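--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -3,6 +3,18 @@ cmake_minimum_required(VERSION 3.18)
 project(libgencmp)
 set(LIBGENCMP_NAME gencmp)
 
+include(ExternalProject)
+ExternalProject_Add(
+atg
+GIT_REPOSITORY git@code.siemens.com:ct-rda-cst-ses-de/remote-attestation/base-functionality/attestation-token-generator
+GIT_TAG ak/tcg-key-attestation-plugin
+CONFIGURE_COMMAND ""
+BUILD_COMMAND ""
+INSTALL_COMMAND ""
+TEST_COMMAND ""
+SOURCE_DIR atg
+)
+
 if(NOT DEFINED GENCMPCLIENT_VERSION)
 set(GENCMPCLIENT_VERSION_MAJOR 2)
 set(GENCMPCLIENT_VERSION_MINOR 2)
@@ -215,7 +227,7 @@ if(DEFINED USE_LIBCMP)
 endif()
 
 include_directories(
-${INC_DIR}
+${INC_DIR} ${PROJECT_SOURCE_DIR}/atg
 )
 if(DEFINED USE_LIBCMP)
 include_directories(SYSTEM ${CMPOSSL_INC_DIR}/cmp)
@@ -288,6 +300,7 @@ target_link_libraries(cmpClient
 # important: libcmp before libcrypto such that its contents are preferred
 OpenSSL::Crypto
 $<$<NOT:$<BOOL:${GENCMP_NO_TLS}>>:OpenSSL::SSL>
+${PROJECT_SOURCE_DIR}/atg/atglib-key-attestation-demo/libatg.so
 )
 if(DEFINED ENV{SECUTILS_USE_UTA})
 target_link_libraries(cmpClient uta)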
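Review bot: `GIT_TAG ak/tcg-key-attestation-plugin` pins the attestation-token-generator dependency to a moving branch, so each fresh configure fetches whatever that branch holds at the time over SSH, and nothing in the file builds or orders libatg.so before cmpClient links it by absolute path in the third hunk (`BUILD_COMMAND ""`, no `add_dependencies`). Pin GIT_TAG to a reviewed commit hash, express the link through an IMPORTED target that depends on the `atg` step, and make `SOURCE_DIR atg` and the `${PROJECT_SOURCE_DIR}/atg` include/link paths resolve to one directory — as written SOURCE_DIR is relative and appears to land under the build directory while the include and link paths look in the source tree. Whether libatg.so is a prebuilt binary committed to that repository or has to be built cannot be told from here; if it is prebuilt, its provenance should be checked before it is linked into cmpClient. The `include_directories` edit in the second hunk also leaks the atg path to every target in the directory, where `target_include_directories(cmpClient PRIVATE ...)` keeps it scoped.
```cmake
include(ExternalProject)
set(LIBGENCMP_ATG_DIR ${CMAKE_CURRENT_BINARY_DIR}/atg)  # single definition for SOURCE_DIR, include and link paths
ExternalProject_Add(
  atg
  GIT_REPOSITORY git@code.siemens.com:ct-rda-cst-ses-de/remote-attestation/base-functionality/attestation-token-generator
  GIT_TAG <PINNED_COMMIT_SHA>  # placeholder: a reviewed commit hash, not the moving branch
  # … unchanged: empty CONFIGURE/BUILD/INSTALL/TEST commands …
  SOURCE_DIR ${LIBGENCMP_ATG_DIR}
)
add_library(atg::atg SHARED IMPORTED)
set_target_properties(atg::atg PROPERTIES
  IMPORTED_LOCATION "${LIBGENCMP_ATG_DIR}/atglib-key-attestation-demo/libatg.so")
add_dependencies(atg::atg atg)  # the fetch step runs before anything links the library
# … unchanged: version detection, INC_DIR, cmpClient target …
target_include_directories(cmpClient PRIVATE ${LIBGENCMP_ATG_DIR})
target_link_libraries(cmpClient
  # … unchanged: libcmp, OpenSSL::Crypto, OpenSSL::SSL …
  atg::atg
)
```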
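--- a/doCrWithRat.sh
+++ b/doCrWithRat.sh
@@ -0,0 +1,15 @@
+cd ./test/recipes/80-test_cmp_http_data/Mock
+# gdb --args \
+../../../../cmpClient \
+-config ../test.cnf \
+-section "Mock" -cmd cr \
+-rats \
+-tpmkd_tokenname "tcg-key-req" \
+-tpmkd_tokencfgpath "../../../../atg/atglib-key-attestation-demo/token-cfg.json" \
+-tpmkd_plugincfgpath "../../../../atg/atglib-key-attestation-demo/plugins.json" \
+-tpmkd_nonce test_nonce_1234 \
+-atcha_tokenname "tcg-key-chal" \
+-atcha_tokencfgpath "../../../../atg/atglib-key-attestation-demo/token-cfg.json" \
+-atcha_plugincfgpath "../../../../atg/atglib-key-attestation-demo/plugins.json" \
+-atcha_nonce test_nonce_5678
+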
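Review bot: The script has no shebang and no failure check on the leading `cd`, so a wrong working directory lets the relative `../../../../cmpClient` invocation and the token/plugin config paths resolve to nothing or to a different checkout. Start it with `#!/bin/sh` and `set -eu`, and write the first line as `cd ./test/recipes/80-test_cmp_http_data/Mock || exit 1`. The fixed `-tpmkd_nonce test_nonce_1234` and `-atcha_nonce test_nonce_5678` values are acceptable against the Mock server but give none of the freshness a nonce is there for; a one-line comment stating that this script targets the Mock setup only would keep it from being copied into a real enrolment flow.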
4 changes: 4 additions & 0 deletions env.sh
@@ -0,0 +1,4 @@
export OPENSSL_DIR=~/git/openssl
export OPENSSL_LIB=~/git/openssl
export LD_LIBRARY_PATH=~/git/openssl/:~/git/gencmpclient
export PATH=~/git/openssl/apps:$PATH
Why would we need this?
The LD_LIBRARY_PATH should generally not be needed due to rpath.
Everything else is user-specific, not for general use in this project.
Better not commit this file.

17 changes: 13 additions & 4 deletions include/genericCMPClient.h
Expand Up @@ -35,7 +35,6 @@ extern "C" {
/* for low-level CMP API, in particular, type OSSL_CMP_CTX */
# include <openssl/cmp.h>
/* for abbreviation and backward compatibility: */
typedef OSSL_CMP_CTX CMP_CTX;

# if OPENSSL_VERSION_NUMBER < 0x30000080L
# define OSSL_CMP_PKISTATUS_request -3
Expand Down Expand Up @@ -126,6 +125,16 @@ typedef int CMP_err;
# include "genericCMPClient_util.h"
# endif /* ndef GENCMP_NO_SECUTILS */

#include "atglib-key-attestation-demo/libatg.h"

typedef struct CMP_CTX {
OSSL_CMP_CTX *osslctx;
bool do_rats;
struct token_req tpm_kd_req;
struct token_req attest_chal;
} CMP_CTX;


Please avoid extending OSSL_CMP_CTX,
ai this should not be needed at all -
please keep all RAT-related data local in cmpClient().

/* CMP client core functions */
/* should be called once, as soon as the application starts */
CMP_err CMPclient_init(OPTIONAL const char *name, OPTIONAL LOG_cb_t log_fn);
Expand Down Expand Up @@ -216,10 +225,10 @@ CMP_err CMPclient_pkcs10(CMP_CTX *ctx, CREDENTIALS **new_creds,
const X509_REQ *csr);
CMP_err CMPclient_update(CMP_CTX *ctx, CREDENTIALS **new_creds,
OPTIONAL const EVP_PKEY *new_key);
CMP_err CMPclient_update_anycert(OSSL_CMP_CTX *ctx, CREDENTIALS **new_creds,
CMP_err CMPclient_update_anycert(CMP_CTX *ctx, CREDENTIALS **new_creds,
OPTIONAL const X509 *old_cert,
OPTIONAL const EVP_PKEY *new_key);
CMP_err CMPclient_update_with_exts(OSSL_CMP_CTX *ctx, CREDENTIALS **new_creds,
CMP_err CMPclient_update_with_exts(CMP_CTX *ctx, CREDENTIALS **new_creds,
OPTIONAL const X509 *old_cert,
OPTIONAL const EVP_PKEY *new_key,
OPTIONAL const X509_EXTENSIONS *exts);
Expand Down Expand Up @@ -252,7 +261,7 @@ CMP_err CMPclient_crlUpdate(CMP_CTX *ctx, OPTIONAL const X509 *cert,
# endif

/* get error information sent by the server */
char *CMPclient_snprint_PKIStatus(const OSSL_CMP_CTX *ctx,
char *CMPclient_snprint_PKIStatus(const CMP_CTX *ctx,
char *buf, size_t bufsize);

/* must be called between any of the above certificate management activities */
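Review bot: The new `#include "atglib-key-attestation-demo/libatg.h"` in the second hunk makes every consumer of this public header depend on the demo library's headers and include path, and `struct token_req` is embedded by value, so a layout change in libatg silently changes `sizeof(CMP_CTX)` for callers compiled against an older header. The struct also uses `bool`, and no `<stdbool.h>` include is visible in this header — it may arrive transitively, but that is worth confirming. If attestation state has to travel with the context, keep it behind an opaque pointer declared here and defined in the implementation file, e.g. `struct CMP_RAT_state *rat;`, so libatg.h stays out of the installed API. The declarations sit inside the `extern "C"` block that opens above the first hunk, and the new include is written at column 0 while the surrounding file nests its `# include` lines under the enclosing `#if`.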
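--- a/runMock.sh
+++ b/runMock.sh
@@ -0,0 +1,3 @@
+cd ~/git/gencmpclient/test/recipes/80-test_cmp_http_data/Mock
+openssl cmp -config server.cnf
+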
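Review bot: `cd ~/git/gencmpclient/...` on the first line hardcodes one developer's checkout location, so the script only works for that user, and when the `cd` fails the `openssl cmp -config server.cnf` line still runs against whatever the current directory happens to be. Resolve the path from the script's own location and stop on failure: `#!/bin/sh` followed by `cd "$(dirname "$0")/test/recipes/80-test_cmp_http_data/Mock" || exit 1`. Which `openssl` binary runs is decided by PATH at that moment; if this is meant to exercise the project's own OpenSSL build, say so in a comment or invoke it by an explicit path.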