add info on CMP feature coverage and libcmp hints to README.md; various test etc. fixes

.github/workflows/build.yml

@@ -60,7 +60,8 @@ jobs:
           # would need access to azure.archive.ubuntu.com:
           # sudo apt-get update
           # sudo apt-get install -y >/dev/null libssl-dev build-essential # not needed
-          USE_LIBCMP=1 make -f Makefile_v1 build test_all
+          # USE_LIBCMP=1 make -f Makefile_v1 test_Mock OPENSSL_CMP_ASPECTS=credentials V=1 # can be helpful for debugging
+            USE_LIBCMP=1 make -f Makefile_v1 test_all
 
   doc_deb:
     runs-on: ubuntu-latest

CMakeLists.txt

@@ -158,7 +158,7 @@ add_compile_options(-pedantic) # -Werror is enabled only for development and CI,
 add_compile_options(
   -Wall -Woverflow -Wextra -Wmissing-prototypes -Wstrict-prototypes -Wswitch
   -Wsign-compare -Wformat -Wtype-limits -Wundef -Wconversion -Wunused-parameter)
-add_compile_options(-Wno-c99-extensions -Wno-language-extension-token -Wno-declaration-after-statement -Wno-embedded-directive)
+add_compile_options(-Wno-c99-extensions -Wno-language-extension-token -Wno-declaration-after-statement -Wno-expansion-to-defined)
 # because of libsecutils:
 add_compile_options(-Wno-sign-conversion -Wno-shorten-64-to-32 -Wno-shadow)
 # TODO maybe clean up code and re-enable property
@@ -278,15 +278,17 @@ if(NOT TARGET clean_all)
   add_custom_target(clean_all
     COMMAND ${CMAKE_BUILD_TOOL} clean
     COMMAND find . -name "*.o" -o -name "*.d" -o -regex "./libgencmp-.*" | xargs rm
+    COMMAND find . -name build -type dir | xargs rm -r
+    COMMAND find . -path ./libsecutils/Makefile | xargs -I % ${CMAKE_BUILD_TOOL} -C libsecutils clean_all || true
+    COMMAND find . -path ./cmpossl/Makefile | xargs -I % ${CMAKE_BUILD_TOOL} -C cmpossl clean_all || true
+    COMMAND rm CMakeCache.txt
     # after the following, cannot call this target again:
-    COMMAND rm -r build
     COMMAND find . ( -name "*.cmake" -o -name Makefile )
-            -not -path ./libsecutils -not -path ./cmpossl
+            -not -path ./libsecutils/* -not -path ./cmpossl/*
             | xargs rm
     COMMAND find . -name CMakeFiles
-            -not -path ./libsecutils -not -path ./cmpossl
+            -not -path ./libsecutils/* -not -path ./cmpossl/*
             | xargs rm -r
-    COMMAND rm CMakeCache.txt
     VERBATIM
  )
  endif()

Makefile_src

@@ -94,7 +94,7 @@ override CFLAGS += \
   -Wformat -Wformat-security -Wtype-limits -Wundef -Wconversion \
   -Wsign-compare -Wpointer-arith -Wunused-parameter -Wshadow \
   -pedantic -DPEDANTIC
-override CFLAGS +=-Wno-c99-extensions -Wno-language-extension-token -Wno-declaration-after-statement \
+override CFLAGS +=-Wno-c99-extensions -Wno-language-extension-token -Wno-declaration-after-statement -Wno-expansion-to-defined \
   -Wno-sign-conversion -Wno-shorten-64-to-32 -Wno-shadow # due to libsecutils
 ifeq ($(LPATH),)
    override CFLAGS += -I$(SECUTILS_DIR)/src/libsecutils/include
@@ -143,7 +143,7 @@ ifeq ($(LPATH),)
         # TODO maybe better use absolute path here, as done by CMake
         override LDFLAGS += -Wl,-rpath,$(OUT_DIR) # no more needed: -Wl,-rpath,$(SECUTILS_DIR)
         ifndef NDEBUG # for CLI-based tests
-            override LDFLAGS += -Wl,-rpath,$(OUT_DIR)/../../../..
+#           override LDFLAGS += -Wl,-rpath,$(OUT_DIR)/../../../..
 #           not needed due to OUT_DIR set also for libsecutils:
 #           override LDFLAGS += -Wl,-rpath,$(OUT_DIR)/../../../../$(SECUTILS_DIR)
         endif

Makefile_tests

@@ -101,7 +101,7 @@ conformance: $(CMPCLIENT)
 
