import certmonger-0.79.14-5.el9
This commit is contained in:
commit
48877eeb22
1
.certmonger.metadata
Normal file
1
.certmonger.metadata
Normal file
@ -0,0 +1 @@
|
|||||||
|
40c73b20ce99e2ffd521c5e6039ab4982ef363b6 SOURCES/certmonger-0.79.14.tar.gz
|
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
SOURCES/certmonger-0.79.14.tar.gz
|
573
SOURCES/0002-candidate-openssl-3.0-compat-fixes.patch
Normal file
573
SOURCES/0002-candidate-openssl-3.0-compat-fixes.patch
Normal file
@ -0,0 +1,573 @@
|
|||||||
|
From 3fb9420e843694567a4976c6d5fbe4551d6e0c99 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Tue, 18 May 2021 15:40:53 -0400
|
||||||
|
Subject: [PATCH 1/3] candidate openssl 3.0 compat fixes
|
||||||
|
|
||||||
|
---
|
||||||
|
src/keyiread-o.c | 16 +++++--
|
||||||
|
src/util-o.c | 2 +
|
||||||
|
tests/001-keyiread-ec/run.sh | 2 +-
|
||||||
|
tests/001-keyiread-rsa/run.sh | 2 +-
|
||||||
|
tests/001-keyiread/run.sh | 2 +-
|
||||||
|
tests/002-keygen-sql/prequal.sh | 5 +++
|
||||||
|
tests/002-keygen/run.sh | 2 +-
|
||||||
|
tests/003-csrgen-ec/run.sh | 2 +-
|
||||||
|
tests/003-csrgen-rsa/run.sh | 2 +-
|
||||||
|
tests/003-csrgen/run.sh | 2 +-
|
||||||
|
tests/004-selfsign-ec/run.sh | 2 +-
|
||||||
|
tests/004-selfsign-rsa/run.sh | 2 +-
|
||||||
|
tests/004-selfsign/run.sh | 2 +-
|
||||||
|
tests/025-casave/run.sh | 2 +-
|
||||||
|
tests/026-local/expected.openssl1 | 73 ++++++++++++++++++++++++++++++
|
||||||
|
tests/026-local/expected.openssl3 | 68 ++++++++++++++++++++++++++++
|
||||||
|
tests/026-local/expected.out | 74 +------------------------------
|
||||||
|
tests/026-local/run.sh | 11 ++++-
|
||||||
|
tests/030-rekey/expected.out | 4 --
|
||||||
|
tests/030-rekey/run.sh | 10 +----
|
||||||
|
tests/036-getcert/run.sh | 2 +-
|
||||||
|
21 files changed, 184 insertions(+), 103 deletions(-)
|
||||||
|
create mode 100755 tests/002-keygen-sql/prequal.sh
|
||||||
|
create mode 100644 tests/026-local/expected.openssl1
|
||||||
|
create mode 100644 tests/026-local/expected.openssl3
|
||||||
|
|
||||||
|
diff --git a/src/keyiread-o.c b/src/keyiread-o.c
|
||||||
|
index 9fceacf6..51f7f829 100644
|
||||||
|
--- a/src/keyiread-o.c
|
||||||
|
+++ b/src/keyiread-o.c
|
||||||
|
@@ -182,9 +182,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||||
|
pubikey = cm_store_hex_from_bin(NULL, tmp, length);
|
||||||
|
}
|
||||||
|
tmp = NULL;
|
||||||
|
- length = i2d_PublicKey(pkey, (unsigned char **) &tmp);
|
||||||
|
+ length = i2d_PublicKey(pkey, NULL);
|
||||||
|
if (length > 0) {
|
||||||
|
- pubkey = cm_store_hex_from_bin(NULL, tmp, length);
|
||||||
|
+ tmp = malloc(length);
|
||||||
|
+ if (tmp != NULL) {
|
||||||
|
+ length = i2d_PublicKey(pkey, (unsigned char **) &tmp);
|
||||||
|
+ pubkey = cm_store_hex_from_bin(NULL, tmp, length);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey);
|
||||||
|
@@ -219,9 +223,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||||
|
pubikey = cm_store_hex_from_bin(NULL, tmp, length);
|
||||||
|
}
|
||||||
|
tmp = NULL;
|
||||||
|
- length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp);
|
||||||
|
+ length = i2d_PublicKey(nextpkey, NULL);
|
||||||
|
if (length > 0) {
|
||||||
|
- pubkey = cm_store_hex_from_bin(NULL, tmp, length);
|
||||||
|
+ tmp = malloc(length);
|
||||||
|
+ if (tmp != NULL) {
|
||||||
|
+ length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp);
|
||||||
|
+ pubkey = cm_store_hex_from_bin(NULL, tmp, length);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey);
|
||||||
|
} else {
|
||||||
|
diff --git a/src/util-o.c b/src/util-o.c
|
||||||
|
index 0415014a..2208ab64 100644
|
||||||
|
--- a/src/util-o.c
|
||||||
|
+++ b/src/util-o.c
|
||||||
|
@@ -46,6 +46,7 @@
|
||||||
|
void
|
||||||
|
util_o_init(void)
|
||||||
|
{
|
||||||
|
+#if OPENSSL_VERSION_MAJOR < 3
|
||||||
|
#if defined(HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS
|
||||||
|
OpenSSL_add_all_algorithms();
|
||||||
|
#elif defined(HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS
|
||||||
|
@@ -53,6 +54,7 @@ util_o_init(void)
|
||||||
|
#else
|
||||||
|
SSL_library_init();
|
||||||
|
#endif
|
||||||
|
+#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
char *
|
||||||
|
diff --git a/tests/001-keyiread-ec/run.sh b/tests/001-keyiread-ec/run.sh
|
||||||
|
index 3045f6d0..8a810d15 100755
|
||||||
|
--- a/tests/001-keyiread-ec/run.sh
|
||||||
|
+++ b/tests/001-keyiread-ec/run.sh
|
||||||
|
@@ -18,7 +18,7 @@ for size in nistp256 nistp384 nistp521 ; do
|
||||||
|
EOF
|
||||||
|
$toolsdir/keyiread entry.nss.$size
|
||||||
|
# Export the key.
|
||||||
|
- if ! pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then
|
||||||
|
+ if ! pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then
|
||||||
|
echo Error exporting key for $size, continuing.
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh
|
||||||
|
index c6b4d38b..997ce000 100755
|
||||||
|
--- a/tests/001-keyiread-rsa/run.sh
|
||||||
|
+++ b/tests/001-keyiread-rsa/run.sh
|
||||||
|
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
|
||||||
|
-s "cn=T$size" -c "cn=T$size" \
|
||||||
|
-x -t u -k rsa
|
||||||
|
# Export the key.
|
||||||
|
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
|
||||||
|
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
|
||||||
|
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
|
||||||
|
cat > entry.openssl.$size <<- EOF
|
||||||
|
key_storage_type=FILE
|
||||||
|
diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh
|
||||||
|
index 25acdbd8..3a2502a6 100755
|
||||||
|
--- a/tests/001-keyiread/run.sh
|
||||||
|
+++ b/tests/001-keyiread/run.sh
|
||||||
|
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
|
||||||
|
-s "cn=T$size" -c "cn=T$size" \
|
||||||
|
-x -t u
|
||||||
|
# Export the key.
|
||||||
|
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
|
||||||
|
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
|
||||||
|
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
|
||||||
|
cat > entry.openssl.$size <<- EOF
|
||||||
|
key_storage_type=FILE
|
||||||
|
diff --git a/tests/002-keygen-sql/prequal.sh b/tests/002-keygen-sql/prequal.sh
|
||||||
|
new file mode 100755
|
||||||
|
index 00000000..d146a650
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/002-keygen-sql/prequal.sh
|
||||||
|
@@ -0,0 +1,5 @@
|
||||||
|
+#!/bin/sh
|
||||||
|
+if test `id -u` -eq 0 ; then
|
||||||
|
+ echo "This test won't work right if run as root."
