cmpforopenssl-devel — all CMP for OpenSSL development discussions

Re: [Cmpforopenssl-devel] cmpforopenssl - Problem in the management of the revocation reason

[Martin P. <ma...@pe...>]

Hi Riccardo,

thank you for reporting.

Could you
- create a ticket on https://sourceforge.net/p/cmpforopenssl/bugs/
- note the exact GIT commit you use (e.g. the output of 'git log | head')
- note the exact command line you use
- attach the full Wireshark trace

I don't fully understand the OCSP issue you describe; it'd likely be good
if that is also included in the code. Maybe you also have an CRL to look at?

BR,
Martin


On Wed, Sep 20, 2017 at 10:21 PM, Riccardo Bruzzone <
ric...@er...> wrote:

>
>
> Hi all,
> Using the git clone https://git.code.sf.net/p/cmpforopenssl/git
> cmpforopenssl-git
>
> I downloaded and installed your last version of cmpforopenssl in a Ubuntu
> 14.04.5 LTS VM (I made this on September 14th).
>
>
>
> Trying evaluating the cmpforopenssl, I saw that your application isn’t
> managing correctly the revocation reason.
>
> The cmp revocation request was tested using both cmpforopenssl and
> cmpclient (both have been run in clear test … no TLS used).
>
> In both case the Certificates were revoked
>
> but an unexpected wrong revocation code (different from all value tryied)
> was observed invoking the OCSP protocol with the Serial Number of the
> certificate previously revoked via cmpforopenssl.
>
> Independently from the value of revocation reason used in the
> cmpforopenssl syntax, the certificates is always revoked with the reason of
> cessationOfOperation.
>
>
> Response verify OK
>
> trazas5.pem: revoked
>
>         This Update: Sep 15 13:24:15 2017 GMT
>
>         Reason: cessationOfOperation
>
>         Revocation Time: Sep 15 13:23:02 2017 GMT
>
> root@security:/opt/cmp/bin
>
>
> Analysing the RR answer in both cases, the first one sent from cmpclient
> and the second one from cmpforopenssl, I’m seeing that:
>
>
>    - In Wireshark trace generated during the cmpclient test, the
>    CRLReason value (keyCompromise 1) associated to the id-ce-reasonCode is
>    correctly decoded.
>
>
>
>
>
>    - In the Wireshark trace generated during the cmpforopenssl test, the
>    RR packet has been declared as malformed  …. this after id-ce-reasonCode
>    row.
>
>
>
>
> Can I help you to analyse this behaviour ?
> Do you have a patch available on this part to be tested ?
>
>
>
> Br
>
> *Riccardo*
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Cmpforopenssl-devel mailing list
> Cmp...@li...
> https://lists.sourceforge.net/lists/listinfo/cmpforopenssl-devel
>
>

[Cmpforopenssl-devel] cmpforopenssl - Problem in the management of the revocation reason

[Riccardo B. <ric...@er...>]

Hi all,
Using the git clone https://git.code.sf.net/p/cmpforopenssl/git cmpforopenssl-git
I downloaded and installed your last version of cmpforopenssl in a Ubuntu 14.04.5 LTS VM (I made this on September 14th).

Trying evaluating the cmpforopenssl, I saw that your application isn't managing correctly the revocation reason.
The cmp revocation request was tested using both cmpforopenssl and cmpclient (both have been run in clear test ... no TLS used).

In both case the Certificates were revoked
but an unexpected wrong revocation code (different from all value tryied) was observed invoking the OCSP protocol with the Serial Number of the certificate previously revoked via cmpforopenssl.
Independently from the value of revocation reason used in the cmpforopenssl syntax, the certificates is always revoked with the reason of cessationOfOperation.

Response verify OK
trazas5.pem: revoked
        This Update: Sep 15 13:24:15 2017 GMT
        Reason: cessationOfOperation
        Revocation Time: Sep 15 13:23:02 2017 GMT
root@security:/opt/cmp/bin

Analysing the RR answer in both cases, the first one sent from cmpclient and the second one from cmpforopenssl, I'm seeing that:


  *   In Wireshark trace generated during the cmpclient test, the CRLReason value (keyCompromise 1) associated to the id-ce-reasonCode is correctly decoded.

