Merge branch 'cloudPKIDemo' of https://github.com/siemens/gencmpclient …

…into cloudPKIDemo

# Conflicts:
#	Makefile_v1
#	config/demo.cnf

Makefile_src

@@ -90,7 +90,7 @@ else
     DEBUG_FLAGS ?= -g -O0 -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all # not every compiler(version) supports -Og
 endif
 override CFLAGS += $(DEBUG_FLAGS) -std=gnu90 -fstack-protector -fno-omit-frame-pointer
-override CFLAGS += -Werror -Wall -Woverflow -Wconversion -Wextra -Wunused-parameter #-DPEDANTIC -pedantic -Wno-declaration-after-statement # -Werror
+override CFLAGS += -Wall -Woverflow -Wconversion -Wextra -Wunused-parameter -Werror #-DPEDANTIC -pedantic -Wno-declaration-after-statement
 ifeq ($(LPATH),)
    override CFLAGS += -I$(SECUTILS_DIR)/include
 endif

Makefile_v1

@@ -377,18 +377,17 @@ get_Insta_crls: | creds/crls
 
 # demo #########################################################################
 
-ifneq ($(INSTA),)
-    CA_SECTION=Insta
-    OCSP_CHECK= #$(OPENSSL) ocsp -url "ldap://www.certificate.fi:389/CN=Insta Demo CA,O=Insta Demo,C=FI?caCertificate" -CAfile creds/trusted/InstaDemoCA.crt -issuer creds/trusted/InstaDemoCA.crt -cert creds/operational.crt
+ifeq ($(CA_SECTION),Insta)
     override EXTRA_OPTS += -path pkix/ -newkeytype rsa:1024
-endif
-ifneq ($(CLOUDCA),)
-    CA_SECTION=CloudCA
+    CRL_SECTION=crls
+    OCSP_CHECK= #$(OPENSSL) ocsp -url "ldap://www.certificate.fi:389/CN=Insta Demo CA,O=Insta Demo,C=FI?caCertificate" -CAfile creds/trusted/InstaDemoCA.crt -issuer creds/trusted/InstaDemoCA.crt -cert creds/operational.crt
+else ifeq ($(CA_SECTION),CloudCA)
+    CRL_SECTION= # no crl-based checks
     OCSP_CHECK=
-    override EXTRA_OPTS += -path /.well-known/cmp -subject /CN=CloudCA-Integration-Test-User
-endif
-ifeq ($(INSTA)$(CLOUDCA),)
+    override EXTRA_OPTS += -path /.well-known/cmp -reqexts empty -subject /CN=CloudCA-Integration-Test-User
+else
     CA_SECTION=EJBCA
+    CRL_SECTION=crls
     OCSP_CHECK=$(OPENSSL) ocsp -url $(EJBCA_OCSP_URL) \
         -CAfile $(EJBCA_CMP_TRUSTED) -issuer $(EJBCA_CMP_ISSUER) \
         -cert creds/operational.crt
@@ -401,32 +400,28 @@ endif
 .phony: demo demo_Insta demo_EJBCA demo_CloudCA
 demo: demo_Insta
 demo_Insta: get_Insta_crls
-	$(MAKE) -f Makefile_v1 run_demo BIN_DIR="$(BIN_DIR)" INSTA="using Insta" SLEEP="sleep 1"
-	# for Insta, sleep 1 helps avoid ERROR: server response error : Code=503,Reason=Service Unavailable
+	$(MAKE) -f Makefile_v1 run_demo BIN_DIR="$(BIN_DIR)" CA_SECTION="Insta" SLEEP="sleep 1"
+        # for Insta, sleep 1 helps avoid ERROR: server response error : Code=503,Reason=Service Unavailable
 demo_CloudCA:
-	$(MAKE) -f Makefile_v1 run_demo BIN_DIR="$(BIN_DIR)" CLOUDCA="using CloudCA Connector"
+	$(MAKE) -f Makefile_v1 run_demo BIN_DIR="$(BIN_DIR)" CA_SECTION="CloudCA"
 demo_EJBCA: start_EJBCA get_EJBCA_crls run_demo stop_EJBCA
 