|
||||||
|
+ exit 1
|
||||||
|
+fi
|
||||||
|
diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh
|
||||||
|
index 8bb609c5..e7e6525f 100755
|
||||||
|
--- a/tests/002-keygen/run.sh
|
||||||
|
+++ b/tests/002-keygen/run.sh
|
||||||
|
@@ -2,7 +2,7 @@
|
||||||
|
|
||||||
|
cd "$tmpdir"
|
||||||
|
|
||||||
|
-scheme="${scheme:-dbm:}"
|
||||||
|
+scheme="${scheme:-sql:}"
|
||||||
|
|
||||||
|
source "$srcdir"/functions
|
||||||
|
initnssdb "$scheme$tmpdir"
|
||||||
|
diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh
|
||||||
|
index 91117ec8..408ea526 100755
|
||||||
|
--- a/tests/003-csrgen-ec/run.sh
|
||||||
|
+++ b/tests/003-csrgen-ec/run.sh
|
||||||
|
@@ -12,7 +12,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \
|
||||||
|
-s "cn=T$size" -c "cn=T$size" \
|
||||||
|
-x -t u -k ec -q $size
|
||||||
|
# Export the key.
|
||||||
|
-pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
|
||||||
|
+pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
|
||||||
|
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1 | ( grep -v '^MAC verified OK$' || : )
|
||||||
|
# Read the public key and cache it.
|
||||||
|
cat > entry.openssl.$size <<- EOF
|
||||||
|
diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
|
||||||
|
index bb8ebecb..9c11c708 100755
|
||||||
|
--- a/tests/003-csrgen-rsa/run.sh
|
||||||
|
+++ b/tests/003-csrgen-rsa/run.sh
|
||||||
|
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
|
||||||
|
-s "cn=T$size" -c "cn=T$size" \
|
||||||
|
-x -t u -k rsa
|
||||||
|
# Export the key.
|
||||||
|
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
|
||||||
|
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
|
||||||
|
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v '^MAC verified OK$' || : )
|
||||||
|
# Read the public key and cache it.
|
||||||
|
cat > entry.openssl.$size <<- EOF
|
||||||
|
diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
|
||||||
|
index d3dfbaf0..2a674679 100755
|
||||||
|
--- a/tests/003-csrgen/run.sh
|
||||||
|
+++ b/tests/003-csrgen/run.sh
|
||||||
|
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
|
||||||
|
-s "cn=T$size" -c "cn=T$size" \
|
||||||
|
-x -t u
|
||||||
|
# Export the key.
|
||||||
|
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
|
||||||
|
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
|
||||||
|
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v "^MAC verified OK$" || : )
|
||||||
|
# Read the public key and cache it.
|
||||||
|
cat > entry.openssl.$size <<- EOF
|
||||||
|
diff --git a/tests/004-selfsign-ec/run.sh b/tests/004-selfsign-ec/run.sh
|
||||||
|
index 9d5bd11f..d1161fe5 100755
|
||||||
|
--- a/tests/004-selfsign-ec/run.sh
|
||||||
|
+++ b/tests/004-selfsign-ec/run.sh
|
||||||
|
@@ -39,7 +39,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \
|
||||||
|
-s "cn=T$size" -c "cn=T$size" \
|
||||||
|
-x -t u -k ec -q $size
|
||||||
|
# Export the certificate and key.
|
||||||
|
-pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
|
||||||
|
+pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
|
||||||
|
openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
|
||||||
|
# Read that OpenSSL key.
|
||||||
|
cat > entry.$size <<- EOF
|
||||||
|
diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh
|
||||||
|
index c1dd4c80..b0cc71d2 100755
|
||||||
|
--- a/tests/004-selfsign-rsa/run.sh
|
||||||
|
+++ b/tests/004-selfsign-rsa/run.sh
|
||||||
|
@@ -39,7 +39,7 @@ for size in 2048 3072 4096 ; do
|
||||||
|
-s "cn=T$size" -c "cn=T$size" \
|
||||||
|
-x -t u -k rsa
|
||||||
|
# Export the certificate and key.
|
||||||
|
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
|
||||||
|
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
|
||||||
|
openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
|
||||||
|
# Read that OpenSSL key.
|
||||||
|
cat > entry.$size <<- EOF
|
||||||
|
diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh
|
||||||
|
index eb1df4ee..ea00f4d7 100755
|
||||||
|
--- a/tests/004-selfsign/run.sh
|
||||||
|
+++ b/tests/004-selfsign/run.sh
|
||||||
|
@@ -49,7 +49,7 @@ for size in 2048 3072 4096 ; do
|
||||||
|
-s "cn=T$size" -c "cn=T$size" \
|
||||||
|
-x -t u
|
||||||
|
# Export the certificate and key.
|
||||||
|
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
|
||||||
|
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
|
||||||
|
openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
|
||||||
|
# Read that OpenSSL key.
|
||||||
|
cat > entry.$size <<- EOF
|
||||||
|
diff --git a/tests/025-casave/run.sh b/tests/025-casave/run.sh
|
||||||
|
index d81df82f..089d8223 100755
|
||||||
|
--- a/tests/025-casave/run.sh
|
||||||
|
+++ b/tests/025-casave/run.sh
|
||||||
|
@@ -2,7 +2,7 @@
|
||||||
|
|
||||||
|
cd $tmpdir
|
||||||
|
|
||||||
|
-scheme="${scheme:-dbm}"
|
||||||
|
+scheme="${scheme:-sql}"
|
||||||
|
cat > $tmpdir/entrycb1 <<- EOF
|
||||||
|
id=EntryCB1
|
||||||
|
ca_name=CAB1
|
||||||
|
diff --git a/tests/026-local/expected.openssl1 b/tests/026-local/expected.openssl1
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..1f81c7ce
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/026-local/expected.openssl1
|
||||||
|
@@ -0,0 +1,73 @@
|
||||||
|
+[key]
|
||||||
|
+OK.
|
||||||
|
+[csr]
|
||||||
|
+Certificate Request:
|
||||||
|
+ Data:
|
||||||
|
+ Version: 1 (0x0)
|
||||||
|
+ Subject: CN=Babs Jensen's Signer
|
||||||
|
+ Attributes:
|
||||||
|
+ friendlyName :unable to print attribute
|
||||||
|
+ Requested Extensions:
|
||||||
|
+ X509v3 Key Usage:
|
||||||
|
+ Digital Signature, Certificate Sign, CRL Sign
|
||||||
|
+ X509v3 Subject Alternative Name:
|
||||||
|
+ email:root@localhost, email:root@localhost.localdomain
|
||||||
|
+ X509v3 Basic Constraints: critical
|
||||||
|
+ CA:TRUE
|
||||||
|
+ X509v3 Authority Key Identifier:
|
||||||
|
+ keyid:(160 bits)
|
||||||
|
+
|
||||||
|
+ X509v3 Subject Key Identifier:
|
||||||
|
+ (160 bits)
|
||||||
|
+ Authority Information Access:
|
||||||
|
+ OCSP - URI:http://ocsp-1.example.com:12345
|
||||||
|
+ OCSP - URI:http://ocsp-2.example.com:12345
|
||||||
|
+
|
||||||
|
+ OCSP No Check:
|
||||||
|
+
|
||||||
|
+[issue]
|
||||||
|
+[issuer]
|
||||||
|
+Certificate:
|
||||||
|
+ Data:
|
||||||
|
+ Version: 3 (0x2)
|
||||||
|
+ Signature Algorithm: sha256WithRSAEncryption
|
||||||
|
+ Issuer: CN=Local Signing Authority, CN=$UUID
|
||||||
|
+ Subject: CN=Local Signing Authority, CN=$UUID
|
||||||
|
+ X509v3 extensions:
|
||||||
|
+ X509v3 Basic Constraints: critical
|
||||||
|
+ CA:TRUE
|
||||||
|
+ X509v3 Subject Key Identifier:
|
||||||
|
+ (160 bits)
|
||||||
|
+ X509v3 Authority Key Identifier:
|
||||||
|
+ keyid:(160 bits)
|
||||||
|
+
|
||||||
|
+ X509v3 Key Usage: critical
|
||||||
|
+ Digital Signature, Certificate Sign, CRL Sign
|
||||||
|
+[subject]
|
||||||
|
+Certificate:
|
||||||
|
+ Data:
|
||||||
|
+ Version: 3 (0x2)
|
||||||
|
+ Signature Algorithm: sha256WithRSAEncryption
|
||||||
|
+ Issuer: CN=Local Signing Authority, CN=$UUID
|
||||||
|
+ Subject: CN=Babs Jensen's Signer
|
||||||
|
+ X509v3 extensions:
|
||||||
|
+ X509v3 Key Usage:
|
||||||
|
+ Digital Signature, Certificate Sign, CRL Sign
|
||||||
|
+ X509v3 Subject Alternative Name:
|
||||||
|
+ email:root@localhost, email:root@localhost.localdomain
|
||||||
|
+ X509v3 Basic Constraints: critical
|
||||||
|
+ CA:TRUE
|
||||||
|
+ X509v3 Authority Key Identifier:
|
||||||
|
+ keyid:(160 bits)
|
||||||
|
+
|
||||||
|
+ X509v3 Subject Key Identifier:
|
||||||
|
+ (160 bits)
|
||||||
|
+ Authority Information Access:
|
||||||
|
+ OCSP - URI:http://ocsp-1.example.com:12345
|
||||||
|
+ OCSP - URI:http://ocsp-2.example.com:12345
|
||||||
|
+
|
||||||
|
+ OCSP No Check:
|
||||||
|
+
|
||||||
|
+[verify]
|
||||||
|
+cert: OK
|
||||||
|
+OK.