[cid:image005.jpg@01D33256.7C496F40]


  *   In the Wireshark trace generated during the cmpforopenssl test, the RR packet has been declared as malformed  .... this after id-ce-reasonCode row.

[cid:image006.jpg@01D33256.7C496F40]

Can I help you to analyse this behaviour ?
Do you have a patch available on this part to be tested ?

Br
Riccardo

Re: [Cmpforopenssl-devel] CMP for Openssl

[Martin P. <ma...@pe...>]

Hi Sinan,

1.0.1e is stable and should build without problems on most systems (well,
some issues with Visual Studio are known). Did you try to build it like
this: "./config && make depend && make update && make"? If that didn't
work, could you copy/paste the exact error?

We're currently heavily working on the version in openssl-master-cmp, so
that might not be not so stable, but it should also build using the same
command as above. For the simple use case, it should not really matter
whether you use this or 1.0.1e from a functionality point of view.

As always I'm interested where CMP is used, is it possible that share more
about your use case?

Kind regards,
Martin



On Fri, Jan 6, 2017 at 4:01 PM, Sinan Senol <si...@gm...> wrote:

> Hello,
>
> I need to add CMP support to OpenSSL to test a CMP server. It is enough to
> test the CMP functionality of the server. I downloaded the up-to-date copy
> of the Sourceforge codes. But "make" command results in errors in Kali
> Linux 64-bit OS. I tried only 1.0.1e version but make results in that "make
> depend" must run.
>
> Is there a stable version that results in successful installation?
>
> Thank you,
>
> Sinan.
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Cmpforopenssl-devel mailing list
> Cmp...@li...
> https://lists.sourceforge.net/lists/listinfo/cmpforopenssl-devel
>

[Cmpforopenssl-devel] CMP for Openssl

[Sinan S. <si...@gm...>]

Hello,

I need to add CMP support to OpenSSL to test a CMP server. It is enough to test the CMP functionality of the server. I downloaded the up-to-date copy of the Sourceforge codes. But "make" command results in errors in Kali Linux 64-bit OS. I tried only 1.0.1e version but make results in that "make depend" must run.

Is there a stable version that results in successful installation?

Thank you,

Sinan.

[Cmpforopenssl-devel] Improper protection of PollReq?

[<Ad....@in...>]

Hi all,

Question on "improper protection of PollReq messages". The PollReq-messages from OpenSSL-CMP are signed, but the certificate required to verify that signature is not provided (in the extraCerts field). My PKI-environment refuses this polling request due to "badMessageCheck". I've tested another client which does provide the certificate; this request is processed properly.

The CR-request does contain the RA-certificate. Is this a bug?



Ad Schoonen
OIB/ITS/UA/Auth&KeyMngt
Location code HLW C.04.182
T +31 20 584 6470
E ad....@in...<mailto:ad....@in...>

-----------------------------------------------------------------
ATTENTION:
The information in this electronic mail message is private and
confidential, and only intended for the addressee. Should you
receive this message by mistake, you are hereby notified that
any disclosure, reproduction, distribution or use of this
message is strictly prohibited. Please inform the sender by
reply transmission and delete the message without copying or
opening it.

Messages and attachments are scanned for all viruses known.
If this message contains password-protected attachments, the
files have NOT been scanned for viruses by the ING mail domain.
Always scan attachments before opening them.
-----------------------------------------------------------------

Re: [Cmpforopenssl-devel] Does latest CMPv2 patch support on Windows platform?

[Martin P. <cmp...@iz...>]

Hi Iris,

I'm not aware whether it has been tested on Windows but in general
there shouldn't be any difference to building OpenSSL under Windows
with or without the patch.

Please let us know in case you'd encounter any issues.

