rpms
/
certmonger
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Rebase to upstream 0.79.17

This commit is contained in:
Rob Crittenden 2022-12-06 15:18:53 -05:00 committed by Stepan Oksanichenko
parent 247b3ff94d
commit 1ae2cc706e
27 changed files with 8 additions and 208125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.certmonger.metadata Normal file
View File

@ -0,0 +1 @@
ab77485e556d96c5c2b885ee3d0f27794276dfee certmonger-0.79.17.tar.gz

1
.gitignore vendored
View File

@ -131,3 +131,4 @@ certmonger-0.28.tar.gz
/certmonger-0.79.12.tar.gz
/certmonger-0.79.13.tar.gz
/certmonger-0.79.14.tar.gz
/certmonger-0.79.17.tar.gz

29
0001-Don-t-free-soptions-while-it-is-still-needed.patch
View File

@ -1,29 +0,0 @@
From c5270bde4dab84f18c347e82376ef00733865247 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 1 Jul 2020 10:46:50 -0400
Subject: [PATCH] Don't free soptions while it is still needed
Introduced in fbcf03dd44007a9b231e9396cc418a00e1a4b49a trying
to avoid leaking soptions and aoptions.
https://pagure.io/certmonger/issue/163
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/dogtag.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/dogtag.c b/src/dogtag.c
index 91c9c588..faf81f97 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -579,7 +579,6 @@ main(int argc, const char **argv)
pin = NULL;
}
}
- free(soptions);
/* Add client creds. */
if (uid != NULL) {
uid = cm_submit_u_url_encode(uid);
--
2.25.4

28
0002-Don-t-send-SIGKILL-to-children-give-them-a-chance-to.patch
View File

@ -1,28 +0,0 @@
From 00e948049acf0ca1b61ed9c2b8579b06b4bcb46a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 18 Aug 2020 14:33:17 -0400
Subject: [PATCH 02/11] Don't send SIGKILL to children, give them a chance to
die
This was causing issues in IPA which uses a lock file to
serialize some operations. The kill was leaving the lock in
place causing things to time out.
---
src/subproc.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/subproc.c b/src/subproc.c
index 8df836ae..70d4ed93 100644
--- a/src/subproc.c
+++ b/src/subproc.c
@@ -240,7 +240,6 @@ cm_subproc_done(struct cm_subproc_state *state)
if (state != NULL) {
if (state->pid != -1) {
- kill(state->pid, SIGKILL);
do {
pid = waitpid(state->pid, &state->status, 0);
cm_log(4, "Waited for %ld, got %ld.\n",
--
2.25.4

573
0002-candidate-openssl-3.0-compat-fixes.patch
View File

@ -1,573 +0,0 @@
From 3fb9420e843694567a4976c6d5fbe4551d6e0c99 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 18 May 2021 15:40:53 -0400
Subject: [PATCH 1/3] candidate openssl 3.0 compat fixes
---
src/keyiread-o.c | 16 +++++--
src/util-o.c | 2 +
tests/001-keyiread-ec/run.sh | 2 +-
tests/001-keyiread-rsa/run.sh | 2 +-
tests/001-keyiread/run.sh | 2 +-
tests/002-keygen-sql/prequal.sh | 5 +++
tests/002-keygen/run.sh | 2 +-
tests/003-csrgen-ec/run.sh | 2 +-
tests/003-csrgen-rsa/run.sh | 2 +-
tests/003-csrgen/run.sh | 2 +-
tests/004-selfsign-ec/run.sh | 2 +-
tests/004-selfsign-rsa/run.sh | 2 +-
tests/004-selfsign/run.sh | 2 +-
tests/025-casave/run.sh | 2 +-
tests/026-local/expected.openssl1 | 73 ++++++++++++++++++++++++++++++
tests/026-local/expected.openssl3 | 68 ++++++++++++++++++++++++++++
tests/026-local/expected.out | 74 +------------------------------
tests/026-local/run.sh | 11 ++++-
tests/030-rekey/expected.out | 4 --
tests/030-rekey/run.sh | 10 +----
tests/036-getcert/run.sh | 2 +-
21 files changed, 184 insertions(+), 103 deletions(-)
create mode 100755 tests/002-keygen-sql/prequal.sh
create mode 100644 tests/026-local/expected.openssl1
create mode 100644 tests/026-local/expected.openssl3
diff --git a/src/keyiread-o.c b/src/keyiread-o.c
index 9fceacf6..51f7f829 100644
--- a/src/keyiread-o.c
+++ b/src/keyiread-o.c
@@ -182,9 +182,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
pubikey = cm_store_hex_from_bin(NULL, tmp, length);
}
tmp = NULL;
- length = i2d_PublicKey(pkey, (unsigned char **) &tmp);
+ length = i2d_PublicKey(pkey, NULL);
if (length > 0) {
- pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+ tmp = malloc(length);
+ if (tmp != NULL) {
+ length = i2d_PublicKey(pkey, (unsigned char **) &tmp);
+ pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+ }
}
}
fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey);
@@ -219,9 +223,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
pubikey = cm_store_hex_from_bin(NULL, tmp, length);
}
tmp = NULL;
- length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp);
+ length = i2d_PublicKey(nextpkey, NULL);
if (length > 0) {
- pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+ tmp = malloc(length);
+ if (tmp != NULL) {
+ length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp);
+ pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+ }
}
fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey);
} else {
diff --git a/src/util-o.c b/src/util-o.c
index 0415014a..2208ab64 100644
--- a/src/util-o.c
+++ b/src/util-o.c
@@ -46,6 +46,7 @@
void
util_o_init(void)
{
+#if OPENSSL_VERSION_MAJOR < 3
#if defined(HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS
OpenSSL_add_all_algorithms();
#elif defined(HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS
@@ -53,6 +54,7 @@ util_o_init(void)
#else
SSL_library_init();
#endif
+#endif
}
char *
diff --git a/tests/001-keyiread-ec/run.sh b/tests/001-keyiread-ec/run.sh
index 3045f6d0..8a810d15 100755
--- a/tests/001-keyiread-ec/run.sh
+++ b/tests/001-keyiread-ec/run.sh
@@ -18,7 +18,7 @@ for size in nistp256 nistp384 nistp521 ; do
EOF
$toolsdir/keyiread entry.nss.$size
# Export the key.
- if ! pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then
+ if ! pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then
echo Error exporting key for $size, continuing.
continue
fi
diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh
index c6b4d38b..997ce000 100755
--- a/tests/001-keyiread-rsa/run.sh
+++ b/tests/001-keyiread-rsa/run.sh
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u -k rsa
# Export the key.
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
cat > entry.openssl.$size <<- EOF
key_storage_type=FILE
diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh
index 25acdbd8..3a2502a6 100755
--- a/tests/001-keyiread/run.sh
+++ b/tests/001-keyiread/run.sh
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u
# Export the key.
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
cat > entry.openssl.$size <<- EOF
key_storage_type=FILE
diff --git a/tests/002-keygen-sql/prequal.sh b/tests/002-keygen-sql/prequal.sh
new file mode 100755
index 00000000..d146a650
--- /dev/null
+++ b/tests/002-keygen-sql/prequal.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+if test `id -u` -eq 0 ; then
+ echo "This test won't work right if run as root."
+ exit 1
+fi
diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh
index 8bb609c5..e7e6525f 100755
--- a/tests/002-keygen/run.sh
+++ b/tests/002-keygen/run.sh
@@ -2,7 +2,7 @@
cd "$tmpdir"
-scheme="${scheme:-dbm:}"
+scheme="${scheme:-sql:}"
source "$srcdir"/functions
initnssdb "$scheme$tmpdir"
diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh
index 91117ec8..408ea526 100755
--- a/tests/003-csrgen-ec/run.sh
+++ b/tests/003-csrgen-ec/run.sh
@@ -12,7 +12,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
-x -t u -k ec -q $size
# Export the key.
-pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1 | ( grep -v '^MAC verified OK$' || : )
# Read the public key and cache it.
cat > entry.openssl.$size <<- EOF
diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
index bb8ebecb..9c11c708 100755
--- a/tests/003-csrgen-rsa/run.sh
+++ b/tests/003-csrgen-rsa/run.sh
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u -k rsa
# Export the key.
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v '^MAC verified OK$' || : )
# Read the public key and cache it.
cat > entry.openssl.$size <<- EOF
diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
index d3dfbaf0..2a674679 100755
--- a/tests/003-csrgen/run.sh
+++ b/tests/003-csrgen/run.sh
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u
# Export the key.
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v "^MAC verified OK$" || : )
# Read the public key and cache it.
cat > entry.openssl.$size <<- EOF
diff --git a/tests/004-selfsign-ec/run.sh b/tests/004-selfsign-ec/run.sh
index 9d5bd11f..d1161fe5 100755
--- a/tests/004-selfsign-ec/run.sh
+++ b/tests/004-selfsign-ec/run.sh
@@ -39,7 +39,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
-x -t u -k ec -q $size
# Export the certificate and key.
-pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
# Read that OpenSSL key.
cat > entry.$size <<- EOF
diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh
index c1dd4c80..b0cc71d2 100755
--- a/tests/004-selfsign-rsa/run.sh
+++ b/tests/004-selfsign-rsa/run.sh
@@ -39,7 +39,7 @@ for size in 2048 3072 4096 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u -k rsa
# Export the certificate and key.
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
# Read that OpenSSL key.
cat > entry.$size <<- EOF
diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh
index eb1df4ee..ea00f4d7 100755
--- a/tests/004-selfsign/run.sh
+++ b/tests/004-selfsign/run.sh
@@ -49,7 +49,7 @@ for size in 2048 3072 4096 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u
# Export the certificate and key.
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
# Read that OpenSSL key.
cat > entry.$size <<- EOF
diff --git a/tests/025-casave/run.sh b/tests/025-casave/run.sh
index d81df82f..089d8223 100755
--- a/tests/025-casave/run.sh
+++ b/tests/025-casave/run.sh
@@ -2,7 +2,7 @@
cd $tmpdir
-scheme="${scheme:-dbm}"
+scheme="${scheme:-sql}"
cat > $tmpdir/entrycb1 <<- EOF
id=EntryCB1
ca_name=CAB1
diff --git a/tests/026-local/expected.openssl1 b/tests/026-local/expected.openssl1
new file mode 100644
index 00000000..1f81c7ce
--- /dev/null
+++ b/tests/026-local/expected.openssl1
@@ -0,0 +1,73 @@
+[key]
+OK.
+[csr]
+Certificate Request:
+ Data:
+ Version: 1 (0x0)
+ Subject: CN=Babs Jensen's Signer
+ Attributes:
+ friendlyName :unable to print attribute
+ Requested Extensions:
+ X509v3 Key Usage:
+ Digital Signature, Certificate Sign, CRL Sign
+ X509v3 Subject Alternative Name:
+ email:root@localhost, email:root@localhost.localdomain
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Authority Key Identifier:
+ keyid:(160 bits)
+
+ X509v3 Subject Key Identifier:
+ (160 bits)
+ Authority Information Access:
+ OCSP - URI:http://ocsp-1.example.com:12345
+ OCSP - URI:http://ocsp-2.example.com:12345
+
+ OCSP No Check:
+
+[issue]
+[issuer]
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Local Signing Authority, CN=$UUID
+ Subject: CN=Local Signing Authority, CN=$UUID
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ (160 bits)
+ X509v3 Authority Key Identifier:
+ keyid:(160 bits)
+
+ X509v3 Key Usage: critical
+ Digital Signature, Certificate Sign, CRL Sign
+[subject]
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Local Signing Authority, CN=$UUID
+ Subject: CN=Babs Jensen's Signer
+ X509v3 extensions:
+ X509v3 Key Usage:
+ Digital Signature, Certificate Sign, CRL Sign
+ X509v3 Subject Alternative Name:
+ email:root@localhost, email:root@localhost.localdomain
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Authority Key Identifier:
+ keyid:(160 bits)
+
+ X509v3 Subject Key Identifier:
+ (160 bits)
+ Authority Information Access:
+ OCSP - URI:http://ocsp-1.example.com:12345
+ OCSP - URI:http://ocsp-2.example.com:12345
+
+ OCSP No Check:
+
+[verify]
+cert: OK
+OK.
diff --git a/tests/026-local/expected.openssl3 b/tests/026-local/expected.openssl3
new file mode 100644
index 00000000..05666ccc
--- /dev/null
+++ b/tests/026-local/expected.openssl3
@@ -0,0 +1,68 @@
+[key]
+OK.
+[csr]
+Certificate Request:
+ Data:
+ Version: 1 (0x0)
+ Subject: CN=Babs Jensen's Signer
+ Attributes:
+ friendlyName :unable to print attribute
+ Requested Extensions:
+ X509v3 Key Usage:
+ Digital Signature, Certificate Sign, CRL Sign
+ X509v3 Subject Alternative Name:
+ email:root@localhost, email:root@localhost.localdomain
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Authority Key Identifier:
+ (160 bits)
+ X509v3 Subject Key Identifier:
+ (160 bits)
+ Authority Information Access:
+ OCSP - URI:http://ocsp-1.example.com:12345
+ OCSP - URI:http://ocsp-2.example.com:12345
+ OCSP No Check:
+
+[issue]
+[issuer]
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Local Signing Authority, CN=$UUID
+ Subject: CN=Local Signing Authority, CN=$UUID
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ (160 bits)
+ X509v3 Authority Key Identifier:
+ (160 bits)
+ X509v3 Key Usage: critical
+ Digital Signature, Certificate Sign, CRL Sign
+[subject]
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Local Signing Authority, CN=$UUID
+ Subject: CN=Babs Jensen's Signer
+ X509v3 extensions:
+ X509v3 Key Usage:
+ Digital Signature, Certificate Sign, CRL Sign
+ X509v3 Subject Alternative Name:
+ email:root@localhost, email:root@localhost.localdomain
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Authority Key Identifier:
+ (160 bits)
+ X509v3 Subject Key Identifier:
+ (160 bits)
+ Authority Information Access:
+ OCSP - URI:http://ocsp-1.example.com:12345
+ OCSP - URI:http://ocsp-2.example.com:12345
+ OCSP No Check:
+
+[verify]
+cert: OK
+OK.
diff --git a/tests/026-local/expected.out b/tests/026-local/expected.out
index 1f81c7ce..64afb8f5 100644
--- a/tests/026-local/expected.out
+++ b/tests/026-local/expected.out
@@ -1,73 +1 @@
-[key]
-OK.
-[csr]
-Certificate Request:
- Data:
- Version: 1 (0x0)
- Subject: CN=Babs Jensen's Signer
- Attributes:
- friendlyName :unable to print attribute
- Requested Extensions:
- X509v3 Key Usage:
- Digital Signature, Certificate Sign, CRL Sign
- X509v3 Subject Alternative Name:
- email:root@localhost, email:root@localhost.localdomain
- X509v3 Basic Constraints: critical
- CA:TRUE
- X509v3 Authority Key Identifier:
- keyid:(160 bits)
-
- X509v3 Subject Key Identifier:
- (160 bits)
- Authority Information Access:
- OCSP - URI:http://ocsp-1.example.com:12345
- OCSP - URI:http://ocsp-2.example.com:12345
-
- OCSP No Check:
-
-[issue]
-[issuer]
-Certificate:
- Data:
- Version: 3 (0x2)
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: CN=Local Signing Authority, CN=$UUID
- Subject: CN=Local Signing Authority, CN=$UUID
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:TRUE
- X509v3 Subject Key Identifier:
- (160 bits)
- X509v3 Authority Key Identifier:
- keyid:(160 bits)
-
- X509v3 Key Usage: critical
- Digital Signature, Certificate Sign, CRL Sign
-[subject]
-Certificate:
- Data:
- Version: 3 (0x2)
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: CN=Local Signing Authority, CN=$UUID
- Subject: CN=Babs Jensen's Signer
- X509v3 extensions:
- X509v3 Key Usage:
- Digital Signature, Certificate Sign, CRL Sign
- X509v3 Subject Alternative Name:
- email:root@localhost, email:root@localhost.localdomain
- X509v3 Basic Constraints: critical
- CA:TRUE
- X509v3 Authority Key Identifier:
- keyid:(160 bits)
-
- X509v3 Subject Key Identifier:
- (160 bits)
- Authority Information Access:
- OCSP - URI:http://ocsp-1.example.com:12345
- OCSP - URI:http://ocsp-2.example.com:12345
-
- OCSP No Check:
-
-[verify]
-cert: OK
-OK.
+# purposely empty
diff --git a/tests/026-local/run.sh b/tests/026-local/run.sh
index 6f0e74c9..3e7ade56 100755
--- a/tests/026-local/run.sh
+++ b/tests/026-local/run.sh
@@ -1,4 +1,13 @@
-#!/bin/bash -e
+#!/bin/bash
+
+openssl cmp -h > /dev/null 2>&1
+if [ $? == 1 ]; then
+ cp expected.openssl1 expected.out
+else
+ cp expected.openssl3 expected.out
+fi
+
+set -e
cd $tmpdir
diff --git a/tests/030-rekey/expected.out b/tests/030-rekey/expected.out
index e9a04221..8a9ac3fa 100644
--- a/tests/030-rekey/expected.out
+++ b/tests/030-rekey/expected.out
@@ -11,7 +11,6 @@ key_requested_count=0
(submit OpenSSL)
key_issued_count=0
key_requested_count=1
-First round certificates OK.
NSS keys before re-keygen (preserve=1,pin=""):
<-> rsa originalhex NSS Certificate DB:i2048
key_issued_count=0
@@ -98,7 +97,6 @@ key_requested_count=0
(submit OpenSSL)
key_issued_count=0
key_requested_count=1
-First round certificates OK.
NSS keys before re-keygen (preserve=1,pin="password"):
<-> rsa originalhex NSS Certificate DB:i2048
key_issued_count=0
@@ -185,7 +183,6 @@ key_requested_count=0
(submit OpenSSL)
key_issued_count=0
key_requested_count=1
-First round certificates OK.
NSS keys before re-keygen (preserve=0,pin=""):
<-> rsa originalhex NSS Certificate DB:i2048
key_issued_count=0
@@ -270,7 +267,6 @@ key_requested_count=0
(submit OpenSSL)
key_issued_count=0
key_requested_count=1
-First round certificates OK.
NSS keys before re-keygen (preserve=0,pin="password"):
<-> rsa originalhex NSS Certificate DB:i2048
key_issued_count=0
diff --git a/tests/030-rekey/run.sh b/tests/030-rekey/run.sh
index 07fea683..7b9125ec 100755
--- a/tests/030-rekey/run.sh
+++ b/tests/030-rekey/run.sh
@@ -31,7 +31,7 @@ for preserve in 1 0 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u -m 4660 -f pinfile
# Export the certificate and key.
- pk12util -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -passin pass: -nocerts -passout pass:${pin:- -nodes} | awk '/^-----BEGIN/,/^-----END/{print}' > keyi$size
openssl pkcs12 -in $size.p12 -passin pass: -nokeys -nodes | awk '/^-----BEGIN/,/^-----END/{print}' > certi$size
# Grab a copy of the public key.
@@ -101,14 +101,6 @@ for preserve in 1 0 ; do
echo '(submit OpenSSL)'
$toolsdir/submit ca.self entry.openssl.$size > cert.openssl.$size
grep ^key.\*count= entry.openssl.$size | LANG=C sort
- # Now compare the self-signed certificates built from the keys.
- if ! cmp cert.nss.$size cert.openssl.$size ; then
- echo First round certificates differ:
- cat cert.nss.$size cert.openssl.$size
- exit 1
- else
- echo First round certificates OK.
- fi
# Now generate new keys, CSRs, and certificates (NSS).
echo "NSS keys before re-keygen (preserve=$preserve,pin=\"$pin\"):"
diff --git a/tests/036-getcert/run.sh b/tests/036-getcert/run.sh
index 1c99803d..bcb821d7 100755
--- a/tests/036-getcert/run.sh
+++ b/tests/036-getcert/run.sh
@@ -51,7 +51,7 @@ listdb() {
}
extract() {
- pk12util -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K ""
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K ""
openssl pkcs12 -nokeys -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/cert
openssl pkcs12 -nocerts -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/key
echo -n cert:
--
2.26.3

