0.79.14-6

- Certificate format validation when adding the SCEP server's CA
  (#1492112)
- Replace some SHA1 usages with SHA256 in the unit tests needed
  becaus of OpenSSL 3 update

Resolves: #1492112
This commit is contained in:
Rob Crittenden 2022-03-17 16:13:46 -04:00
parent ea4ff2c97f
commit 010cc6087f
4 changed files with 788 additions and 1 deletions

View File

@ -0,0 +1,702 @@
From f636d0f64fbcb978b06afe9f9576678afcee01c0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 4 Nov 2021 13:51:31 -0400
Subject: [PATCH] Add a PEM validity checker and validate SCEP CA files
If a non-PEM file was passed into add-scep-ca it would
accept it without question but later fail with:
status: CA_UNREACHABLE
ca-error: Error: failed to verify signature on server response.
Try to do basic validation of user-provided PEM files by:
- stripping BEGIN/END headers
- removing newlines and carriage returns
- using OpenSSL EVP library to base64 decode the block
This isn't fool-proof but it at least does some basic
sanity checking to ensure the file(s) exist and appear
to be PEM files.
The unit tests use some Let's Encrypt CA certificates.
https://bugzilla.redhat.com/show_bug.cgi?id=1492112
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/Makefile.am | 2 +-
src/getcert-add-scep-ca.1.in | 2 +
src/getcert.c | 39 ++++-
src/util-o.c | 144 ++++++++++++++++++
src/util-o.h | 7 +
tests/040-pem/bad.empty | 0
.../bad.isrg-root-x1-cross-signed.der.b64 | 25 +++
tests/040-pem/expected.out | 7 +
.../good.isrg-root-x1-cross-signed.pem | 31 ++++
.../good.isrg-root-x1-cross-signed_cr.pem | 31 ++++
tests/040-pem/good.lets_encrypt_chain.pem | 93 +++++++++++
tests/040-pem/run.sh | 21 +++
tests/Makefile.am | 8 +-
tests/tools/Makefile.am | 3 +-
tests/tools/pem.c | 69 +++++++++
15 files changed, 474 insertions(+), 8 deletions(-)
create mode 100644 tests/040-pem/bad.empty
create mode 100644 tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
create mode 100644 tests/040-pem/expected.out
create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed.pem
create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
create mode 100644 tests/040-pem/good.lets_encrypt_chain.pem
create mode 100755 tests/040-pem/run.sh
create mode 100644 tests/tools/pem.c
diff --git a/src/Makefile.am b/src/Makefile.am
index 53571c5..d8e0a2e 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -155,7 +155,7 @@ pkglibexecdir = $(libexecdir)/$(PACKAGE)
getcert_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(UUID_CFLAGS)
getcert_SOURCES = getcert.c tm.c tm.h
getcert_LDADD = libcm.a $(GETCERT_LIBS) $(KRB5_LIBS) $(NSS_LIBS) $(UUID_LIBS) \
- $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS)
+ $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS) $(OPENSSL_LIBS)
if WITH_IPA
bin_PROGRAMS += ipa-getcert
ipa_getcert_CFLAGS = $(getcert_CFLAGS)
diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
index c2751ed..901791e 100644
--- a/src/getcert-add-scep-ca.1.in
+++ b/src/getcert-add-scep-ca.1.in
@@ -14,6 +14,8 @@ helper. The \fIadd\-scep\-ca\fR command is more or less a wrapper for the
.SH OPTIONS
.TP
+All user\-provided certificate files must be in PEM format.
+.TP
\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
The nickname to give to this CA configuration. This same value can later be
passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and
diff --git a/src/getcert.c b/src/getcert.c
index 4afafcb..ddcb739 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -49,6 +49,7 @@
#include "submit-u.h"
#include "tdbus.h"
#include "tdbusm.h"
+#include "util-o.h"
#ifdef ENABLE_NLS
#include <libintl.h>
@@ -4544,15 +4545,16 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
int c, prefer_non_renewal = 0, verbose = 0;
dbus_bool_t b;
static DBusMessage *req, *rep;
+ const char *poptarg;
poptContext pctx;
struct poptOption popts[] = {
{"ca", 'c', POPT_ARG_STRING, &caname, 0, _("nickname to give to the new CA configuration"), HELP_TYPE_NAME},
{"url", 'u', POPT_ARG_STRING, &url, 0, _("location of SCEP server"), HELP_TYPE_URL},
{"id", 'i', POPT_ARG_STRING, &id, 0, _("CA identifier"), HELP_TYPE_ID},
- {"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},
- {"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},
- {"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
