check for errors from X509_REQ_to_X509()

- backport change from git to not choke if X509_REQ_to_X509() fails when we're self-signing using OpenSSL
2012-11-27 18:21:56 -05:00 · 2012-11-27 18:21:56 -05:00 · 04733941c2
commit 04733941c2
parent 7deadd699a
2 changed files with 105 additions and 1 deletions
--- a/certmonger-x509-req-to-x509.patch
+++ b/certmonger-x509-req-to-x509.patch
@ -0,0 +1,98 @@
+Backported from master.
+
+commit 254a4b852a7c4c3cec4e99a0ae485a497fe09760
+Author: Nalin Dahyabhai <nalin@redhat.com>
+Date:   Tue Nov 27 12:18:51 2012 -0500
+
+    check for errors from X509_REQ_to_X509()
+
+diff --git a/src/submit-so.c b/src/submit-so.c
+index 7ad799e..39c3d33 100644
+--- a/src/submit-so.c
+++ b/src/submit-so.c
+@@ -117,45 +117,51 @@ cm_submit_so_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
+ 							cert = X509_REQ_to_X509(req,
+ 										0,
+ 										pkey);
+-							ASN1_TIME_set(cert->cert_info->validity->notBefore, now);
+-							ASN1_TIME_set(cert->cert_info->validity->notAfter, now + life);
+-							X509_set_version(cert, 2);
+-							/* set the serial number */
+-							cm_log(3, "Setting certificate serial number \"%s\".\n",
+-							       ca->cm_ca_internal_serial);
+-							serial = cm_store_serial_to_der(ca, ca->cm_ca_internal_serial);
+-							seriall = strlen(serial) / 2;
+-							seriald = talloc_size(ca, seriall);
+-							cm_store_hex_to_bin(serial, seriald, seriall);
+-							serialtmp = seriald;
+-							seriali = d2i_ASN1_INTEGER(NULL, &serialtmp, seriall);
+-							X509_set_serialNumber(cert, seriali);
+							if (cert != NULL) {
+								ASN1_TIME_set(cert->cert_info->validity->notBefore, now);
+								ASN1_TIME_set(cert->cert_info->validity->notAfter, now + life);
+								X509_set_version(cert, 2);
+								/* set the serial number */
+								cm_log(3, "Setting certificate serial number \"%s\".\n",
+								       ca->cm_ca_internal_serial);
+								serial = cm_store_serial_to_der(ca, ca->cm_ca_internal_serial);
+								seriall = strlen(serial) / 2;
+								seriald = talloc_size(ca, seriall);
+								cm_store_hex_to_bin(serial, seriald, seriall);
+								serialtmp = seriald;
+								seriali = d2i_ASN1_INTEGER(NULL, &serialtmp, seriall);
+								X509_set_serialNumber(cert, seriali);
+ #ifdef HAVE_UUID
+-							if (cm_prefs_populate_unique_id()) {
+-								if (cm_submit_uuid_new(uuid) == 0) {
+-									cert->cert_info->subjectUID = M_ASN1_BIT_STRING_new();
+-									if (cert->cert_info->subjectUID != NULL) {
+-										ASN1_BIT_STRING_set(cert->cert_info->subjectUID, uuid, 16);
+-										cert->cert_info->issuerUID = M_ASN1_BIT_STRING_new();
+-										if (cert->cert_info->issuerUID != NULL) {
+-											ASN1_BIT_STRING_set(cert->cert_info->issuerUID, uuid, 16);
+								if (cm_prefs_populate_unique_id()) {
+									if (cm_submit_uuid_new(uuid) == 0) {
+										cert->cert_info->subjectUID = M_ASN1_BIT_STRING_new();
+										if (cert->cert_info->subjectUID != NULL) {
+											ASN1_BIT_STRING_set(cert->cert_info->subjectUID, uuid, 16);
+											cert->cert_info->issuerUID = M_ASN1_BIT_STRING_new();
+											if (cert->cert_info->issuerUID != NULL) {
+												ASN1_BIT_STRING_set(cert->cert_info->issuerUID, uuid, 16);
+											}
+ 										}
+ 									}
+ 								}
+-							}
+ #endif
+-							/* add basic constraints */
+-							cert->cert_info->extensions = X509_REQ_get_extensions(req);
+-							basicl = strlen(CM_BASIC_CONSTRAINT_NOT_CA) / 2;
+-							basicd = talloc_size(ca, basicl);
+-							cm_store_hex_to_bin(CM_BASIC_CONSTRAINT_NOT_CA, basicd, basicl);
+-							basictmp = basicd;
+-							basic = d2i_BASIC_CONSTRAINTS(NULL, &basictmp, basicl);
+-							X509_add1_ext_i2d(cert, NID_basic_constraints, basic, 1, 0);
+								/* add basic constraints */
+								cert->cert_info->extensions = X509_REQ_get_extensions(req);
+								basicl = strlen(CM_BASIC_CONSTRAINT_NOT_CA) / 2;
+								basicd = talloc_size(ca, basicl);
+								cm_store_hex_to_bin(CM_BASIC_CONSTRAINT_NOT_CA, basicd, basicl);
+								basictmp = basicd;
+								basic = d2i_BASIC_CONSTRAINTS(NULL, &basictmp, basicl);
+								X509_add1_ext_i2d(cert, NID_basic_constraints, basic, 1, 0);
+								/* finish up */
+								X509_sign(cert, pkey,
+									  cm_prefs_ossl_hash());
+								status = 0;
+							} else {
+								cm_log(1, "Error building "
+								       "certificate from "
+								       "signing request.\n");
+ 							}
+-							/* finish up */
+-							X509_sign(cert, pkey,
+-								  cm_prefs_ossl_hash());
+-							status = 0;
+ 						} else {
+ 							cm_log(1, "Error reading "
+ 							       "signing request.\n");
--- a/certmonger.spec
+++ b/certmonger.spec
@ -20,7 +20,7 @@

 Name:		certmonger
 Version:	0.61
-Release:	1%{?dist}
+Release:	3%{?dist}
 Summary:	Certificate status monitor and PKI enrollment client

 Group:		System Environment/Daemons
@ -28,6 +28,7 @@ License:	GPLv3+
 URL:		http://certmonger.fedorahosted.org
 Source0:	http://fedorahosted.org/released/certmonger/certmonger-%{version}.tar.gz
 Source1:	http://fedorahosted.org/released/certmonger/certmonger-%{version}.tar.gz.sig
+Patch0:		certmonger-x509-req-to-x509.patch
 BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

 BuildRequires:	dbus-devel, nspr-devel, nss-devel, openssl-devel
@ -87,6 +88,7 @@ system enrolled with a certificate authority (CA) and keeping it enrolled.

 %prep
 %setup -q
+%patch0 -p1 -b .x509-req-to-x509
 %if 0%{?rhel} > 0
 # Enabled by default for RHEL for bug #765600, still disabled by default for
 # Fedora pending a similar bug report there.
@ -201,6 +203,10 @@ exit 0
 %endif

 %changelog
+* Tue Nov 27 2012 Nalin Dahyabhai <nalin@redhat.com> 0.61-3
+- backport change from git to not choke if X509_REQ_to_X509() fails when we're
+  self-signing using OpenSSL
+
 * Mon Sep 24 2012 Nalin Dahyabhai <nalin@redhat.com> 0.61-1
 - fix a regression in reading old request tracking files where the
  request was in state NEED_TO_NOTIFY or NOTIFYING