Kind regards,
Martin



On Tue, Sep 17, 2013 at 1:09 PM, Iris Su <iri...@gm...> wrote:
> Hello,
>
> Does latet CMPv2 patch (run on openssl-1.0.1e) support windows platform?
> If yes, is there any procedure to build windows version?
>
> BR,
> Iris
>
> ------------------------------------------------------------------------------
> LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
> 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint
> 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack
> includes
> Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13.
> http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk
> _______________________________________________
> Cmpforopenssl-devel mailing list
> Cmp...@li...
> https://lists.sourceforge.net/lists/listinfo/cmpforopenssl-devel
>

[Cmpforopenssl-devel] Does latest CMPv2 patch support on Windows platform?

[Iris Su <iri...@gm...>]

Hello,

Does latet CMPv2 patch (run on openssl-1.0.1e) support windows platform?
If yes, is there any procedure to build windows version?

BR,
Iris

Re: [Cmpforopenssl-devel] Interop cmpclient with EJBCA

[VP Dominic-M. <MV...@mo...>]

Hi Martin,

We need to implement a CMPv2 client for business purpose and we are exploring the option of using opensource for this.
Cmpforopenssl seems to be a good option so we are exploring more on this.

Regarding interoperability with EJBCA, Initial request (ir) message exchange is working fine after configuring EJBCA CMP in RA mode and re-deploying EJBCA. 
But the 'certificate request' is still failing.

Following are the commands that were executed on the cmpforopenssl cmpclient,

Initial request:

./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --ir --user user1 --password password --newclcert user1-cert.der --newkey user1-key.pem --subject "C=IN,CN=User1"

This command was successful and the initial client certificate was successfully received.  

Certificate request:

./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --cr --user user1 --password password --newclcert user1-cert-new.der --newkey user1-key-new.pem --clcert user1-cert.der --key user1-key.pem

This command failed. and the following error was observed on the EJBCA side.

15:48:28,521 INFO  [CmpServlet] CMP message received from: 127.0.0.1.
15:48:28,535 ERROR [CrmfMessageHandler] Could not create CmpPbeVerifyer
15:48:28,538 INFO  [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 15

Any idea why i am getting this error ?
Packet capture is attached.

Regards
Dominic 

-----Original Message-----
From: Martin Peylo [mailto:cmp...@iz...] 
Sent: 10 October 2012 13:16
To: dominic peter
Cc: cmp...@li...
Subject: Re: [Cmpforopenssl-devel] Interop cmpclient with EJBCA

Hi Dominic,

did you configure EJBCA as described in
<http://sourceforge.net/apps/mediawiki/cmpforopenssl/index.php?title=EJBCA>?

There's also a way to do that RegTokenPwd thing in the code if you really need that. Unfortunately in this very moment I lack the time to give a good explanation - come back to me if you don't find it.

NB: try using the OpenSSL app which you can use with "openssl cmp ...". I just saw that the --help is broken somehow but there is on openssl_cmp.pod in the documentation explaining its usage. The cmpclient will not be updated in the future and probably removed soon.

Just interested: Are you using CMP for research or business?

If you're developing on the code, we're always open for contributions and bug reports. Please attach Wireshark traces on further queries, that makes it easy to check out what's going on.