- {"signingca", 'N', POPT_ARG_STRING, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
+ {"ca-cert", 'R', POPT_ARG_STRING, NULL, 'R', _("file containing CA's certificate"), HELP_TYPE_FILENAME},
+ {"ra-cert", 'r', POPT_ARG_STRING, NULL, 'r', _("file containing RA's certificate"), HELP_TYPE_FILENAME},
+ {"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
+ {"signingca", 'N', POPT_ARG_STRING, NULL, 'N', _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},
{"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},
{"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},
@@ -4572,6 +4574,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
return 1;
}
while ((c = poptGetNextOpt(pctx)) > 0) {
+ poptarg = poptGetOptArg(pctx);
switch (c) {
case 's':
bus = cm_tdbus_session;
@@ -4586,6 +4589,34 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
poptPrintHelp(pctx, stdout, 0);
return 1;
break;
+ case 'R':
+ if (validate_pem(globals.tctx, poptarg) != 0) {
+ printf("The root certificate(s) in %s is not valid PEM\n", poptarg);
+ return 1;
+ }
+ root = talloc_strdup(globals.tctx, poptarg);
+ break;
+ case 'r':
+ if (validate_pem(globals.tctx, poptarg) != 0) {
+ printf("The RA certificate(s) in %s is not valid PEM\n", poptarg);
+ return 1;
+ }
+ racert = talloc_strdup(globals.tctx, poptarg);
+ break;
+ case 'I':
+ if (validate_pem(globals.tctx, poptarg) != 0) {
+ printf("The certificate(s) in %s is not valid PEM\n", poptarg);
+ return 1;
+ }
+ certs = talloc_strdup(globals.tctx, poptarg);
+ break;
+ case 'N':
+ if (validate_pem(globals.tctx, poptarg) != 0) {
+ printf("The certificate(s) in %s is not valid PEM\n", poptarg);
+ return 1;
+ }
+ signingca = talloc_strdup(globals.tctx, poptarg);
+ break;
}
}
if (c != -1) {
diff --git a/src/util-o.c b/src/util-o.c
index db45964..c05872c 100644
--- a/src/util-o.c
+++ b/src/util-o.c
@@ -598,3 +598,147 @@ util_private_EVP_PKEY_dup(EVP_PKEY *pkey)
{
return util_EVP_PKEY_dup(pkey, i2d_PrivateKey, d2i_PrivateKey);
}
+
+static unsigned char *
+decode_base64(const unsigned char *input, int length, int *outlength) {
+ int expected_len;
+ unsigned char *output;
+ int output_len;
+
+ expected_len = 3 * length / 4;
+ output = calloc(expected_len + 1, 1);
+ output_len = EVP_DecodeBlock(output, input, length);
+
+ if (output_len < 0) {
+ *outlength = -1;
+ free(output);
+ return NULL;
+ }
+ if (output_len % 3 != 0) {
+ *outlength = -1;
+ free(output);
+ return NULL;
+ }
+ if (expected_len != output_len) {
+ *outlength = -1;
+ free(output);
+ return NULL;
+ }
+ *outlength = output_len;
+ return output;
+}
+
+int
+validate_pem(void *parent, const char *path)
+{
+ char *p;
+ char *s = NULL, *sp, *sq;
+ int ret = 0;
+ FILE *fp;
+ struct stat st;
+ char *tmp1 = NULL;
+ unsigned char *tmp2 = NULL;
+ char *buffer;
+ int n, i, length;
+ int found = 0;
+
+ fp = fopen(path, "r");
+ if (fp == NULL) {
+ printf("Unable to open %s for reading: %s\n",
+ path, strerror(errno));
+ return -1;
+ }
+ if (fstat(fileno(fp), &st) == -1) {
+ printf("Error opening %s for reading: %s\n",
+ path, strerror(errno));
+ fclose(fp);
+ return -1;
+ }
+ if (st.st_size == 0) {
+ printf("%s is an empty file.\n", path);
+ fclose(fp);
+ return -1;
+ }
+
+ buffer = malloc(st.st_size + 1);
+ if (buffer == NULL) {
+ printf("Error allocating memory.\n");
+ fclose(fp);
+ return -1;
+ }
+
+ n = 0;
+ while (n < st.st_size) {
+ i = fread(buffer + n, 1, st.st_size - n, fp);
+ if (i <= 0) {
+ printf("Error reading %s: %s.\n",
+ path, strerror(errno));
+ fclose(fp);
+ ret = -1;
+ goto done;
+ }
+ n += i;
+ }
+ fclose(fp);
+ buffer[st.st_size] = '\0';
+ length = st.st_size;
+ s = malloc(length + 1);
+ if (s == NULL) {
+ printf("Error allocating memory.\n");
+ ret = -1;
+ goto done;
+ }
+ memcpy(s, buffer, length);
+ s[length] = '\0';
+ sp = s;
+ tmp1 = NULL;
+ tmp2 = NULL;
+ while ((sp = strstr(sp, "-----BEGIN")) != NULL) {
+ sq = strstr(sp, "-----END");
+ if (sq != NULL) {
+ found++;
+ sq += strcspn(sq, "\r\n");
+ sq += strspn(sq, "\r\n");
+
+ /* Strip down to pure base64 so no headers, new lines or cr */
+ tmp1 = strndup(sp, sq - sp);
+ p = strstr(tmp1, "-----BEGIN");
+ if (p != NULL) {
+ p += strcspn(p, "\n");
+ if (*p == '\n') {
+ p++;
+ }
+ memmove(tmp1, p, strlen(p) + 1);
+ }
+ p = strstr(tmp1, "\n-----END");
+ if (p != NULL) {
+ *p = '\0';
+ }
+ while ((p = strchr(tmp1, '\r')) != NULL) {
