Chunk 11 of CMP contribution to OpenSSL: CMP command-line interface

Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712).
Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI.
Adds extensive documentation and tests.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11470)
Dr. David von Oheimb 2020-04-03 10:43:58 +02:00
parent 3c38fa4b79
commit 8d9a4d833f
10 changed files with 4655 additions and 5 deletions


@ -93,10 +93,10 @@ OpenSSL 3.0
*Richard Levitte* *Richard Levitte*
* Added an implementation of CMP and CRMF (RFC 4210, RFC 4211 RFC 6712). * Added an implementation of CMP and CRMF (RFC 4210, RFC 4211 RFC 6712).
This adds crypto/cmp/, crpyto/crmf/, and test/cmp_*. This adds crypto/cmp/, crpyto/crmf/, apps/cmp.c, and test/cmp_*.
See L<OSSL_CMP_exec_IR_ses(3)> as starting point. See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.
*David von Oheimb* *David von Oheimb, Martin Peylo*
* Generalized the HTTP client code from crypto/ocsp/ into crpyto/http/. * Generalized the HTTP client code from crypto/ocsp/ into crpyto/http/.
The legacy OCSP-focused and only partly documented API is retained. The legacy OCSP-focused and only partly documented API is retained.
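Review bot: the new side of the second line of this hunk still carries the misspelling "crpyto/crmf/", and the neighbouring HTTP-client entry keeps "crpyto/http/"; since these lines are touched anyway, correct both to "crypto/" and add the missing comma in "RFC 4211 RFC 6712".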


@ -34,7 +34,7 @@ OpenSSL 3.0
disabled; the project uses address sanitize/leak-detect instead. disabled; the project uses address sanitize/leak-detect instead.
* Added a Certificate Management Protocol (CMP, RFC 4210) implementation * Added a Certificate Management Protocol (CMP, RFC 4210) implementation
also covering CRMF (RFC 4211) and HTTP transfer (RFC 6712). also covering CRMF (RFC 4211) and HTTP transfer (RFC 6712).
It is part of the crypto lib, while a 'cmp' app using it is in preparation. It is part of the crypto lib and adds a 'cmp' app with a demo configuration.
All widely used CMP features are supported for both clients and servers. All widely used CMP features are supported for both clients and servers.
* Added a proper HTTP(S) client to libcrypto supporting GET and POST, * Added a proper HTTP(S) client to libcrypto supporting GET and POST,
redirection, plain and ASN.1-encoded contents, proxies, and timeouts. redirection, plain and ASN.1-encoded contents, proxies, and timeouts.
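Review bot: the NEWS.md line now advertises a 'cmp' app "with a demo configuration", but neither this entry nor the CHANGES.md entry in this commit says where that configuration is; naming the [insta] section of apps/openssl.cnf in one of them would let readers find it.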


@ -52,7 +52,7 @@ IF[{- !$disabled{'deprecated-3.0'} -}]
ENDIF ENDIF
ENDIF ENDIF
IF[{- !$disabled{'cmp'} -}] IF[{- !$disabled{'cmp'} -}]
$OPENSSLSRC=$OPENSSLSRC cmp_mock_srv.c $OPENSSLSRC=$OPENSSLSRC cmp.c cmp_mock_srv.c
ENDIF ENDIF
IF[{- !$disabled{apps} -}] IF[{- !$disabled{apps} -}]

apps/cmp.c Normal file (3329 lines)

File diff suppressed because it is too large


@ -348,3 +348,59 @@ ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no) # (optional, default: no)
ess_cert_id_alg = sha1 # algorithm to compute certificate ess_cert_id_alg = sha1 # algorithm to compute certificate
# identifier (optional, default: sha1) # identifier (optional, default: sha1)
[insta] # CMP using Insta Demo CA
# Message transfer
server = pki.certificate.fi:8700
# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
# tls_use = 0
path = pkix/
# Server authentication
recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
ignore_keyusage = 1 # potentially needed quirk
unprotected_errors = 1 # potentially needed quirk
extracertsout = insta.extracerts.pem
# Client authentication
ref = 3078 # user identification
secret = pass:insta # can be used for both client and server side
# Generic message options
cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
# Certificate enrollment
subject = "/CN=openssl-cmp-test"
newkey = insta.priv.pem
out_trusted = insta.ca.crt
certout = insta.cert.pem
[pbm] # Password-based protection for Insta CA
# Server and client authentication
ref = $insta::ref # 3078
secret = $insta::secret # pass:insta
[signature] # Signature-based protection for Insta CA
# Server authentication
trusted = insta.ca.crt # does not include keyUsage digitalSignature
# Client authentication
secret = # disable PBM
key = $insta::newkey # insta.priv.pem
cert = $insta::certout # insta.cert.pem
[ir]
cmd = ir
[cr]
cmd = cr
[kur]
# Certificate update
cmd = kur
oldcert = $insta::certout # insta.cert.pem
[rr]
# Certificate revocation
cmd = rr
oldcert = $insta::certout # insta.cert.pem
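Review bot: the [insta] section relaxes two checks, `ignore_keyusage = 1` and `unprotected_errors = 1`, and the comments only call them "potentially needed quirk"; because apps/openssl.cnf is the template users copy, spell out what each relaxes (accepting a CA signing certificate that lacks keyUsage digitalSignature, and accepting error and confirmation messages that carry no protection, so an unprotected error injected on the network path would be honoured) and that they belong to this demo profile only. In the same spirit, the comments should say that `secret = pass:insta` keeps a cleartext shared secret in the config and that with `# tls_use = 0` the demo runs over plain HTTP to pki.certificate.fi:8700, so integrity rests entirely on CMP message protection. Finally, the file names used here (`insta.ca.crt`, `insta.priv.pem`, `insta.cert.pem`) are resolved relative to the working directory, while the fixtures this commit adds live under test/ as insta.priv.pem and insta_ca.cert.pem; either align the names or add a comment saying which files to copy, otherwise the first run fails on a missing trust anchor.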


@ -4,6 +4,7 @@ DEPEND[]= \
openssl-ca.pod \ openssl-ca.pod \
openssl-ciphers.pod \ openssl-ciphers.pod \
openssl-cmds.pod \ openssl-cmds.pod \
openssl-cmp.pod \
openssl-cms.pod \ openssl-cms.pod \
openssl-crl2pkcs7.pod \ openssl-crl2pkcs7.pod \
openssl-crl.pod \ openssl-crl.pod \
@ -58,6 +59,7 @@ DEPEND[openssl-asn1parse.pod]=../perlvars.pm
DEPEND[openssl-ca.pod]=../perlvars.pm DEPEND[openssl-ca.pod]=../perlvars.pm
DEPEND[openssl-ciphers.pod]=../perlvars.pm DEPEND[openssl-ciphers.pod]=../perlvars.pm
DEPEND[openssl-cmds.pod]=../perlvars.pm DEPEND[openssl-cmds.pod]=../perlvars.pm
DEPEND[openssl-cmp.pod]=../perlvars.pm
DEPEND[openssl-cms.pod]=../perlvars.pm DEPEND[openssl-cms.pod]=../perlvars.pm
DEPEND[openssl-crl2pkcs7.pod]=../perlvars.pm DEPEND[openssl-crl2pkcs7.pod]=../perlvars.pm
DEPEND[openssl-crl.pod]=../perlvars.pm DEPEND[openssl-crl.pod]=../perlvars.pm
@ -112,6 +114,7 @@ GENERATE[openssl-asn1parse.pod]=openssl-asn1parse.pod.in
GENERATE[openssl-ca.pod]=openssl-ca.pod.in GENERATE[openssl-ca.pod]=openssl-ca.pod.in
GENERATE[openssl-ciphers.pod]=openssl-ciphers.pod.in GENERATE[openssl-ciphers.pod]=openssl-ciphers.pod.in
GENERATE[openssl-cmds.pod]=openssl-cmds.pod.in GENERATE[openssl-cmds.pod]=openssl-cmds.pod.in
GENERATE[openssl-cmp.pod]=openssl-cmp.pod.in
GENERATE[openssl-cms.pod]=openssl-cms.pod.in GENERATE[openssl-cms.pod]=openssl-cms.pod.in
GENERATE[openssl-crl2pkcs7.pod]=openssl-crl2pkcs7.pod.in GENERATE[openssl-crl2pkcs7.pod]=openssl-crl2pkcs7.pod.in
GENERATE[openssl-crl.pod]=openssl-crl.pod.in GENERATE[openssl-crl.pod]=openssl-crl.pod.in
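Review bot: openssl-cmp.pod is added to DEPEND[], DEPEND[openssl-cmp.pod] and GENERATE[openssl-cmp.pod] unconditionally, whereas apps/build.info in this commit compiles cmp.c only under `IF[{- !$disabled{'cmp'} -}]`; confirm that generating the man page does not depend on the command being built, and that openssl-cmp.pod.in mentions that the command is absent in a no-cmp build.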

doc/man1/openssl-cmp.pod.in Normal file (1157 lines)

File diff suppressed because it is too large

test/insta.priv.pem Executable file (27 lines)

@ -0,0 +1,27 @@
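Review bot: test/insta.priv.pem is committed as an "Executable file" although it is a PEM private key; it should be a regular (non-executable) file. The key is unencrypted, which is acceptable for a fixture used against a public demo CA, but a comment in the [insta] section that references it (or a README beside the fixture) should state that it is test-only so it is not reused elsewhere.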

test/insta_ca.cert.pem Executable file (22 lines)

@ -0,0 +1,22 @@
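Review bot: test/insta_ca.cert.pem is likewise marked "Executable file"; drop the executable bit. Since the [signature] section of apps/openssl.cnf notes that this trust anchor lacks keyUsage digitalSignature and only works together with `ignore_keyusage = 1`, a short note next to the fixture saying it is the Insta Demo CA certificate expected by the [insta] profile, and that the demo breaks once it expires or the CA rolls its key, would save future debugging.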