124 lines
3.8 KiB
Diff
124 lines
3.8 KiB
Diff
|
From b38981c6e140ada6dd34bc817c508e8dd9714494 Mon Sep 17 00:00:00 2001
|
||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||
|
Date: Fri, 9 Jul 2021 20:49:28 +0000
|
||
|
Subject: [PATCH] Add SCEP config option to treat the challenge password as an
|
||
|
OTP
|
||
|
|
||
|
SCEP RFC 8894 specifies that a challenge password SHOULD be
|
||
|
removed from subsequent requests but that it MAY be included.
|
||
|
|
||
|
This adds a new configuration option to treat the challenge password
|
||
|
as a one-time password (OTP) so that it will not be sent on
|
||
|
subsequent requests, like renewals, by removing it completely
|
||
|
from the tracking request.
|
||
|
|
||
|
This allows certmonger to be able to renew AD-issued SCEP certificates
|
||
|
if the AD registry entry DisableRenewalSubjectNameMatch is set to 1.
|
||
|
|
||
|
https://bugzilla.redhat.com/show_bug.cgi?id=1577570
|
||
|
|
||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||
|
---
|
||
|
src/certmonger.conf.5.in | 9 +++++++++
|
||
|
src/certsave.c | 13 +++++++++++++
|
||
|
src/prefs.c | 15 +++++++++++++++
|
||
|
src/prefs.h | 4 ++++
|
||
|
4 files changed, 41 insertions(+)
|
||
|
|
||
|
diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in
|
||
|
index 6a42d3cb..1b941b9d 100644
|
||
|
--- a/src/certmonger.conf.5.in
|
||
|
+++ b/src/certmonger.conf.5.in
|
||
|
@@ -126,6 +126,15 @@ If not set, the value of the \fIvalidity_period\fR setting from the
|
||
|
\fIselfsign\fR section, if one is set there, will be used. The default value
|
||
|
is \fI@CM_DEFAULT_CERT_LIFETIME@\fR.
|
||
|
|
||
|
+.SH SCEP
|
||
|
+Within the \fIscep\fR section, these variables and values are recognized:
|
||
|
+
|
||
|
+.IP challenge_password_otp
|
||
|
+This controls whether the SCEP challenge password is treated as a one-time
|
||
|
+password. If set to yes then the challenge password and/or challenge password
|
||
|
+file will be removed from the tracking request after the first certificate
|
||
|
+issuance so will not be sent with renewal requests. The default is no.
|
||
|
+
|
||
|
.SH BUGS
|
||
|
Please file tickets for any that you find at https://fedorahosted.org/certmonger/
|
||
|
|
||
|
diff --git a/src/certsave.c b/src/certsave.c
|
||
|
index 6eaafe59..f8503662 100644
|
||
|
--- a/src/certsave.c
|
||
|
+++ b/src/certsave.c
|
||
|
@@ -18,12 +18,25 @@
|
||
|
#include "config.h"
|
||
|
#include "certsave.h"
|
||
|
#include "certsave-int.h"
|
||
|
+#include "prefs.h"
|
||
|
#include "store-int.h"
|
||
|
+#include "talloc.h"
|
||
|
|
||
|
/* Start writing the certificate from the entry to the configured location. */
|
||
|
struct cm_certsave_state *
|
||
|
cm_certsave_start(struct cm_store_entry *entry)
|
||
|
{
|
||
|
+ /* If saving a SCEP certificate wipe out the challenge password */
|
||
|
+ if ((cm_prefs_scep_password_otp()) &&
|
||
|
+ (entry->cm_template_challenge_password != NULL) &&
|
||
|
+ (entry->cm_scep_nonce != NULL))
|
||
|
+ {
|
||
|
+ talloc_free(entry->cm_template_challenge_password);
|
||
|
+ entry->cm_template_challenge_password = NULL;
|
||
|
+ talloc_free(entry->cm_template_challenge_password_file);
|
||
|
+ entry->cm_template_challenge_password_file = NULL;
|
||
|
+ }
|
||
|
+
|
||
|
switch (entry->cm_cert_storage_type) {
|
||
|
#ifdef HAVE_OPENSSL
|
||
|
case cm_cert_storage_file:
|
||
|
diff --git a/src/prefs.c b/src/prefs.c
|
||
|
index 669e8f1f..52ffc908 100644
|
||
|
--- a/src/prefs.c
|
||
|
+++ b/src/prefs.c
|
||
|
@@ -595,3 +595,18 @@ prefs_max_key_use_count(void)
|
||
|
}
|
||
|
return count;
|
||
|
}
|
||
|
+
|
||
|
+int
|
||
|
+cm_prefs_scep_password_otp(void)
|
||
|
+{
|
||
|
+ static int populate = -1;
|
||
|
+ if (populate == -1) {
|
||
|
+ const char *val;
|
||
|
+ val = cm_prefs_config("scep", "challenge_password_otp");
|
||
|
+ if (val == NULL) {
|
||
|
+ val = "no";
|
||
|
+ }
|
||
|
+ populate = cm_prefs_yesno(val);
|
||
|
+ }
|
||
|
+ return populate != -1 ? populate : 0;
|
||
|
+}
|
||
|
diff --git a/src/prefs.h b/src/prefs.h
|
||
|
index 248e1016..a107fb6c 100644
|
||
|
--- a/src/prefs.h
|
||
|
+++ b/src/prefs.h
|
||
|
@@ -18,6 +18,8 @@
|
||
|
#ifndef cmprefs_h
|
||
|
#define cmprefs_h
|
||
|
|
||
|
+#include <time.h>
|
||
|
+
|
||
|
enum cm_prefs_cipher {
|
||
|
cm_prefs_aes128,
|
||
|
cm_prefs_aes192,
|
||
|
@@ -73,4 +75,6 @@ const char *cm_prefs_dogtag_sslpinfile(void);
|
||
|
long long prefs_key_end_of_life(time_t ref);
|
||
|
long prefs_max_key_use_count(void);
|
||
|
|
||
|
+int cm_prefs_scep_password_otp(void);
|
||
|
+
|
||
|
#endif
|
||
|
--
|
||
|
2.31.1
|
||
|
|