import certmonger-0.79.7-14.el8

This commit is contained in:
CentOS Sources 2020-07-28 07:30:30 -04:00 committed by Stepan Oksanichenko
parent aad6b1eaa9
commit 53709b48a8
21 changed files with 8157 additions and 7 deletions

View File

@ -0,0 +1,134 @@
From 9bbb628620d4e586941344e1bdbbc166a885c0a9 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 5 Sep 2019 12:45:52 -0400
Subject: [PATCH] Optimize closing open file descriptors
When forking, the code would close all unused file descriptors up
to maximum number of files. In the default case this is 1024. In
the container case this is 1048576. Huge delays in startup were
seen due to this.
Even in a default 1024 ulimit case this drastically reduces the
number of file descriptors to mark FD_CLOEXEC but in the container
default case this saves another order of magnitude of work.
This patch takes inspiration from systemd[1] and walks /proc/self/fd
if it is available to determine the list of open descriptors. It
falls back to the "close all fds we don't care about up to limit"
method.
https://bugzilla.redhat.com/show_bug.cgi?id=1656519
[1] https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217
---
src/subproc.c | 71 ++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 62 insertions(+), 9 deletions(-)
diff --git a/src/subproc.c b/src/subproc.c
index e49e3762..8df836ae 100644
--- a/src/subproc.c
+++ b/src/subproc.c
@@ -19,6 +19,7 @@
#include <sys/types.h>
#include <sys/wait.h>
+#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <paths.h>
@@ -436,6 +437,25 @@ cm_subproc_parse_args(void *parent, const char *cmdline, const char **error)
return argv;
}
+/* Based heavily on systemd version */
+static
+int safe_atoi(const char *s, int *ret_i) {
+ char *x = NULL;
+ long l;
+
+ errno = 0;
+ l = strtol(s, &x, 0);
+ if (errno > 0)
+ return -1;
+ if (!x || x == s || *x != 0)
+ return -1;
+ if ((long) (int) l != l)
+ return -1;
+
+ *ret_i = (int) l;
+ return 0;
+}
+
/* Redirect stdio to /dev/null, and mark everything else as close-on-exec,
* except for perhaps one to three of them that are passed in by number. */
void
@@ -443,6 +463,9 @@ cm_subproc_mark_most_cloexec(int fd, int fd2, int fd3)
{
int i;
long l;
+ DIR *dir = NULL;
+ struct dirent *de;
+
if ((fd != STDIN_FILENO) &&
(fd2 != STDIN_FILENO) &&
(fd3 != STDIN_FILENO)) {
@@ -482,17 +505,47 @@ cm_subproc_mark_most_cloexec(int fd, int fd2, int fd3)
close(STDERR_FILENO);
}
}
- for (i = getdtablesize() - 1; i >= 3; i--) {
- if ((i == fd) ||
- (i == fd2) ||
- (i == fd3)) {
- continue;
+ dir = opendir("/proc/self/fd");
+ if (!dir) {
+ /* /proc isn't available, fall back to old way */
+ for (i = getdtablesize() - 1; i >= 3; i--) {
+ if ((i == fd) ||
+ (i == fd2) ||
+ (i == fd3)) {
+ continue;
+ }
+ l = fcntl(i, F_GETFD);
+ if (l != -1) {
+ if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
+ cm_log(0, "Potentially leaking FD %d.\n", i);
+ }
+ }
}
- l = fcntl(i, F_GETFD);
- if (l != -1) {
- if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
- cm_log(0, "Potentially leaking FD %d.\n", i);
+ } else {
+ while ((de = readdir(dir)) != NULL) {
+ int i = -1;
+
+ if (safe_atoi(de->d_name, &i) < 0) {
+ continue;
+ }
+
+ if ((i == fd) ||
+ (i == fd2) ||
+ (i == fd3)) {
+ continue;
+ }
+
+ if (i == dirfd(dir)) {
+ continue;
+ }
+
+ l = fcntl(i, F_GETFD);
+ if (l != -1) {
+ if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
+ cm_log(0, "Potentially leaking FD %d.\n", i);
+ }
}
}
+ closedir(dir);
}
}
--
2.21.0

View File

@ -0,0 +1,33 @@
From b7bcb1b3b953c2052e2d89cb2b3e9d9ccd1b3864 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 10 Oct 2019 16:28:18 -0400
Subject: [PATCH] Don't close STDOUT when calling the CA fetch_roots function
cm_subproc_mark_most_cloexec() now closes all open file
descriptors except for up to three requested for stdin, stdout
and stderr. Before the optimization those three were always
left open.
This was causing errors in the IPA helper ipa-server-guard
because it tries to display the contents of stderr which was
always being closed, causing ipa-server-guard to blow up.
---
src/cadata.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cadata.c b/src/cadata.c
index eb87eb76..3e916c96 100644
--- a/src/cadata.c
+++ b/src/cadata.c
@@ -109,7 +109,7 @@ fetch(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, void *data)
}
return -1;
}
- cm_subproc_mark_most_cloexec(STDOUT_FILENO, -1, -1);
+ cm_subproc_mark_most_cloexec(STDOUT_FILENO, STDERR_FILENO, -1);
cm_log(1, "Running enrollment/cadata helper \"%s\".\n", argv[0]);
execvp(argv[0], argv);
u = errno;
--
2.21.0

View File

@ -0,0 +1,35 @@
From 205775f73f7eef7b207acccac6b853562adf604b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 25 Oct 2019 20:25:36 +0000
Subject: [PATCH] Don't close STDERR when submitting request
cm_subproc_mark_most_cloexec() now closes all open file
descriptors except for up to three requested for stdin, stdout
and stderr. Before the optimization those three were always
left open.
This was causing errors in the IPA helper ipa-server-guard
because it tries to display the contents of stderr which was
always being closed, causing ipa-server-guard to blow up.
---
src/submit-e.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/submit-e.c b/src/submit-e.c
index d6158d7a..69b4f8e2 100644
--- a/src/submit-e.c
+++ b/src/submit-e.c
@@ -941,8 +941,8 @@ cm_submit_e_helper_main(int fd, struct cm_store_ca *ca,
}
return -1;
}
- cm_log(2, "Redirecting stdin and stderr to /dev/null, leaving stdout open for child \"%s\".\n", argv[0]);
- cm_subproc_mark_most_cloexec(STDOUT_FILENO, -1, -1);
+ cm_log(2, "Redirecting stdin to /dev/null, leaving stdout and stderr open for child \"%s\".\n", argv[0]);
+ cm_subproc_mark_most_cloexec(STDOUT_FILENO, STDERR_FILENO, -1);
cm_log(1, "Running enrollment helper \"%s\".\n", argv[0]);
execvp(argv[0], argv);
u = errno;
--
2.21.0

