mpeylo / cmpossl

An OpenSSL-based implementation of the Certificate Management Protocol (CMP), defined in IETF RFCs 4210, 4211, and 6712. It is being extended according to the emerging RFCs 'CMP Updates' (CMPv3), 'CMP Algorithms', and 'Lightweight CMP Profile'.
https://github.com/mpeylo/cmpossl/wiki

Unable to compile the standalone cmp library with openssl 1.1.1d #221

Closed NAVEENJOYALEX closed 2 years ago

NAVEENJOYALEX commented 2 years ago

Hello Team,

I tried to dynamically load the libcmp following the wiki instructions. I am unable to include cmp.h and crmf.h in my application because of these errors: I have placed the -Wno-discarded-qualifiers -Wno-incompatible-pointer-types -Wno-unused-parameter pragmas.

 [exec] In file included from /usr/include/openssl/cmp.h:23,
 [exec]                  from pkissh.cpp:24:
 [exec] /usr/include/openssl/crmf.h:52:1: error: expected constructor, destructor, or type conversion before 'SKM_DEFINE_STACK_OF_INTERNAL'
 [exec]  SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CRMF_MSG, OSSL_CRMF_MSG, OSSL_CRMF_MSG)
 [exec]  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
 [exec] In file included from /usr/include/openssl/cmp.h:23,
 [exec]                  from pkissh.cpp:24:
 [exec] /usr/include/openssl/crmf.h:87:1: error: expected constructor, destructor, or type conversion before 'SKM_DEFINE_STACK_OF_INTERNAL'
 [exec]  SKM_DEFINE_STACK_OF_INTERNAL(OSSL_CRMF_CERTID, OSSL_CRMF_CERTID, OSSL_CRMF_CERTID)
 [exec]  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
 [exec] In file included from /usr/include/openssl/objects.h:15,
 [exec]                  from /usr/include/openssl/evp.h:28,
 [exec]                  from /usr/include/openssl/x509.h:18,
 [exec]                  from PkiObj.hpp:72,
 [exec]                  from pkissh.cpp:20:
 [exec] /usr/include/openssl/crmf.h:116:1: error: 'OSSL_CRMF_PKIPUBLICATIONINFO' does not name a type; did you mean 'OSSL_CRMF_POPOSIGNINGKEY'?
 [exec]  DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKIPUBLICATIONINFO)
 [exec]  ^~~~~~~~~~~~~~~~~~~~~~
 [exec] /usr/include/openssl/crmf.h:116:1: error: variable or field 'OSSL_CRMF_PKIPUBLICATIONINFO_free' declared void
 [exec]  DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKIPUBLICATIONINFO)
 [exec]  ^~~~~~~~~~~~~~~~~~~~~~
 [exec] /usr/include/openssl/crmf.h:116:1: error: 'OSSL_CRMF_PKIPUBLICATIONINFO' was not declared in this scope
 [exec] /usr/include/openssl/crmf.h:116:1: note: suggested alternative: 'OSSL_CRMF_POPOSIGNINGKEY'
 [exec] /usr/include/openssl/crmf.h:116:1: error: 'a' was not declared in this scope
 [exec]  DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKIPUBLICATIONINFO)
 [exec]  ^~~~~~~~~~~~~~~~~~~~~~
 [exec] /usr/include/openssl/crmf.h:116:1: error: 'OSSL_CRMF_PKIPUBLICATIONINFO' does not name a type; did you mean 'OSSL_CRMF_POPOSIGNINGKEY'?
 [exec]  DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKIPUBLICATIONINFO)
 [exec]  ^~~~~~~~~~~~~~~~~~~~~~
 [exec] /usr/include/openssl/crmf.h:116:1: error: 'OSSL_CRMF_PKIPUBLICATIONINFO' was not declared in this scope
 [exec]  DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKIPUBLICATIONINFO)
 [exec]  ^~~~~~~~~~~~~~~~~~~~~~
 [exec] /usr/include/openssl/crmf.h:116:1: note: suggested alternative: 'i2d_OSSL_CRMF_PKIPUBLICATIONINFO'
 [exec] /usr/include/openssl/crmf.h:116:1: error: 'a' was not declared in this scope
 [exec]  DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKIPUBLICATIONINFO)
 [exec]  ^~~~~~~~~~~~~~~~~~~~~~
 [exec] /usr/include/openssl/crmf.h:116:1: error: expected primary-expression before 'unsigned'
 [exec]  DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKIPUBLICATIONINFO)
 [exec]  ^~~~~~~~~~~~~~~~~~~~~~
 [exec] /usr/include/openssl/crmf.h:116:1: error: expression list treated as compound expression in initializer [-fpermissive]
 [exec]  DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKIPUBLICATIONINFO)
 [exec]  ^~~~~~~~~~~~~~~~~~~~~~
 [exec] In file included from /usr/include/openssl/cmp.h:23,
 [exec]                  from pkissh.cpp:24:
 [exec] /usr/include/openssl/crmf.h:127:44: error: 'OSSL_LIB_CTX' was not declared in this scope
 [exec]  OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OSSL_LIB_CTX *libctx, size_t slen,
 [exec]                                             ^~~~~~~~~~~~
 [exec] /usr/include/openssl/crmf.h:127:44: note: suggested alternative: 'OCSP_REQ_CTX'
 [exec]  OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OSSL_LIB_CTX *libctx, size_t slen,
 [exec]                                             ^~~~~~~~~~~~
 [exec]                                             OCSP_REQ_CTX
 [exec] /usr/include/openssl/crmf.h:127:58: error: 'libctx' was not declared in this scope
 [exec]  OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OSSL_LIB_CTX *libctx, size_t slen,
 [exec]                                                           ^~~~~~
 [exec] /usr/include/openssl/crmf.h:127:58: note: suggested alternative: 'linux'
 [exec]  OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OSSL_LIB_CTX *libctx, size_t slen,
 [exec]                                                           ^~~~~~
 [exec]                                                           linux
 [exec] /usr/include/openssl/crmf.h:127:73: error: expected primary-expression before 'slen'
 [exec]  OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OSSL_LIB_CTX *libctx, size_t slen,
 [exec]                                                                          ^~~~
 [exec] /usr/include/openssl/crmf.h:128:44: error: expected primary-expression before 'int'
 [exec]                                             int owfnid, size_t itercnt,
 [exec]                                             ^~~
 [exec] /usr/include/openssl/crmf.h:128:63: error: expected primary-expression before 'itercnt'
 [exec]                                             int owfnid, size_t itercnt,
 [exec]                                                                ^~~~~~~
 [exec] /usr/include/openssl/crmf.h:129:44: error: expected primary-expression before 'int'
 [exec]                                             int macnid);
 [exec]                                             ^~~
 [exec] /usr/include/openssl/crmf.h:129:54: error: expression list treated as compound expression in initializer [-fpermissive]
 [exec]                                             int macnid);
 [exec]                                                       ^
 [exec] /usr/include/openssl/crmf.h:130:23: error: 'OSSL_LIB_CTX' was not declared in this scope
 [exec]  int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq,
 [exec]                        ^~~~~~~~~~~~
 [exec] /usr/include/openssl/crmf.h:130:23: note: suggested alternative: 'OCSP_REQ_CTX'
 [exec]  int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq,
 [exec]                        ^~~~~~~~~~~~
 [exec]                        OCSP_REQ_CTX
 [exec] /usr/include/openssl/crmf.h:130:37: error: 'libctx' was not declared in this scope
 [exec]  int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq,
 [exec]                                      ^~~~~~
 [exec] /usr/include/openssl/crmf.h:130:37: note: suggested alternative: 'linux'
 [exec]  int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq,
 [exec]                                      ^~~~~~
 [exec]                                      linux
 [exec] /usr/include/openssl/crmf.h:130:45: error: expected primary-expression before 'const'
 [exec]  int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq,
 [exec]                                              ^~~~~
 [exec] /usr/include/openssl/crmf.h:131:23: error: expected primary-expression before 'const'
 [exec]                        const OSSL_CRMF_PBMPARAMETER *pbmp,
 [exec]                        ^~~~~
 [exec] /usr/include/openssl/crmf.h:132:23: error: expected primary-expression before 'const'
 [exec]                        const unsigned char *msg, size_t msglen,
 [exec]                        ^~~~~
 [exec] /usr/include/openssl/crmf.h:132:56: error: expected primary-expression before 'msglen'
 [exec]                        const unsigned char *msg, size_t msglen,
 [exec]                                                         ^~~~~~
 [exec] /usr/include/openssl/crmf.h:133:23: error: expected primary-expression before 'const'
 [exec]                        const unsigned char *sec, size_t seclen,
 [exec]                        ^~~~~
 [exec] /usr/include/openssl/crmf.h:133:56: error: expected primary-expression before 'seclen'
 [exec]                        const unsigned char *sec, size_t seclen,
 [exec]                                                         ^~~~~~
 [exec] /usr/include/openssl/crmf.h:134:23: error: expected primary-expression before 'unsigned'
 [exec]                        unsigned char **mac, size_t *maclen);
 [exec]                        ^~~~~~~~
 [exec] /usr/include/openssl/crmf.h:134:51: error: expected primary-expression before '*' token
 [exec]                        unsigned char **mac, size_t *maclen);
 [exec]                                                    ^
 [exec] /usr/include/openssl/crmf.h:134:52: error: 'maclen' was not declared in this scope
 [exec]                        unsigned char **mac, size_t *maclen);
 [exec]                                                     ^~~~~~
 [exec] /usr/include/openssl/crmf.h:134:52: note: suggested alternative: 'mblen'
 [exec]                        unsigned char **mac, size_t *maclen);
 [exec]                                                     ^~~~~~
 [exec]                                                     mblen
 [exec] /usr/include/openssl/crmf.h:134:58: error: expression list treated as compound expression in initializer [-fpermissive]
 [exec]                        unsigned char **mac, size_t *maclen);
 [exec]                                                           ^
 [exec] /usr/include/openssl/crmf.h:146:54: error: 'OSSL_CRMF_PKIPUBLICATIONINFO' was not declared in this scope
 [exec]  OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo(OSSL_CRMF_PKIPUBLICATIONINFO *pi,
 [exec]                                                       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
 [exec] /usr/include/openssl/crmf.h:146:54: note: suggested alternative: 'OSSL_CRMF_PKIPUBLICATIONINFO_it'
 [exec]  OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo(OSSL_CRMF_PKIPUBLICATIONINFO *pi,
 [exec]                                                       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
 [exec]                                                       OSSL_CRMF_PKIPUBLICATIONINFO_it
 [exec] /usr/include/openssl/crmf.h:146:84: error: 'pi' was not declared in this scope
 [exec]  OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo(OSSL_CRMF_PKIPUBLICATIONINFO *pi,
 [exec]                                                                                     ^~
 [exec] /usr/include/openssl/crmf.h:147:78: error: expected primary-expression before '*' token
 [exec]                                                       OSSL_CRMF_SINGLEPUBINFO *spi);
 [exec]                                                                               ^
 [exec] /usr/include/openssl/crmf.h:147:79: error: 'spi' was not declared in this scope
 [exec]                                                       OSSL_CRMF_SINGLEPUBINFO *spi);
 [exec]                                                                                ^~~
 [exec] /usr/include/openssl/crmf.h:147:82: error: expression list treated as compound expression in initializer [-fpermissive]
 [exec]                                                       OSSL_CRMF_SINGLEPUBINFO *spi);
 [exec]                                                                                   ^
 [exec] /usr/include/openssl/crmf.h:156:49: error: 'OSSL_CRMF_PKIPUBLICATIONINFO' was not declared in this scope
 [exec]  int OSSL_CRMF_MSG_set_PKIPublicationInfo_action(OSSL_CRMF_PKIPUBLICATIONINFO *pi,
 [exec]                                                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
 [exec] /usr/include/openssl/crmf.h:156:49: note: suggested alternative: 'OSSL_CRMF_PKIPUBLICATIONINFO_it'
 [exec]  int OSSL_CRMF_MSG_set_PKIPublicationInfo_action(OSSL_CRMF_PKIPUBLICATIONINFO *pi,
 [exec]                                                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
 [exec]                                                  OSSL_CRMF_PKIPUBLICATIONINFO_it
 [exec] /usr/include/openssl/crmf.h:156:79: error: 'pi' was not declared in this scope
 [exec]  int OSSL_CRMF_MSG_set_PKIPublicationInfo_action(OSSL_CRMF_PKIPUBLICATIONINFO *pi,
 [exec]                                                                                ^~
 [exec] /usr/include/openssl/crmf.h:157:49: error: expected primary-expression before 'int'
 [exec]                                                  int action);
 [exec]                                                  ^~~
 [exec] /usr/include/openssl/crmf.h:157:59: error: expression list treated as compound expression in initializer [-fpermissive]
 [exec]                                                  int action);
 [exec]                                                            ^
 [exec] /usr/include/openssl/crmf.h:159:57: error: 'OSSL_CRMF_PKIPUBLICATIONINFO' does not name a type; did you mean 'OSSL_CRMF_PKIPUBLICATIONINFO_it'?
 [exec]                                                    const OSSL_CRMF_PKIPUBLICATIONINFO *pi);
 [exec]                                                          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
 [exec]                                                          OSSL_CRMF_PKIPUBLICATIONINFO_it
 [exec] /usr/include/openssl/crmf.h:160:1: error: 'OSSL_CRMF_PKIPUBLICATIONINFO' does not name a type; did you mean 'OSSL_CRMF_PKIPUBLICATIONINFO_it'?
 [exec]  OSSL_CRMF_PKIPUBLICATIONINFO

Thank you.

DDvO commented 2 years ago

Hello, thanks for your report. The instructions on the wiki page unfortunately are outdated. I suggest using genCMPClient instead, which also supports building and using a standalone CMP library.

NAVEENJOYALEX commented 2 years ago

Hi @DDvO ,

Thank you for your response. I cloned the genCMPClient but the make target for "make get_submodules" is failing for openssl 1.1.1d

fatal: reference is not a tree: c78e5acd89dffd1dfd8068d0a5b310a44e5e371e
Unable to checkout 'c78e5acd89dffd1dfd8068d0a5b310a44e5e371e' in submodule path 'cmpossl'
Makefile:189: recipe for target 'cmpossl/include' failed

Is this because of unpushed commits in the cmpossl submodule?

BR.

DDvO commented 2 years ago

Hmm, strange, something seems inconsistent with the submodules. This must be unrelated to the OpenSSL version (1.1.1d or whichever) to be used. I just tried the following myself, and it all worked fine:

cd /tmp && git clone https://github.com/siemens/gencmpclient.git
Cloning into 'gencmpclient'...
remote: Enumerating objects: 206, done.
remote: Counting objects: 100% (206/206), done.
remote: Compressing objects: 100% (150/150), done.
remote: Total 206 (delta 58), reused 186 (delta 40), pack-reused 0
Receiving objects: 100% (206/206), 7.90 MiB | 669.00 KiB/s, done.
Resolving deltas: 100% (58/58), done.
cd gencmpclient && make

detected OpenSSL version 1.1.x
enabling compilation with standalone CMP library
git submodule update --progress --init --depth 1 libsecutils
Submodule 'libsecutils' (http://github.com/siemens/libsecutils.git) registered for path 'libsecutils'
Cloning into '/tmp/gencmpclient/libsecutils'...
remote: Enumerating objects: 97, done.        
remote: Counting objects: 100% (97/97), done.        
remote: Compressing objects: 100% (88/88), done.        
remote: Total 97 (delta 1), reused 70 (delta 0), pack-reused 0        
Submodule path 'libsecutils': checked out '415b900b16fb7ff29db3c464d86a844b288646fc'
git submodule update --progress --init --depth 1 cmpossl
Submodule 'cmpossl' (http://github.com/mpeylo/cmpossl.git) registered for path 'cmpossl'
Cloning into '/tmp/gencmpclient/cmpossl'...
remote: Enumerating objects: 24198, done.        
remote: Counting objects: 100% (24198/24198), done.        
remote: Compressing objects: 100% (19273/19273), done.        
remote: Total 24198 (delta 1768), reused 20734 (delta 1473), pack-reused 0        
Receiving objects: 100% (24198/24198), 20.71 MiB | 593.00 KiB/s, done.
Resolving deltas: 100% (1768/1768), done.
remote: Total 0 (delta 0), reused 0 (delta 0), pack-reused 0
remote: Enumerating objects: 4891, done.
remote: Counting objects: 100% (4891/4891), done.
remote: Compressing objects: 100% (2531/2531), done.
remote: Total 2738 (delta 2018), reused 483 (delta 186), pack-reused 0
Receiving objects: 100% (2738/2738), 2.89 MiB | 684.00 KiB/s, done.
Resolving deltas: 100% (2018/2018), completed with 1773 local objects.
From http://github.com/mpeylo/cmpossl
 * branch              c78e5acd89dffd1dfd8068d0a5b310a44e5e371e -> FETCH_HEAD
Submodule path 'cmpossl': checked out 'c78e5acd89dffd1dfd8068d0a5b310a44e5e371e'
make -C cmpossl -f Makefile_cmp build DEBUG_FLAGS="-g -O0 -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all " CFLAGS="-DOPENSSL_FUNC=__func__ " OUT_DIR="../." OPENSSL_DIR="/usr"
make[1]: Entering directory '/tmp/gencmpclient/cmpossl'
detected OpenSSL version 1.1.x
...

NAVEENJOYALEX commented 2 years ago

Thank you for checking it. The make targets work if the underlying version is 3.0.0 as only header files are populated in the cmpossl submodule.

For 1.1.1, it fails to checkout cmpossl.

detected OpenSSL version 1.1.x
enabling compilation with standalone CMP library
git submodule update  --init --depth 1 libsecutils
Submodule 'libsecutils' (https://github.com/siemens/libsecutils.git) registered for path 'libsecutils'
Cloning into 'libsecutils'...
remote: Enumerating objects: 97, done.
remote: Counting objects: 100% (97/97), done.
remote: Compressing objects: 100% (88/88), done.
remote: Total 97 (delta 1), reused 70 (delta 0), pack-reused 0
Unpacking objects: 100% (97/97), done.
Checking connectivity... done.
Submodule path 'libsecutils': checked out '415b900b16fb7ff29db3c464d86a844b288646fc'
git submodule update  --init --depth 1 cmpossl
Submodule 'cmpossl' (https://github.com/mpeylo/cmpossl.git) registered for path 'cmpossl'
Cloning into 'cmpossl'...
remote: Enumerating objects: 24198, done.
remote: Counting objects: 100% (24198/24198), done.
remote: Compressing objects: 100% (19273/19273), done.
remote: Total 24198 (delta 1768), reused 20734 (delta 1473), pack-reused 0
Receiving objects: 100% (24198/24198), 20.71 MiB | 4.04 MiB/s, done.
Resolving deltas: 100% (1768/1768), done.
Checking connectivity... done.
fatal: reference is not a tree: c78e5acd89dffd1dfd8068d0a5b310a44e5e371e
Unable to checkout 'c78e5acd89dffd1dfd8068d0a5b310a44e5e371e' in submodule path 'cmpossl'
Makefile:189: recipe for target 'cmpossl/include' failed
make: *** [cmpossl/include] Error 1

The cmpossl submodule head is at a commit different from the c78e5acd89dffd1dfd8068d0a5b310a44e5e371e tree.

genCMPClient/cmpossl$ git log
commit fb886a3d593f9382d7a175b130fa868066b66269
Author: Dr. David von Oheimb <David.von.Oheimb@siemens.com>
Date:   Mon Mar 8 14:23:57 2021 +0100

    add auto-generated doc/man1

Thank you.

DDvO commented 2 years ago

Sorry to hear that you still have problems getting to the right commit. It looks like for some reason you are on the wrong cmpossl branch, namely cmp:

commit fb886a3d593f9382d7a175b130fa868066b66269 (origin/cmp, origin/HEAD)
Author: Dr. David von Oheimb <David.von.Oheimb@siemens.com>
Date:   Mon Mar 8 14:23:57 2021 +0100

    add auto-generated doc/man1/openssl-cmp.pod for supporting direct viewing in web browsers

while the correct current branch for the standalone CMP library is cmp-lib4.

What happens if you try manually correcting this as follows?

cd cmpossl && git checkout cmp-lib4

or

cd cmpossl && git checkout c78e5ac

And what is the output of cd cmpossl && git remote -v ?

NAVEENJOYALEX commented 2 years ago

Thanks DDvO. How can I add cmp-lib4 into the git pathspec? I am unable to check them out.

genCMPClient/cmpossl$ git remote -v
origin https://github.com/mpeylo/cmpossl.git (fetch)
origin https://github.com/mpeylo/cmpossl.git (push)
genCMPClient/cmpossl$ git checkout cmp-lib4
error: pathspec 'cmp-lib4' did not match any file(s) known to git.
genCMPClient/cmpossl$ git checkout c78e5ac
error: pathspec 'c78e5ac' did not match any file(s) known to git.

DDvO commented 2 years ago

The remote is fine, so the issue must be elsewhere. As a workaround, please run the following in the cmpossl dir:

git config remote.origin.fetch "+refs/heads/*:refs/remotes/origin/*"
git fetch
git checkout cmp-lib4

NAVEENJOYALEX commented 2 years ago

This works, I can build the cmpClient app now. Thank you!
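
The make output in this thread runs `git submodule update --init --depth 1 cmpossl`. As an added example (not from the thread or the project), the script below reproduces one condition under which a pinned commit is missing after such a clone, namely a fetch refspec that covers only the default branch, and then applies the three workaround commands. The repositories, file names and helper function names are constructed for the demonstration; it assumes `git` is installed.

```shell
#!/bin/sh
# Added example (not from the thread): uses constructed local repositories only.
G="git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false"

# Constructed upstream: default branch "cmp", pinned commit on "cmp-lib4".
# Prints the id of the pinned commit.
make_upstream() {   # $1 = directory to create
    (
        mkdir -p "$1" && cd "$1" || exit 1
        git init -q . && git symbolic-ref HEAD refs/heads/cmp
        echo base > f && git add f && $G commit -q -m "base"
        git checkout -q -b cmp-lib4
        echo lib > f && $G commit -q -a -m "standalone library"
        git rev-parse HEAD
        git checkout -q cmp
        echo doc > f && $G commit -q -a -m "docs"
    )
}

# --depth implies --single-branch, so only the default branch is fetched.
shallow_clone() {   # $1 = upstream dir (absolute path), $2 = clone dir
    git clone -q --depth 1 "file://$1" "$2"
}

fetch_refspec() {   # $1 = repo; prints the configured fetch refspec(s)
    git -C "$1" config --get-all remote.origin.fetch
}

has_commit() {      # $1 = repo, $2 = commit id; exit status 0 if present
    git -C "$1" cat-file -e "$2^{commit}" 2>/dev/null
}

# The three workaround commands from the thread, run against repo $1.
apply_workaround() {
    git -C "$1" config remote.origin.fetch "+refs/heads/*:refs/remotes/origin/*" &&
    git -C "$1" fetch -q &&
    git -C "$1" checkout -q cmp-lib4
}

demo() {
    tmp=$(mktemp -d) || return 1
    pin=$(make_upstream "$tmp/up") || return 1
    shallow_clone "$tmp/up" "$tmp/clone" || return 1
    echo "refspec before: $(fetch_refspec "$tmp/clone")"
    if has_commit "$tmp/clone" "$pin"; then echo "pinned commit present"
    else echo "pinned commit missing (checkout fails: not a tree)"; fi
    apply_workaround "$tmp/clone" || return 1
    echo "refspec after:  $(fetch_refspec "$tmp/clone")"
    [ "$(git -C "$tmp/clone" rev-parse HEAD)" = "$pin" ] && echo "HEAD is the pinned commit"
    rm -rf "$tmp"
}
demo
```

Comparing `git rev-parse HEAD` in the submodule with the id recorded by the superproject confirms that the build uses the pinned commit rather than whatever the default branch currently points to.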