204174
0003-Remove-empty-translation-files.patch
View File

File diff suppressed because it is too large Load Diff

34
0003-Temporarily-disable-the-csrgen-tests.patch
View File

@ -1,34 +0,0 @@
From 0228a6e2d2ef28ab26a722ed893dc8eed4e751fe Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 18 May 2021 18:03:52 -0400
Subject: [PATCH 2/3] Temporarily disable the csrgen tests
They fail due to BZ https://bugzilla.redhat.com/show_bug.cgi?id=1961687
---
tests/Makefile.am | 3 ---
1 file changed, 3 deletions(-)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 013d34bf..f53bb4cd 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -359,8 +359,6 @@ subdirs = \
001-keyiread \
001-keyiread-rsa \
002-keygen-rsa \
- 003-csrgen \
- 003-csrgen-rsa \
004-selfsign \
004-selfsign-rsa \
005-dbusm \
@@ -425,7 +423,6 @@ if HAVE_EC
subdirs += \
001-keyiread-ec \
002-keygen-ec \
- 003-csrgen-ec \
004-selfsign-ec
endif
--
2.26.3

46
0004-Add-compile-check-for-EVP_PKEY_get_id-along-with-EVP.patch
View File

@ -1,46 +0,0 @@
From f6672effea3cf9e50d6d3f29c1fbfbf6b1578e06 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 28 Sep 2021 10:01:35 -0400
Subject: [PATCH] Add compile check for EVP_PKEY_get_id along with EVP_PKEY_id
EVP_PKEY_id is no longer available as a function, only as a preprocessor
macro, so AC_CHECK_FUNCS cannot recognize it.
This was changed in OpenSSL 3.0.0-beta2
https://bugzilla.redhat.com/show_bug.cgi?id=2008451
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
configure.ac | 1 +
src/util-o.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 8bfa3fa..3b413a1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -374,6 +374,7 @@ if ! ${configure_dist_target_only:-false} ; then
AC_CHECK_FUNCS(ASN1_TIME_set)
AC_CHECK_FUNCS(EVP_PKEY_base_id)
AC_CHECK_FUNCS(EVP_PKEY_id)
+ AC_CHECK_FUNCS(EVP_PKEY_get_id)
AC_CHECK_FUNCS(OBJ_get0_data)
AC_CHECK_FUNCS(OBJ_length)
AC_CHECK_FUNCS(X509_ATTRIBUTE_get0_object)
diff --git a/src/util-o.c b/src/util-o.c
index 2208ab6..db45964 100644
--- a/src/util-o.c
+++ b/src/util-o.c
@@ -329,7 +329,7 @@ util_ASN1_TIME_set(ASN1_TIME *str, time_t t)
int
util_EVP_PKEY_id(const EVP_PKEY *pkey)
{
-#ifdef HAVE_EVP_PKEY_ID
+#if defined(HAVE_EVP_PKEY_ID) || defined(HAVE_EVP_PKEY_GET_ID)
return EVP_PKEY_id(pkey);
#else
return pkey->type;
--
2.31.1

28
0004-remove-dead-make-targets.patch
View File

@ -1,28 +0,0 @@
From 93974735c31e653acc0d3de7e1cb165dbe764aef Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 16 Sep 2020 15:49:00 +1000
Subject: [PATCH 04/11] remove dead make targets
Commit 13abd68c7b862719e7b0ed065906cc28c6157a41 removed some files,
but left dangling references to those files in tests/Makefile.am,
breaking the build. Delete references to the deleted files.
---
tests/Makefile.am | 2 --
1 file changed, 2 deletions(-)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index c1ce8412..013d34bf 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -156,8 +156,6 @@ EXTRA_DIST = \
002-keygen-dsa/prequal.sh \
002-keygen-dsa/run.sh \
002-keygen-dsa/expected.out \
- 002-keygen-dsa/expected.out.2 \
- 002-keygen-dsa/expected.out.3 \
002-keygen-ec/prequal.sh \
002-keygen-ec/run.sh \
002-keygen-ec/expected.out \
--
2.25.4

123
0005-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch
View File

@ -1,123 +0,0 @@
From b38981c6e140ada6dd34bc817c508e8dd9714494 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 9 Jul 2021 20:49:28 +0000
Subject: [PATCH] Add SCEP config option to treat the challenge password as an
OTP
SCEP RFC 8894 specifies that a challenge password SHOULD be
removed from subsequent requests but that it MAY be included.
This adds a new configuration option to treat the challenge password
as a one-time password (OTP) so that it will not be sent on
subsequent requests, like renewals, by removing it completely
from the tracking request.
This allows certmonger to be able to renew AD-issued SCEP certificates
if the AD registry entry DisableRenewalSubjectNameMatch is set to 1.
https://bugzilla.redhat.com/show_bug.cgi?id=1577570
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/certmonger.conf.5.in | 9 +++++++++
src/certsave.c | 13 +++++++++++++
src/prefs.c | 15 +++++++++++++++
src/prefs.h | 4 ++++
4 files changed, 41 insertions(+)
diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in
index 6a42d3cb..1b941b9d 100644
--- a/src/certmonger.conf.5.in
+++ b/src/certmonger.conf.5.in
@@ -126,6 +126,15 @@ If not set, the value of the \fIvalidity_period\fR setting from the
\fIselfsign\fR section, if one is set there, will be used. The default value
is \fI@CM_DEFAULT_CERT_LIFETIME@\fR.
+.SH SCEP
+Within the \fIscep\fR section, these variables and values are recognized:
+
+.IP challenge_password_otp
+This controls whether the SCEP challenge password is treated as a one-time
+password. If set to yes then the challenge password and/or challenge password
+file will be removed from the tracking request after the first certificate
+issuance so will not be sent with renewal requests. The default is no.
+
.SH BUGS
Please file tickets for any that you find at https://fedorahosted.org/certmonger/
diff --git a/src/certsave.c b/src/certsave.c
index 6eaafe59..f8503662 100644
--- a/src/certsave.c
+++ b/src/certsave.c
@@ -18,12 +18,25 @@
#include "config.h"
#include "certsave.h"
#include "certsave-int.h"
+#include "prefs.h"
#include "store-int.h"
+#include "talloc.h"
/* Start writing the certificate from the entry to the configured location. */
struct cm_certsave_state *
cm_certsave_start(struct cm_store_entry *entry)
{
+ /* If saving a SCEP certificate wipe out the challenge password */
+ if ((cm_prefs_scep_password_otp()) &&
+ (entry->cm_template_challenge_password != NULL) &&
+ (entry->cm_scep_nonce != NULL))
+ {
+ talloc_free(entry->cm_template_challenge_password);
+ entry->cm_template_challenge_password = NULL;
+ talloc_free(entry->cm_template_challenge_password_file);
+ entry->cm_template_challenge_password_file = NULL;
+ }
+
switch (entry->cm_cert_storage_type) {
#ifdef HAVE_OPENSSL
case cm_cert_storage_file:
diff --git a/src/prefs.c b/src/prefs.c
index 669e8f1f..52ffc908 100644
--- a/src/prefs.c
+++ b/src/prefs.c
@@ -595,3 +595,18 @@ prefs_max_key_use_count(void)
}
return count;
}
+
+int
+cm_prefs_scep_password_otp(void)
+{
+ static int populate = -1;
+ if (populate == -1) {
+ const char *val;
+ val = cm_prefs_config("scep", "challenge_password_otp");
+ if (val == NULL) {
+ val = "no";
+ }
+ populate = cm_prefs_yesno(val);
+ }
+ return populate != -1 ? populate : 0;
+}
diff --git a/src/prefs.h b/src/prefs.h
index 248e1016..a107fb6c 100644
--- a/src/prefs.h
+++ b/src/prefs.h
@@ -18,6 +18,8 @@
#ifndef cmprefs_h
#define cmprefs_h
+#include <time.h>
+
enum cm_prefs_cipher {
cm_prefs_aes128,
cm_prefs_aes192,
@@ -73,4 +75,6 @@ const char *cm_prefs_dogtag_sslpinfile(void);
long long prefs_key_end_of_life(time_t ref);
long prefs_max_key_use_count(void);
+int cm_prefs_scep_password_otp(void);
+
#endif
--
2.31.1