Kind regards,
Martin




On Tue, Oct 9, 2012 at 2:51 PM, dominic peter <dom...@gm...> wrote:
> Hi,
> I am using cmpforopenssl version and EJBCA 4.0.12 Has anyone tried to 
> interop cmpforopenssl client with EJBCA.
>
> I am trying to send an 'ir' request to EJBCA from the cmpclient using 
> the following command,
>
> ./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp 
> --srvcert myAdminCA.cacert.pem --ir --user test1 --password test1 
> --newclcert test1.pem --newkey test1.key --subject 
> "C=IN,ST=KAR,L=TEST,O=TEST,OU=EN,CN=EETest1"
>
> I am seeing the following error on the EJBCA after sending the 'ir' 
> request from the client,
>
> 15:40:36,975 ERROR [CrmfMessageHandler] Could not extract password 
> from CRMF request using the RegTokenPwd authentication module
> 15:40:36,997 INFO  [CmpServlet] Sent a CMP response to: 127.0.0.1, 
> process time 217.
>
> On the cmpclient i am seeing the following error,
>
> INFO: Sending Initialization Request
> ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 
> 401
> 3078551176:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> tag:tasn_dec.c:1319:
> 3078551176:error:0D07803A:asn1 encoding 
> routines:ASN1_ITEM_EX_D2I:nested
> asn1 error:tasn_dec.c:381:Type=X509
> 3078551176:error:32090087:CMP routines:CMP_doInitialRequestSeq:pkibody
> error:cmp_ses.c:384:bodytype=23, error="PKIStatus: rejection,
> PKIFailureInfo: wrongAuthority"
>
> And ideas ?
>
> Thanks in advance.
>
> Regards
> Dominic
>
> ----------------------------------------------------------------------
> -------- Don't let slow site performance ruin your business. Deploy 
> New Relic APM Deploy New Relic app performance management and know 
> exactly what is happening inside your Ruby, Python, PHP, Java, and 
> .NET app Try New Relic at no cost today and get our sweet Data Nerd 
> shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
> _______________________________________________
> Cmpforopenssl-devel mailing list
> Cmp...@li...
> https://lists.sourceforge.net/lists/listinfo/cmpforopenssl-devel
>

------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM Deploy New Relic app performance management and know exactly what is happening inside your Ruby, Python, PHP, Java, and .NET app Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Cmpforopenssl-devel mailing list
Cmp...@li...
https://lists.sourceforge.net/lists/listinfo/cmpforopenssl-devel

Re: [Cmpforopenssl-devel] Interop cmpclient with EJBCA

[Martin P. <cmp...@iz...>]

Hi Dominic,

did you configure EJBCA as described in
<http://sourceforge.net/apps/mediawiki/cmpforopenssl/index.php?title=EJBCA>?

There's also a way to do that RegTokenPwd thing in the code if you
really need that. Unfortunately in this very moment I lack the time to
give a good explanation - come back to me if you don't find it.

NB: try using the OpenSSL app which you can use with "openssl cmp
...". I just saw that the --help is broken somehow but there is on
openssl_cmp.pod in the documentation explaining its usage. The
cmpclient will not be updated in the future and probably removed soon.

Just interested: Are you using CMP for research or business?

If you're developing on the code, we're always open for contributions
and bug reports. Please attach Wireshark traces on further queries,
that makes it easy to check out what's going on.

Kind regards,
Martin




On Tue, Oct 9, 2012 at 2:51 PM, dominic peter <dom...@gm...> wrote:
> Hi,
> I am using cmpforopenssl version and EJBCA 4.0.12
> Has anyone tried to interop cmpforopenssl client with EJBCA.
>
> I am trying to send an 'ir' request to EJBCA from the cmpclient using the
> following command,
>
> ./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp
> --srvcert myAdminCA.cacert.pem --ir --user test1 --password test1
> --newclcert test1.pem --newkey test1.key --subject
> "C=IN,ST=KAR,L=TEST,O=TEST,OU=EN,CN=EETest1"
>
> I am seeing the following error on the EJBCA after sending the 'ir' request
> from the client,
>
> 15:40:36,975 ERROR [CrmfMessageHandler] Could not extract password from CRMF
> request using the RegTokenPwd authentication module
> 15:40:36,997 INFO  [CmpServlet] Sent a CMP response to: 127.0.0.1, process
> time 217.
>
> On the cmpclient i am seeing the following error,
>
> INFO: Sending Initialization Request
> ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 401
> 3078551176:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> tag:tasn_dec.c:1319:
> 3078551176:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested
> asn1 error:tasn_dec.c:381:Type=X509
> 3078551176:error:32090087:CMP routines:CMP_doInitialRequestSeq:pkibody
> error:cmp_ses.c:384:bodytype=23, error="PKIStatus: rejection,
> PKIFailureInfo: wrongAuthority"
>
> And ideas ?
>
> Thanks in advance.
>
> Regards
> Dominic
>
> ------------------------------------------------------------------------------
> Don't let slow site performance ruin your business. Deploy New Relic APM
> Deploy New Relic app performance management and know exactly
> what is happening inside your Ruby, Python, PHP, Java, and .NET app
> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
> _______________________________________________
> Cmpforopenssl-devel mailing list
> Cmp...@li...
> https://lists.sourceforge.net/lists/listinfo/cmpforopenssl-devel
>

[Cmpforopenssl-devel] Interop cmpclient with EJBCA

[dominic p. <dom...@gm...>]

Hi,
I am using cmpforopenssl version and EJBCA 4.0.12
Has anyone tried to interop cmpforopenssl client with EJBCA.