View File

@ -0,0 +1,259 @@
From 34c120f0259750ff2228def2955de9ad985340e6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 26 Aug 2019 22:01:35 +0000
Subject: [PATCH] Remove NOMODDB flag flag from context init, look for full
tokens
The NSS databases were almost universally initialized with the
NOMODDB flag. I'm not sure if something changed in NSS but the
PKCS#11 modules were not being initialized. Adding this back after
permission checks are done results in tokens working again.
When looking for certs and keys try the full token:nickname string
as well as just nickname when comparing values.
https://pagure.io/certmonger/issue/125
---
src/casave.c | 3 +--
src/certread-n.c | 33 ++++++++++++++++-----------------
src/certsave-n.c | 5 +++++
src/dogtag.c | 3 +--
src/keygen-n.c | 5 +++++
src/keyiread-n.c | 11 ++++++++++-
src/scepgen-n.c | 5 +++++
src/submit-n.c | 5 +++++
src/toklist.c | 2 +-
9 files changed, 49 insertions(+), 23 deletions(-)
diff --git a/src/casave.c b/src/casave.c
index bde63f99..1cf5a406 100644
--- a/src/casave.c
+++ b/src/casave.c
@@ -111,8 +111,7 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
break;
default:
flags = NSS_INIT_READONLY |
- NSS_INIT_NOROOTINIT |
- NSS_INIT_NOMODDB;
+ NSS_INIT_NOROOTINIT;
/* Sigh. Not a lot of detail. Check
* if we succeed in read-only mode,
* which we'll interpret as lack of
diff --git a/src/certread-n.c b/src/certread-n.c
index d535030b..bb61b61b 100644
--- a/src/certread-n.c
+++ b/src/certread-n.c
@@ -157,27 +157,22 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
cm_log(1, "Unable to open NSS database.\n");
_exit(status);
}
+ /* Re-open the database with modules enabled */
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_cert_storage_location,
+ NULL, NULL, NULL, NULL,
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
es = util_n_fips_hook();
if (es != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", es);
_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
}
- /* Allocate a memory pool. */
- arena = PORT_NewArena(sizeof(double));
- if (arena == NULL) {
- cm_log(1, "Error opening database '%s'.\n",
- entry->cm_cert_storage_location);
- if (NSS_ShutdownContext(ctx) != SECSuccess) {
- cm_log(1, "Error shutting down NSS.\n");
- }
- _exit(ENOMEM);
- }
/* Find the tokens that we might use for cert storage. */
mech = CKM_RSA_X_509;
slotlist = PK11_GetAllTokens(mech, PR_FALSE, PR_FALSE, NULL);
if (slotlist == NULL) {
cm_log(1, "Error getting list of tokens.\n");
- PORT_FreeArena(arena, PR_TRUE);
if (NSS_ShutdownContext(ctx) != SECSuccess) {
cm_log(1, "Error shutting down NSS.\n");
}
@@ -249,6 +244,7 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
/* If we need to log in in order to read certificates, do so. */
if (PK11_NeedLogin(sle->slot)) {
+ cm_log(3, "Need login to token %s\n", PK11_GetTokenName(sle->slot));
if (cm_pin_read_for_cert(entry, &pin) != 0) {
cm_log(1, "Error reading PIN for cert db, "
"skipping.\n");
@@ -272,13 +268,19 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
/* Walk the list of certificates in the slot, looking for one
* which matches the specified nickname. */
certs = PK11_ListCertsInSlot(sle->slot);
+ cm_log(3, "Looking for %s\n", entry->cm_cert_nickname);
if (certs != NULL) {
for (node = CERT_LIST_HEAD(certs);
!CERT_LIST_EMPTY(certs) &&
!CERT_LIST_END(node, certs);
node = CERT_LIST_NEXT(node)) {
- if (strcmp(node->cert->nickname,
- entry->cm_cert_nickname) == 0) {
+ cm_log(3, "certread-n: Slot nickname %s\n",
+ node->cert->nickname);
+ es = talloc_asprintf(entry, "%s:%s",
+ entry->cm_cert_token, entry->cm_cert_nickname);
+ if ((strcmp(node->cert->nickname,
+ entry->cm_cert_nickname) == 0) ||
+ (strcmp(node->cert->nickname, es) == 0)) {
cm_log(3, "Located the certificate "
"\"%s\".\n",
entry->cm_cert_nickname);
@@ -321,7 +323,6 @@ next_slot:
if (cert == NULL) {
cm_log(1, "Error locating certificate.\n");
PK11_FreeSlotList(slotlist);
- PORT_FreeArena(arena, PR_TRUE);
if (NSS_ShutdownContext(ctx) != SECSuccess) {
cm_log(1, "Error shutting down NSS.\n");
}
@@ -332,7 +333,6 @@ next_slot:
fclose(fp);
CERT_DestroyCertificate(cert);
PK11_FreeSlotList(slotlist);
- PORT_FreeArena(arena, PR_TRUE);
if (NSS_ShutdownContext(ctx) != SECSuccess) {
cm_log(1, "Error shutting down NSS.\n");
}
@@ -358,8 +358,7 @@ cm_certread_n_parse(struct cm_store_entry *entry,
NULL, NULL, NULL, NULL,
NSS_INIT_NOCERTDB |
NSS_INIT_READONLY |
- NSS_INIT_NOROOTINIT |
- NSS_INIT_NOMODDB);
+ NSS_INIT_NOROOTINIT);
if (ctx == NULL) {
cm_log(1, "Unable to initialize NSS.\n");
_exit(1);
diff --git a/src/certsave-n.c b/src/certsave-n.c
index 972a1dfa..eda03b34 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -186,6 +186,11 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
} else {
/* We don't try to force FIPS mode here, as it seems to get in
* the way of saving the certificate. */
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_cert_storage_location,
+ NULL, NULL, NULL, NULL,
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
/* Allocate a memory pool. */
arena = PORT_NewArena(sizeof(double));
diff --git a/src/dogtag.c b/src/dogtag.c
index 55607f3d..c43664ef 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -306,8 +306,7 @@ main(int argc, const char **argv)
NULL, NULL, NULL, NULL,
NSS_INIT_NOCERTDB |
NSS_INIT_READONLY |
- NSS_INIT_NOROOTINIT |
- NSS_INIT_NOMODDB);
+ NSS_INIT_NOROOTINIT);
if (nctx == NULL) {
cm_log(1, "Unable to initialize NSS.\n");
_exit(1);
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 061bd2af..e921d7ec 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -226,6 +226,11 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
break;
}
}
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_key_storage_location,
+ NULL, NULL, NULL, NULL,
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
reason = util_n_fips_hook();
if (reason != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
index 91b1be41..dc1c6092 100644
--- a/src/keyiread-n.c
+++ b/src/keyiread-n.c
@@ -115,6 +115,11 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
break;
}
}
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_key_storage_location,
+ NULL, NULL, NULL, NULL,
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
reason = util_n_fips_hook();
if (reason != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
@@ -340,8 +345,12 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
cnode = CERT_LIST_NEXT(cnode)) {
nickname = entry->cm_key_nickname;
cert = cnode->cert;
+ es = talloc_asprintf(entry, "%s:%s",
+ entry->cm_cert_token,
+ entry->cm_cert_nickname);
if ((nickname != NULL) &&
- (strcmp(cert->nickname, nickname) == 0)) {
+ ((strcmp(cert->nickname, nickname) == 0) ||
+ (strcmp(cert->nickname, es) == 0))) {
cm_log(3, "Located a certificate with "
"the key's nickname (\"%s\").\n",
nickname);
diff --git a/src/scepgen-n.c b/src/scepgen-n.c
index d6735aa7..8c67b122 100644
--- a/src/scepgen-n.c
+++ b/src/scepgen-n.c
@@ -183,6 +183,11 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
break;
}
}
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_key_storage_location,
+ NULL, NULL, NULL, NULL,
+ NSS_INIT_READONLY |
+ NSS_INIT_NOROOTINIT);
reason = util_n_fips_hook();
if (reason != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
diff --git a/src/submit-n.c b/src/submit-n.c
index b07ea23a..f27b9c7f 100644
--- a/src/submit-n.c
+++ b/src/submit-n.c
@@ -317,6 +317,11 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
}
goto done;
}
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(args->entry->cm_key_storage_location,
+ NULL, NULL, NULL, NULL,
+ NSS_INIT_READONLY |
+ NSS_INIT_NOROOTINIT);
reason = util_n_fips_hook();
if (reason != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
diff --git a/src/toklist.c b/src/toklist.c
index a4328218..ac166722 100644
--- a/src/toklist.c
+++ b/src/toklist.c
@@ -79,7 +79,7 @@ main(int argc, const char **argv)
/* Open the database. */
ctx = NSS_InitContext(dbdir, NULL, NULL, NULL, NULL,
- NSS_INIT_NOROOTINIT | NSS_INIT_NOMODDB);
+ NSS_INIT_NOROOTINIT);
if (ctx == NULL) {
printf("Unable to open NSS database '%s'.\n", dbdir);
_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
--
2.21.0