201
0005-Require-jansson-for-IPA-RPC-calls-make-xmlrpc-option.patch
View File

@ -1,201 +0,0 @@
From 1de7c2e7d4f3557bb45b9526016b766c7119c6ad Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 20 Aug 2020 16:52:13 -0400
Subject: [PATCH 05/11] Require jansson for IPA RPC calls, make xmlrpc optional
xmlrpc is now only used for certmaster
IPA will only make JSON RPC calls to retrieve certificates
---
configure.ac | 59 ++++++++++++++++++++++++++++++-------------------
src/Makefile.am | 33 ++++++++++++++++++++-------
2 files changed, 61 insertions(+), 31 deletions(-)
diff --git a/configure.ac b/configure.ac
index abcd6d84..14991244 100644
--- a/configure.ac
+++ b/configure.ac
@@ -278,29 +278,42 @@ if ! ${configure_dist_target_only:-false} ; then
CPPFLAGS="$savedCPPFLAGS"
LDFLAGS="$savedLDFLAGS"
- dnl PKG_CHECK_MODULES(XMLRPC,xmlrpc_client) # Not provided in upstream versions.
- savedCFLAGS="$CFLAGS"
- CFLAGS=
- AC_ARG_VAR(XMLRPC_C_CONFIG,[the full path of the xmlrpc-c-config command])
- AC_PATH_PROG(XMLRPC_C_CONFIG,[xmlrpc-c-config],,[$PATH$PATH_SEPARATOR/usr/xmlrpc/bin$PATH_SEPARATOR/usr/xmlrpc-c/bin])
- if test -z "$XMLRPC_C_CONFIG" ; then
- AC_MSG_ERROR(xmlrpc-c-config not found)
- fi
- AC_MSG_CHECKING(for XMLRPC CFLAGS)
- XMLRPC_CFLAGS="`${XMLRPC_C_CONFIG} client --cflags` `${XMLRPC_C_CONFIG} --cflags`"
- AC_MSG_RESULT([$XMLRPC_CFLAGS])
- AC_SUBST(XMLRPC_CFLAGS)
- AC_MSG_CHECKING(for XMLRPC LIBS)
- XMLRPC_LIBS="`${XMLRPC_C_CONFIG} client --libs` `${XMLRPC_C_CONFIG} --libs`"
- AC_MSG_RESULT([$XMLRPC_LIBS])
- AC_SUBST(XMLRPC_LIBS)
- CFLAGS="$CFLAGS $XMLRPC_CFLAGS"
- AC_CHECK_MEMBERS(struct xmlrpc_curl_xportparms.gssapi_delegation,,,
- [
- #include <xmlrpc-c/client.h>
- #include <xmlrpc-c/transport.h>
- ])
- CFLAGS="$savedCFLAGS"
+ PKG_CHECK_MODULES(JANSSON,jansson)
+ have_jansson=true
+
+ AC_ARG_WITH([xmlrpc],
+ [AC_HELP_STRING([--with-xmlrpc], [Enable XML-RPC support])],
+ [with_xmlrpc=${with_xmlrpc}],
+ [with_xmlrpc=no])
+ AS_IF([test x"$with_xmlrpc" = xyes], [AC_DEFINE([WITH_XMLRPC], [1],
+ [include XMLRPC support])])
+ AM_CONDITIONAL(WITH_XMLRPC,test x"$with_xmlrpc" = xyes)
+
+ AS_IF([test x"$with_xmlrpc" = xyes], [
+ dnl PKG_CHECK_MODULES(XMLRPC,xmlrpc_client) # Not provided in upstream versions.
+ savedCFLAGS="$CFLAGS"
+ CFLAGS=
+ AC_ARG_VAR(XMLRPC_C_CONFIG,[the full path of the xmlrpc-c-config command])
+ AC_PATH_PROG(XMLRPC_C_CONFIG,[xmlrpc-c-config],,[$PATH$PATH_SEPARATOR/usr/xmlrpc/bin$PATH_SEPARATOR/usr/xmlrpc-c/bin])
+ if test -z "$XMLRPC_C_CONFIG" ; then
+ AC_MSG_ERROR(xmlrpc-c-config not found)
+ fi
+ AC_MSG_CHECKING(for XMLRPC CFLAGS)
+ XMLRPC_CFLAGS="`${XMLRPC_C_CONFIG} client --cflags` `${XMLRPC_C_CONFIG} --cflags`"
+ AC_MSG_RESULT([$XMLRPC_CFLAGS])
+ AC_SUBST(XMLRPC_CFLAGS)
+ AC_MSG_CHECKING(for XMLRPC LIBS)
+ XMLRPC_LIBS="`${XMLRPC_C_CONFIG} client --libs` `${XMLRPC_C_CONFIG} --libs`"
+ AC_MSG_RESULT([$XMLRPC_LIBS])
+ AC_SUBST(XMLRPC_LIBS)
+ CFLAGS="$CFLAGS $XMLRPC_CFLAGS"
+ AC_CHECK_MEMBERS(struct xmlrpc_curl_xportparms.gssapi_delegation,,,
+ [
+ #include <xmlrpc-c/client.h>
+ #include <xmlrpc-c/transport.h>
+ ])
+ CFLAGS="$savedCFLAGS"
+ ])
savedCFLAGS="$CFLAGS"
savedCPPFLAGS="$CPPFLAGS"
diff --git a/src/Makefile.am b/src/Makefile.am
index 5343dbc4..13bd87d9 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -11,15 +11,17 @@ LDFLAGS += -Wl,-z,relro,-z,now
endif
man_MANS = certmonger.8 getcert.1 getcert-request.1 getcert-list.1 \
getcert-list-cas.1 getcert-start-tracking.1 getcert-stop-tracking.1 \
- selfsign-getcert.1 ipa-getcert.1 certmaster-getcert.1 \
+ selfsign-getcert.1 ipa-getcert.1 \
getcert-resubmit.1 certmonger-ipa-submit.8 \
- certmonger-certmaster-submit.8 \
certmonger-dogtag-ipa-renew-agent-submit.8 certmonger.conf.5 \
getcert-refresh.1 getcert-refresh-ca.1 local-getcert.1 \
certmonger-local-submit.8 getcert-status.1 \
certmonger-dogtag-submit.8 certmonger-scep-submit.8 \
getcert-add-ca.1 getcert-add-scep-ca.1 getcert-modify-ca.1 \
getcert-remove-ca.1 getcert-rekey.1
+if WITH_XMLRPC
+man_MANS += certmaster-getcert.1 certmonger-certmaster-submit.8
+endif
pkgsysconfdir = $(sysconfdir)/$(PACKAGE)
pkgsysconf_DATA = certmonger.conf
EXTRA_PROGRAMS =
@@ -105,8 +107,6 @@ libcm_a_SOURCES = \
submit-sn.c \
submit-u.c \
submit-u.h \
- submit-x.c \
- submit-x.h \
subproc.c \
subproc.h \
tdbus.c \
@@ -121,6 +121,11 @@ libcm_a_SOURCES = \
util-m.h \
util-n.c \
util-n.h
+if WITH_XMLRPC
+libcm_a_SOURCES += \
+ submit-x.c \
+ submit-x.h
+endif
libcm_o_a_SOURCES =
if HAVE_OPENSSL
libcm_o_a_SOURCES += \
@@ -158,11 +163,13 @@ ipa_getcert_SOURCES = ipa-getcert.c tm.c tm.h
ipa_getcert_LDADD = $(getcert_LDADD)
endif
if WITH_IPA
+if WITH_XMLRPC
bin_PROGRAMS += certmaster-getcert
certmaster_getcert_CFLAGS = $(getcert_CFLAGS)
certmaster_getcert_SOURCES = certmaster-getcert.c tm.c tm.h
certmaster_getcert_LDADD = $(getcert_LDADD)
endif
+endif
bin_PROGRAMS += selfsign-getcert
selfsign_getcert_CFLAGS = $(getcert_CFLAGS)
selfsign_getcert_SOURCES = selfsign-getcert.c tm.c tm.h
@@ -181,21 +188,28 @@ certmonger_session_SOURCES = main.c env-session.c tm.c tm.h
certmonger_session_LDADD = libcm.a \
$(OPENSSL_LIBS) $(CERTMONGER_LIBS) $(KRB5_LIBS) $(IDN_LIBS) \
$(GMP_LIBS) $(UUID_LIBS) $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS)
-noinst_PROGRAMS = tdbusm-check serial-check nl-check submit-x toklist
+noinst_PROGRAMS = tdbusm-check serial-check nl-check toklist
+if WITH_XMLRPC
+noinst_PROGRAMS += submit-x
+endif
tdbusm_check_SOURCES = tdbusm-check.c tm.c tm.h
tdbusm_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(POPT_LIBS) $(LDAP_LIBS)
serial_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(LTLIBICONV) $(LDAP_LIBS)
nl_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(LDAP_LIBS)
+if WITH_XMLRPC
submit_x_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) -DCM_SUBMIT_X_MAIN
submit_x_SOURCES = submit-x.c submit-x.h submit-u.c submit-u.h log.c log.h \
tm.c tm.h
submit_x_LDADD = $(XMLRPC_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \
$(GMP_LIBS) $(UUID_LIBS) $(POPT_LIBS)
+endif
toklist_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS)
toklist_LDADD = $(NSS_LIBS) $(POPT_LIBS)
if WITH_CERTMASTER
+if WITH_XMLRPC
pkglibexec_PROGRAMS += certmaster-submit
endif
+endif
if WITH_IPA
pkglibexec_PROGRAMS += ipa-submit
endif
@@ -205,19 +219,22 @@ pkglibexec_PROGRAMS += local-submit
pkglibexec_PROGRAMS += scep-submit
endif
noinst_PROGRAMS += submit-h submit-d
-ipa_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS)
+ipa_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(CURL_CFLAGS) $(JANSSON_CFLAGS)
ipa_submit_SOURCES = ipa.c srvloc.c srvloc.h store.h store-gen.c \
- submit-x.c submit-x.h submit-u.c submit-u.h \
+ submit-h.c submit-h.h submit-u.c submit-u.h \
submit-e.h util.c util.h log.c log.h tm.c tm.h
ipa_submit_LDADD = $(XMLRPC_LIBS) $(LDAP_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \
$(GMP_LIBS) $(IDN_LIBS) $(OPENSSL_LIBS) $(UUID_LIBS) \
- $(RESOLV_LIBS) $(LTLIBICONV) $(POPT_LIBS)
+ $(RESOLV_LIBS) $(LTLIBICONV) $(POPT_LIBS) $(CURL_LIBS) \
+ $(JANSSON_LIBS)
+if WITH_XMLRPC
certmaster_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS)
certmaster_submit_SOURCES = certmaster.c submit-x.c submit-x.h \
submit-e.h submit-u.c submit-u.h util.c util.h log.c log.h \
tm.c tm.h
certmaster_submit_LDADD = $(XMLRPC_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \
$(GMP_LIBS) $(UUID_LIBS) $(LTLIBICONV) $(POPT_LIBS)
+endif
dogtag_ipa_renew_agent_submit_CFLAGS = $(AM_CFLAGS) $(XML_CFLAGS) \
$(NSS_CFLAGS) $(CURL_CFLAGS) \
-DDOGTAG_IPA_RENEW_AGENT=1
--
2.25.4

37
0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch
View File

@ -1,37 +0,0 @@
From b4c090d2e12956a2df6157592839936adf4024f4 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 12 Aug 2021 16:26:09 -0400
Subject: [PATCH] Fix file descriptor leak when executing CA helpers
cm_cadata_start_generic() creates a pipe. One half is passed
to fetch(), the function that does all helper calls,
via the cm_cadata_state variable ret. The other half is the
reader and is used to detect execution errors. There is a pair
of write/read on this descriptor which on error would be the
errno.
This second half wasn't being closed after reading to test for
errors.
https://bugzilla.redhat.com/show_bug.cgi?id=1992439
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/cadata.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/cadata.c b/src/cadata.c
index cb9c13e2..c2764d3b 100644
--- a/src/cadata.c
+++ b/src/cadata.c
@@ -773,6 +773,7 @@ cm_cadata_start_generic(struct cm_store_ca *ca, const char *op,
ca->cm_ca_external_helper, strerror(u));
/* return the state so the process can be reaped */
}
+ close(error_fd[0]);
return ret;
}
--
2.31.1

93
0006-Make-xmlrpc-optional-in-the-certmonger-spec-file-dis.patch
View File

@ -1,93 +0,0 @@
From aedf7f646f28d58c6bc422423401c1d0eb31ee75 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 20 Aug 2020 16:53:50 -0400
Subject: [PATCH 06/11] Make xmlrpc optional in the certmonger spec file,
disable certmaster
This disables certmaster support by default since it requires
xmlrpc
---
certmonger.spec | 22 +++++++++++++++++++++-
configure.ac | 1 +
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/certmonger.spec b/certmonger.spec
index e1f5536e..a8e1d2e8 100644
--- a/certmonger.spec
+++ b/certmonger.spec
@@ -24,6 +24,8 @@
%global sysvinitdir %{_initrddir}
%endif
+%bcond_with xmlrpc
+
Name: certmonger
Version: 0.79.11
Release: 1%{?dist}
@@ -37,6 +39,7 @@ Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
BuildRequires: openldap-devel
+BuildRequires: krb5-devel
BuildRequires: dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn2-devel
BuildRequires: autoconf, automake, gcc, gettext-devel
%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
@@ -50,7 +53,11 @@ BuildRequires: libcurl-devel
%else
BuildRequires: curl-devel
%endif
-BuildRequires: libxml2-devel, xmlrpc-c-devel
+BuildRequires: libxml2-devel
+%if %{with xmlrpc}
+BuildRequires: xmlrpc-c-devel
+%endif
+BuildRequires: jansson-devel
%if 0%{?rhel} && 0%{?rhel} < 6
BuildRequires: bind-libbind-devel
BuildRequires: mktemp
@@ -132,10 +139,17 @@ sed -i 's,^# chkconfig: - ,# chkconfig: 345 ,g' sysvinit/certmonger.in
--enable-tmpfiles \
%endif
--with-homedir=/run/certmonger \
+%if %{with xmlrpc}
+ --with-xmlrpc \
+%endif
--with-tmpdir=/run/certmonger --enable-pie --enable-now
+%if %{with xmlrpc}
# For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
# tell us about libxmlrpc_client, but we need more. Work around.
make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc"
+%else
+make %{?_smp_mflags}
+%endif
%install
rm -rf $RPM_BUILD_ROOT
@@ -154,6 +168,12 @@ rm -rf $RPM_BUILD_ROOT
if test $1 -eq 1 ; then
%{_bindir}/dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig 2>&1 || :
fi
+%if %{without xmlrpc}
+# remove any existing certmaster CA configuration
+if test $1 -gt 1 ; then
+ %{_bindir}/getcert remove-ca -c certmaster 2>&1 || :
+fi
+%endif
%if %{systemd}
if test $1 -eq 1 ; then
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
diff --git a/configure.ac b/configure.ac
index 14991244..f2964856 100644
--- a/configure.ac
+++ b/configure.ac
@@ -876,6 +876,7 @@ else
AM_CONDITIONAL(HAVE_EC,false)
AM_CONDITIONAL(WITH_IPA,false)
AM_CONDITIONAL(WITH_CERTMASTER,false)
+ AM_CONDITIONAL(WITH_XMLRPC,false)
AM_CONDITIONAL(WITH_LOCAL,false)
AM_CONDITIONAL(HAVE_UUID,false)
fi
--
2.25.4

155
0007-Add-Referer-header-option-to-the-submit-h-API.patch
View File

@ -1,155 +0,0 @@
From 4347ce74b0001c002cb449b8dd63819634e980ae Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 20 Aug 2020 16:55:36 -0400
Subject: [PATCH 07/11] Add Referer header option to the submit-h API
This will allow IPA API requests that require the Referer header
to be set.
---
src/dogtag.c | 2 +-
src/scep.c | 6 +++---
src/submit-d.c | 2 +-
src/submit-h.c | 20 +++++++++++++++-----
src/submit-h.h | 1 +
5 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/src/dogtag.c b/src/dogtag.c
index faf81f97..d36ac008 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -691,7 +691,7 @@ main(int argc, const char **argv)
/* Submit the form(s). */
hctx = NULL;
while (url != NULL) {
- hctx = cm_submit_h_init(ctx, method, url, params, NULL, NULL,
+ hctx = cm_submit_h_init(ctx, method, url, params, NULL, NULL, NULL,
cainfo, capath, sslcert, sslkey, sslpin,
cm_submit_h_negotiate_off,
cm_submit_h_delegate_off,
diff --git a/src/scep.c b/src/scep.c
index c74ca574..e384e8da 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -496,7 +496,7 @@ main(int argc, const char **argv)
}
/* Submit the first request. */
- hctx = cm_submit_h_init(ctx, "GET", url, params, NULL, NULL,
+ hctx = cm_submit_h_init(ctx, "GET", url, params, NULL, NULL, NULL,
cainfo, NULL, NULL, NULL, NULL,
cm_submit_h_negotiate_off,
cm_submit_h_delegate_off,
@@ -593,7 +593,7 @@ main(int argc, const char **argv)
}
/* Submit a second HTTP request if we have one to make. */
if (params2 != NULL) {
- hctx = cm_submit_h_init(ctx, "GET", url, params2, NULL, NULL,
+ hctx = cm_submit_h_init(ctx, "GET", url, params2, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL,
cm_submit_h_negotiate_off,
cm_submit_h_delegate_off,
@@ -794,7 +794,7 @@ main(int argc, const char **argv)
OP_GET_CA_CERT
"&message=%d", i++);
hctx = cm_submit_h_init(ctx, "GET", url, params,
- NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL,
cm_submit_h_negotiate_off,
cm_submit_h_delegate_off,
diff --git a/src/submit-d.c b/src/submit-d.c
index 3adaa4a6..f1877c34 100644
--- a/src/submit-d.c
+++ b/src/submit-d.c
@@ -1188,7 +1188,7 @@ restart:
fprintf(stderr, "url = \"%s%s%s\"\n", uri,
params ? "?" : "", params ? params : "");
}
- hctx = cm_submit_h_init(ctx, method, uri, params, NULL, NULL,
+ hctx = cm_submit_h_init(ctx, method, uri, params, NULL, NULL, NULL,
cainfo, capath, sslcert, sslkey, sslpin,
cm_submit_h_negotiate_off,
cm_submit_h_delegate_off,
diff --git a/src/submit-h.c b/src/submit-h.c
index 9b507dbe..c04909b1 100644
--- a/src/submit-h.c
+++ b/src/submit-h.c
@@ -51,7 +51,7 @@
struct cm_submit_h_context {
int ret;
long response_code;
- char *method, *uri, *args, *accept, *ctype, *cainfo, *capath, *result;
+ char *method, *uri, *args, *accept, *ctype, *referer, *cainfo, *capath, *result;
int result_length;
char *sslcert, *sslkey, *sslpass;
enum cm_submit_h_opt_negotiate negotiate;
@@ -66,7 +66,7 @@ struct cm_submit_h_context *
cm_submit_h_init(void *parent,
const char *method, const char *uri, const char *args,
const char *content_type, const char *accept,
- const char *cainfo, const char *capath,
+ const char *referer, const char *cainfo, const char *capath,
const char *sslcert, const char *sslkey, const char *sslpass,
enum cm_submit_h_opt_negotiate neg,
enum cm_submit_h_opt_delegate del,
@@ -84,6 +84,7 @@ cm_submit_h_init(void *parent,
ctx->ctype = content_type ?
talloc_strdup(ctx, content_type) :
NULL;
+ ctx->referer = referer ? talloc_strdup(ctx, referer) : NULL;
ctx->accept = accept ? talloc_strdup(ctx, accept) : NULL;
ctx->cainfo = cainfo ? talloc_strdup(ctx, cainfo) : NULL;
ctx->capath = capath ? talloc_strdup(ctx, capath) : NULL;
@@ -180,10 +181,11 @@ cm_submit_h_run(struct cm_submit_h_context *ctx)
}
}
if (ctx->negotiate == cm_submit_h_negotiate_on) {
-#if defined(CURLOPT_HTTPAUTH) && defined(CURLAUTH_GSSNEGOTIATE)
+#if defined(CURLAUTH_NEGOTIATE)
curl_easy_setopt(ctx->curl,
CURLOPT_HTTPAUTH,
- CURLAUTH_GSSNEGOTIATE);
+ CURLAUTH_NEGOTIATE);
+ curl_easy_setopt(ctx->curl, CURLOPT_USERPWD, ":");
#else
cm_log(-1,
"warning: libcurl doesn't appear to support "
@@ -243,6 +245,14 @@ cm_submit_h_run(struct cm_submit_h_context *ctx)
header);
}
}
+ if (ctx->referer != NULL) {
+ header = talloc_asprintf(ctx, "Referer: %s",
+ ctx->referer);
+ if (header != NULL) {
+ headers = curl_slist_append(headers,
+ header);
+ }
+ }
curl_easy_setopt(ctx->curl, CURLOPT_HTTPHEADER, headers);
curl_easy_setopt(ctx->curl, CURLOPT_WRITEFUNCTION,
append_result);
@@ -415,7 +425,7 @@ main(int argc, const char **argv)
}
ctx = cm_submit_h_init(NULL, method, url, poptGetArg(pctx),
- ctype, accept,
+ ctype, accept, NULL,
cainfo, capath, sslcert, sslkey, sslpass,
negotiate, negotiate_delegate,
clientauth, cm_submit_h_env_modify_on,
diff --git a/src/submit-h.h b/src/submit-h.h
index 931cc890..b33544af 100644
--- a/src/submit-h.h
+++ b/src/submit-h.h
@@ -45,6 +45,7 @@ struct cm_submit_h_context *cm_submit_h_init(void *parent,
const char *args,
const char *content_type,
const char *accept,
+ const char *referer,
const char *cainfo,
const char *capath,
const char *sslcert,
--
2.25.4