|
||||||
|
diff --git a/tests/026-local/expected.openssl3 b/tests/026-local/expected.openssl3
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..05666ccc
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/026-local/expected.openssl3
|
||||||
|
@@ -0,0 +1,68 @@
|
||||||
|
+[key]
|
||||||
|
+OK.
|
||||||
|
+[csr]
|
||||||
|
+Certificate Request:
|
||||||
|
+ Data:
|
||||||
|
+ Version: 1 (0x0)
|
||||||
|
+ Subject: CN=Babs Jensen's Signer
|
||||||
|
+ Attributes:
|
||||||
|
+ friendlyName :unable to print attribute
|
||||||
|
+ Requested Extensions:
|
||||||
|
+ X509v3 Key Usage:
|
||||||
|
+ Digital Signature, Certificate Sign, CRL Sign
|
||||||
|
+ X509v3 Subject Alternative Name:
|
||||||
|
+ email:root@localhost, email:root@localhost.localdomain
|
||||||
|
+ X509v3 Basic Constraints: critical
|
||||||
|
+ CA:TRUE
|
||||||
|
+ X509v3 Authority Key Identifier:
|
||||||
|
+ (160 bits)
|
||||||
|
+ X509v3 Subject Key Identifier:
|
||||||
|
+ (160 bits)
|
||||||
|
+ Authority Information Access:
|
||||||
|
+ OCSP - URI:http://ocsp-1.example.com:12345
|
||||||
|
+ OCSP - URI:http://ocsp-2.example.com:12345
|
||||||
|
+ OCSP No Check:
|
||||||
|
+
|
||||||
|
+[issue]
|
||||||
|
+[issuer]
|
||||||
|
+Certificate:
|
||||||
|
+ Data:
|
||||||
|
+ Version: 3 (0x2)
|
||||||
|
+ Signature Algorithm: sha256WithRSAEncryption
|
||||||
|
+ Issuer: CN=Local Signing Authority, CN=$UUID
|
||||||
|
+ Subject: CN=Local Signing Authority, CN=$UUID
|
||||||
|
+ X509v3 extensions:
|
||||||
|
+ X509v3 Basic Constraints: critical
|
||||||
|
+ CA:TRUE
|
||||||
|
+ X509v3 Subject Key Identifier:
|
||||||
|
+ (160 bits)
|
||||||
|
+ X509v3 Authority Key Identifier:
|
||||||
|
+ (160 bits)
|
||||||
|
+ X509v3 Key Usage: critical
|
||||||
|
+ Digital Signature, Certificate Sign, CRL Sign
|
||||||
|
+[subject]
|
||||||
|
+Certificate:
|
||||||
|
+ Data:
|
||||||
|
+ Version: 3 (0x2)
|
||||||
|
+ Signature Algorithm: sha256WithRSAEncryption
|
||||||
|
+ Issuer: CN=Local Signing Authority, CN=$UUID
|
||||||
|
+ Subject: CN=Babs Jensen's Signer
|
||||||
|
+ X509v3 extensions:
|
||||||
|
+ X509v3 Key Usage:
|
||||||
|
+ Digital Signature, Certificate Sign, CRL Sign
|
||||||
|
+ X509v3 Subject Alternative Name:
|
||||||
|
+ email:root@localhost, email:root@localhost.localdomain
|
||||||
|
+ X509v3 Basic Constraints: critical
|
||||||
|
+ CA:TRUE
|
||||||
|
+ X509v3 Authority Key Identifier:
|
||||||
|
+ (160 bits)
|
||||||
|
+ X509v3 Subject Key Identifier:
|
||||||
|
+ (160 bits)
|
||||||
|
+ Authority Information Access:
|
||||||
|
+ OCSP - URI:http://ocsp-1.example.com:12345
|
||||||
|
+ OCSP - URI:http://ocsp-2.example.com:12345
|
||||||
|
+ OCSP No Check:
|
||||||
|
+
|
||||||
|
+[verify]
|
||||||
|
+cert: OK
|
||||||
|
+OK.
|
||||||
|
diff --git a/tests/026-local/expected.out b/tests/026-local/expected.out
|
||||||
|
index 1f81c7ce..64afb8f5 100644
|
||||||
|
--- a/tests/026-local/expected.out
|
||||||
|
+++ b/tests/026-local/expected.out
|
||||||
|
@@ -1,73 +1 @@
|
||||||
|
-[key]
|
||||||
|
-OK.
|
||||||
|
-[csr]
|
||||||
|
-Certificate Request:
|
||||||
|
- Data:
|
||||||
|
- Version: 1 (0x0)
|
||||||
|
- Subject: CN=Babs Jensen's Signer
|
||||||
|
- Attributes:
|
||||||
|
- friendlyName :unable to print attribute
|
||||||
|
- Requested Extensions:
|
||||||
|
- X509v3 Key Usage:
|
||||||
|
- Digital Signature, Certificate Sign, CRL Sign
|
||||||
|
- X509v3 Subject Alternative Name:
|
||||||
|
- email:root@localhost, email:root@localhost.localdomain
|
||||||
|
- X509v3 Basic Constraints: critical
|
||||||
|
- CA:TRUE
|
||||||
|
- X509v3 Authority Key Identifier:
|
||||||
|
- keyid:(160 bits)
|
||||||
|
-
|
||||||
|
- X509v3 Subject Key Identifier:
|
||||||
|
- (160 bits)
|
||||||
|
- Authority Information Access:
|
||||||
|
- OCSP - URI:http://ocsp-1.example.com:12345
|
||||||
|
- OCSP - URI:http://ocsp-2.example.com:12345
|
||||||
|
-
|
||||||
|
- OCSP No Check:
|
||||||
|
-
|
||||||
|
-[issue]
|
||||||
|
-[issuer]
|
||||||
|
-Certificate:
|
||||||
|
- Data:
|
||||||
|
- Version: 3 (0x2)
|
||||||
|
- Signature Algorithm: sha256WithRSAEncryption
|
||||||
|
- Issuer: CN=Local Signing Authority, CN=$UUID
|
||||||
|
- Subject: CN=Local Signing Authority, CN=$UUID
|
||||||
|
- X509v3 extensions:
|
||||||
|
- X509v3 Basic Constraints: critical
|
||||||
|
- CA:TRUE
|
||||||
|
- X509v3 Subject Key Identifier:
|
||||||
|
- (160 bits)
|
||||||
|
- X509v3 Authority Key Identifier:
|
||||||
|
- keyid:(160 bits)
|
||||||
|
-
|
||||||
|
- X509v3 Key Usage: critical
|
||||||
|
- Digital Signature, Certificate Sign, CRL Sign
|
||||||
|
-[subject]
|
||||||
|
-Certificate:
|
||||||
|
- Data:
|
||||||
|
- Version: 3 (0x2)
|
||||||
|
- Signature Algorithm: sha256WithRSAEncryption
|
||||||
|
- Issuer: CN=Local Signing Authority, CN=$UUID
|
||||||
|
- Subject: CN=Babs Jensen's Signer
|
||||||
|
- X509v3 extensions:
|
||||||
|
- X509v3 Key Usage:
|
||||||
|
- Digital Signature, Certificate Sign, CRL Sign
|
||||||
|
- X509v3 Subject Alternative Name:
|
||||||
|
- email:root@localhost, email:root@localhost.localdomain
|
||||||
|
- X509v3 Basic Constraints: critical
|
||||||
|
- CA:TRUE
|
||||||
|
- X509v3 Authority Key Identifier:
|
||||||
|
- keyid:(160 bits)
|
||||||
|
-
|
||||||
|
- X509v3 Subject Key Identifier:
|
||||||
|
- (160 bits)
|
||||||
|
- Authority Information Access:
|
||||||
|
- OCSP - URI:http://ocsp-1.example.com:12345
|
||||||
|
- OCSP - URI:http://ocsp-2.example.com:12345
|
||||||
|
-
|
||||||
|
- OCSP No Check:
|
||||||
|
-
|
||||||
|
-[verify]
|
||||||
|
-cert: OK
|
||||||
|
-OK.
