add support for ML-DSA-* etc., various small fixes; OpenSSL 4.0 compat by DDvO · Pull Request #119 · siemens/gencmpclient

DDvO · 2026-04-24T13:07:41Z

usage examples:

./cmpClient imprint -section EJBCA -newkeytype "ML-DSA-65"
~~./cmpClient imprint -section EJBCA -newkey "tpm2:handle=0x81000001"~~

On this occasion also:

various other small fixes and adaptations for OpenSSL 4.0 compatibility
fixes regarding the -tls_host option and SNI and related documentation
fixes on genericCMPClient_util.{c,h}
tweaks of demo_EJBCA
align 80-test_cmp_http.t with latest upstream OpenSSL version of that script, fixing CI hangs for OpenSSL 3.6+

Copilot

Pull request overview

Adds support needed for newer key types (ML-DSA) and TPM2 handle-referenced keys in the cmpClient workflow by updating how new keys are created and slightly adjusting OpenSSL library detection behavior in the legacy Makefile.

Changes:

Switch key generation to KEY_new_ex(..., libctx) to support provider-/libctx-aware algorithms (e.g., ML-DSA) and non-file key references.
Adjust Makefile_v1 behavior when libcrypto cannot be found by disabling a previously-run diagnostic fallback call.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
src/cmpClient.c	Uses `KEY_new_ex()` with the app libctx when generating a new key for enrollment flows.
Makefile_v1	Removes (comments out) a fallback call that previously re-ran OpenSSL lib detection to emit diagnostics before failing.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot

Pull request overview

Copilot reviewed 12 out of 13 changed files in this pull request and generated 6 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot

Pull request overview

Copilot reviewed 16 out of 19 changed files in this pull request and generated 8 comments.

Copilot

Pull request overview

Copilot reviewed 21 out of 25 changed files in this pull request and generated 5 comments.

Copilot

Pull request overview

Copilot reviewed 23 out of 27 changed files in this pull request and generated 6 comments.

…ator (did you mean TAB instead of 8 spaces?).

…nce OpenSSL 4.0

…s, removing 3.1 .. 3.3 and adding 4.0

…QC credential creation, and 'make' steps

… 'bool maybe_stdin'

…t script

…defunct

…ions

…ts what to do when not using it

…tions

…iltering of key/signature hex strings

…D for verifying own TLS client cert

…TLS.p12 and use that

…_server-docker-cn.txt, add EJBCA_TLS_SERVCER_CERTS

…_add_nconf_sk() makes empty exts NULL since OpenSSL 4.0

…nt on OpenSSL version or libcmp use

… for local host if -tls_host not given

…st part, not any given -tls_host

…scheme() using it

…orithms

sonarqubecloud · 2026-06-15T13:55:16Z

Quality Gate failed

Failed conditions
1 Security Hotspot
26.0% Coverage on New Code (required ≥ 80%)
12.2% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

DDvO added the enhancement New feature or request label Apr 24, 2026

DDvO requested a review from Copilot April 27, 2026 06:57

Copilot started reviewing on behalf of DDvO April 27, 2026 06:57 View session

Copilot AI reviewed Apr 27, 2026

View reviewed changes

Comment thread Makefile_v1 Outdated

Comment thread src/cmpClient.c Outdated

Comment thread src/cmpClient.c Outdated

DDvO force-pushed the extend_KEY_new branch 3 times, most recently from 23d630d to 6faf9b2 Compare April 29, 2026 09:22

DDvO requested a review from Copilot April 29, 2026 09:24

Copilot started reviewing on behalf of DDvO April 29, 2026 09:25 View session

DDvO changed the title ~~add support for ML-DSA and TPM2-held keys referenced via handle~~ add support for ML-DSA and TPM2-held keys referenced via handle; OpenSSL 4.0 compat Apr 29, 2026

Copilot AI reviewed Apr 29, 2026

View reviewed changes

Comment thread src/cmpClient.c Outdated

Comment thread src/cmpClient.c

Comment thread doc/cmpClient.pod Outdated

Comment thread doc/cmpClient.pod Outdated

Comment thread doc/cmpClient.pod Outdated

Comment thread README.md Outdated

DDvO force-pushed the extend_KEY_new branch 3 times, most recently from aa867cb to a6dec70 Compare April 29, 2026 12:57

DDvO force-pushed the extend_KEY_new branch 2 times, most recently from ccf639a to 62cb823 Compare May 11, 2026 17:35

DDvO requested a review from Copilot May 11, 2026 17:36

Copilot started reviewing on behalf of DDvO May 11, 2026 17:37 View session

Copilot AI reviewed May 11, 2026

View reviewed changes

DDvO force-pushed the extend_KEY_new branch from 62cb823 to 17a20ea Compare May 15, 2026 07:45