80
0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch
View File

@ -1,80 +0,0 @@
From 46cd5a7d9434ed104093152bdf0a55404e6a1c6b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 5 Oct 2021 11:04:10 -0400
Subject: [PATCH] Update csrgen test to understand OpenSSL 3.0.0 output
OpenSSL 3.0.0 change a lot of output messages. When verifying
a certificate instead of printing just "verify OK" it prints
"Certificate request self-signature verify OK"
Modify the check to match both OpenSSL 1.x and 3.x
Related: https://pagure.io/certmonger/issue/223
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
tests/003-csrgen-ec/run.sh | 4 ++--
tests/003-csrgen-rsa/run.sh | 4 ++--
tests/003-csrgen/run.sh | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh
index 91117ec8..7c0505f8 100755
--- a/tests/003-csrgen-ec/run.sh
+++ b/tests/003-csrgen-ec/run.sh
@@ -42,8 +42,8 @@ grep ^minicert= entry.nss.$size | sed s,^minicert=,, | base64 -d > minicert.nss.
openssl x509 -out minicert.nss.$size.pem -in minicert.nss.$size -inform der
# The RSA tests already verify the contents of the requests, so we really only
# need to care about the signatures passing verification.
-openssl req -verify -noout < csr.nss.$size 2>&1
-openssl req -verify -noout < csr.openssl.$size 2>&1
+openssl req -verify -noout -noenc < csr.nss.$size 2>&1 | sed 's/Certificate request self-signature //'
+openssl req -verify -noout -noenc < csr.openssl.$size 2>&1 | sed 's/Certificate request self-signature //'
openssl spkac -verify -noout < spkac.nss.$size 2>&1
openssl spkac -verify -noout < spkac.openssl.$size 2>&1
openssl verify -CAfile minicert.openssl.$size.pem minicert.openssl.$size.pem 2>&1
diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
index bb8ebecb..4f0c0ef0 100755
--- a/tests/003-csrgen-rsa/run.sh
+++ b/tests/003-csrgen-rsa/run.sh
@@ -118,14 +118,14 @@ iterate() {
echo key_pubkey=616263 >> entry.openssl.$size
$toolsdir/csrgen entry.nss.$size > csr.nss.$size
# Both should verify.
- if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout 2>&1`" != "verify OK" ; then
+ if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
echo Signature failed for OpenSSL:
cat csr.openssl.$size
echo Private key:
awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/{print}{;}' $tmpdir/key.$size
exit 1
fi
- if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout 2>&1`" != "verify OK" ; then
+ if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
echo Signature failed for NSS:
cat csr.nss.$size
echo Private key:
diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
index d3dfbaf0..093beabf 100755
--- a/tests/003-csrgen/run.sh
+++ b/tests/003-csrgen/run.sh
@@ -170,14 +170,14 @@ iterate() {
echo key_pubkey=616263 >> entry.openssl.$size
$toolsdir/csrgen entry.nss.$size > csr.nss.$size
# Both should verify.
- if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout 2>&1`" != "verify OK" ; then
+ if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
echo Signature failed for OpenSSL:
cat csr.openssl.$size
echo Private key:
awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/{print}{;}' $tmpdir/key.$size
exit 1
fi
- if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout 2>&1`" != "verify OK" ; then
+ if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
echo Signature failed for NSS:
cat csr.nss.$size
echo Private key:
--
2.31.1