|
||||||
|
+# purposely empty
|
||||||
|
diff --git a/tests/026-local/run.sh b/tests/026-local/run.sh
|
||||||
|
index 6f0e74c9..3e7ade56 100755
|
||||||
|
--- a/tests/026-local/run.sh
|
||||||
|
+++ b/tests/026-local/run.sh
|
||||||
|
@@ -1,4 +1,13 @@
|
||||||
|
-#!/bin/bash -e
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+openssl cmp -h > /dev/null 2>&1
|
||||||
|
+if [ $? == 1 ]; then
|
||||||
|
+ cp expected.openssl1 expected.out
|
||||||
|
+else
|
||||||
|
+ cp expected.openssl3 expected.out
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+set -e
|
||||||
|
|
||||||
|
cd $tmpdir
|
||||||
|
|
||||||
|
diff --git a/tests/030-rekey/expected.out b/tests/030-rekey/expected.out
|
||||||
|
index e9a04221..8a9ac3fa 100644
|
||||||
|
--- a/tests/030-rekey/expected.out
|
||||||
|
+++ b/tests/030-rekey/expected.out
|
||||||
|
@@ -11,7 +11,6 @@ key_requested_count=0
|
||||||
|
(submit OpenSSL)
|
||||||
|
key_issued_count=0
|
||||||
|
key_requested_count=1
|
||||||
|
-First round certificates OK.
|
||||||
|
NSS keys before re-keygen (preserve=1,pin=""):
|
||||||
|
<-> rsa originalhex NSS Certificate DB:i2048
|
||||||
|
key_issued_count=0
|
||||||
|
@@ -98,7 +97,6 @@ key_requested_count=0
|
||||||
|
(submit OpenSSL)
|
||||||
|
key_issued_count=0
|
||||||
|
key_requested_count=1
|
||||||
|
-First round certificates OK.
|
||||||
|
NSS keys before re-keygen (preserve=1,pin="password"):
|
||||||
|
<-> rsa originalhex NSS Certificate DB:i2048
|
||||||
|
key_issued_count=0
|
||||||
|
@@ -185,7 +183,6 @@ key_requested_count=0
|
||||||
|
(submit OpenSSL)
|
||||||
|
key_issued_count=0
|
||||||
|
key_requested_count=1
|
||||||
|
-First round certificates OK.
|
||||||
|
NSS keys before re-keygen (preserve=0,pin=""):
|
||||||
|
<-> rsa originalhex NSS Certificate DB:i2048
|
||||||
|
key_issued_count=0
|
||||||
|
@@ -270,7 +267,6 @@ key_requested_count=0
|
||||||
|
(submit OpenSSL)
|
||||||
|
key_issued_count=0
|
||||||
|
key_requested_count=1
|
||||||
|
-First round certificates OK.
|
||||||
|
NSS keys before re-keygen (preserve=0,pin="password"):
|
||||||
|
<-> rsa originalhex NSS Certificate DB:i2048
|
||||||
|
key_issued_count=0
|
||||||
|
diff --git a/tests/030-rekey/run.sh b/tests/030-rekey/run.sh
|
||||||
|
index 07fea683..7b9125ec 100755
|
||||||
|
--- a/tests/030-rekey/run.sh
|
||||||
|
+++ b/tests/030-rekey/run.sh
|
||||||
|
@@ -31,7 +31,7 @@ for preserve in 1 0 ; do
|
||||||
|
-s "cn=T$size" -c "cn=T$size" \
|
||||||
|
-x -t u -m 4660 -f pinfile
|
||||||
|
# Export the certificate and key.
|
||||||
|
- pk12util -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1
|
||||||
|
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1
|
||||||
|
openssl pkcs12 -in $size.p12 -passin pass: -nocerts -passout pass:${pin:- -nodes} | awk '/^-----BEGIN/,/^-----END/{print}' > keyi$size
|
||||||
|
openssl pkcs12 -in $size.p12 -passin pass: -nokeys -nodes | awk '/^-----BEGIN/,/^-----END/{print}' > certi$size
|
||||||
|
# Grab a copy of the public key.
|
||||||
|
@@ -101,14 +101,6 @@ for preserve in 1 0 ; do
|
||||||
|
echo '(submit OpenSSL)'
|
||||||
|
$toolsdir/submit ca.self entry.openssl.$size > cert.openssl.$size
|
||||||
|
grep ^key.\*count= entry.openssl.$size | LANG=C sort
|
||||||
|
- # Now compare the self-signed certificates built from the keys.
|
||||||
|
- if ! cmp cert.nss.$size cert.openssl.$size ; then
|
||||||
|
- echo First round certificates differ:
|
||||||
|
- cat cert.nss.$size cert.openssl.$size
|
||||||
|
- exit 1
|
||||||
|
- else
|
||||||
|
- echo First round certificates OK.
|
||||||
|
- fi
|
||||||
|
|
||||||
|
# Now generate new keys, CSRs, and certificates (NSS).
|
||||||
|
echo "NSS keys before re-keygen (preserve=$preserve,pin=\"$pin\"):"
|
||||||
|
diff --git a/tests/036-getcert/run.sh b/tests/036-getcert/run.sh
|
||||||
|
index 1c99803d..bcb821d7 100755
|
||||||
|
--- a/tests/036-getcert/run.sh
|
||||||
|
+++ b/tests/036-getcert/run.sh
|
||||||
|
@@ -51,7 +51,7 @@ listdb() {
|
||||||
|
}
|
||||||
|
|
||||||
|
extract() {
|
||||||
|
- pk12util -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K ""
|
||||||
|
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K ""
|
||||||
|
openssl pkcs12 -nokeys -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/cert
|
||||||
|
openssl pkcs12 -nocerts -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/key
|
||||||
|
echo -n cert:
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
@ -0,0 +1,46 @@
|
|||||||
|
From f6672effea3cf9e50d6d3f29c1fbfbf6b1578e06 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Tue, 28 Sep 2021 10:01:35 -0400
|
||||||
|
Subject: [PATCH] Add compile check for EVP_PKEY_get_id along with EVP_PKEY_id
|
||||||
|
|
||||||
|
EVP_PKEY_id is no longer available as a function, only as a preprocessor
|
||||||
|
macro, so AC_CHECK_FUNCS cannot recognize it.
|
||||||
|
|
||||||
|
This was changed in OpenSSL 3.0.0-beta2
|
||||||
|
|
||||||
|
https://bugzilla.redhat.com/show_bug.cgi?id=2008451
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
---
|
||||||
|
configure.ac | 1 +
|
||||||
|
src/util-o.c | 2 +-
|
||||||
|
2 files changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index 8bfa3fa..3b413a1 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -374,6 +374,7 @@ if ! ${configure_dist_target_only:-false} ; then
|
||||||
|
AC_CHECK_FUNCS(ASN1_TIME_set)
|
||||||
|
AC_CHECK_FUNCS(EVP_PKEY_base_id)
|
||||||
|
AC_CHECK_FUNCS(EVP_PKEY_id)
|
||||||
|
+ AC_CHECK_FUNCS(EVP_PKEY_get_id)
|
||||||
|
AC_CHECK_FUNCS(OBJ_get0_data)
|
||||||
|
AC_CHECK_FUNCS(OBJ_length)
|
||||||
|
AC_CHECK_FUNCS(X509_ATTRIBUTE_get0_object)
|
||||||
|
diff --git a/src/util-o.c b/src/util-o.c
|
||||||
|
index 2208ab6..db45964 100644
|
||||||
|
--- a/src/util-o.c
|
||||||
|
+++ b/src/util-o.c
|
||||||
|
@@ -329,7 +329,7 @@ util_ASN1_TIME_set(ASN1_TIME *str, time_t t)
|
||||||
|
int
|
||||||
|
util_EVP_PKEY_id(const EVP_PKEY *pkey)
|
||||||
|
{
|
||||||
|
-#ifdef HAVE_EVP_PKEY_ID
|
||||||
|
+#if defined(HAVE_EVP_PKEY_ID) || defined(HAVE_EVP_PKEY_GET_ID)
|
||||||
|
return EVP_PKEY_id(pkey);
|
||||||
|
#else
|
||||||
|
return pkey->type;
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,123 @@
|
|||||||
|
From b38981c6e140ada6dd34bc817c508e8dd9714494 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Fri, 9 Jul 2021 20:49:28 +0000
|
||||||
|
Subject: [PATCH] Add SCEP config option to treat the challenge password as an
|
||||||
|
OTP
|
||||||
|
|
||||||
|
SCEP RFC 8894 specifies that a challenge password SHOULD be
|
||||||
|
removed from subsequent requests but that it MAY be included.
