Implement RAT extensions#121
Replaced by #122 |
DDvO
Please avoid extending OSSL_CMP_CTX,
as this should not be needed at all -
please keep all RAT-related data local in cmpClient().
There are various memory leaks, at least in error cases.
See also further comments.
| #include <secutils/credentials/credentials.h> /* for CERT{,S}_save and CERTS_free */ | ||
| #include <secutils/credentials/cert.h> /* for UTIL_parse_name */ | ||
|
|
||
|
|
nit: avoid needless whitespace changes like this new line
| "File to save newly enrolled certificate, possibly with chain and key"}, | ||
| { "chainout", OPT_TXT, {.txt = NULL}, { &opt_chainout }, | ||
| "File to save the chain of the newly enrolled certificate"}, | ||
| { "rats", OPT_BOOL, {.bit = false}, |
please generally:
rats -> RAT
RATS -> RAT
| { "rats", OPT_BOOL, {.bit = false}, | |
| { "RAT", OPT_BOOL, {.bit = false}, |
| @@ -0,0 +1,3 @@ | |||
| cd ~/git/gencmpclient/test/recipes/80-test_cmp_http_data/Mock | |||
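Review bot: The `cd` on the first line of this new script is unguarded, so if the directory does not exist or the script is started from a different working directory, every command that follows runs in the caller's current directory instead of failing. Whatever path is finally chosen, guard it as `cd test/recipes/80-test_cmp_http_data/Mock || exit 1`, or put `set -e` at the top of the script. The remaining lines of the file are outside the hunk.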
use relative path and add the option for further CLI options:
| cd ~/git/gencmpclient/test/recipes/80-test_cmp_http_data/Mock | |
| cd test/recipes/80-test_cmp_http_data/Mock "$@" |
also for the other new .sh files
| export OPENSSL_DIR=~/git/openssl | ||
| export OPENSSL_LIB=~/git/openssl | ||
| export LD_LIBRARY_PATH=~/git/openssl/:~/git/gencmpclient | ||
| export PATH=~/git/openssl/apps:$PATH |
Why would we need this?
The LD_LIBRARY_PATH should generally not be needed due to rpath.
Everything else is user-specific, not for general use in this project.
Better not commit this file.
| unsigned int status = atg_generate_evidence(ctx->tpm_kd_req, &req_resp); | ||
| if (status != ATG_SUCCESS) { | ||
| LOG_err("Request TPM key data failed"); | ||
| goto err; |
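Review bot: The error log on the third line discards the `status` value returned by `atg_generate_evidence()`, so one ATG failure cannot be told apart from another when reading the log. If `LOG_err` accepts printf-style arguments, `LOG_err("atg_generate_evidence() failed, status %u", status);` keeps the code at hand for diagnosis. The enclosing function starts and ends outside the hunk, so what happens to `req_resp` on the `err` path cannot be seen here.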
Before each goto err, please set a specific new error code in the range -7x, e.g., err = -70;
| reqout = "/tmp/req1.der /tmp/req2.der /tmp/req3.der /tmp/req4.der /tmp/req5.der /tmp/req6.der" | ||
| rspout = "/tmp/rsp1.der /tmp/rsp2.der /tmp/rsp3.der /tmp/rsp4.der /tmp/rsp5.der /tmp/rsp6.der" | ||
|
|
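Review bot: The `reqout` and `rspout` values on the first two lines write the CMP messages to fixed, predictable names directly in the shared `/tmp` directory, which any other local user can pre-create or symlink before the test runs. Even for a test configuration it is safer to point these at a directory inside the test tree, or at one created per run with `mktemp -d`, so that the files cannot be planted or redirected by another account on the host.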
Move these to CLI options in doCrWithRat.sh
| #attime = 1524704000 | ||
| server_host = 127.0.0.1 # localhost | ||
| server_port = 0 # 0 means that the port is determined by the server | ||
| server_port = 8888 # 0 means that the port is determined by the server |
do not set the port here but in the respective new .sh file(s)
| } | ||
| if (!OSSL_CMP_CTX_push0_genm_ITAV(ctx->osslctx, itav)) { | ||
| LOG_err("OSSL_CMP_CTX_push0_genm_ITAV failed"); | ||
| goto err; |
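Review bot: On the failure branch `itav` is still owned by the caller — an OpenSSL `push0` function takes ownership only when it succeeds — so the `goto err` on the last line leaks it unless the `err` label frees it, which lies outside the hunk. Either add `OSSL_CMP_ITAV_free(itav);` before that `goto err`, or let the `err` label free `itav` and set `itav = NULL` right after a successful push so it is not freed twice. The enclosing function starts and ends outside the hunk.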
| [cmp] # mock server configuration | ||
|
|
||
| port = 0 | ||
| port = 8888 |
do not set the port here but in the respective new .sh file(s)
|
|
||
| typedef struct CMP_CTX { | ||
| OSSL_CMP_CTX *osslctx; | ||
| bool do_rats; | ||
| struct token_req tpm_kd_req; | ||
| struct token_req attest_chal; | ||
| } CMP_CTX; | ||
|
|
||
|
|
Please avoid extending OSSL_CMP_CTX,
as this should not be needed at all -
please keep all RAT-related data local in cmpClient().
Motivation
Implement [CMPwithKeyAttesation-POC.pptx](https://siemens-my.sharepoint.com/:p:/r/personal/ranjan_rajeev_siemens_com/Documents/Work/RATS/MDC-Provisioning/FY25-POC-output/CMPwithKeyAttesation-POC.pptx?d=w0038945968694af3a1029a2406b05285&csf=1&web=1&e=hvzIjl), Slide #24
Proposed Changes
Test Plan
Modified OpenSSL CMP mock with verifier and/or
Modified CmpRaComponent with interface to verifier