 OPENSSL_CMP_CONFIG ?= test.cnf
 .phony: test_cli
-test_cli: $(CMPCLIENT)
+test_cli:
 	@which $(PERL) || (echo "cannot find Perl, please install it"; false)
 	@echo -en "\n#### running CLI-based tests #### "
 	@if [ -n "$$OPENSSL_CMP_SERVER" ]; then echo -en "with server=$$OPENSSL_CMP_SERVER"; else echo -n "without server"; fi

Makefile_v1

@@ -276,7 +276,7 @@ ifdef SECUTILS_NO_TLS
 endif
 
 .phony: submodules
-ifeq ($(SECUTILS_DIR),)
+ifneq ($(LPATH),)
 submodules:
 else
 .phony: get_submodules build_submodules clean_submodules
@@ -404,8 +404,8 @@ build_no_tls:
 
 .phony: clean_test clean clean_config clean_uta clean_this
 
-ifeq ($(LPATH),)
 clean_uta:
+ifneq ($(wildcard $(SECUTILS_DIR)),)
 	$(MAKE) -C $(SECUTILS_DIR) -f Makefile_v1 clean_uta -s
 endif
 
@@ -558,7 +558,7 @@ run_demo: $(OUT_DIR_BIN)
 # tests ########################################################################
 
 .phony: test_EJBCA-AWS
-test_EJBCA-AWS: get_EJBCA_crls
+test_EJBCA-AWS: build get_EJBCA_crls
 ifeq ($(filter-out EJBCA Simple,$(OPENSSL_CMP_SERVER)),)
 	$(warning "### skipping test_$(OPENSSL_CMP_SERVER) since not supported in this environment ###")
 else
@@ -601,7 +601,7 @@ endif
 .phony: start_Simple stop_Simple
 start_Simple:
 	@echo "start SimpleLra"
-	@cd SimpleLra && ./RunLra.sh &
+	@cd SimpleLra && ./RunLra.sh & # requires Java 8
 	@sleep 2
 
 stop_Simple:
@@ -658,11 +658,11 @@ endif
 all:	build doc
 
 .phony: test_Mock
-test_Mock:
+test_Mock: build
 	$(MAKE) -f Makefile_tests test_Mock CMPCLIENT="$(OUT_DIR_BIN)" OPENSSL=$(OPENSSL) OPENSSL_VERSION=$(OPENSSL_VERSION)
 
 .phony: tests_LwCmp
-tests_LwCmp: $(OUT_DIR_BIN)
+tests_LwCmp: build
 	$(MAKE) -f Makefile_tests tests_LwCmp CMPCLIENT="$(OUT_DIR_BIN)" OPENSSL=$(OPENSSL) OPENSSL_VERSION=$(OPENSSL_VERSION)
 
 test_all: demo_all test test_Mock tests_LwCmp
@@ -758,7 +758,9 @@ clean_openssl:
 buildCMPforOpenSSL: openssl ${makeCMPforOpenSSL_trigger}
 
 
-# Debian packaging #############################################################
+################################################################
+# Debian packaging
+################################################################
 
 ifeq ($(INSTALL_DEB_PKGS),)
     IGNORE_DEB_DEPEND=-d

README.md

@@ -18,20 +18,24 @@ and the [Lightweight CMP Profile (LCMPP)](https://www.rfc-editor.org/rfc/rfc9483
 To this end, it may be linked in addition to the intermediate CMP library
 [CMPforOpenSSL](https://github.com/mpeylo/cmpossl), called `libcmp` below.
 
-The high-level API is on the one hand convenient to use for application
-programmers and on the other hand complete and flexible enough
-to cover the major certificate management use cases.
 The library supports developing CMP clients that adhere to
 the [Lightweight CMP Profile (LCMPP)](https://www.rfc-editor.org/rfc/rfc9483),
 which is geared towards simple and interoperable industrial use.
 
-The software also provides a command-line interface (CLI)
-that is handy for interactive exploration of using CMP in a PKI.
+The [high-level API](doc/Generic_CMP_client_API.pdf)
+is convenient to use for application programmers
+while being sufficiently complete and flexible
+to cover all major certificate management use cases.
+
+The software also provides a command-line interface (CLI) that is handy
+for demonstrating and interactively exploring the use of CMP in a PKI.\
+Yet interfacing at API level is more direct and secure for productive use.
 
 Note: An OSS CMP client and registration authority (RA) implementation in Java
 is available in the form of a
 [generic CMP RA and client component](https://github.com/siemens/cmp-ra-component)
-and the [LightweightCmpRa](), which is a demo CLI application using it.
+and the [LightweightCmpRa](https://github.com/siemens/LightweightCmpRa),
+which is a demo application making use of the component.
 