+ memmove(p, p + 1, strlen(p));
+ }
+ while ((p = strchr(tmp1, '\n')) != NULL) {
+ memmove(p, p + 1, strlen(p));
+ }
+ length = 0;
+ tmp2 = decode_base64((unsigned char *)tmp1, strlen(tmp1), &length);
+ if (length < 0) {
+ ret = -1;
+ goto done;
+ }
+ sp = sq;
+ }
+ }
+
+ if (found == 0) {
+ ret = -1;
+ }
+
+done:
+ free(buffer);
+ free(s);
+ free(tmp1);
+ free(tmp2);
+
+ return ret;
+}
diff --git a/src/util-o.h b/src/util-o.h
index 916777b..8550e07 100644
--- a/src/util-o.h
+++ b/src/util-o.h
@@ -16,6 +16,12 @@
*/
#ifndef utilo_h
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
#define utilo_h
struct cm_store_entry;
@@ -71,5 +77,6 @@ int util_X509_set1_version(X509 *x, ASN1_INTEGER *version);
void util_NETSCAPE_SPKI_set_sig_alg(NETSCAPE_SPKI *spki, const X509_ALGOR *sig_alg);
EVP_PKEY *util_public_EVP_PKEY_dup(EVP_PKEY *pkey);
EVP_PKEY *util_private_EVP_PKEY_dup(EVP_PKEY *pkey);
+int validate_pem(void *parent, const char *path);
#endif
diff --git a/tests/040-pem/bad.empty b/tests/040-pem/bad.empty
new file mode 100644
index 0000000..e69de29
diff --git a/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
new file mode 100644
index 0000000..f9d7e5b
--- /dev/null
+++ b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
@@ -0,0 +1,25 @@
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQK
+ExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4X
+DTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1owTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIElu
+dGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B4
+93XCov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpLwYqGcWlK
+ZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+DLtFJV4yAdLbaL9A4jXsD
+cCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/
+iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeY
+jzYIlefiN5YNNnWe+w5ysR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHdu
+Rze6zqxZXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4FQsD
+j43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBcSLeCO5imfWCKoqMp
+gsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2qlPRmP6zjzZN7IKw0KKP/32+IVQtQi
+0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TNDTwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB
+/zAOBgNVHQ8BAf8EBAMCAQYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBw
+cy5pZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsG
+AQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAv
+oC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYE
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oG
+rS+o44+/yQoDFVDC5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMr
+AdSW9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuGWCLKTVXk
+cGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9Ohe8Y4IWS6wY7bCkjCWDc
+RQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFCDfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr
+6GtPAQw4dy753ec5
diff --git a/tests/040-pem/expected.out b/tests/040-pem/expected.out
new file mode 100644
index 0000000..0459fd2
--- /dev/null
+++ b/tests/040-pem/expected.out
@@ -0,0 +1,7 @@
+OK
+OK
+OK
+got expected error with bad.empty
+got expected error with bad.isrg-root-x1-cross-signed.der
+got expected error with bad.notfound
+OK
diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed.pem b/tests/040-pem/good.isrg-root-x1-cross-signed.pem
new file mode 100644
index 0000000..239794a
--- /dev/null
+++ b/tests/040-pem/good.isrg-root-x1-cross-signed.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----
diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
new file mode 100644
index 0000000..239794a
--- /dev/null
+++ b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----
diff --git a/tests/040-pem/good.lets_encrypt_chain.pem b/tests/040-pem/good.lets_encrypt_chain.pem
new file mode 100644
index 0000000..29a16ff
--- /dev/null
+++ b/tests/040-pem/good.lets_encrypt_chain.pem
@@ -0,0 +1,93 @@
+-----BEGIN CERTIFICATE-----
+MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1
+WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX
+NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf
+89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl
+Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc
+Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz
+uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB
+AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU
+BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB
+FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo
+SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js
+LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF
+BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG
+AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD
+VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB
+ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx
+A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM
+UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2
+DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1
+eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu
+OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw
+p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY
+2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0
+ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR
+PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b
+rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----
diff --git a/tests/040-pem/run.sh b/tests/040-pem/run.sh
new file mode 100755
index 0000000..1d4d1f4
--- /dev/null
+++ b/tests/040-pem/run.sh
@@ -0,0 +1,21 @@
+#!/bin/bash -e
+
+cd "$tmpdir"
+cp -p "$srcdir"/040-pem/bad.* $tmpdir
+base64 -d < "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64 > "$tmpdir"/bad.isrg-root-x1-cross-signed.der
+rm -f "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64
+
+for good in "$srcdir"/040-pem/good.* ; do
+ if ! "$toolsdir"/pem "$good" ; then
+ exit 1
+ fi
+done
+for bad in "$tmpdir"/bad.* bad.notfound; do
+ if "$toolsdir"/pem "$bad" > /dev/null; then
+ echo unexpected success with `basename "$bad"`
+ exit 1
+ else
+ echo got expected error with `basename "$bad"`
+ fi
+done
+echo OK
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 013d34b..e20b6d8 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -132,6 +132,8 @@ CLEANFILES = \
038-ms-v2-template/actual.err \
039-fromfile/actual.out \
039-fromfile/actual.err
+ 040-pem/actual.out \
+ 040-pem/actual.err
EXTRA_DIST = \
run-tests.sh functions certmonger.conf tools/cachain.sh \
001-keyiread/run.sh \
@@ -353,7 +355,8 @@ EXTRA_DIST = \
038-ms-v2-template/expected.out \
038-ms-v2-template/extract-extdata.py \
038-ms-v2-template/run.sh \
- 039-fromfile/run.sh
+ 039-fromfile/run.sh \
+ 040-pem/run.sh
subdirs = \
001-keyiread \
@@ -388,7 +391,8 @@ subdirs = \
036-getcert \
037-rekey2 \
038-ms-v2-template \
- 039-fromfile
+ 039-fromfile \
+ 040-pem
if HAVE_DBM_NSSDB
subdirs += \
diff --git a/tests/tools/Makefile.am b/tests/tools/Makefile.am
index 53f658e..1a01ee6 100644
--- a/tests/tools/Makefile.am
+++ b/tests/tools/Makefile.am
@@ -16,7 +16,8 @@ endif
noinst_PROGRAMS = keyiread keygen csrgen submit certread certsave oid2name \
name2oid iterate prefs dates listnicks pem2base base2pem \
dparse payload checksig base64 cadata citerate casave hooks \
- libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile
+ libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile \
+ pem
noinst_LIBRARIES = libtools.a
if HAVE_OPENSSL
noinst_PROGRAMS += pk7parse pk7env scepgen pk7verify pk7decrypt
diff --git a/tests/tools/pem.c b/tests/tools/pem.c
new file mode 100644
index 0000000..4fdd4f4
--- /dev/null
+++ b/tests/tools/pem.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2021 Red Hat, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "../../src/config.h"
+
+#include <sys/types.h>
+#include <errno.h>
+#include <fcntl.h>
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <popt.h>
+
+#include <talloc.h>
+
+#include "../../src/util-o.h"
+
+int
+main(int argc, const char **argv)
+{
+ const char *filename;
+ void *parent;
+ int i, ret = 0;
+ poptContext pctx;
+ struct poptOption popts[] = {
+ POPT_AUTOHELP
+ POPT_TABLEEND
+ };
+
+ parent = talloc_new(NULL);
+ pctx = poptGetContext("pem", argc, argv, popts, 0);
+ while ((i = poptGetNextOpt(pctx)) > 0) {
+ continue;
+ }
+ if (i != -1) {
+ poptPrintUsage(pctx, stdout, 0);
+ return 1;
+ }
+ while ((filename = poptGetArg(pctx)) != NULL) {
+ if (validate_pem(parent, (char *)filename) == 0) {
+ printf("OK\n");
+ } else {
+ ret = 1;
+ }
+ }
+ talloc_free(parent);
+ poptFreeContext(pctx);
+ return ret;
+}
--
2.31.1

