Chunk 11 of CMP contribution to OpenSSL: CMP command-line interface
Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL. Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712). Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI. Adds extensive documentation and tests. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/11470)
This commit is contained in:
parent
3c38fa4b79
commit
8d9a4d833f
@ -93,10 +93,10 @@ OpenSSL 3.0
|
|||||||
*Richard Levitte*
|
*Richard Levitte*
|
||||||
|
|
||||||
* Added an implementation of CMP and CRMF (RFC 4210, RFC 4211 RFC 6712).
|
* Added an implementation of CMP and CRMF (RFC 4210, RFC 4211 RFC 6712).
|
||||||
This adds crypto/cmp/, crpyto/crmf/, and test/cmp_*.
|
This adds crypto/cmp/, crpyto/crmf/, apps/cmp.c, and test/cmp_*.
|
||||||
See L<OSSL_CMP_exec_IR_ses(3)> as starting point.
|
See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.
|
||||||
|
|
||||||
*David von Oheimb*
|
*David von Oheimb, Martin Peylo*
|
||||||
|
|
||||||
* Generalized the HTTP client code from crypto/ocsp/ into crpyto/http/.
|
* Generalized the HTTP client code from crypto/ocsp/ into crpyto/http/.
|
||||||
The legacy OCSP-focused and only partly documented API is retained.
|
The legacy OCSP-focused and only partly documented API is retained.
|
||||||
|
2
NEWS.md
2
NEWS.md
@ -34,7 +34,7 @@ OpenSSL 3.0
|
|||||||
disabled; the project uses address sanitize/leak-detect instead.
|
disabled; the project uses address sanitize/leak-detect instead.
|
||||||
* Added a Certificate Management Protocol (CMP, RFC 4210) implementation
|
* Added a Certificate Management Protocol (CMP, RFC 4210) implementation
|
||||||
also covering CRMF (RFC 4211) and HTTP transfer (RFC 6712).
|
also covering CRMF (RFC 4211) and HTTP transfer (RFC 6712).
|
||||||
It is part of the crypto lib, while a 'cmp' app using it is in preparation.
|
It is part of the crypto lib and adds a 'cmp' app with a demo configuration.
|
||||||
All widely used CMP features are supported for both clients and servers.
|
All widely used CMP features are supported for both clients and servers.
|
||||||
* Added a proper HTTP(S) client to libcrypto supporting GET and POST,
|
* Added a proper HTTP(S) client to libcrypto supporting GET and POST,
|
||||||
redirection, plain and ASN.1-encoded contents, proxies, and timeouts.
|
redirection, plain and ASN.1-encoded contents, proxies, and timeouts.
|
||||||
|
@ -52,7 +52,7 @@ IF[{- !$disabled{'deprecated-3.0'} -}]
|
|||||||
ENDIF
|
ENDIF
|
||||||
ENDIF
|
ENDIF
|
||||||
IF[{- !$disabled{'cmp'} -}]
|
IF[{- !$disabled{'cmp'} -}]
|
||||||
$OPENSSLSRC=$OPENSSLSRC cmp_mock_srv.c
|
$OPENSSLSRC=$OPENSSLSRC cmp.c cmp_mock_srv.c
|
||||||
ENDIF
|
ENDIF
|
||||||
|
|
||||||
IF[{- !$disabled{apps} -}]
|
IF[{- !$disabled{apps} -}]
|
||||||
|
3329
apps/cmp.c
Normal file
3329
apps/cmp.c
Normal file
File diff suppressed because it is too large
@ -348,3 +348,59 @@ ess_cert_id_chain = no # Must the ESS cert id chain be included?
|
|||||||
# (optional, default: no)
|
# (optional, default: no)
|
||||||
ess_cert_id_alg = sha1 # algorithm to compute certificate
|
ess_cert_id_alg = sha1 # algorithm to compute certificate
|
||||||
# identifier (optional, default: sha1)
|
# identifier (optional, default: sha1)
|
||||||
|
|
||||||
|
[insta] # CMP using Insta Demo CA
|
||||||
|
# Message transfer
|
||||||
|
server = pki.certificate.fi:8700
|
||||||
|
# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
|
||||||
|
# tls_use = 0
|
||||||
|
path = pkix/
|
||||||
|
|
||||||
|
# Server authentication
|
||||||
|
recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
|
||||||
|
ignore_keyusage = 1 # potentially needed quirk
|
||||||
|
unprotected_errors = 1 # potentially needed quirk
|
||||||
|
extracertsout = insta.extracerts.pem
|
||||||
|
|
||||||
|
# Client authentication
|
||||||
|
ref = 3078 # user identification
|
||||||
|
secret = pass:insta # can be used for both client and server side
|
||||||
|
|
||||||
|
# Generic message options
|
||||||
|
cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
|
||||||
|
|
||||||
|
# Certificate enrollment
|
||||||
|
subject = "/CN=openssl-cmp-test"
|
||||||
|
newkey = insta.priv.pem
|
||||||
|
out_trusted = insta.ca.crt
|
||||||
|
certout = insta.cert.pem
|
||||||
|
|
||||||
|
[pbm] # Password-based protection for Insta CA
|
||||||
|
# Server and client authentication
|
||||||
|
ref = $insta::ref # 3078
|
||||||
|
secret = $insta::secret # pass:insta
|
||||||
|
|
||||||
|
[signature] # Signature-based protection for Insta CA
|
||||||
|
# Server authentication
|
||||||
|
trusted = insta.ca.crt # does not include keyUsage digitalSignature
|
||||||
|
|
||||||
|
# Client authentication
|
||||||
|
secret = # disable PBM
|
||||||
|
key = $insta::newkey # insta.priv.pem
|
||||||
|
cert = $insta::certout # insta.cert.pem
|
||||||
|
|
||||||
|
[ir]
|
||||||
|
cmd = ir
|
||||||
|
|
||||||
|
[cr]
|
||||||
|
cmd = cr
|
||||||
|
|
||||||
|
[kur]
|
||||||
|
# Certificate update
|
||||||
|
cmd = kur
|
||||||
|
oldcert = $insta::certout # insta.cert.pem
|
||||||
|
|
||||||
|
[rr]
|
||||||
|
# Certificate revocation
|
||||||
|
cmd = rr
|
||||||
|
oldcert = $insta::certout # insta.cert.pem
|
||||||
|
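Review bot: `ignore_keyusage = 1` and `unprotected_errors = 1` in the new [insta] section are annotated only as "potentially needed quirk", which hides that both relax verification of the server's protection (the cmp app's -ignore_keyusage accepts a signer certificate without a suitable keyUsage, and -unprotected_errors accepts negative responses without valid protection); since this ships in the default apps/openssl.cnf and will be copied, the comments should say what is being loosened and that it is acceptable only for the public demo CA, e.g. `ignore_keyusage = 1 # accept signer cert lacking keyUsage digitalSignature; demo CA only` and `unprotected_errors = 1 # accept error responses without valid protection; demo CA only`. The same applies to `secret = pass:insta` and `ref = 3078`: they are public demo credentials, and a one-line banner under `[insta]` such as `# Demo-only section: credentials below are public; do not reuse for a production CA` would make that explicit, as would noting that with `# tls_use = 0` the transfer to pki.certificate.fi:8700 is plain HTTP and message integrity rests on the PBM secret alone. The same hunk is rendered a second time further down this page; the remarks apply there too.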
@ -348,3 +348,59 @@ ess_cert_id_chain = no # Must the ESS cert id chain be included?
|
|||||||
# (optional, default: no)
|
# (optional, default: no)
|
||||||
ess_cert_id_alg = sha1 # algorithm to compute certificate
|
ess_cert_id_alg = sha1 # algorithm to compute certificate
|
||||||
# identifier (optional, default: sha1)
|
# identifier (optional, default: sha1)
|
||||||
|
|
||||||
|
[insta] # CMP using Insta Demo CA
|
||||||
|
# Message transfer
|
||||||
|
server = pki.certificate.fi:8700
|
||||||
|
# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
|
||||||
|
# tls_use = 0
|
||||||
|
path = pkix/
|
||||||
|
|
||||||
|
# Server authentication
|
||||||
|
recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
|
||||||
|
ignore_keyusage = 1 # potentially needed quirk
|
||||||
|
unprotected_errors = 1 # potentially needed quirk
|
||||||
|
extracertsout = insta.extracerts.pem
|
||||||
|
|
||||||
|
# Client authentication
|
||||||
|
ref = 3078 # user identification
|
||||||
|
secret = pass:insta # can be used for both client and server side
|
||||||
|
|
||||||
|
# Generic message options
|
||||||
|
cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
|
||||||
|
|
||||||
|
# Certificate enrollment
|
||||||
|
subject = "/CN=openssl-cmp-test"
|
||||||
|
newkey = insta.priv.pem
|
||||||
|
out_trusted = insta.ca.crt
|
||||||
|
certout = insta.cert.pem
|
||||||
|
|
||||||
|
[pbm] # Password-based protection for Insta CA
|
||||||
|
# Server and client authentication
|
||||||
|
ref = $insta::ref # 3078
|
||||||
|
secret = $insta::secret # pass:insta
|
||||||
|
|
||||||
|
[signature] # Signature-based protection for Insta CA
|
||||||
|
# Server authentication
|
||||||
|
trusted = insta.ca.crt # does not include keyUsage digitalSignature
|
||||||
|
|
||||||
|
# Client authentication
|
||||||
|
secret = # disable PBM
|
||||||
|
key = $insta::newkey # insta.priv.pem
|
||||||
|
cert = $insta::certout # insta.cert.pem
|
||||||
|
|
||||||
|
[ir]
|
||||||
|
cmd = ir
|
||||||
|
|
||||||
|
[cr]
|
||||||
|
cmd = cr
|
||||||
|
|
||||||
|
[kur]
|
||||||
|
# Certificate update
|
||||||
|
cmd = kur
|
||||||
|
oldcert = $insta::certout # insta.cert.pem
|
||||||
|
|
||||||
|
[rr]
|
||||||
|
# Certificate revocation
|
||||||
|
cmd = rr
|
||||||
|
oldcert = $insta::certout # insta.cert.pem
|
||||||
|
@ -4,6 +4,7 @@ DEPEND[]= \
|
|||||||
openssl-ca.pod \
|
openssl-ca.pod \
|
||||||
openssl-ciphers.pod \
|
openssl-ciphers.pod \
|
||||||
openssl-cmds.pod \
|
openssl-cmds.pod \
|
||||||
|
openssl-cmp.pod \
|
||||||
openssl-cms.pod \
|
openssl-cms.pod \
|
||||||
openssl-crl2pkcs7.pod \
|
openssl-crl2pkcs7.pod \
|
||||||
openssl-crl.pod \
|
openssl-crl.pod \
|
||||||
@ -58,6 +59,7 @@ DEPEND[openssl-asn1parse.pod]=../perlvars.pm
|
|||||||
DEPEND[openssl-ca.pod]=../perlvars.pm
|
DEPEND[openssl-ca.pod]=../perlvars.pm
|
||||||
DEPEND[openssl-ciphers.pod]=../perlvars.pm
|
DEPEND[openssl-ciphers.pod]=../perlvars.pm
|
||||||
DEPEND[openssl-cmds.pod]=../perlvars.pm
|
DEPEND[openssl-cmds.pod]=../perlvars.pm
|
||||||
|
DEPEND[openssl-cmp.pod]=../perlvars.pm
|
||||||
DEPEND[openssl-cms.pod]=../perlvars.pm
|
DEPEND[openssl-cms.pod]=../perlvars.pm
|
||||||
DEPEND[openssl-crl2pkcs7.pod]=../perlvars.pm
|
DEPEND[openssl-crl2pkcs7.pod]=../perlvars.pm
|
||||||
DEPEND[openssl-crl.pod]=../perlvars.pm
|
DEPEND[openssl-crl.pod]=../perlvars.pm
|
||||||
@ -112,6 +114,7 @@ GENERATE[openssl-asn1parse.pod]=openssl-asn1parse.pod.in
|
|||||||
GENERATE[openssl-ca.pod]=openssl-ca.pod.in
|
GENERATE[openssl-ca.pod]=openssl-ca.pod.in
|
||||||
GENERATE[openssl-ciphers.pod]=openssl-ciphers.pod.in
|
GENERATE[openssl-ciphers.pod]=openssl-ciphers.pod.in
|
||||||
GENERATE[openssl-cmds.pod]=openssl-cmds.pod.in
|
GENERATE[openssl-cmds.pod]=openssl-cmds.pod.in
|
||||||
|
GENERATE[openssl-cmp.pod]=openssl-cmp.pod.in
|
||||||
GENERATE[openssl-cms.pod]=openssl-cms.pod.in
|
GENERATE[openssl-cms.pod]=openssl-cms.pod.in
|
||||||
GENERATE[openssl-crl2pkcs7.pod]=openssl-crl2pkcs7.pod.in
|
GENERATE[openssl-crl2pkcs7.pod]=openssl-crl2pkcs7.pod.in
|
||||||
GENERATE[openssl-crl.pod]=openssl-crl.pod.in
|
GENERATE[openssl-crl.pod]=openssl-crl.pod.in
|
||||||
|
1157
doc/man1/openssl-cmp.pod.in
Normal file
1157
doc/man1/openssl-cmp.pod.in
Normal file
File diff suppressed because it is too large
27
test/insta.priv.pem
Executable file
27
test/insta.priv.pem
Executable file
@ -0,0 +1,27 @@
|
|||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIIEpQIBAAKCAQEAoiNNxo5pwk1lD1em3madbpKz86GSYyGlQtd0ZhIX1tOUFo9l
|
||||||
|
Fex7n5Osv0A99pKb+7EKqB9Ghg6mJ29kIUUmLACnfZJ/q+U6s9T4zFrYyXweUNJv
|
||||||
|
QgbA2ojDPyVoRp2T1ekahPh4DpxPWNKfYECDRbrxkHMM3WiIqYFLU8hYvEMGSWRH
|
||||||
|
HbnS/vG7MTaVDkR8d0zixTOp0fST5c1UUTqppYlThac/BG1kk3hyjIjz5o7lspfX
|
||||||
|
3s/eAYgT9GhYHL6Uy4o4OqCleR39aVc0dMrrjb7hsmX6ecNwqJOE5AHHOG4Ti6Cb
|
||||||
|
weSOcdH5PRFzdpao5rlTErsFHlUSTca4mfVeWwIDAQABAoIBAQCUYAZevBjgbP8c
|
||||||
|
qTPVtsY/WBVB0Qwrl7CqmIy2k7wpJfoRIyx4ga8n+3ZMlredm9EO5ZdA/04EhAdd
|
||||||
|
czyIjcU+42JjMduQLPgpda4xJLnauLDteYXDQHbgBePXN55TcQTG7skMAm2rwTOD
|
||||||
|
r0uWQ7Nd7pP9gqu1OmJF7EJI68D4llCU1FrOrliwSDzHWP3p4QmCW3M9PQJ68xw1
|
||||||
|
gE7X1QflROGivcFoRgcgeoJDzpxveGvPbEn6Q+05/FMRVxjqWhpxdZ9/SL7iRz1e
|
||||||
|
45T+P9a8OLgTyErT3Lp/f/vuHA1tlbAYumhSnxXsb+nHi80aDcImOrNQHAp076Ik
|
||||||
|
bkZ1NpOxAoGBAM3Ulgi2hUPdoAMFtHZF8eBHRzn+4uTfY2s33wObiUJQ8VbGDeJY
|
||||||
|
ifCfOwLThiAXAqktrs7ItwWDYmzd5xPYGQeWoKcBEoZ+dvaaOe8H7TCMnjB3R3i1
|
||||||
|
ACSDHo/3c+NfFOnPJtXL85jeAqGYH50uOtYmYaBVe6xASTBgNvP7snYHAoGBAMmo
|
||||||
|
ZBQqgIhoqMRapGh6n4OpzH0Nt9ruOTJoteAfbLdAu7X+wAaMuxEaAmZQRDYj0lzX
|
||||||
|
Ty8DlKSy7vfvXtghxMBEv4+dsYpagXcUOeEZSPfu1c3e253dAov6C0MdREKWBT7P
|
||||||
|
+NwPBowPy0CP/yBeHaw7d/P7/SYIoPXLGraGl6ANAoGBAMmmce7LUjgw0mjjl+8f
|
||||||
|
i14cts08x3FO4YnTTOut34VW43oNwuBzuYBBn4CfVpHtuS+hj9cKkTQXib/6jj7E
|
||||||
|
wZDLo0y6Ijodf9MNOaDSdS/RM9Frqlu5iBA9XR3SYnjpWAXQas2eaGLlblJ+RMqq
|
||||||
|
1f2j0JVR6j3RJWL9gBj8B9TVAoGBALYZrs4bF1iXEhfGNoL2gIdX1QX0VluIFfR0
|
||||||
|
ZBDQr87H0Ppm4qbHfMHTt+kGgKJXNMaL08CDvj4AKxWPfhk0XUS2kDmzUDi8w/5x
|
||||||
|
MFcaCy+A6Gdw4OcsRfl7QaJIknSCnpf7HCI0G1hthsB1iBCFjMwUI50ap54p2pg6
|
||||||
|
4ZOD9PYdAoGAERi5Hlq7+rJeDi3VunKHySqV9mvbOPNclEUmAdKi1yuu3INF1Zgv
|
||||||
|
Lf432ZI/Ufk2g888ed5ZGE1IMULc2tgSIAMzdX4ZYI4uGFLkHWzSOM6a7NCeZuVt
|
||||||
|
W+NgUYa2qsqFEd9kqaoDbNry+nPvLM7fWXvBoE4oNkeJhHjOIabBPvw=
|
||||||
|
-----END RSA PRIVATE KEY-----
|
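Review bot: test/insta.priv.pem is committed as an "Executable file" (and so is test/insta_ca.cert.pem in the next section), which is wrong for PEM data; a private key should be a regular file, with mode 0600 or 0644 rather than 0755, so that tooling and permission checks that flag world-executable key files do not trip on it. The key is an unencrypted RSA private key matching the public Insta demo CA credentials in the [insta] config section, which is fine for a test fixture but should be recorded as test-only in the test documentation; OpenSSL's PEM reader skips text before the `-----BEGIN` line, so a one-line note could even live in the file itself, though the README is the safer place.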
22
test/insta_ca.cert.pem
Executable file
22
test/insta_ca.cert.pem
Executable file
@ -0,0 +1,22 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDkDCCAnigAwIBAgIDCZU1MA0GCSqGSIb3DQEBBQUAMDoxCzAJBgNVBAYTAkZJ
|
||||||
|
MRMwEQYDVQQKEwpJbnN0YSBEZW1vMRYwFAYDVQQDEw1JbnN0YSBEZW1vIENBMB4X
|
||||||
|
DTA2MDEwMjA4NDgzOFoXDTI1MTIzMTA4NDgzOFowOjELMAkGA1UEBhMCRkkxEzAR
|
||||||
|
BgNVBAoTCkluc3RhIERlbW8xFjAUBgNVBAMTDUluc3RhIERlbW8gQ0EwggEiMA0G
|
||||||
|
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDF57bSwj+hZnkgLyLtFsoNIN19qBv9
|
||||||
|
GIoqFaCiPvw6VQgMXR15t+Z5sdYHdydGp875yJD4wDq2K7cjMoCXALxLeyp6dCY6
|
||||||
|
WPC6Hk3QvZtMRuDAz8+0Nb5qaC4+O+7c7j1h/Gs8Jpj+TUuSkmtlCVIGPSWkWaQl
|
||||||
|
FhLWeUnKRW8bj1CJQguV7igF19kGQKUZ/VZj+n5xIXKHc8njC1ZrS/s0IBFViQkZ
|
||||||
|
63nTdNPLHQ4Xu8uKrbJbYEK1S4KVNH3L9yA4ut+brqX8n6OulTsKntvMdwNWZdor
|
||||||
|
KoM15D3lmM7QUGDflJdSQ/qvBVTda+ccrT21sp4hdwwiU01vxQguT26JAgMBAAGj
|
||||||
|
gZ4wgZswHwYDVR0jBBgwFoAUPHjduMGNV/UFKl5t4FhySvpEJWEwHQYDVR0OBBYE
|
||||||
|
FDx43bjBjVf1BSpebeBYckr6RCVhMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8E
|
||||||
|
CDAGAQH/AgEAMDUGCWCGSAGG+EIBDQQoFiZJbnN0YSBEZW1vIENBIC0gb25seSBm
|
||||||
|
b3IgZGVtbyBwdXJwb3NlczANBgkqhkiG9w0BAQUFAAOCAQEAuVRmRimTxVTZMNXi
|
||||||
|
3u4bRCq7GxJ4Lonx3mocxYiwBjCYwqn5dPAd4AHrA1HWYCEvIPo52FibpUNNljqH
|
||||||
|
v7CSoEBg2f4If6cFtwudobqNvf8Z50CAnxlwpPy4k+EbXlh49/uZBtu8+Lc2Ss7L
|
||||||
|
QaNHHiOeHxYeGX7pTcr6fnXQWAbbn4SLyqniW7ZTqjNJvC79Ym7KowMYzCbmozzv
|
||||||
|
3xqElA+g/MLFfxn52c/vl/obOVk5eBf3f7V68qKL2IDEip3fyZyoelhfTypq944m
|
||||||
|
sSJFQjoVzgd7ykgouEwOceOT8YMWWigNsWl/hsVJ03Ri7TxRX4+v8dMEbat+SsTL
|
||||||
|
AqTTgQ==
|
||||||
|
-----END CERTIFICATE-----
|