Chunk 12 of CMP contribution to OpenSSL: CLI-based test #11998

DDvO · 2020-05-30T17:10:38Z

Finally the last chunk of the CMP contribution,
adding numerous tests run via the cmp app.

These tests address all previous contribution chunks:

high-level use cases for the CRMF+CMP sub-libraries contributed in chunks 1-7,
using the CMP server lib contributed in chunk 8: Chunk 8 of CMP contribution to OpenSSL: CMP server #11142 and mock server (in chunk 11),
using the CMP client logic contributed in chunk 9: Chunk 9 of CMP contribution to OpenSSL: CMP client and related tests #11300,
using the HTTP client contributed in chunk 10: Chunk 10 of CMP contribution to OpenSSL: CMP HTTP client and related tests #11404, and
the CLI option handling of the cmp app, contributed in chunk 11: Chunk 11 of CMP contribution to OpenSSL: CMP command-line interface #11470.

For part of the test cases the CMP client side is sufficient,
while many tests naturally also require a CMP server.
Therefore we made sure that our contribution contains
a simple CMP server that is sufficient for testing purposes.

The test bed is sufficiently flexible to support addressing also externals servers.
Throughout our development we have been testing against various EJBCA instances,
the Demo CA of the Insta Certifier, and Siemens-internal prototype RA implementations.

While updating and consolidating the many test cases that we have compiled earlier
I came across various issues mostly with the CMP code contributed so far but also
with the internal app library. So this PR also contains commits implementing fixes for
those as far as needed for successfully running all the CMP tests added in this PR.

The high number of lines added by the last commit is mostly due to large test data files.

Checklist

documentation is added or updated
tests are added or updated

DDvO · 2020-05-30T19:39:37Z

Can we have the Perl module Proc::Background installed on the build systems?
I even tried system ("perl -MCPAN -e \"install 'Proc::Background'\"") from within the tests
but no luck.
This module would offer a very nice system-independent way of launching the CMP test server in the background and shutting it down at the end of 81-test_cmp_cli.t.

So far I'm using the system("cmd &") pattern but of course this does not work on Windows.
Meanwhile I've disabled the tests for Windows and made sure they launch fine also on Mac OS.

DDvO · 2020-05-31T10:33:24Z

The Travis s390x build keeps timing out after 50 minutes; everything else works fine.

DDvO · 2020-06-09T06:01:32Z

Again my question:
what is the preferred way of launching a test server to run in parallel to a client and shutting it down at the end of the test?
There would be a nice likely system-independent Perl module for this purpose: Proc::Background, but at least so far it is not available on the build systems.

So I had to restrict these sort of tests to Unix-like systems, where the shell ampersand operator & for running commands in the background, the lsof command, and the kill command are available.

mattcaswell

what is the preferred way of launching a test server to run in parallel to a client and shutting it down at the end of the test?

We do this in util/perl/TLSProxy.pm where we start instances of s_server and s_client and get them to talk to each other. You might like to take a look how it is done there.

apps/lib/opt.c

crypto/cmp/cmp_server.c

doc/internal/man3/ossl_cmp_msg_check_update.pod

doc/man1/openssl-cmp.pod.in

doc/man3/OSSL_CMP_SRV_CTX_new.pod

test/recipes/81-test_cmp_cli.t

…nder CMP options

…g numbers

…ate_msg()

…k_update() Bugfix: allow using extraCerts contained in msg already while checking signature Improve function name, simplify its return value, and update its documentation

Also adds ossl_cmp_hdr_get_protection_nid() simplifying cmp_vfy.c

…ted sender

as checking expected_sender and adding caPubs is not part of msg validation. Also constify a couple of internal and public functions related to cmp_vfy.c

… request template

Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712). Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI. Adds extensive documentation and tests.

DDvO · 2020-06-10T20:04:52Z

Thanks @mattcaswell for your yesterday's review comments!
I've handled all of them, rebased the PR, and squashed the commits where it made sense.

DDvO · 2020-06-10T20:23:27Z

what is the preferred way of launching a test server to run in parallel to a client and shutting it down at the end of the test?

We do this in util/perl/TLSProxy.pm where we start instances of s_server and s_client and get them to talk to each other. You might like to take a look how it is done there.

Thanks @mattcaswell for this hint.
I've meanwhile had a look at util/perl/TLSProxy/Proxy.pm
and its use in test/recipes/70-test_*.t.
This appears pretty cumbersome for the basic use needed in 81-test_cmp_cli.t, and it would be hard to extract a simple mechanism for just launching any process in the background, checking if it is running, and shutting it down later.

With the Perl module Proc::Background it would be very nice and straightforward:

use Proc::Background;

# launch the server:
my $proc = Proc::Background->new({'die_upon_destroy' => 1}, "$cmd $args");
die "Cannot start server" unless $proc;

# interact with the server

# shut down the server:
$proc = undef;

As mentioned above, since unfortunately Proc::Background is not available (by default at least),
I've resorted to using instead the shell ampersand operator & for running commands in the background, the lsof command for obtaining its pid, and the kill command.
Due to this implementation I had to restrict the server-based to tests to Unix-like systems.

Would this be acceptable for the time being,
as long as apparently no general and simple-to-use solution is available?