Makefile_v1,config/demo.cnf: tweak inclusion of CloudCA and other CA …

…demo cases

Makefile_v1

@@ -377,18 +377,17 @@ get_Insta_crls: | creds/crls
 
 # demo #########################################################################
 
-ifneq ($(INSTA),)
-    CA_SECTION=Insta
-    OCSP_CHECK= #$(OPENSSL) ocsp -url "ldap://www.certificate.fi:389/CN=Insta Demo CA,O=Insta Demo,C=FI?caCertificate" -CAfile creds/trusted/InstaDemoCA.crt -issuer creds/trusted/InstaDemoCA.crt -cert creds/operational.crt
+ifeq ($(CA_SECTION),Insta)
     override EXTRA_OPTS += -path pkix/ -newkeytype rsa:1024
-endif
-ifneq ($(CLOUDCA),)
-    CA_SECTION=CloudCA
+    CRL_SECTION=crls
+    OCSP_CHECK= #$(OPENSSL) ocsp -url "ldap://www.certificate.fi:389/CN=Insta Demo CA,O=Insta Demo,C=FI?caCertificate" -CAfile creds/trusted/InstaDemoCA.crt -issuer creds/trusted/InstaDemoCA.crt -cert creds/operational.crt
+else ifeq ($(CA_SECTION),CloudCA)
+    CRL_SECTION= # no crl-based checks
     OCSP_CHECK=
-    override EXTRA_OPTS += -path /.well-known/cmp -subject /CN=DI-Integration-Test-User
-endif
-ifeq ($(INSTA)$(CLOUDCA),)
+    override EXTRA_OPTS += -path /.well-known/cmp -reqexts empty -subject /CN=DI-Integration-Test-User
+else
     CA_SECTION=EJBCA
+    CRL_SECTION=crls
     OCSP_CHECK=$(OPENSSL) ocsp -url $(EJBCA_OCSP_URL) \
         -CAfile $(EJBCA_CMP_TRUSTED) -issuer $(EJBCA_CMP_ISSUER) \
         -cert creds/operational.crt
@@ -401,32 +400,28 @@ endif
 .phony: demo demo_Insta demo_EJBCA demo_CloudCA
 demo: demo_Insta
 demo_Insta: get_Insta_crls
-	$(MAKE) -f Makefile_v1 run_demo BIN_DIR="$(BIN_DIR)" INSTA="using Insta" SLEEP="sleep 1"
-	# for Insta, sleep 1 helps avoid ERROR: server response error : Code=503,Reason=Service Unavailable
+	$(MAKE) -f Makefile_v1 run_demo BIN_DIR="$(BIN_DIR)" CA_SECTION="Insta" SLEEP="sleep 1"
+        # for Insta, sleep 1 helps avoid ERROR: server response error : Code=503,Reason=Service Unavailable
 demo_CloudCA:
-	$(MAKE) -f Makefile_v1 run_demo BIN_DIR="$(BIN_DIR)" CLOUDCA="using CloudCA Connector"
+	$(MAKE) -f Makefile_v1 run_demo BIN_DIR="$(BIN_DIR)" CA_SECTION="CloudCA"
 demo_EJBCA: start_EJBCA get_EJBCA_crls run_demo stop_EJBCA
 
