From 54872d17e24bc73d5e10f8aed84fe732f7532941 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Wed, 20 Dec 2023 21:40:39 +0100 Subject: [PATCH 1/3] cmp_client.c,Makefile_src:: fix types of 'ret' and 'len' after changes to UTIL_safe_string_copy() --- Makefile_src | 2 +- libsecutils | 2 +- src/cmpClient.c | 26 ++++++++++++++------------ 3 files changed, 16 insertions(+), 14 deletions(-) diff --git a/Makefile_src b/Makefile_src index 8bed0282..cf86f939 100644 --- a/Makefile_src +++ b/Makefile_src @@ -90,7 +90,7 @@ else DEBUG_FLAGS ?= -g -O0 -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all # not every compiler(version) supports -Og endif override CFLAGS += $(DEBUG_FLAGS) -std=gnu90 -fstack-protector -fno-omit-frame-pointer -override CFLAGS += -Werror -Wall -Woverflow -Wconversion -Wextra -Wunused-parameter #-DPEDANTIC -pedantic -Wno-declaration-after-statement # -Werror +override CFLAGS += -Wall -Woverflow -Wconversion -Wextra -Wunused-parameter -Werror #-DPEDANTIC -pedantic -Wno-declaration-after-statement ifeq ($(LPATH),) override CFLAGS += -I$(SECUTILS_DIR)/include endif diff --git a/libsecutils b/libsecutils index f8380047..505b32bb 160000 --- a/libsecutils +++ b/libsecutils @@ -1 +1 @@ -Subproject commit f838004741dad4e820305de0df5ede2da485017d +Subproject commit 505b32bb22a4525d1a7f06a7780a4e00df8b8e5f diff --git a/src/cmpClient.c b/src/cmpClient.c index 1e8415dd..6ab9145c 100644 --- a/src/cmpClient.c +++ b/src/cmpClient.c 
@@ -1300,45 +1300,47 @@ static int setup_transfer(CMP_CTX *ctx) } /* file (path) name using prefix, subject DN, "_", hash, ".", and suffix */ -static size_t get_cert_filename(const X509 *cert, const char *prefix, - const char *suffix, - char *buf, size_t buf_len) +static int get_cert_filename(const X509 *cert, const char *prefix, + const char *suffix, + char *buf, size_t buf_len) { if (buf == NULL || buf_len == 0) return 0; - size_t ret, len = UTIL_safe_string_copy(prefix, buf, buf_len, NULL); - if (len == 0) + int ret, len; + if ((len = UTIL_safe_string_copy(prefix, buf, buf_len, NULL)) <= 0) return 0; char subject[256], *p; if (X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, subject, sizeof(subject)) <= 0) return 0; - ret = UTIL_safe_string_copy(subject, buf + len, buf_len - len, NULL); - if (ret == 0) + ret = + UTIL_safe_string_copy(subject, buf + len, buf_len - (size_t)len, NULL); + if (ret <= 0) return 0; for (p = buf + len; *p != '\0'; p++) if (*p == ' ') *p = '_'; len += ret; - if ((ret = UTIL_safe_string_copy("_", buf + len, buf_len - len, NULL)) == 0) + if ((ret = UTIL_safe_string_copy("_", buf + len, buf_len - (size_t)len, NULL)) <= 0) return 0; len += ret; unsigned char sha1[EVP_MAX_MD_SIZE]; unsigned int size = 0; X509_digest(cert, EVP_sha1(), sha1, &size); - ret = UTIL_bintohex(sha1, size, false, '-', 4, - buf + len, buf_len - len, NULL); + ret = (int)UTIL_bintohex(sha1, size, false, '-', 4, + buf + len, buf_len - (size_t)len, NULL); if (ret == 0) return 0; len += ret; - if ((ret = UTIL_safe_string_copy(".", buf + len, buf_len - len, NULL)) == 0) + ret = UTIL_safe_string_copy(".", buf + len, buf_len - (size_t)len, NULL); + if (ret <= 0) return 0; len += ret; - ret = UTIL_safe_string_copy(suffix, buf + len, buf_len - len, NULL); + ret = UTIL_safe_string_copy(suffix, buf + len, buf_len - (size_t)len, NULL); if (ret == 0) return 0; for (p = buf + len; *p != '\0'; p++) 
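Review bot: The check after the suffix copy near the end of the hunk, `if (ret == 0)`, no longer matches the rest of the function: `ret` is now a signed `int` and every other `UTIL_safe_string_copy()` result in this hunk is tested with `<= 0`, so a negative return from the suffix copy slips through and the `for (p = buf + len; ...)` loop that follows (the function continues past the end of the hunk) scans from an offset derived from it. The `(int)UTIL_bintohex(...)` result a few lines earlier has the same `== 0`-only test; if that helper can report failure with anything but 0, that is missed too. Suggest `if (ret <= 0)` at both sites. Separately, the subject CN copied into `buf` only has spaces rewritten (`if (*p == ' ') *p = '_';`), so a `/` or `..` in a CN issued by the remote CA reaches the file name unchanged; if this name is later used to open a file, `/` should be rewritten as well, which I cannot confirm from the hunk alone.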
From d33f3d71201d35c2ed509db086e7aeb103e48c0f Mon Sep 17 00:00:00 2001 From: "Rufus J.W. Buschart" Date: Wed, 20 Dec 2023 17:36:24 +0100 Subject: [PATCH 2/3] Makefile_v1,config/demo.cnf,creds/trusted/: include CloudCA Connector --- Makefile_v1 | 60 +++++++++++++++----------- config/demo.cnf | 29 +++++++++++-- creds/trusted/CloudCA_Root.crt | 22 ++++++++++ creds/trusted/DigicertGlobalRootG2.crt | 22 ++++++++++ 4 files changed, 106 insertions(+), 27 deletions(-) create mode 100644 creds/trusted/CloudCA_Root.crt create mode 100644 creds/trusted/DigicertGlobalRootG2.crt diff --git a/Makefile_v1 b/Makefile_v1 index 28a7b825..fed9240a 100644 --- a/Makefile_v1 +++ b/Makefile_v1 
@@ -381,22 +381,30 @@ ifneq ($(INSTA),) CA_SECTION=Insta OCSP_CHECK= #$(OPENSSL) ocsp -url "ldap://www.certificate.fi:389/CN=Insta Demo CA,O=Insta Demo,C=FI?caCertificate" -CAfile creds/trusted/InstaDemoCA.crt -issuer creds/trusted/InstaDemoCA.crt -cert creds/operational.crt override EXTRA_OPTS += -path pkix/ -newkeytype rsa:1024 -else +endif +ifneq ($(CLOUDCA),) + CA_SECTION=CloudCA + OCSP_CHECK= + override EXTRA_OPTS += -path /.well-known/cmp -subject /CN=CloudCA-Integration-Test-User +endif +ifeq ($(INSTA)$(CLOUDCA),) CA_SECTION=EJBCA OCSP_CHECK=$(OPENSSL) ocsp -url $(EJBCA_OCSP_URL) \ - -CAfile $(EJBCA_CMP_TRUSTED) -issuer $(EJBCA_CMP_ISSUER) \ - -cert creds/operational.crt - ifeq ($(EJBCA_TLS_HOST),) # workaround for ephemeral TLS server certificate of ejbca-docker: - override EXTRA_OPTS += -tls_host `cat creds/docker/TLS_ROOTCA-docker-cn.txt` - BOOTSTRAP_CREDS = -cert creds/manufacturer.crt -key creds/manufacturer.pem - endif + -CAfile $(EJBCA_CMP_TRUSTED) -issuer $(EJBCA_CMP_ISSUER) \ + -cert creds/operational.crt + ifeq ($(EJBCA_TLS_HOST),) # workaround for ephemeral TLS server certificate of ejbca-docker: + override EXTRA_OPTS += -tls_host `cat creds/docker/TLS_ROOTCA-docker-cn.txt` + BOOTSTRAP_CREDS = -cert creds/manufacturer.crt -key creds/manufacturer.pem + endif endif -.phony: demo demo_Insta demo_EJBCA +.phony: demo demo_Insta demo_EJBCA demo_CloudCA demo: demo_Insta demo_Insta: get_Insta_crls $(MAKE) -f Makefile_v1 run_demo BIN_DIR="$(BIN_DIR)" INSTA="using Insta" SLEEP="sleep 1" -# for Insta, sleep 1 helps avoid ERROR: server response error : Code=503,Reason=Service Unavailable + # for Insta, sleep 1 helps avoid ERROR: server response error : Code=503,Reason=Service Unavailable +demo_CloudCA: + $(MAKE) -f Makefile_v1 run_demo BIN_DIR="$(BIN_DIR)" CLOUDCA="using CloudCA Connector" demo_EJBCA: start_EJBCA get_EJBCA_crls run_demo stop_EJBCA CMPCLIENT=$(SET_PROXY) $(DY)LD_LIBRARY_PATH="$(OUT_DIR):$(OPENSSL_LIB):$(SECUTILS_DIR):$(LIBCMP_DIR)" 
$(OUT_DIR_BIN) @@ -404,17 +412,21 @@ GENERATE_OPERATIONAL=$(OPENSSL) x509 -in creds/operational.crt -x509toreq -signk .phony: run_demo run_demo: $(OUT_DIR_BIN) @which $(OPENSSL) >/dev/null || (echo "cannot find $(OPENSSL), please install it"; false) - @/bin/echo -e "\n##### running cmpClient demo $(INSTA) #####\n" + @/bin/echo -e "\n##### running cmpClient demo $(INSTA)$(CLOUDCA) #####\n" $(CMPCLIENT) imprint -section $(CA_SECTION) $(EXTRA_OPTS) @/bin/echo -e "\nValidating own CMP client cert" - ifeq ($(INSTA),) - $(CMPCLIENT) validate -section EJBCA -cert $(EJBCA_CMP_CLIENT) -tls_cert "" -own_trusted $(EJBCA_CMP_TRUSTED),$(EJBCA_TRUSTED) -untrusted $(EJBCA_UNTRUSTED) - ifneq ($(EJBCA_TLS_HOST),) - @/bin/echo -e "\nValidating own TLS client cert" - $(CMPCLIENT) validate -section validate -tls_cert $(EJBCA_TLS_CLIENT) -tls_trusted $(EJBCA_TRUSTED) -untrusted $(EJBCA_UNTRUSTED) - endif + ifeq ($(INSTA)$(CLOUDCA),) + $(CMPCLIENT) validate -section EJBCA -cert $(EJBCA_CMP_CLIENT) -tls_cert "" -own_trusted $(EJBCA_CMP_TRUSTED),$(EJBCA_TRUSTED) -untrusted $(EJBCA_UNTRUSTED) + ifneq ($(EJBCA_TLS_HOST),) + @/bin/echo -e "\nValidating own TLS client cert" + $(CMPCLIENT) validate -section validate -tls_cert $(EJBCA_TLS_CLIENT) -tls_trusted $(EJBCA_TRUSTED) -untrusted $(EJBCA_UNTRUSTED) + endif else - $(CMPCLIENT) validate -section Insta -tls_cert "" -cert creds/manufacturer.crt -own_trusted creds/trusted/InstaDemoCA.crt # -no_check_time + ifneq ($(INSTA),) + $(CMPCLIENT) validate -section Insta -tls_cert "" -cert creds/manufacturer.crt -own_trusted creds/trusted/InstaDemoCA.crt # -no_check_time + else + $(CMPCLIENT) validate -section CloudCA -tls_cert "" -cert creds/manufacturer.crt -own_trusted creds/trusted/CloudCA_Root.crt -untrusted creds/extracerts.pem + endif endif @echo $(CMPCLIENT) bootstrap -section $(CA_SECTION) $(EXTRA_OPTS) $(BOOTSTRAP_CREDS) 
@@ -437,12 +449,12 @@ run_demo: $(OUT_DIR_BIN) @echo : $(OCSP_CHECK) ifneq ($(INSTA),) - @echo - @$(SLEEP) - $(CMPCLIENT) genm -section $(CA_SECTION) $(EXTRA_OPTS) - @echo : + @echo + @$(SLEEP) + $(CMPCLIENT) genm -section $(CA_SECTION) $(EXTRA_OPTS) + @echo : endif - @echo -e "\n#### finished demo $(INSTA) ####" + @echo -e "\n#### finished demo $(INSTA)$(CLOUDCA) ####" @echo : # tests ######################################################################## @@ -552,10 +564,10 @@ tests_LwCmp: $(OUT_DIR_BIN) test_all: demo_EJBCA test test_Mock tests_LwCmp ifneq ($(TEST_SIMPLE),) -test_all: test_Simple test_profile + test_all: test_Simple test_profile endif ifneq ($(TEST_INSTA),) -test_all: test_Insta + test_all: test_Insta endif test: clean build_no_tls diff --git a/config/demo.cnf b/config/demo.cnf index d5cd4210..777d566c 100644 --- a/config/demo.cnf +++ b/config/demo.cnf @@ -140,6 +140,29 @@ tls_used = 0 #tls_cert = $cert #tls_key = $key +[CloudCA] +# Server +server = broker.sdo-qa.siemens.cloud:443 +path = /.well-known/cmp +tls_used = 1 +tls_trusted = creds/trusted/DigicertGlobalRootG2.crt + +# Tenant on server +recipient = /CN=CloudPKI-Integration-Test +cacert = creds/trusted/CloudCA_Root.crt +trusted = $cacert +out_trusted = $cacert + +# User in tenant +ref = /CN=CloudCA-Integration-Test-User +secret = pass:SiemensIT +subject = $ref + +# Local store for imprinting results +cert = creds/manufacturer.crt +key = creds/manufacturer.pem +keypass = pass:12345 + [imprint] path = ${ENV::EJBCA_PATH}/${ENV::EJBCA_PATH_IMPRINT} subject = ${ENV::EJBCA_CMP_SUBJECT_IMPRINT} @@ -214,9 +237,9 @@ infotype = signKeyPairTypes # default [validate] keypass = pass:12345 tls_keypass = $keypass -check_all = 1 +#check_all = 1 use_aia = 0 -use_cdp = 1 +#use_cdp = 1 crl_cache_dir = creds/crls/ verbosity = 6 
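Review bot: `secret = pass:SiemensIT` in the new `[CloudCA]` section commits a CMP shared secret (and `keypass = pass:12345` for the local key) in cleartext; even for a QA tenant, a credential that authenticates enrollment as `/CN=CloudCA-Integration-Test-User` should come from the environment, which this file already does elsewhere with `${ENV::EJBCA_PATH}`, e.g. `secret = ${ENV::CLOUDCA_SECRET}`. If the value is intentionally public, a comment stating that the tenant is test-only (the CloudCA root added in this commit appears to carry a policy notice that it must not be used productively) would make that explicit. Pinning `tls_trusted` to the single `DigicertGlobalRootG2.crt` rather than a system store is good.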
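Review bot: Commenting out `check_all = 1` and `use_cdp = 1` in `[validate]` turns off CRL-based revocation checking for every demo target that uses this section, not only the new CloudCA case, and nothing in the hunk says why. The following patch in this series moves the two settings into a separate `[crls]` section, so within this commit alone the Insta and EJBCA validations run without revocation checks; a comment such as `# revocation settings are selected per CA in Makefile_v1`, or squashing this with the follow-up, would avoid a point in history where the demo silently validates without status checks.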
@@ -229,7 +252,7 @@ verbosity = 6 #basicConstraints = CA:FASE keyUsage = "critical, digitalSignature" # is ignored by EJBCA extendedKeyUsage = "critical, serverAuth, 1.3.6.1.5.5.7.3.2" # is ignored by EJBCA -subjectAltName = @alt_names +#subjectAltName = @alt_names [alt_names] DNS.0 = localhost diff --git a/creds/trusted/CloudCA_Root.crt b/creds/trusted/CloudCA_Root.crt new file mode 100644 index 00000000..9706bc8d --- /dev/null +++ b/creds/trusted/CloudCA_Root.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDmzCCAvygAwIBAgIIVFd61YYnHU8wCgYIKoZIzj0EAwQwXzETMBEGA1UEChMK +U2llbWVucyBJVDEpMCcGA1UECxMgU2VjdXJlIERldmljZSBPbmJvYXJkaW5nIEJh +Y2tlbmQxHTAbBgNVBAMTFE1hbnVmYWN0dXJlciBSb290IENBMB4XDTIzMTIwNDAw +MDAwMFoXDTMzMTIwMzIzNTk1OVowXzETMBEGA1UEChMKU2llbWVucyBJVDEpMCcG +A1UECxMgU2VjdXJlIERldmljZSBPbmJvYXJkaW5nIEJhY2tlbmQxHTAbBgNVBAMT +FE1hbnVmYWN0dXJlciBSb290IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQB +EWVjgsSOSlW0ZDy1PdyfiataVc1mXmA8P1o6h9Z2/ixN3fWcGNba/ipXMFAnAPlP +p+9cnLKOiUM7avP8JK2aNUAAVNGE6xHXLuEGrFDFGMl167vapGdKuK7mh6HotEBz +p5E65FE5kj/xwz45mO+VPtxteXDc1krq9UUwHIGRJjK0r3yjggFdMIIBWTAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQLGbo3GjaEvplMOCntI6c862CdlDB4BgNV +HSMEcTBvoWOkYTBfMRMwEQYDVQQKEwpTaWVtZW5zIElUMSkwJwYDVQQLEyBTZWN1 +cmUgRGV2aWNlIE9uYm9hcmRpbmcgQmFja2VuZDEdMBsGA1UEAxMUTWFudWZhY3R1 +cmVyIFJvb3QgQ0GCCFRXetWGJx1PMAsGA1UdDwQEAwIBBjCBnwYDVR0gBIGXMIGU +MIGRBgMqAwQwgYkwKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2RvLXFhLnNpZW1lbnMu +Y2xvdWQvMFwGCCsGAQUFBwICMFAwGhYKU2llbWVucyBJVDAMAgEBAgECAgEDAgEE +GjJOZXZlciBldmVyIHVzZSB0aGlzIENBIGZvciBhbnkgcHJvZHVjdGl2ZSBzY2Vu +YXJpbzAKBggqhkjOPQQDBAOBjAAwgYgCQgG5d95P0XzYr9V527ssgkvSlb+igSgt +uBmgxMhVxT4odSHZbSzGmyV9e42+5gKo3ESUjYstO80RWtNaaD5yqN4pkwJCAWfH +XIFMnLje7ustqkMi3b54U6Gs5z9P4ZcEMiT7CzAlSusL83vX+PbvpKgWhj1IBCvM +rIHJ62WrVqw6SSI6WER2 +-----END CERTIFICATE----- diff --git a/creds/trusted/DigicertGlobalRootG2.crt b/creds/trusted/DigicertGlobalRootG2.crt new file mode 100644 index 00000000..3188acc7 --- /dev/null 
+++ b/creds/trusted/DigicertGlobalRootG2.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH +MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT +MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j +b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI +2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx +1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ +q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz +tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ +vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP +BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV +5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY +1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4 +NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG +Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91 +8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe +pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl +MrY= +-----END CERTIFICATE----- From e6d00f34ebfdd76edff271eb890905661a204651 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Wed, 20 Dec 2023 21:29:09 +0100 Subject: [PATCH 3/3] Makefile_v1,config/demo.cnf: tweak inclusion of CloudCA and other CA demo cases --- Makefile_v1 | 55 ++++++++++++++++++++++--------------------------- config/demo.cnf | 13 ++++++++---- 2 files changed, 34 insertions(+), 34 deletions(-) diff --git a/Makefile_v1 b/Makefile_v1 index fed9240a..d62d64d0 100644 --- a/Makefile_v1 +++ b/Makefile_v1 
@@ -377,18 +377,17 @@ get_Insta_crls: | creds/crls # demo ######################################################################### -ifneq ($(INSTA),) - CA_SECTION=Insta - OCSP_CHECK= #$(OPENSSL) ocsp -url "ldap://www.certificate.fi:389/CN=Insta Demo CA,O=Insta Demo,C=FI?caCertificate" -CAfile creds/trusted/InstaDemoCA.crt -issuer creds/trusted/InstaDemoCA.crt -cert creds/operational.crt +ifeq ($(CA_SECTION),Insta) override EXTRA_OPTS += -path pkix/ -newkeytype rsa:1024 -endif -ifneq ($(CLOUDCA),) - CA_SECTION=CloudCA + CRL_SECTION=crls + OCSP_CHECK= #$(OPENSSL) ocsp -url "ldap://www.certificate.fi:389/CN=Insta Demo CA,O=Insta Demo,C=FI?caCertificate" -CAfile creds/trusted/InstaDemoCA.crt -issuer creds/trusted/InstaDemoCA.crt -cert creds/operational.crt +else ifeq ($(CA_SECTION),CloudCA) + CRL_SECTION= # no crl-based checks OCSP_CHECK= - override EXTRA_OPTS += -path /.well-known/cmp -subject /CN=CloudCA-Integration-Test-User -endif -ifeq ($(INSTA)$(CLOUDCA),) + override EXTRA_OPTS += -path /.well-known/cmp -reqexts empty -subject /CN=CloudCA-Integration-Test-User +else CA_SECTION=EJBCA + CRL_SECTION=crls OCSP_CHECK=$(OPENSSL) ocsp -url $(EJBCA_OCSP_URL) \ -CAfile $(EJBCA_CMP_TRUSTED) -issuer $(EJBCA_CMP_ISSUER) \ -cert creds/operational.crt 
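Review bot: The `else` branch at the end of the new `ifeq` chain assigns `CA_SECTION=EJBCA` for any value that is not exactly `Insta` or `CloudCA`, so a typo such as `CA_SECTION=cloudca` silently runs the EJBCA demo instead of failing; a guard like `else ifneq ($(CA_SECTION),)` followed by `$(error unknown CA_SECTION '$(CA_SECTION)')` before the default would catch it. In the CloudCA branch, `CRL_SECTION= # no crl-based checks` together with `OCSP_CHECK=` means that demo validates certificates with no revocation information at all; the comment should say why (presumably the tenant publishes no CDP or OCSP responder — to be confirmed), e.g. `# CloudCA tenant publishes no CRL/OCSP endpoint, so this demo runs without revocation checks`. Unrelated to this change but visible in the same lines, the Insta case still enrolls with `-newkeytype rsa:1024`.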
@@ -401,10 +400,10 @@ endif .phony: demo demo_Insta demo_EJBCA demo_CloudCA demo: demo_Insta demo_Insta: get_Insta_crls - $(MAKE) -f Makefile_v1 run_demo BIN_DIR="$(BIN_DIR)" INSTA="using Insta" SLEEP="sleep 1" - # for Insta, sleep 1 helps avoid ERROR: server response error : Code=503,Reason=Service Unavailable + $(MAKE) -f Makefile_v1 run_demo BIN_DIR="$(BIN_DIR)" CA_SECTION="Insta" SLEEP="sleep 1" + # for Insta, sleep 1 helps avoid ERROR: server response error : Code=503,Reason=Service Unavailable demo_CloudCA: - $(MAKE) -f Makefile_v1 run_demo BIN_DIR="$(BIN_DIR)" CLOUDCA="using CloudCA Connector" + $(MAKE) -f Makefile_v1 run_demo BIN_DIR="$(BIN_DIR)" CA_SECTION="CloudCA" demo_EJBCA: start_EJBCA get_EJBCA_crls run_demo stop_EJBCA CMPCLIENT=$(SET_PROXY) $(DY)LD_LIBRARY_PATH="$(OUT_DIR):$(OPENSSL_LIB):$(SECUTILS_DIR):$(LIBCMP_DIR)" $(OUT_DIR_BIN) 
@@ -412,21 +411,17 @@ GENERATE_OPERATIONAL=$(OPENSSL) x509 -in creds/operational.crt -x509toreq -signk .phony: run_demo run_demo: $(OUT_DIR_BIN) @which $(OPENSSL) >/dev/null || (echo "cannot find $(OPENSSL), please install it"; false) - @/bin/echo -e "\n##### running cmpClient demo $(INSTA)$(CLOUDCA) #####\n" + @/bin/echo -e "\n##### running cmpClient demo using $(CA_SECTION) #####\n" $(CMPCLIENT) imprint -section $(CA_SECTION) $(EXTRA_OPTS) @/bin/echo -e "\nValidating own CMP client cert" - ifeq ($(INSTA)$(CLOUDCA),) - $(CMPCLIENT) validate -section EJBCA -cert $(EJBCA_CMP_CLIENT) -tls_cert "" -own_trusted $(EJBCA_CMP_TRUSTED),$(EJBCA_TRUSTED) -untrusted $(EJBCA_UNTRUSTED) + ifeq ($(CA_SECTION),EJBCA) + $(CMPCLIENT) validate -section $(CA_SECTION),$(CRL_SECTION) -cert $(EJBCA_CMP_CLIENT) -tls_cert "" -own_trusted $(EJBCA_CMP_TRUSTED),$(EJBCA_TRUSTED) -untrusted $(EJBCA_UNTRUSTED) ifneq ($(EJBCA_TLS_HOST),) - @/bin/echo -e "\nValidating own TLS client cert" - $(CMPCLIENT) validate -section validate -tls_cert $(EJBCA_TLS_CLIENT) -tls_trusted $(EJBCA_TRUSTED) -untrusted $(EJBCA_UNTRUSTED) + @/bin/echo -e "\nValidating own TLS client cert" + $(CMPCLIENT) validate -section $(CA_SECTION),$(CRL_SECTION) -tls_cert $(EJBCA_TLS_CLIENT) -tls_trusted $(EJBCA_TRUSTED) -untrusted $(EJBCA_UNTRUSTED) -no_check_time endif else - ifneq ($(INSTA),) - $(CMPCLIENT) validate -section Insta -tls_cert "" -cert creds/manufacturer.crt -own_trusted creds/trusted/InstaDemoCA.crt # -no_check_time - else - $(CMPCLIENT) validate -section CloudCA -tls_cert "" -cert creds/manufacturer.crt -own_trusted creds/trusted/CloudCA_Root.crt -untrusted creds/extracerts.pem - endif + $(CMPCLIENT) validate -section $(CA_SECTION),$(CRL_SECTION) -tls_cert "" -cert creds/manufacturer.crt -untrusted creds/extracerts.pem # -no_check_time endif @echo $(CMPCLIENT) bootstrap -section $(CA_SECTION) $(EXTRA_OPTS) $(BOOTSTRAP_CREDS) 
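Review bot: `-no_check_time` is newly added to the TLS client-cert validation in the `EJBCA_TLS_HOST` branch, which makes that check accept an expired or not-yet-valid certificate, and the hunk gives no reason; a comment on the line such as `# ejbca-docker TLS certs may be outside their validity period when validated`, or whatever the actual cause is, would keep it from being copied into non-demo invocations. Also, `-section $(CA_SECTION),$(CRL_SECTION)` expands to `-section CloudCA,` with a trailing comma when `CRL_SECTION` is empty, as it is for CloudCA in this patch; whether the config parser tolerates an empty section name I cannot tell from here, so building the list as `comma := ,` and `SECTIONS = $(CA_SECTION)$(addprefix $(comma),$(CRL_SECTION))` and passing `-section $(SECTIONS)` would make it well-formed in both cases.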
@@ -448,13 +443,13 @@ run_demo: $(OUT_DIR_BIN) $(CMPCLIENT) revoke -section $(CA_SECTION) $(EXTRA_OPTS) @echo : $(OCSP_CHECK) - ifneq ($(INSTA),) - @echo - @$(SLEEP) - $(CMPCLIENT) genm -section $(CA_SECTION) $(EXTRA_OPTS) - @echo : + ifeq ($(CA_SECTION),Insta) + @echo + @$(SLEEP) + $(CMPCLIENT) genm -section $(CA_SECTION) $(EXTRA_OPTS) + @echo : endif - @echo -e "\n#### finished demo $(INSTA)$(CLOUDCA) ####" + @echo -e "\n#### finished demo using $(CA_SECTION) ####" @echo : # tests ######################################################################## @@ -564,10 +559,10 @@ tests_LwCmp: $(OUT_DIR_BIN) test_all: demo_EJBCA test test_Mock tests_LwCmp ifneq ($(TEST_SIMPLE),) - test_all: test_Simple test_profile +test_all: test_Simple test_profile endif ifneq ($(TEST_INSTA),) - test_all: test_Insta +test_all: test_Insta endif test: clean build_no_tls diff --git a/config/demo.cnf b/config/demo.cnf index 777d566c..1f277c9f 100644 --- a/config/demo.cnf +++ b/config/demo.cnf @@ -87,6 +87,7 @@ server = ${ENV::EJBCA_HOST}:${ENV::EJBCA_HTTP_PORT} tls_used = 0 [no-certstatus] +check_all = 0 crls = use_cdp = 0 cdps = @@ -118,6 +119,7 @@ out_trusted = creds/trusted/ENROLL_Root.pem [Insta] server = pki.certificate.fi:8700/pkix/ +# path = pkix/ # gets overridden by Makefile_v1 secret = pass:insta ref = 3078 #would need to be updated every 3 months: @@ -133,6 +135,7 @@ cacert = creds/trusted/InstaDemoCA.crt trusted = $cacert crls = creds/crls/InstaDemoCA.crl out_trusted = $cacert +own_trusted = $cacert tls_used = 0 #tls_trusted = $cacert @@ -143,7 +146,7 @@ tls_used = 0 [CloudCA] # Server server = broker.sdo-qa.siemens.cloud:443 -path = /.well-known/cmp +# path = /.well-known/cmp # gets overridden by Makefile_v1 tls_used = 1 tls_trusted = creds/trusted/DigicertGlobalRootG2.crt 
@@ -152,6 +155,7 @@ recipient = /CN=CloudPKI-Integration-Test cacert = creds/trusted/CloudCA_Root.crt trusted = $cacert out_trusted = $cacert +own_trusted = $cacert # User in tenant ref = /CN=CloudCA-Integration-Test-User @@ -237,11 +241,12 @@ infotype = signKeyPairTypes # default [validate] keypass = pass:12345 tls_keypass = $keypass -#check_all = 1 use_aia = 0 -#use_cdp = 1 crl_cache_dir = creds/crls/ verbosity = 6 +[crls] +check_all = 1 +use_cdp = 1 [empty] #keyUsage = @@ -252,7 +257,7 @@ verbosity = 6 #basicConstraints = CA:FASE keyUsage = "critical, digitalSignature" # is ignored by EJBCA extendedKeyUsage = "critical, serverAuth, 1.3.6.1.5.5.7.3.2" # is ignored by EJBCA -#subjectAltName = @alt_names +subjectAltName = @alt_names [alt_names] DNS.0 = localhost
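Review bot: The new `[crls]` section has no comment, and since `check_all` and `use_cdp` were removed from `[validate]`, a reader of demo.cnf alone cannot tell that CRL revocation checking is now opt-in and only active when Makefile_v1 appends the section via `CRL_SECTION`; add `# CRL-based revocation checking; appended to -section by Makefile_v1 (CRL_SECTION) for the Insta and EJBCA demos` above it. Note that `use_aia = 0` stays in `[validate]`, so no demo target performs OCSP via AIA either; if that is deliberate, a one-line comment there would help.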