check for errors from X509_REQ_to_X509()

- backport change from git to not choke if X509_REQ_to_X509() fails when we're
  self-signing using OpenSSL

certmonger-x509-req-to-x509.patch

@@ -0,0 +1,98 @@
+Backported from master.
+
+commit 254a4b852a7c4c3cec4e99a0ae485a497fe09760
+Author: Nalin Dahyabhai <nalin@redhat.com>
+Date:   Tue Nov 27 12:18:51 2012 -0500
+
+    check for errors from X509_REQ_to_X509()
+
+diff --git a/src/submit-so.c b/src/submit-so.c
+index 7ad799e..39c3d33 100644
+--- a/src/submit-so.c
++++ b/src/submit-so.c
+@@ -117,45 +117,51 @@ cm_submit_so_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
+ 							cert = X509_REQ_to_X509(req,
+ 										0,
+ 										pkey);
+-							ASN1_TIME_set(cert->cert_info->validity->notBefore, now);
+-							ASN1_TIME_set(cert->cert_info->validity->notAfter, now + life);
+-							X509_set_version(cert, 2);
+-							/* set the serial number */
+-							cm_log(3, "Setting certificate serial number \"%s\".\n",
+-							       ca->cm_ca_internal_serial);
+-							serial = cm_store_serial_to_der(ca, ca->cm_ca_internal_serial);
+-							seriall = strlen(serial) / 2;
+-							seriald = talloc_size(ca, seriall);
+-							cm_store_hex_to_bin(serial, seriald, seriall);
+-							serialtmp = seriald;
+-							seriali = d2i_ASN1_INTEGER(NULL, &serialtmp, seriall);
+-							X509_set_serialNumber(cert, seriali);
++							if (cert != NULL) {
++								ASN1_TIME_set(cert->cert_info->validity->notBefore, now);
++								ASN1_TIME_set(cert->cert_info->validity->notAfter, now + life);
++								X509_set_version(cert, 2);
++								/* set the serial number */
++								cm_log(3, "Setting certificate serial number \"%s\".\n",
++								       ca->cm_ca_internal_serial);
++								serial = cm_store_serial_to_der(ca, ca->cm_ca_internal_serial);
++								seriall = strlen(serial) / 2;
++								seriald = talloc_size(ca, seriall);
++								cm_store_hex_to_bin(serial, seriald, seriall);
++								serialtmp = seriald;
++								seriali = d2i_ASN1_INTEGER(NULL, &serialtmp, seriall);
++								X509_set_serialNumber(cert, seriali);
+ #ifdef HAVE_UUID
+-							if (cm_prefs_populate_unique_id()) {
+-								if (cm_submit_uuid_new(uuid) == 0) {
+-									cert->cert_info->subjectUID = M_ASN1_BIT_STRING_new();
+-									if (cert->cert_info->subjectUID != NULL) {
+-										ASN1_BIT_STRING_set(cert->cert_info->subjectUID, uuid, 16);
+-										cert->cert_info->issuerUID = M_ASN1_BIT_STRING_new();
+-										if (cert->cert_info->issuerUID != NULL) {
+-											ASN1_BIT_STRING_set(cert->cert_info->issuerUID, uuid, 16);
++								if (cm_prefs_populate_unique_id()) {
++									if (cm_submit_uuid_new(uuid) == 0) {
++										cert->cert_info->subjectUID = M_ASN1_BIT_STRING_new();
++										if (cert->cert_info->subjectUID != NULL) {
++											ASN1_BIT_STRING_set(cert->cert_info->subjectUID, uuid, 16);
++											cert->cert_info->issuerUID = M_ASN1_BIT_STRING_new();
++											if (cert->cert_info->issuerUID != NULL) {
++												ASN1_BIT_STRING_set(cert->cert_info->issuerUID, uuid, 16);
++											}
+ 										}
+ 									}
+ 								}
+-							}
+ #endif
+-							/* add basic constraints */
+-							cert->cert_info->extensions = X509_REQ_get_extensions(req);
+-							basicl = strlen(CM_BASIC_CONSTRAINT_NOT_CA) / 2;
+-							basicd = talloc_size(ca, basicl);
+-							cm_store_hex_to_bin(CM_BASIC_CONSTRAINT_NOT_CA, basicd, basicl);
+-							basictmp = basicd;
+-							basic = d2i_BASIC_CONSTRAINTS(NULL, &basictmp, basicl);
+-							X509_add1_ext_i2d(cert, NID_basic_constraints, basic, 1, 0);
++								/* add basic constraints */
++								cert->cert_info->extensions = X509_REQ_get_extensions(req);
++								basicl = strlen(CM_BASIC_CONSTRAINT_NOT_CA) / 2;
++								basicd = talloc_size(ca, basicl);
++								cm_store_hex_to_bin(CM_BASIC_CONSTRAINT_NOT_CA, basicd, basicl);
++								basictmp = basicd;
++								basic = d2i_BASIC_CONSTRAINTS(NULL, &basictmp, basicl);
++								X509_add1_ext_i2d(cert, NID_basic_constraints, basic, 1, 0);
++								/* finish up */
++								X509_sign(cert, pkey,
++									  cm_prefs_ossl_hash());
++								status = 0;
++							} else {
++								cm_log(1, "Error building "
++								       "certificate from "
++								       "signing request.\n");
++ 							}
+-							/* finish up */
+-							X509_sign(cert, pkey,
+-								  cm_prefs_ossl_hash());
+-							status = 0;
+ 						} else {
+ 							cm_log(1, "Error reading "
+ 							       "signing request.\n");

certmonger.spec

@@ -20,7 +20,7 @@
 
 Name:		certmonger
 Version:	0.61
-Release:	1%{?dist}
+Release:	3%{?dist}
 Summary:	Certificate status monitor and PKI enrollment client
 
 Group:		System Environment/Daemons
@@ -28,6 +28,7 @@ License:	GPLv3+
 URL:		http://certmonger.fedorahosted.org
 Source0:	http://fedorahosted.org/released/certmonger/certmonger-%{version}.tar.gz
 Source1:	http://fedorahosted.org/released/certmonger/certmonger-%{version}.tar.gz.sig
+Patch0:		certmonger-x509-req-to-x509.patch
 BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 BuildRequires:	dbus-devel, nspr-devel, nss-devel, openssl-devel
@@ -87,6 +88,7 @@ system enrolled with a certificate authority (CA) and keeping it enrolled.
 
 %prep
 %setup -q
+%patch0 -p1 -b .x509-req-to-x509
 %if 0%{?rhel} > 0
 # Enabled by default for RHEL for bug #765600, still disabled by default for
 # Fedora pending a similar bug report there.
@@ -201,6 +203,10 @@ exit 0
 %endif
 
 %changelog
+* Tue Nov 27 2012 Nalin Dahyabhai <nalin@redhat.com> 0.61-3
+- backport change from git to not choke if X509_REQ_to_X509() fails when we're
+  self-signing using OpenSSL
+
 * Mon Sep 24 2012 Nalin Dahyabhai <nalin@redhat.com> 0.61-1
 - fix a regression in reading old request tracking files where the
   request was in state NEED_TO_NOTIFY or NOTIFYING