View File

@ -0,0 +1,233 @@
From 59df833ca5fb80c596df621a24dc461a550dba71 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 27 Aug 2019 18:01:02 +0000
Subject: [PATCH] Update tests to include the security module DB in expected
output
certmonger was previously always initializing the databases with
the flag NSS_INIT_NOMODDB but in at elast NSS 3.44 this doesn't
seem to initialize external modules (tested with SoftHSM2).
https://pagure.io/certmonger/issue/125
---
tests/034-perms-dbm/expected.out | 16 ++++++++++++++++
tests/034-perms-sql/expected.out | 16 ++++++++++++++++
tests/034-perms/expected.out | 16 ++++++++++++++++
3 files changed, 48 insertions(+)
diff --git a/tests/034-perms-dbm/expected.out b/tests/034-perms-dbm/expected.out
index c062d409..7bf23a37 100644
--- a/tests/034-perms-dbm/expected.out
+++ b/tests/034-perms-dbm/expected.out
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
[dbm:keygen]
$owner:$group|0600|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:csrgen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:submit]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:save]
$owner:$group|0662|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
[rekey:dbm:start]
[rekey:dbm:keygen]
$owner:$group|0600|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:keygen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:csrgen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:submit]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:save]
$owner:$group|0662|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
OK
diff --git a/tests/034-perms-sql/expected.out b/tests/034-perms-sql/expected.out
index 2808e02c..c5914e02 100644
--- a/tests/034-perms-sql/expected.out
+++ b/tests/034-perms-sql/expected.out
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
[sql:keygen]
$owner:$group|0600|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0600|pkcs11.txt
[sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:csrgen]
$owner:$group|0755|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:submit]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:save]
$owner:$group|0662|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0662|pkcs11.txt
[rekey:sql:start]
[rekey:sql:keygen]
$owner:$group|0600|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0600|pkcs11.txt
[rekey:sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:keygen]
$owner:$group|0755|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:csrgen]
$owner:$group|0755|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:submit]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:save]
$owner:$group|0662|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0662|pkcs11.txt
OK
diff --git a/tests/034-perms/expected.out b/tests/034-perms/expected.out
index c062d409..7bf23a37 100644
--- a/tests/034-perms/expected.out
+++ b/tests/034-perms/expected.out
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
[dbm:keygen]
$owner:$group|0600|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:csrgen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:submit]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:save]
$owner:$group|0662|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
[rekey:dbm:start]
[rekey:dbm:keygen]
$owner:$group|0600|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:keygen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:csrgen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:submit]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:save]
$owner:$group|0662|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
OK
--
2.21.0

View File

@ -0,0 +1,50 @@
From 64702b25951ce996532afea7d627612d6bba7451 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 10 Oct 2019 18:24:32 +0000
Subject: [PATCH] Try to pull the entire CA chain from IPA
IPA originally stored a single cert in cn=cacert which is
what certmonger has always retrieved in fetch_roots. It was
replaced to store cn=certificates as separate entries in order
to more easily support chains and to include additional
metadata about certificates.
Try to pull the chain from that location first and fall back
to cn=cacert if no entries are found.
https://bugzilla.redhat.com/show_bug.cgi?id=1710632
---
src/ipa.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/ipa.c b/src/ipa.c
index acd1a4e2..40a4b52c 100644
--- a/src/ipa.c
+++ b/src/ipa.c
@@ -508,7 +508,8 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
LDAP *ld = NULL;
LDAPMessage *lresult = NULL, *lmsg = NULL;
char *lattrs[2] = {"caCertificate;binary", NULL};
- const char *relativedn = "cn=cacert,cn=ipa,cn=etc";
+ const char *relativedn = "cn=certificates,cn=ipa,cn=etc";
+ const char *relativecompatdn = "cn=cacert,cn=ipa,cn=etc";
char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", *kerr = NULL;
struct berval **lbvalues, *lbv;
unsigned char *bv_val;
@@ -543,6 +544,13 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
lfilter, lattrs, 0, NULL, NULL, NULL,
LDAP_NO_LIMIT, &lresult);
+ if (rc == LDAP_SUCCESS && ldap_count_entries(ld, lresult) == 0) {
+ /* Fall back to the old location */
+ snprintf(ldn, sizeof(ldn), "%s,%s", relativecompatdn, basedn);
+ rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
+ lfilter, lattrs, 0, NULL, NULL, NULL,
+ LDAP_NO_LIMIT, &lresult);
+ }
if (rc != LDAP_SUCCESS) {
fprintf(stderr, "Error searching '%s': %s.\n",
ldn, ldap_err2string(rc));
--
2.21.0

View File

@ -0,0 +1,34 @@
From c6f2737747cbb70adfdd1a77412b669838f9c419 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 2 Dec 2019 15:08:54 -0500
Subject: [PATCH] Fix use-after-free issue
The basedn value was freed after the first search but a second
one could be initiated.
---
src/ipa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ipa.c b/src/ipa.c
index 40a4b52c..41ca9081 100644
--- a/src/ipa.c
+++ b/src/ipa.c
@@ -540,7 +540,6 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
/* Now look up the root certificates for the domain. */
snprintf(lfilter, sizeof(lfilter), "(%s=*)", lattrs[0]);
snprintf(ldn, sizeof(ldn), "%s,%s", relativedn, basedn);
- free(basedn);
rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
lfilter, lattrs, 0, NULL, NULL, NULL,
LDAP_NO_LIMIT, &lresult);
@@ -551,6 +550,7 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
lfilter, lattrs, 0, NULL, NULL, NULL,
LDAP_NO_LIMIT, &lresult);
}
+ free(basedn);
if (rc != LDAP_SUCCESS) {
fprintf(stderr, "Error searching '%s': %s.\n",
ldn, ldap_err2string(rc));
--
2.21.0