I am trying to send an 'ir' request to EJBCA from the cmpclient using the
following command,

./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp
--srvcert myAdminCA.cacert.pem --ir --user test1 --password test1
--newclcert test1.pem --newkey test1.key --subject
"C=IN,ST=KAR,L=TEST,O=TEST,OU=EN,CN=EETest1"

I am seeing the following error on the EJBCA after sending the 'ir' request
from the client,

15:40:36,975 ERROR [CrmfMessageHandler] Could not extract password from
CRMF request using the RegTokenPwd authentication module
15:40:36,997 INFO  [CmpServlet] Sent a CMP response to: 127.0.0.1, process
time 217.

On the cmpclient i am seeing the following error,

INFO: Sending Initialization Request
ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 401
3078551176:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:1319:
3078551176:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested
asn1 error:tasn_dec.c:381:Type=X509
3078551176:error:32090087:CMP routines:CMP_doInitialRequestSeq:pkibody
error:cmp_ses.c:384:bodytype=23, error="PKIStatus: rejection,
PKIFailureInfo: wrongAuthority"

And ideas ?

Thanks in advance.

Regards
Dominic

[Cmpforopenssl-devel] Does this support ipv6

[Umarale, L. S (Lakshmi) <lak...@al...>]

I have enabled ipv6 in curl-plugin. Is there anything that needs to be enabled for cmpforopenssl to support ipv6.

Thanks
Lakshmi

[Cmpforopenssl-devel] Cryplib error

[Bálint V. <var...@gm...>]

2012-04-02 07:16:56 PDT
Hello, I am trying to configure and launch a sample of CMPv2 server, but
blocked at a step where it is needed to add PKI user. Could you please
point me a right direction for my issue? I got the following errors while
execution of the script: $ ./srv_add_pki_usr.sh ./../bin/cmpserver-cl
--createuser --country DE --organization NSN --unit PG RDE 324440
--commonname Martin Peylo SUCCESS init SUCCESS add random ERROR create and
open certstore - in FILE: cmpserver-cl.c, LINE 608, status=-3 ERROR open
certstore - in FILE: cmpserver-cl.c, LINE 613, status=-3 INFO: Creating PKI
User COUNTRY:"DE" ORG:"NSN" UNIT:"PG RDE 324987" CN:"Martin Peylo" SUCCESS
creating certificate ERROR storing the PKI User - in FILE: cmpserver-cl.c,
LINE 316, status=-1 SUCCESS destroying certificate ERROR close certstore -
in FILE: cmpserver-cl.c, LINE 617, status=-1 SUCCESS shutting down cryptlib
ODBC connection works fine, I just checked it with isql tool. I am using
Ubuntu 10.04.3 as a workstation.

Re: [Cmpforopenssl-devel] Interoperabilty with cryptlib

[mviljane <mvi...@us...>]

Hi,

The current cmpclient is compatible with cryptlib using the --cryptlib
commandline argument, there should be no interoperability problems when using
the client with a cryptlib server.. However, if you do encounter
interoperability problems or other bugs, bug reports and patches are always
very welcome. :-)

best regards,
mviljane


On 2011-09-01 22:32:47 +0300, Salvarani, Alexandro (Alex) wrote:
> Hi there,
> I need help on using the source code for support of CMPv2
> I would like to use the sourceforge code to implement a CMPv2 client. I am developing a CMPv2 server that is able to interoperate with the CMPv2.
> If I build the CMPv2 server in cryptlib (and not OpenSSL) would I have an interoperability problem?
> 
> Please let me know the technical details, because I saw slides from Martin Peylo where he mentioned that the CMPv2 client source code does not interoperate with CMPv2 servers implemented using cryptlib.
> 
> Regards,
> Alex Salvarani
> System Development
> Murray Hill NJ
> Alcatel-Lucent

