build.adoc

Back to Manual

Build

Prerequisites

Component	Version	Notes
C Compiler	TBD	Ubuntu 19.x - Consider using sudo apt-get install build-essential
OpenSSL	1.1.1 (or higher)	Ubuntu 19.x - Consider using sudo apt-get install libssl-dev
CMake	3.12 (or higher)	Ubuntu 19.x - Consider using sudo apt-get install cmake
cURL	7.65 (or higher)	Ubuntu 19.x - Consider using sudo apt-get install libcurl4-openssl-dev
zLib	1.2.11 (or higher)	Ubuntu 19.x - Consider using sudo apt install zlib1g-dev
cMocka	1.1	https://cmocka.org/ Ubuntu 19.x - Consider using sudo apt-get install libcmocka-dev
mbedTLS	Optional	Ubuntu 19.x - Consider using sudo apt-get install -y libmbedtls-dev cURL has to be compiled with mbedTLS. Please see - https://tls.mbed.org/kb/how-to/compile-curl-with-mbedtls
Valgrind	Optional	Ubuntu 18.x - Consider using sudo apt-get install -y valgrind

Build types

The project supports following build configurations (to be used as an argument for option -DCMAKE_BUILD_TYPE=):

• Release - build project with compiler optimization and without debug information

• Debug - build project with debug information

• asan - build with Address Sanitizer features for real-time address checking

• lsan - build with Address Sanitizer features for real-time memory leaks checking

• ubsan - build with Address Sanitizer features for real-time checking for undefined behavior

The default build type is Debug.

Examples

Cmake can be run from any directory, it requires only a path (relative or absolute) to the source directory and makes a build directory with all executables where it runs.

With OpenSSL & Tests & Valgrind ready & Debug configuration

mkdir -p Debug
cd Debug
cmake .. -DENABLE_CMAKE_VERBOSE_MAKEFILE=ON -DENABLE_CMOCKA=OFF -DENABLE_MBEDTLS=OFF -DENABLE_TESTS=ON -DCMAKE_BUILD_TYPE=Debug

With mbedTLS & Tests & ASAN configuration

mkdir -p asan
cd asan
cmake .. -DENABLE_CMAKE_VERBOSE_MAKEFILE=ON -DENABLE_CMOCKA=OFF -DENABLE_MBEDTLS=ON -DENABLE_TESTS=ON -DCMAKE_BUILD_TYPE=asan

From the build directory (if -DENABLE_TESTS=ON)

1. Type in cmake --build . --target clean or make clean

2. Type in cmake --build . or make

3. Type in ./certifierTests to run the unit tests

Now, run the functional test below. This script will attempt to read the device attestation certificate (seed.p12), create an X509 token from it (for authentication), and make an HTTPS call to certifier to creates a PKCS12 file. The resulting PKCS12 file will contain a public/private keypair and X509 certificate chain.

./test-fetch-cert.sh seed.p12 changeit . If successful, there should be an output.p12 file in your current directory.

Build Options

Name	Default Value	Description
ENABLE_MBEDTLS	OFF	Enables mbedTLS as the crypto provider. Otherwise, OpenSSL is the default.
ENABLE_TESTS	OFF	Build unit tests (requires CMocka or Unit to be used)
ENABLE_CMOCKA	OFF	Unit testing framework to use. If OFF, Unit (self-contained is used)
ENABLE_CMAKE_VERBOSE_MAKEFILE	OFF	Enable verbose nakefiles for debugging

Sanitizers

Address Sanitizer works in runtime always if CMAKE_BUILD_TYPE=asan is chosen. Similar for Leakage Sanitizer (lsan) and Undefined Behavior sanitizer (ubsan). Normally Sanitizer produces list of errors after the program finishes, but all these errors have been fixed and there are no messages after that. Remember that project built with CMAKE_BUILD_TYPE=asan fails Valgrind tests invoked with the command ctest -T memcheck.

Valgrind

Valgrind checks can be run on any tests added to CMakeLists.txt and runnable with ctest by the command

ctest -T memcheck

MacOS

Building/running on MacOS is a bit tricky.

OpenSSL 1.1.1f

If you already have openssl version 1.1.1 or higher, you can skip this section.