 CMPCLIENT=$(SET_PROXY) $(DY)LD_LIBRARY_PATH="$(OUT_DIR):$(OPENSSL_LIB):$(SECUTILS_DIR):$(LIBCMP_DIR)" $(OUT_DIR_BIN)
 GENERATE_OPERATIONAL=$(OPENSSL) x509 -in creds/operational.crt -x509toreq -signkey creds/operational.pem -out creds/operational.csr -passin pass:12345 2>/dev/null
 .phony: run_demo
 run_demo: $(OUT_DIR_BIN)
 	@which $(OPENSSL) >/dev/null || (echo "cannot find $(OPENSSL), please install it"; false)
-	@/bin/echo -e "\n##### running cmpClient demo $(INSTA)$(CLOUDCA) #####\n"
+	@/bin/echo -e "\n##### running cmpClient demo using $(CA_SECTION) #####\n"
 	$(CMPCLIENT) imprint -section $(CA_SECTION) $(EXTRA_OPTS)
 	@/bin/echo -e "\nValidating own CMP client cert"
-    ifeq ($(INSTA)$(CLOUDCA),)
-		$(CMPCLIENT) validate -section EJBCA -cert $(EJBCA_CMP_CLIENT) -tls_cert "" -own_trusted $(EJBCA_CMP_TRUSTED),$(EJBCA_TRUSTED) -untrusted $(EJBCA_UNTRUSTED)
+    ifeq ($(CA_SECTION),EJBCA)
+	$(CMPCLIENT) validate -section $(CA_SECTION),$(CRL_SECTION) -cert $(EJBCA_CMP_CLIENT) -tls_cert "" -own_trusted $(EJBCA_CMP_TRUSTED),$(EJBCA_TRUSTED) -untrusted $(EJBCA_UNTRUSTED)
         ifneq ($(EJBCA_TLS_HOST),)
-			@/bin/echo -e "\nValidating own TLS client cert"
-			$(CMPCLIENT) validate -section validate -tls_cert $(EJBCA_TLS_CLIENT) -tls_trusted $(EJBCA_TRUSTED) -untrusted $(EJBCA_UNTRUSTED)
+	    @/bin/echo -e "\nValidating own TLS client cert"
+	    $(CMPCLIENT) validate -section $(CA_SECTION),$(CRL_SECTION) -tls_cert $(EJBCA_TLS_CLIENT) -tls_trusted $(EJBCA_TRUSTED) -untrusted $(EJBCA_UNTRUSTED) -no_check_time
         endif
     else
-        ifneq ($(INSTA),)
-			$(CMPCLIENT) validate -section Insta -tls_cert "" -cert creds/manufacturer.crt -own_trusted creds/trusted/InstaDemoCA.crt # -no_check_time
-        else
-			$(CMPCLIENT) validate -section CloudCA -tls_cert "" -cert creds/manufacturer.crt -own_trusted creds/trusted/CloudCA_Root.crt -untrusted creds/extracerts.pem
-        endif
+	$(CMPCLIENT) validate -section $(CA_SECTION),$(CRL_SECTION) -tls_cert "" -cert creds/manufacturer.crt -untrusted creds/extracerts.pem # -no_check_time
     endif
 	@echo
 	$(CMPCLIENT) bootstrap -section $(CA_SECTION) $(EXTRA_OPTS) $(BOOTSTRAP_CREDS)
@@ -448,13 +443,13 @@ run_demo: $(OUT_DIR_BIN)
 	$(CMPCLIENT) revoke -section $(CA_SECTION) $(EXTRA_OPTS)
 	@echo :
 	$(OCSP_CHECK)
-    ifneq ($(INSTA),)
-		@echo
-		@$(SLEEP)
-		$(CMPCLIENT) genm -section $(CA_SECTION) $(EXTRA_OPTS)
-		@echo :
+    ifeq ($(CA_SECTION),Insta)
+	@echo
+	@$(SLEEP)
+	$(CMPCLIENT) genm -section $(CA_SECTION) $(EXTRA_OPTS)
+	@echo :
     endif
-	@echo -e "\n#### finished demo $(INSTA)$(CLOUDCA) ####"
+	@echo -e "\n#### finished demo using $(CA_SECTION) ####"
 	@echo :
 
 # tests ########################################################################
@@ -564,10 +559,10 @@ tests_LwCmp: $(OUT_DIR_BIN)
 
 test_all: demo_EJBCA test test_Mock tests_LwCmp
 ifneq ($(TEST_SIMPLE),)
-	test_all: test_Simple test_profile
+test_all: test_Simple test_profile
 endif
 ifneq ($(TEST_INSTA),)
-	test_all: test_Insta
+test_all: test_Insta
 endif
 
 test: clean build_no_tls

config/demo.cnf

@@ -87,6 +87,7 @@ server = ${ENV::EJBCA_HOST}:${ENV::EJBCA_HTTP_PORT}
 tls_used = 0
 
 [no-certstatus]
+check_all = 0
 crls =
 use_cdp = 0
 cdps =
@@ -118,6 +119,7 @@ out_trusted = creds/trusted/ENROLL_Root.pem
 
 [Insta]
 server = pki.certificate.fi:8700/pkix/
+# path = pkix/ # gets overridden by Makefile_v1
 secret = pass:insta
 ref = 3078
 #would need to be updated every 3 months:
@@ -133,6 +135,7 @@ cacert = creds/trusted/InstaDemoCA.crt
 trusted = $cacert
 crls = creds/crls/InstaDemoCA.crl
 out_trusted = $cacert
+own_trusted = $cacert
 
 tls_used = 0
 #tls_trusted = $cacert
@@ -143,7 +146,7 @@ tls_used = 0
 [CloudCA]
 # Server
 server = broker.sdo-qa.siemens.cloud:443
-path = /.well-known/cmp
+# path = /.well-known/cmp # gets overridden by Makefile_v1
 tls_used = 1
 tls_trusted = creds/trusted/DigicertGlobalRootG2.crt
 
@@ -152,6 +155,7 @@ recipient = /CN=CloudPKI-Integration-Test
 cacert = creds/trusted/CloudCA_Root.crt
 trusted = $cacert
 out_trusted = $cacert
+own_trusted = $cacert
 
 # User in tenant
 ref = /CN=DI-Integration-Test-User
@@ -237,11 +241,12 @@ infotype = signKeyPairTypes # default
 [validate]
 keypass = pass:12345
 tls_keypass = $keypass
-#check_all = 1
 use_aia = 0
-#use_cdp = 1
 crl_cache_dir = creds/crls/
 verbosity = 6
+[crls]
+check_all = 1
+use_cdp = 1
 
 [empty]
 #keyUsage =
@@ -252,7 +257,7 @@ verbosity = 6
 #basicConstraints = CA:FASE
 keyUsage = "critical, digitalSignature" # is ignored by EJBCA
 extendedKeyUsage = "critical, serverAuth, 1.3.6.1.5.5.7.3.2" # is ignored by EJBCA
-#subjectAltName = @alt_names
+subjectAltName = @alt_names
 
 [alt_names]
 DNS.0 = localhost