[Cmpforopenssl-devel] Interoperabilty with cryptlib

[Salvarani, A. (Alex) <ale...@al...>]

Hi there,
I need help on using the source code for support of CMPv2
I would like to use the sourceforge code to implement a CMPv2 client. I am developing a CMPv2 server that is able to interoperate with the CMPv2.
If I build the CMPv2 server in cryptlib (and not OpenSSL) would I have an interoperability problem?

Please let me know the technical details, because I saw slides from Martin Peylo where he mentioned that the CMPv2 client source code does not interoperate with CMPv2 servers implemented using cryptlib.

Regards,
Alex Salvarani
System Development
Murray Hill NJ
Alcatel-Lucent

Re: [Cmpforopenssl-devel] how to create database for cryptlib?

[Martin P. <cmp...@iz...>]

Hi,

creating the database access is always problematic and AFAIK using a
native (non-Ubuntu) installation of the database might have better
changes to succeed. As soon as you have succeeded please provide a
detailed guide how to do the setup to the community.

The server side example will be most probably be removed from here
very soon to permit core development to concentrate fully of the
library implementation. I'd suggest to search (commercial?) support
from one of the CMP server vendors (e.g. the creators of cryptib or
ECBCA) directly.

Please subscribe to this mailing list when posting! If you're not
subscribed, it is pretty much luck when and if someone approves (or
discards) your mail to the list.

Kind regards,
Martin


On Tue, Aug 16, 2011 at 2:07 PM, Vikalp Bansal <vik...@gm...> wrote:
> create database in ubuntu for cryptlib CA to acess
> step by step instruction please

[Cmpforopenssl-devel] how to create database for cryptlib?

[Vikalp B. <vik...@gm...>]

create database in ubuntu for cryptlib CA to acess
step by step instruction please

Re: [Cmpforopenssl-devel] Need 2048-bits RSA key files and +, regardless the presence of the "--extcert FILE" option.

[Miikka V. <mvi...@us...>]

Hi,

It would indeed be a good idea to allow an input key file. As Martin mentioned,
the cmpclient tool is not much more than a proof-of-concept at this point, so
these options have mainly been used for testing the library. The behaviour of
'--key' flag is a bit confusing since in an IR message it specifies a file where
a newly generated key will be saved and in a KUR it specifies a key to be used
as input. The '--extcert' option is used for authentication with an external
certificate.

I will change the --key flag so that it checks if the key file already exists,
and if it does the file will be used as an input for initial request. Thanks for
pointing this out!

best regards,
Miikka

Excerpts from ABULIUS, MUGUR (MUGUR)'s message of 2011-06-13 18:16:36 +0300:
> Hello,
> This topic concerns the client's private key and the interdependency between the options:
> "-key FILE"
> "-extcert FILE"
> Our understanding (after reading the source code) concerning the relationship between these 2 options is the following:
> *       If the two options are specified then the tool uses for the initial request as client's private key the file specified by the "--key FILE" option.
> *       If the option "--extcert FILE" doesn't exist for the initial request then the tool generates a 1024 bits RSA key at location specified by "--key FILE" option.
> In our scenarios we need ***2048*** bits RSA keys (possibly more) without using the "--extcert FILE".  We think that the greatest flexibility is to allow (as an additional option) an input key file even in case the option "--extcert FILE" is not specified.
> Is possible to add such option / behavior?
> Which is, please, the rational of the current interdependency between these two options?
> Best Regards
> Mugur

Re: [Cmpforopenssl-devel] Support of the CMPv2 error message - code '06'H

[Miikka V. <mvi...@us...>]

Hi,

Support for this message is implemented - see the function PKIError_data() in
cmp_ses.c for example. The cmpclient doesn't necessarily yet print out the error
messages in every situation though.

best regards,
Miikka


Excerpts from ABULIUS, MUGUR (MUGUR)'s message of 2011-06-13 18:25:46 +0300:
> Hello,
> This topic concerns the support of the CMPv2 error message - code '06'H (ErrorMsgContent / ErrorMsgRep).
> Do you intend to support this CMPv2 message with OpenSSL?
> Best Regards
> Mugur

Re: [Cmpforopenssl-devel] How to retrieve extra certificates from extraCerts on a client side?