DDvO requested a review from Copilot May 15, 2026 08:17

Copilot started reviewing on behalf of DDvO May 15, 2026 08:17 View session

Copilot AI reviewed May 15, 2026

View reviewed changes

Comment thread src/credential_loading.c Outdated

Comment thread src/credential_loading.c Outdated

Comment thread Makefile_v1 Outdated

Comment thread src/cmpClient.c

Comment thread src/genericCMPClient.c

DDvO force-pushed the extend_KEY_new branch from 17a20ea to 7929f4d Compare May 15, 2026 22:13

DDvO requested a review from Copilot May 15, 2026 22:13

Copilot started reviewing on behalf of DDvO May 15, 2026 22:14 View session

github-advanced-security AI found potential problems May 15, 2026

View reviewed changes

Comment thread creds/docker/Docker_Playground_CMP.pem Fixed

Comment thread creds/docker/Docker_Playground_TLS.pem Fixed

Copilot AI reviewed May 15, 2026

View reviewed changes

Comment thread src/genericCMPClient_util.c Outdated

Comment thread src/genericCMPClient.c

Comment thread src/credential_loading.c Outdated

Comment thread src/credential_loading.c Outdated

Comment thread src/credential_loading.c

Comment thread src/cmpClient.c

DDvO force-pushed the extend_KEY_new branch 2 times, most recently from 2ca5abf to 374def0 Compare May 15, 2026 22:25

DDvO force-pushed the extend_KEY_new branch 2 times, most recently from 1b7f2db to e0c7be6 Compare June 15, 2026 13:46

DDvO added 26 commits June 15, 2026 15:52

Makefile_v1: prevent strange error Makefile_v1:20t: *** missing separ…

95f0041

…ator (did you mean TAB instead of 8 spaces?).

OpenSSL_version.mk: fix tab -> spaces in one line

a7407a6

cmpClient.c: replace use of X509_NAME_get_text_by_NID() deprecated si…

e60384e

…nce OpenSSL 4.0

cmpossl: fixes for OpenSSL 4.0 compatibility and small other fixes

9d1daf2

.github/workflows/OpenSSL_versions.yml: update active OpenSSL version…

6d120de

…s, removing 3.1 .. 3.3 and adding 4.0

.github/workflows/OpenSSL_versions.yml: clean up 'cmake', Mock test P…

757848b

…QC credential creation, and 'make' steps

credential_loading.{c,h}: consistently use 'file_format_t format' and…

952bc64

… 'bool maybe_stdin'

80-test_cmp_http.t: align with latest upstream OpenSSL version of tha…

c453621

…t script

80-test_cmp_http.t: drop special cases for Insta Demo CA since it is …

99b5c64

…defunct

80-test_cmp_http.t,test_certstatus.csv: (re-)enable certstatus aspect

23dbc68

80-test_cmp_http.t: fix Perl code according to Copilot review suggest…

01258f0

…ions

README.md: make more clear that using git is not required, adding hin…

addf1a0

…ts what to do when not using it

Makefile_src,CMakeLists.txt: align and strengthen compiler warning op…

2326b8b

…tions

Makefile_v1: fix duplicate display of creds/operational.crt and the f…

7342a96

…iltering of key/signature hex strings

config/EJBCA.env: add creds/docker/TLS_ROOTCA.pem to EJBCA_TLS_TRUSTE…

586e0fc

…D for verifying own TLS client cert

config/EJBCA.env,creds/docker/: add PEM variant of Docker_Playground_…

ecde126

…TLS.p12 and use that

creds/docker/: add PEM variant of Docker_Playground_CMP.p12

b51ddc1

config/EJBCA.env,Makefile_v1/: rename TLS_ROOTCA-docker-cn.txt to TLS…

adb8643

…_server-docker-cn.txt, add EJBCA_TLS_SERVCER_CERTS

cmpClient.c: adapt (and rename) setup_X509_extensions() as X509V3_EXT…

b05b86b

…_add_nconf_sk() makes empty exts NULL since OpenSSL 4.0

cmpClient.c: fix usability of -nonmatched_error_nonces option depende…

25c452a

…nt on OpenSSL version or libcmp use

cmpClient.c,CMPclient_setup_HTTP(): make sure to skip host name check…

104ff90

… for local host if -tls_host not given

CMPclient_setup_HTTP(),doc/: fix setting TLS SNI: use just -server ho…

36bd40e

…st part, not any given -tls_host

update doc/OpenSSL_CMP-and-generic_CMP_client_overview.pptx

c0bf119

genericCMPClient_util.{c,h}: improve CONN_IS_IP_ADDR()

bb4ce6d

genericCMPClient_util.{c,h}: add UTIL_SKIP_SCHEME() and improve skip_…

339e89d

…scheme() using it

cmpClient.c: add support for ML-DSA-* and potentially further PQC alg…

2f5e997

…orithms

DDvO force-pushed the extend_KEY_new branch from e0c7be6 to 2f5e997 Compare June 15, 2026 13:52

Conversation

DDvO commented Apr 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

sonarqubecloud Bot commented Jun 15, 2026

Quality Gate failed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

DDvO commented Apr 24, 2026 •

edited

Loading