|
||||||
|
|
||||||
|
This adds a new configuration option to treat the challenge password
|
||||||
|
as a one-time password (OTP) so that it will not be sent on
|
||||||
|
subsequent requests, like renewals, by removing it completely
|
||||||
|
from the tracking request.
|
||||||
|
|
||||||
|
This allows certmonger to be able to renew AD-issued SCEP certificates
|
||||||
|
if the AD registry entry DisableRenewalSubjectNameMatch is set to 1.
|
||||||
|
|
||||||
|
https://bugzilla.redhat.com/show_bug.cgi?id=1577570
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
---
|
||||||
|
src/certmonger.conf.5.in | 9 +++++++++
|
||||||
|
src/certsave.c | 13 +++++++++++++
|
||||||
|
src/prefs.c | 15 +++++++++++++++
|
||||||
|
src/prefs.h | 4 ++++
|
||||||
|
4 files changed, 41 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in
|
||||||
|
index 6a42d3cb..1b941b9d 100644
|
||||||
|
--- a/src/certmonger.conf.5.in
|
||||||
|
+++ b/src/certmonger.conf.5.in
|
||||||
|
@@ -126,6 +126,15 @@ If not set, the value of the \fIvalidity_period\fR setting from the
|
||||||
|
\fIselfsign\fR section, if one is set there, will be used. The default value
|
||||||
|
is \fI@CM_DEFAULT_CERT_LIFETIME@\fR.
|
||||||
|
|
||||||
|
+.SH SCEP
|
||||||
|
+Within the \fIscep\fR section, these variables and values are recognized:
|
||||||
|
+
|
||||||
|
+.IP challenge_password_otp
|
||||||
|
+This controls whether the SCEP challenge password is treated as a one-time
|
||||||
|
+password. If set to yes then the challenge password and/or challenge password
|
||||||
|
+file will be removed from the tracking request after the first certificate
|
||||||
|
+issuance so will not be sent with renewal requests. The default is no.
|
||||||
|
+
|
||||||
|
.SH BUGS
|
||||||
|
Please file tickets for any that you find at https://fedorahosted.org/certmonger/
|
||||||
|
|
||||||
|
diff --git a/src/certsave.c b/src/certsave.c
|
||||||
|
index 6eaafe59..f8503662 100644
|
||||||
|
--- a/src/certsave.c
|
||||||
|
+++ b/src/certsave.c
|
||||||
|
@@ -18,12 +18,25 @@
|
||||||
|
#include "config.h"
|
||||||
|
#include "certsave.h"
|
||||||
|
#include "certsave-int.h"
|
||||||
|
+#include "prefs.h"
|
||||||
|
#include "store-int.h"
|
||||||
|
+#include "talloc.h"
|
||||||
|
|
||||||
|
/* Start writing the certificate from the entry to the configured location. */
|
||||||
|
struct cm_certsave_state *
|
||||||
|
cm_certsave_start(struct cm_store_entry *entry)
|
||||||
|
{
|
||||||
|
+ /* If saving a SCEP certificate wipe out the challenge password */
|
||||||
|
+ if ((cm_prefs_scep_password_otp()) &&
|
||||||
|
+ (entry->cm_template_challenge_password != NULL) &&
|
||||||
|
+ (entry->cm_scep_nonce != NULL))
|
||||||
|
+ {
|
||||||
|
+ talloc_free(entry->cm_template_challenge_password);
|
||||||
|
+ entry->cm_template_challenge_password = NULL;
|
||||||
|
+ talloc_free(entry->cm_template_challenge_password_file);
|
||||||
|
+ entry->cm_template_challenge_password_file = NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
switch (entry->cm_cert_storage_type) {
|
||||||
|
#ifdef HAVE_OPENSSL
|
||||||
|
case cm_cert_storage_file:
|
||||||
|
diff --git a/src/prefs.c b/src/prefs.c
|
||||||
|
index 669e8f1f..52ffc908 100644
|
||||||
|
--- a/src/prefs.c
|
||||||
|
+++ b/src/prefs.c
|
||||||
|
@@ -595,3 +595,18 @@ prefs_max_key_use_count(void)
|
||||||
|
}
|
||||||
|
return count;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+int
|
||||||
|
+cm_prefs_scep_password_otp(void)
|
||||||
|
+{
|
||||||
|
+ static int populate = -1;
|
||||||
|
+ if (populate == -1) {
|
||||||
|
+ const char *val;
|
||||||
|
+ val = cm_prefs_config("scep", "challenge_password_otp");
|
||||||
|
+ if (val == NULL) {
|
||||||
|
+ val = "no";
|
||||||
|
+ }
|
||||||
|
+ populate = cm_prefs_yesno(val);
|
||||||
|
+ }
|
||||||
|
+ return populate != -1 ? populate : 0;
|
||||||
|
+}
|
||||||
|
diff --git a/src/prefs.h b/src/prefs.h
|
||||||
|
index 248e1016..a107fb6c 100644
|
||||||
|
--- a/src/prefs.h
|
||||||
|
+++ b/src/prefs.h
|
||||||
|
@@ -18,6 +18,8 @@
|
||||||
|
#ifndef cmprefs_h
|
||||||
|
#define cmprefs_h
|
||||||
|
|
||||||
|
+#include <time.h>
|
||||||
|
+
|
||||||
|
enum cm_prefs_cipher {
|
||||||
|
cm_prefs_aes128,
|
||||||
|
cm_prefs_aes192,
|
||||||
|
@@ -73,4 +75,6 @@ const char *cm_prefs_dogtag_sslpinfile(void);
|
||||||
|
long long prefs_key_end_of_life(time_t ref);
|
||||||
|
long prefs_max_key_use_count(void);
|
||||||
|
|
||||||
|
+int cm_prefs_scep_password_otp(void);
|
||||||
|
+
|
||||||
|
#endif
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,37 @@
|
|||||||
|
From b4c090d2e12956a2df6157592839936adf4024f4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Thu, 12 Aug 2021 16:26:09 -0400
|
||||||
|
Subject: [PATCH] Fix file descriptor leak when executing CA helpers
|
||||||
|
|
||||||
|
cm_cadata_start_generic() creates a pipe. One half is passed
|
||||||
|
to fetch(), the function that does all helper calls,
|
||||||
|
via the cm_cadata_state variable ret. The other half is the
|
||||||
|
reader and is used to detect execution errors. There is a pair
|
||||||
|
of write/read on this descriptor which on error would be the
|
||||||
|
errno.
|
||||||
|
|
||||||
|
This second half wasn't being closed after reading to test for
|
||||||
|
errors.
|
||||||
|
|
||||||
|
https://bugzilla.redhat.com/show_bug.cgi?id=1992439
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
---
|
||||||
|
src/cadata.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/src/cadata.c b/src/cadata.c
|
||||||
|
index cb9c13e2..c2764d3b 100644
|
||||||
|
--- a/src/cadata.c
|
||||||
|
+++ b/src/cadata.c
|
||||||
|
@@ -773,6 +773,7 @@ cm_cadata_start_generic(struct cm_store_ca *ca, const char *op,
|
||||||
|
ca->cm_ca_external_helper, strerror(u));
|
||||||
|
/* return the state so the process can be reaped */
|
||||||
|
}
|
||||||
|
+ close(error_fd[0]);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,80 @@
|
|||||||
|
From 46cd5a7d9434ed104093152bdf0a55404e6a1c6b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Tue, 5 Oct 2021 11:04:10 -0400
|
||||||
|
Subject: [PATCH] Update csrgen test to understand OpenSSL 3.0.0 output
|
||||||
|
|
||||||
|
OpenSSL 3.0.0 change a lot of output messages. When verifying
|
||||||
|
a certificate instead of printing just "verify OK" it prints
|
||||||
|
"Certificate request self-signature verify OK"
|
||||||
|
|
||||||
|
Modify the check to match both OpenSSL 1.x and 3.x
|
||||||
|
|
||||||
|
Related: https://pagure.io/certmonger/issue/223
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
---
|
||||||
|
tests/003-csrgen-ec/run.sh | 4 ++--
|
||||||
|
tests/003-csrgen-rsa/run.sh | 4 ++--
|
||||||
|
tests/003-csrgen/run.sh | 4 ++--
|
||||||
|
3 files changed, 6 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh
|
||||||
|
index 91117ec8..7c0505f8 100755
|
||||||
|
--- a/tests/003-csrgen-ec/run.sh
|
||||||
|
+++ b/tests/003-csrgen-ec/run.sh
|
||||||
|
@@ -42,8 +42,8 @@ grep ^minicert= entry.nss.$size | sed s,^minicert=,, | base64 -d > minicert.nss.