[Martin P. <cmp...@iz...>]

Hi,

same here - the "cmpforopenssl" *tool* is not the main focus of that
project so not all functionality present in the API is necessarily
available there.

Patches are welcome :-)

Martin



On Mon, Jun 13, 2011 at 5:25 PM, ABULIUS, MUGUR (MUGUR)
<mug...@al...> wrote:
> Hello,
> This topic concerns the “extraCerts” field of the CMPv2 PKIMessage for the
> “Initialization Response”.
> The 3GPP “TS 33.310 V9.5.0 (2010-12)” specifies at §9.5.4.3:
> “The extraCerts field of the PKIMessage carrying the initialization response
> shall contain the operator root certificate and  …”
> However I didn’t see any way to retrieve the extraCerts certificates from
> the ip (init response) with the  “cmpforopenssl” tool. In my understanding
> (looking sources) the option “--extracert FILE” is an input option only.
> Also the option “--capubs DIRECTORY” is used only to retrieve caPubs
> certificates.
> Do you intend to provide any option to retrieve extraCerts certificates from
> initial response?
> Best Regards
> Mugur
>
>
>
> ------------------------------------------------------------------------------
> EditLive Enterprise is the world's most technically advanced content
> authoring tool. Experience the power of Track Changes, Inline Image
> Editing and ensure content is compliant with Accessibility Checking.
> http://p.sf.net/sfu/ephox-dev2dev
> _______________________________________________
> Cmpforopenssl-devel mailing list
> Cmp...@li...
> https://lists.sourceforge.net/lists/listinfo/cmpforopenssl-devel
>
>

Re: [Cmpforopenssl-devel] Need new option to specify recipient instead "--cacert"

[Martin P. <cmp...@iz...>]

Hi,

the cmpforopenssl tool is not much more than a very simple
proof-of-concept for utilizing the library's API.

It is certainly possible to add the new option.

Please consider to give your enhancements back to the project -
preferably as bug report on Sourceforge. We'll then test and integrate
it.

Kind regards,
Martin



On Mon, Jun 13, 2011 at 5:45 PM, ABULIUS, MUGUR (MUGUR)
<mug...@al...> wrote:
> Hello,
> This topic concerns the option “—cacert FILE’ of  “cmpforopenssl” tool in
> case of a initial CMPv2 request sequence.
> Our understanding is that this option is mandatory and that it specifies the
> path to a client local CA certificate file corresponding to the signing CA.
> Looking to the source files I have the feeling that the only usage of this
> option with the initial CMPv2 request sequence is to provide the issuer's
> name that will fill up the recipient field on the header of the request. I
> didn't see any other usage of the CA file.
> On my specific scenario I know the “issuer” name for the CA but I don’t have
> the CA certificate on the client side before sending the ir (initial
> request) to server.
> My question is if it is possible to add a new option “—caname” or
> "--recipient" (or similar) to specify the missing field (i.e. issuer). This
> option could be VERY useful when the “—cacert” is unknown.
>
> Best Regards
> Mugur
>
>
> ------------------------------------------------------------------------------
> EditLive Enterprise is the world's most technically advanced content
> authoring tool. Experience the power of Track Changes, Inline Image
> Editing and ensure content is compliant with Accessibility Checking.
> http://p.sf.net/sfu/ephox-dev2dev
> _______________________________________________
> Cmpforopenssl-devel mailing list
> Cmp...@li...
> https://lists.sourceforge.net/lists/listinfo/cmpforopenssl-devel
>
>

[Cmpforopenssl-devel] Need 2048-bits RSA key files and +, regardless the presence of the "--extcert FILE" option.