View File

@ -0,0 +1,931 @@
From 0aa25dc4f8c44434e3f28a7fe25a72c0871ac13b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Apr 2020 16:50:16 -0400
Subject: [PATCH 33/39] Improve logging in SCEP helper
Always check return value of cm_pkcs7_verify_signed() and return
a unique error message.
Change log level from 1 to 0 for all errors in scep.c and pkcs7.c
so they appear by default.
Centralize logging across scep.c and pkcs7.c to reduce code
duplication.
Check the return code to cm_pkcs7_verify_signed in all cases.
Add the last available message, if any, to the error returned
via stdout to certmonger as a hint to what is going on.
---
src/pkcs7.c | 111 +++++++++++++++++++++++++++---------------------
src/pkcs7.h | 2 +
src/scep.c | 59 ++++++++++---------------
src/scepgen-n.c | 28 ++++++------
src/scepgen-o.c | 72 ++++++++++++++++---------------
src/scepgen.c | 2 +-
6 files changed, 140 insertions(+), 134 deletions(-)
diff --git a/src/pkcs7.c b/src/pkcs7.c
index 6de1775..29420b9 100644
--- a/src/pkcs7.c
+++ b/src/pkcs7.c
@@ -274,6 +274,25 @@ cm_pkcs7_parse_buffer(const unsigned char *buffer, size_t length,
}
}
+void
+log_pkcs7_errors(int level, char *msg)
+{
+ char buf[LINE_MAX] = "";
+ long error;
+ int nss_err;
+
+ cm_log(level, "%s\n", msg);
+ while ((error = ERR_get_error()) != 0) {
+ memset(buf, '\0', sizeof(buf));
+ ERR_error_string_n(error, buf, sizeof(buf));
+ cm_log(level, "%s\n", buf);
+ }
+ nss_err = PORT_GetError();
+ if (nss_err < 0) {
+ cm_log(level, "%d: %s\n", nss_err, PR_ErrorToString(nss_err, 0));
+ }
+}
+
int
cm_pkcs7_parsev(unsigned int flags, void *parent,
char **certleaf, char **certtop, char ***certothers,
@@ -520,26 +539,26 @@ cm_pkcs7_envelope_data(char *encryption_cert, enum cm_prefs_cipher cipher,
in = BIO_new_mem_buf(encryption_cert, -1);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
recipient = PEM_read_bio_X509(in, NULL, NULL, NULL);
if (recipient == NULL) {
- cm_log(1, "Error parsing recipient certificate.\n");
+ log_pkcs7_errors(0, "Error parsing recipient certificate.\n");
goto done;
}
BIO_free(in);
recipients = sk_X509_new(util_o_cert_cmp);
if (recipients == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
sk_X509_push(recipients, recipient);
in = BIO_new_mem_buf(data, dlength);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
p7 = PKCS7_encrypt(recipients, in, cm_prefs_ossl_cipher_by_pref(cipher),
@@ -547,22 +566,22 @@ cm_pkcs7_envelope_data(char *encryption_cert, enum cm_prefs_cipher cipher,
BIO_free(in);
if (p7 == NULL) {
- cm_log(1, "Error encrypting signing request.\n");
+ log_pkcs7_errors(0, "Error encrypting signing request.\n");
goto done;
}
len = i2d_PKCS7(p7, NULL);
if (len < 0) {
- cm_log(1, "Error encoding encrypted signing request.\n");
+ log_pkcs7_errors(0, "Error encoding encrypted signing request.\n");
goto done;
}
dp7 = malloc(len);
if (dp7 == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
u = dp7;
if (i2d_PKCS7(p7, &u) != len) {
- cm_log(1, "Error encoding encrypted signing request.\n");
+ log_pkcs7_errors(0, "Error encoding encrypted signing request.\n");
goto done;
}
*enveloped = dp7;
@@ -593,29 +612,29 @@ cm_pkcs7_envelope_csr(char *encryption_cert, enum cm_prefs_cipher cipher,
in = BIO_new_mem_buf(csr, -1);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
BIO_free(in);
if (req == NULL) {
- cm_log(1, "Error parsing certificate signing request.\n");
+ log_pkcs7_errors(0, "Error parsing certificate signing request.\n");
goto done;
}
dlen = i2d_X509_REQ(req, NULL);
if (dlen < 0) {
- cm_log(1, "Error encoding certificate signing request.\n");
+ log_pkcs7_errors(0, "Error encoding certificate signing request.\n");
goto done;
}
dreq = malloc(dlen);
if (dreq == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
u = dreq;
if (i2d_X509_REQ(req, &u) != dlen) {
- cm_log(1, "Error encoding certificate signing request.\n");
+ log_pkcs7_errors(0, "Error encoding certificate signing request.\n");
goto done;
}
ret = cm_pkcs7_envelope_data(encryption_cert, cipher, dreq, dlen,
@@ -671,59 +690,61 @@ cm_pkcs7_generate_ias(char *cacert, char *minicert,
in = BIO_new_mem_buf(cacert, -1);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
ca = PEM_read_bio_X509(in, NULL, NULL, NULL);
BIO_free(in);
if (ca == NULL) {
- cm_log(1, "Error parsing CA certificate.\n");
+ log_pkcs7_errors(0, "Error parsing CA certificate.\n");
goto done;
}
in = BIO_new_mem_buf(minicert, -1);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
mini = PEM_read_bio_X509(in, NULL, NULL, NULL);
BIO_free(in);
if (mini == NULL) {
- cm_log(1, "Error parsing client certificate.\n");
+ log_pkcs7_errors(0, "Error parsing client certificate.\n");
goto done;
}
issuerlen = i2d_X509_NAME(X509_get_issuer_name(ca), NULL);
if (issuerlen < 0) {
- cm_log(1, "Error encoding CA certificate issuer name.\n");
+ cm_log(0, "Error encoding CA certificate issuer name.\n");
goto done;
}
issuer = malloc(issuerlen);
if (issuer == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
u = issuer;
if (i2d_X509_NAME(X509_get_issuer_name(ca), &u) != issuerlen) {
- cm_log(1, "Error encoding CA certificate issuer name.\n");
+ log_pkcs7_errors(0, "Error encoding CA certificate issuer name.\n");
goto done;
}
subjectlen = i2d_X509_NAME(X509_get_subject_name(mini), NULL);
if (subjectlen < 0) {
- cm_log(1, "Error encoding client certificate subject name.\n");
+ cm_log(0, "Error encoding client certificate subject name.\n");
goto done;
}
subject = malloc(subjectlen);
if (subject == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
u = subject;
if (i2d_X509_NAME(X509_get_subject_name(mini), &u) != subjectlen) {
- cm_log(1, "Error encoding client certificate subject name.\n");
+ log_pkcs7_errors(0, "Error encoding client certificate subject name.\n");
goto done;
}
+ PORT_SetError(0);
+ ERR_clear_error();
memset(&issuerandsubject, 0, sizeof(issuerandsubject));
issuerandsubject.issuer.data = issuer;
issuerandsubject.issuer.len = issuerlen;
@@ -731,7 +752,7 @@ cm_pkcs7_generate_ias(char *cacert, char *minicert,
issuerandsubject.subject.len = subjectlen;
if (SEC_ASN1EncodeItem(NULL, &encoded, &issuerandsubject,
cm_pkcs7_ias_template) != &encoded) {
- cm_log(1, "Error encoding issuer and subject names.\n");
+ log_pkcs7_errors(0, "Error encoding issuer and subject names.\n");
goto done;
}
*ias = malloc(encoded.len);
@@ -948,28 +969,28 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
u = data;
p7 = d2i_PKCS7(NULL, &u, length);
if ((p7 == NULL) || (u != data + length)) {
- cm_log(1, "Error parsing what should be PKCS#7 signed-data.\n");
+ cm_log(0, "Error parsing what should be PKCS#7 signed-data.\n");
goto done;
}
if ((p7->type == NULL) || (OBJ_obj2nid(p7->type) != NID_pkcs7_signed)) {
- cm_log(1, "PKCS#7 data is not signed-data.\n");
+ cm_log(0, "PKCS#7 data is not signed-data.\n");
goto done;
}
store = X509_STORE_new();
if (store == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
X509_STORE_set_verify_cb_func(store, &ignore_purpose_errors);
certs = sk_X509_new(util_o_cert_cmp);
if (certs == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
for (i = 0; (roots != NULL) && (roots[i] != NULL); i++) {
s = talloc_strdup(parent, roots[i]);
if (s == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
/* In case one of these is multiple PEM certificates