 CMPCLIENT=$(SET_PROXY) $(DY)LD_LIBRARY_PATH="$(OUT_DIR):$(OPENSSL_LIB):$(SECUTILS_DIR):$(LIBCMP_DIR)" $(OUT_DIR_BIN)
 GENERATE_OPERATIONAL=$(OPENSSL) x509 -in creds/operational.crt -x509toreq -signkey creds/operational.pem -out creds/operational.csr -passin pass:12345 2>/dev/null
 .phony: run_demo
 run_demo: $(OUT_DIR_BIN)
 	@which $(OPENSSL) >/dev/null || (echo "cannot find $(OPENSSL), please install it"; false)
-	@/bin/echo -e "\n##### running cmpClient demo $(INSTA)$(CLOUDCA) #####\n"
+	@/bin/echo -e "\n##### running cmpClient demo using $(CA_SECTION) #####\n"
 	$(CMPCLIENT) imprint -section $(CA_SECTION) $(EXTRA_OPTS)
 	@/bin/echo -e "\nValidating own CMP client cert"
-    ifeq ($(INSTA)$(CLOUDCA),)
-		$(CMPCLIENT) validate -section EJBCA -cert $(EJBCA_CMP_CLIENT) -tls_cert "" -own_trusted $(EJBCA_CMP_TRUSTED),$(EJBCA_TRUSTED) -untrusted $(EJBCA_UNTRUSTED)
+    ifeq ($(CA_SECTION),EJBCA)
+	$(CMPCLIENT) validate -section $(CA_SECTION),$(CRL_SECTION) -cert $(EJBCA_CMP_CLIENT) -tls_cert "" -own_trusted $(EJBCA_CMP_TRUSTED),$(EJBCA_TRUSTED) -untrusted $(EJBCA_UNTRUSTED)
         ifneq ($(EJBCA_TLS_HOST),)
-			@/bin/echo -e "\nValidating own TLS client cert"
-			$(CMPCLIENT) validate -section validate -tls_cert $(EJBCA_TLS_CLIENT) -tls_trusted $(EJBCA_TRUSTED) -untrusted $(EJBCA_UNTRUSTED)
+	    @/bin/echo -e "\nValidating own TLS client cert"
+	    $(CMPCLIENT) validate -section $(CA_SECTION),$(CRL_SECTION) -tls_cert $(EJBCA_TLS_CLIENT) -tls_trusted $(EJBCA_TRUSTED) -untrusted $(EJBCA_UNTRUSTED) -no_check_time
         endif
     else
-        ifneq ($(INSTA),)
-			$(CMPCLIENT) validate -section Insta -tls_cert "" -cert creds/manufacturer.crt -own_trusted creds/trusted/InstaDemoCA.crt # -no_check_time
-        else
-			$(CMPCLIENT) validate -section CloudCA -tls_cert "" -cert creds/manufacturer.crt -own_trusted creds/trusted/CloudCA_Root.crt -untrusted creds/extracerts.pem
-        endif
+	$(CMPCLIENT) validate -section $(CA_SECTION),$(CRL_SECTION) -tls_cert "" -cert creds/manufacturer.crt -untrusted creds/extracerts.pem # -no_check_time
     endif
 	@echo
 	$(CMPCLIENT) bootstrap -section $(CA_SECTION) $(EXTRA_OPTS) $(BOOTSTRAP_CREDS)
@@ -448,13 +443,13 @@ run_demo: $(OUT_DIR_BIN)
 	$(CMPCLIENT) revoke -section $(CA_SECTION) $(EXTRA_OPTS)
 	@echo :
 	$(OCSP_CHECK)
-    ifneq ($(INSTA),)
-		@echo
-		@$(SLEEP)
-		$(CMPCLIENT) genm -section $(CA_SECTION) $(EXTRA_OPTS)
-		@echo :
+    ifeq ($(CA_SECTION),Insta)
+	@echo
+	@$(SLEEP)
+	$(CMPCLIENT) genm -section $(CA_SECTION) $(EXTRA_OPTS)
+	@echo :
     endif
-	@echo -e "\n#### finished demo $(INSTA)$(CLOUDCA) ####"
+	@echo -e "\n#### finished demo using $(CA_SECTION) ####"
 	@echo :
 
 # tests ########################################################################

config/demo.cnf

@@ -87,6 +87,7 @@ server = ${ENV::EJBCA_HOST}:${ENV::EJBCA_HTTP_PORT}
 tls_used = 0
 
 [no-certstatus]
+check_all = 0
 crls =
 use_cdp = 0
 cdps =
@@ -118,6 +119,7 @@ out_trusted = creds/trusted/ENROLL_Root.pem
 
