diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 71c94f57..26933c4a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -39,8 +39,8 @@ jobs: # sudo apt-get update # sudo apt-get install -y >/dev/null libssl-dev build-essential # not needed make -f Makefile_v1 - make -f Makefile_v1 clean - make -f Makefile_v1 build_no_tls + make -f Makefile_v1 clean_all + USE_LIBCMP=1 STATIC_LIBCMP=1 make -f Makefile_v1 build_no_tls make -C libsecutils -f Makefile_v1 clean_config SKIP_pod2markdown=1 make -f Makefile_v1 doc_this SKIP_pod2markdown=1 DESTDIR=tmp make -f Makefile_v1 install @@ -55,7 +55,7 @@ jobs: # would need access to azure.archive.ubuntu.com: # sudo apt-get update # sudo apt-get install -y >/dev/null libssl-dev build-essential # not needed - make -f Makefile_v1 build_prereq test_all + USE_LIBCMP=1 make -f Makefile_v1 build test_all doc_deb: runs-on: ubuntu-latest diff --git a/.github/workflows/quality_check_sonarcloud.yml b/.github/workflows/quality_check_sonarcloud.yml index 5b27e27b..f9fda210 100644 --- a/.github/workflows/quality_check_sonarcloud.yml +++ b/.github/workflows/quality_check_sonarcloud.yml @@ -31,7 +31,8 @@ jobs: make - name: test-coverage run: | - make -f Makefile_v1 test_Mock + USE_LIBCMP=1 make -f Makefile_v1 clean_all build + USE_LIBCMP=1 make -f Makefile_v1 test_Mock find . -name *.gcno -exec gcov {} \; - name: Run sonar-scanner env: diff --git a/CMakeLists.txt b/CMakeLists.txt index 44403cbc..1742f285 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -23,34 +23,37 @@ if(NOT("$ENV{OPENSSL_DIR}" STREQUAL "")) else() set(OPENSSL_LIB $ENV{OPENSSL_DIR}) endif() - set(OpenSSL_INCLUDE_DIRS $ENV{OPENSSL_DIR}/include) + set(OPENSSL_INCLUDE_DIR $ENV{OPENSSL_DIR}/include) set(OPENSSL_LIBRARIES ${OPENSSL_LIB}/libssl${CMAKE_SHARED_LIBRARY_SUFFIX} ${OPENSSL_LIB}/libcrypto${CMAKE_SHARED_LIBRARY_SUFFIX}) - add_definitions(-isystem ${OpenSSL_INCLUDE_DIRS}) if($ENV{OPENSSL_DIR} MATCHES "3\\.0") set(OPENSSL_VERSION 3.0) elseif($ENV{OPENSSL_DIR} MATCHES "3\\.1") set(OPENSSL_VERSION 3.1) elseif($ENV{OPENSSL_DIR} MATCHES "3\\.2") set(OPENSSL_VERSION 3.2) + elseif($ENV{OPENSSL_DIR} MATCHES "3\\.3") + set(OPENSSL_VERSION 3.3) elseif($ENV{OPENSSL_DIR} MATCHES "3\\.") set(OPENSSL_VERSION 3) elseif($ENV{OPENSSL_DIR} MATCHES "1\\.1\\.1") set(OPENSSL_VERSION 1.1.1) + elseif($ENV{OPENSSL_DIR} MATCHES "1\\.1") + set(OPENSSL_VERSION 1.1) elseif($ENV{OPENSSL_DIR} MATCHES "prepare") - set(OPENSSL_VERSION 3.2) + set(OPENSSL_VERSION 3.3) else() - set(OPENSSL_VERSION 1.1.1) + set(OPENSSL_VERSION 3.0) endif() message(STATUS "assuming OpenSSL version " ${OPENSSL_VERSION}) else() find_package(OpenSSL REQUIRED) message(STATUS "using OpenSSL package, with version " ${OPENSSL_VERSION}) - add_definitions(-isystem /usr/include) endif() if(DEFINED ENV{USE_LIBCMP} OR "${OPENSSL_VERSION}" LESS "3") set(USE_LIBCMP 1) + message(STATUS "using libcmp") endif() set(SRC_DIR ${PROJECT_SOURCE_DIR}/src) 
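Review bot: The added branches (`3\\.3`, `1\\.1`) and the new fallback `set(OPENSSL_VERSION 3.0)` still infer the OpenSSL version from a substring of the `OPENSSL_DIR` path, so a directory such as `/opt/3.0-builds/openssl-1.1.1` is classified by whichever pattern comes first and any directory without a version in its name is now silently taken to be 3.x; since `OPENSSL_VERSION` later decides whether libcmp is used (`"${OPENSSL_VERSION}" LESS "3"`), a wrong guess changes which CMP implementation gets linked. Consider reading the version from the headers instead, e.g. `file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" _ossl_ver REGEX "define OPENSSL_VERSION_TEXT")`, which is what `Makefile_v1` already does through `OpenSSL_version.mk LIB=header`. Independently, `$ENV{OPENSSL_DIR}` is expanded unquoted in every `if(... MATCHES ...)`, so a path containing spaces or semicolons breaks the condition; quote it as `if("$ENV{OPENSSL_DIR}" MATCHES "3\\.3")`. The `message(STATUS "assuming OpenSSL version " ${OPENSSL_VERSION})` line would also read better as one quoted string, `message(STATUS "assuming OpenSSL version ${OPENSSL_VERSION}")`.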
@@ -64,16 +67,13 @@ include_directories( ${PROJECT_SOURCE_DIR}/libsecutils/include ) if(DEFINED USE_LIBCMP) - include_directories( - ${CMPOSSL_INC_DIR} - ${CMPOSSL_INC_DIR}/cmp - ${CMAKE_SYSROOT}/usr/include/cmp - # does not work for OpenSSL 3.0+: - # add_definitions(-isystem ${CMPOSSL_INC_DIR}/cmp) - # add_definitions(-isystem ${CMAKE_SYSROOT}/usr/include/cmp) - ) + include_directories(SYSTEM ${CMPOSSL_INC_DIR}/cmp) + include_directories(SYSTEM ${CMAKE_SYSROOT}/usr/include/cmp) endif() +# must not add the system OpenSSL include dir before ${CMPOSSL_INC_DIR}/cmp etc. +include_directories(SYSTEM ${OPENSSL_INCLUDE_DIR}) + configure_file(${INC_DIR}/genericCMPClient_config.h.in ${INC_DIR}/genericCMPClient_config.h) # help CPackDeb please dpkg-shlibdeps @@ -104,6 +104,7 @@ if(DEFINED USE_LIBCMP) cmp ) endif() +# important: place libcmp before libcrypto such that its contents are preferred target_link_libraries(cmpClient ${OPENSSL_LIBRARIES} ) 
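Review bot: The new `include_directories(SYSTEM ...)` calls are directory-scoped and depend on call order, as the added comment `must not add the system OpenSSL include dir before ${CMPOSSL_INC_DIR}/cmp etc.` admits; every target defined below inherits them, and the ordering guarantee is lost as soon as another `include_directories` is added elsewhere in the file. Attaching them per target once `${LIBGENCMP_NAME}` and `cmpClient` exist keeps the precedence explicit, e.g. `target_include_directories(${LIBGENCMP_NAME} SYSTEM PRIVATE ${CMPOSSL_INC_DIR}/cmp ${OPENSSL_INCLUDE_DIR})`. Note also that `${CMAKE_SYSROOT}/usr/include/cmp` becomes `/usr/include/cmp` when no sysroot is set, so a system-wide libcmp's headers are picked up whenever the bundled directory does not resolve — presumably intended, but worth a comment or an `if(EXISTS ...)` guard. `${OPENSSL_INCLUDE_DIR}` is set by the `OPENSSL_DIR` branch in the earlier hunk and by `find_package(OpenSSL)` in the other, so the variable rename there and this line must stay in sync.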
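Review bot: `target_link_libraries(cmpClient ${OPENSSL_LIBRARIES})` keeps the keyword-less signature; it should carry `PRIVATE` (or `PUBLIC`) so the link requirement is scoped, and the same applies to the `${LIBGENCMP_NAME}` lines reordered in the next hunk. The added comment `place libcmp before libcrypto such that its contents are preferred` documents symbol interposition: when libcmp and libcrypto export identically named symbols, the link order only governs which definition the linker binds, while for shared libraries the dynamic loader resolves by its own search order at run time, so the preference can differ from the link line (the rpath handling in `Makefile_src` matters here). I would extend the comment to say which symbols overlap and that the same ordering must hold in `Makefile_src`'s `LIBS`, where the comment is repeated.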
@@ -113,41 +114,51 @@ if(DEFINED ENV{SECUTILS_USE_UTA}) ) endif() if(DEFINED ENV{SECUTILS_NO_TLS}) - add_definitions(-DSECUTILS_NO_TLS=1) + add_compile_definitions(SECUTILS_NO_TLS=1) endif() -if(CMAKE_BUILD_TYPE MATCHES Release OR DEFINED ENV{NDEBUG}) - message(STATUS "build mode: Release") - add_definitions(-DNDEBUG=1 -O2) +if(DEFINED ENV{NDEBUG} OR NOT CMAKE_BUILD_TYPE MATCHES Debug) + set(CMAKE_BUILD_TYPE Release + CACHE STRING "Choose the type of build." FORCE) + add_compile_options(-O2) + add_compile_definitions(NDEBUG=1) else() - message(STATUS "build mode: Debug") - add_definitions(-g -O0) + set(CMAKE_BUILD_TYPE Debug + CACHE STRING "Choose the type of build." FORCE) + add_compile_options(-g -O0) set(DEBUG_FLAGS "-fsanitize=address,undefined -fno-sanitize-recover=all") # must use quotes on MacOSX - add_definitions(${DEBUG_FLAGS}) + add_compile_options(${DEBUG_FLAGS}) link_libraries(${DEBUG_FLAGS}) #set(CMAKE_SHARED_LINKER_FLAGS "-fsanitize=address,undefined -fno-sanitize-recover=all") # workarund for link_libraries() ignored on MacOSX if(NOT APPLE) set(COVERAGE_FLAGS --coverage -fprofile-arcs) - add_definitions(${COVERAGE_FLAGS}) + add_compile_options(${COVERAGE_FLAGS}) link_libraries(${COVERAGE_FLAGS}) target_link_libraries(${LIBGENCMP_NAME} ${COVERAGE_FLAGS}) endif() endif() - -add_definitions(-DDEBUG_UNUSED) -add_definitions(-DPEDANTIC -pedantic) -add_definitions(-Wall -Wextra -Wmissing-prototypes -Wstrict-prototypes - -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef) - +message(STATUS "build mode: ${CMAKE_BUILD_TYPE}") + +add_compile_definitions(DEBUG_UNUSED) +add_compile_definitions(PEDANTIC) +add_compile_options(-pedantic -Werror) +add_compile_options( + -Wall -Woverflow -Wextra -Wmissing-prototypes -Wstrict-prototypes -Wswitch + -Wsign-compare -Wformat -Wtype-limits -Wundef -Wconversion -Wunused-parameter) +# because of libsecutils: +add_compile_options(-Wno-sign-conversion -Wno-shorten-64-to-32 -Wno-shadow) + +# TODO maybe clean up 
code and re-enable property # set_property(TARGET ${LIBGENCMP_NAME} PROPERTY C_STANDARD 90) # set_property(TARGET cmpClient PROPERTY C_STANDARD 90) -target_link_libraries(${LIBGENCMP_NAME} ${OPENSSL_LIBRARIES} secutils) # needed for clang/MacOSX if(DEFINED USE_LIBCMP) target_link_libraries(${LIBGENCMP_NAME} cmp) # needed for clang/MacOSX endif() +# important: place libcmp before libcrypto such that its contents are preferred +target_link_libraries(${LIBGENCMP_NAME} ${OPENSSL_LIBRARIES} secutils) # needed for clang/MacOSX set(INC_PUBLIC_HDRS ${INC_DIR}/genericCMPClient.h diff --git a/Makefile_src b/Makefile_src index cf86f939..c8a78c86 100644 --- a/Makefile_src +++ b/Makefile_src @@ -6,6 +6,7 @@ # BIN_DIR defines where the CLI application shall be placed, unless it is empty or unset. # Optional LIBCMP_INC defines the directory of the libcmp header files, must be non-empty if and only if libcmp is used (USE_LIBCMP). # All these paths may be absolute or relative to the dir containing this Makefile. +# With USE_LIBCMP, setting STATIC_LIBCMP leads to static linking with libcmp.a . # Optional DEBUG_FLAGS may set to prepend to local CFLAGS and LDFLAGS (default see below). # OSSL_VERSION_QUIRKS maybe be needed to provide for setting OpenSSL compilation version quirks. @@ -36,10 +37,11 @@ else ifeq ($(shell uname -s),Darwin) OS=MacOS DLL=.dylib - SONAME=install_name + # see https://www.fullstaq.com/knowledge-hub/blogs/an-alternative-to-macos-dyld-library-path + SONAME=install_name,@rpath/ else # assuming Linux DLL=.so - SONAME=soname + SONAME=soname, endif endif 
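Review bot: `set(CMAKE_BUILD_TYPE Release CACHE STRING ... FORCE)` under `NOT CMAKE_BUILD_TYPE MATCHES Debug` overwrites any configuration the user chose other than Debug, so `-DCMAKE_BUILD_TYPE=RelWithDebInfo` or `MinSizeRel` is silently turned into `Release` in the cache on every configure; a FORCE into the cache is only justified for the documented `NDEBUG` override and for defaulting an empty value (`CMAKE_BUILD_TYPE` already exists as an empty cache entry after `project()`, which is why the default needs FORCE). The rewrite below keeps the documented semantics (Release by default, `NDEBUG` forces Release, Debug only when requested) while leaving other configurations alone. Two smaller points in the same hunk: `-Werror` is now added unconditionally via `add_compile_options(-pedantic -Werror)`, which makes every build break on a new compiler warning — an `option(GENCMPCLIENT_WERROR "Treat warnings as errors" ON)` would let packagers switch it off; and with `-Wshadow` dropped from the warning list, the `-Wno-shadow` still appended `because of libsecutils` has nothing to cancel and can go.
```cmake
if(DEFINED ENV{NDEBUG} OR NOT CMAKE_BUILD_TYPE)
  # NDEBUG in the environment requests Release; otherwise Release is only the
  # default for an empty choice, a configuration given by the user is kept.
  set(CMAKE_BUILD_TYPE Release
      CACHE STRING "Choose the type of build." FORCE)
endif()
if(CMAKE_BUILD_TYPE MATCHES Debug)
  add_compile_options(-g -O0)
  # … unchanged: sanitizer and coverage flags …
else()
  add_compile_options(-O2)
  add_compile_definitions(NDEBUG=1)
endif()
```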
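Review bot: `SONAME=install_name,@rpath/` changes the macOS install name of the library from a bare file name to `@rpath/<name>`, which means a program loads it only through its own `-rpath` entries (or `DYLD_LIBRARY_PATH`); the `-Wl,-rpath,...` entries in the `LDFLAGS` hunk further down are therefore load-bearing for the CLI and the tests on macOS, and dropping `$(DY)` from `CMPCLIENT` in `Makefile_v1` only works because of them. That coupling is worth stating next to the blog link, e.g. `# @rpath: consumers must carry an -rpath entry for $(OUT_DIR), see LDFLAGS in this file`. The Linux branch now sets `SONAME=soname,` with a trailing comma to match the `-Wl,-$(SONAME)$(OUTLIBV)` form in the link rule, so any other use of `$(SONAME)` that still appends its own comma (none is visible in this diff) would produce `-soname,,`.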
@@ -89,8 +91,15 @@ ifdef NDEBUG else DEBUG_FLAGS ?= -g -O0 -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all # not every compiler(version) supports -Og endif -override CFLAGS += $(DEBUG_FLAGS) -std=gnu90 -fstack-protector -fno-omit-frame-pointer -override CFLAGS += -Wall -Woverflow -Wconversion -Wextra -Wunused-parameter -Werror #-DPEDANTIC -pedantic -Wno-declaration-after-statement +override CFLAGS += $(DEBUG_FLAGS) -fstack-protector -fno-omit-frame-pointer +# override CFLAGS += -std=gnu90 # TODO maybe clean up code and re-enable flag +override CFLAGS += \ + -Wall -Woverflow -Wextra -Wswitch -Wmissing-prototypes -Wstrict-prototypes \ + -Wformat -Wformat-security -Wtype-limits -Wundef -Wconversion \ + -Wsign-compare -Wpointer-arith -Wunused-parameter -Wshadow \ + -pedantic -DPEDANTIC -Werror +override CFLAGS +=-Wno-c99-extensions -Wno-language-extension-token -Wno-declaration-after-statement \ + -Wno-sign-conversion -Wno-shorten-64-to-32 -Wno-shadow # due to libsecutils ifeq ($(LPATH),) override CFLAGS += -I$(SECUTILS_DIR)/include endif 
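Review bot: `-Wshadow` is enabled in the first `override CFLAGS +=` block and cancelled again by `-Wno-shadow` two lines later (`# due to libsecutils`), so the flag is dead and shadowing in this project's own sources goes unreported; either drop `-Wshadow` or restrict the `-Wno-*` set to the libsecutils objects. `-Wno-c99-extensions` and `-Wno-language-extension-token` are clang options; gcc accepts unknown `-Wno-` flags silently unless another diagnostic is emitted, at which point it additionally reports the unrecognised option, so on gcc builds with `-Werror` this can show up as a confusing extra line — gating them on the compiler, e.g. `ifneq ($(findstring clang,$(CC)),)`, avoids that. `-Wformat-security` is a good addition; if the supported gcc/clang versions allow it, `-fstack-protector-strong` would cover more functions than `-fstack-protector` at the same cost.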
@@ -112,34 +121,47 @@ override CFLAGS += -I$(PREFIX)include # for genericCMPClient.h override CFLAGS += $(OSSL_VERSION_QUIRKS) ifneq ($(LIBCMP_INC),) - override LIBS += -lcmp -endif -# placing libcmp before libcrypto such that its contents are preferred -override LIBS += -lcrypto -ifdef SECUTILS_USE_UTA - override LIBS += -luta + ifneq ($(STATIC_LIBCMP),) + LIBCMP = $(LIBCMP_DIR)/libcmp.a + else + override LIBS += -lcmp + endif endif +# important: place libcmp before libcrypto such that its contents are preferred + +override LIBS += -lsecutils ifdef SECUTILS_NO_TLS override CFLAGS += -DSECUTILS_NO_TLS=1 else override LIBS += -lssl endif -override LIBS += -lsecutils +override LIBS += -lcrypto +ifdef SECUTILS_USE_UTA + override LIBS += -luta +endif override LDFLAGS += $(DEBUG_FLAGS) # needed for -fsanitize=... ifeq ($(LPATH),) override LDFLAGS += -L $(PREFIX)$(OUT_DIR) ifeq ($(DEB_TARGET_ARCH),) # not during Debian packaging - override LDFLAGS += -Wl,-rpath $(OUT_DIR) -Wl,-rpath $(LIBCMP_DIR) -Wl,-rpath $(SECUTILS_DIR) - # override LDFLAGS += -Wl,-rpath $(OUT_DIR)/../../../.. -Wl,-rpath $(OUT_DIR)/../../../../$(LIBCMP_DIR) -Wl,-rpath $(OUT_DIR)/../../../../$(SECUTILS_DIR) # for CLI-based tests + # ifeq ($(PREFIX),) + # TODO maybe better use absolute path here, as done by CMake + override LDFLAGS += -Wl,-rpath,$(OUT_DIR) -Wl,-rpath,$(LIBCMP_DIR) -Wl,-rpath,$(SECUTILS_DIR) + # endif + override LDFLAGS += -Wl,-rpath,$(OUT_DIR)/../../../.. 
-Wl,-rpath,$(OUT_DIR)/../../../../$(LIBCMP_DIR) -Wl,-rpath,$(OUT_DIR)/../../../../$(SECUTILS_DIR) # for CLI-based tests endif override LDFLAGS += -L $(LIBCMP_DIR) -L $(SECUTILS_DIR) ifeq ($(DEB_TARGET_ARCH),) # not during Debian packaging - override LDFLAGS += -Wl,-rpath $(LIBCMP_DIR_) -Wl,-rpath $(SECUTILS_DIR_) + ifneq ($(PREFIX),) + override LDFLAGS += -Wl,-rpath,$(LIBCMP_DIR_) -Wl,-rpath,$(SECUTILS_DIR_) + endif endif override LDFLAGS += -L $(OPENSSL_LIB) -L $(OPENSSL) ifeq ($(DEB_TARGET_ARCH),) # not during Debian packaging - override LDFLAGS += -Wl,-rpath $(OPENSSL_RPATH_LIB) -Wl,-rpath $(OPENSSL_RPATH) + override LDFLAGS += -Wl,-rpath,$(OPENSSL_RPATH_LIB) + ifneq ($(OPENSSL_RPATH_LIB),$(OPENSSL_RPATH)) + override LDFLAGS += -Wl,-rpath,$(OPENSSL_RPATH) + endif endif else override LDFLAGS += -L $(LPATH) @@ -192,14 +214,14 @@ $(OBJS): %$(OBJ): %.c # | $(SECUTILS_LIB) # $(PREFIX)$(OUT_DIR)/libcmp$(DLL) #%$(OBJ): %.c # $(CC) $(CFLAGS) -o "$@" "$<" -$(OUT_DIR)/$(OUTLIBV): src/genericCMPClient$(OBJ) - $(CC) $^ $(LDFLAGS) $(LIBS) -shared -o $@ -Wl,-$(SONAME),$(OUTLIBV) +$(OUT_DIR)/$(OUTLIBV): src/genericCMPClient$(OBJ) $(LIBCMP) + $(CC) $^ $(LDFLAGS) $(LIBS) -shared -o $@ -Wl,-$(SONAME)$(OUTLIBV) $(OUT_DIR)/$(OUTLIB): $(OUT_DIR)/$(OUTLIBV) ln -sf $(OUTLIBV) $(OUT_DIR)/$(OUTLIB) $(CMPCLIENT): src/cmpClient$(OBJ) $(OUT_DIR)/$(OUTLIB) - $(CC) $(LDFLAGS) $< $(LIBS) -lgencmp -o $@ + $(CC) $(LDFLAGS) $< -lgencmp $(LIBS) -o $@ .PHONY: all archive all: build archive diff --git a/Makefile_tests b/Makefile_tests index 56b115ed..3b3366ec 100644 --- a/Makefile_tests +++ b/Makefile_tests 
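Review bot: The `-Wl,-rpath,$(OUT_DIR)/../../../..` entries (and `$(OUT_DIR)`, `$(LIBCMP_DIR)`, `$(SECUTILS_DIR)` when they are relative) embed relative paths into the binaries' run-time search path; a relative rpath is resolved by the dynamic loader against the process's current working directory at load time, not against the binary's location, so which `libgencmp`/`libcmp`/`libcrypto` gets loaded depends on where the program is started from — the `# TODO maybe better use absolute path here, as done by CMake` line in the hunk acknowledges this. `$(abspath $(OUT_DIR))` (GNU make) or an origin-relative entry such as `-Wl,-rpath,'$$ORIGIN'` on Linux (`@loader_path` on macOS) gives a search path independent of the cwd; for the `/../../../..` test entries `'$$ORIGIN/../../../..'` expresses the same intent. Separately, the new `STATIC_LIBCMP` branch sets `LIBCMP = $(LIBCMP_DIR)/libcmp.a` and the archive is later linked into the shared library via `$^`; that only works if `libcmp.a` was built with position-independent code, which this Makefile cannot check, so a comment `# libcmp.a must be built with -fPIC to be linked into the shared library` next to the assignment would save the next reader a linker error. The hunk sits inside the `ifeq ($(LPATH),)` block whose `else` branch continues past the hunk.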
@@ -47,7 +47,7 @@ LWCMPRA_JAR ?= $(LWCMPRA_JAR) # was: ./LightweightCmpRa.jar LWCMPRA_RUN = java -jar $(LWCMPRA_JAR) # may insert before -jar: -Dorg.slf4j.simpleLogger.log.com.siemens.pki.cmpracomponent.msgprocessing.CmpRaImplementation=trace CMPCAMOCK_JAR ?= ./CmpCaMock.jar # TODO: $(LWCMPRA_DIR)/target/?? -CMPCAMOCK_RUN = java -jar $(CMPCAMOCK_JAR) +CMPCAMOCK_RUN = java -jar $(CMPCAMOCK_JAR)# -verbose:class .phony: tests_LwCmp tests_LwCmp: @@ -61,7 +61,7 @@ start_LwCmp: $(CMPRACOMP_JAR) $(LWCMPRA_JAR) @ #mkdir test/Upstream test/Downstream 2>/dev/null || true @$(LWCMPRA_RUN) config/tests.yml & @echo starting CmpCaMock - @$(CMPCAMOCK_RUN) . http://localhost:7000/ca credentials/ENROLL_Keystore.p12 credentials/CMP_CA_Keystore.p12 & + @CLASSPATH=CmpCaMock_lib $(CMPCAMOCK_RUN) . http://localhost:7000/ca credentials/ENROLL_Keystore.p12 credentials/CMP_CA_Keystore.p12 & @sleep 2 stop_LwCmp: @PID=`ps aux|grep "$(LWCMPRA_RUN)" | grep -v grep | awk '{ print $$2 }'` && \ @@ -72,8 +72,9 @@ stop_LwCmp: # conformance ################################################################## GENERATE_OPERATIONAL=$(OPENSSL) x509 -in creds/operational.crt -x509toreq -signkey creds/operational.pem -out creds/operational.csr -passin pass:12345 2>/dev/null -CMPCLNT = LD_LIBRARY_PATH=. $(CMPCLIENT) -section CmpRa, -CMPOSSL = $(OPENSSL) cmp -config config/demo.cnf -section CmpRa, +BASIC_ARGS = -verbosity 3 -path /lra -section CmpRa, +CMPCLNT = LD_LIBRARY_PATH=. $(CMPCLIENT) $(BASIC_ARGS) +CMPOSSL = $(OPENSSL) cmp -config config/demo.cnf $(BASIC_ARGS) .phony: test_conformance_openssl test_conformance_cmpclient test_conformance test_conformance_openssl: start_LwCmp conformance_openssl stop_LwCmp test_conformance_cmpclient: start_LwCmp conformance_cmpclient stop_LwCmp 
@@ -88,13 +89,13 @@ conformance_openssl: newkey conformance_cmpclient: @CMPCL="$(CMPCLNT)" $(MAKE) -f Makefile_tests conformance conformance: $(CMPCLIENT) - $(CMPCL)imprint -verbosity 3 - $(CMPCL)bootstrap -verbosity 3 + $(CMPCL)imprint + $(CMPCL)bootstrap @$(GENERATE_OPERATIONAL) - $(CMPCL)pkcs10 -verbosity 3 - $(CMPCL)update -path /lra -verbosity 3 - $(CMPCL)revoke -path /lra -verbosity 3 - @ # $(CMPCL)bootstrap -verbosity 3 -server localhost:6003/delayedlra + $(CMPCL)pkcs10 # when using openssl, requires at least version 3.3(-dev) + $(CMPCL)update + $(CMPCL)revoke + @ # $(CMPCL)bootstrap $(BASIC_ARGS) -server localhost:6003/delayedlra # cli ########################################################################## @@ -124,16 +125,19 @@ test_cli: $(CMPCLIENT) .phony: test_Mock test_Mock: $(MAKE) -f Makefile_tests test_cli OPENSSL_CMP_SERVER=Mock OPENSSL=$(OPENSSL) \ - || (($(OPENSSL) version; echo $(OPENSSL_VERSION)) | grep -e "1\.1\|3\.0") + || (($(OPENSSL) version; echo $(OPENSSL_VERSION)) | grep -e "1\.0\|1\.1") # with OpenSSL 1.1 and 3.0, these Mock genm command test cases fail: 'genm certReqTemplate' 'genm caCerts' +# with OpenSSL 1.1, Mock enrollment test 'out_trusted accept issuing ca cert ...' fails likely due to -partial_chain not being respected +# Better use these extended tests only with builds with USE_LIBCMP and OpenSSL >= 3.0. # LwCmp ######################################################################## .phony: test_LwCmp test_LwCmp: $(MAKE) -f Makefile_tests test_cli OPENSSL_CMP_SERVER=LwCmp OPENSSL=$(OPENSSL) \ - || (($(OPENSSL) version; echo $(OPENSSL_VERSION)) | grep -e "1\.1\|3\.0") + || (($(OPENSSL) version; echo $(OPENSSL_VERSION)) | grep -e "1\.0\|1\.1") # with OpenSSL 1.1 and 3.0, most LwCmp genm command test cases fail +# Better use these extended tests only with builds with USE_LIBCMP and OpenSSL >= 3.0. # clean ######################################################################## 
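Review bot: In the `test_Mock` and `test_LwCmp` rules the `|| (... | grep -e "1\.0\|1\.1")` fallback turns any failure of `test_cli` into success whenever the version text matches, and the unanchored pattern `1\.1` also matches `OpenSSL 3.1.1` (and `1\.0` matches `3.1.0`), so failures on those 3.x releases are masked as well, not only the documented genm and `-partial_chain` cases; the same pattern is introduced for `test_Simple` in `Makefile_v1`. Anchoring the match to the start of the line, `grep -E "^(OpenSSL )?1\.[01]([^0-9]|$)"`, restricts the waiver to 1.0/1.1 (both the `openssl version` output and the echoed `$(OPENSSL_VERSION)` begin with the version). Printing a line such as `echo "ignoring test_cli failures with OpenSSL 1.x"` inside the fallback would also make the waiver visible in CI logs instead of silent.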
diff --git a/Makefile_v1 b/Makefile_v1 index d62d64d0..f6aaaab9 100644 --- a/Makefile_v1 +++ b/Makefile_v1 @@ -148,8 +148,8 @@ ifneq ($(filter-out doc start stop doc doc_this doc/cmpClient.md doc/cmpClient.1 endif OPENSSL_VERSION=$(shell $(MAKE) -s --no-print-directory -f OpenSSL_version.mk LIB=header OPENSSL_DIR="$(OPENSSL_DIR)") ifeq ($(OPENSSL_VERSION),) - $(warning WARNING: cannot determine version of OpenSSL in directory '$(OPENSSL_DIR)', assuming 1.1.1) - OPENSSL_VERSION=1.1.1 + $(warning WARNING: cannot determine version of OpenSSL in directory '$(OPENSSL_DIR)', assuming 3.0) + OPENSSL_VERSION=3.0 endif $(info detected OpenSSL version $(OPENSSL_VERSION).x) ifeq ($(shell expr "$(OPENSSL_VERSION)" \< 1.1),1) # same as comparing == 1.0 @@ -161,7 +161,7 @@ ifneq ($(filter-out doc start stop doc doc_this doc/cmpClient.md doc/cmpClient.1 USE_LIBCMP=1 endif else - OPENSSL_VERSION=1.1.1 # dummy + OPENSSL_VERSION=3.0 # dummy endif OPENSSL_MAJOR_VERSION=$(shell echo $(OPENSSL_VERSION) | sed 's/\..*//') @@ -334,7 +334,7 @@ clean_this: clean_test $(MAKE) -f Makefile_src -s clean OUT_DIR="$(OUT_DIR)" BIN_DIR="$(BIN_DIR)" LIB_NAME="$(OUTLIB)" VERSION="$(VERSION)" rm -f *.1{,.gz} -clean: clean_this +clean: clean_this clean_config ifeq ($(LPATH),) ifneq ("$(wildcard $(SECUTILS_DIR))","") $(MAKE) -C $(SECUTILS_DIR) -f Makefile_v1 -s clean OPENSSL_DIR="$(OPENSSL_DIR)" OUT_DIR="$(OUT_DIR_REVERSE_DIR)" || true @@ -349,7 +349,7 @@ endif clean_config: rm -f $(GENCMPCLIENT_CONFIG) -clean_all: clean clean_config clean_deb +clean_all: clean clean_deb rm -fr Makefile CMakeCache.txt *.cmake CMakeFiles/ rm -f install_manifest*.txt compile_commands.json rm -f doc/$(OUT_DOC) doc/cmpClient.md 
@@ -391,22 +391,26 @@ else OCSP_CHECK=$(OPENSSL) ocsp -url $(EJBCA_OCSP_URL) \ -CAfile $(EJBCA_CMP_TRUSTED) -issuer $(EJBCA_CMP_ISSUER) \ -cert creds/operational.crt + EJBCA_TLS_HOST_FILE=creds/docker/TLS_ROOTCA-docker-cn.txt ifeq ($(EJBCA_TLS_HOST),) # workaround for ephemeral TLS server certificate of ejbca-docker: - override EXTRA_OPTS += -tls_host `cat creds/docker/TLS_ROOTCA-docker-cn.txt` + override EXTRA_OPTS += -tls_host `cat $(EJBCA_TLS_HOST_FILE)` BOOTSTRAP_CREDS = -cert creds/manufacturer.crt -key creds/manufacturer.pem endif endif -.phony: demo demo_Insta demo_EJBCA demo_CloudCA +.phony: demo demo_all demo_Insta demo_EJBCA demo_CloudCA demo: demo_Insta +demo_all: demo demo_EJBCA demo_CloudCA demo_Insta: get_Insta_crls $(MAKE) -f Makefile_v1 run_demo BIN_DIR="$(BIN_DIR)" CA_SECTION="Insta" SLEEP="sleep 1" # for Insta, sleep 1 helps avoid ERROR: server response error : Code=503,Reason=Service Unavailable demo_CloudCA: $(MAKE) -f Makefile_v1 run_demo BIN_DIR="$(BIN_DIR)" CA_SECTION="CloudCA" -demo_EJBCA: start_EJBCA get_EJBCA_crls run_demo stop_EJBCA +demo_EJBCA: start_EJBCA get_EJBCA_crls run_demo # stop_EJBCA +# avoid stopping EJBCA docker container because restart will take long time -CMPCLIENT=$(SET_PROXY) $(DY)LD_LIBRARY_PATH="$(OUT_DIR):$(OPENSSL_LIB):$(SECUTILS_DIR):$(LIBCMP_DIR)" $(OUT_DIR_BIN) +# $(DY)LD_LIBRARY_PATH="$(OUT_DIR):$(OPENSSL_LIB):$(SECUTILS_DIR):$(LIBCMP_DIR)" +CMPCLIENT=$(SET_PROXY) LD_LIBRARY_PATH="$(OUT_DIR)" $(OUT_DIR_BIN) GENERATE_OPERATIONAL=$(OPENSSL) x509 -in creds/operational.crt -x509toreq -signkey creds/operational.pem -out creds/operational.csr -passin pass:12345 2>/dev/null .phony: run_demo run_demo: $(OUT_DIR_BIN) 
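Review bot: `override EXTRA_OPTS += -tls_host \`cat $(EJBCA_TLS_HOST_FILE)\`` passes the file content through unquoted command substitution, so a CN containing whitespace is split into several arguments and the host check would run against a fragment; quoting the substitution, `-tls_host "$$(cat $(EJBCA_TLS_HOST_FILE))"`, keeps the name intact. The value is extracted from the server's own certificate in the `start_EJBCA` recipe further down, so for this demo the TLS host-name check only confirms that the presented certificate is self-consistent — stating that in the `workaround for ephemeral TLS server certificate` comment makes the demo-only nature of the workaround explicit. Dropping `$(DY)` from `CMPCLIENT` means `DYLD_LIBRARY_PATH` is no longer set on macOS, so the demo there depends entirely on the `@rpath` install name and the `-rpath` entries added in `Makefile_src`; keeping the old line as a comment is fine, but a one-line note on that dependency would help.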
@@ -415,7 +419,7 @@ run_demo: $(OUT_DIR_BIN) $(CMPCLIENT) imprint -section $(CA_SECTION) $(EXTRA_OPTS) @/bin/echo -e "\nValidating own CMP client cert" ifeq ($(CA_SECTION),EJBCA) - $(CMPCLIENT) validate -section $(CA_SECTION),$(CRL_SECTION) -cert $(EJBCA_CMP_CLIENT) -tls_cert "" -own_trusted $(EJBCA_CMP_TRUSTED),$(EJBCA_TRUSTED) -untrusted $(EJBCA_UNTRUSTED) + $(CMPCLIENT) validate -section $(CA_SECTION),$(CRL_SECTION) -cert $(EJBCA_CMP_CLIENT_CERT) -tls_cert "" -own_trusted $(EJBCA_CMP_TRUSTED),$(EJBCA_TRUSTED) -untrusted $(EJBCA_UNTRUSTED) ifneq ($(EJBCA_TLS_HOST),) @/bin/echo -e "\nValidating own TLS client cert" $(CMPCLIENT) validate -section $(CA_SECTION),$(CRL_SECTION) -tls_cert $(EJBCA_TLS_CLIENT) -tls_trusted $(EJBCA_TRUSTED) -untrusted $(EJBCA_UNTRUSTED) -no_check_time @@ -429,8 +433,11 @@ run_demo: $(OUT_DIR_BIN) $(OPENSSL) x509 -noout -text -in creds/operational.crt @echo : $(OPENSSL) x509 -noout -text -in creds/operational.crt | sed '/^ [0-9a-f].*/d' - @# @echo - @# $(CMPCLIENT) pkcs10 -section $(CA_SECTION) + ifneq ($(CA_SECTION),Insta) + @echo + @$(SLEEP) + $(CMPCLIENT) pkcs10 -section $(CA_SECTION) $(EXTRA_OPTS) + endif @echo @$(SLEEP) $(CMPCLIENT) update -section $(CA_SECTION) $(EXTRA_OPTS) 
@@ -482,7 +489,8 @@ ifeq ($(EJBCA_CONFIG),) ifeq ($(EJBCA_TLS_HOST),) # workaround for ephemeral TLS server certificate of ejbca-docker: @$(OPENSSL) s_client -connect $(EJBCA_HOST):$(EJBCA_HTTPS_PORT) 2>/dev/null \ -verify_return_error -showcerts >creds/docker/TLS_ROOTCA-docker.pem || true - @echo `fgrep "CN = " creds/docker/TLS_ROOTCA-docker.pem|head -n 1 | sed 's/.*CN = //; s/, UID = .*//;'` >creds/docker/TLS_ROOTCA-docker-cn.txt + @echo `grep -E "CN ?= ?" creds/docker/TLS_ROOTCA-docker.pem|head -n 1 | sed -E 's/^.*CN ?= ?//; s/, ?UID ?= ?.*//;'` >$(EJBCA_TLS_HOST_FILE) + @grep -qE '\w' $(EJBCA_TLS_HOST_FILE) || (echo "cannot determine EJBCA docker TLS host name"; false) endif @echo "waiting $(EJBCA_CRL_INTERVAL) seconds to ensure EJBCA docker has updated its CRLs..." @sleep $(EJBCA_CRL_INTERVAL) @@ -508,7 +516,11 @@ stop_Simple: test_Simple: build get_EJBCA_crls test/recipes/80-test_cmp_http_data/Simple test/recipes/80-test_cmp_http_data/test_Simple.cnf $(MAKE) -f Makefile_v1 start_Simple make -f Makefile_tests test_cli CMPCLIENT="$(OUT_DIR_BIN)" OPENSSL_CMP_SERVER=Simple OPENSSL=$(OPENSSL) OPENSSL_CMP_CONFIG="Simple/../test.cnf" \ - || ($(OPENSSL) version | grep " 1.0") # with OpenSSL <1.1, some certstatus test cases fail due to missing OCSP support + || (($(OPENSSL) version; echo $(OPENSSL_VERSION)) | grep -e "1\.0\|1\.1") +# with OpenSSL <1.1, some certstatus test cases fail due to missing OCSP support +# with OpenSSL 1.1 and 3.0, these Mock genm command test cases fail: 'genm certReqTemplate' 'genm caCerts' +# with OpenSSL 1.1, Mock enrollment test 'out_trusted accept issuing ca cert ...' fails likely due to -partial_chain not being respected +# Better use these extended tests only with builds with USE_LIBCMP and OpenSSL >= 3.0. $(MAKE) -f Makefile_v1 stop_Simple .phony: test_Insta 
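Review bot: The host-name extraction `grep -E "CN ?= ?" ... | head -n 1 | sed -E 's/^.*CN ?= ?//; s/, ?UID ?= ?.*//;'` takes the first line of the `s_client -showcerts` output containing `CN =`, presumably the subject of the first certificate in the chain, and strips only a following `UID` RDN; if any other RDN follows the CN (`, O = ...`) it stays in the file and the later `-tls_host` check fails with a misleading name. `s/,.*//` after the CN removes every trailing RDN, and the new `grep -qE '\w' ... || (...; false)` guard then still catches the empty-file case as intended. Since the expected host name is read from the certificate the server presents, the check can only detect a change between two connections, not a wrong server; a comment such as `# demo only: the expected TLS host name is taken from the presented certificate itself` next to `workaround for ephemeral TLS server certificate of ejbca-docker` would document that. The enclosing recipe starts before the hunk.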
@@ -557,7 +569,7 @@ test_Mock: tests_LwCmp: $(OUT_DIR_BIN) $(MAKE) -f Makefile_tests tests_LwCmp CMPCLIENT="$(OUT_DIR_BIN)" OPENSSL=$(OPENSSL) OPENSSL_VERSION=$(OPENSSL_VERSION) -test_all: demo_EJBCA test test_Mock tests_LwCmp +test_all: demo_all test test_Mock tests_LwCmp ifneq ($(TEST_SIMPLE),) test_all: test_Simple test_profile endif diff --git a/README.md b/README.md index 1fb10ff2..2a0ee880 100644 --- a/README.md +++ b/README.md @@ -46,15 +46,16 @@ and with MacOS. The following network and development tools are needed or recommended. * Git (for getting the software, tested with versions 2.7.2, 2.11.0, 2.20, 2.30.2, 2.39.2) -* CMake (for using [`CMakeLists.txt`](CMakeLists.txt), tested with versions 3.18.4, 3.26.3, 3.27.0) +* CMake (for using [`CMakeLists.txt`](CMakeLists.txt), tested with versions 3.18.4, 3.26.3, 3.27.7) * GNU make (tested with versions 3.81, 4.1, 4.2.1, 4.3) * GNU C compiler (gcc, tested with versions 5.4.0, 7.3.0, 8.3.0, 10.0.1, 10.2.1) - or clang (tested with version 14.0.3) + or clang (tested with version 14.0.3 and 17.0.3) * wget (for running the demo, tested with versions 1.17, 1.18, 1.20, 1.21) * Perl (for running the tests, tested with versions 5.30.3 and 5.32.1) The following OSS components are used. -* OpenSSL development edition; supported versions: 1.1.1, 3.0, 3.1 +* OpenSSL development edition; supported versions: 3.0, 3.1, 3.2 + * [Security Utilities (libsecutils)](https://github.com/siemens/libsecutils) * [CMPforOpenSSL](https://github.com/mpeylo/cmpossl), a CMP+CRMF+HTTP extension to OpenSSL, needed when using OpenSSL 1.x @@ -67,7 +68,7 @@ sudo apt install cmake libssl-dev libc-dev linux-libc-dev ``` while `sudo apt install git make gcc wget` usually is not needed as far as these tools are pre-installed. -As a sanity check you can execute in a shell: +As a sanity check you can execute in a shell on a Unix-like system: ``` git clone https://github.com/siemens/gencmpclient.git cd genCMPClient 
@@ -118,7 +119,7 @@ make update ``` -## Configuring and building +## Configuring The generic CMP client (as well as its underlying libraries) assumes that OpenSSL is already installed, @@ -155,14 +156,17 @@ which may be produced using `util/icvutil`. * Use of the UTA library can be enabled by setting `SECUTILS_USE_UTA`. * The TLS-related functions may be disabled by setting `SECUTILS_NO_TLS`. -When using CMake, `cmake` must be (re-)run -after setting or unsetting environment variables. - Since genCMPClient version 2, it is recommended to use CMake to produce the `Makefile`, for instance as follows: ``` cmake . ``` +When using CMake, `cmake` must be (re-)run +after setting or unsetting environment variables. +By default, CMake builds are in Release mode. +This may also be enforced by defining the environment variable `NDEBUG`. +For switching to Debug mode, use `cmake` with `-DCMAKE_BUILD_TYPE=Debug`. +The chosen mode is remembered in `CMakeCache.txt`. For backward compatibility it is also possible to use instead of CMake pre-defined [`Makefile_v1`](Makefile_v1); to this end symlink it to `Makefile`: @@ -171,6 +175,9 @@ ln -s Makefile_v1 Makefile ``` or use for instance `make -f Makefile_v1`. +By default, builds using `Makefile_v1` are in Debug mode. +Release mode can be selected by defining the environment variable `NDEBUG`. + By default `Makefile_v1` behaves as if ``` OPENSSL_DIR=/usr @@ -178,9 +185,6 @@ OPENSSL_DIR=/usr was given, such that the OpenSSL headers will be searched for in `/usr/include` and its shared objects in `/usr/lib` (or `/usr/bin` for Cygwin). -When using CMake, `cmake` must be (re-)run -after setting or unsetting environment variables. - When using [`Makefile_v1`](Makefile_v1), you may specify via the environment variable `OUT_DIR` where the produced libraries (e.g., `libgencmp.so*`, `libcmp.so*`, and `libsecutils.so*`) shall be placed. 
@@ -191,23 +195,28 @@ If the variable is unset, `.` is used by default. For all path variables, relative paths such as `.` are interpreted relative to the directory of the genCMPClient module. The CC environment variable may be set as needed; it defaults to `gcc`. +It is also possible to statically link with `libcmp.a`, using `STATIC_LIBCMP`. For further details on optional environment variables, see the [`Makefile_v1`](Makefile_v1) and [`Makefile_src`](Makefile_src). + +## Building + Build the software with ``` make ``` -By default, builds are done in Debug mode. -For Release mode use `-DCMAKE_BUILD_TYPE=Release` or `NDEBUG=1`. -For switching to Debug mode, use `-DCMAKE_BUILD_TYPE=Debug` and unset `NDEBUG`. - The result is in, for instance, `./libgencmp.so.2.0`. This also builds all required dependencies (such as `libsecutils/libsecutils.so.2.0` and `cmpossl/libcmp.so.2.0`) and an application (`./cmpClient`) that is intended for demonstration, test, and exploration purposes. +When getting the compiler error: `'openssl/openssl_backport.h' file not found` +likely `include/genericCMPClient_config.h` is outdated +and contains `#define USE_LIBCMP` although the environment variable `USE_LIBCMP` +is not set. In such situations, `make -f Makfile_v1 clean` helps to reset it to a consistent state. + ### Installing and uninstalling @@ -235,13 +244,14 @@ The recommended way is to use CPack with the files produced by CMake as follows: ``` make deb ``` +which requries the `file` utility. Alternatively, [`Makefile_v1`](Makefile_v1) may be used like this: ``` make -f Makefile_v1 deb ``` In this case, the resulting packages are placed in the parent directory (`../`), -and the following dependencies need to be installed: +and requires the following Debian packages: * `debhelper` (needed for `dh`) * `devscripts` (needed for `debuild`) * `libssl-dev` 
@@ -284,7 +294,7 @@ or using an included Docker instance of the EJBCA that can be launched locally:
 make -f Makefile_v1 demo_EJBCA
 ```
 
-Furthermore it is possible to execute the tests against the reference playground CA operated by Siemens
+or using the reference playground CA operated by Siemens
 over a test cloud CA:
 ```
 make -f Makefile_v1 demo_CloudCA
diff --git a/cmpossl b/cmpossl
index 9ecbe84f..d756844e 160000
--- a/cmpossl
+++ b/cmpossl
@@ -1 +1 @@
-Subproject commit 9ecbe84f69d827d353b424e5d205db7fe4e34af4
+Subproject commit d756844e028f840529af05ee7ff66f74140e04c6
diff --git a/config/EJBCA.env b/config/EJBCA.env
index 17ee9ef8..9b522963 100644
--- a/config/EJBCA.env
+++ b/config/EJBCA.env
@@ -17,7 +17,8 @@ export EJBCA_CDP3=CMP_ROOTCA
 export EJBCA_CDP4=
 export EJBCA_CDPS=${EJBCA_CDP1} ${EJBCA_CDP2} ${EJBCA_CDP3} ${EJBCA_CDP4}
 export EJBCA_CDP_URL_POSTFIX=
-export EJBCA_CMP_CLIENT=creds/manufacturer.crt
+export EJBCA_CMP_CLIENT_CERT=creds/manufacturer.crt
+export EJBCA_CMP_CLIENT_KEY=creds/manufacturer.pem
 export EJBCA_TLS_CLIENT=creds/docker/Docker_Playground_TLS.p12
 export EJBCA_CMP_TRUSTED=creds/docker/CMP_ROOTCA.pem
 export EJBCA_TLS_TRUSTED=creds/docker/TLS_ROOTCA-docker.pem
diff --git a/config/demo.cnf b/config/demo.cnf
index 1f277c9f..7f076769 100644
--- a/config/demo.cnf
+++ b/config/demo.cnf
@@ -25,7 +25,7 @@ ignore_keyusage = 1
 unprotected_errors = 1
 cacertsout = creds/cacerts.pem
 extracertsout = creds/extracerts.pem
-extracerts_dir = creds/
+extracerts_dir = creds
 
 # workarounds in case the environment variables referenced via ${ENV::...} are not set
 EJBCA_HOST = 
@@ -62,8 +62,8 @@ server = ${ENV::EJBCA_HOST}:${ENV::EJBCA_HTTPS_PORT} path = ${ENV::EJBCA_PATH}/${ENV::EJBCA_PATH_RA} no_proxy = 127.0.0.1,localhost,${ENV::EJBCA_HOST} secret = pass:SecretCmp -cert = ${ENV::EJBCA_CMP_CLIENT} -key = $cert +cert = ${ENV::EJBCA_CMP_CLIENT_CERT} +key = ${ENV::EJBCA_CMP_CLIENT_KEY} keypass = pass:12345 recipient = ${ENV::EJBCA_CMP_RECIPIENT} subject = ${ENV::EJBCA_CMP_SUBJECT} diff --git a/debian/source/options b/debian/source/options index 118201c0..658e281e 100644 --- a/debian/source/options +++ b/debian/source/options @@ -3,6 +3,7 @@ tar-ignore = *.diff tar-ignore = *.d tar-ignore = *.o tar-ignore = *.so* +tar-ignore = .dylib tar-ignore = *.deb tar-ignore = *.gz tar-ignore = *_ @@ -35,7 +36,10 @@ tar-ignore = debian/tmp tar-ignore = debian/libgencmp tar-ignore = debian/libgencmp-dev tar-ignore = debian/cmpclient +tar-ignore = debian/md5sums +tar-ignore = debian/shlibs tar-ignore = debian/substvars +tar-ignore = debian/triggers tar-ignore = debian/.debhelper tar-ignore = _CPack_Packages tar-ignore = include/openssl-1.1.0f diff --git a/doc/cmpClient.pod b/doc/cmpClient.pod index 7008c848..5c6d958a 100644 --- a/doc/cmpClient.pod +++ b/doc/cmpClient.pod @@ -123,11 +123,6 @@ Client authentication and protection options: [B<-extracerts> I] [B<-unprotected_requests>] -Credentials format options: - -[B<-certform> I] -[B<-keyform> I] - TLS connection options: [B<-tls_used>] @@ -774,8 +769,7 @@ field of the last received response message that is not a pollRep nor PKIConf. Directory to save extra certificates received in the extraCerts field that are not self-issued. -If given, -the name must end with the (potentially platform-specific) path separator. +The I does not need to end with the path name separator. =item B<-extracerts_dir_format> 
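Review bot: `tar-ignore = .dylib` matches only a file literally named `.dylib`; the neighbouring entries are globs (`*.so*`, `*.o`), so the intended pattern is `tar-ignore = *.dylib*` (or at least `*.dylib`), mirroring how `*.so*` also covers versioned names. As written, macOS build products would still be swept into the Debian source tarball.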
@@ -796,8 +790,7 @@ is also stored in this file. Directory to save self-issued (root CA) certificates received in the caPubs field. -If given, -the name must end with the (potentially platform-specific) path separator. +The I does not need to end with the path name separator. =item B<-cacerts_dir_format> @@ -954,21 +947,6 @@ Send request messages without CMP-level protection. =back -=head2 Credentials format options - -=over 4 - -=item B<-certform> I - -File format to use when saving a certificate to a file. -Default value is PEM. - -=item B<-keyform> I - -The format of the key input; unspecified by default. - -=back - =head2 TLS connection options @@ -1139,8 +1117,7 @@ or to send issuer Distinguished Names (DNs) to in the form C. =item B<-crl_cache_dir> I Directory where to cache CRLs downloaded during verification. -If given, the name must end with the (potentially platform-specific) -path separator. +The I does not need to end with the path name separator. Then downloaded CRLs will be stored at the given location using files names uniquely derived from the URL of the CRL distribution point. diff --git a/include/genericCMPClient.h b/include/genericCMPClient.h index 217fbc13..7741af0b 100644 --- a/include/genericCMPClient.h +++ b/include/genericCMPClient.h @@ -143,7 +143,7 @@ CMP_err CMPclient_setup_HTTP(CMP_CTX *ctx, const char *server, const char *path, CMP_err CMPclient_setup_BIO(CMP_CTX *ctx, BIO *rw, const char *path, int keep_alive, int timeout); -# if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +# if OPENSSL_VERSION_NUMBER >= 0x30300000L || defined USE_LIBCMP /* call optionally before requests; name may be UTF8-encoded string */ /* This calls OSSL_CMP_CTX_reset_geninfo_ITAVs() if name == NULL */ CMP_err CMPclient_add_certProfile(CMP_CTX *ctx, OPTIONAL const char *name); 
@@ -209,16 +209,18 @@ CMP_err CMPclient_update_anycert(OSSL_CMP_CTX *ctx, CREDENTIALS **new_creds, /* reason codes are defined in openssl/x509v3.h */ CMP_err CMPclient_revoke(CMP_CTX *ctx, const X509 *cert, /* TODO: X509_REQ *csr, */ int reason); -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +# if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP /* get CA certs, discard duplicates, and verify they are non-expired CA certs */ CMP_err CMPclient_caCerts(CMP_CTX *ctx, STACK_OF(X509) **out); +# endif /* get certificate request template and related key specifications */ +# if OPENSSL_VERSION_NUMBER > 0x30300000L || defined USE_LIBCMP CMP_err CMPclient_certReqTemplate(CMP_CTX *ctx, OSSL_CRMF_CERTTEMPLATE **certTemplate, OPTIONAL OSSL_CMP_ATAVS **keySpec); # endif -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +# if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP /* get any root CA key update and verify it as far as possible */ CMP_err CMPclient_rootCaCert(CMP_CTX *ctx, const X509 *oldWithOld, X509 **newWithNew, diff --git a/libsecutils b/libsecutils index 2a6ce1e1..66a78e3f 160000 --- a/libsecutils +++ b/libsecutils @@ -1 +1 @@ -Subproject commit 2a6ce1e132bd37703cbb14905938c84f20e7451d +Subproject commit 66a78e3fe20d790ae596fb5a7deae2357d1866fe diff --git a/src/cmpClient.c b/src/cmpClient.c index 6ab9145c..24dd199c 100644 --- a/src/cmpClient.c +++ b/src/cmpClient.c @@ -75,7 +75,7 @@ const char *opt_recipient; const char *opt_expect_sender; bool opt_ignore_keyusage; bool opt_unprotected_errors; -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER >= 0x30300000L || defined USE_LIBCMP bool opt_no_cache_extracerts; #endif #if OPENSSL_VERSION_NUMBER >= 0x30200000L || defined USE_LIBCMP 
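Review bot: The new guard for CMPclient_certReqTemplate is spelled `> 0x30300000L` while the guard for CMPclient_add_certProfile in the previous hunk is `>= 0x30300000L`; both mean "OpenSSL 3.3 or later" for every release build (release numbers carry status nibble 0xf, so 3.3.0 is 0x3030000fL) and differ only for a 3.3.0 development snapshot, so the header now carries two spellings of the same gate. Pick one — `>= 0x30300000L` reads as the intended "from 3.3 on" — and use it here as well as for the matching guards in cmpClient.c (the OPT_MORE block, save_template, the crlStatusList case in do_genm) and in genericCMPClient.c (CMPclient_certReqTemplate, CMPclient_crlUpdate). The surrounding declarations continue outside the hunk.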
@@ -204,12 +204,13 @@ opt_t cmp_opts[] = { #endif }, #if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP + OPT_MORE("for 'caCerts' and 'rootCaCert'"), +#endif +#if OPENSSL_VERSION_NUMBER > 0x30300000L || defined USE_LIBCMP OPT_MORE("for 'caCerts', 'rootCaCert', 'certReqTemplate', and 'crlStatusList'"), #endif -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP { "profile", OPT_TXT, {.txt = NULL}, { &opt_profile }, "Cert profile name to place in generalInfo field of PKIHeader of requests"}, -#endif { "geninfo", OPT_TXT, {.txt = NULL}, { (const char **)&opt_geninfo }, "Comma-separated list of OID and value to place in generalInfo PKIHeader"}, OPT_MORE("of form :int: or :str:, e.g. \'1.2.3.4:int:56789, id-kp:str:name'"), @@ -333,7 +334,7 @@ opt_t cmp_opts[] = { { (const char **) &opt_unprotected_errors }, "Accept missing or invalid protection of regular error messages and negative"}, OPT_MORE("certificate responses (ip/cp/kup), revocation responses (rp), and PKIConf"), -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER >= 0x30300000L || defined USE_LIBCMP { "no_cache_extracerts", OPT_BOOL, {.bit = false}, { (const char **) &opt_no_cache_extracerts }, "Do not keep certificates received in the extraCerts CMP message field"}, @@ -356,7 +357,6 @@ opt_t cmp_opts[] = { { "cacerts_dir_format", OPT_TXT, {.txt = "pem"}, { &opt_cacerts_dir_format }, "Format to use for saving those certs. Default \"pem\""}, -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP { "oldwithold", OPT_TXT, {.txt = NULL}, { &opt_oldwithold }, "Root CA certificate to request update for in genm of type rootCaCert"}, { "newwithnew", OPT_TXT, {.txt = NULL}, { &opt_newwithnew }, 
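Review bot: On OpenSSL 3.3 or later, and whenever USE_LIBCMP is defined, both `#if` conditions in the new option table hold, so the help output prints `OPT_MORE("for 'caCerts' and 'rootCaCert'")` immediately followed by the longer `OPT_MORE("for 'caCerts', 'rootCaCert', 'certReqTemplate', and 'crlStatusList'")`. The shorter line is only meant for 3.2.x builds without libcmp, so narrow its guard to `#if OPENSSL_VERSION_NUMBER > 0x30200000L && !(OPENSSL_VERSION_NUMBER > 0x30300000L || defined USE_LIBCMP)`, or turn the pair into an `#if`/`#elif` with the 3.3 block first. The cmp_opts[] initializer starts and ends outside the hunk.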
@@ -369,7 +369,6 @@ opt_t cmp_opts[] = { "CRL to request update for in genm of type crlStatusList"}, { "crlout", OPT_TXT, {.txt = NULL}, { &opt_crlout }, "File to save new CRL received in genp of type 'crls'"}, -#endif OPT_HEADER("Client authentication and protection"), { "ref", OPT_TXT, {.txt = NULL}, { &opt_ref }, @@ -1036,9 +1035,10 @@ static int setup_ctx(CMP_CTX *ctx) /* set option flags directly via CMP API */ if (!OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_ERRORS, opt_unprotected_errors ? 1 : 0) -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP - || !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_NO_CACHE_EXTRACERTS, - opt_no_cache_extracerts ? 1 : 0) +#if OPENSSL_VERSION_NUMBER >= 0x30300000L || defined USE_LIBCMP + || (opt_no_cache_extracerts && // TODO remove this condition, which is just a workaround for wrong variant of OSSL_CMP_CTX_set_option() being called + !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_NO_CACHE_EXTRACERTS, + opt_no_cache_extracerts ? 1 : 0)) #endif || !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_IGNORE_KEYUSAGE, opt_ignore_keyusage ? 1 : 0) @@ -1056,10 +1056,10 @@ static int setup_ctx(CMP_CTX *ctx) } if (opt_profile != NULL) { -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER >= 0x30300000L || defined USE_LIBCMP err = CMPclient_add_certProfile(ctx, opt_profile); #else - LOG_err("-profile option is not supported for OpenSSL < 3.2"); + LOG_err("-profile option is not supported for OpenSSL < 3.3"); err = -29; #endif if (err != CMP_OK) 
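Review bot: The workaround at `|| (opt_no_cache_extracerts && ...` parks a long TODO as a trailing `//` comment in the middle of a multi-line `||` chain, where it is easy to lose on the next reformat; move it to a block comment above the `#if` and keep the condition on a line of its own. Semantically the option is now only written when it is true, so a ctx that already had OSSL_CMP_OPT_NO_CACHE_EXTRACERTS set would no longer be reset to 0 — presumably harmless for a freshly created context, but worth confirming. If the TODO is right that a wrong variant of OSSL_CMP_CTX_set_option() is being resolved, the neighbouring calls in this same expression (OSSL_CMP_OPT_UNPROTECTED_ERRORS, OSSL_CMP_OPT_IGNORE_KEYUSAGE) go through the same symbol, so the root cause deserves a tracked issue rather than a per-option workaround. setup_ctx starts and ends outside the hunk.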
@@ -1300,52 +1300,55 @@ static int setup_transfer(CMP_CTX *ctx) } /* file (path) name using prefix, subject DN, "_", hash, ".", and suffix */ -static int get_cert_filename(const X509 *cert, const char *prefix, - const char *suffix, - char *buf, size_t buf_len) +static size_t get_cert_filename(const X509 *cert, const char *prefix, + const char *suffix, + char *buf, size_t buf_len) { if (buf == NULL || buf_len == 0) return 0; - int ret, len; - if ((len = UTIL_safe_string_copy(prefix, buf, buf_len, NULL)) <= 0) + int ret = UTIL_safe_string_copy(prefix, buf, buf_len, NULL); + if (ret < 0) return 0; + size_t len = (size_t)ret; + if (buf_len > len + 1 && buf[len] != '/' && buf[len] != '\\') { + buf[len] = '/'; /* add missing path name separator */ + buf[++len] = '\0'; + } char subject[256], *p; if (X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, subject, sizeof(subject)) <= 0) return 0; - ret = - UTIL_safe_string_copy(subject, buf + len, buf_len - (size_t)len, NULL); - if (ret <= 0) + ret = UTIL_safe_string_copy(subject, buf + len, buf_len - len, NULL); + if (ret < 0) return 0; for (p = buf + len; *p != '\0'; p++) if (*p == ' ') *p = '_'; - len += ret; - if ((ret = UTIL_safe_string_copy("_", buf + len, buf_len - (size_t)len, NULL)) <= 0) + len += (size_t)ret; + if ((ret = UTIL_safe_string_copy("_", buf + len, buf_len - len, NULL)) < 0) return 0; - len += ret; + len += (size_t)ret; unsigned char sha1[EVP_MAX_MD_SIZE]; unsigned int size = 0; X509_digest(cert, EVP_sha1(), sha1, &size); - ret = (int)UTIL_bintohex(sha1, size, false, '-', 4, - buf + len, buf_len - (size_t)len, NULL); - if (ret == 0) + size_t res = UTIL_bintohex(sha1, size, false, '-', 4, + buf + len, buf_len - len, NULL); + if (res == 0) return 0; - len += ret; - ret = UTIL_safe_string_copy(".", buf + len, buf_len - (size_t)len, NULL); - if (ret <= 0) + len += res; + if ((ret = UTIL_safe_string_copy(".", buf + len, buf_len - len, NULL)) < 0) return 0; - len += ret; + len += (size_t)ret; 
- ret = UTIL_safe_string_copy(suffix, buf + len, buf_len - (size_t)len, NULL); - if (ret == 0) + ret = UTIL_safe_string_copy(suffix, buf + len, buf_len - len, NULL); + if (ret < 0) return 0; for (p = buf + len; *p != '\0'; p++) *p = (char)tolower(*p); - len += ret; + len += (size_t)ret; return len; } 
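Review bot: The separator check in the new `if (buf_len > len + 1 && buf[len] != '/' && buf[len] != '\\')` inspects `buf[len]`, which is the NUL terminator written by UTIL_safe_string_copy, not the last character of prefix, so the condition is always true and a '/' is appended even when `dir` already ends with one; with an empty prefix the result starts with '/' and becomes an absolute path. Test the last copied character instead: `if (len > 0 && buf_len > len + 1 && buf[len - 1] != '/' && buf[len - 1] != '\\') {`. Because the CN is taken from a certificate received over CMP and spliced into a path name, the loop that rewrites spaces should also neutralise path separators, `if (*p == ' ' || *p == '/' || *p == '\\') *p = '_';`, so that a CN cannot steer the output file outside `dir`. The return value of X509_digest() is still unchecked, as before.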
@@ -1449,27 +1452,26 @@ static int add_object(unsigned char *data, int len, int nid, const char *name) static int complete_genm_asn1_objects(void) { #if OPENSSL_VERSION_NUMBER >= 0x30000000L +# define ASN1_OID_IT 0x2B,0x06,0x01,0x05,0x05,0x07,0x04 +# define ASN1_OID_REGCTRL 0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01 # if OPENSSL_VERSION_NUMBER < 0x30200000L - static unsigned char so_rootCaCert[] = - { 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x04, 0x14 }; - static unsigned char so_certProfile[] = - { 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x04, 0x15 }; - static unsigned char so_crlStatusList[] = - { 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x04, 0x16 }; - static unsigned char so_crls[] = - { 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x04, 0x17 }; - static unsigned char so_algId[] = - { 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x05, 0x01, 0x0B }; - static unsigned char so_rsaKeyLen[] = - { 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x05, 0x01, 0x0C }; + /* were added by OpenSSL commit 34959f7a2256eadd23d56f0efe855be7fde282b2 */ + static unsigned char so_rootCaCert[] = { ASN1_OID_IT, 20 }; + static unsigned char so_certProfile[] = { ASN1_OID_IT, 21 }; + static unsigned char so_crlStatusList[] = { ASN1_OID_IT, 22 }; + static unsigned char so_crls[] = { ASN1_OID_IT, 23 }; + static unsigned char so_algId[] = { ASN1_OID_REGCTRL, 11 }; + static unsigned char so_rsaKeyLen[] = { ASN1_OID_REGCTRL, 12 }; # if OPENSSL_VERSION_NUMBER < 0x30000000L - static unsigned char so_rootCaKeyUpdate[] = - { 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x04, 0x12 }; - static unsigned char so_certReqTemplate[] = - { 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x04, 0x13 }; - - if (!add_object(so_rootCaKeyUpdate, sizeof(so_rootCaKeyUpdate), - NID_id_it_rootCaKeyUpdate, "id-it-rootCaKeyUpdate") + /* were added by OpenSSL commit 15633d74dcfe446d309d612c69fd075616d45c5b */ + static unsigned char so_caCerts[] = { ASN1_OID_IT, 17 }; + static unsigned char so_rootCaKeyUpdate[] = { ASN1_OID_IT, 18 }; + static unsigned char so_certReqTemplate[] = { 
ASN1_OID_IT, 19 }; + + if (!add_object(so_caCerts, sizeof(so_caCerts), + NID_id_it_caCerts, "id-it-caCerts") + || !add_object(so_rootCaKeyUpdate, sizeof(so_rootCaKeyUpdate), + NID_id_it_rootCaKeyUpdate, "id-it-rootCaKeyUpdate") || !add_object(so_certReqTemplate, sizeof(so_certReqTemplate), NID_id_it_certReqTemplate, "id-it-certReqTemplate")) return -20; @@ -1636,13 +1638,13 @@ static CMP_err check_options(enum use_case use_case) if (opt_cacerts_dir_format != NULL && FILES_get_format(opt_cacerts_dir_format) == FORMAT_UNDEF) { - LOG_err("-cacerts_dir_format not accepted"); + LOG_err("-cacerts_dir_format argument not accepted"); return -9; } if (opt_extracerts_dir_format != NULL && FILES_get_format(opt_extracerts_dir_format) == FORMAT_UNDEF) { - LOG_err("-extracerts_format not accepted"); + LOG_err("-extracerts_format argument not accepted"); return -18; } @@ -1893,7 +1895,7 @@ static int save_cert_or_delete(X509 *cert, const char *file, const char *desc) static CMP_err save_certs(STACK_OF(X509) *certs, const char *field, const char *desc, - const char *file, const char *dir, const char *format) + const char *dir, const char *file, const char *format) { char desc_certs[80]; @@ -1910,11 +1912,12 @@ CMP_err save_certs(STACK_OF(X509) *certs, const char *field, const char *desc, } if (dir != NULL) { - if (sk_X509_num(certs) <= 0) + int i, n = sk_X509_num(certs); + + if (n <= 0) LOG(FL_INFO, "No %s certificate in %s to store in %s", desc, field, dir); - int i; - for (i = 0; i < sk_X509_num(certs); i++) { + for (i = 0; i < n; i++) { X509 *cert = sk_X509_value(certs, i); bool save_self_issued = strcmp(field, "caPubs") == 0; 
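Review bot: The new so_caCerts registration is placed under `# if OPENSSL_VERSION_NUMBER < 0x30000000L`, but as printed that block sits inside the enclosing `#if OPENSSL_VERSION_NUMBER >= 0x30000000L`, so neither it nor the rootCaKeyUpdate/certReqTemplate registrations can ever be compiled; either the inner or the outer threshold is wrong, and which one depends on the OpenSSL version that first ships these NIDs, which I cannot tell from here — please check. The helper macros ASN1_OID_IT and ASN1_OID_REGCTRL are defined inside the function and never undefined, so they leak into the rest of the translation unit; add `# undef ASN1_OID_IT` and `# undef ASN1_OID_REGCTRL` after their last use. The encoded arcs do match 1.3.6.1.5.5.7.4 (id-it) and 1.3.6.1.5.5.7.5.1 (id-regCtrl), and the decimal final arcs equal the previous hex values. The function continues outside the hunk.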
@@ -1925,8 +1928,7 @@ CMP_err save_certs(STACK_OF(X509) *certs, const char *field, const char *desc, } else { char path[FILENAME_MAX]; - if (get_cert_filename(cert, dir, format, path, - sizeof(path)) == 0 + if (get_cert_filename(cert, dir, format, path, sizeof(path)) == 0 || !FILES_store_cert(cert, path, FILES_get_format(format), desc_certs)) { LOG(FL_ERR, "Failed to store %s cert #%d from %s in %s", @@ -1945,8 +1947,8 @@ static CMP_err save_credentials(CMP_CTX *ctx, CREDENTIALS *new_creds, enum use_case use_case) { CMP_err err = save_certs(OSSL_CMP_CTX_get1_extraCertsIn(ctx), - "extraCerts", "extra", opt_extracertsout, - opt_extracerts_dir, opt_extracerts_dir_format); + "extraCerts", "extra", opt_extracerts_dir, + opt_extracertsout, opt_extracerts_dir_format); if (err != CMP_OK) return err; @@ -1955,7 +1957,7 @@ static CMP_err save_credentials(CMP_CTX *ctx, CREDENTIALS *new_creds, return CMP_OK; err = save_certs(OSSL_CMP_CTX_get1_caPubs(ctx), "caPubs", "CA", - opt_cacertsout, opt_cacerts_dir, opt_cacerts_dir_format); + opt_cacerts_dir, opt_cacertsout, opt_cacerts_dir_format); if (err != CMP_OK) return err; @@ -2024,7 +2026,7 @@ static int print_itavs(const STACK_OF(OSSL_CMP_ITAV) *itavs) return ret; } -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER > 0x30300000L || defined USE_LIBCMP static int save_template(const char *file, const OSSL_CRMF_CERTTEMPLATE *tmpl) { BIO *bio = BIO_new_file(file, "wb"); @@ -2132,7 +2134,9 @@ static CMP_err do_genm(CMP_CTX *ctx, X509 *oldcert) X509_free(oldwithold); return err; } +#endif +#if OPENSSL_VERSION_NUMBER > 0x30300000L || defined USE_LIBCMP case NID_id_it_crlStatusList: if (opt_oldcrl == NULL && opt_oldcert == NULL) { LOG(FL_ERR, "Missing -oldcrl and no -oldcert given for -infotype crlStatusList"); 
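Review bot: save_certs now takes `dir` before `file`, and this call site and the caPubs one in the next hunk are updated accordingly, but both parameters are `const char *`, so any other caller still passing `(file, dir)` compiles unchanged and silently writes to the wrong location; grep for remaining callers before merging. A short comment at the signature would also make the order self-documenting, e.g. `/* dir: directory for one file per cert (may be NULL); file: single output file (may be NULL) */`. save_credentials continues outside the hunk.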
@@ -2261,8 +2265,8 @@ static CMP_err do_genm(CMP_CTX *ctx, X509 *oldcert) OSSL_CMP_ITAV *req = OSSL_CMP_ITAV_create(OBJ_nid2obj(infotype), NULL); - LOG(FL_WARN, "No specific support for -infotype %s available", - opt_infotype); + LOG(FL_WARN, "No specific support for -infotype %s available in OpenSSL version %lx", + opt_infotype, OpenSSL_version_num()); if (req == NULL || !OSSL_CMP_CTX_push0_genm_ITAV(ctx, req)) { LOG(FL_ERR, "Failed to create genm for -infotype %s", opt_infotype); diff --git a/src/genericCMPClient.c b/src/genericCMPClient.c index c6298bc2..93c48f9e 100644 --- a/src/genericCMPClient.c +++ b/src/genericCMPClient.c @@ -516,7 +516,7 @@ CMP_err CMPclient_setup_HTTP(OSSL_CMP_CTX *ctx, return err; } -#if OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP +#if OPENSSL_VERSION_NUMBER >= 0x30300000L || defined USE_LIBCMP static int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk, const char *text, int len) { @@ -571,7 +571,7 @@ CMP_err CMPclient_add_certProfile(CMP_CTX *ctx, OPTIONAL const char *name) err: return CMPOSSL_error(); } -#endif /* OPENSSL_VERSION_NUMBER > 0x30200000L || defined USE_LIBCMP */ +#endif /* OPENSSL_VERSION_NUMBER >= 0x30300000L || defined USE_LIBCMP */ CMP_err CMPclient_setup_certreq(OSSL_CMP_CTX *ctx, OPTIONAL const EVP_PKEY *new_key, @@ -970,7 +970,8 @@ static OSSL_CMP_ITAV *get_genm_itav(CMP_CTX *ctx, req = NULL; itavs = OSSL_CMP_exec_GENM_ses(ctx); if (itavs == NULL) { - if (OSSL_CMP_CTX_get_status(ctx) != OSSL_CMP_PKISTATUS_request) + if (OSSL_CMP_CTX_get_status(ctx) != OSSL_CMP_PKISTATUS_request + && OSSL_CMP_CTX_get_status(ctx) != OSSL_CMP_PKISTATUS_rejection) LOG(FL_ERR, "Could not obtain valid response message on genm requesting %s", desc); return NULL; 
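Review bot: The new warning prints `OpenSSL_version_num()` with `%lx`, which yields a raw encoded number rather than a version a user can read; `OpenSSL_version(OPENSSL_VERSION)` returns the human-readable library string, e.g. `LOG(FL_WARN, "No specific support for -infotype %s available in %s", opt_infotype, OpenSSL_version(OPENSSL_VERSION));`. This reports the runtime library, which may differ from the OPENSSL_VERSION_NUMBER the feature guards were compiled against, so mentioning that the support is decided at build time would make the diagnosis less ambiguous. do_genm continues outside the hunk.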
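Review bot: The added `&& OSSL_CMP_CTX_get_status(ctx) != OSSL_CMP_PKISTATUS_rejection` suppresses the error log when the server rejected the genm, yet the function still returns NULL, so unless the caller reports the rejection itself the user gets no explanation of why no ITAVs came back. If the intent is that the caller reports it, say so in a comment, e.g. `/* a rejection is reported by the caller from the PKI status info */`; otherwise log it at a lower severity instead of dropping it. OSSL_CMP_CTX_get_status() is also called twice in a row; fetch it once into a local. get_genm_itav starts and ends outside the hunk.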
@@ -1070,7 +1071,9 @@ CMP_err CMPclient_caCerts(CMP_CTX *ctx, STACK_OF(X509) **out) OSSL_CMP_ITAV_free(itav); return err; } +#endif +#if OPENSSL_VERSION_NUMBER > 0x30300000L || defined USE_LIBCMP CMP_err CMPclient_certReqTemplate(CMP_CTX *ctx, OSSL_CRMF_CERTTEMPLATE **certTemplate, OPTIONAL OSSL_CMP_ATAVS **keySpec) @@ -1251,7 +1254,9 @@ CMP_err CMPclient_rootCaCert(CMP_CTX *ctx, OSSL_CMP_ITAV_free(itav); return err; } +#endif +#if OPENSSL_VERSION_NUMBER > 0x30300000L || defined USE_LIBCMP CMP_err CMPclient_crlUpdate(CMP_CTX *ctx, OPTIONAL const X509 *cert, OPTIONAL const X509_CRL *last_crl, X509_CRL **crl) { diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t index f4636a20..a02c2fac 100644 --- a/test/recipes/80-test_cmp_http.t +++ b/test/recipes/80-test_cmp_http.t @@ -123,13 +123,12 @@ sub load_config { } close CH; die "Cannot find all server-dependent config values in $test_config section [$section]\n" - if !defined $ca_dn - || !defined $server_dn || !defined $server_host + if !defined $ca_dn || !defined $server_host || !defined $server_port || !defined $server_tls || !defined $server_path || !defined $server_cert - || !defined $kur_port || !defined $pbm_port - || !defined $pbm_ref || !defined $pbm_secret - || !defined $column || !defined $sleep; + || !defined $kur_port || !defined $pbm_port + || !defined $pbm_ref || !defined $pbm_secret + || !defined $column || !defined $sleep; die "Invalid server_port number in $test_config section [$section]: $server_port" unless $server_port =~ m/^\d+$/; $server_dn = $server_dn // $ca_dn; @@ -378,7 +377,7 @@ sub start_server { } unless ($server_port > 0) { stop_server($server_name, $pid); - print "Cannot get expected output from the $server_name server"; + print "Cannot get expected output from the $server_name server\n"; return 0; } $kur_port = $server_port if $kur_port eq "\$server_port"; 
diff --git a/test/recipes/80-test_cmp_http_data/wrong.crl.pem b/test/recipes/80-test_cmp_http_data/Insta/wrong.crl similarity index 100% rename from test/recipes/80-test_cmp_http_data/wrong.crl.pem rename to test/recipes/80-test_cmp_http_data/Insta/wrong.crl diff --git a/test/recipes/80-test_cmp_http_data/LwCmp/wrong.crl b/test/recipes/80-test_cmp_http_data/LwCmp/wrong.crl new file mode 100644 index 00000000..a3307c13 Binary files /dev/null and b/test/recipes/80-test_cmp_http_data/LwCmp/wrong.crl differ diff --git a/test/recipes/80-test_cmp_http_data/Mock/big_trusted.crt b/test/recipes/80-test_cmp_http_data/Mock/big_trusted.crt index 3bd3458e..c183fc0b 100644 --- a/test/recipes/80-test_cmp_http_data/Mock/big_trusted.crt +++ b/test/recipes/80-test_cmp_http_data/Mock/big_trusted.crt 
@@ -1,21 +1,25 @@ - Subject: O = openssl_cmp - Issuer: O = openssl_cmp + Issuer: CN=Root CA + Validity + Not Before: Jan 14 22:29:05 2016 GMT + Not After : Jan 15 22:29:05 2116 GMT + Subject: CN=Root CA -----BEGIN CERTIFICATE----- -MIICpTCCAY2gAwIBAgIBATANBgkqhkiG9w0BAQUFADAWMRQwEgYDVQQKDAtvcGVu -c3NsX2NtcDAeFw0xNzEyMjAxMzA0MDBaFw0xODEyMjAxMzA0MDBaMBYxFDASBgNV -BAoMC29wZW5zc2xfY21wMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -4ckRrH0UWmIJFj99kBqvCipGjJRAaPkdvWjdDQLglTpI3eZAJHnq0ypW/PZccrWj -o7mxuvAStEYWF+5Jx6ZFmAsC1K0NNebSAZQoLWYZqiOzkfVVpLicMnItNFElfCoh -BzPCYmF5UlC5yp9PSUEfNwPJqDIRMtw+IlVUV3AJw9TJ3uuWq/vWW9r96/gBKKdd -mj/q2gGT8RC6LxEaolTbhfPbHaA1DFpv1WQFb3oAV3Wq14SOZf9bH1olBVsmBMsU -shFEw5MXVrNCv2moM4HtITMyjvZe7eIwHzSzf6dvQjERG6GvZ/i5KOhaqgJCnRKd -HHzijz9cLec5p9NSOuC1OwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQDGUXpFCBkV -WgPrBfZyBwt6VCjWB/e67q4IdcKMfDa4hwSquah1AyXHI0PlC/qitnoSx2+7f7pY -TEOay/3eEPUl1J5tdPF2Vg56Dw8jdhSkMwO7bXKDEE3R6o6jaa4ECgxwQtdGHmNU -A41PgKX76yEXku803ptO39/UR7i7Ye3MbyAmWE+PvixJYUbxd3fqz5fsaJqTCzAy -AT9hrr4uu8J7m3LYaYXo4LVL4jw5UsP5bIYtpmmEBfy9GhpUqH5/LzBNij7y3ziE -T59wHkzawAQDHsBPuCe07DFtlzqWWvaih0TQAw9MZ2tbyK9jt7P80Rqt9CwpM/i9 -jQYqSl/ix5hn +MIIC8TCCAdmgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNDIyMjkwNVoYDzIxMTYwMTE1MjIyOTA1WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv5oV1s3N +us7SINg7omu5AxueEgK97mh5PU3hgZpliSFaESmL2qLGeP609oXs/68XDXVW4utU +LCOjLh0np+5Xy3i3GRDXgBZ72QDe23WqqQqqaBlQVVm1WxG+amRtZJEWdSIsiFBt +k+8dBElHh2WQDhDOWqHGHQarQgJPxGB97MRhMSlbTwK1T5KAWOlqi5mJW5L6vNrQ +7Tra/YceH70fU0fJYOXhBxM92NwD1bbVd9GPYFSqrdrVj19bvo63XsxZduex5QHr +RkWqT5w5mgAHaEgCqWrS/64q9TR9UEwrB8kiZZg3k9/im+zBwEULTZu0r8oMEkpj +bTlXLmt8EMBqxwIDAQABo1AwTjAdBgNVHQ4EFgQUcH8uroNoWZgEIyrN6z4XzSTd +AUkwHwYDVR0jBBgwFoAUcH8uroNoWZgEIyrN6z4XzSTdAUkwDAYDVR0TBAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAQEAuiLq2lhcOJHrwUP0txbHk2vy6rmGTPxqmcCo +CUQFZ3KrvUQM+rtRqqQ0+LzU4wSTFogBz9KSMfT03gPegY3b/7L2TOaMmUFRzTdd 
+c9PNT0lP8V3pNQrxp0IjKir791QkGe2Ux45iMKf/SXpeTWASp4zeMiD6/LXFzzaK +BfNS5IrIWRDev41lFasDzudK5/kmVaMvDOFyW51KkKkqb64VS4UA81JIEzClvz+3 +Vp3k1AXup5+XnTvhqu2nRhrLpJR5w8OXQpcn6qjKlVc2BXtb3xwci1/ibHlZy3CZ +n70e2NYihU5yYKccReP+fjLgVFsuhsDs/0hRML1u9bLp9nUbYA== -----END CERTIFICATE----- diff --git a/test/recipes/80-test_cmp_http_data/Mock/server.cnf b/test/recipes/80-test_cmp_http_data/Mock/server.cnf index f9384cc5..f31eb37a 100644 --- a/test/recipes/80-test_cmp_http_data/Mock/server.cnf +++ b/test/recipes/80-test_cmp_http_data/Mock/server.cnf @@ -12,7 +12,7 @@ no_cache_extracerts = 1 ref_cert = signer_only.crt rsp_cert = signer_only.crt -rsp_capubs = server.crt +rsp_capubs = trusted.crt rsp_extracerts = signer_issuing.crt verbosity = 2 # do not show any errors diff --git a/test/recipes/80-test_cmp_http_data/test.cnf b/test/recipes/80-test_cmp_http_data/test.cnf index 2a3b0037..c32a5474 100644 --- a/test/recipes/80-test_cmp_http_data/test.cnf +++ b/test/recipes/80-test_cmp_http_data/test.cnf @@ -55,6 +55,7 @@ ca_dn = /CN=CMPCA-ENDENTITY recipient = $ca_dn server_dn = /CN=Downstream-CMP-ENDENTITY expect_sender = $ca_dn +# profile = RSA subject = "/CN=EE-CMP-ENDENTITY" newkey = signer.key out_trusted = signer_root.crt @@ -79,7 +80,6 @@ server_path = /ejbca/publicweb/cmp/ECCEndEntity path = $server_path ca_dn = /CN=ECC Issuing CA v10/OU=For test purpose only/O=CMPforOpenSSL/C=DE recipient = $ca_dn -server_dn = /CN=ECC Issuing CA v10/OU=For test purpose only/O=CMPforOpenSSL/C=DE subject = "/CN=ECC-EE/OU=For test purposes only/O=CMPforOpenSSL/C=DE" kur_port = 83 pbm_port = 80 @@ -102,7 +102,6 @@ server = $server_host:$server_port server_path = pkix/ path = $server_path ca_dn = /C=FI/O=Insta Demo/CN=Insta Demo CA -server_dn = /C=FI/O=Insta Demo/CN=Insta Demo CA recipient = $ca_dn subject = /C=FI/O=Insta Demo/CN=ECC-EE kur_port = 8700 
diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv index e3d18e2d..16a0b34b 100644 --- a/test/recipes/80-test_cmp_http_data/test_commands.csv +++ b/test/recipes/80-test_cmp_http_data/test_commands.csv @@ -55,6 +55,7 @@ TBD,TBD,TBD,TBD,config default all options set, -section,, -cmd,ir,, -cacertsout 0,*,*,*,without serial, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,,BLANK,, -issuer, '"`openssl x509 -noout -issuer -nameopt compat -in test.cert.pem |sed 's/# //' |sed 's/issuer=//'`"' 0,*,*,*,oldcert file nonexistent, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,idontexist,BLANK, 0,*,*,*,empty oldcert file, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,empty.txt,BLANK, +0,*,*,*,oldcert and key do not match, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,trusted.crt, -revreason,0 0,-,0,0,wrong certificate to revoke using issuer and serial, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,, -revreason,-1,BLANK,,, -expect_sender,"""", -issuer, '"`openssl x509 -noout -issuer -nameopt compat -in trusted.crt |sed 's/# //' |sed 's/issuer=//'`"', -serial, '"`openssl x509 -noout -serial -in trusted.crt |sed 's/# //' |sed 's/serial=/0x/'`"' 0,-,0,0,wrong certificate to revoke, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,trusted.crt, -revreason,0 0,*,*,*,revreason 11 (invalid), -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,test.cert.pem, -revreason,11 
@@ -66,44 +67,44 @@ TBD,TBD,TBD,TBD,config default all options set, -section,, -cmd,ir,, -cacertsout 1,0,-,1,genm with infotype signKeyPairTypes, -section,, -cmd,genm,,BLANK,,, -infotype,signKeyPairTypes,,BLANK,,BLANK, 0,*,*,*,genm with missing infotype value, -section,, -cmd,genm,,BLANK,,, -infotype,,,BLANK,,BLANK, 0,*,*,*,genm with invalid infotype value, -section,, -cmd,genm,,BLANK,,, -infotype,asdf,,BLANK,,BLANK, -1,1,-,-,genm certReqTemplate , -section,, -cmd,genm,, -template,test.template.pem,, -infotype,certReqTemplate,,BLANK,,BLANK,,BLANK,,, -expect_sender, """" +Mock server must use OpenSSL 3.3 ,1,-,-,genm certReqTemplate - not with OpenSSL 1.1 , -section,, -cmd,genm,, -template,test.template.pem,, -infotype,certReqTemplate,,BLANK,,BLANK,,BLANK,,, -expect_sender, """" 0,*,*,*,genm certReqTemplate missing template option, -section,, -cmd,genm,, -template,"""",, -infotype,certReqTemplate,,BLANK,,BLANK, 0,*,*,*,genm certReqTemplate missing template arg , -section,, -cmd,genm,, -template,BLANK,, -infotype,certReqTemplate,,BLANK,,BLANK, 0,*,*,*,genm certReqTemplate template extra arg , -section,, -cmd,genm,, -template,test.template.pem,test.template.pem, -infotype,certReqTemplate,,BLANK,,BLANK, *,0,*,*,genm certReqTemplate template arg non-ex dir, -section,, -cmd,genm,, -template,idontexist/idontexist,, -infotype,certReqTemplate,,BLANK,,BLANK, -1,1,-,-,genm caCerts , -section,, -cmd,genm,, -cacertsout,test.cacertsout.pem,, -infotype,caCerts,,BLANK,,BLANK,,BLANK,,, -expect_sender, """" +Mock server must use OpenSSL 3.2 ,1,-,-,genm caCerts - not with OpenSSL 1.1 , -section,, -cmd,genm,, -cacertsout,test.cacertsout.pem,, -infotype,caCerts,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN 0,*,*,*,genm caCerts missing cacertsout option, -section,, -cmd,genm,, -cacertsout,"""",, -infotype,caCerts,,BLANK,,BLANK, 0,*,*,*,genm caCerts missing cacertsout arg , -section,, -cmd,genm,, -cacertsout,BLANK,, -infotype,caCerts,,BLANK,,BLANK, 0,*,*,*,genm caCerts cacertsout 
extra arg , -section,, -cmd,genm,, -cacertsout,test.cacertsout.pem,test.cacertsout.pem, -infotype,caCerts,,BLANK,,BLANK, 0,*,*,*,genm caCerts cacertsout arg non-ex dir, -section,, -cmd,genm,, -cacertsout,idontexist/idontexist,, -infotype,caCerts,,BLANK,,BLANK, --,1,-,-,genm rootCaCert , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem -0,*,*,*,genm rootCaCert missing oldwithold , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", BLANK,, -newwithnew, test.newwithnew.pem -0,*,*,*,genm rootCaCert oldwithold missing arg, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldwithold,, -newwithnew, test.newwithnew.pem -0,*,*,*,genm rootCaCert oldwithold empty file , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldwithold, empty.txt, -newwithnew, test.newwithnew.pem -0,*,*,*,genm rootCaCert oldwithold random file, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldwithold, random.bin, -newwithnew, test.newwithnew.pem -0,*,*,*,genm rootCaCert oldwithold nonexistent, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldwithold, idontexist, -newwithnew, test.newwithnew.pem -0,*,*,*,genm rootCaCert oldwithold wrong , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldwithold, signer.crt, -newwithnew, test.newwithnew.pem -0,*,*,*,genm rootCaCert missing newwithnew , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldwithold, oldwithold.pem,BLANK,, -0,*,*,*,genm rootCaCert newwithnew missing arg, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldwithold, 
oldwithold.pem, -newwithnew,, -0,*,*,*,genm rootCaCert newwithnew directory , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldwithold, oldwithold.pem, -newwithnew,directory/, --,1,-,-,genm rootCaCert with oldwithnew , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem -0,*,*,*,genm rootCaCert oldwithnew missing arg, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew,, -0,*,*,*,genm rootCaCert oldwithnew directory , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew,/directory, --,1,-,-,genm rootCaCert with newwithold , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem, -newwithold, test.newwithold.pem -0,*,*,*,genm rootCaCert newwithold missig arg , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem, -newwithold,, -0,*,*,*,genm rootCaCert newwithold directory , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem, -newwithold,/directory, --,1,-,-,genm rootCaCert with oldwithnew and newwithold, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -newwithold, test.newwithold.pem --,1,-,-,genm 
crlStatusList , -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldcrl, crl.der, -crlout, test.crl.der --,1,-,-,genm crlStatusList with oldcert , -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldcert, root.crt, -crlout, test.crl.der -0,*,*,*,genm crlStatusList missing oldcrl , -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", BLANK, , -crlout, -test.crl.der -0,*,*,*,genm crlStatusList oldcrl missing arg, -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldcrl, , -crlout, test.crl.der -0,*,*,*,genm crlStatusList oldcrl empty file , -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldcrl, empty.txt , -crlout, test.crl.der -0,*,*,*,genm crlStatusList oldcrl random file, -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldcrl, random.bin, -crlout, test.crl.der -0,*,*,*,genm crlStatusList oldcrl nonexistent, -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldcrl, idontexist, -crlout, test.crl.der -TBD,*,*,*,genm crlStatusList oldcrl wrong , -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldcrl, crl_wrong.der, -crlout, test.crl.der -0,*,*,*,genm crlStatusList missing crlout , -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldcrl, oldcrl.pem,BLANK,, -0,*,*,*,genm crlStatusList crlout missing arg, -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldcrl, oldcrl.pem, -crlout,, -0,*,*,*,genm crlStatusList crlout directory , -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender, """", -oldcrl, 
oldcrl.pem, -crlout,directory/, +-,1,-,-,genm rootCaCert , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem +0,*,*,*,genm rootCaCert missing oldwithold , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, BLANK , , -newwithnew, test.newwithnew.pem +0,*,*,*,genm rootCaCert oldwithold missing arg, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, , -newwithnew, test.newwithnew.pem +0,*,*,*,genm rootCaCert oldwithold empty file , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, empty.txt , -newwithnew, test.newwithnew.pem +0,*,*,*,genm rootCaCert oldwithold random file, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, random.bin , -newwithnew, test.newwithnew.pem +0,*,*,*,genm rootCaCert oldwithold nonexistent, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, idontexist , -newwithnew, test.newwithnew.pem +0,*,*,*,genm rootCaCert oldwithold wrong , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, signer.crt , -newwithnew, test.newwithnew.pem +0,*,*,*,genm rootCaCert missing newwithnew , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, BLANK,, +0,*,*,*,genm rootCaCert newwithnew missing arg, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew,, +0,*,*,*,genm rootCaCert newwithnew directory , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, 
-oldwithold, oldwithold.pem, -newwithnew,directory/, +-,1,-,-,genm rootCaCert with oldwithnew , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem +0,*,*,*,genm rootCaCert oldwithnew missing arg, -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew,, +0,*,*,*,genm rootCaCert oldwithnew directory , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew,/directory, +-,1,-,-,genm rootCaCert with newwithold , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem, -newwithold, test.newwithold.pem +0,*,*,*,genm rootCaCert newwithold missig arg , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem, -newwithold,, +0,*,*,*,genm rootCaCert newwithold directory , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -oldwithnew, test.oldwithnew.pem, -newwithold,/directory, +-,1,-,-,genm rootCaCert oldwithnew newwithold , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldwithold, oldwithold.pem, -newwithnew, test.newwithnew.pem, -newwithold, test.newwithold.pem +-,1,-,-,genm crlStatusList , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, crl.der , -crlout, 
test.crl.der +-,1,-,-,genm crlStatusList with oldcert , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcert, root.crt , -crlout, test.crl.der +0,*,*,*,genm crlStatusList missing oldcrl , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, BLANK, , -crlout, test.crl.der +0,*,*,*,genm crlStatusList oldcrl missing arg, -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, , -crlout, test.crl.der +0,*,*,*,genm crlStatusList oldcrl empty file , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, empty.txt , -crlout, test.crl.der +0,*,*,*,genm crlStatusList oldcrl random file, -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, random.bin, -crlout, test.crl.der +0,*,*,*,genm crlStatusList oldcrl nonexistent, -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, idontexist, -crlout, test.crl.der +TBD,*,*,*,genm crlStatusList oldcrl wrong , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, wrong.crl , -crlout, test.crl.der +0,*,*,*,genm crlStatusList missing crlout , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, oldcrl.pem, BLANK,, +0,*,*,*,genm crlStatusList crlout missing arg, -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, oldcrl.pem, -crlout,, +0,*,*,*,genm crlStatusList crlout directory , -section,,-cmd,genm,, BLANK,,,-infotype,crlStatusList,,BLANK,,BLANK,,BLANK,,, -expect_sender,_SERVER_DN, -oldcrl, oldcrl.pem, -crlout,directory/, ,,,,,,,,,,,,,,,,,,,,,,,, 1,1,1,1,geninfo int, -section,, -cmd,cr,, -cert,signer.crt,, 
-key,signer.p12,, -keypass,pass:12345,BLANK,, -geninfo,1.3:int:987 1,1,1,1,geninfo str, -section,, -cmd,cr,, -cert,signer.crt,, -key,signer.p12,, -keypass,pass:12345,BLANK,, -geninfo,id-kp:str:name diff --git a/test/recipes/80-test_cmp_http_data/test_enrollment.csv b/test/recipes/80-test_cmp_http_data/test_enrollment.csv index 9dca0482..fd4f170e 100644 --- a/test/recipes/80-test_cmp_http_data/test_enrollment.csv +++ b/test/recipes/80-test_cmp_http_data/test_enrollment.csv 
@@ -103,7 +103,7 @@ TBD,TBD,TBD,TBD,days 36525, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pa
 0,*,*,*,out_trusted is non-existing file, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.cert.pem,, -out_trusted,idontexist,,BLANK,,BLANK,,,
 0,*,*,*,out_trusted too many parameters, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.cert.pem,, -out_trusted,abc,def,BLANK,,BLANK,,,
 0,*,*,*,out_trusted empty certificate file, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.cert.pem,, -out_trusted,empty.txt,,BLANK,,BLANK,,,
-1,1,1,1,out_trusted accept issuing ca cert even with CRL check enabled by default, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.certout_out_trusted5.pem,, -out_trusted,issuing.crt,,BLANK,,BLANK,,,-partial_chain,-crl_check,-crls,wrong.crl,-srvcert,server.crt
+1,1,1,1,out_trusted accept issuing ca cert even with CRL check enabled by default - not with OpenSSL 1.1, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.certout_out_trusted5.pem,, -out_trusted,issuing.crt,,BLANK,,BLANK,,,-partial_chain,-check_all,-crls,wrong.crl,-srvcert,server.crt
 0,0,0,0,out_trusted expired issuing ca cert, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.certout_out_trusted5.pem,, -out_trusted,issuing_expired.crt,,BLANK,,BLANK,,,-partial_chain
 0,0,0,0,out_trusted expired root ca cert, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.certout_out_trusted5.pem,, -out_trusted,root_expired.crt,,BLANK,,BLANK,,,
 0,0,0,0,out_trusted wrong cert, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,test.cert.pem,, -out_trusted,signer.crt,,BLANK,,BLANK,,,
diff --git a/test/recipes/80-test_cmp_http_data/test_verification.csv b/test/recipes/80-test_cmp_http_data/test_verification.csv
index 9089d902..3803ea21 100644
--- a/test/recipes/80-test_cmp_http_data/test_verification.csv
+++ b/test/recipes/80-test_cmp_http_data/test_verification.csv
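Review bot: The added row keeps `1,1,1,1` as its expected results although its description now says the case does not hold with OpenSSL 1.1; nothing else on the line gates it, so if the harness runs this CSV against an OpenSSL 1.1 build the row presumably fails every time, and a permanently failing expectation makes a real regression in `-check_all` handling easy to miss. If the harness has no per-version skip, consider marking the row the way the file already marks unsupported cases (`TBD`) or carrying the caveat somewhere the runner can act on, rather than only in the free-text description. Replacing `-crl_check` with `-check_all` also means no row in this hunk exercises `-crl_check` together with `-crls,wrong.crl` any more; keeping the old row alongside the new one, e.g. `1,1,1,1,out_trusted accept issuing ca cert with -crl_check, ... -partial_chain,-crl_check,-crls,wrong.crl,-srvcert,server.crt`, would preserve that coverage.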
@@ -19,16 +19,14 @@ TODO,TODO,TODO,TODO,missing attribute in recipient name, -section,, -recipient,/
 0,*,*,*,wrong syntax in recipient name: C too long, -section,, -recipient,/CN=ECC Issuing CA v10/OU=For test purpose only/O=CMPforOpenSSL/C=DEE,BLANK,,BLANK,, -trusted,trusted.crt,BLANK,,BLANK, -unprotected_errors,BLANK,,,,,,,,
 1,1,1,0,recipient name empty attribute (ignored by server), -section,, -recipient,/CN=/OU=/O=/C=,BLANK,,BLANK,, -trusted,trusted.crt,BLANK,,BLANK, -unprotected_errors,BLANK,,,,,,,,
 ,,,,,,,,,,,,,,,,,,,,,,,,,,,
-1,1,-,1,config default with expected sender, -section,, -recipient,_CA_DN, -expect_sender,_CA_DN,BLANK,, -trusted,trusted.crt,BLANK,,BLANK, -unprotected_errors,BLANK,,,,,,,,
--,-,1,-,config default with expected sender, -section,, -recipient,_CA_DN, -expect_sender,/CN=Product PKI Playground CMP Signer/OU=PPKI Playground/OU=Corporate Technology/OU=For internal test purposes only/O=Siemens/C=DE,BLANK,, -trusted,trusted.crt,BLANK,,BLANK, -unprotected_errors,BLANK,,,,,,,,
+1,*,1,1,config default with expected sender, -section,, -recipient,_CA_DN, -expect_sender,_SERVER_DN,BLANK,, -trusted,trusted.crt,BLANK,,BLANK, -unprotected_errors,BLANK,,,,,,,,
 0,*,*,*,expected sender missing arg, -section,, -recipient,_CA_DN, -expect_sender,,BLANK,, -trusted,trusted.crt,BLANK,,BLANK, -unprotected_errors,BLANK,,,,,,,,
 TODO,TODO,TODO,TODO,order of sender and expected sender do not match, -section,,,, -expect_sender,/C=DE/CN=ECC Issuing CA v10/OU=For test purpose only/O=CMPforOpenSSL,BLANK,, -trusted,trusted.crt,BLANK,,BLANK,,,,,,,,,,
 TODO,TODO,TODO,TODO,expected sender lower case, -section,, -recipient,_CA_DN, -expect_sender,/CN=ecc issuing ca v10/OU=for test purpose only/O=cmpforopenssl/C=de,BLANK,, -trusted,trusted.crt,BLANK,,BLANK, -unprotected_errors,BLANK,,,,,,,,
 TODO,TODO,TODO,TODO,expected sender all lower case, -section,, -recipient,_CA_DN, -expect_sender,/cn=ecc issuing ca v10/ou=for test purpose only/o=cmpforopenssl/c=de,BLANK,, -trusted,trusted.crt,BLANK,,BLANK, -unprotected_errors,BLANK,,,,,,,,
 TODO,TODO,TODO,TODO,expected sender upper case, -section,, -recipient,_CA_DN, -expect_sender,/CN=ECC ISSUING CA V10/OU=FOR TEST PURPOSE ONLY/O=CMPFOROPENSSL/C=DE,BLANK,, -trusted,trusted.crt,BLANK,,BLANK, -unprotected_errors,BLANK,,,,,,,,
 0,0,0,0,wrong expected sender, -section,, -recipient,_CA_DN, -expect_sender,/CN=Sample Cert/OU=R&D/O=Company Ltd./L=Dublin 4/C=IE,BLANK,, -trusted,trusted.crt,BLANK,,BLANK, -unprotected_errors,BLANK,,,,,,,,
-1,1,-,1,unknown attribute in expected sender DN skipped, -section,, -recipient,_CA_DN, -expect_sender,_CA_DN/ABC=123,BLANK,, -trusted,trusted.crt,BLANK,,BLANK, -unprotected_errors,BLANK,,,,,,,,
--,-,1,-,unknown attribute in expected sender DN skipped, -section,, -recipient,_CA_DN, -expect_sender,/CN=Product PKI Playground CMP Signer/OU=PPKI Playground/OU=Corporate Technology/OU=For internal test purposes only/O=Siemens/C=DE/ABC=123,BLANK,, -trusted,trusted.crt,BLANK,,BLANK, -unprotected_errors,BLANK,,,,,,,,
+1,*,1,1,unknown attribute in expected sender DN skipped, -section,, -recipient,_CA_DN, -expect_sender,_SERVER_DN/ABC=123,BLANK,, -trusted,trusted.crt,BLANK,,BLANK, -unprotected_errors,BLANK,,,,,,,,
 0,*,*,*,extra attribute in expected sender, -section,, -recipient,_CA_DN, -expect_sender,_SERVER_DN/serialNumber=123,BLANK,, -trusted,trusted.crt,BLANK,,BLANK, -unprotected_errors,BLANK,,,,,,,,
 *,*,0,*,double attribute in expected sender, -section,, -recipient,_CA_DN, -expect_sender,/CN=ECC Issuing CA v10_SERVER_DN,BLANK,, -trusted,trusted.crt,BLANK,,BLANK, -unprotected_errors,BLANK,,,,,,,,
 *,*,0,*,missing attribute in expected sender, -section,, -recipient,_CA_DN, -expect_sender,/CN=ECC Issuing CA v10/OU=For test purpose only/C=DE,BLANK,, -trusted,trusted.crt,BLANK,,BLANK, -unprotected_errors,BLANK,,,,,,,,
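Review bot: The merged row `+1,*,1,1,config default with expected sender` relaxes the second result column from `1` to `*`, while the two rows it replaces together expected `1` in every column, so the `-expect_sender` check is no longer asserted at all for that server configuration; the same relaxation appears in `+1,*,1,1,unknown attribute in expected sender DN skipped`. A wildcard there would also hide a regression in which `-expect_sender` stops rejecting a mismatching sender, which is the property the unchanged row `0,0,0,0,wrong expected sender` protects. If the second server's sender DN simply is not `_SERVER_DN`, keeping a dedicated row for it (as the removed `--,-,1,-` lines did) is safer than `*`; if `*` is deliberate, say why in the description, e.g. `config default with expected sender (column 2 unpinned: sender DN differs)`. Note that `_SERVER_DN/ABC=123` relies on the placeholder being substituted before the DN is parsed, which is presumably what the harness already does for `_CA_DN`.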