@@ -990,13 +1011,13 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
}
in = BIO_new_mem_buf(p, q - p);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
x = PEM_read_bio_X509(in, NULL, NULL, NULL);
BIO_free(in);
if (x == NULL) {
- cm_log(1, "Error parsing chain certificate.\n");
+ cm_log(0, "Error parsing chain certificate.\n");
goto done;
}
X509_STORE_add_cert(store, x);
@@ -1008,7 +1029,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
for (i = 0; (othercerts != NULL) && (othercerts[i] != NULL); i++) {
s = talloc_strdup(parent, othercerts[i]);
if (s == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
/* In case one of these is multiple PEM certificates
@@ -1028,13 +1049,13 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
}
in = BIO_new_mem_buf(p, q - p);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
x = PEM_read_bio_X509(in, NULL, NULL, NULL);
BIO_free(in);
if (x == NULL) {
- cm_log(1, "Error parsing chain certificate.\n");
+ cm_log(0, "Error parsing chain certificate.\n");
goto done;
}
sk_X509_push(certs, x);
@@ -1044,7 +1065,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
}
out = BIO_new(BIO_s_mem());
if (out == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
if (roots != NULL) {
@@ -1057,19 +1078,19 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
for (i = 0; i < sk_X509_num(certs); i++) {
x = X509_dup(sk_X509_value(certs, i));
if (x == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
PKCS7_add_certificate(p7, x);
}
if (PKCS7_verify(p7, certs, store, NULL, out, 0) != 1) {
- cm_log(1, "Message failed verification.\n");
+ cm_log(0, "Message failed verification.\n");
goto done;
}
}
p7s = p7->d.sign;
if (sk_PKCS7_SIGNER_INFO_num(p7s->signer_info) != 1) {
- cm_log(1, "Number of PKCS#7 signed-data signers != 1.\n");
+ cm_log(0, "Number of PKCS#7 signed-data signers != 1.\n");
goto done;
}
si = sk_PKCS7_SIGNER_INFO_value(p7s->signer_info, 0);
@@ -1077,12 +1098,12 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
encapsulated = p7s->contents;
if (expected_content_type != NID_undef) {
if (encapsulated == NULL) {
- cm_log(1, "Error parsing PKCS#7 encapsulated content.\n");
+ cm_log(0, "Error parsing PKCS#7 encapsulated content.\n");
goto done;
}
if ((encapsulated->type == NULL) ||
(OBJ_obj2nid(encapsulated->type) != expected_content_type)) {
- cm_log(1, "PKCS#7 encapsulated data is not %s (%s).\n",
+ cm_log(0, "PKCS#7 encapsulated data is not %s (%s).\n",
OBJ_nid2ln(expected_content_type),
encapsulated->type ?
OBJ_nid2ln(OBJ_obj2nid(encapsulated->type)) :
@@ -1091,7 +1112,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
}
}
if (attrs == NULL) {
- cm_log(1, "PKCS#7 signed-data contains no signed attributes.\n");
+ cm_log(0, "PKCS#7 signed-data contains no signed attributes.\n");
goto done;
}
ret = 0;
@@ -1146,7 +1167,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
if (*payload_length > 0) {
*payload = talloc_size(parent, *payload_length + 1);
if (*payload == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
memcpy(*payload, s, *payload_length);
@@ -1154,12 +1175,6 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
}
}
done:
- if (ret != 0) {
- while ((error = ERR_get_error()) != 0) {
- ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
- }
- }
if (p7 != NULL) {
PKCS7_free(p7);
}
diff --git a/src/pkcs7.h b/src/pkcs7.h
index 097f7ca..fae52f8 100644
--- a/src/pkcs7.h
+++ b/src/pkcs7.h
@@ -63,4 +63,6 @@ int cm_pkcs7_verify_signed(unsigned char *data, size_t length,
size_t *recipient_nonce_length,
unsigned char **payload, size_t *payload_length);
+void log_pkcs7_errors(int level, char *msg);
+
#endif
diff --git a/src/scep.c b/src/scep.c
index b37711c..0b8bef9 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -428,11 +428,15 @@ main(int argc, const char **argv)
if ((rekey_message != NULL) && (strlen(rekey_message) != 0)) {
tmp1 = cm_submit_u_base64_from_text(rekey_message);
tmp2 = cm_store_base64_as_bin(ctx, tmp1, -1, &c);
- cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
+ i = cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
NULL, NULL, NID_pkcs7_data, ctx, NULL,
NULL, &msgtype, NULL, NULL,
NULL, NULL,
NULL, NULL, NULL, NULL);
+ if (i != 0) {
+ log_pkcs7_errors(0, "Error: failed to verify signature on "
+ "rekey PKCSReq.\n");
+ }
if ((msgtype == NULL) ||
((strcmp(msgtype, SCEP_MSGTYPE_PKCSREQ) != 0) &&
(strcmp(msgtype, SCEP_MSGTYPE_GETCERTINITIAL) != 0))) {
@@ -454,11 +458,15 @@ main(int argc, const char **argv)
if ((message != NULL) && (strlen(message) != 0)) {
tmp1 = cm_submit_u_base64_from_text(message);
tmp2 = cm_store_base64_as_bin(ctx, tmp1, -1, &c);
- cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
+ i = cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
NULL, NULL, NID_pkcs7_data, ctx, NULL,
&sent_tx, &msgtype, NULL, NULL,
&sent_nonce, &sent_nonce_length,
NULL, NULL, NULL, NULL);
+ if (i != 0) {
+ log_pkcs7_errors(0, "Error: failed to verify signature on "
+ "message.\n");
+ }
if ((msgtype == NULL) ||
((strcmp(msgtype, SCEP_MSGTYPE_PKCSREQ) != 0) &&
(strcmp(msgtype, SCEP_MSGTYPE_GETCERTINITIAL) != 0))) {
@@ -933,14 +941,16 @@ main(int argc, const char **argv)
&payload, &payload_length);
if (i != 0) {
printf(_("Error: failed to verify signature on "
- "server response.\n"));
- cm_log(1, "Error: failed to verify signature on "
- "server response.\n");
- while ((error = ERR_get_error()) != 0) {
+ "server response. "));
+ error = ERR_peek_last_error();
+ if (error != 0) {
memset(buf, '\0', sizeof(buf));
ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
+ printf("%s", buf);
}
+ printf("\n");
+ log_pkcs7_errors(0, "Error: failed to verify signature on "
+ "server response.\n");
s = cm_store_base64_from_bin(ctx, (unsigned char *) results2,
results_length2);
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
@@ -1050,26 +1060,7 @@ main(int argc, const char **argv)
p7 = d2i_PKCS7(NULL, &u, payload_length);
if (p7 == NULL) {
printf(_("Error: couldn't parse signed-data.\n"));
- while ((error = ERR_get_error()) != 0) {
- memset(buf, '\0', sizeof(buf));
- ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
- }
- s = cm_store_base64_from_bin(ctx,
- (unsigned char *) results2,
- results_length2);
- s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
- fprintf(stderr, "Full reply:\n%s", s);
- free(s);
- return CM_SUBMIT_STATUS_UNREACHABLE;
- }
- if (!PKCS7_type_is_enveloped(p7)) {
- printf(_("Error: signed-data payload is not enveloped-data.\n"));
- while ((error = ERR_get_error()) != 0) {
- memset(buf, '\0', sizeof(buf));
- ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
- }
+ log_pkcs7_errors(0, "Error: couldn't parse signed-data.\n");
s = cm_store_base64_from_bin(ctx,
(unsigned char *) results2,
results_length2);
@@ -1080,11 +1071,8 @@ main(int argc, const char **argv)
}
if (!PKCS7_type_is_enveloped(p7)) {
printf(_("Error: signed-data payload is not enveloped-data.\n"));
- while ((error = ERR_get_error()) != 0) {
- memset(buf, '\0', sizeof(buf));
- ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
- }
+ log_pkcs7_errors(0, "Error: signed-data payload is not "
+ "enveloped-data.\n");
s = cm_store_base64_from_bin(ctx,
(unsigned char *) results2,
results_length2);
@@ -1098,11 +1086,8 @@ main(int argc, const char **argv)