838
0008-Switch-IPA-calls-to-use-the-JSON-RPC-endpoint-instea.patch
View File

@ -1,838 +0,0 @@
From fdc2851233f532eb78363784712c597c63e1c4c1 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 20 Aug 2020 16:57:38 -0400
Subject: [PATCH 08/11] Switch IPA calls to use the JSON-RPC endpoint instead
of XMLRPC
IPA has provided a JSON-RPC interface for many years now and has
long term plans to drop support for XMLRPC.
---
src/ipa.c | 546 ++++++++++++++++++++++++++++++++++++++--------
src/store-files.c | 2 +
2 files changed, 463 insertions(+), 85 deletions(-)
diff --git a/src/ipa.c b/src/ipa.c
index e4295826..8c089e68 100644
--- a/src/ipa.c
+++ b/src/ipa.c
@@ -33,8 +33,7 @@
#include <talloc.h>
-#include <xmlrpc-c/client.h>
-#include <xmlrpc-c/transport.h>
+#include <jansson.h>
#include <ldap.h>
#include <krb5.h>
@@ -46,7 +45,7 @@
#include "store.h"
#include "submit-e.h"
#include "submit-u.h"
-#include "submit-x.h"
+#include "submit-h.h"
#include "util.h"
#ifdef ENABLE_NLS
@@ -56,6 +55,229 @@
#define _(_text) (_text)
#endif
+static char *
+get_error_message(krb5_context ctx, krb5_error_code kcode)
+{
+ const char *ret;
+#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
+ ret = ctx ? krb5_get_error_message(ctx, kcode) : NULL;
+ if (ret == NULL) {
+ ret = error_message(kcode);
+ }
+#else
+ ret = error_message(kcode);
+#endif
+ return strdup(ret);
+}
+
+char *
+cm_submit_ccache_realm(char **msg)
+{
+ krb5_context ctx;
+ krb5_ccache ccache;
+ krb5_principal princ;
+ krb5_error_code kret;
+ krb5_data *data;
+ char *ret;
+
+ if (msg != NULL) {
+ *msg = NULL;
+ }
+
+ kret = krb5_init_context(&ctx);
+ if (kret != 0) {
+ fprintf(stderr, "Error initializing Kerberos: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return NULL;
+ }
+ kret = krb5_cc_default(ctx, &ccache);
+ if (kret != 0) {
+ fprintf(stderr, "Error resolving default ccache: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return NULL;
+ }
+ kret = krb5_cc_get_principal(ctx, ccache, &princ);
+ if (kret != 0) {
+ fprintf(stderr, "Error reading default principal: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return NULL;
+ }
+ data = krb5_princ_realm(ctx, princ);
+ if (data == NULL) {
+ fprintf(stderr, "Error retrieving principal realm.\n");
+ if (msg != NULL) {
+ *msg = "Error retrieving principal realm.\n";
+ }
+ return NULL;
+ }
+ ret = malloc(data->length + 1);
+ if (ret == NULL) {
+ fprintf(stderr, "Out of memory for principal realm.\n");
+ if (msg != NULL) {
+ *msg = "Out of memory for principal realm.\n";
+ }
+ return NULL;
+ }
+ memcpy(ret, data->data, data->length);
+ ret[data->length] = '\0';
+ return ret;
+}
+
+krb5_error_code
+cm_submit_make_ccache(const char *ktname, const char *principal, char **msg)
+{
+ krb5_context ctx;
+ krb5_keytab keytab;
+ krb5_ccache ccache;
+ krb5_creds creds;
+ krb5_principal princ;
+ krb5_error_code kret;
+ krb5_get_init_creds_opt gicopts, *gicoptsp;
+ char *ret;
+
+ if (msg != NULL) {
+ *msg = NULL;
+ }
+
+ kret = krb5_init_context(&ctx);
+ if (kret != 0) {
+ ret = get_error_message(ctx, kret);
+ fprintf(stderr, "Error initializing Kerberos: %s.\n", ret);
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ if (ktname != NULL) {
+ kret = krb5_kt_resolve(ctx, ktname, &keytab);
+ } else {
+ kret = krb5_kt_default(ctx, &keytab);
+ }
+ if (kret != 0) {
+ fprintf(stderr, "Error resolving keytab: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ princ = NULL;
+ if (principal != NULL) {
+ kret = krb5_parse_name(ctx, principal, &princ);
+ if (kret != 0) {
+ fprintf(stderr, "Error parsing \"%s\": %s.\n",
+ principal, ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ } else {
+ kret = krb5_sname_to_principal(ctx, NULL, NULL,
+ KRB5_NT_SRV_HST, &princ);
+ if (kret != 0) {
+ fprintf(stderr, "Error building client name: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ }
+ memset(&creds, 0, sizeof(creds));
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
+ memset(&gicopts, 0, sizeof(gicopts));
+ gicoptsp = NULL;
+ kret = krb5_get_init_creds_opt_alloc(ctx, &gicoptsp);
+ if (kret != 0) {
+ fprintf(stderr, "Internal error: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+#else
+ krb5_get_init_creds_opt_init(&gicopts);
+ gicoptsp = &gicopts;
+#endif
+ krb5_get_init_creds_opt_set_forwardable(gicoptsp, 1);
+ kret = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab,
+ 0, NULL, gicoptsp);
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
+ krb5_get_init_creds_opt_free(ctx, gicoptsp);
+#endif
+ if (kret != 0) {
+ fprintf(stderr, "Error obtaining initial credentials: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ ccache = NULL;
+ kret = krb5_cc_resolve(ctx, "MEMORY:" PACKAGE_NAME "_submit",
+ &ccache);
+ if (kret == 0) {
+ kret = krb5_cc_initialize(ctx, ccache, creds.client);
+ }
+ if (kret != 0) {
+ fprintf(stderr, "Error initializing credential cache: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ kret = krb5_cc_store_cred(ctx, ccache, &creds);
+ if (kret != 0) {
+ fprintf(stderr,
+ "Error storing creds in credential cache: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ krb5_cc_close(ctx, ccache);
+ krb5_kt_close(ctx, keytab);
+ krb5_free_principal(ctx, princ);
+ krb5_free_context(ctx);
+ putenv("KRB5CCNAME=MEMORY:" PACKAGE_NAME "_submit");
+ return 0;
+}
+
static int
interact(LDAP *ld, unsigned flags, void *defaults, void *sasl_interact)
{
@@ -200,7 +422,7 @@ cm_find_default_naming_context(LDAP *ld, char **basedn)
}
static int
-cm_locate_xmlrpc_service(const char *server,
+cm_locate_jsonrpc_service(const char *server,
int ldap_uri_cmd, const char *ldap_uri,
const char *host,
const char *domain,
@@ -213,10 +435,13 @@ cm_locate_xmlrpc_service(const char *server,
LDAPDN rdn;
struct berval *lbv;
char *lattrs[2] = {"cn", NULL};
- const char *relativedn = "cn=masters,cn=ipa,cn=etc", *dn;
+ const char *relativedn = "cn=masters,cn=ipa,cn=etc";
+ char *dn;
char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", **list;
int i, j, rc, n;
unsigned int flags;
+ int rval = 0;
+ int alloc_basedn = 0;
*uris = NULL;
@@ -231,14 +456,16 @@ cm_locate_xmlrpc_service(const char *server,
if (basedn == NULL) {
i = cm_find_default_naming_context(ld, &basedn);
if (i != 0) {
- free(basedn);
- return i;
+ rval = i;
+ goto done;
}
+ alloc_basedn = 1;
}
if (basedn == NULL) {
printf(_("Unable to determine base DN of "
"domain information on IPA server.\n"));
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto done;
}
/* Now look up the names of the master CAs. */
snprintf(lfilter, sizeof(lfilter),
@@ -248,26 +475,31 @@ cm_locate_xmlrpc_service(const char *server,
"(ipaConfigString=enabledService)"
")", service);
snprintf(ldn, sizeof(ldn), "%s,%s", relativedn, basedn);
- free(basedn);
+ if (alloc_basedn) {
+ free(basedn);
+ }
rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
lfilter, lattrs, 0, NULL, NULL, NULL,
LDAP_NO_LIMIT, &lresult);
if (rc != LDAP_SUCCESS) {
fprintf(stderr, "Error searching '%s': %s.\n",
ldn, ldap_err2string(rc));
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto done;
}
/* Read their parents' for "cn" values. */
n = ldap_count_entries(ld, lresult);
if (n == 0) {
fprintf(stderr, "No CA masters found.\n");
ldap_msgfree(lresult);
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto done;
}
list = talloc_array_ptrtype(NULL, list, n + 2);
if (list == NULL) {
fprintf(stderr, "Out of memory.\n");
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto done;
}
i = 0;
for (lmsg = ldap_first_entry(ld, lresult);
@@ -314,7 +546,7 @@ cm_locate_xmlrpc_service(const char *server,
switch (flags & 0x0f) {
case LDAP_AVA_STRING:
list[i] = talloc_asprintf(list,
- "https://%.*s/ipa/xml",
+ "https://%.*s/ipa/json",
(int) lbv->bv_len,
lbv->bv_val);
if (list[i] != NULL) {
@@ -328,15 +560,67 @@ cm_locate_xmlrpc_service(const char *server,
ldap_dnfree(rdn);
}
}
+ ldap_memfree(dn);
}
ldap_msgfree(lresult);
if (i == 0) {
free(list);
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto done;
}
list[i] = NULL;
*uris = list;
- return CM_SUBMIT_STATUS_ISSUED;
+ rval = CM_SUBMIT_STATUS_ISSUED;
+
+done:
+ if (ld) {
+ ldap_unbind_ext(ld, NULL, NULL);
+ }
+
+ return rval;
+}
+
+/*
+ * Parse the JSON response from the IPA server.
+ *
+ * It will return one of three types of values:
+ *
+ * < 0 is failure to parse JSON output
+ * 0 is success, no errors were found
+ * > 0 is the IPA API error code
+ */
+static int
+parse_json_result(const char *result, char **error_message) {
+ json_error_t j_error;
+
+ json_t *j_root = NULL;
+ json_t *j_error_obj = NULL;
+
+ int error_code = 0;
+
+ j_root = json_loads(result, 0, &j_error);
+ if (!j_root) {
+ cm_log(0, "Parsing JSON-RPC response failed: %s\n", j_error.text);
+ return -1;
+ }
+
+ j_error_obj = json_object_get(j_root, "error");
+ if (!j_error_obj || json_is_null(j_error_obj)) {
+ json_decref(j_root);
+ return 0; // no errors
+ }
+
+ if (json_unpack_ex(j_error_obj, &j_error, 0, "{s:i, s:s}",
+ "code", &error_code,
+ "message", error_message) != 0) {
+ cm_log(0, "Failed extracting error from JSON-RPC response: %s\n", j_error.text);
+ json_decref(j_root);
+ return -1;
+ }
+
+ cm_log(0, "JSON-RPC error: %d: %s\n", error_code, *error_message);
+ json_decref(j_root);
+ return error_code;
}
/* Make an XML-RPC request to the "cert_request" method. */
@@ -344,63 +628,98 @@ static int
submit_or_poll_uri(const char *uri, const char *cainfo, const char *capath,
const char *uid, const char *pwd, const char *csr,
const char *reqprinc, const char *profile,
- const char *issuer)
+ const char *issuer, int verbose)
{
- struct cm_submit_x_context *ctx;
- const char *args[2];
+ void *ctx;
+ struct cm_submit_h_context *hctx;
char *s, *p;
int i;
+ json_t *json_req = NULL;
+ json_error_t j_error;
+ const char *results = NULL;
+ char *json_str = NULL;
+ char *error_message = NULL;
+ char *referer = NULL;
+ int rval = 0;
+ json_t *j_root = NULL;
+ json_t *j_result_outer = NULL;
+ json_t *j_result = NULL;
+ json_t *j_cert = NULL;
+ const char *certificate = NULL;
if ((uri == NULL) || (strlen(uri) == 0)) {
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
- /* Prepare to make an XML-RPC request. */
+ ctx = talloc_new(NULL);
+
+ referer = talloc_asprintf(ctx, "%s", uri);
+
+ /* Prepare to make a JSON-RPC request. */
submit:
- if ((uid != NULL) && (pwd != NULL) &&
- (strlen(uid) > 0) && (strlen(pwd) > 0)) {
- ctx = cm_submit_x_init(NULL, uri, "cert_request",
- cainfo, capath, uid, pwd,
- cm_submit_x_negotiate_off,
- cm_submit_x_delegate_off);;
- } else {
- ctx = cm_submit_x_init(NULL, uri, "cert_request",
- cainfo, capath, NULL, NULL,
- cm_submit_x_negotiate_on,
- cm_submit_x_delegate_on);
+ json_req = json_pack_ex(&j_error, 0,
+ "{s:s, s:[[s], {s:s, s:s*, s:s*, s:b}]}",
+ "method", "cert_request",
+ "params",
+ csr,
+ "principal", reqprinc,
+ "profile_id", profile,
+ "cacn", issuer,
+ "add", 1);
+ if (!json_req) {
+ cm_log(0, "json_pack_ex() failed: %s\n", j_error.text);
+ return CM_SUBMIT_STATUS_UNCONFIGURED;
}
- if (ctx == NULL) {
- fprintf(stderr, "Error setting up for XMLRPC to %s on "
- "the client.\n", uri);
- printf(_("Error setting up for XMLRPC on the client.\n"));
+ json_str = json_dumps(json_req, 0);
+ json_decref(json_req);
+ if (!json_str) {
+ cm_log(0, "json_dumps() failed\n");
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
- /* Add the CSR contents as the sole unnamed argument. */
- args[0] = csr;
- args[1] = NULL;
- cm_submit_x_add_arg_as(ctx, args);
- /* Add the principal name named argument. */
- cm_submit_x_add_named_arg_s(ctx, "principal", reqprinc);
- /* Add the requested profile name named argument. */
- if (profile != NULL) {
- cm_submit_x_add_named_arg_s(ctx, "profile_id", profile);
- }
- /* Add the requested CA issuer named argument. */
- if (issuer != NULL) {
- cm_submit_x_add_named_arg_s(ctx, "cacn", issuer);
+ hctx = cm_submit_h_init(ctx, "POST", uri, json_str,
+ "application/json", "application/json",
+ referer, cainfo, capath,
+ NULL, NULL, NULL,
+ cm_submit_h_negotiate_on,
+ cm_submit_h_delegate_off,
+ cm_submit_h_clientauth_off,
+ cm_submit_h_env_modify_off,
+ verbose > 1 ?
+ cm_submit_h_curl_verbose_on :
+ cm_submit_h_curl_verbose_off);
+ free(json_str);
+
+ if (hctx == NULL) {
+ fprintf(stderr, "Error setting up JSON-RPC to %s on "
+ "the client.\n", uri);
+ printf(_("Error setting up for JSON-RPC on the client.\n"));
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto cleanup;
}
- /* Tell the server to add entries for a principal if one
- * doesn't exist yet. */
- cm_submit_x_add_named_arg_b(ctx, "add", 1);
/* Submit the request. */
fprintf(stderr, "Submitting request to \"%s\".\n", uri);
- cm_submit_x_run(ctx);
+ cm_submit_h_run(hctx);
/* Check the results. */
- if (cm_submit_x_faulted(ctx) == 0) {
- i = cm_submit_x_fault_code(ctx);
+
+ results = cm_submit_h_results(hctx, NULL);
+ cm_log(1, "%s\n", results);
+ if (cm_submit_h_response_code(hctx) != 200) {
+ cm_log(0, "JSON-RPC call failed with HTTP status code: %d\n",
+ cm_submit_h_response_code(hctx));
+ cm_log(0, "code = %d, code_text = \"%s\"\n",
+ cm_submit_h_result_code(hctx), cm_submit_h_result_code_text(hctx));
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
+ }
+ i = parse_json_result(results, &error_message);
+ if (i < 0) {
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
+ }
+ if (i > 0) {
/* Interpret the error. See errors.py to get the
* classifications. */
switch (i / 1000) {
@@ -424,8 +743,9 @@ submit:
}
printf("Server at %s denied our request, "
"giving up: %d (%s).\n", uri, i,
- cm_submit_x_fault_text(ctx));
- return CM_SUBMIT_STATUS_REJECTED;
+ error_message);
+ rval = CM_SUBMIT_STATUS_REJECTED;
+ goto cleanup;
break;
case 1: /* authentication error - transient? */
case 4: /* execution error - transient? */
@@ -433,22 +753,51 @@ submit:
default:
printf("Server at %s failed request, "
"will retry: %d (%s).\n", uri, i,
- cm_submit_x_fault_text(ctx));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ error_message);
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
break;
}
- } else
- if (cm_submit_x_has_results(ctx) == 0) {
- if (cm_submit_x_get_named_s(ctx, "certificate",
- &s) == 0) {
+ } else {
+ j_root = json_loads(results, 0, &j_error);
+ if (!j_root) {
+ cm_log(0, "Parsing JSON-RPC response failed: %s\n", j_error.text);
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
+ }
+
+ j_result_outer = json_object_get(j_root, "result");
+ if (!j_result_outer) {
+ cm_log(0, "Parsing JSON-RPC response failed, no outer result\n");
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
+ }
+
+ j_result = json_object_get(j_result_outer, "result");
+ if (!j_result) {
+ cm_log(0, "Parsing JSON-RPC response failed, no inner result\n");
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
+ }
+
+ j_cert = json_object_get(j_result, "certificate");
+ if (!j_cert) {
+ cm_log(0, "Parsing JSON-RPC response failed, no certificate\n");
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
+ }
+ certificate = json_string_value(j_cert);
+
+ if (certificate) {
/* If we got a certificate, we're probably
* okay. */
- fprintf(stderr, "Certificate: \"%s\"\n", s);
- s = cm_submit_u_base64_from_text(s);
+ fprintf(stderr, "Certificate: \"%s\"\n", certificate);
+ s = cm_submit_u_base64_from_text(certificate);
if (s == NULL) {
printf("Out of memory parsing server "
"response, will retry.\n");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
}
p = cm_submit_u_pem_from_base64("CERTIFICATE",
FALSE, s);
@@ -457,15 +806,19 @@ submit:
}
free(s);
free(p);
- return CM_SUBMIT_STATUS_ISSUED;
+ rval = CM_SUBMIT_STATUS_ISSUED;
+ goto cleanup;
} else {
- return CM_SUBMIT_STATUS_REJECTED;
+ rval = CM_SUBMIT_STATUS_REJECTED;
}
- } else {
- /* No useful response, no fault. Try again, from
- * scratch, later. */
- return CM_SUBMIT_STATUS_UNREACHABLE;
}
+
+cleanup:
+ json_decref(j_root);
+ cm_submit_h_cleanup(hctx);
+ talloc_free(ctx);
+
+ return rval;
}
static int
@@ -473,16 +826,17 @@ submit_or_poll(const char *uri, const char *cainfo, const char *capath,
const char *server, int ldap_uri_cmd, const char *ldap_uri,
const char *host, const char *domain, char *basedn,
const char *uid, const char *pwd, const char *csr,
- const char *reqprinc, const char *profile, const char *issuer)
+ const char *reqprinc, const char *profile, const char *issuer,
+ int verbose)
{
int i, u;
char **uris;
i = submit_or_poll_uri(uri, cainfo, capath, uid, pwd, csr, reqprinc,
- profile, issuer);
+ profile, issuer, verbose);
if ((i == CM_SUBMIT_STATUS_UNREACHABLE) ||
(i == CM_SUBMIT_STATUS_UNCONFIGURED)) {
- u = cm_locate_xmlrpc_service(server, ldap_uri_cmd, ldap_uri,
+ u = cm_locate_jsonrpc_service(server, ldap_uri_cmd, ldap_uri,
host, domain, basedn, "CA", &uris);
if ((u == 0) && (uris != NULL)) {
for (u = 0; uris[u] != NULL; u++) {
@@ -491,7 +845,7 @@ submit_or_poll(const char *uri, const char *cainfo, const char *capath,
}
i = submit_or_poll_uri(uris[u], cainfo, capath,
uid, pwd, csr, reqprinc,
- profile, issuer);
+ profile, issuer, verbose);
if ((i != CM_SUBMIT_STATUS_UNREACHABLE) &&
(i != CM_SUBMIT_STATUS_UNCONFIGURED)) {
talloc_free(uris);
@@ -562,7 +916,7 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
return CM_SUBMIT_STATUS_ISSUED;
}
/* Read our realm name from our ccache. */
- realm = cm_submit_x_ccache_realm(&kerr);
+ realm = cm_submit_ccache_realm(&kerr);
/* Read all of the certificates. */
for (lmsg = ldap_first_entry(ld, lresult);
lmsg != NULL;
@@ -588,6 +942,9 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
ldap_msgfree(lresult);
free(realm);
free(kerr);
+ if (ld) {
+ ldap_unbind_ext(ld, NULL, NULL);
+ }
return CM_SUBMIT_STATUS_ISSUED;
}
@@ -600,7 +957,8 @@ main(int argc, const char **argv)
char *csr, *p, uri[LINE_MAX], *reqprinc = NULL, *ipaconfig, *kerr;
char *uid = NULL, *pwd = NULL, *pwdfile = NULL;
const char *xmlrpc_uri = NULL, *ldap_uri = NULL, *server = NULL, *csrfile;
- int xmlrpc_uri_cmd = 0, ldap_uri_cmd = 0, verbose = 0;
+ const char *jsonrpc_uri = NULL;
+ int jsonrpc_uri_cmd = 0, ldap_uri_cmd = 0, verbose = 0;
const char *mode = CM_OP_SUBMIT;
char ldn[LINE_MAX], *basedn = NULL, *profile = NULL, *issuer = NULL;
krb5_error_code kret;
@@ -609,6 +967,7 @@ main(int argc, const char **argv)
{"host", 'h', POPT_ARG_STRING, &host, 0, "IPA server hostname", "HOSTNAME"},
{"domain", 'd', POPT_ARG_STRING, &domain, 0, "IPA domain name", "NAME"},
{"xmlrpc-url", 'H', POPT_ARG_STRING, NULL, 'H', "IPA XMLRPC service location", "URL"},
+ {"jsonrpc-url", 'J', POPT_ARG_STRING, NULL, 'J', "IPA JSON-RPC service location", "URL"},
{"ldap-url", 'L', POPT_ARG_STRING, NULL, 'L', "IPA LDAP service location", "URL"},
{"capath", 'C', POPT_ARG_STRING, &capath, 0, NULL, "DIRECTORY"},
{"cafile", 'c', POPT_ARG_STRING, &cainfo, 0, NULL, "FILENAME"},
@@ -659,9 +1018,10 @@ main(int argc, const char **argv)
poptSetOtherOptionHelp(pctx, "[options] [csrfile]");
while ((c = poptGetNextOpt(pctx)) > 0) {
switch (c) {
- case 'H':
- xmlrpc_uri = poptGetOptArg(pctx);
- xmlrpc_uri_cmd++;
+ case 'H': /* XMLRPC URI kept for backwards compatibility */
+ case 'J':
+ jsonrpc_uri = poptGetOptArg(pctx);
+ jsonrpc_uri_cmd++;
break;
case 'L':
ldap_uri = poptGetOptArg(pctx);
@@ -724,6 +1084,11 @@ main(int argc, const char **argv)
"global",
"xmlrpc_uri");
}
+ if (jsonrpc_uri == NULL) {
+ jsonrpc_uri = get_config_entry(ipaconfig,
+ "global",
+ "jsonrpc_uri");
+ }
if (ldap_uri == NULL) {
/* Preferred, but likely to only be set on a
* server. */
@@ -756,6 +1121,7 @@ main(int argc, const char **argv)
}
}
}
+ free(ipaconfig);
csr = NULL;
memset(uri, '\0', sizeof(uri));
memset(ldn, '\0', sizeof(ldn));
@@ -787,16 +1153,25 @@ main(int argc, const char **argv)
(getenv(CM_SUBMIT_ISSUER_ENV) != NULL)) {
issuer = strdup(getenv(CM_SUBMIT_ISSUER_ENV));
}
- if ((server != NULL) && !xmlrpc_uri_cmd) {
+ if ((server != NULL) && !jsonrpc_uri_cmd) {
snprintf(uri, sizeof(uri),
- "https://%s/ipa/xml", server);
+ "https://%s/ipa/json", server);
+ } else
+ if (jsonrpc_uri != NULL) {
+ snprintf(uri, sizeof(uri), "%s", jsonrpc_uri);
} else
if (xmlrpc_uri != NULL) {
- snprintf(uri, sizeof(uri), "%s", xmlrpc_uri);
+ /* strip off the trailing xml and replace with json */
+ if ((strlen(xmlrpc_uri) + 1) > sizeof(uri)) {
+ printf(_("xmlrpc_uri is longer than %ld.\n"), sizeof(uri) - 2);
+ return CM_SUBMIT_STATUS_UNCONFIGURED;
+ }
+ snprintf(uri, strlen(xmlrpc_uri) - 2, "%s", xmlrpc_uri);
+ strcat(uri, "json");
} else
if (host != NULL) {
snprintf(uri, sizeof(uri),
- "https://%s/ipa/xml", host);
+ "https://%s/ipa/json", host);
}
/* Read the CSR from the environment, or from the file named on
@@ -891,7 +1266,7 @@ main(int argc, const char **argv)
/* Setup a ccache unless we're told to use the default one. */
kerr = NULL;
if (make_keytab_ccache &&
- ((kret = cm_submit_x_make_ccache(ktname, kpname, &kerr)) != 0)) {
+ ((kret = cm_submit_make_ccache(ktname, kpname, &kerr)) != 0)) {
fprintf(stderr, "Error setting up ccache at the client: %s.\n",
kerr);
if (ktname == NULL) {
@@ -939,11 +1314,12 @@ main(int argc, const char **argv)
ret = submit_or_poll(uri, cainfo, capath, server,
ldap_uri_cmd, ldap_uri, host, domain,
basedn, uid, pwd, csr, reqprinc, profile,
- issuer);
+ issuer, verbose);
free(csr);
free(profile);
free(issuer);
free(reqprinc);
+ free(basedn);
return ret;
} else
if (strcasecmp(mode, CM_OP_FETCH_ROOTS) == 0) {
diff --git a/src/store-files.c b/src/store-files.c
index 4c3b2232..85ac692e 100644
--- a/src/store-files.c
+++ b/src/store-files.c
@@ -2650,6 +2650,7 @@ cm_store_get_all_cas(void *parent)
j++;
}
#endif
+#ifdef WITH_XMLRPC
#ifdef WITH_CERTMASTER
/* Make sure we get at least one certmaster entry. */
for (k = 0; k < j; k++) {
@@ -2670,6 +2671,7 @@ cm_store_get_all_cas(void *parent)
j++;
}
#endif
+#endif
#ifdef WITH_IPA
/* Make sure we get at least 1 dogtag-ipa-renew-agent entry. */
for (k = 0; k < j; k++) {
--
2.25.4