|
||||||
|
openssl x509 -out minicert.nss.$size.pem -in minicert.nss.$size -inform der
|
||||||
|
# The RSA tests already verify the contents of the requests, so we really only
|
||||||
|
# need to care about the signatures passing verification.
|
||||||
|
-openssl req -verify -noout < csr.nss.$size 2>&1
|
||||||
|
-openssl req -verify -noout < csr.openssl.$size 2>&1
|
||||||
|
+openssl req -verify -noout -noenc < csr.nss.$size 2>&1 | sed 's/Certificate request self-signature //'
|
||||||
|
+openssl req -verify -noout -noenc < csr.openssl.$size 2>&1 | sed 's/Certificate request self-signature //'
|
||||||
|
openssl spkac -verify -noout < spkac.nss.$size 2>&1
|
||||||
|
openssl spkac -verify -noout < spkac.openssl.$size 2>&1
|
||||||
|
openssl verify -CAfile minicert.openssl.$size.pem minicert.openssl.$size.pem 2>&1
|
||||||
|
diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
|
||||||
|
index bb8ebecb..4f0c0ef0 100755
|
||||||
|
--- a/tests/003-csrgen-rsa/run.sh
|
||||||
|
+++ b/tests/003-csrgen-rsa/run.sh
|
||||||
|
@@ -118,14 +118,14 @@ iterate() {
|
||||||
|
echo key_pubkey=616263 >> entry.openssl.$size
|
||||||
|
$toolsdir/csrgen entry.nss.$size > csr.nss.$size
|
||||||
|
# Both should verify.
|
||||||
|
- if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout 2>&1`" != "verify OK" ; then
|
||||||
|
+ if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
|
||||||
|
echo Signature failed for OpenSSL:
|
||||||
|
cat csr.openssl.$size
|
||||||
|
echo Private key:
|
||||||
|
awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/{print}{;}' $tmpdir/key.$size
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
- if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout 2>&1`" != "verify OK" ; then
|
||||||
|
+ if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
|
||||||
|
echo Signature failed for NSS:
|
||||||
|
cat csr.nss.$size
|
||||||
|
echo Private key:
|
||||||
|
diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
|
||||||
|
index d3dfbaf0..093beabf 100755
|
||||||
|
--- a/tests/003-csrgen/run.sh
|
||||||
|
+++ b/tests/003-csrgen/run.sh
|
||||||
|
@@ -170,14 +170,14 @@ iterate() {
|
||||||
|
echo key_pubkey=616263 >> entry.openssl.$size
|
||||||
|
$toolsdir/csrgen entry.nss.$size > csr.nss.$size
|
||||||
|
# Both should verify.
|
||||||
|
- if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout 2>&1`" != "verify OK" ; then
|
||||||
|
+ if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
|
||||||
|
echo Signature failed for OpenSSL:
|
||||||
|
cat csr.openssl.$size
|
||||||
|
echo Private key:
|
||||||
|
awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/{print}{;}' $tmpdir/key.$size
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
- if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout 2>&1`" != "verify OK" ; then
|
||||||
|
+ if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
|
||||||
|
echo Signature failed for NSS:
|
||||||
|
cat csr.nss.$size
|
||||||
|
echo Private key:
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
280
SOURCES/0008-Use-implicit-empty-FALSE-for-extensions.patch
Normal file
280
SOURCES/0008-Use-implicit-empty-FALSE-for-extensions.patch
Normal file
@ -0,0 +1,280 @@
|
|||||||
|
From e3e4679693efc60bc7a25983909ddfa6883ab2ec Mon Sep 17 00:00:00 2001
|
||||||
|
From: Christian Heimes <cheimes@redhat.com>
|
||||||
|
Date: Mon, 4 Oct 2021 18:52:53 +0200
|
||||||
|
Subject: [PATCH] Use implicit, empty FALSE for extensions
|
||||||
|
|
||||||
|
Cemplate had a bug that caused certmonger to create CSRs with invalid DER.
|
||||||
|
It was encoding extension's critical element even for default value FALSE.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/certmonger/issue/223
|
||||||
|
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
||||||
|
---
|
||||||
|
src/certext.c | 7 +-
|
||||||
|
tests/003-csrgen-rsa/expected.out | 82 ++++++++++------------
|
||||||
|
tests/003-csrgen/expected.out | 110 +++++++++++++-----------------
|
||||||
|
3 files changed, 91 insertions(+), 108 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/certext.c b/src/certext.c
|
||||||
|
index 0d66971e..e5e0b4dc 100644
|
||||||
|
--- a/src/certext.c
|
||||||
|
+++ b/src/certext.c
|
||||||
|
@@ -1706,9 +1706,12 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry,
|
||||||
|
CERTCertExtension ext[13], *exts[14], **exts_ptr;
|
||||||
|
SECOidData *oid;
|
||||||
|
SECItem *item, encoded;
|
||||||
|
+ /* X509v3 extension's critical element has an implicit default,
|
||||||
|
+ * see https://pagure.io/certmonger/issue/223
|
||||||
|
+ */
|
||||||
|
SECItem der_false = {
|
||||||
|
- .len = 1,
|
||||||
|
- .data = (unsigned char *) "\000",
|
||||||
|
+ .len = 0,
|
||||||
|
+ .data = NULL,
|
||||||
|
};