(p7->d.enveloped->enc_data->content_type == NULL) ||
(OBJ_obj2nid(p7->d.enveloped->enc_data->content_type) != NID_pkcs7_data)) {
printf(_("Error: enveloped-data payload is not data.\n"));
- while ((error = ERR_get_error()) != 0) {
- memset(buf, '\0', sizeof(buf));
- ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
- }
+ log_pkcs7_errors(0, "Error: enveloped-data payload is "
+ "not data.\n");
s = cm_store_base64_from_bin(ctx,
(unsigned char *) results2,
results_length2);
diff --git a/src/scepgen-n.c b/src/scepgen-n.c
index 8c67b12..ce73c31 100644
--- a/src/scepgen-n.c
+++ b/src/scepgen-n.c
@@ -86,14 +86,14 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
return;
}
if (sk_PKCS7_SIGNER_INFO_num(p7->d.sign->signer_info) != 1) {
- cm_log(1, "More than one signer, not sure what to do.\n");
+ cm_log(0, "More than one signer, not sure what to do.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
sinfo = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0);
salen = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, NULL, &PKCS7_ATTR_SIGN_it);
u = sabuf = malloc(salen);
if (sabuf == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
/* ASN1_item_i2d doesn't actually modify the passed-in pointer, which
@@ -101,7 +101,7 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
* that ourselves. */
l = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, &u, &PKCS7_ATTR_SIGN_it);
if (l != salen) {
- cm_log(1, "Error encoding attributes.\n");
+ cm_log(0, "Error encoding attributes.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -109,12 +109,12 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
digalg = cm_submit_n_tag_from_nid(OBJ_obj2nid(sinfo->digest_alg->algorithm));
sigalg = SEC_GetSignatureAlgorithmOidTag(privkey->keyType, digalg);
if (sigalg == SEC_OID_UNKNOWN) {
- cm_log(1, "Unable to match digest algorithm and key.\n");
+ cm_log(0, "Unable to match digest algorithm and key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
if (SEC_SignData(&signature, sabuf, salen, privkey,
sigalg) != SECSuccess) {
- cm_log(1, "Error re-signing: %s.\n",
+ cm_log(0, "Error re-signing: %s.\n",
PR_ErrorToName(PORT_GetError()));
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -143,7 +143,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
if (ca->cm_ca_encryption_cert == NULL) {
- cm_log(1, "Can't generate new SCEP request data without "
+ cm_log(0, "Can't generate new SCEP request data without "
"the RA/CA encryption certificate.\n");
_exit(CM_SUB_STATUS_NEED_SCEP_DATA);
}
@@ -166,12 +166,12 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
fprintf(status, "Error opening database "
"'%s': %s.\n",
entry->cm_key_storage_location, es);
- cm_log(1, "Error opening database '%s': %s.\n",
+ cm_log(0, "Error opening database '%s': %s.\n",
entry->cm_key_storage_location, es);
} else {
fprintf(status, "Error opening database '%s'.\n",
entry->cm_key_storage_location);
- cm_log(1, "Error opening database '%s'.\n",
+ cm_log(0, "Error opening database '%s'.\n",
entry->cm_key_storage_location);
}
switch (ec) {
@@ -190,7 +190,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
NSS_INIT_NOROOTINIT);
reason = util_n_fips_hook();
if (reason != NULL) {
- cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
+ cm_log(0, "Error putting NSS into FIPS mode: %s\n", reason);
_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
}
@@ -198,23 +198,23 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
cm_log(1, "Generating dummy key.\n");
key = EVP_PKEY_new();
if (key == NULL) {
- cm_log(1, "Error allocating new key.\n");
+ cm_log(0, "Error allocating new key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
exponent = BN_new();
if (exponent == NULL) {
- cm_log(1, "Error setting up exponent.\n");
+ cm_log(0, "Error setting up exponent.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
BN_set_word(exponent, CM_DEFAULT_RSA_EXPONENT);
rsa = RSA_new();
if (rsa == NULL) {
- cm_log(1, "Error allocating new RSA key.\n");
+ cm_log(0, "Error allocating new RSA key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
retry_gen:
if (RSA_generate_key_ex(rsa, CM_DEFAULT_PUBKEY_SIZE, exponent, NULL) != 1) {
- cm_log(1, "Error generating key.\n");
+ cm_log(0, "Error generating key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
if (RSA_check_key(rsa) != 1) { /* should be unnecessary */
@@ -228,7 +228,7 @@ retry_gen:
if ((keys->privkey->keyType != rsaKey) ||
((keys->privkey_next != NULL) &&
(keys->privkey_next->keyType != rsaKey))) {
- cm_log(1, "Keys aren't RSA. They won't work with SCEP.\n");
+ cm_log(0, "Keys aren't RSA. They won't work with SCEP.\n");
_exit(CM_SUB_STATUS_ERROR_KEY_TYPE);
}
diff --git a/src/scepgen-o.c b/src/scepgen-o.c
index 010abb7..a431815 100644
--- a/src/scepgen-o.c
+++ b/src/scepgen-o.c
@@ -76,14 +76,14 @@ key_from_file(const char *filename, struct cm_store_entry *entry)
keyfp = fopen(filename, "r");
if (keyfp == NULL) {
if (errno != ENOENT) {
- cm_log(1, "Error opening key file \"%s\" "
+ cm_log(0, "Error opening key file \"%s\" "
"for reading: %s.\n",
filename, strerror(errno));
}
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
if (cm_pin_read_for_key(entry, &pin) != 0) {
- cm_log(1, "Internal error reading key encryption PIN.\n");
+ cm_log(0, "Internal error reading key encryption PIN.\n");
_exit(CM_SUB_STATUS_ERROR_AUTH);
}
memset(&cb_data, 0, sizeof(cb_data));
@@ -93,24 +93,24 @@ key_from_file(const char *filename, struct cm_store_entry *entry)
cm_pin_read_for_key_ossl_cb, &cb_data);
if (pkey == NULL) {
error = errno;
- cm_log(1, "Error reading private key '%s': %s.\n",
+ cm_log(0, "Error reading private key '%s': %s.\n",
filename, strerror(error));
while ((error = ERR_get_error()) != 0) {
ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
+ cm_log(0, "%s\n", buf);
}
_exit(CM_SUB_STATUS_ERROR_AUTH); /* XXX */
} else {
if ((pin != NULL) &&
(strlen(pin) > 0) &&
(cb_data.n_attempts == 0)) {
- cm_log(1, "PIN was not needed to read private "
+ cm_log(0, "PIN was not needed to read private "
"key '%s', though one was provided. "
"Treating this as an error.\n",
filename);
while ((error = ERR_get_error()) != 0) {
ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
+ cm_log(0, "%s\n", buf);
}
_exit(CM_SUB_STATUS_ERROR_AUTH); /* XXX */
}
@@ -127,13 +127,13 @@ cert_from_pem(char *pem, struct cm_store_entry *entry)
if ((pem != NULL) && (strlen(pem) > 0)) {
in = BIO_new_mem_buf(pem, -1);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
BIO_free(in);
if (cert == NULL) {
- cm_log(1, "Error parsing certificate \"%s\".\n", pem);
+ cm_log(0, "Error parsing certificate \"%s\".\n", pem);
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
return cert;
@@ -155,19 +155,19 @@ certs_from_nickcerts(struct cm_nickcert **list)
if ((this->cm_cert != NULL) && (strlen(this->cm_cert) > 0)) {
in = BIO_new_mem_buf(this->cm_cert, -1);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
BIO_free(in);
if (cert == NULL) {
- cm_log(1, "Error parsing certificate.\n");
+ cm_log(0, "Error parsing certificate.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
if (sk == NULL) {
sk = sk_X509_new(util_o_cert_cmp);
if (sk == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
}
@@ -300,19 +300,19 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
