
add support for ML-DSA and TPM2-held keys referenced via handle; OpenSSL 4.0 compat#119

Draft
DDvO wants to merge 27 commits into master from extend_KEY_new

Conversation

@DDvO DDvO (Member) commented Apr 24, 2026

usage examples:

  • ./cmpClient imprint -section EJBCA -newkeytype "ML-DSA-65"
  • ./cmpClient imprint -section EJBCA -newkey "tpm2:handle=0x81000001"

On this occasion also:

  • various other small fixes and adaptations for OpenSSL 4.0 compatibility
  • fixes regarding the -tls_host option and SNI and related documentation
  • fixes on genericCMPClient_util.{c,h}
  • tweaks of demo_EJBCA
  • align 80-test_cmp_http.t with latest upstream OpenSSL version of that script, fixing CI hangs for OpenSSL 3.6+

@DDvO DDvO added the enhancement New feature or request label Apr 24, 2026
@DDvO DDvO requested a review from Copilot April 27, 2026 06:57

Copilot AI left a comment


Pull request overview

Adds support needed for newer key types (ML-DSA) and TPM2 handle-referenced keys in the cmpClient workflow by updating how new keys are created and slightly adjusting OpenSSL library detection behavior in the legacy Makefile.

Changes:

  • Switch key generation to KEY_new_ex(..., libctx) to support provider-/libctx-aware algorithms (e.g., ML-DSA) and non-file key references.
  • Adjust Makefile_v1 behavior when libcrypto cannot be found by disabling a previously-run diagnostic fallback call.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File / Description
src/cmpClient.c: Uses KEY_new_ex() with the app libctx when generating a new key for enrollment flows.
Makefile_v1: Removes (comments out) a fallback call that previously re-ran OpenSSL lib detection to emit diagnostics before failing.


Comment thread Makefile_v1 Outdated
Comment thread src/cmpClient.c
Comment thread src/cmpClient.c
@DDvO DDvO force-pushed the extend_KEY_new branch 3 times, most recently from 23d630d to 6faf9b2 Compare April 29, 2026 09:22
@DDvO DDvO requested a review from Copilot April 29, 2026 09:24
@DDvO DDvO changed the title add support for ML-DSA and TPM2-held keys referenced via handle add support for ML-DSA and TPM2-held keys referenced via handle; OpenSSL 4.0 compat Apr 29, 2026

Copilot AI left a comment


Pull request overview

Copilot reviewed 12 out of 13 changed files in this pull request and generated 6 comments.


Comment thread src/cmpClient.c Outdated
Comment thread src/cmpClient.c
Comment thread doc/cmpClient.pod Outdated
Comment thread doc/cmpClient.pod Outdated
Comment thread doc/cmpClient.pod Outdated
Comment thread README.md Outdated
@DDvO DDvO force-pushed the extend_KEY_new branch 3 times, most recently from aa867cb to a6dec70 Compare April 29, 2026 12:57
@DDvO DDvO force-pushed the extend_KEY_new branch 2 times, most recently from ccf639a to 62cb823 Compare May 11, 2026 17:35
@DDvO DDvO requested a review from Copilot May 11, 2026 17:36

Copilot AI left a comment


Pull request overview

Copilot reviewed 16 out of 19 changed files in this pull request and generated 8 comments.

Comment thread test/recipes/80-test_cmp_http.t
Comment thread test/recipes/80-test_cmp_http.t Outdated
Comment thread test/recipes/80-test_cmp_http.t
Comment thread test/recipes/80-test_cmp_http.t Outdated
Comment thread test/recipes/80-test_cmp_http.t Outdated
Comment thread include/genericCMPClient.h Outdated
Comment thread doc/cmpClient.pod Outdated
Comment thread doc/cmpClient.pod Outdated

Copilot AI left a comment


Pull request overview

Copilot reviewed 21 out of 25 changed files in this pull request and generated 5 comments.

Comment thread src/credential_loading.c Outdated
Comment thread src/credential_loading.c Outdated
Comment thread Makefile_v1 Outdated
Comment thread src/cmpClient.c
Comment thread src/genericCMPClient.c
Comment thread creds/docker/Docker_Playground_CMP.pem Fixed
Comment thread creds/docker/Docker_Playground_TLS.pem Fixed

Copilot AI left a comment


Pull request overview

Copilot reviewed 23 out of 27 changed files in this pull request and generated 6 comments.

Comment thread src/genericCMPClient_util.c Outdated
Comment thread src/genericCMPClient.c
Comment thread src/credential_loading.c Outdated
Comment thread src/credential_loading.c Outdated
Comment thread src/credential_loading.c
Comment thread src/cmpClient.c
@DDvO DDvO force-pushed the extend_KEY_new branch 2 times, most recently from 2ca5abf to 374def0 Compare May 15, 2026 22:25

Copilot AI left a comment


Pull request overview

Copilot reviewed 23 out of 27 changed files in this pull request and generated no new comments.

DDvO added 16 commits May 18, 2026 19:08
…_server-docker-cn.txt, add EJBCA_TLS_SERVCER_CERTS
…_add_nconf_sk() makes empty exts NULL since OpenSSL 4.0
@DDvO DDvO force-pushed the extend_KEY_new branch from e2f85d4 to 01512f3 Compare May 18, 2026 17:09
@sonarqubecloud

Quality Gate failed

Failed conditions
1 Security Hotspot
26.0% Coverage on New Code (required ≥ 80%)
12.4% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud
