 @@ opt_t cmp_opts[] = { ", with specific" #endif }, -#if OPENSSL_3_2_FEATURES - OPT_MORE("support for 'caCerts', 'rootCaCert'" # if OPENSSL_3_4_FEATURES - ", 'certReqTemplate', and 'crlStatusList'" -# endif - ), + OPT_MORE("support for 'caCerts', 'rootCaCert', 'certReqTemplate', and 'crlStatusList'"), +# elif OPENSSL_3_2_FEATURES + OPT_MORE("support for 'caCerts' and 'rootCaCert'"), #endif { "profile", OPT_TXT, {.txt = NULL}, { &opt_profile }, "Cert profile name to place in generalInfo field of PKIHeader of requests"}, @@ -230,8 +228,8 @@ opt_t cmp_opts[] = { { (const char **) &opt_centralkeygen}, "Request central (server-side) key generation. Default is local generation"}, { "newkey", OPT_TXT, {.txt = NULL}, { &opt_newkey }, - "Private or public key for for ir/cr/kur (defaulting to pubkey of -csr) if -newkeytype not given."}, - OPT_MORE("File to save new key if -newkeytype is given"), + "Private or public key for for ir/cr/kur (defaulting to pubkey of -csr)"}, + OPT_MORE("if -newkeytype is not given, otherwise file to save new key"), { "newkeypass", OPT_TXT, {.txt = NULL}, { &opt_newkeypass }, "Pass phrase source for -newkey"}, { "subject", OPT_TXT, {.txt = NULL}, { &opt_subject }, From 391f694a6dd1cc4d621e212d019c522e1b4105f2 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sat, 14 Dec 2024 13:01:54 +0100 Subject: [PATCH 15/17] test.cnf: re-add config for SimpleLra (many tests currently not working, so updates needed) --- config/EJBCA.env | 1 + config/demo.cnf | 1 + config/demo_EJBCA.cnf | 2 +- test/recipes/80-test_cmp_http_data/test.cnf | 34 +++++++++++++++++++++ 4 files changed, 37 insertions(+), 1 deletion(-) diff --git a/config/EJBCA.env b/config/EJBCA.env index c06e11c..fd825ef 100644 --- a/config/EJBCA.env +++ b/config/EJBCA.env 
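Review bot: After moving the directives out of the `OPT_MORE(...)` argument list in the `@@ -206,12 +206,10 @@` hunk, the conditional is no longer nested, yet the new chain still uses the nested-style `# if OPENSSL_3_4_FEATURES` / `# elif OPENSSL_3_2_FEATURES` with a space while the retained `#endif` is at column 0. Since the surrounding file and the other hunks of this series use `#if`/`#endif` without the indent for top-level guards, `#if OPENSSL_3_4_FEATURES` and `#elif OPENSSL_3_2_FEATURES` would be consistent. The `cmp_opts[]` initializer starts and ends outside the hunk.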
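Review bot: The rewritten help string for `-newkey` in the `@@ -230,8 +228,8 @@` hunk keeps the duplicated word from the old line: `"Private or public key for for ir/cr/kur (defaulting to pubkey of -csr)"}`. Since this text is emitted verbatim by `-help`, it should become `"Private or public key for ir/cr/kur (defaulting to pubkey of -csr)"},`. The `cmp_opts[]` initializer this entry belongs to starts and ends outside the hunk.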
@@ -27,6 +27,7 @@ export EJBCA_TLS_TRUSTED=creds/docker/TLS_ROOTCA-docker.pem export EJBCA_CMP_ISSUER=creds/docker/CUSTOMER_ISSUING_CA.pem export EJBCA_TRUSTED=creds/docker/CUSTOMER_ROOTCA.pem export EJBCA_UNTRUSTED=creds/docker/CMP_ISSUING_CA.pem +# export EJBCA_CMP_SERVER=/CN=Docker_Playground_CMP export EJBCA_CMP_RECIPIENT=/CN=CUSTOMER_ISSUING_CA export EJBCA_CMP_SUBJECT=/CN=test-genCMPClientDemo/OU=For testing purposes only/O=Siemens/C=DE export EJBCA_CMP_SUBJECT_IMPRINT=${EJBCA_CMP_SUBJECT}/OU=IDevID diff --git a/config/demo.cnf b/config/demo.cnf index 77d0ddb..67bea18 100644 --- a/config/demo.cnf +++ b/config/demo.cnf @@ -54,6 +54,7 @@ EJBCA_CMP_TRUSTED = EJBCA_TLS_TRUSTED = EJBCA_TRUSTED = EJBCA_UNTRUSTED = +# EJBCA_CMP_SERVER = EJBCA_CMP_RECIPIENT = EJBCA_CMP_SUBJECT = EJBCA_CMP_SUBJECT_IMPRINT = diff --git a/config/demo_EJBCA.cnf b/config/demo_EJBCA.cnf index dc82bc3..616598c 100644 --- a/config/demo_EJBCA.cnf +++ b/config/demo_EJBCA.cnf @@ -42,7 +42,7 @@ EJBCA_UNTRUSTED = EJBCA_CMP_SERVER = EJBCA_CMP_RECIPIENT = EJBCA_CMP_SUBJECT = -EJBCA_CMP_SUBJECT_ECC = +# EJBCA_CMP_SUBJECT_ECC = DID = did:example:123456789abcdefghi [EJBCA] diff --git a/test/recipes/80-test_cmp_http_data/test.cnf b/test/recipes/80-test_cmp_http_data/test.cnf index eb013bf..ae3b02a 100644 --- a/test/recipes/80-test_cmp_http_data/test.cnf +++ b/test/recipes/80-test_cmp_http_data/test.cnf 
@@ -119,6 +119,40 @@ sleep = 3 # A value of 3 appears to be just sufficient, with some exceptions handled # in 80-test_cmp_http.t, for preventing HTTP code 503 (Service Unavailable) +[Simple] # for use with SimpleLra/RunLra.sh +#no_check_time = 1 # not yet needed here +#attime = 1564704000 +server_host = 127.0.0.1 # localhost +server_port = 9080 +server_tls = 9085 +server_cert = server.crt +server = $server_host:$server_port +tls_cert = tls.p12 +tls_key = $tls_cert +tls_keypass = pass:12345 +tls_trusted = tls_trusted.pem +server_path = cmp/${ENV::EJBCA_PATH_RA} +path = $server_path +ca_dn = ${ENV::EJBCA_CMP_RECIPIENT} +recipient = $ca_dn +server_dn = $ca_dn # TODO was ${ENV::EJBCA_CMP_SERVER} +expect_sender = $server_dn +subject = ${ENV::EJBCA_CMP_SUBJECT} # TODO was ${ENV::EJBCA_CMP_SUBJECT_ECC} +kur_port = 9083 +pbm_port = 9084 +pbm_ref = +pbm_secret = pass:SecretCmp +cert = signer.crt +key = signer.p12 +keypass = pass:12345 +ignore_keyusage = 0 +unprotected_errors = 1 # EJBCA sends error messages and negative responses without protection +crls = ${ENV::EJBCA_CDP_URL_PREFIX}${ENV::EJBCA_CDP2}${ENV::EJBCA_CDP_URL_POSTFIX_v11}, creds/crls/EJBCA-${ENV::EJBCA_CDP3}.crl, creds/crls/EJBCA-${ENV::EJBCA_CDP1}.crl +cdps = ${ENV::EJBCA_CDP_URL_PREFIX}${ENV::EJBCA_CDP3}${ENV::EJBCA_CDP_URL_POSTFIX}, ${ENV::EJBCA_CDP_URL_PREFIX}${ENV::EJBCA_CDP1}${ENV::EJBCA_CDP_URL_POSTFIX} +ocsp = ${ENV::EJBCA_OCSP_URL} +column = 2 +sleep = 0 + ############################# aspects [connection] From 0599ec82a563ce87ecc9ac335550604bd4846453 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sat, 14 Dec 2024 13:02:30 +0100 Subject: [PATCH 16/17] Makefile_v1: note that SimpleLra requries Java 8 --- Makefile_v1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile_v1 b/Makefile_v1 index eb0bcd1..fe12dae 100644 --- a/Makefile_v1 +++ b/Makefile_v1 
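Review bot: The new `[Simple]` section is labelled `# for use with SimpleLra/RunLra.sh`, but several of its settings are taken over from the EJBCA configuration, in particular `unprotected_errors = 1 # EJBCA sends error messages and negative responses without protection`, plus `server_path`, `crls`, `cdps` and `ocsp` built from `EJBCA_*` environment variables. `unprotected_errors = 1` deliberately makes the client accept unprotected error and negative responses, so it should only be enabled where the server actually needs it; if SimpleLra protects its error responses, the section should carry `unprotected_errors = 0` and the comment should name SimpleLra rather than EJBCA. The two `# TODO was ...` markers on `server_dn` and `subject` also leave `expect_sender = $server_dn` pinned to the CA DN, which I would confirm matches the sender SimpleLra actually puts into its PKIHeader.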
@@ -601,7 +601,7 @@ endif .phony: start_Simple stop_Simple start_Simple: @echo "start SimpleLra" - @cd SimpleLra && ./RunLra.sh & + @cd SimpleLra && ./RunLra.sh & # requires Java 8 @sleep 2 stop_Simple: From 4a45573ab486d0925df55e93ffa4823f211dd3aa Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sat, 14 Dec 2024 13:17:02 +0100 Subject: [PATCH 17/17] fix CLI-based test cases for Mock server by adding dependency on OpenSSL server version --- .github/workflows/build.yml | 3 ++- test/recipes/80-test_cmp_http.t | 14 +++++++---- .../80-test_cmp_http_data/test_commands.csv | 24 +++++++++---------- .../80-test_cmp_http_data/test_enrollment.csv | 2 +- 4 files changed, 25 insertions(+), 18 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 096060a..01cebd5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -60,7 +60,8 @@ jobs: # would need access to azure.archive.ubuntu.com: # sudo apt-get update # sudo apt-get install -y >/dev/null libssl-dev build-essential # not needed - USE_LIBCMP=1 make -f Makefile_v1 build test_all + # USE_LIBCMP=1 make -f Makefile_v1 test_Mock OPENSSL_CMP_ASPECTS=credentials V=1 # can be helpful for debugging + USE_LIBCMP=1 make -f Makefile_v1 test_all doc_deb: runs-on: ubuntu-latest diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t index a02c2fa..9a4fa13 100644 --- a/test/recipes/80-test_cmp_http.t +++ b/test/recipes/80-test_cmp_http.t 
@@ -138,6 +138,7 @@ my @server_configurations = ("Mock"); # ("Mock", "EJBCA", "Insta", "Simple"); @server_configurations = split /\s+/, $ENV{OPENSSL_CMP_SERVER} if $ENV{OPENSSL_CMP_SERVER}; # set env variable, e.g., OPENSSL_CMP_SERVER="Mock Insta" to include further CMP servers +my $mock_openssl_version = `$ENV{OPENSSL} version | perl -pe 's/OpenSSL (\\d\\.\\d).*/\$1/es;'` if grep(/^Mock$/, @server_configurations); my @all_aspects = ("connection", "verification", "credentials", "commands", "enrollment"); push (@all_aspects, "certstatus"); @@ -162,7 +163,6 @@ sub test_cmp_http { if ($server_name eq "Mock" && !(grep { $_ eq '-server' } @$params)); my $cmd = app([@app, @$params]); - $expected_result = 1 if $server_name eq "Mock" && $title =~ m/- ok for Mock/; sleep($sleep) if $server_name eq "Insta"; sleep($sleep) if $server_name eq "Insta" && $title eq "path with additional '/'s fine according to RFC 3986" @@ -247,7 +247,7 @@ sub test_cmp_http_aspect { indir data_dir() => sub { plan tests => 1 + @server_configurations * @all_aspects + 2 - - (grep(/^Mock$/, @server_configurations) + - (grep(/^Mock$/, @server_configurations) # && $mock_openssl_version < 3.x && grep(/^certstatus$/, @all_aspects)); indir "Mock" => sub { @@ -270,8 +270,9 @@ indir data_dir() => sub { } foreach my $aspect (@all_aspects) { $aspect = chop_dblquot($aspect); - if ($server_name eq "Mock" && $aspect eq "certstatus") { - print "Skipping certstatus check as not supported by $server_name server\n"; + if (# $mock_openssl_version < 3.x && + $server_name eq "Mock" && $aspect eq "certstatus") { + print "Skipping certstatus check as not supported by $server_name server with OpenSSL version $mock_openssl_version\n"; next; } if (not($server_name =~ m/Insta/)) { # do not update aspect-specific settings for Insta 
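Review bot: The version captured on the added `my $mock_openssl_version = ...` line keeps only one digit of the minor version (`(\\d\\.\\d)`), so an OpenSSL 3.10 build would be read as 3.1, and the `$mock_openssl_version >= $min_openssl_version` test in the `@@ -342,6 +343,11 @@` hunk on the next line compares the strings numerically, which also mishandles the three-component minimum versions (`3.4.1`) that its regex `(3(\.\d+)+)` admits. The same line declares the lexical with a statement modifier (`my ... if grep(...)`), which perlsyn documents as undefined behaviour, and interpolates `$ENV{OPENSSL}` into the shell command unquoted, so an unset variable or a path with spaces turns into an empty version and a stream of "isn't numeric" warnings later. I would capture the full major.minor in Perl without the nested `perl -pe`, and compare with the core `version` module (this needs `use version;` next to the other `use` lines, which are outside the hunk); both sites are sketched below.
```perl
my $mock_openssl_version;
if (grep(/^Mock$/, @server_configurations)) {
    # keep every digit of the minor version: "3.10" must not collapse to "3.1"
    ($mock_openssl_version) = `"$ENV{OPENSSL}" version` =~ m/OpenSSL (\d+\.\d+)/;
}
# … unchanged: @all_aspects … ; in load_tests (the @@ -342 hunk):
$expected_result = ($val eq "0" ? 0 : 1)
    if defined $mock_openssl_version
       && version->parse("v$mock_openssl_version") >= version->parse("v$min_openssl_version");
```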
@@ -342,6 +343,11 @@ sub load_tests { my $description = 1; $description += 3; my $title = $fields[$description]; + if ($server_name eq "Mock" && defined $expected_result && $expected_result =~ m/^\s*(3(\.\d+)+)\s*([01]?)\s*$/) { + my ($min_openssl_version, $val) = ($1, $3); + $expected_result = ($val eq "0" ? 0 : 1) if $mock_openssl_version >= $min_openssl_version; + } + # $expected_result = 1 if $server_name eq "Mock" && $title =~ m/- ok for Mock/; next LOOP if (!defined($expected_result) || ($expected_result ne 0 && $expected_result ne 1)); @fields = grep {$_ ne 'BLANK'} @fields[$description + 1 .. @fields - 1]; diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv index a22bbe3..c956356 100644 --- a/test/recipes/80-test_cmp_http_data/test_commands.csv +++ b/test/recipes/80-test_cmp_http_data/test_commands.csv 
@@ -67,36 +67,36 @@ TBD,TBD,TBD,TBD,config default all options set, -section,, -cmd,ir,, -cacertsout 1,0,-,1,genm with infotype signKeyPairTypes, -section,, -cmd,genm,,BLANK,,, -infotype,signKeyPairTypes,,BLANK,,BLANK, 0,*,*,*,genm with missing infotype value, -section,, -cmd,genm,,BLANK,,, -infotype,,,BLANK,,BLANK, 0,*,*,*,genm with invalid infotype value, -section,, -cmd,genm,,BLANK,,, -infotype,asdf,,BLANK,,BLANK, -Mock server must use OpenSSL 3.3 ,1,-,-,genm certReqTemplate, -section,, -cmd,genm,, -template,test.template.pem,, -infotype,certReqTemplate,,BLANK,,BLANK,,BLANK,,, -expect_sender, """" +3.4,1,-,-,genm certReqTemplate, -section,, -cmd,genm,, -template,test.template.pem,, -infotype,certReqTemplate,,BLANK,,BLANK,,BLANK,,, -expect_sender, """" 0,*,*,*,genm certReqTemplate missing template option, -section,, -cmd,genm,, -template,"""",, -infotype,certReqTemplate,,BLANK,,BLANK, 0,*,*,*,genm certReqTemplate missing template arg , -section,, -cmd,genm,, -template,BLANK,, -infotype,certReqTemplate,,BLANK,,BLANK, 0,*,*,*,genm certReqTemplate template extra arg , -section,, -cmd,genm,, -template,test.template.pem,test.template.pem, -infotype,certReqTemplate,,BLANK,,BLANK, -0,*,*,*,genm certReqTemplate template arg non-ex dir, -section,, -cmd,genm,, -template,idontexist/idontexist,, -infotype,certReqTemplate,,BLANK,,BLANK, -Mock server must use OpenSSL 3.2 ,1,-,-,genm caCerts, -section,, -cmd,genm,, -cacertsout,test.cacertsout.pem,, -infotype,caCerts,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN +3.4 0,*,*,*,genm certReqTemplate template arg non-ex dir, -section,, -cmd,genm,, -template,idontexist/idontexist,, -infotype,certReqTemplate,,BLANK,,BLANK, +3.2,1,-,-,genm caCerts , -section,, -cmd,genm,, -cacertsout,test.cacertsout.pem,, -infotype,caCerts,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN 0,*,*,*,genm caCerts missing cacertsout option, -section,, -cmd,genm,, -cacertsout,"""",, -infotype,caCerts,,BLANK,,BLANK, 0,*,*,*,genm caCerts missing cacertsout 
arg , -section,, -cmd,genm,, -cacertsout,BLANK,, -infotype,caCerts,,BLANK,,BLANK, 0,*,*,*,genm caCerts cacertsout extra arg , -section,, -cmd,genm,, -cacertsout,test.cacertsout.pem,test.cacertsout.pem, -infotype,caCerts,,BLANK,,BLANK, 0,*,*,*,genm caCerts cacertsout arg non-ex dir, -section,, -cmd,genm,, -cacertsout,idontexist/idontexist,, -infotype,caCerts,,BLANK,,BLANK, -Mock server must use OpenSSL 3.2 ,1,-,-,genm rootCaCert , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem -0,*,*,*,genm rootCaCert no oldwithold given , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, BLANK , , -newwithnew, test.newwithnew.pem +3.2,1,-,-,genm rootCaCert , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem +3.2,*,*,*,genm rootCaCert no oldwithold given , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, BLANK , , -newwithnew, test.newwithnew.pem 0,*,*,*,genm rootCaCert oldwithold missing arg, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, , -newwithnew, test.newwithnew.pem 0,*,*,*,genm rootCaCert oldwithold empty file , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, empty.txt , -newwithnew, test.newwithnew.pem 0,*,*,*,genm rootCaCert oldwithold random file, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, random.bin , -newwithnew, test.newwithnew.pem 0,*,*,*,genm rootCaCert oldwithold nonexistent, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, idontexist , -newwithnew, 
test.newwithnew.pem -0,*,*,*,genm rootCaCert oldwithold no match , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, signer.crt , -newwithnew, test.newwithnew.pem +3.2,*,*,*,genm rootCaCert oldwithold different , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, signer.crt , -newwithnew, test.newwithnew.pem 0,*,*,*,genm rootCaCert missing newwithnew , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, BLANK,, 0,*,*,*,genm rootCaCert newwithnew missing arg, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew,, 0,*,*,*,genm rootCaCert newwithnew directory , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew,directory/, -Mock server must use OpenSSL 3.2 ,1,-,-,genm rootCaCert with oldwithnew , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem +3.2,1,-,-,genm rootCaCert with oldwithnew , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem 0,*,*,*,genm rootCaCert oldwithnew missing arg, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew,, 0,*,*,*,genm rootCaCert oldwithnew directory , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, 
-oldwithnew,/directory, -Mock server must use OpenSSL 3.2 ,1,-,-,genm rootCaCert with newwithold , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem, -newwithold, test.newwithold.pem +3.2,1,-,-,genm rootCaCert with newwithold , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem, -newwithold, test.newwithold.pem 0,*,*,*,genm rootCaCert newwithold missig arg , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem, -newwithold,, 0,*,*,*,genm rootCaCert newwithold directory , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem, -newwithold,/directory, -Mock server must use OpenSSL 3.2 ,1,-,-,genm rootCaCert oldwithnew newwithold , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -newwithold, test.newwithold.pem -Mock server must use OpenSSL 3.4 ,1,-,-,genm crlStatusList , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, crl.der , -crlout, test.crl.der -Mock server must use OpenSSL 3.4 ,1,-,-,genm crlStatusList with crlcert , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -crlcert, root.crt , -crlout, test.crl.der -Mock server must use OpenSSL 3.4 ,1,-,-,genm crlStatusList with oldcert , -section,,-cmd,genm,, 
BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcert, root.crt , -crlout, test.crl.der +3.2,1,-,-,genm rootCaCert oldwithnew newwithold,-section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -newwithold, test.newwithold.pem +3.4,1,-,-,genm crlStatusList , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, crl.der , -crlout, test.crl.der +3.4,1,-,-,genm crlStatusList with crlcert , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -crlcert, root.crt , -crlout, test.crl.der +3.4,1,-,-,genm crlStatusList with oldcert , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcert, root.crt , -crlout, test.crl.der 0,*,*,*,genm crlStatusList missing oldcrl crlcert oldcert , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, BLANK, , -crlout, test.crl.der 0,*,*,*,genm crlStatusList oldcrl missing arg, -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, , -crlout, test.crl.der 0,*,*,*,genm crlStatusList oldcrl empty file , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, empty.txt , -crlout, test.crl.der diff --git a/test/recipes/80-test_cmp_http_data/test_enrollment.csv b/test/recipes/80-test_cmp_http_data/test_enrollment.csv index fd4f170..ec0619a 100644 --- a/test/recipes/80-test_cmp_http_data/test_enrollment.csv +++ b/test/recipes/80-test_cmp_http_data/test_enrollment.csv 
@@ -103,7 +103,7 @@ TBD,TBD,TBD,TBD,days 36525, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pa 0,*,*,*,out_trusted is non-existing file, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.cert.pem,, -out_trusted,idontexist,,BLANK,,BLANK,,, 0,*,*,*,out_trusted too many parameters, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.cert.pem,, -out_trusted,abc,def,BLANK,,BLANK,,, 0,*,*,*,out_trusted empty certificate file, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.cert.pem,, -out_trusted,empty.txt,,BLANK,,BLANK,,, -1,1,1,1,out_trusted accept issuing ca cert even with CRL check enabled by default - not with OpenSSL 1.1, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.certout_out_trusted5.pem,, -out_trusted,issuing.crt,,BLANK,,BLANK,,,-partial_chain,-check_all,-crls,wrong.crl,-srvcert,server.crt +1,1,1,1,out_trusted accept issuing ca cert even with CRL check enabled by default, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.certout_out_trusted5.pem,, -out_trusted,issuing.crt,,BLANK,,BLANK,,,-partial_chain,-check_all,-crls,wrong.crl,-srvcert,server.crt 0,0,0,0,out_trusted expired issuing ca cert, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.certout_out_trusted5.pem,, -out_trusted,issuing_expired.crt,,BLANK,,BLANK,,,-partial_chain 0,0,0,0,out_trusted expired root ca cert, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.certout_out_trusted5.pem,, -out_trusted,root_expired.crt,,BLANK,,BLANK,,, 
0,0,0,0,out_trusted wrong cert, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.cert.pem,, -out_trusted,signer.crt,,BLANK,,BLANK,,,