in = BIO_new_mem_buf(data, data_length);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
ret = PKCS7_sign(signer, key, certs, in, flags);
if (ret == NULL) {
- cm_log(1, "Error signing data.\n");
+ cm_log(0, "Error signing data.\n");
goto errors;
}
BIO_free(in);
/* Set the digest to use for signing. */
if (sk_PKCS7_SIGNER_INFO_num(ret->d.sign->signer_info) != 1) {
- cm_log(1, "Error signing data: %d signers.\n",
+ cm_log(0, "Error signing data: %d signers.\n",
sk_PKCS7_SIGNER_INFO_num(ret->d.sign->signer_info));
goto errors;
}
@@ -356,7 +356,7 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
PKCS7_content_new(ret, NID_pkcs7_data);
out = PKCS7_dataInit(ret, NULL);
if (out == NULL) {
- cm_log(1, "Error signing data.\n");
+ cm_log(0, "Error signing data.\n");
goto errors;
}
BIO_write(out, data, data_length);
@@ -366,7 +366,7 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
errors:
while ((error = ERR_get_error()) != 0) {
ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
+ cm_log(0, "%s\n", buf);
}
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -394,11 +394,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
util_o_init();
ERR_load_crypto_strings();
if (RAND_status() != 1) {
- cm_log(1, "PRNG not seeded for generating key.\n");
+ cm_log(0, "PRNG not seeded for generating key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
if (RAND_bytes(nonce, nonce_length) == -1) {
- cm_log(1, "PRNG unable to generate nonce.\n");
+ cm_log(0, "PRNG unable to generate nonce.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -410,14 +410,14 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
pem = cm_submit_u_pem_from_base64("CERTIFICATE", 0,
entry->cm_minicert);
if (pem == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
new_cert = cert_from_pem(pem, entry);
if (new_cert == NULL) {
while ((error = ERR_get_error()) != 0) {
ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
+ cm_log(0, "%s\n", buf);
}
free(pem);
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
@@ -442,7 +442,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
cipher = cm_prefs_des;
}
else {
- cm_log(1, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher);
+ cm_log(0, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher);
_exit(1);
}
@@ -516,7 +516,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
digest = cm_prefs_md5;
}
else {
- cm_log(1, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest);
+ cm_log(0, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest);
_exit(1);
}
@@ -578,7 +578,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
ca->cm_ca_encryption_issuer_cert,
entry->cm_cert,
&old_ias, &old_ias_length) != 0) {
- cm_log(1, "Error generating enveloped issuer-and-subject.\n");
+ cm_log(0, "Error generating enveloped issuer-and-subject.\n");
free(pem);
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -590,7 +590,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
ca->cm_ca_encryption_issuer_cert,
pem,
&new_ias, &new_ias_length) != 0) {
- cm_log(1, "Error generating enveloped issuer-and-subject.\n");
+ cm_log(0, "Error generating enveloped issuer-and-subject.\n");
free(pem);
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -598,7 +598,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
if (cm_pkcs7_envelope_csr(ca->cm_ca_encryption_cert, cipher,
entry->cm_csr,
&csr, &csr_length) != 0) {
- cm_log(1, "Error generating enveloped CSR.\n");
+ cm_log(0, "Error generating enveloped CSR.\n");
+ while ((error = ERR_get_error()) != 0) {
+ ERR_error_string_n(error, buf, sizeof(buf));
+ cm_log(0, "%s\n", buf);
+ }
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -608,7 +612,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
* the matching key. */
pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(old_cert));
if (pubkey == NULL) {
- cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n");
+ cm_log(0, "Error generating PKCSREQ pkiMessage: error copying key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
util_X509_set_pubkey(old_cert, old_pkey);
@@ -639,7 +643,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
* if we do, we did that in another code path. */
pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert));
if (pubkey == NULL) {
- cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n");
+ cm_log(0, "Error generating PKCSREQ pkiMessage: error copying key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
util_X509_set_pubkey(new_cert, old_pkey);
@@ -673,7 +677,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
* any previously-issued certificate won't match. */
pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert));
if (pubkey == NULL) {
- cm_log(1, "Error generating rekeying PKCSREQ pkiMessage: error copying key.\n");
+ cm_log(0, "Error generating rekeying PKCSREQ pkiMessage: error copying key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
util_X509_set_pubkey(new_cert, new_pkey);
@@ -703,7 +707,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
X509_free(new_cert);
while ((error = ERR_get_error()) != 0) {
ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
+ cm_log(0, "%s\n", buf);
}
}
@@ -723,14 +727,14 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
if (ca->cm_ca_encryption_cert == NULL) {
- cm_log(1, "Can't generate new SCEP request data without "
+ cm_log(0, "Can't generate new SCEP request data without "
"the RA/CA encryption certificate.\n");
_exit(CM_SUB_STATUS_NEED_SCEP_DATA);
}
old_pkey = key_from_file(entry->cm_key_storage_location, entry);
if (old_pkey == NULL) {
- cm_log(1, "Error reading key from file \"%s\".\n",
+ cm_log(0, "Error reading key from file \"%s\".\n",
entry->cm_key_storage_location);
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -739,14 +743,14 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
filename = util_build_next_filename(entry->cm_key_storage_location,
entry->cm_key_next_marker);
if (filename == NULL) {
- cm_log(1, "Error opening key file \"%s\" "
+ cm_log(0, "Error opening key file \"%s\" "
"for reading: %s.\n",
filename, strerror(errno));
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
new_pkey = key_from_file(filename, entry);
if (new_pkey == NULL) {
- cm_log(1, "Error reading key from file \"%s\".\n",
+ cm_log(0, "Error reading key from file \"%s\".\n",
filename);
free(filename);
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
@@ -757,7 +761,7 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
if ((util_EVP_PKEY_base_id(old_pkey) != EVP_PKEY_RSA) ||
((new_pkey != NULL) && (util_EVP_PKEY_base_id(new_pkey) != EVP_PKEY_RSA))) {
- cm_log(1, "Keys aren't RSA. They won't work with SCEP.\n");
+ cm_log(0, "Keys aren't RSA. They won't work with SCEP.\n");
_exit(CM_SUB_STATUS_ERROR_KEY_TYPE);
}
diff --git a/src/scepgen.c b/src/scepgen.c
index eaf2b7c..115446f 100644
--- a/src/scepgen.c
+++ b/src/scepgen.c
@@ -32,7 +32,7 @@ cm_scepgen_start(struct cm_store_ca *ca, struct cm_store_entry *entry)
{
switch (entry->cm_key_storage_type) {
case cm_key_storage_none:
- cm_log(1, "Can't generate new SCEP data for %s('%s') without "
+ cm_log(0, "Can't generate new SCEP data for %s('%s') without "
"the key, and we don't know where that is or should "
"be.\n", entry->cm_busname, entry->cm_nickname);
break;
--
2.21.1