 
 ## Support model
@@ -103,14 +107,48 @@ The following OSS components are used.
   or if the latest CMP features not yet available in OpenSSL are required,
   which can be indicated by setting the environment variable `USE_LIBCMP`.
 
+For an overview of CMP features relevant in industrial use cases see
+[LCMPP section 7.1](https://datatracker.ietf.org/doc/html/rfc9483#section-7.1).
+CMP client (EE) features are supported by the genCMPClient as follows.
+
+The features newly defined with CMPv3
+in [RFC 9480 (CMP Updates)](https://www.rfc-editor.org/rfc/rfc9480)
+are fully covered when using the [intermediate CMP library `libcmp`](
+https://github.com/mpeylo/cmpossl) or when using at least OpenSSL 3.5.\
+Since the intermediate CMP library `libcmp` constitutes an extra dependency
+and its maintenance may end soon after the release of OpenSSL 3.5,
+better avoid using it. This is possible if all the CMP features needed
+by the application scenario are covered by the OpenSSL version being used.
+
+* CMPv2 features defined in [RFC 4210](https://www.rfc-editor.org/rfc/rfc4210)
+  are already sufficiently covered by using at least OpenSSL 3.0.\
+  This includes most of the
+  "Generic Aspects of PKI Messages and PKI Management Operations",
+  IR, CR, KUR, P10CR, MAC, RR, and polling for certification responses.
+* In OpenSSL 3.2, "Get CA Certificates" and "Get Root CA Certificate Update"
+  were added.
+* In OpenSSL 3.3, "Get Certificate Request Template" and support for certificate
+  profiles and generalized polling ("Handling Delayed Delivery") were added.
+* In OpenSSL 3.4, "CRL Update Retrieval" was added.
+* In OpenSSL 3.5, support for central key generation is going to be added.
+
+The features newly defined with CMPv3
+in [RFC 9480 (CMP Updates)](https://www.rfc-editor.org/rfc/rfc9480)
+are fully covered by the [intermediate CMP library `libcmp`](
+https://github.com/mpeylo/cmpossl) and will be covered by OpenSSL 3.5.\
+Since the intermediate CMP library `libcmp` constitutes an extra dependency
+and its maintenance will likely end soon after the release of OpenSSL 3.5,
+better avoid using it. This is possible if all the CMP features needed
+by the application scenario are covered by the OpenSSL version being used.
+
 Hint: As long as your system provides at least OpenSSL 3.0 and
 related development header files at a sufficiently new patch level,
 better not manually install in addition a different OpenSSL version unless
 you need newer CMP features without using the intermediate CMP library `libcmp`.
-Such a manual installation can interfere with the more or less implicit
-references to the locations of OpenSSL header files and binary library files.
-So unless you know exactly what you are doing, you may receive
-version mismatch errors like the one mentioned [below](#sanity-checks-on-openssl).
+Such an extra installation can interfere with the more or less implicit references
+to the default locations of OpenSSL header files and binary library files.
+So unless knowing exactly what to do and being careful, one may receive version
+mismatch errors like the one mentioned [below](#sanity-checks-on-openssl).
 <!-- https://github.com/orgs/community/discussions/60861-->
 
 
@@ -171,7 +209,7 @@ this can provide useful information.
 
 When getting version mismatch errors like
 ```
-OpenSSL runtime version 0x304000d0 does not match version 0x300000d0 used by compiler
+OpenSSL runtime version 0x30400000 does not match version 0x300000d0 used by compiler
 ```
 make sure that the system-level configuration for finding header and library files
 as well as the optional environment variables `OPENSSL_DIR` and `OPENSSL_LIB`
@@ -408,6 +446,8 @@ The Command-Line Interface (CLI) of the CMP client is implemented in
 [`src/cmpClient.c`](src/cmpClient.c).
 It supports most of the features of the genCMPClient library.
 The CLI use with the available options are documented in [`cmpClient.pod`](doc/cmpClient.pod).
+An example configuration used by the below mentioned demo invocations
+can be found in [`demo.cnf`](config/demo.cnf).
 
 For simple test invocations the Insta Certifier Demo CA server may be used,
 for instance as follows:
@@ -444,6 +484,13 @@ You can view this certificate for instance by executing
 openssl x509 -noout -text -in creds/operational.crt
 ```
 
+To select a specific CMP profile on the CloudCA server, set the environment
+variable `CMP_PROFILE` to the profile name.
+For instance:
+```
+CMP_PROFILE=Nested make -f Makefile_v1 demo_CloudCA
+```
+
 CLI-based tests using the Insta Demo CA may be invoked using
 ```
 make -f Makefile_v1 test_Insta
@@ -452,20 +499,13 @@ where the PROXY environment variable may be used to override the default
 in order to reach the Insta Demo CA.
 
