import certmonger-0.79.7-14.el8

SOURCES/0045-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch

@@ -0,0 +1,62 @@
+From b63be96fd30d0a9fb2538e41509e8813620d5107 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Fri, 22 May 2020 12:58:44 -0400
+Subject: [PATCH] Include &message=CA-IDENT with GetCACaps and GetCACert
+ requests
+
+The guttman spec is quite unclear on this and in the GetCACaps
+section doesn't mention &message at all. It only appears in the
+generic GET requests section 4.1
+
+The nourse spec is clearer and requires &message=CA-IDENT on
+GetCACaps requests.
+
+AD 2012 R2 servers also require message on GetCACert requests.
+
+This reverts much of 60a4db5796b0575ca2cc9f1af4ecb3fdc6359242
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1839181
+https://pagure.io/certmonger/issue/103
+---
+ src/scep.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/scep.c b/src/scep.c
+index 4dde1ce..11ebd6f 100644
+--- a/src/scep.c
++++ b/src/scep.c
+@@ -370,11 +370,11 @@ main(int argc, const char **argv)
+ 		break;
+ 	case op_get_ca_caps:
+ 		/* Only step: read capabilities for the daemon. */
+-		params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
++		params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
+ 		break;
+ 	case op_get_ca_certs:
+ 		/* First step: get the root certificate. */
+-		params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT);
++		params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT "&message=%s", id);
+ 		break;
+ 	case op_get_cert_initial:
+ 		if ((racert == NULL) || (strlen(racert) == 0)) {
+@@ -393,7 +393,7 @@ main(int argc, const char **argv)
+ 				goto done;
+ 			}
+ 			/* First step: read capabilities for our use. */
+-			params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
++			params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
+ 		}
+ 		break;
+ 	case op_pkcsreq:
+@@ -413,7 +413,7 @@ main(int argc, const char **argv)
+ 				goto done;
+ 			}
+ 			/* First step: read capabilities for our use. */
+-			params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
++			params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
+ 		}
+ 		break;
+ 	}
+-- 
+2.25.4
+

SPECS/certmonger.spec

@@ -9,7 +9,7 @@
 
 Name:		certmonger
 Version:	0.79.7
-Release:	13%{?dist}
+Release:	14%{?dist}
 Summary:	Certificate status monitor and PKI enrollment client
 
 Group:		System Environment/Daemons
@@ -109,6 +109,7 @@ Patch41:	0041-Ensure-that-files-read-in-have-a-trailing-new-line.patch
 Patch42:	0042-Add-long-command-line-options-to-man-pages.patch
 Patch43:	0043-Add-long-options-to-command-line-help.patch
 Patch44:	0044-Adapt-to-the-new-behavior-of-disconnect-in-dbus-brok.patch
+Patch45:	0045-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch
 
 
 %description
@@ -146,6 +147,7 @@ system enrolled with a certificate authority (CA) and keeping it enrolled.
 %patch42 -p1
 %patch43 -p1
 %patch44 -p1
+%patch45 -p1
 
 %build
 autoreconf -i -f
@@ -272,6 +274,9 @@ exit 0
 %endif
 
 %changelog
+* Tue Jun  2 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-14
+- Include &message=CA-IDENT with GetCACaps/GetCACert requests (#1843009)
+
 * Mon May 18 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-13
 - Exit gracefully if dbus is restarted (#1687698)