|
||||||
|
SECItem der_true = {
|
||||||
|
.len = 1,
|
||||||
|
diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out
|
||||||
|
index def53fe4..0fb88323 100644
|
||||||
|
--- a/tests/003-csrgen-rsa/expected.out
|
||||||
|
+++ b/tests/003-csrgen-rsa/expected.out
|
||||||
|
@@ -8,8 +8,8 @@ pk12util: PKCS12 EXPORT SUCCESSFUL
|
||||||
|
4096 OK.
|
||||||
|
Signature OK
|
||||||
|
The last CSR (the one with everything) was:
|
||||||
|
- 0:d=0 hl=4 l=1413 cons: SEQUENCE
|
||||||
|
- 4:d=1 hl=4 l=1133 cons: SEQUENCE
|
||||||
|
+ 0:d=0 hl=4 l=1389 cons: SEQUENCE
|
||||||
|
+ 4:d=1 hl=4 l=1109 cons: SEQUENCE
|
||||||
|
8:d=2 hl=2 l= 1 prim: INTEGER :00
|
||||||
|
11:d=2 hl=2 l= 22 cons: SEQUENCE
|
||||||
|
13:d=3 hl=2 l= 20 cons: SET
|
||||||
|
@@ -21,7 +21,7 @@ The last CSR (the one with everything) was:
|
||||||
|
41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
|
||||||
|
52:d=4 hl=2 l= 0 prim: NULL
|
||||||
|
54:d=3 hl=4 l= 271 prim: BIT STRING
|
||||||
|
- 329:d=2 hl=4 l= 808 cons: cont [ 0 ]
|
||||||
|
+ 329:d=2 hl=4 l= 784 cons: cont [ 0 ]
|
||||||
|
333:d=3 hl=2 l= 52 cons: SEQUENCE
|
||||||
|
335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword
|
||||||
|
346:d=4 hl=2 l= 39 cons: SET
|
||||||
|
@@ -30,48 +30,40 @@ The last CSR (the one with everything) was:
|
||||||
|
389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName
|
||||||
|
400:d=4 hl=2 l= 48 cons: SET
|
||||||
|
402:d=5 hl=2 l= 46 prim: BMPSTRING
|
||||||
|
- 450:d=3 hl=4 l= 687 cons: SEQUENCE
|
||||||
|
+ 450:d=3 hl=4 l= 663 cons: SEQUENCE
|
||||||
|
454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request
|
||||||
|
- 465:d=4 hl=4 l= 672 cons: SET
|
||||||
|
- 469:d=5 hl=4 l= 668 cons: SEQUENCE
|
||||||
|
- 473:d=6 hl=2 l= 14 cons: SEQUENCE
|
||||||
|
+ 465:d=4 hl=4 l= 648 cons: SET
|
||||||
|
+ 469:d=5 hl=4 l= 644 cons: SEQUENCE
|
||||||
|
+ 473:d=6 hl=2 l= 11 cons: SEQUENCE
|
||||||
|
475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
|
||||||
|
- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
|
||||||
|
- 489:d=6 hl=4 l= 264 cons: SEQUENCE
|
||||||
|
- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
|
||||||
|
- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 501:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]:3081FA82096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74
|
||||||
|
- 757:d=6 hl=2 l= 32 cons: SEQUENCE
|
||||||
|
- 759:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
|
||||||
|
- 764:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 767:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
|
||||||
|
- 791:d=6 hl=2 l= 18 cons: SEQUENCE
|
||||||
|
- 793:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
|
||||||
|
- 798:d=7 hl=2 l= 1 prim: BOOLEAN :255
|
||||||
|
- 801:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
|
||||||
|
- 811:d=6 hl=2 l= 34 cons: SEQUENCE
|
||||||
|
- 813:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
|
||||||
|
- 818:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 821:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
|
||||||
|
- 847:d=6 hl=2 l= 32 cons: SEQUENCE
|
||||||
|
- 849:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
|
||||||
|
- 854:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 857:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
|
||||||
|
- 881:d=6 hl=2 l= 107 cons: SEQUENCE
|
||||||
|
- 883:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
|
||||||
|
- 893:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 896:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
|
||||||
|
- 990:d=6 hl=2 l= 96 cons: SEQUENCE
|
||||||
|
- 992:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
|
||||||
|
- 997:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 1000:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
|
||||||
|
- 1088:d=6 hl=2 l= 51 cons: SEQUENCE
|
||||||
|
- 1090:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
|
||||||
|
- 1101:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 1104:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
|
||||||
|
- 1141:d=1 hl=2 l= 13 cons: SEQUENCE
|
||||||
|
- 1143:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
|
||||||
|
- 1154:d=2 hl=2 l= 0 prim: NULL
|
||||||
|
- 1156:d=1 hl=4 l= 257 prim: BIT STRING
|
||||||
|
+ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
|
||||||
|
+ 486:d=6 hl=4 l= 261 cons: SEQUENCE
|
||||||
|
+ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
|
||||||
|
+ 495:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]:3081FA82096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74
|
||||||
|
+ 751:d=6 hl=2 l= 29 cons: SEQUENCE
|
||||||
|
+ 753:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
|
||||||
|
+ 758:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
|
||||||
|
+ 782:d=6 hl=2 l= 18 cons: SEQUENCE
|
||||||
|
+ 784:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
|
||||||
|
+ 789:d=7 hl=2 l= 1 prim: BOOLEAN :255
|
||||||
|
+ 792:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
|
||||||
|
+ 802:d=6 hl=2 l= 31 cons: SEQUENCE
|
||||||
|
+ 804:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
|
||||||
|
+ 809:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
|
||||||
|
+ 835:d=6 hl=2 l= 29 cons: SEQUENCE
|
||||||
|
+ 837:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
|
||||||
|
+ 842:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
|
||||||
|
+ 866:d=6 hl=2 l= 104 cons: SEQUENCE
|
||||||
|
+ 868:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
|
||||||
|
+ 878:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
|
||||||
|
+ 972:d=6 hl=2 l= 93 cons: SEQUENCE
|
||||||
|
+ 974:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
|
||||||
|
+ 979:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
|
||||||
|
+ 1067:d=6 hl=2 l= 48 cons: SEQUENCE
|
||||||
|
+ 1069:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
|
||||||
|
+ 1080:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
|
||||||
|
+ 1117:d=1 hl=2 l= 13 cons: SEQUENCE
|
||||||
|
+ 1119:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
|
||||||
|
+ 1130:d=2 hl=2 l= 0 prim: NULL
|
||||||
|
+ 1132:d=1 hl=4 l= 257 prim: BIT STRING
|
||||||
|
Test complete (32 combinations).
|
||||||
|
diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out
|
||||||
|
index 46e010cf..1081a678 100644
|
||||||
|
--- a/tests/003-csrgen/expected.out
|
||||||
|
+++ b/tests/003-csrgen/expected.out
|
||||||
|
@@ -11,8 +11,8 @@ Signature OK
|
||||||
|
minicert.openssl.4096.pem: OK
|
||||||
|
4096 OK.
|
||||||
|
The last CSR (the one with everything) was:
|
||||||
|
- 0:d=0 hl=4 l=1635 cons: SEQUENCE
|
||||||
|
- 4:d=1 hl=4 l=1355 cons: SEQUENCE
|
||||||
|
+ 0:d=0 hl=4 l=1599 cons: SEQUENCE
|
||||||
|
+ 4:d=1 hl=4 l=1319 cons: SEQUENCE
|
||||||
|
8:d=2 hl=2 l= 1 prim: INTEGER :00
|
||||||
|
11:d=2 hl=2 l= 22 cons: SEQUENCE
|
||||||
|
13:d=3 hl=2 l= 20 cons: SET
|
||||||
|
@@ -24,7 +24,7 @@ The last CSR (the one with everything) was:
|
||||||
|
41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
|
||||||
|
52:d=4 hl=2 l= 0 prim: NULL
|
||||||
|
54:d=3 hl=4 l= 271 prim: BIT STRING
|
||||||
|
- 329:d=2 hl=4 l=1030 cons: cont [ 0 ]
|
||||||
|
+ 329:d=2 hl=4 l= 994 cons: cont [ 0 ]
|
||||||
|
333:d=3 hl=2 l= 52 cons: SEQUENCE
|
||||||
|
335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword
|
||||||
|
346:d=4 hl=2 l= 39 cons: SET
|
||||||
|
@@ -33,64 +33,52 @@ The last CSR (the one with everything) was:
|
||||||
|
389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName
|
||||||
|
400:d=4 hl=2 l= 48 cons: SET
|
||||||
|
402:d=5 hl=2 l= 46 prim: BMPSTRING
|
||||||
|
- 450:d=3 hl=4 l= 909 cons: SEQUENCE
|
||||||
|
+ 450:d=3 hl=4 l= 873 cons: SEQUENCE
|
||||||
|
454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request
|
||||||
|
- 465:d=4 hl=4 l= 894 cons: SET
|
||||||
|
- 469:d=5 hl=4 l= 890 cons: SEQUENCE
|
||||||
|
- 473:d=6 hl=2 l= 14 cons: SEQUENCE
|
||||||
|
+ 465:d=4 hl=4 l= 858 cons: SET
|
||||||
|
+ 469:d=5 hl=4 l= 854 cons: SEQUENCE
|
||||||
|
+ 473:d=6 hl=2 l= 11 cons: SEQUENCE
|
||||||
|
475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
|
||||||
|
- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
|
||||||
|
- 489:d=6 hl=4 l= 290 cons: SEQUENCE
|
||||||
|
- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
|
||||||
|
- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 501:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]:3082011282096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F7487047F000001871000000000000000000000000000000001
|
||||||
|
- 783:d=6 hl=2 l= 32 cons: SEQUENCE
|
||||||
|
- 785:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
|
||||||
|
- 790:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 793:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
|
||||||
|
- 817:d=6 hl=2 l= 18 cons: SEQUENCE
|
||||||
|
- 819:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