280
0008-Use-implicit-empty-FALSE-for-extensions.patch
View File

@ -1,280 +0,0 @@
From e3e4679693efc60bc7a25983909ddfa6883ab2ec Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 4 Oct 2021 18:52:53 +0200
Subject: [PATCH] Use implicit, empty FALSE for extensions
Cemplate had a bug that caused certmonger to create CSRs with invalid DER.
It was encoding extension's critical element even for default value FALSE.
Fixes: https://pagure.io/certmonger/issue/223
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
src/certext.c | 7 +-
tests/003-csrgen-rsa/expected.out | 82 ++++++++++------------
tests/003-csrgen/expected.out | 110 +++++++++++++-----------------
3 files changed, 91 insertions(+), 108 deletions(-)
diff --git a/src/certext.c b/src/certext.c
index 0d66971e..e5e0b4dc 100644
--- a/src/certext.c
+++ b/src/certext.c
@@ -1706,9 +1706,12 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry,
CERTCertExtension ext[13], *exts[14], **exts_ptr;
SECOidData *oid;
SECItem *item, encoded;
+ /* X509v3 extension's critical element has an implicit default,
+ * see https://pagure.io/certmonger/issue/223
+ */
SECItem der_false = {
- .len = 1,
- .data = (unsigned char *) "\000",
+ .len = 0,
+ .data = NULL,
};
SECItem der_true = {
.len = 1,
diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out
index def53fe4..0fb88323 100644
--- a/tests/003-csrgen-rsa/expected.out
+++ b/tests/003-csrgen-rsa/expected.out
@@ -8,8 +8,8 @@ pk12util: PKCS12 EXPORT SUCCESSFUL
4096 OK.
Signature OK
The last CSR (the one with everything) was:
- 0:d=0 hl=4 l=1413 cons: SEQUENCE
- 4:d=1 hl=4 l=1133 cons: SEQUENCE
+ 0:d=0 hl=4 l=1389 cons: SEQUENCE
+ 4:d=1 hl=4 l=1109 cons: SEQUENCE
8:d=2 hl=2 l= 1 prim: INTEGER :00
11:d=2 hl=2 l= 22 cons: SEQUENCE
13:d=3 hl=2 l= 20 cons: SET
@@ -21,7 +21,7 @@ The last CSR (the one with everything) was:
41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
52:d=4 hl=2 l= 0 prim: NULL
54:d=3 hl=4 l= 271 prim: BIT STRING
- 329:d=2 hl=4 l= 808 cons: cont [ 0 ]
+ 329:d=2 hl=4 l= 784 cons: cont [ 0 ]
333:d=3 hl=2 l= 52 cons: SEQUENCE
335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword
346:d=4 hl=2 l= 39 cons: SET
@@ -30,48 +30,40 @@ The last CSR (the one with everything) was:
389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName
400:d=4 hl=2 l= 48 cons: SET
402:d=5 hl=2 l= 46 prim: BMPSTRING
- 450:d=3 hl=4 l= 687 cons: SEQUENCE
+ 450:d=3 hl=4 l= 663 cons: SEQUENCE
454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request
- 465:d=4 hl=4 l= 672 cons: SET
- 469:d=5 hl=4 l= 668 cons: SEQUENCE
- 473:d=6 hl=2 l= 14 cons: SEQUENCE
+ 465:d=4 hl=4 l= 648 cons: SET
+ 469:d=5 hl=4 l= 644 cons: SEQUENCE
+ 473:d=6 hl=2 l= 11 cons: SEQUENCE
475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
- 489:d=6 hl=4 l= 264 cons: SEQUENCE
- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 501:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]:3081FA82096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74
- 757:d=6 hl=2 l= 32 cons: SEQUENCE
- 759:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
- 764:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 767:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
- 791:d=6 hl=2 l= 18 cons: SEQUENCE
- 793:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
- 798:d=7 hl=2 l= 1 prim: BOOLEAN :255
- 801:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
- 811:d=6 hl=2 l= 34 cons: SEQUENCE
- 813:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
- 818:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 821:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
- 847:d=6 hl=2 l= 32 cons: SEQUENCE
- 849:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
- 854:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 857:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
- 881:d=6 hl=2 l= 107 cons: SEQUENCE
- 883:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
- 893:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 896:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
- 990:d=6 hl=2 l= 96 cons: SEQUENCE
- 992:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
- 997:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1000:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
- 1088:d=6 hl=2 l= 51 cons: SEQUENCE
- 1090:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
- 1101:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1104:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
- 1141:d=1 hl=2 l= 13 cons: SEQUENCE
- 1143:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
- 1154:d=2 hl=2 l= 0 prim: NULL
- 1156:d=1 hl=4 l= 257 prim: BIT STRING
+ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
+ 486:d=6 hl=4 l= 261 cons: SEQUENCE
+ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
+ 495:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]:3081FA82096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74
+ 751:d=6 hl=2 l= 29 cons: SEQUENCE
+ 753:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
+ 758:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
+ 782:d=6 hl=2 l= 18 cons: SEQUENCE
+ 784:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
+ 789:d=7 hl=2 l= 1 prim: BOOLEAN :255
+ 792:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
+ 802:d=6 hl=2 l= 31 cons: SEQUENCE
+ 804:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
+ 809:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
+ 835:d=6 hl=2 l= 29 cons: SEQUENCE
+ 837:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
+ 842:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
+ 866:d=6 hl=2 l= 104 cons: SEQUENCE
+ 868:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
+ 878:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
+ 972:d=6 hl=2 l= 93 cons: SEQUENCE
+ 974:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
+ 979:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
+ 1067:d=6 hl=2 l= 48 cons: SEQUENCE
+ 1069:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
+ 1080:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
+ 1117:d=1 hl=2 l= 13 cons: SEQUENCE
+ 1119:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
+ 1130:d=2 hl=2 l= 0 prim: NULL
+ 1132:d=1 hl=4 l= 257 prim: BIT STRING
Test complete (32 combinations).
diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out
index 46e010cf..1081a678 100644
--- a/tests/003-csrgen/expected.out
+++ b/tests/003-csrgen/expected.out
@@ -11,8 +11,8 @@ Signature OK
minicert.openssl.4096.pem: OK
4096 OK.
The last CSR (the one with everything) was:
- 0:d=0 hl=4 l=1635 cons: SEQUENCE
- 4:d=1 hl=4 l=1355 cons: SEQUENCE
+ 0:d=0 hl=4 l=1599 cons: SEQUENCE
+ 4:d=1 hl=4 l=1319 cons: SEQUENCE
8:d=2 hl=2 l= 1 prim: INTEGER :00
11:d=2 hl=2 l= 22 cons: SEQUENCE
13:d=3 hl=2 l= 20 cons: SET
@@ -24,7 +24,7 @@ The last CSR (the one with everything) was:
41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
52:d=4 hl=2 l= 0 prim: NULL
54:d=3 hl=4 l= 271 prim: BIT STRING
- 329:d=2 hl=4 l=1030 cons: cont [ 0 ]
+ 329:d=2 hl=4 l= 994 cons: cont [ 0 ]
333:d=3 hl=2 l= 52 cons: SEQUENCE
335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword
346:d=4 hl=2 l= 39 cons: SET
@@ -33,64 +33,52 @@ The last CSR (the one with everything) was:
389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName
400:d=4 hl=2 l= 48 cons: SET
402:d=5 hl=2 l= 46 prim: BMPSTRING
- 450:d=3 hl=4 l= 909 cons: SEQUENCE
+ 450:d=3 hl=4 l= 873 cons: SEQUENCE
454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request
- 465:d=4 hl=4 l= 894 cons: SET
- 469:d=5 hl=4 l= 890 cons: SEQUENCE
- 473:d=6 hl=2 l= 14 cons: SEQUENCE
+ 465:d=4 hl=4 l= 858 cons: SET
+ 469:d=5 hl=4 l= 854 cons: SEQUENCE
+ 473:d=6 hl=2 l= 11 cons: SEQUENCE
475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
- 489:d=6 hl=4 l= 290 cons: SEQUENCE
- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 501:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]:3082011282096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F7487047F000001871000000000000000000000000000000001
- 783:d=6 hl=2 l= 32 cons: SEQUENCE
- 785:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
- 790:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 793:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
- 817:d=6 hl=2 l= 18 cons: SEQUENCE
- 819:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
- 824:d=7 hl=2 l= 1 prim: BOOLEAN :255
- 827:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
- 837:d=6 hl=2 l= 34 cons: SEQUENCE
- 839:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
- 844:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 847:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
- 873:d=6 hl=2 l= 32 cons: SEQUENCE
- 875:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
- 880:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 883:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
- 907:d=6 hl=2 l= 107 cons: SEQUENCE
- 909:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
- 919:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 922:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
- 1016:d=6 hl=2 l= 96 cons: SEQUENCE
- 1018:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
- 1023:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1026:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
- 1114:d=6 hl=2 l= 106 cons: SEQUENCE
- 1116:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL
- 1121:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1124:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461
- 1222:d=6 hl=2 l= 51 cons: SEQUENCE
- 1224:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
- 1235:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1238:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
- 1275:d=6 hl=2 l= 18 cons: SEQUENCE
- 1277:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check
- 1288:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1291:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500
- 1295:d=6 hl=2 l= 44 cons: SEQUENCE
- 1297:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2
- 1308:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1311:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074
- 1341:d=6 hl=2 l= 20 cons: SEQUENCE
- 1343:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type
- 1354:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1357:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0
- 1363:d=1 hl=2 l= 13 cons: SEQUENCE
- 1365:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
- 1376:d=2 hl=2 l= 0 prim: NULL
- 1378:d=1 hl=4 l= 257 prim: BIT STRING
+ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
+ 486:d=6 hl=4 l= 287 cons: SEQUENCE
+ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
+ 495:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]:3082011282096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F7487047F000001871000000000000000000000000000000001
+ 777:d=6 hl=2 l= 29 cons: SEQUENCE
+ 779:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
+ 784:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
+ 808:d=6 hl=2 l= 18 cons: SEQUENCE
+ 810:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
+ 815:d=7 hl=2 l= 1 prim: BOOLEAN :255
+ 818:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
+ 828:d=6 hl=2 l= 31 cons: SEQUENCE
+ 830:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
+ 835:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
+ 861:d=6 hl=2 l= 29 cons: SEQUENCE
+ 863:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
+ 868:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
+ 892:d=6 hl=2 l= 104 cons: SEQUENCE
+ 894:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
+ 904:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
+ 998:d=6 hl=2 l= 93 cons: SEQUENCE
+ 1000:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
+ 1005:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
+ 1093:d=6 hl=2 l= 103 cons: SEQUENCE
+ 1095:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL
+ 1100:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461
+ 1198:d=6 hl=2 l= 48 cons: SEQUENCE
+ 1200:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
+ 1211:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
+ 1248:d=6 hl=2 l= 15 cons: SEQUENCE
+ 1250:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check
+ 1261:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500
+ 1265:d=6 hl=2 l= 41 cons: SEQUENCE
+ 1267:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2
+ 1278:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074
+ 1308:d=6 hl=2 l= 17 cons: SEQUENCE
+ 1310:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type
+ 1321:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0
+ 1327:d=1 hl=2 l= 13 cons: SEQUENCE
+ 1329:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
+ 1340:d=2 hl=2 l= 0 prim: NULL
+ 1342:d=1 hl=4 l= 257 prim: BIT STRING
Test complete (69 combinations).
--
2.31.1

201
0009-Remove-the-certmaster-CA-from-the-028-dbus-test.patch
View File

@ -1,201 +0,0 @@
From dd8dcb899e0a159d1141b713993805565ffb6d28 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 16 Sep 2020 11:28:08 -0400
Subject: [PATCH 09/11] Remove the certmaster CA from the 028-dbus test
The certmaster CA is disabled by default so no longer look for it
in the dbus test.
This test will fail if certmaster is enabled. There is currently no
mechanism to dynamically enable/disable features of the tests. It
can be added if it comes up but its unclear if anyoen took advantage
of the certmaster support in the first place.
---
tests/028-dbus/expected.out | 130 ++----------------------------------
1 file changed, 6 insertions(+), 124 deletions(-)
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
index 4d6a9a59..ca7de34f 100644
--- a/tests/028-dbus/expected.out
+++ b/tests/028-dbus/expected.out
@@ -34,10 +34,6 @@ CA 'IPA':
is-default: no
ca-type: EXTERNAL
helper-location: $libexecdir/ipa-submit
-CA 'certmaster':
- is-default: no
- ca-type: EXTERNAL
- helper-location: $libexecdir/certmaster-submit
CA 'dogtag-ipa-renew-agent':
is-default: no
ca-type: EXTERNAL
@@ -45,8 +41,8 @@ CA 'dogtag-ipa-renew-agent':
[[ API ]]
[ simpleprop.py ]
-/org/fedorahosted/certmonger/cas/CA6
-/org/fedorahosted/certmonger/cas/CA6
+/org/fedorahosted/certmonger/cas/CA5
+/org/fedorahosted/certmonger/cas/CA5
: -> : -k admin@localhost -> :
0 -> 1 -> 0
[ walk.py ]
@@ -182,7 +178,7 @@ OK
OK
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ]
-dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA5')], signature=dbus.Signature('o'))
+dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4')], signature=dbus.Signature('o'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ]
dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
@@ -508,7 +504,6 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
<node name="CA2"/>
<node name="CA3"/>
<node name="CA4"/>
- <node name="CA5"/>
</node>
[ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ]
@@ -942,10 +937,10 @@ dbus.Array([], signature=dbus.Signature('s'))
</node>
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-2
+$tmpdir/cas/20180327134236-3
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
-certmaster
+dogtag-ipa-renew-agent
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ]
0
@@ -957,7 +952,7 @@ EXTERNAL
None
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ]
-$libexecdir/certmaster-submit
+$libexecdir/dogtag-ipa-renew-agent-submit
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ]
dbus.Array([], signature=dbus.Signature('s'))
@@ -965,116 +960,3 @@ dbus.Array([], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ]
1
-[ /org/fedorahosted/certmonger/cas/CA5: org.freedesktop.DBus.Introspectable.Introspect ]
-<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
-"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
-
-<node name="/org/fedorahosted/certmonger/cas/CA5">
- <interface name="org.freedesktop.DBus.Introspectable">
- <method name="Introspect">
- <arg name="xml_data" type="s" direction="out"/>
- </method>
- </interface>
- <interface name="org.freedesktop.DBus.Properties">
- <method name="Get">
- <arg name="interface_name" type="s" direction="in"/>
- <arg name="property_name" type="s" direction="in"/>
- <arg name="value" type="v" direction="out"/>
- </method>
- <method name="Set">
- <arg name="interface_name" type="s" direction="in"/>
- <arg name="property_name" type="s" direction="in"/>
- <arg name="value" type="v" direction="in"/>
- </method>
- <method name="GetAll">
- <arg name="interface_name" type="s" direction="in"/>
- <arg name="props" type="a{sv}" direction="out"/>
- </method>
- <signal name="PropertiesChanged">
- <arg name="interface_name" type="s"/>
- <arg name="changed_properties" type="a{sv}"/>
- <arg name="invalidated_properties" type="as"/>
- </signal>
- </interface>
- <interface name="org.fedorahosted.certmonger.ca">
- <method name="get_config_file_path">
- <arg name="path" type="s" direction="out"/>
- </method>
- <method name="get_nickname">
- <arg name="nickname" type="s" direction="out"/>
- </method>
- <property name="nickname" type="s" access="read"/>
- <property name="aka" type="s" access="read"/>
- <method name="get_is_default">
- <arg name="default" type="b" direction="out"/>
- </method>
- <property name="is-default" type="b" access="readwrite"/>
- <method name="get_type">
- <arg name="type" type="s" direction="out"/>
- </method>
- <method name="get_serial">
- <arg name="serial_hex" type="s" direction="out"/>
- </method>
- <method name="get_location">
- <arg name="path" type="s" direction="out"/>
- </method>
- <property name="external-helper" type="s" access="readwrite"/>
- <method name="get_issuer_names">
- <arg name="names" type="as" direction="out"/>
- </method>
- <method name="refresh">
- <arg name="working" type="b" direction="out"/>
- </method>
- <property name="ca-error" type="s" access="read"/>
- <property name="issuer-names" type="as" access="read"/>
- <property name="root-certs" type="a(ss)" access="read"/>
- <property name="root-other-certs" type="a(ss)" access="read"/>
- <property name="other-certs" type="a(ss)" access="read"/>
- <property name="required-enroll-attributes" type="as" access="read"/>
- <property name="required-renew-attributes" type="as" access="read"/>
- <property name="supported-profiles" type="as" access="read"/>
- <property name="default-profile" type="s" access="read"/>
- <property name="root-cert-files" type="as" access="readwrite"/>
- <property name="root-other-cert-files" type="as" access="readwrite"/>
- <property name="other-cert-files" type="as" access="readwrite"/>
- <property name="root-cert-nssdbs" type="as" access="readwrite"/>
- <property name="root-other-cert-nssdbs" type="as" access="readwrite"/>
- <property name="other-cert-nssdbs" type="as" access="readwrite"/>
- <property name="ca-presave-command" type="s" access="read"/>
- <property name="ca-presave-uid" type="s" access="read"/>
- <property name="ca-postsave-command" type="s" access="read"/>
- <property name="ca-postsave-uid" type="s" access="read"/>
- <property name="scep-cipher" type="s" access="readwrite"/>
- <property name="scep-digest" type="s" access="readwrite"/>
- <property name="scep-ca-identifier" type="s" access="readwrite"/>
- <property name="scep-ca-capabilities" type="as" access="read"/>
- <property name="scep-ra-cert" type="s" access="read"/>
- <property name="scep-ca-cert" type="s" access="read"/>
- <property name="scep-other-certs" type="s" access="read"/>
- </interface>
-</node>
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-3
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
-dogtag-ipa-renew-agent
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_is_default ]
-0
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_type ]
-EXTERNAL
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_serial ]
-None
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_location ]
-$libexecdir/dogtag-ipa-renew-agent-submit
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_issuer_names ]
-dbus.Array([], signature=dbus.Signature('s'))
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.refresh ]
-1
-
--
2.25.4

80
0009-Use-extensions-template-from-NSS.patch
View File

@ -1,80 +0,0 @@
From 9312d1892c611d9f0e814cb915488182da2b76cc Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 4 Oct 2021 15:55:44 +0200
Subject: [PATCH] Use extensions template from NSS
Drop certmonger's custom extension template and use the sequence of X509v3
extensions template from NSS.
The certmonger template had a bug that caused certmonger to create CSRs
with invalid DER. It was encoding extension's critical element even for
default value FALSE.
Fixes: https://pagure.io/certmonger/issue/223
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
src/certext.c | 41 +----------------------------------------
1 file changed, 1 insertion(+), 40 deletions(-)
diff --git a/src/certext.c b/src/certext.c
index be536987..0d66971e 100644
--- a/src/certext.c
+++ b/src/certext.c
@@ -203,45 +203,6 @@ cm_ms_template_template[] = {
{0, 0, NULL, 0},
};
-/* RFC 5280, 4.1 */
-const SEC_ASN1Template
-cm_certext_cert_extension_template[] = {
- {
- .kind = SEC_ASN1_SEQUENCE,
- .offset = 0,
- .sub = NULL,
- .size = sizeof(CERTCertExtension),
- },
- {
- .kind = SEC_ASN1_OBJECT_ID,
- .offset = offsetof(CERTCertExtension, id),
- .sub = NULL,
- .size = sizeof(SECItem),
- },
- {
- .kind = SEC_ASN1_BOOLEAN,
- .offset = offsetof(CERTCertExtension, critical),
- .sub = NULL,
- .size = sizeof(SECItem),
- },
- {
- .kind = SEC_ASN1_OCTET_STRING,
- .offset = offsetof(CERTCertExtension, value),
- .sub = NULL,
- .size = sizeof(SECItem),
- },
- {0, 0, NULL, 0},
-};
-const SEC_ASN1Template
-cm_certext_sequence_of_cert_extension_template[] = {
- {
- .kind = SEC_ASN1_SEQUENCE_OF,
- .offset = 0,
- .sub = cm_certext_cert_extension_template,
- .size = sizeof(CERTCertExtension **),
- },
-};
-
/* Windows 2000-style UPN */
static unsigned char oid_ms_upn_name_bytes[] = {0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03};
static const SECOidData oid_ms_upn_name = {
@@ -1960,7 +1921,7 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry,
/* Encode the sequence. */
memset(&encoded, 0, sizeof(encoded));
if (i > 1) {
- template = cm_certext_sequence_of_cert_extension_template;
+ template = CERT_SequenceOfCertExtensionTemplate;
if (SEC_ASN1EncodeItem(arena, &encoded, &exts_ptr,
template) == &encoded) {
*extensions = talloc_memdup(entry, encoded.data,
--
2.31.1