It’s recommended to manually compile and install OpenSSL on MacOS. Here’s example instructions:

Step 1 - Get the source code for OpenSSL 1.1.1f -

cd ~
curl --remote-name https://www.openssl.org/source/openssl-1.1.1f.tar.gz

Step 2 - Extract the archive and move into the folder -

tar -xzvf openssl-1.1.1f.tar.gz
cd openssl-1.1.1f

Step 3 - Configure, compile and install into /usr/local/mac-dev-env/openssl-1.1.1f

./Configure darwin64-x86_64-cc shared enable-deprecated enable-ec_nistp_64_gcc_128 no-ssl2 no-ssl3 no-comp --prefix=/usr/local/mac-dev-env/openssl-1.1.1f --openssldir=/usr/local/mac-dev-env/openssl-1.1.1f --api=1.0.0
make depend
make
sudo make install

Notice that the enable-deprecated flag is enabled. There are still places in our code, openssl.c, where older APIs in 1.0.x were used. These have been deprecated in OpenSSL 1.1.1.

Step 5 - OpenSSL should be installed.

cURL 7.69.1

If you already have curl version 7.69.1 or higher, you can skip this section.

Just like OpenSSL, it’s recommended to manually compile and install cURL on MacOS.

Step 1 - Get the source code for cURL 7.69.1 -

cd ~
curl --remote-name https://curl.haxx.se/download/curl-7.69.1.tar.gz

Step 2 - Extract the archive and move into the folder -

tar -xzvf curl-7.69.1.tar.gz
cd curl-7.69.1

Step 3 - Configure, compile and install into /usr/local/mac-dev-env/curl-7.69.1

./configure --with-darwinssl --prefix=/usr/local/mac-dev-env/curl-7.69.1
make
sudo make install

Notice the --with-darwinssl flag. This uses MacOS’s built-in OpenSSL version and not the one we just built.

If you have OpenSSL installed somewhere else (for example, /opt/OpenSSL) and you have pkg-config installed, set the pkg-config path first, like this:

env PKG_CONFIG_PATH=/opt/OpenSSL/lib/pkgconfig ./configure --with-ssl

Without pkg-config installed, use this:

./configure --with-ssl=/opt/OpenSSL

Step 5 - Now cURL should be installed.

Step 6 - Type the following command to see build output as shown below. Make sure the output successfully finds openssl, curl and zlib.

cmake .
-- Found OpenSSL: /usr/local/lib/libcrypto.dylib (found suitable version "1.1.1f", minimum required is "1.1.1")
-- Found ZLIB: /usr/lib/libz.dylib (found suitable version "1.2.11", minimum required is "1.2.11")
-- Found CURL: /usr/lib/libcurl.dylib (found suitable version "7.64.1", minimum required is "7.60")
-- Performing Test HAS_SSP
-- Performing Test HAS_SSP - Success
-- Stack smashing protection enabled
-- AddressSanitizer enabled (debug builds)
-- buildType:
-- extra cflags:  -Wall  -std=c99 -fstack-protector-strong --param=ssp-buffer-size=4 -g -fsanitize=address,undefined
-- Configuring done
-- Generating done
-- Build files have been written to: /Users/ahaque201/Github/libcertifier

If the steps above fail, you can create a file, called build.sh with the following contents -

#!/bin/bash
export CC=/usr/bin/clang
export OPENSSL_ROOT_DIR=/usr/local/mac-dev-env/openssl-1.1.1f
export CURL_ROOT_DIR=/usr/local/mac-dev-env/curl-7.69.1
export CFLAGS='-DOPENSSL_API_COMPAT=0x10000000L'
export CURL_INCLUDE_DIR=${CURL_ROOT_DIR}/include
export CURL_LIBRARY_RELEASE=${CURL_ROOT_DIR}/lib/libcurl.dylib
cmake . -DENABLE_MBEDTLS=OFF -DENABLE_CMAKE_VERBOSE_MAKEFILE=ON -DENABLE_CMOCKA=OFF -DENABLE_TESTS=ON -DOPENSSL_ROOT_DIR=${OPENSSL_ROOT_DIR} -DOPENSSL_INCLUDE_DIR=${OPENSSL_ROOT_DIR}/include -DCURL_INCLUDE_DIR=${CURL_INCLUDE_DIR} -DCURL_LIBRARY_RELEASE=${CURL_LIBRARY_RELEASE}

Please make sure the file is marked as executable chmod 755 ./build.sh.

Reference -

https://github.com/Kitware/CMake/blob/300979e7889b34d61803675c560fe450c7404447/Modules/FindOpenSSL.cmake

https://github.com/Kitware/CMake/blob/300979e7889b34d61803675c560fe450c7404447/Modules/FindCURL.cmake

Then you can run it via ./build.sh and then

make clean

followed by -

make

If you get symbols that cannot be referenced, it’s most likely because something else is defined as in implicit include directory (like an older version of OpenSSL), such as /opt/local/include/openssl/ so please be sure that the older OpenSSL include files do not exist.

cURL (alternative)

An alternative to building cURL is running the following -

brew install curl-openssl

mbedTLS

mbedTLS is more straightforward.

You could use brew install mbedtls to install.