From: Martin P. <ma...@pe...> - 2017-09-21 06:57:07

Hi Riccardo,

thank you for reporting. Could you
- create a ticket on https://sourceforge.net/p/cmpforopenssl/bugs/
- note the exact GIT commit you use (e.g. the output of 'git log | head')
- note the exact command line you use
- attach the full Wireshark trace

I don't fully understand the OCSP issue you describe; it'd likely be good if that is also included in the code. Maybe you also have a CRL to look at?

BR,
Martin

On Wed, Sep 20, 2017 at 10:21 PM, Riccardo Bruzzone <ric...@er...> wrote:
> Hi all,
> Using the git clone https://git.code.sf.net/p/cmpforopenssl/git cmpforopenssl-git
> I downloaded and installed your last version of cmpforopenssl in a Ubuntu 14.04.5 LTS VM (I made this on September 14th).
>
> Trying to evaluate cmpforopenssl, I saw that your application isn't managing the revocation reason correctly.
>
> The cmp revocation request was tested using both cmpforopenssl and cmpclient (both have been run in clear text … no TLS used).
>
> In both cases the certificates were revoked, but an unexpected wrong revocation code (different from all values tried) was observed invoking the OCSP protocol with the Serial Number of the certificate previously revoked via cmpforopenssl.
>
> Independently of the value of the revocation reason used in the cmpforopenssl syntax, the certificate is always revoked with the reason of cessationOfOperation.
>
> Response verify OK
> trazas5.pem: revoked
> This Update: Sep 15 13:24:15 2017 GMT
> Reason: cessationOfOperation
> Revocation Time: Sep 15 13:23:02 2017 GMT
> root@security:/opt/cmp/bin
>
> Analysing the RR answer in both cases, the first one sent from cmpclient and the second one from cmpforopenssl, I'm seeing that:
>
> - In the Wireshark trace generated during the cmpclient test, the CRLReason value (keyCompromise 1) associated to the id-ce-reasonCode is correctly decoded.
>
> - In the Wireshark trace generated during the cmpforopenssl test, the RR packet has been declared as malformed …. this after the id-ce-reasonCode row.
>
> Can I help you to analyse this behaviour?
> Do you have a patch available on this part to be tested?
>
> Br
> Riccardo

From: Riccardo B. <ric...@er...> - 2017-09-20 19:22:44

Hi all,

Using the git clone https://git.code.sf.net/p/cmpforopenssl/git cmpforopenssl-git
I downloaded and installed your last version of cmpforopenssl in a Ubuntu 14.04.5 LTS VM (I made this on September 14th).

Trying to evaluate cmpforopenssl, I saw that your application isn't managing the revocation reason correctly.

The cmp revocation request was tested using both cmpforopenssl and cmpclient (both have been run in clear text ... no TLS used).

In both cases the certificates were revoked, but an unexpected wrong revocation code (different from all values tried) was observed invoking the OCSP protocol with the Serial Number of the certificate previously revoked via cmpforopenssl.

Independently of the value of the revocation reason used in the cmpforopenssl syntax, the certificate is always revoked with the reason of cessationOfOperation.

Response verify OK
trazas5.pem: revoked
This Update: Sep 15 13:24:15 2017 GMT
Reason: cessationOfOperation
Revocation Time: Sep 15 13:23:02 2017 GMT
root@security:/opt/cmp/bin

Analysing the RR answer in both cases, the first one sent from cmpclient and the second one from cmpforopenssl, I'm seeing that:

* In the Wireshark trace generated during the cmpclient test, the CRLReason value (keyCompromise 1) associated to the id-ce-reasonCode is correctly decoded.

* In the Wireshark trace generated during the cmpforopenssl test, the RR packet has been declared as malformed .... this after the id-ce-reasonCode row.

Can I help you to analyse this behaviour?
Do you have a patch available on this part to be tested?

Br
Riccardo

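The id-ce-reasonCode entry discussed in the report above is an X.509 extension (OID 2.5.29.21) whose extnValue is an OCTET STRING wrapping a DER ENUMERATED CRLReason, as defined in RFC 5280. The following is an added example, not code from cmpforopenssl or from any poster: a strict checker for that encoding, useful for comparing bytes copied out of a trace against the well-formed layout. The function names, error codes and sample byte strings are constructed for illustration, and the malformed samples are not the packet from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* CRLReason names from RFC 5280, section 5.3.1 (value 7 is not used). */
static const char *const REASONS[] = {
    "unspecified", "keyCompromise", "cACompromise", "affiliationChanged",
    "superseded", "cessationOfOperation", "certificateHold", NULL,
    "removeFromCRL", "privilegeWithdrawn", "aACompromise"
};

/* Hypothetical error codes for this example. */
enum { RC_OK = 0, RC_TRUNCATED = -1, RC_BAD_TAG = -2, RC_BAD_LENGTH = -3,
       RC_WRONG_OID = -4, RC_BAD_VALUE = -5 };

/* Constructed samples. Well-formed: SEQUENCE { OID 2.5.29.21, OCTET STRING { ENUMERATED 1 } } */
static const unsigned char SAMPLE_KEY_COMPROMISE[] =
    { 0x30, 0x0A, 0x06, 0x03, 0x55, 0x1D, 0x15, 0x04, 0x03, 0x0A, 0x01, 0x01 };
/* ENUMERATED placed directly after the OID, without the OCTET STRING wrapper. */
static const unsigned char SAMPLE_NO_WRAPPER[] =
    { 0x30, 0x08, 0x06, 0x03, 0x55, 0x1D, 0x15, 0x0A, 0x01, 0x01 };
/* Outer length promises one byte more than is present. */
static const unsigned char SAMPLE_TRUNCATED[] =
    { 0x30, 0x0A, 0x06, 0x03, 0x55, 0x1D, 0x15, 0x04, 0x03, 0x0A, 0x01 };
/* Structurally valid, but 7 is not an assigned CRLReason. */
static const unsigned char SAMPLE_UNUSED_VALUE[] =
    { 0x30, 0x0A, 0x06, 0x03, 0x55, 0x1D, 0x15, 0x04, 0x03, 0x0A, 0x01, 0x07 };

/* Consume one TLV header with the expected tag. Only short-form lengths are
 * accepted: the whole extension is far below 128 bytes, so a long-form
 * length here would not be valid DER. */
static int read_tlv(const unsigned char **p, size_t *left,
                    unsigned char tag, size_t *len)
{
    if (*left < 2) return RC_TRUNCATED;
    if ((*p)[0] != tag) return RC_BAD_TAG;
    if ((*p)[1] & 0x80) return RC_BAD_LENGTH;
    *len = (*p)[1];
    *p += 2;
    *left -= 2;
    return (*len > *left) ? RC_TRUNCATED : RC_OK;
}

/* Validate a DER-encoded reasonCode Extension and return the CRLReason. */
int parse_reason_ext(const unsigned char *der, size_t der_len, int *reason)
{
    static const unsigned char OID_REASON[] = { 0x55, 0x1D, 0x15 }; /* 2.5.29.21 */
    const unsigned char *p = der;
    size_t left = der_len, len;
    int rc;

    if ((rc = read_tlv(&p, &left, 0x30, &len)) != RC_OK) return rc;  /* SEQUENCE */
    if (len != left) return RC_BAD_LENGTH;                           /* trailing bytes */

    if ((rc = read_tlv(&p, &left, 0x06, &len)) != RC_OK) return rc;  /* extnID */
    if (len != sizeof OID_REASON || memcmp(p, OID_REASON, len) != 0)
        return RC_WRONG_OID;
    p += len;
    left -= len;

    if (left >= 1 && p[0] == 0x01) {                                 /* optional critical flag */
        if ((rc = read_tlv(&p, &left, 0x01, &len)) != RC_OK) return rc;
        if (len != 1) return RC_BAD_LENGTH;
        p += 1;
        left -= 1;
    }

    if ((rc = read_tlv(&p, &left, 0x04, &len)) != RC_OK) return rc;  /* extnValue */
    if (len != left) return RC_BAD_LENGTH;

    if ((rc = read_tlv(&p, &left, 0x0A, &len)) != RC_OK) return rc;  /* ENUMERATED */
    if (len != 1 || len != left) return RC_BAD_LENGTH;
    if (p[0] > 10 || p[0] == 7) return RC_BAD_VALUE;

    *reason = p[0];
    return RC_OK;
}

const char *reason_name(int reason)
{
    if (reason < 0 || reason > 10 || REASONS[reason] == NULL) return "invalid";
    return REASONS[reason];
}

int main(void)
{
    const struct { const char *label; const unsigned char *der; size_t len; } samples[] = {
        { "well-formed",  SAMPLE_KEY_COMPROMISE, sizeof SAMPLE_KEY_COMPROMISE },
        { "no wrapper",   SAMPLE_NO_WRAPPER,     sizeof SAMPLE_NO_WRAPPER },
        { "truncated",    SAMPLE_TRUNCATED,      sizeof SAMPLE_TRUNCATED },
        { "unused value", SAMPLE_UNUSED_VALUE,   sizeof SAMPLE_UNUSED_VALUE },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int reason = -1;
        int rc = parse_reason_ext(samples[i].der, samples[i].len, &reason);
        if (rc == RC_OK)
            printf("%-12s ok, reason=%d (%s)\n", samples[i].label, reason, reason_name(reason));
        else
            printf("%-12s rejected, error %d\n", samples[i].label, rc);
    }
    return 0;
}
```
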
From: Martin P. <ma...@pe...> - 2017-01-09 12:19:41

Hi Sinan,

1.0.1e is stable and should build without problems on most systems (well, some issues with Visual Studio are known). Did you try to build it like this: "./config && make depend && make update && make"? If that didn't work, could you copy/paste the exact error?

We're currently heavily working on the version in openssl-master-cmp, so that might not be so stable, but it should also build using the same command as above. For the simple use case, it should not really matter whether you use this or 1.0.1e from a functionality point of view.

As always I'm interested where CMP is used, is it possible that you share more about your use case?

Kind regards,
Martin

On Fri, Jan 6, 2017 at 4:01 PM, Sinan Senol <si...@gm...> wrote:
> Hello,
>
> I need to add CMP support to OpenSSL to test a CMP server. It is enough to test the CMP functionality of the server. I downloaded the up-to-date copy of the Sourceforge codes. But "make" command results in errors in Kali Linux 64-bit OS. I tried only 1.0.1e version but make results in that "make depend" must run.
>
> Is there a stable version that results in successful installation?
>
> Thank you,
>
> Sinan.

From: Sinan S. <si...@gm...> - 2017-01-06 14:01:11

Hello,

I need to add CMP support to OpenSSL to test a CMP server. It is enough to test the CMP functionality of the server. I downloaded the up-to-date copy of the Sourceforge codes. But "make" command results in errors in Kali Linux 64-bit OS. I tried only 1.0.1e version but make results in that "make depend" must run.

Is there a stable version that results in successful installation?

Thank you,

Sinan.

From: <Ad....@in...> - 2014-11-20 14:52:48

Hi all,

Question on "improper protection of PollReq messages".

The PollReq-messages from OpenSSL-CMP are signed, but the certificate required to verify that signature is not provided (in the extraCerts field). My PKI-environment refuses this polling request due to "badMessageCheck". I've tested another client which does provide the certificate; this request is processed properly. The CR-request does contain the RA-certificate.

Is this a bug?

Ad Schoonen

From: Martin P. <cmp...@iz...> - 2013-09-18 14:35:51

Hi Iris,

I'm not aware whether it has been tested on Windows but in general there shouldn't be any difference to building OpenSSL under Windows with or without the patch.

Please let us know in case you'd encounter any issues.

Kind regards,
Martin

On Tue, Sep 17, 2013 at 1:09 PM, Iris Su <iri...@gm...> wrote:
> Hello,
>
> Does latest CMPv2 patch (run on openssl-1.0.1e) support windows platform?
> If yes, is there any procedure to build windows version?
>
> BR,
> Iris

From: Iris Su <iri...@gm...> - 2013-09-17 10:09:09

Hello,

Does latest CMPv2 patch (run on openssl-1.0.1e) support windows platform?
If yes, is there any procedure to build windows version?

BR,
Iris

From: VP Dominic-M. <MV...@mo...> - 2012-10-10 12:03:00

Hi Martin,

We need to implement a CMPv2 client for business purpose and we are exploring the option of using opensource for this. Cmpforopenssl seems to be a good option so we are exploring more on this.

Regarding interoperability with EJBCA, Initial request (ir) message exchange is working fine after configuring EJBCA CMP in RA mode and re-deploying EJBCA. But the 'certificate request' is still failing.

Following are the commands that were executed on the cmpforopenssl cmpclient,

Initial request:
./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --ir --user user1 --password password --newclcert user1-cert.der --newkey user1-key.pem --subject "C=IN,CN=User1"

This command was successful and the initial client certificate was successfully received.

Certificate request:
./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --cr --user user1 --password password --newclcert user1-cert-new.der --newkey user1-key-new.pem --clcert user1-cert.der --key user1-key.pem

This command failed, and the following error was observed on the EJBCA side.

15:48:28,521 INFO [CmpServlet] CMP message received from: 127.0.0.1.
15:48:28,535 ERROR [CrmfMessageHandler] Could not create CmpPbeVerifyer
15:48:28,538 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 15

Any idea why I am getting this error?
Packet capture is attached.

Regards
Dominic

-----Original Message-----
From: Martin Peylo [mailto:cmp...@iz...]
Sent: 10 October 2012 13:16
To: dominic peter
Cc: cmp...@li...
Subject: Re: [Cmpforopenssl-devel] Interop cmpclient with EJBCA

Hi Dominic,

did you configure EJBCA as described in <http://sourceforge.net/apps/mediawiki/cmpforopenssl/index.php?title=EJBCA>?

There's also a way to do that RegTokenPwd thing in the code if you really need that. Unfortunately in this very moment I lack the time to give a good explanation - come back to me if you don't find it.

NB: try using the OpenSSL app which you can use with "openssl cmp ...". I just saw that the --help is broken somehow but there is on openssl_cmp.pod in the documentation explaining its usage. The cmpclient will not be updated in the future and probably removed soon.

Just interested: Are you using CMP for research or business? If you're developing on the code, we're always open for contributions and bug reports.

Please attach Wireshark traces on further queries, that makes it easy to check out what's going on.

Kind regards,
Martin

On Tue, Oct 9, 2012 at 2:51 PM, dominic peter <dom...@gm...> wrote:
> Hi,
> I am using cmpforopenssl version and EJBCA 4.0.12
> Has anyone tried to interop cmpforopenssl client with EJBCA?
>
> I am trying to send an 'ir' request to EJBCA from the cmpclient using the following command,
>
> ./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert myAdminCA.cacert.pem --ir --user test1 --password test1 --newclcert test1.pem --newkey test1.key --subject "C=IN,ST=KAR,L=TEST,O=TEST,OU=EN,CN=EETest1"
>
> I am seeing the following error on the EJBCA after sending the 'ir' request from the client,
>
> 15:40:36,975 ERROR [CrmfMessageHandler] Could not extract password from CRMF request using the RegTokenPwd authentication module
> 15:40:36,997 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 217.
>
> On the cmpclient I am seeing the following error,
>
> INFO: Sending Initialization Request
> ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 401
> 3078551176:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
> 3078551176:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509
> 3078551176:error:32090087:CMP routines:CMP_doInitialRequestSeq:pkibody error:cmp_ses.c:384:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: wrongAuthority"
>
> Any ideas?
>
> Thanks in advance.
>
> Regards
> Dominic

From: Martin P. <cmp...@iz...> - 2012-10-10 08:42:13

Hi Dominic,

did you configure EJBCA as described in <http://sourceforge.net/apps/mediawiki/cmpforopenssl/index.php?title=EJBCA>?

There's also a way to do that RegTokenPwd thing in the code if you really need that. Unfortunately in this very moment I lack the time to give a good explanation - come back to me if you don't find it.

NB: try using the OpenSSL app which you can use with "openssl cmp ...". I just saw that the --help is broken somehow but there is on openssl_cmp.pod in the documentation explaining its usage. The cmpclient will not be updated in the future and probably removed soon.

Just interested: Are you using CMP for research or business? If you're developing on the code, we're always open for contributions and bug reports.

Please attach Wireshark traces on further queries, that makes it easy to check out what's going on.

Kind regards,
Martin

On Tue, Oct 9, 2012 at 2:51 PM, dominic peter <dom...@gm...> wrote:
> Hi,
> I am using cmpforopenssl version and EJBCA 4.0.12
> Has anyone tried to interop cmpforopenssl client with EJBCA?
>
> I am trying to send an 'ir' request to EJBCA from the cmpclient using the following command,
>
> ./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert myAdminCA.cacert.pem --ir --user test1 --password test1 --newclcert test1.pem --newkey test1.key --subject "C=IN,ST=KAR,L=TEST,O=TEST,OU=EN,CN=EETest1"
>
> I am seeing the following error on the EJBCA after sending the 'ir' request from the client,
>
> 15:40:36,975 ERROR [CrmfMessageHandler] Could not extract password from CRMF request using the RegTokenPwd authentication module
> 15:40:36,997 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 217.
>
> On the cmpclient I am seeing the following error,
>
> INFO: Sending Initialization Request
> ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 401
> 3078551176:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
> 3078551176:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509
> 3078551176:error:32090087:CMP routines:CMP_doInitialRequestSeq:pkibody error:cmp_ses.c:384:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: wrongAuthority"
>
> Any ideas?
>
> Thanks in advance.
>
> Regards
> Dominic

From: dominic p. <dom...@gm...> - 2012-10-09 11:51:58

Hi,

I am using cmpforopenssl version and EJBCA 4.0.12
Has anyone tried to interop cmpforopenssl client with EJBCA?

I am trying to send an 'ir' request to EJBCA from the cmpclient using the following command,

./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert myAdminCA.cacert.pem --ir --user test1 --password test1 --newclcert test1.pem --newkey test1.key --subject "C=IN,ST=KAR,L=TEST,O=TEST,OU=EN,CN=EETest1"

I am seeing the following error on the EJBCA after sending the 'ir' request from the client,

15:40:36,975 ERROR [CrmfMessageHandler] Could not extract password from CRMF request using the RegTokenPwd authentication module
15:40:36,997 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 217.

On the cmpclient I am seeing the following error,

INFO: Sending Initialization Request
ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 401
3078551176:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
3078551176:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509
3078551176:error:32090087:CMP routines:CMP_doInitialRequestSeq:pkibody error:cmp_ses.c:384:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: wrongAuthority"

Any ideas?

Thanks in advance.

Regards
Dominic

From: Umarale, L. S (Lakshmi) <lak...@al...> - 2012-05-01 16:14:27

I have enabled ipv6 in curl-plugin. Is there anything that needs to be enabled for cmpforopenssl to support ipv6?

Thanks
Lakshmi

From: Bálint V. <var...@gm...> - 2012-04-11 12:38:46

2012-04-02 07:16:56 PDT

Hello,

I am trying to configure and launch a sample of CMPv2 server, but blocked at a step where it is needed to add PKI user. Could you please point me in the right direction for my issue?

I got the following errors while execution of the script:

$ ./srv_add_pki_usr.sh
./../bin/cmpserver-cl --createuser --country DE --organization NSN --unit PG RDE 324440 --commonname Martin Peylo
SUCCESS init
SUCCESS add random
ERROR create and open certstore - in FILE: cmpserver-cl.c, LINE 608, status=-3
ERROR open certstore - in FILE: cmpserver-cl.c, LINE 613, status=-3
INFO: Creating PKI User
COUNTRY:"DE" ORG:"NSN" UNIT:"PG RDE 324987" CN:"Martin Peylo"
SUCCESS creating certificate
ERROR storing the PKI User - in FILE: cmpserver-cl.c, LINE 316, status=-1
SUCCESS destroying certificate
ERROR close certstore - in FILE: cmpserver-cl.c, LINE 617, status=-1
SUCCESS shutting down cryptlib

ODBC connection works fine, I just checked it with isql tool.
I am using Ubuntu 10.04.3 as a workstation.

From: mviljane <mvi...@us...> - 2011-09-19 11:11:33

Hi,

The current cmpclient is compatible with cryptlib using the --cryptlib commandline argument, there should be no interoperability problems when using the client with a cryptlib server.

However, if you do encounter interoperability problems or other bugs, bug reports and patches are always very welcome. :-)

best regards,
mviljane

On 2011-09-01 22:32:47 +0300, Salvarani, Alexandro (Alex) wrote:
> Hi there,
> I need help on using the source code for support of CMPv2
> I would like to use the sourceforge code to implement a CMPv2 client. I am developing a CMPv2 server that is able to interoperate with the CMPv2.
> If I build the CMPv2 server in cryptlib (and not OpenSSL) would I have an interoperability problem?
>
> Please let me know the technical details, because I saw slides from Martin Peylo where he mentioned that the CMPv2 client source code does not interoperate with CMPv2 servers implemented using cryptlib.
>
> Regards,
> Alex Salvarani
> System Development
> Murray Hill NJ
> Alcatel-Lucent

From: Salvarani, A. (Alex) <ale...@al...> - 2011-09-01 19:33:00

Hi there,

I need help on using the source code for support of CMPv2
I would like to use the sourceforge code to implement a CMPv2 client. I am developing a CMPv2 server that is able to interoperate with the CMPv2.
If I build the CMPv2 server in cryptlib (and not OpenSSL) would I have an interoperability problem?

Please let me know the technical details, because I saw slides from Martin Peylo where he mentioned that the CMPv2 client source code does not interoperate with CMPv2 servers implemented using cryptlib.

Regards,
Alex Salvarani
System Development
Murray Hill NJ
Alcatel-Lucent

From: Martin P. <cmp...@iz...> - 2011-08-17 22:47:07

Hi,

creating the database access is always problematic and AFAIK using a native (non-Ubuntu) installation of the database might have better chances to succeed. As soon as you have succeeded please provide a detailed guide how to do the setup to the community.

The server side example will most probably be removed from here very soon to permit core development to concentrate fully on the library implementation. I'd suggest to search (commercial?) support from one of the CMP server vendors (e.g. the creators of cryptlib or EJBCA) directly.

Please subscribe to this mailing list when posting! If you're not subscribed, it is pretty much luck when and if someone approves (or discards) your mail to the list.

Kind regards,
Martin

On Tue, Aug 16, 2011 at 2:07 PM, Vikalp Bansal <vik...@gm...> wrote:
> create database in ubuntu for cryptlib CA to access
> step by step instruction please

From: Vikalp B. <vik...@gm...> - 2011-08-16 11:07:48

create database in ubuntu for cryptlib CA to access
step by step instruction please

From: Miikka V. <mvi...@us...> - 2011-06-17 14:20:03

Hi,

It would indeed be a good idea to allow an input key file. As Martin mentioned, the cmpclient tool is not much more than a proof-of-concept at this point, so these options have mainly been used for testing the library.

The behaviour of '--key' flag is a bit confusing since in an IR message it specifies a file where a newly generated key will be saved and in a KUR it specifies a key to be used as input. The '--extcert' option is used for authentication with an external certificate.

I will change the --key flag so that it checks if the key file already exists, and if it does the file will be used as an input for initial request.

Thanks for pointing this out!

best regards,
Miikka

Excerpts from ABULIUS, MUGUR (MUGUR)'s message of 2011-06-13 18:16:36 +0300:
> Hello,
> This topic concerns the client's private key and the interdependency between the options:
> "--key FILE"
> "--extcert FILE"
> Our understanding (after reading the source code) concerning the relationship between these 2 options is the following:
> * If the two options are specified then the tool uses for the initial request as client's private key the file specified by the "--key FILE" option.
> * If the option "--extcert FILE" doesn't exist for the initial request then the tool generates a 1024 bits RSA key at location specified by "--key FILE" option.
> In our scenarios we need ***2048*** bits RSA keys (possibly more) without using the "--extcert FILE". We think that the greatest flexibility is to allow (as an additional option) an input key file even in case the option "--extcert FILE" is not specified.
> Is it possible to add such option / behavior?
> Which is, please, the rationale of the current interdependency between these two options?
> Best Regards
> Mugur

From: Miikka V. <mvi...@us...> - 2011-06-17 12:44:09

Hi,

Support for this message is implemented - see the function PKIError_data() in cmp_ses.c for example. The cmpclient doesn't necessarily yet print out the error messages in every situation though.

best regards,
Miikka

Excerpts from ABULIUS, MUGUR (MUGUR)'s message of 2011-06-13 18:25:46 +0300:
> Hello,
> This topic concerns the support of the CMPv2 error message - code '06'H (ErrorMsgContent / ErrorMsgRep).
> Do you intend to support this CMPv2 message with OpenSSL?
> Best Regards
> Mugur

From: Martin P. <cmp...@iz...> - 2011-06-17 09:59:23

Hi,

same here - the "cmpforopenssl" *tool* is not the main focus of that project so not all functionality present in the API is necessarily available there.

Patches are welcome :-)

Martin

On Mon, Jun 13, 2011 at 5:25 PM, ABULIUS, MUGUR (MUGUR) <mug...@al...> wrote:
> Hello,
> This topic concerns the "extraCerts" field of the CMPv2 PKIMessage for the "Initialization Response".
> The 3GPP "TS 33.310 V9.5.0 (2010-12)" specifies at §9.5.4.3:
> "The extraCerts field of the PKIMessage carrying the initialization response shall contain the operator root certificate and …"
> However I didn't see any way to retrieve the extraCerts certificates from the ip (init response) with the "cmpforopenssl" tool. In my understanding (looking sources) the option "--extracert FILE" is an input option only.
> Also the option "--capubs DIRECTORY" is used only to retrieve caPubs certificates.
> Do you intend to provide any option to retrieve extraCerts certificates from initial response?
> Best Regards
> Mugur

From: Martin P. <cmp...@iz...> - 2011-06-17 09:56:33

Hi,

the cmpforopenssl tool is not much more than a very simple proof-of-concept for utilizing the library's API.

It is certainly possible to add the new option. Please consider to give your enhancements back to the project - preferably as bug report on Sourceforge. We'll then test and integrate it.

Kind regards,
Martin

On Mon, Jun 13, 2011 at 5:45 PM, ABULIUS, MUGUR (MUGUR) <mug...@al...> wrote:
> Hello,
> This topic concerns the option "--cacert FILE" of "cmpforopenssl" tool in case of a initial CMPv2 request sequence.
> Our understanding is that this option is mandatory and that it specifies the path to a client local CA certificate file corresponding to the signing CA.
> Looking to the source files I have the feeling that the only usage of this option with the initial CMPv2 request sequence is to provide the issuer's name that will fill up the recipient field on the header of the request. I didn't see any other usage of the CA file.
> On my specific scenario I know the "issuer" name for the CA but I don't have the CA certificate on the client side before sending the ir (initial request) to server.
> My question is if it is possible to add a new option "--caname" or "--recipient" (or similar) to specify the missing field (i.e. issuer). This option could be VERY useful when the "--cacert" is unknown.
>
> Best Regards
> Mugur

From: ABULIUS, M. (MUGUR) <mug...@al...> - 2011-06-13 15:31:46

Hello,

This topic concerns the client's private key and the interdependency between the options:
"--key FILE"
"--extcert FILE"

Our understanding (after reading the source code) concerning the relationship between these 2 options is the following:
* If the two options are specified then the tool uses for the initial request as client's private key the file specified by the "--key FILE" option.
* If the option "--extcert FILE" doesn't exist for the initial request then the tool generates a 1024 bits RSA key at location specified by "--key FILE" option.

In our scenarios we need ***2048*** bits RSA keys (possibly more) without using the "--extcert FILE". We think that the greatest flexibility is to allow (as an additional option) an input key file even in case the option "--extcert FILE" is not specified.

Is it possible to add such option / behavior?
Which is, please, the rationale of the current interdependency between these two options?

Best Regards
Mugur

From: ABULIUS, M. (MUGUR) <mug...@al...> - 2011-06-13 15:26:02

Hello,

This topic concerns the support of the CMPv2 error message - code '06'H (ErrorMsgContent / ErrorMsgRep).
Do you intend to support this CMPv2 message with OpenSSL?

Best Regards
Mugur

From: ABULIUS, M. (MUGUR) <mug...@al...> - 2011-06-13 15:03:07

Hello,

This topic concerns the "extraCerts" field of the CMPv2 PKIMessage for the "Initialization Response".

The 3GPP "TS 33.310 V9.5.0 (2010-12)" specifies at §9.5.4.3:
"The extraCerts field of the PKIMessage carrying the initialization response shall contain the operator root certificate and ..."

However I didn't see any way to retrieve the extraCerts certificates from the ip (init response) with the "cmpforopenssl" tool. In my understanding (looking sources) the option "--extracert FILE" is an input option only.
Also the option "--capubs DIRECTORY" is used only to retrieve caPubs certificates.

Do you intend to provide any option to retrieve extraCerts certificates from initial response?

Best Regards
Mugur

From: ABULIUS, M. (MUGUR) <mug...@al...> - 2011-06-13 15:03:01

Hello,

This topic concerns the option "--cacert FILE" of "cmpforopenssl" tool in case of a initial CMPv2 request sequence.

Our understanding is that this option is mandatory and that it specifies the path to a client local CA certificate file corresponding to the signing CA.

Looking to the source files I have the feeling that the only usage of this option with the initial CMPv2 request sequence is to provide the issuer's name that will fill up the recipient field on the header of the request. I didn't see any other usage of the CA file.

On my specific scenario I know the "issuer" name for the CA but I don't have the CA certificate on the client side before sending the ir (initial request) to server.

My question is if it is possible to add a new option "--caname" or "--recipient" (or similar) to specify the missing field (i.e. issuer). This option could be VERY useful when the "--cacert" is unknown.

Best Regards
Mugur

From: Viljanen M. <mii...@aa...> - 2011-06-06 05:44:17

Hello Andrei,

You can send the patch to me via email and I'll take a look at integrating it. I'm developing mainly on Linux, but I guess a Windows-version patch shouldn't be too much of a problem to integrate, unless of course you had to use some Windows-specific APIs or something. :-)

Thanks, and best regards,
Miikka Viljanen

________________________________
From: Andrei Cipu [ac...@ix...]
Sent: Friday, June 03, 2011 10:12 PM
To: cmp...@li...
Cc: George Ciobanu
Subject: [Cmpforopenssl-devel] A Windows port for cmpforopenssl

Hi,

In the last months I have been working on integrating cmpforopenssl in a Windows product of Ixia. We now have a working cmpforopenssl version (and CMP client) for Windows and we would like to offer this patch back.

I must warn you that this is a Windows-version patch (I've made no effort in making it cross-platform), so you'll probably have to put some more work on integrating it.

If you're interested, what's the preferred way to give you the patch?

Thanks,
Andrei Cipu