702
0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch
View File

@ -1,702 +0,0 @@
From f636d0f64fbcb978b06afe9f9576678afcee01c0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 4 Nov 2021 13:51:31 -0400
Subject: [PATCH] Add a PEM validity checker and validate SCEP CA files
If a non-PEM file was passed into add-scep-ca it would
accept it without question but later fail with:
status: CA_UNREACHABLE
ca-error: Error: failed to verify signature on server response.
Try to do basic validation of user-provided PEM files by:
- stripping BEGIN/END headers
- removing newlines and carriage returns
- using OpenSSL EVP library to base64 decode the block
This isn't fool-proof but it at least does some basic
sanity checking to ensure the file(s) exist and appear
to be PEM files.
The unit tests use some Let's Encrypt CA certificates.
https://bugzilla.redhat.com/show_bug.cgi?id=1492112
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/Makefile.am | 2 +-
src/getcert-add-scep-ca.1.in | 2 +
src/getcert.c | 39 ++++-
src/util-o.c | 144 ++++++++++++++++++
src/util-o.h | 7 +
tests/040-pem/bad.empty | 0
.../bad.isrg-root-x1-cross-signed.der.b64 | 25 +++
tests/040-pem/expected.out | 7 +
.../good.isrg-root-x1-cross-signed.pem | 31 ++++
.../good.isrg-root-x1-cross-signed_cr.pem | 31 ++++
tests/040-pem/good.lets_encrypt_chain.pem | 93 +++++++++++
tests/040-pem/run.sh | 21 +++
tests/Makefile.am | 8 +-
tests/tools/Makefile.am | 3 +-
tests/tools/pem.c | 69 +++++++++
15 files changed, 474 insertions(+), 8 deletions(-)
create mode 100644 tests/040-pem/bad.empty
create mode 100644 tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
create mode 100644 tests/040-pem/expected.out
create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed.pem
create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
create mode 100644 tests/040-pem/good.lets_encrypt_chain.pem
create mode 100755 tests/040-pem/run.sh
create mode 100644 tests/tools/pem.c
diff --git a/src/Makefile.am b/src/Makefile.am
index 53571c5..d8e0a2e 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -155,7 +155,7 @@ pkglibexecdir = $(libexecdir)/$(PACKAGE)
getcert_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(UUID_CFLAGS)
getcert_SOURCES = getcert.c tm.c tm.h
getcert_LDADD = libcm.a $(GETCERT_LIBS) $(KRB5_LIBS) $(NSS_LIBS) $(UUID_LIBS) \
- $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS)
+ $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS) $(OPENSSL_LIBS)
if WITH_IPA
bin_PROGRAMS += ipa-getcert
ipa_getcert_CFLAGS = $(getcert_CFLAGS)
diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
index c2751ed..901791e 100644
--- a/src/getcert-add-scep-ca.1.in
+++ b/src/getcert-add-scep-ca.1.in
@@ -14,6 +14,8 @@ helper. The \fIadd\-scep\-ca\fR command is more or less a wrapper for the
.SH OPTIONS
.TP
+All user\-provided certificate files must be in PEM format.
+.TP
\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
The nickname to give to this CA configuration. This same value can later be
passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and
diff --git a/src/getcert.c b/src/getcert.c
index 4afafcb..ddcb739 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -49,6 +49,7 @@
#include "submit-u.h"
#include "tdbus.h"
#include "tdbusm.h"
+#include "util-o.h"
#ifdef ENABLE_NLS
#include <libintl.h>
@@ -4544,15 +4545,16 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
int c, prefer_non_renewal = 0, verbose = 0;
dbus_bool_t b;
static DBusMessage *req, *rep;
+ const char *poptarg;
poptContext pctx;
struct poptOption popts[] = {
{"ca", 'c', POPT_ARG_STRING, &caname, 0, _("nickname to give to the new CA configuration"), HELP_TYPE_NAME},
{"url", 'u', POPT_ARG_STRING, &url, 0, _("location of SCEP server"), HELP_TYPE_URL},
{"id", 'i', POPT_ARG_STRING, &id, 0, _("CA identifier"), HELP_TYPE_ID},
- {"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},
- {"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},
- {"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
- {"signingca", 'N', POPT_ARG_STRING, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
+ {"ca-cert", 'R', POPT_ARG_STRING, NULL, 'R', _("file containing CA's certificate"), HELP_TYPE_FILENAME},
+ {"ra-cert", 'r', POPT_ARG_STRING, NULL, 'r', _("file containing RA's certificate"), HELP_TYPE_FILENAME},
+ {"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
+ {"signingca", 'N', POPT_ARG_STRING, NULL, 'N', _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},
{"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},
{"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},
@@ -4572,6 +4574,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
return 1;
}
while ((c = poptGetNextOpt(pctx)) > 0) {
+ poptarg = poptGetOptArg(pctx);
switch (c) {
case 's':
bus = cm_tdbus_session;
@@ -4586,6 +4589,34 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
poptPrintHelp(pctx, stdout, 0);
return 1;
break;
+ case 'R':
+ if (validate_pem(globals.tctx, poptarg) != 0) {
+ printf("The root certificate(s) in %s is not valid PEM\n", poptarg);
+ return 1;
+ }
+ root = talloc_strdup(globals.tctx, poptarg);
+ break;
+ case 'r':
+ if (validate_pem(globals.tctx, poptarg) != 0) {
+ printf("The RA certificate(s) in %s is not valid PEM\n", poptarg);
+ return 1;
+ }
+ racert = talloc_strdup(globals.tctx, poptarg);
+ break;
+ case 'I':
+ if (validate_pem(globals.tctx, poptarg) != 0) {
+ printf("The certificate(s) in %s is not valid PEM\n", poptarg);
+ return 1;
+ }
+ certs = talloc_strdup(globals.tctx, poptarg);
+ break;
+ case 'N':
+ if (validate_pem(globals.tctx, poptarg) != 0) {
+ printf("The certificate(s) in %s is not valid PEM\n", poptarg);
+ return 1;
+ }
+ signingca = talloc_strdup(globals.tctx, poptarg);
+ break;
}
}
if (c != -1) {
diff --git a/src/util-o.c b/src/util-o.c
index db45964..c05872c 100644
--- a/src/util-o.c
+++ b/src/util-o.c
@@ -598,3 +598,147 @@ util_private_EVP_PKEY_dup(EVP_PKEY *pkey)
{
return util_EVP_PKEY_dup(pkey, i2d_PrivateKey, d2i_PrivateKey);
}
+
+static unsigned char *
+decode_base64(const unsigned char *input, int length, int *outlength) {
+ int expected_len;
+ unsigned char *output;
+ int output_len;
+
+ expected_len = 3 * length / 4;
+ output = calloc(expected_len + 1, 1);
+ output_len = EVP_DecodeBlock(output, input, length);
+
+ if (output_len < 0) {
+ *outlength = -1;
+ free(output);
+ return NULL;
+ }
+ if (output_len % 3 != 0) {
+ *outlength = -1;
+ free(output);
+ return NULL;
+ }
+ if (expected_len != output_len) {
+ *outlength = -1;
+ free(output);
+ return NULL;
+ }
+ *outlength = output_len;
+ return output;
+}
+
+int
+validate_pem(void *parent, const char *path)
+{
+ char *p;
+ char *s = NULL, *sp, *sq;
+ int ret = 0;
+ FILE *fp;
+ struct stat st;
+ char *tmp1 = NULL;
+ unsigned char *tmp2 = NULL;
+ char *buffer;
+ int n, i, length;
+ int found = 0;
+
+ fp = fopen(path, "r");
+ if (fp == NULL) {
+ printf("Unable to open %s for reading: %s\n",
+ path, strerror(errno));
+ return -1;
+ }
+ if (fstat(fileno(fp), &st) == -1) {
+ printf("Error opening %s for reading: %s\n",
+ path, strerror(errno));
+ fclose(fp);
+ return -1;
+ }
+ if (st.st_size == 0) {
+ printf("%s is an empty file.\n", path);
+ fclose(fp);
+ return -1;
+ }
+
+ buffer = malloc(st.st_size + 1);
+ if (buffer == NULL) {
+ printf("Error allocating memory.\n");
+ fclose(fp);
+ return -1;
+ }
+
+ n = 0;
+ while (n < st.st_size) {
+ i = fread(buffer + n, 1, st.st_size - n, fp);
+ if (i <= 0) {
+ printf("Error reading %s: %s.\n",
+ path, strerror(errno));
+ fclose(fp);
+ ret = -1;
+ goto done;
+ }
+ n += i;
+ }
+ fclose(fp);
+ buffer[st.st_size] = '\0';
+ length = st.st_size;
+ s = malloc(length + 1);
+ if (s == NULL) {
+ printf("Error allocating memory.\n");
+ ret = -1;
+ goto done;
+ }
+ memcpy(s, buffer, length);
+ s[length] = '\0';
+ sp = s;
+ tmp1 = NULL;
+ tmp2 = NULL;
+ while ((sp = strstr(sp, "-----BEGIN")) != NULL) {
+ sq = strstr(sp, "-----END");
+ if (sq != NULL) {
+ found++;
+ sq += strcspn(sq, "\r\n");
+ sq += strspn(sq, "\r\n");
+
+ /* Strip down to pure base64 so no headers, new lines or cr */
+ tmp1 = strndup(sp, sq - sp);
+ p = strstr(tmp1, "-----BEGIN");
+ if (p != NULL) {
+ p += strcspn(p, "\n");
+ if (*p == '\n') {
+ p++;
+ }
+ memmove(tmp1, p, strlen(p) + 1);
+ }
+ p = strstr(tmp1, "\n-----END");
+ if (p != NULL) {
+ *p = '\0';
+ }
+ while ((p = strchr(tmp1, '\r')) != NULL) {
+ memmove(p, p + 1, strlen(p));
+ }
+ while ((p = strchr(tmp1, '\n')) != NULL) {
+ memmove(p, p + 1, strlen(p));
+ }
+ length = 0;
+ tmp2 = decode_base64((unsigned char *)tmp1, strlen(tmp1), &length);
+ if (length < 0) {
+ ret = -1;
+ goto done;
+ }
+ sp = sq;
+ }
+ }
+
+ if (found == 0) {
+ ret = -1;
+ }
+
+done:
+ free(buffer);
+ free(s);
+ free(tmp1);
+ free(tmp2);
+
+ return ret;
+}
diff --git a/src/util-o.h b/src/util-o.h
index 916777b..8550e07 100644
--- a/src/util-o.h
+++ b/src/util-o.h
@@ -16,6 +16,12 @@
*/
#ifndef utilo_h
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
#define utilo_h
struct cm_store_entry;
@@ -71,5 +77,6 @@ int util_X509_set1_version(X509 *x, ASN1_INTEGER *version);
void util_NETSCAPE_SPKI_set_sig_alg(NETSCAPE_SPKI *spki, const X509_ALGOR *sig_alg);
EVP_PKEY *util_public_EVP_PKEY_dup(EVP_PKEY *pkey);
EVP_PKEY *util_private_EVP_PKEY_dup(EVP_PKEY *pkey);
+int validate_pem(void *parent, const char *path);
#endif
diff --git a/tests/040-pem/bad.empty b/tests/040-pem/bad.empty
new file mode 100644
index 0000000..e69de29
diff --git a/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
new file mode 100644
index 0000000..f9d7e5b
--- /dev/null
+++ b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
@@ -0,0 +1,25 @@
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQK
+ExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4X
+DTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1owTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIElu
+dGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B4
+93XCov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpLwYqGcWlK
+ZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+DLtFJV4yAdLbaL9A4jXsD
+cCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/
+iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeY
+jzYIlefiN5YNNnWe+w5ysR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHdu
+Rze6zqxZXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4FQsD
+j43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBcSLeCO5imfWCKoqMp
+gsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2qlPRmP6zjzZN7IKw0KKP/32+IVQtQi
+0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TNDTwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB
+/zAOBgNVHQ8BAf8EBAMCAQYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBw
+cy5pZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsG
+AQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAv
+oC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYE
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oG
+rS+o44+/yQoDFVDC5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMr
+AdSW9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuGWCLKTVXk
+cGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9Ohe8Y4IWS6wY7bCkjCWDc
+RQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFCDfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr
+6GtPAQw4dy753ec5
diff --git a/tests/040-pem/expected.out b/tests/040-pem/expected.out
new file mode 100644
index 0000000..0459fd2
--- /dev/null
+++ b/tests/040-pem/expected.out
@@ -0,0 +1,7 @@
+OK
+OK
+OK
+got expected error with bad.empty
+got expected error with bad.isrg-root-x1-cross-signed.der
+got expected error with bad.notfound
+OK
diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed.pem b/tests/040-pem/good.isrg-root-x1-cross-signed.pem
new file mode 100644
index 0000000..239794a
--- /dev/null
+++ b/tests/040-pem/good.isrg-root-x1-cross-signed.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----
diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
new file mode 100644
index 0000000..239794a
--- /dev/null
+++ b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----
diff --git a/tests/040-pem/good.lets_encrypt_chain.pem b/tests/040-pem/good.lets_encrypt_chain.pem
new file mode 100644
index 0000000..29a16ff
--- /dev/null
+++ b/tests/040-pem/good.lets_encrypt_chain.pem
@@ -0,0 +1,93 @@
+-----BEGIN CERTIFICATE-----
+MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1
+WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX
+NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf
+89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl
+Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc
+Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz
+uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB
+AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU
+BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB
+FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo
+SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js
+LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF
+BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG
+AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD
+VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB
+ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx
+A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM
+UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2
+DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1
+eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu
+OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw
+p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY
+2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0
+ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR
+PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b
+rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----
diff --git a/tests/040-pem/run.sh b/tests/040-pem/run.sh
new file mode 100755
index 0000000..1d4d1f4
--- /dev/null
+++ b/tests/040-pem/run.sh
@@ -0,0 +1,21 @@
+#!/bin/bash -e
+
+cd "$tmpdir"
+cp -p "$srcdir"/040-pem/bad.* $tmpdir
+base64 -d < "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64 > "$tmpdir"/bad.isrg-root-x1-cross-signed.der
+rm -f "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64
+
+for good in "$srcdir"/040-pem/good.* ; do
+ if ! "$toolsdir"/pem "$good" ; then
+ exit 1
+ fi
+done
+for bad in "$tmpdir"/bad.* bad.notfound; do
+ if "$toolsdir"/pem "$bad" > /dev/null; then
+ echo unexpected success with `basename "$bad"`
+ exit 1
+ else
+ echo got expected error with `basename "$bad"`
+ fi
+done
+echo OK
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 013d34b..e20b6d8 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -132,6 +132,8 @@ CLEANFILES = \
038-ms-v2-template/actual.err \
039-fromfile/actual.out \
039-fromfile/actual.err
+ 040-pem/actual.out \
+ 040-pem/actual.err
EXTRA_DIST = \
run-tests.sh functions certmonger.conf tools/cachain.sh \
001-keyiread/run.sh \
@@ -353,7 +355,8 @@ EXTRA_DIST = \
038-ms-v2-template/expected.out \
038-ms-v2-template/extract-extdata.py \
038-ms-v2-template/run.sh \
- 039-fromfile/run.sh
+ 039-fromfile/run.sh \
+ 040-pem/run.sh
subdirs = \
001-keyiread \
@@ -388,7 +391,8 @@ subdirs = \
036-getcert \
037-rekey2 \
038-ms-v2-template \
- 039-fromfile
+ 039-fromfile \
+ 040-pem
if HAVE_DBM_NSSDB
subdirs += \
diff --git a/tests/tools/Makefile.am b/tests/tools/Makefile.am
index 53f658e..1a01ee6 100644
--- a/tests/tools/Makefile.am
+++ b/tests/tools/Makefile.am
@@ -16,7 +16,8 @@ endif
noinst_PROGRAMS = keyiread keygen csrgen submit certread certsave oid2name \
name2oid iterate prefs dates listnicks pem2base base2pem \
dparse payload checksig base64 cadata citerate casave hooks \
- libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile
+ libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile \
+ pem
noinst_LIBRARIES = libtools.a
if HAVE_OPENSSL
noinst_PROGRAMS += pk7parse pk7env scepgen pk7verify pk7decrypt
diff --git a/tests/tools/pem.c b/tests/tools/pem.c
new file mode 100644
index 0000000..4fdd4f4
--- /dev/null
+++ b/tests/tools/pem.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2021 Red Hat, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "../../src/config.h"
+
+#include <sys/types.h>
+#include <errno.h>
+#include <fcntl.h>
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <popt.h>
+
+#include <talloc.h>
+
+#include "../../src/util-o.h"
+
+int
+main(int argc, const char **argv)
+{
+ const char *filename;
+ void *parent;
+ int i, ret = 0;
+ poptContext pctx;
+ struct poptOption popts[] = {
+ POPT_AUTOHELP
+ POPT_TABLEEND
+ };
+
+ parent = talloc_new(NULL);
+ pctx = poptGetContext("pem", argc, argv, popts, 0);
+ while ((i = poptGetNextOpt(pctx)) > 0) {
+ continue;
+ }
+ if (i != -1) {
+ poptPrintUsage(pctx, stdout, 0);
+ return 1;
+ }
+ while ((filename = poptGetArg(pctx)) != NULL) {
+ if (validate_pem(parent, (char *)filename) == 0) {
+ printf("OK\n");
+ } else {
+ ret = 1;
+ }
+ }
+ talloc_free(parent);
+ poptFreeContext(pctx);
+ return ret;
+}
--
2.31.1