 [Insta]
 server = pki.certificate.fi:8700/pkix/
+# path = pkix/ # gets overridden by Makefile_v1
 secret = pass:insta
 ref = 3078
 #would need to be updated every 3 months:
@@ -133,6 +135,7 @@ cacert = creds/trusted/InstaDemoCA.crt
 trusted = $cacert
 crls = creds/crls/InstaDemoCA.crl
 out_trusted = $cacert
+own_trusted = $cacert
 
 tls_used = 0
 #tls_trusted = $cacert
@@ -143,7 +146,7 @@ tls_used = 0
 [CloudCA]
 # Server
 server = broker.sdo-qa.siemens.cloud:443
-path = /.well-known/cmp
+# path = /.well-known/cmp # gets overridden by Makefile_v1
 tls_used = 1
 tls_trusted = creds/trusted/DigicertGlobalRootG2.crt
 
@@ -152,6 +155,7 @@ recipient = /CN=CloudPKI-Integration-Test
 cacert = creds/trusted/CloudCA_Root.crt
 trusted = $cacert
 out_trusted = $cacert
+own_trusted = $cacert
 
 # User in tenant
 ref = /CN=CloudCA-Integration-Test-User
@@ -237,11 +241,18 @@ infotype = signKeyPairTypes # default
 [validate]
 keypass = pass:12345
 tls_keypass = $keypass
+<<<<<<< HEAD
 #check_all = 1
 use_aia = 0
 #use_cdp = 1
+=======
+use_aia = 0
+>>>>>>> e6d00f34ebfdd76edff271eb890905661a204651
 crl_cache_dir = creds/crls/
 verbosity = 6
+[crls]
+check_all = 1
+use_cdp = 1
 
 [empty]
 #keyUsage =

src/cmpClient.c

@@ -1300,45 +1300,47 @@ static int setup_transfer(CMP_CTX *ctx)
 }
 
 /* file (path) name using prefix, subject DN, "_", hash, ".", and suffix */
-static size_t get_cert_filename(const X509 *cert, const char *prefix,
-                                const char *suffix,
-                                char *buf, size_t buf_len)
+static int get_cert_filename(const X509 *cert, const char *prefix,
+                             const char *suffix,
+                             char *buf, size_t buf_len)
 {
     if (buf == NULL || buf_len == 0)
         return 0;
 
-    size_t ret, len = UTIL_safe_string_copy(prefix, buf, buf_len, NULL);
-    if (len == 0)
+    int ret, len;
+    if ((len = UTIL_safe_string_copy(prefix, buf, buf_len, NULL)) <= 0)
         return 0;
 
     char subject[256], *p;
     if (X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName,
                                   subject, sizeof(subject)) <= 0)
         return 0;
-    ret = UTIL_safe_string_copy(subject, buf + len, buf_len - len, NULL);
-    if (ret == 0)
+    ret =
+        UTIL_safe_string_copy(subject, buf + len, buf_len - (size_t)len, NULL);
+    if (ret <= 0)
         return 0;
     for (p = buf + len; *p != '\0'; p++)
         if (*p == ' ')
             *p = '_';
     len += ret;
-    if ((ret = UTIL_safe_string_copy("_", buf + len, buf_len - len, NULL)) == 0)
+    if ((ret = UTIL_safe_string_copy("_", buf + len, buf_len - (size_t)len, NULL)) <= 0)
         return 0;
     len += ret;
 
     unsigned char sha1[EVP_MAX_MD_SIZE];
     unsigned int size = 0;
     X509_digest(cert, EVP_sha1(), sha1, &size);
-    ret = UTIL_bintohex(sha1, size, false, '-', 4,
-                        buf + len, buf_len - len, NULL);
+    ret = (int)UTIL_bintohex(sha1, size, false, '-', 4,
+                             buf + len, buf_len - (size_t)len, NULL);
     if (ret == 0)
         return 0;
     len += ret;
-    if ((ret = UTIL_safe_string_copy(".", buf + len, buf_len - len, NULL)) == 0)
+    ret = UTIL_safe_string_copy(".", buf + len, buf_len - (size_t)len, NULL);
+    if (ret <= 0)
         return 0;
     len += ret;
 
-    ret = UTIL_safe_string_copy(suffix, buf + len, buf_len - len, NULL);
+    ret = UTIL_safe_string_copy(suffix, buf + len, buf_len - (size_t)len, NULL);
     if (ret == 0)
         return 0;
     for (p = buf + len; *p != '\0'; p++)