Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
David von Oheimb (DDvO) from Siemens and I (mpeylo) from Nokia are planning to create a pull request for the CMP (RFC 4210) extension for OpenSSL in the near future. Even before the official pull request, we would enjoy if the community could already provide any possible thoughts and advice additionally to the generic contribution hints.
The latest code can be found at https://github.com/mpeylo/cmpossl in the "cmp" branch (our long-time SourceForge repo is nowadays discontinued).
The last rebase to OpenSSL master happened on 2018-04-10. Future rebases, done every couple of months and latest before any new pull request, will usually end up in the same "cmp" branch, sqashing all CMP-related commits into one single one, and archiving individual commits into new branches. Therefore, for successfully updating local "cmp" branches, rebasing will require either a fresh "git clone" or "git reset" to the remote branch.
There are extensive man pages for the cmp app and the library API. A quick-start guide is available, including references to a publicly available test server: https://github.com/mpeylo/cmpossl/wiki
The issue tracker with feature requests and bug reports can be found here: https://github.com/mpeylo/cmpossl/issues
We are currently in progress to close outstanding feature requests, and known “bugs”, prioritized to be done before upstream contribution. The most relevant outstanding tasks are polishing-related: increasing the number of unit tests and interoperability tests, consolidating the API, and improving compliance with the OpenSSL coding style. In parallel, David has started carving out and separately contributing general improvements which would also add value for other OpenSSL applications.
It has been over 5 years since the first attempt to submit the CMP patch as legacy RT item # 3101. Since then, a lot of things have happened, in the OpenSSL project, and also on the CMP code. All needed CCLAs, ICLAs are in place, and we have been busy implementing any explicit and implicit advice we got hold of over the years.
We are very close to having the extensive feature set prescribed by the RFC as minimum for standards compliance, with the missing pieces not really supported by any current server-side implementation. For message transfer, there is plain HTTP and also TLS (so HTTPS) support. One can make use of OCSP and CRLs and OCSP for CMP server validation, and use CRLs and OCSP including stapling for TLS server certificate validation.
The main CMP code is in crypto/cmp/, crypto/crmf/, apps/cmp.c, plus headers, documentation, test cases in their usual locations. While making extensive use of it, there is little interference with the other OpenSSL code, besides the absolutely needed additions to build scripts etc.
For quality assurance, we utilize static code analysis and did fuzz testing with leading commercial tools. The API and application documentation is rather complete and extensive - we might even slightly reduce it again along with the ongoing API consolidation. We regularly build on Linux (gcc) and Windows (with both, gcc on cygwin and Visual Studio).
We are constantly testing interoperability with both Insta Certifier and EJBCA, which leads to having a superset of the CMP features they’re implementing. Further, we became aware that there has been successful interoperability testing with other CMP-enabled CAs like RSA BSAFE and Nexus Certificate Manager in the past, at least for the basic set of CMP functionality. Also Wireshark includes a nicely working CMP dissector.
The work on CMP functionality was started by Nokia in 2007, with the main use case for 3GPP-specified LTE base stations. Since 2015 Siemens has become a very active user of and contributor to the CMP code.
There are several rather silent users of the CMP protocol and code; over the years individuals working in the fields of telecommunications, networking, academia, banking, and cloud have been reaching out when they had any questions using the code. Besides the use of CMP in 3GPP specifications, in LTE (aka 4G) and very likely also in the future 5G specifications, there is nowadays also standardized use of CMP in European Train Control Systems. While it might not be public when or where this CMP code is actually used, it is unlikely that there would be other open source or relevant proprietary CMP implementations which wouldn’t be based on this well-featured and nicely working FOSS CMP code.
As mentioned above, any thoughts and advice are very welcome!
This would be a great addition to openssl.
RT # 3101... that brings back some vague memories ;-)
I just looked through the current main commit, and noted a few things that you need to be aware of:
The timing is unfortunate... OpenSSL 1.1.1 is currently in its beta cycle, no new features will be added to it. The earliest a CMP PR can be considered for is OpenSSL 1.1.2 or 1.2.0, whichever we decide will be next. This is not a bad thing in itself, just something to be aware of.
Great to learn about this CMP PR !
Happy to see the CMP PR !