Can't compile on Centos7

[AndreiBrajnicov]

Steps to reproduce.

./configure

make

And after that I receive following error:

mv -f .deps/libpki_openssl_la-pki_x509_crl.Tpo .deps/libpki_openssl_la-pki_x509_crl.Plo
/bin/sh ../../libtool  --tag=CC   --mode=compile gcc  -I. -I../../src/libpki -I.. -DENABLE_ECDSA=1     -D__LIB_BUILD__  -I/usr/include -g -O2 -fstack-check -maccumulate-outgoing-args -Werror -Wfatal-errors   -DENABLE_ECDSA=1   -I/usr/include/libxml2   -DLINUX -g -O2 -fstack-check -maccumulate-outgoing-args -Werror -MT libpki_openssl_la-pki_x509_req.lo -MD -MP -MF .deps/libpki_openssl_la-pki_x509_req.Tpo -c -o libpki_openssl_la-pki_x509_req.lo `test -f 'pki_x509_req.c' || echo './'`pki_x509_req.c
libtool: compile:  gcc -I. -I../../src/libpki -I.. -DENABLE_ECDSA=1 -D__LIB_BUILD__ -I/usr/include -g -O2 -fstack-check -maccumulate-outgoing-args -Werror -Wfatal-errors -DENABLE_ECDSA=1 -I/usr/include/libxml2 -DLINUX -g -O2 -fstack-check -maccumulate-outgoing-args -Werror -MT libpki_openssl_la-pki_x509_req.lo -MD -MP -MF .deps/libpki_openssl_la-pki_x509_req.Tpo -c pki_x509_req.c  -fPIC -DPIC -o .libs/libpki_openssl_la-pki_x509_req.o
pki_x509_req.c: In function 'PKI_X509_REQ_get_attribute':
pki_x509_req.c:700:34: error: 'X509_REQ' has no member named 'req_info_attributes'
  if (val->req_info != NULL && val->req_info_attributes != NULL) {
                                  ^
compilation terminated due to -Wfatal-errors.
make[2]: *** [libpki_openssl_la-pki_x509_req.lo] Error 1
make[2]: Leaving directory `/usr/local/src/libpki/src/openssl'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/local/src/libpki/src'
make: *** [all-recursive] Error 1

Some additional info:

OpenSSL Configuration:
----------------------

 Library ..............: OpenSSL
 Prefix ...............: /usr
 Compiler Flags .......:   -DENABLE_ECDSA=1
 Linker Flags .........: 
 libs .................: -lssl -lcrypto  
 Support for ECDSA ....: yes

Configuration for libpki 0.9.0 :
--------------------------------

 Architecture .........: linux (64 bits)
 Host System Type .....: x86_64-unknown-linux-gnu
 Supported URLs .......: file http https ldap dns
 Library Version ......: v = 90, r = 90, a = 10
 Install lib path .....: /usr/lib64
 Install path .........: /usr
 Compiler Flags .......: -I/usr/include -g -O2 -fstack-check -maccumulate-outgoing-args -Werror -Wfatal-errors   -DENABLE_ECDSA=1   -I/usr/include/libxml2  
 Linker Flags .........: -L/usr/lib64 -L/usr/lib64 -Wl,-rpath -Wl,"/usr/lib64" 
 Libs .................: -lpthread -ldl -lrt -lldap_r -lssl -lcrypto   -lxml2 -lz -lm -ldl    -lresolv

 Package configured for: \S  (x86_64)

[opencrypto]

Hi Andrei,

are you trying to compile for OpenSSL 1.1.+ ? The OpenSSL's developers have decided to "mask" many of the data structures and provide, instead, access to the data via functions. We are in the process of updating the support for the newer version(s) of OpenSSL and, in the process, to fix some of the LibPKI APIs that had some issues (e.g., non-symmetrical memory management). The effort is taking more time than expected, but it should be over relatively soon.

After that we will need to re-test the whole library and upgrade some parts of it. In particular we want to (in no particular order):

• update the includes structure to avoid the inclusion of non-essentials headers in each file to speedup the compilation of the library
• provide better documentation - in particular, we want to move all the documentation in the headers files to make it available to developers where it matter most. In our experience that should help a lot with the usability of the library in general (also man pages would really be useful, but it is a matter of.. time :D)
• update the support for CMS format (given that OpenSSL's now has its own implementation, we would need to wrap it and provide similar interface to the PKCS#7 one)
• add support for EST (the newer version of SCEP) and maybe add support there for mass-certificate issuing
• complete the PKI_MSG interface to support EST
• Add support for JSON-based configuration files (still in debate if this would be useful)
• Add support for ACME protocol within the PKI_MSG interface (still in debate if this would be useful because of the poor design of the ACME protocol itself which is quite inefficient and mixes users and accounts management with PKI operations - very bad idea)
• Add support for revocation information distribution over DNS.

I guess this is all for now :D Thanks for reporting the issue. We are not sure when the support for OSSL 1.1+ will be done, but we will make a new official release when that will be done (probably an alpha + beta cycles will be needed to fix all the little issues related to the code changes introduced by OpenSSL).

Cheers, Max

[AndreiBrajnicov]

Hi Max.

Thank you for such detailed answer. As answer for your question, I was trying to compile using following openssl version:

# rpm -qa | grep openssl
openssl-libs-1.0.1e-60.el7_3.1.x86_64
openssl-devel-1.0.1e-60.el7_3.1.x86_64
openssl-1.0.1e-60.el7_3.1.x86_64

[opencrypto]

I see... I guess you were trying to compile from the sources ? Which version of LibPKI were you using? I just finished updating the main branch of the repository and it should be able to compile properly on CentOS.. but I have not yet run tests to guarantee the correctness, yet - so do not use it in production. Still working on the port to 1.1.x+ branches of OpenSSL and some API might change because of that...

[opencrypto]

You can safely use the libpki-0.8.9 release (libpki-0.8.9 branch) on CentOS7. You can download the packages directly from the website at https://www.openca.org/projects/libpki/downloads.shtml. We are still working on the master branch to provide full compatibility with the 1.1.x OpenSSL branches.