38
0010-Add-a-local-srpm-target-to-build-an-srpm-from-the-cu.patch
View File

@ -1,38 +0,0 @@
From 94dfc2f31b439db37b67d58e635169c29a4f8dde Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 16 Sep 2020 11:29:41 -0400
Subject: [PATCH 10/11] Add a local-srpm target to build an srpm from the
current checkout
The srpm target will pull the origin master branch and build from
that so it isn't useful for testing local changes.
---
Makefile.am | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 16d103ec..883c5932 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -29,6 +29,18 @@ ARCHIVEOUTDIR=$(shell cd $(top_srcdir) && pwd)
local-archive:
$(MAKE) archive ORIGIN=$(ARCHIVEOUTDIR)
+local-srpm:
+ repo=`pwd`; \
+ tmpdir=`mktemp -d /tmp/make_archive_XXXXXX`; \
+ if test -d "$$tmpdir" ; then \
+ git clone . $$tmpdir;\
+ cd $$tmpdir;\
+ ./make-srpm.sh;\
+ cp -v $(distdir)-*.src.rpm $(ARCHIVEOUTDIR)/;\
+ chmod -R u+rw $$tmpdir;\
+ rm -fr $$tmpdir;\
+ fi
+
srpm:
repo=`pwd`; \
tmpdir=`mktemp -d /tmp/make_archive_XXXXXX`; \
--
2.25.4

31
0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch
View File

@ -1,31 +0,0 @@
From 657c9ab79a00a2003f7c02c535418896cacc410a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 15 Nov 2021 09:58:40 -0500
Subject: [PATCH] =?UTF-8?q?Fix=20implicit=20declaration=20of=20function=20?=
=?UTF-8?q?=E2=80=98PEM=5Fread=5Fbio=5FX509=E2=80=99?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add an include for openssl/pem.h
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/submit-n.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/submit-n.c b/src/submit-n.c
index 3dcb820a..4f763a16 100644
--- a/src/submit-n.c
+++ b/src/submit-n.c
@@ -33,6 +33,7 @@
#include <openssl/pkcs7.h>
#include <openssl/stack.h>
#include <openssl/x509.h>
+#include <openssl/pem.h>
#include <cert.h>
#include <certdb.h>
--
2.31.1

26
0011-Silence-a-rpm-macro-warning-with-an-unescaped-in-a-c.patch
View File

@ -1,26 +0,0 @@
From eda1134a9db1246eb8a24e0e01cfe1fcbff10729 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 16 Sep 2020 11:30:10 -0400
Subject: [PATCH 11/11] Silence a rpm macro warning with an unescaped % in a
comment
---
certmonger.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/certmonger.spec b/certmonger.spec
index a8e1d2e8..f2abd307 100644
--- a/certmonger.spec
+++ b/certmonger.spec
@@ -35,7 +35,7 @@ Group: System Environment/Daemons
License: GPLv3+
URL: http://pagure.io/certmonger/
Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
-#Source1: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz.sig
+#Source1: http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
BuildRequires: openldap-devel
--
2.25.4

46
0012-Remove-dependency-on-SHA-1.patch
View File

@ -1,46 +0,0 @@
From 2ef0a885962ecf558a8080b19652a5bd0c11c228 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 17 Mar 2022 15:44:00 -0400
Subject: [PATCH] Remove dependency on SHA-1
---
tests/033-scep/run.sh | 4 ++--
tests/tools/cachain.sh | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/033-scep/run.sh b/tests/033-scep/run.sh
index a36cd5a..baaa581 100755
--- a/tests/033-scep/run.sh
+++ b/tests/033-scep/run.sh
@@ -148,7 +148,7 @@ check_nonce
check_digest sha256
echo OK
echo "[gic, old trust root]"
-set_digest sha1
+set_digest sha256
$toolsdir/scepgen ca entry > scepdata
if test x`grep ^gic: scepdata | cut -f2- -d:` = x ; then
echo missing gic
@@ -158,7 +158,7 @@ check_verified
check_msgtype $SCEP_MSGTYPE_GETCERTINITIAL
check_txid
check_nonce
-check_digest sha1
+check_digest sha256
echo OK
echo "[req next, no trust root]"
if test x`grep ^req.next.: scepdata | cut -f2- -d:` = x ; then
diff --git a/tests/tools/cachain.sh b/tests/tools/cachain.sh
index 58f0c49..93aca9b 100755
--- a/tests/tools/cachain.sh
+++ b/tests/tools/cachain.sh
@@ -1,5 +1,5 @@
#!/bin/bash -e
-digest=sha1
+digest=sha256
keytype=rsa:1024
serial=12345678
cat > openssl.cnf << EOF
--
2.31.1

267
0013-Disable-DSA-in-the-RPM-spec.patch
View File

@ -1,267 +0,0 @@
From bdf93378eca9d28d5b49c8170c849d2c2e6f1991 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 7 Apr 2022 16:30:40 -0400
Subject: [PATCH] Disable DSA in the RPM spec
DSA has been disabled in default crypto policy since Fedora 30
and will cause crashes if used in FIPS mode.
Refresh the 028-dbus no-DSA expected output. It was out-of-sync
from previous changes.
https://bugzilla.redhat.com/show_bug.cgi?id=2066439
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
certmonger.spec | 6 +-
tests/028-dbus/expected.out.nodsa | 135 +++---------------------------
2 files changed, 15 insertions(+), 126 deletions(-)
diff --git a/certmonger.spec b/certmonger.spec
index 6715d83..9c01438 100644
--- a/certmonger.spec
+++ b/certmonger.spec
@@ -28,7 +28,7 @@
Name: certmonger
Version: 0.79.14
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Certificate status monitor and PKI enrollment client
Group: System Environment/Daemons
@@ -143,6 +143,7 @@ autoreconf -i -f
%if %{with xmlrpc}
--with-xmlrpc \
%endif
+ --disable-dsa \
--with-tmpdir=/run/certmonger --enable-pie --enable-now
%if %{with xmlrpc}
# For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
@@ -264,6 +265,9 @@ exit 0
%endif
%changelog
+* Mon Mar 28 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.15-2
+- Disable DSA. It is not allowed by default crypto policy (#2066439)
+
* Tue Jun 14 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-1
- update to 0.79.14
- Fix local CA to work under FIPS
diff --git a/tests/028-dbus/expected.out.nodsa b/tests/028-dbus/expected.out.nodsa
index 20499bf..0e1b977 100644
--- a/tests/028-dbus/expected.out.nodsa
+++ b/tests/028-dbus/expected.out.nodsa
@@ -11,12 +11,14 @@ Request ID 'Buddy':
CA: local
issuer: CN=$UUID,CN=Local Signing Authority
subject: CN=localhost
+ issued: sometime
expires: sometime
dns: localhost
principal name: host/localhost@LOCALHOST
key usage: digitalSignature,dataEncipherment
eku: id-kp-serverAuth
certificate template/profile: SomeProfileName
+ profile: SomeProfileName
pre-save command: echo Pre
post-save command: echo Post
track: yes
@@ -33,10 +35,6 @@ CA 'IPA':
is-default: no
ca-type: EXTERNAL
helper-location: $libexecdir/ipa-submit
-CA 'certmaster':
- is-default: no
- ca-type: EXTERNAL
- helper-location: $libexecdir/certmaster-submit
CA 'dogtag-ipa-renew-agent':
is-default: no
ca-type: EXTERNAL
@@ -44,8 +42,8 @@ CA 'dogtag-ipa-renew-agent':
[[ API ]]
[ simpleprop.py ]
-/org/fedorahosted/certmonger/cas/CA6
-/org/fedorahosted/certmonger/cas/CA6
+/org/fedorahosted/certmonger/cas/CA5
+/org/fedorahosted/certmonger/cas/CA5
: -> : -k admin@localhost -> :
0 -> 1 -> 0
[ walk.py ]
@@ -181,7 +179,7 @@ OK
OK
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ]
-dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA5')], signature=dbus.Signature('o'))
+dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4')], signature=dbus.Signature('o'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ]
dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
@@ -272,6 +270,7 @@ OK
<arg name="principal_names" type="as" direction="out"/>
<arg name="key_usage" type="x" direction="out"/>
<arg name="extended_key_usage" type="as" direction="out"/>
+ <arg name="not_before" type="x" direction="out"/>
</method>
<property name="issuer" type="s" access="read"/>
<property name="serial" type="s" access="read"/>
@@ -433,7 +432,7 @@ Buddy
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ]
-(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
+(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')), dbus.Int64(recently))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ]
recently
@@ -507,7 +506,6 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
<node name="CA2"/>
<node name="CA3"/>
<node name="CA4"/>
- <node name="CA5"/>
</node>
[ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ]
@@ -941,10 +939,10 @@ dbus.Array([], signature=dbus.Signature('s'))
</node>
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-2
+$tmpdir/cas/20180327134236-3
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
-certmaster
+dogtag-ipa-renew-agent
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ]
0
@@ -956,7 +954,7 @@ EXTERNAL
None
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ]
-$libexecdir/certmaster-submit
+$libexecdir/dogtag-ipa-renew-agent-submit
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ]
dbus.Array([], signature=dbus.Signature('s'))
@@ -964,116 +962,3 @@ dbus.Array([], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ]
1
-[ /org/fedorahosted/certmonger/cas/CA5: org.freedesktop.DBus.Introspectable.Introspect ]
-<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
-"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
-
-<node name="/org/fedorahosted/certmonger/cas/CA5">
- <interface name="org.freedesktop.DBus.Introspectable">
- <method name="Introspect">
- <arg name="xml_data" type="s" direction="out"/>
- </method>
- </interface>
- <interface name="org.freedesktop.DBus.Properties">
- <method name="Get">
- <arg name="interface_name" type="s" direction="in"/>
- <arg name="property_name" type="s" direction="in"/>
- <arg name="value" type="v" direction="out"/>
- </method>
- <method name="Set">
- <arg name="interface_name" type="s" direction="in"/>
- <arg name="property_name" type="s" direction="in"/>
- <arg name="value" type="v" direction="in"/>
- </method>
- <method name="GetAll">
- <arg name="interface_name" type="s" direction="in"/>
- <arg name="props" type="a{sv}" direction="out"/>
- </method>
- <signal name="PropertiesChanged">
- <arg name="interface_name" type="s"/>
- <arg name="changed_properties" type="a{sv}"/>
- <arg name="invalidated_properties" type="as"/>
- </signal>
- </interface>
- <interface name="org.fedorahosted.certmonger.ca">
- <method name="get_config_file_path">
- <arg name="path" type="s" direction="out"/>
- </method>
- <method name="get_nickname">
- <arg name="nickname" type="s" direction="out"/>
- </method>
- <property name="nickname" type="s" access="read"/>
- <property name="aka" type="s" access="read"/>
- <method name="get_is_default">
- <arg name="default" type="b" direction="out"/>
- </method>
- <property name="is-default" type="b" access="readwrite"/>
- <method name="get_type">
- <arg name="type" type="s" direction="out"/>
- </method>
- <method name="get_serial">
- <arg name="serial_hex" type="s" direction="out"/>
- </method>
- <method name="get_location">
- <arg name="path" type="s" direction="out"/>
- </method>
- <property name="external-helper" type="s" access="readwrite"/>
- <method name="get_issuer_names">
- <arg name="names" type="as" direction="out"/>
- </method>
- <method name="refresh">
- <arg name="working" type="b" direction="out"/>
- </method>
- <property name="ca-error" type="s" access="read"/>
- <property name="issuer-names" type="as" access="read"/>
- <property name="root-certs" type="a(ss)" access="read"/>
- <property name="root-other-certs" type="a(ss)" access="read"/>
- <property name="other-certs" type="a(ss)" access="read"/>
- <property name="required-enroll-attributes" type="as" access="read"/>
- <property name="required-renew-attributes" type="as" access="read"/>
- <property name="supported-profiles" type="as" access="read"/>
- <property name="default-profile" type="s" access="read"/>
- <property name="root-cert-files" type="as" access="readwrite"/>
- <property name="root-other-cert-files" type="as" access="readwrite"/>
- <property name="other-cert-files" type="as" access="readwrite"/>
- <property name="root-cert-nssdbs" type="as" access="readwrite"/>
- <property name="root-other-cert-nssdbs" type="as" access="readwrite"/>
- <property name="other-cert-nssdbs" type="as" access="readwrite"/>
- <property name="ca-presave-command" type="s" access="read"/>
- <property name="ca-presave-uid" type="s" access="read"/>
- <property name="ca-postsave-command" type="s" access="read"/>
- <property name="ca-postsave-uid" type="s" access="read"/>
- <property name="scep-cipher" type="s" access="readwrite"/>
- <property name="scep-digest" type="s" access="readwrite"/>
- <property name="scep-ca-identifier" type="s" access="readwrite"/>
- <property name="scep-ca-capabilities" type="as" access="read"/>
- <property name="scep-ra-cert" type="s" access="read"/>
- <property name="scep-ca-cert" type="s" access="read"/>
- <property name="scep-other-certs" type="s" access="read"/>
- </interface>
-</node>
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-3
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
-dogtag-ipa-renew-agent
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_is_default ]
-0
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_type ]
-EXTERNAL
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_serial ]
-None
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_location ]
-$libexecdir/dogtag-ipa-renew-agent-submit
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_issuer_names ]
-dbus.Array([], signature=dbus.Signature('s'))
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.refresh ]
-1
-
--
2.31.1

19
certmonger.spec
View File

@ -27,8 +27,8 @@
%bcond_with xmlrpc
Name: certmonger
Version: 0.79.14
Release: 7%{?dist}
Version: 0.79.17
Release: 1%{?dist}
Summary: Certificate status monitor and PKI enrollment client
License: GPLv3+
@ -36,18 +36,6 @@ URL: http://pagure.io/certmonger/
Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
#Source1: http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig
Patch0002: 0002-candidate-openssl-3.0-compat-fixes.patch
Patch0004: 0004-Add-compile-check-for-EVP_PKEY_get_id-along-with-EVP.patch
Patch0005: 0005-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch
Patch0006: 0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch
Patch0007: 0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch
Patch0008: 0008-Use-implicit-empty-FALSE-for-extensions.patch
Patch0009: 0009-Use-extensions-template-from-NSS.patch
Patch0010: 0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch
Patch0011: 0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch
Patch0012: 0012-Remove-dependency-on-SHA-1.patch
Patch0013: 0013-Disable-DSA-in-the-RPM-spec.patch
BuildRequires: autoconf
BuildRequires: automake
@ -278,6 +266,9 @@ exit 0
%endif
%changelog
* Tue Dec 6 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-1
- Update to upstream 0.79.17
* Thu Apr 07 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.14-7
- Disable DSA (#2066439)

2
sources
View File

@ -1 +1 @@
SHA512 (certmonger-0.79.14.tar.gz) = 8eed1675fa5c79249993d96ad053f5414ff406f614860d0eaab3cd26d17291caaf192e8f308ba1317d85ebc021b7c2ab0d2a6b8c741b1b8e7796793f3dcceae3
SHA512 (certmonger-0.79.17.tar.gz) = ed631cbfc0a757143af912549cecf65346994107f27651022ada8c70f0ed1bac7ee053a99b9a13290b844999710a3207aa0e7718428f3a3b6e5dd0d5db3a88a9