[ABULIUS, M. (MUGUR) <mug...@al...>]

Hello,
This topic concerns the client's private key and the interdependency between the options:
"-key FILE"
"-extcert FILE"
Our understanding (after reading the source code) concerning the relationship between these 2 options is the following:
*       If the two options are specified then the tool uses for the initial request as client's private key the file specified by the "--key FILE" option.
*       If the option "--extcert FILE" doesn't exist for the initial request then the tool generates a 1024 bits RSA key at location specified by "--key FILE" option.
In our scenarios we need ***2048*** bits RSA keys (possibly more) without using the "--extcert FILE".  We think that the greatest flexibility is to allow (as an additional option) an input key file even in case the option "--extcert FILE" is not specified.
Is possible to add such option / behavior?
Which is, please, the rational of the current interdependency between these two options?
Best Regards
Mugur

[Cmpforopenssl-devel] Support of the CMPv2 error message - code '06'H

[ABULIUS, M. (MUGUR) <mug...@al...>]

Hello,
This topic concerns the support of the CMPv2 error message - code '06'H (ErrorMsgContent / ErrorMsgRep).
Do you intend to support this CMPv2 message with OpenSSL?
Best Regards
Mugur

[Cmpforopenssl-devel] How to retrieve extra certificates from extraCerts on a client side?

[ABULIUS, M. (MUGUR) <mug...@al...>]

Hello,
This topic concerns the "extraCerts" field of the CMPv2 PKIMessage for the "Initialization Response".
The 3GPP "TS 33.310 V9.5.0 (2010-12)" specifies at §9.5.4.3:
"The extraCerts field of the PKIMessage carrying the initialization response shall contain the operator root certificate and  ..."
However I didn't see any way to retrieve the extraCerts certificates from the ip (init response) with the  "cmpforopenssl" tool. In my understanding (looking sources) the option "--extracert FILE" is an input option only. Also the option "--capubs DIRECTORY" is used only to retrieve caPubs certificates.
Do you intend to provide any option to retrieve extraCerts certificates from initial response?
Best Regards
Mugur

[Cmpforopenssl-devel] Need new option to specify recipient instead "--cacert"

[ABULIUS, M. (MUGUR) <mug...@al...>]

Hello,
This topic concerns the option "-cacert FILE' of  "cmpforopenssl" tool in case of a initial CMPv2 request sequence.
Our understanding is that this option is mandatory and that it specifies the path to a client local CA certificate file corresponding to the signing CA.
Looking to the source files I have the feeling that the only usage of this option with the initial CMPv2 request sequence is to provide the issuer's name that will fill up the recipient field on the header of the request. I didn't see any other usage of the CA file.
On my specific scenario I know the "issuer" name for the CA but I don't have the CA certificate on the client side before sending the ir (initial request) to server.
My question is if it is possible to add a new option "-caname" or "--recipient" (or similar) to specify the missing field (i.e. issuer). This option could be VERY useful when the "-cacert" is unknown.

Best Regards
Mugur

Re: [Cmpforopenssl-devel] A Windows port for cmpforopenssl

[Viljanen M. <mii...@aa...>]

Hello Andrei,

You can send the patch to me via email and I'll take a look at integrating it. I'm developing mainly on Linux, but I guess a Windows-version patch shouldn't be too much of a problem to integrate, unless of course you had to use some Window specific APIs or something. :-)

Thanks, and best regards,
Miikka Viljanen

________________________________
From: Andrei Cipu [ac...@ix...]
Sent: Friday, June 03, 2011 10:12 PM
To: cmp...@li...
Cc: George Ciobanu
Subject: [Cmpforopenssl-devel] A Windows port for cmpforopenssl


Hi,

In the last months I have been working on integrating cmpforopenssl in a Windows product of Ixia. We now have a working cmpforopenssl version (and CMP client) for Windows and we would like to offer this patch back. I must warn you that this is a Windows-version patch (I've made no effort in making it cross-platform), so you'll probably have to put some more work on integrating it.

If you're interested, what's the preferred way to give you the patch?

Thanks,
   Andrei Cipu