 In order to obtain a trace of the HTTP messages being sent and received,
-build the genCMPClient with `USE_LIBCMP=1` and
+one can build the genCMPClient with `USE_LIBCMP=1` and
 set the environment variable `OPENSSL_TRACE` to contain the string `"HTTP"`.
 For instance:
 ```
 OPENSSL_TRACE=HTTP ./cmpClient imprint -section Insta
 ```
 
-To select a specific CMP profile on the CloudCA server, set the environment
-variable `CMP_PROFILE` to the profile name.
-For instance:
-```
-CMP_PROFILE=Nested make -f Makefile_v1 demo_CloudCA
-```
-
 
 ## Using the library in own applications
 
@@ -519,8 +559,8 @@ SPDX-License-Identifier: Apache-2.0
 
 <!--
 LocalWords:  md bis CHANGELOG doc libcmp openssl sudo cmake libssl cd
-LocalWords:  dev libc linux DIR perl ccache mk LIB ldd grep awk lcrypto
-LocalWords:  libcrypto sed zshrc LDFLAGS lib CPPFLAGS SECUTILS lsecutils
+LocalWords:  dev libc linux DIR perl ccache mk LIB ldd grep awk lcrypto KUR RR
+LocalWords:  libcrypto sed zshrc LDFLAGS lib CPPFLAGS SECUTILS lsecutils CMPv
 LocalWords:  util icvutil NDEBUG DCMAKE ln usr libgencmp CC lssl lcmp
 LocalWords:  cmpClient src DESTDIR ROOTFS cmpclient tarball deb rpath
 LocalWords:  debhelper dh devscripts debuild dpkg ecparam FI cr lgencmp

config/EJBCA.env

@@ -27,6 +27,7 @@ export EJBCA_TLS_TRUSTED=creds/docker/TLS_ROOTCA-docker.pem
 export EJBCA_CMP_ISSUER=creds/docker/CUSTOMER_ISSUING_CA.pem
 export EJBCA_TRUSTED=creds/docker/CUSTOMER_ROOTCA.pem
 export EJBCA_UNTRUSTED=creds/docker/CMP_ISSUING_CA.pem
+# export EJBCA_CMP_SERVER=/CN=Docker_Playground_CMP
 export EJBCA_CMP_RECIPIENT=/CN=CUSTOMER_ISSUING_CA
 export EJBCA_CMP_SUBJECT=/CN=test-genCMPClientDemo/OU=For testing purposes only/O=Siemens/C=DE
 export EJBCA_CMP_SUBJECT_IMPRINT=${EJBCA_CMP_SUBJECT}/OU=IDevID

config/demo.cnf

@@ -54,6 +54,7 @@ EJBCA_CMP_TRUSTED =
 EJBCA_TLS_TRUSTED =
 EJBCA_TRUSTED =
 EJBCA_UNTRUSTED =
+# EJBCA_CMP_SERVER =
 EJBCA_CMP_RECIPIENT =
 EJBCA_CMP_SUBJECT =
 EJBCA_CMP_SUBJECT_IMPRINT =
@@ -250,12 +251,13 @@ check_all = 1
 use_cdp = 1
 
 [empty]
+basicConstraints = CA:FALSE # used as a workaround for OpenSSL 3.4 ERROR: error creating certreq - see also https://github.com/openssl/openssl/pull/25631
 #keyUsage =
 #extendedKeyUsage =
 #subjectAltName =
 
 [reqexts]
-#basicConstraints = CA:FASE
+#basicConstraints = CA:FALSE
 keyUsage = "critical, digitalSignature" # is ignored by EJBCA
 extendedKeyUsage = "critical, serverAuth, 1.3.6.1.5.5.7.3.2" # is ignored by EJBCA
 subjectAltName = @alt_names

config/demo_EJBCA.cnf

@@ -42,7 +42,7 @@ EJBCA_UNTRUSTED =
 EJBCA_CMP_SERVER =
 EJBCA_CMP_RECIPIENT =
 EJBCA_CMP_SUBJECT =
-EJBCA_CMP_SUBJECT_ECC =
+# EJBCA_CMP_SUBJECT_ECC =
 DID = did:example:123456789abcdefghi
 
 [EJBCA]