View File

@ -0,0 +1,31 @@
From 657c9ab79a00a2003f7c02c535418896cacc410a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 15 Nov 2021 09:58:40 -0500
Subject: [PATCH] =?UTF-8?q?Fix=20implicit=20declaration=20of=20function=20?=
=?UTF-8?q?=E2=80=98PEM=5Fread=5Fbio=5FX509=E2=80=99?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add an include for openssl/pem.h
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/submit-n.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/submit-n.c b/src/submit-n.c
index 3dcb820a..4f763a16 100644
--- a/src/submit-n.c
+++ b/src/submit-n.c
@@ -33,6 +33,7 @@
#include <openssl/pkcs7.h>
#include <openssl/stack.h>
#include <openssl/x509.h>
+#include <openssl/pem.h>
#include <cert.h>
#include <certdb.h>
--
2.31.1

View File

@ -0,0 +1,46 @@
From 2ef0a885962ecf558a8080b19652a5bd0c11c228 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 17 Mar 2022 15:44:00 -0400
Subject: [PATCH] Remove dependency on SHA-1
---
tests/033-scep/run.sh | 4 ++--
tests/tools/cachain.sh | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/033-scep/run.sh b/tests/033-scep/run.sh
index a36cd5a..baaa581 100755
--- a/tests/033-scep/run.sh
+++ b/tests/033-scep/run.sh
@@ -148,7 +148,7 @@ check_nonce
check_digest sha256
echo OK
echo "[gic, old trust root]"
-set_digest sha1
+set_digest sha256
$toolsdir/scepgen ca entry > scepdata
if test x`grep ^gic: scepdata | cut -f2- -d:` = x ; then
echo missing gic
@@ -158,7 +158,7 @@ check_verified
check_msgtype $SCEP_MSGTYPE_GETCERTINITIAL
check_txid
check_nonce
-check_digest sha1
+check_digest sha256
echo OK
echo "[req next, no trust root]"
if test x`grep ^req.next.: scepdata | cut -f2- -d:` = x ; then
diff --git a/tests/tools/cachain.sh b/tests/tools/cachain.sh
index 58f0c49..93aca9b 100755
--- a/tests/tools/cachain.sh
+++ b/tests/tools/cachain.sh
@@ -1,5 +1,5 @@
#!/bin/bash -e
-digest=sha1
+digest=sha256
keytype=rsa:1024
serial=12345678
cat > openssl.cnf << EOF
--
2.31.1

View File

@ -28,7 +28,7 @@
Name: certmonger Name: certmonger
Version: 0.79.14 Version: 0.79.14
Release: 5%{?dist} Release: 6%{?dist}
Summary: Certificate status monitor and PKI enrollment client Summary: Certificate status monitor and PKI enrollment client
License: GPLv3+ License: GPLv3+
@ -43,6 +43,9 @@ Patch0006: 0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch
Patch0007: 0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch Patch0007: 0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch
Patch0008: 0008-Use-implicit-empty-FALSE-for-extensions.patch Patch0008: 0008-Use-implicit-empty-FALSE-for-extensions.patch
Patch0009: 0009-Use-extensions-template-from-NSS.patch Patch0009: 0009-Use-extensions-template-from-NSS.patch
Patch0010: 0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch
Patch0011: 0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch
Patch0012: 0012-Remove-dependency-on-SHA-1.patch
BuildRequires: autoconf BuildRequires: autoconf
@ -273,6 +276,11 @@ exit 0
%endif %endif
%changelog %changelog
* Thu Mar 17 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.14-6
- Certificate format validation when adding the SCEP server's CA
(#1492112)
- Replace some SHA1 usages with SHA256 in the unit tests
* Thu Oct 07 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-5 * Thu Oct 07 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-5
- Certmonger SCEP renewal should not use old challenges (#1990926) - Certmonger SCEP renewal should not use old challenges (#1990926)
- Certmonger certificates stuck in NEED_GUIDANCE (#2001082) - Certmonger certificates stuck in NEED_GUIDANCE (#2001082)