mpeylo / cmpossl

An OpenSSL-based implementation of the Certificate Management Protocol (CMP), defined in IETF RFCs 4210, 4211, and 6712. It is being extended according to the emerging RFCs 'CMP Updates' (CMPv3), 'CMP Algorithms', and 'Lightweight CMP Profile'.
https://github.com/mpeylo/cmpossl/wiki

How do you test the protocol? #229

Closed mickae1 closed 1 year ago

mickae1 commented 1 year ago

Hi, I would like to know if you have a server that is easy to configure to test the protocol cmpv2.

Thank you.

mickae1 commented 1 year ago

I found the option : -use_mock_srv

Do you have an example of this?

mickae1 commented 1 year ago

I don't see support for PSK with the mock server.

DDvO commented 1 year ago

Hi, yes, you can use the CMP mock server that comes with OpenSSL. Yet note that it is very primitive and, for instance, always returns the same (preconfigured) certificate.

As can be seen on the man page, it supports MAC-based message protection with a pre-shared secret using the -srv_secret option. You can run the CMP client in an internal connection with the mock server for instance like this:

openssl cmp -config "" -use_mock_srv \
  -srv_secret pass:1234 -srv_ref xyz       -rsp_cert test/certs/ee-cert.pem \
      -secret pass:1234     -ref xyz -cmd ir -newkey test/certs/ee-key.pem \
      -subject "/CN=any" -certout test.cert.pem

Usage examples could also be taken from the HTTP-based CMP tests within OpenSSL and its mock server configuration file. Here is a simple example for connecting to the mock server via HTTP on your local machine:

openssl cmp -port             8080  -srv_secret pass:1234 -srv_ref xyz       -rsp_cert test/certs/ee-cert.pem
openssl cmp -server localhost:8080      -secret pass:1234     -ref xyz -cmd ir -newkey test/certs/ee-key.pem -subject "/CN=any" -certout test.cert.pem

DDvO commented 1 year ago

As written on the man page, you can also use the Insta demo CA, e.g.:

openssl cmp -config apps/openssl.cnf -section insta \
   -trusted apps/insta.ca.crt -out_trusted apps/insta.ca.crt \
   -cmd cr -newkey test/certs/ee-key.pem \
   -certout test.cert.pem -extracertsout test.extracerts.pem

or without using the pre-defined configuration file:

openssl cmp -server pki.certificate.fi:8700/pkix/ -recipient "/C=FI/O=Insta Demo/CN=Insta Demo CA" \
  -secret pass:insta -ref 3078 \
  -cmd cr -newkey test/certs/ee-key.pem -subject "/CN=test" -certout test.cert.pem

DDvO commented 1 year ago

If you have follow-up questions or problems using the test/demo servers, you can state them here, otherwise please close this issue when you consider it resolved.

DDvO commented 1 year ago

Looks like this can be closed as answered.