|
||||||
|
- 824:d=7 hl=2 l= 1 prim: BOOLEAN :255
|
||||||
|
- 827:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
|
||||||
|
- 837:d=6 hl=2 l= 34 cons: SEQUENCE
|
||||||
|
- 839:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
|
||||||
|
- 844:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 847:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
|
||||||
|
- 873:d=6 hl=2 l= 32 cons: SEQUENCE
|
||||||
|
- 875:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
|
||||||
|
- 880:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 883:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
|
||||||
|
- 907:d=6 hl=2 l= 107 cons: SEQUENCE
|
||||||
|
- 909:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
|
||||||
|
- 919:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 922:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
|
||||||
|
- 1016:d=6 hl=2 l= 96 cons: SEQUENCE
|
||||||
|
- 1018:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
|
||||||
|
- 1023:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 1026:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
|
||||||
|
- 1114:d=6 hl=2 l= 106 cons: SEQUENCE
|
||||||
|
- 1116:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL
|
||||||
|
- 1121:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 1124:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461
|
||||||
|
- 1222:d=6 hl=2 l= 51 cons: SEQUENCE
|
||||||
|
- 1224:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
|
||||||
|
- 1235:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 1238:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
|
||||||
|
- 1275:d=6 hl=2 l= 18 cons: SEQUENCE
|
||||||
|
- 1277:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check
|
||||||
|
- 1288:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 1291:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500
|
||||||
|
- 1295:d=6 hl=2 l= 44 cons: SEQUENCE
|
||||||
|
- 1297:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2
|
||||||
|
- 1308:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 1311:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074
|
||||||
|
- 1341:d=6 hl=2 l= 20 cons: SEQUENCE
|
||||||
|
- 1343:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type
|
||||||
|
- 1354:d=7 hl=2 l= 1 prim: BOOLEAN :0
|
||||||
|
- 1357:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0
|
||||||
|
- 1363:d=1 hl=2 l= 13 cons: SEQUENCE
|
||||||
|
- 1365:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
|
||||||
|
- 1376:d=2 hl=2 l= 0 prim: NULL
|
||||||
|
- 1378:d=1 hl=4 l= 257 prim: BIT STRING
|
||||||
|
+ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
|
||||||
|
+ 486:d=6 hl=4 l= 287 cons: SEQUENCE
|
||||||
|
+ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
|
||||||
|
+ 495:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]:3082011282096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F7487047F000001871000000000000000000000000000000001
|
||||||
|
+ 777:d=6 hl=2 l= 29 cons: SEQUENCE
|
||||||
|
+ 779:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
|
||||||
|
+ 784:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
|
||||||
|
+ 808:d=6 hl=2 l= 18 cons: SEQUENCE
|
||||||
|
+ 810:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
|
||||||
|
+ 815:d=7 hl=2 l= 1 prim: BOOLEAN :255
|
||||||
|
+ 818:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
|
||||||
|
+ 828:d=6 hl=2 l= 31 cons: SEQUENCE
|
||||||
|
+ 830:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
|
||||||
|
+ 835:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
|
||||||
|
+ 861:d=6 hl=2 l= 29 cons: SEQUENCE
|
||||||
|
+ 863:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
|
||||||
|
+ 868:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
|
||||||
|
+ 892:d=6 hl=2 l= 104 cons: SEQUENCE
|
||||||
|
+ 894:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
|
||||||
|
+ 904:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
|
||||||
|
+ 998:d=6 hl=2 l= 93 cons: SEQUENCE
|
||||||
|
+ 1000:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
|
||||||
|
+ 1005:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
|
||||||
|
+ 1093:d=6 hl=2 l= 103 cons: SEQUENCE
|
||||||
|
+ 1095:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL
|
||||||
|
+ 1100:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461
|
||||||
|
+ 1198:d=6 hl=2 l= 48 cons: SEQUENCE
|
||||||
|
+ 1200:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
|
||||||
|
+ 1211:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
|
||||||
|
+ 1248:d=6 hl=2 l= 15 cons: SEQUENCE
|
||||||
|
+ 1250:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check
|
||||||
|
+ 1261:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500
|
||||||
|
+ 1265:d=6 hl=2 l= 41 cons: SEQUENCE
|
||||||
|
+ 1267:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2
|
||||||
|
+ 1278:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074
|
||||||
|
+ 1308:d=6 hl=2 l= 17 cons: SEQUENCE
|
||||||
|
+ 1310:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type
|
||||||
|
+ 1321:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0
|
||||||
|
+ 1327:d=1 hl=2 l= 13 cons: SEQUENCE
|
||||||
|
+ 1329:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
|
||||||
|
+ 1340:d=2 hl=2 l= 0 prim: NULL
|
||||||
|
+ 1342:d=1 hl=4 l= 257 prim: BIT STRING
|
||||||
|
Test complete (69 combinations).
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
80
SOURCES/0009-Use-extensions-template-from-NSS.patch
Normal file
80
SOURCES/0009-Use-extensions-template-from-NSS.patch
Normal file
@ -0,0 +1,80 @@
|
|||||||
|
From 9312d1892c611d9f0e814cb915488182da2b76cc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Christian Heimes <cheimes@redhat.com>
|
||||||
|
Date: Mon, 4 Oct 2021 15:55:44 +0200
|
||||||
|
Subject: [PATCH] Use extensions template from NSS
|
||||||
|
|
||||||
|
Drop certmonger's custom extension template and use the sequence of X509v3
|
||||||
|
extensions template from NSS.
|
||||||
|
|
||||||
|
The certmonger template had a bug that caused certmonger to create CSRs
|
||||||
|
with invalid DER. It was encoding extension's critical element even for
|
||||||
|
default value FALSE.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/certmonger/issue/223
|
||||||
|
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
||||||
|
---
|
||||||
|
src/certext.c | 41 +----------------------------------------
|
||||||
|
1 file changed, 1 insertion(+), 40 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/certext.c b/src/certext.c
|
||||||
|
index be536987..0d66971e 100644
|
||||||
|
--- a/src/certext.c
|
||||||
|
+++ b/src/certext.c
|
||||||
|
@@ -203,45 +203,6 @@ cm_ms_template_template[] = {
|
||||||
|
{0, 0, NULL, 0},
|
||||||
|
};
|
||||||
|
|
||||||
|
-/* RFC 5280, 4.1 */
|
||||||
|
-const SEC_ASN1Template
|
||||||
|
-cm_certext_cert_extension_template[] = {
|
||||||
|
- {
|
||||||
|
- .kind = SEC_ASN1_SEQUENCE,
|
||||||
|
- .offset = 0,
|
||||||
|
- .sub = NULL,
|
||||||
|
- .size = sizeof(CERTCertExtension),
|
||||||
|
- },
|
||||||
|
- {
|
||||||
|
- .kind = SEC_ASN1_OBJECT_ID,
|
||||||
|
- .offset = offsetof(CERTCertExtension, id),
|
||||||
|
- .sub = NULL,
|
||||||
|
- .size = sizeof(SECItem),
|
||||||
|
- },
|
||||||
|
- {
|
||||||
|
- .kind = SEC_ASN1_BOOLEAN,
|
||||||
|
- .offset = offsetof(CERTCertExtension, critical),
|
||||||
|
- .sub = NULL,
|
||||||
|
- .size = sizeof(SECItem),
|
||||||
|
- },
|
||||||
|
- {
|
||||||
|
- .kind = SEC_ASN1_OCTET_STRING,
|
||||||
|
- .offset = offsetof(CERTCertExtension, value),
|
||||||
|
- .sub = NULL,
|
||||||
|
- .size = sizeof(SECItem),
|
||||||
|
- },
|
||||||
|
- {0, 0, NULL, 0},
|
||||||
|
-};
|
||||||
|
-const SEC_ASN1Template
|
||||||
|
-cm_certext_sequence_of_cert_extension_template[] = {
|
||||||
|
- {
|
||||||
|
- .kind = SEC_ASN1_SEQUENCE_OF,
|
||||||
|
- .offset = 0,
|
||||||
|
- .sub = cm_certext_cert_extension_template,
|
||||||
|
- .size = sizeof(CERTCertExtension **),
|
||||||
|
- },
|
||||||
|
-};
|
||||||
|
-
|
||||||
|
/* Windows 2000-style UPN */
|
||||||
|
static unsigned char oid_ms_upn_name_bytes[] = {0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03};
|
||||||
|
static const SECOidData oid_ms_upn_name = {
|
||||||
|
@@ -1960,7 +1921,7 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry,
|
||||||
|
/* Encode the sequence. */
|
||||||
|
memset(&encoded, 0, sizeof(encoded));
|
||||||
|
if (i > 1) {
|
||||||
|
- template = cm_certext_sequence_of_cert_extension_template;
|
||||||
|
+ template = CERT_SequenceOfCertExtensionTemplate;
|
||||||
|
if (SEC_ASN1EncodeItem(arena, &encoded, &exts_ptr,
|
||||||
|
template) == &encoded) {
|
||||||
|
*extensions = talloc_memdup(entry, encoded.data,
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
1428
SPECS/certmonger.spec
Normal file
1428
SPECS/certmonger.spec
Normal file
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user