View File

@ -0,0 +1,33 @@
From e4d0a60836e1ecbcd6390b88dceb2ca29d3179dc Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 27 Feb 2020 18:15:02 -0500
Subject: [PATCH 34/39] Add verbose option to SCEP CA if requested in
add-scep-ca
This option was silently dropped from the helper arguments even
if requested on the add-scep-ca CLI and was only passed to the
dbus helper.
Add as many -v as requested though the scep helper only logs at
most at level 1.
---
src/getcert.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/getcert.c b/src/getcert.c
index 4713dd1..3d78a73 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -4580,6 +4580,9 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
certs ? "-I" : "",
certs ? shell_escape(globals.tctx, certs) : "",
prefer_non_renewal ? "-n" : "");
+ for (c = 0; c < verbose; c++) {
+ command = talloc_strdup_append(command, " -v");
+ }
if (command == NULL) {
printf(_("Error building command line.\n"));
exit(1);
--
2.21.1

View File

@ -0,0 +1,422 @@
From 0897d5131489c7eac21d558625c30d23b0a1774d Mon Sep 17 00:00:00 2001
From: Your Name <you@example.com>
Date: Tue, 14 Apr 2020 13:17:14 +0000
Subject: [PATCH 35/39] Cleanup the SCEP helper curl and talloc contexts when
finished
The talloc context was freed in only a few cases and the curl
context was never freed.
---
src/scep.c | 127 ++++++++++++++++++++++++++++++++-----------------
src/submit-h.c | 15 +++++-
src/submit-h.h | 1 +
3 files changed, 97 insertions(+), 46 deletions(-)
diff --git a/src/scep.c b/src/scep.c
index 0b8bef9..4d00692 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -199,7 +199,7 @@ int
main(int argc, const char **argv)
{
const char *url = NULL, *results = NULL, *results2 = NULL;
- struct cm_submit_h_context *hctx;
+ struct cm_submit_h_context *hctx = NULL;
int c, verbose = 0, results_length = 0, results_length2 = 0, i;
int prefer_non_renewal = 0, can_renewal = 0;
int response_code = 0, response_code2 = 0;
@@ -225,7 +225,8 @@ main(int argc, const char **argv)
size_t payload_length;
long error;
PKCS7 *p7;
- poptContext pctx;
+ int rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ poptContext pctx = NULL;
struct poptOption popts[] = {
{"url", 'u', POPT_ARG_STRING, &url, 0, "service location", "URL"},
{"ca-identifier", 'i', POPT_ARG_STRING, &id, 0, "name to use when querying for capabilities", "IDENTIFIER"},
@@ -388,8 +389,8 @@ main(int argc, const char **argv)
}
if ((message == NULL) || (strlen(message) == 0)) {
printf(_("Error reading request. Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n"));
- free(cainfo);
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ goto done;
}
/* First step: read capabilities for our use. */
params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
@@ -408,8 +409,8 @@ main(int argc, const char **argv)
}
if ((message == NULL) || (strlen(message) == 0)) {
printf(_("Error reading request. Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n"));
- free(cainfo);
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ goto done;
}
/* First step: read capabilities for our use. */
params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
@@ -420,8 +421,8 @@ main(int argc, const char **argv)
/* Supply help output, if it's needed. */
if (missing_args) {
poptPrintUsage(pctx, stdout, 0);
- free(cainfo);
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto done;
}
/* Check the rekey PKCSReq message, if we have one. */
@@ -505,7 +506,6 @@ main(int argc, const char **argv)
verbose > 1 ?
cm_submit_h_curl_verbose_on :
cm_submit_h_curl_verbose_off);
- free(cainfo);
cm_submit_h_run(hctx);
content_type = cm_submit_h_result_type(hctx);
if (content_type == NULL) {
@@ -551,7 +551,8 @@ main(int argc, const char **argv)
}
if ((tmp2 == NULL) || (strlen(tmp2) == 0)) {
printf(_("Error reading request. Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n"));
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ goto done;
} else
if (verbose > 0) {
if (tmp2 == rekey_message) {
@@ -576,7 +577,8 @@ main(int argc, const char **argv)
}
if ((tmp2 == NULL) || (strlen(tmp2) == 0)) {
printf(_("Error reading request. Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n"));
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ goto done;
} else
if (verbose > 0) {
if (tmp2 == rekey_message) {
@@ -638,7 +640,8 @@ main(int argc, const char **argv)
cm_submit_h_result_code(hctx),
url);
}
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
switch (op) {
case op_unset:
@@ -651,16 +654,19 @@ main(int argc, const char **argv)
response_code, url);
if (response_code == 500) {
/* The server might recover, right? */
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
} else {
/* Maybe not? */
- return CM_SUBMIT_STATUS_REJECTED;
+ rval = CM_SUBMIT_STATUS_REJECTED;
+ goto done;
}
}
if (results == NULL) {
printf(_("Internal error: no response to \"%s?%s\".\n"),
url, params);
- return CM_SUBMIT_STATUS_REJECTED;
+ rval = CM_SUBMIT_STATUS_REJECTED;
+ goto done;
}
break;
case op_get_cert_initial:
@@ -685,10 +691,12 @@ main(int argc, const char **argv)
fprintf(stderr, "Result is surprisingly large, "
"suppressing it.\n");
}
- return CM_SUBMIT_STATUS_REJECTED;
+ rval = CM_SUBMIT_STATUS_REJECTED;
+ goto done;
}
printf("%s\n", results);
- return CM_SUBMIT_STATUS_ISSUED;
+ rval = CM_SUBMIT_STATUS_ISSUED;
+ goto done;
break;
case op_get_ca_certs:
if ((strcasecmp(content_type,
@@ -697,7 +705,8 @@ main(int argc, const char **argv)
"application/x-x509-ca-ra-cert") != 0)) {
printf(_("Server reply was of unexpected MIME type "
"\"%s\".\n"), content_type);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (racert == NULL) {
racertp = &racert;
@@ -710,7 +719,8 @@ main(int argc, const char **argv)
n_buffers + 1);
if ((buffers == NULL) || (lengths == NULL)) {
fprintf(stderr, "Out of memory.\n");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
buffers[n_buffers] = (unsigned char *) racert;
lengths[n_buffers] = strlen(racert);
@@ -727,7 +737,8 @@ main(int argc, const char **argv)
n_buffers + 1);
if ((buffers == NULL) || (lengths == NULL)) {
fprintf(stderr, "Out of memory.\n");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
buffers[n_buffers] = (unsigned char *) cacert;
lengths[n_buffers] = strlen(cacert);
@@ -741,7 +752,8 @@ main(int argc, const char **argv)
n_buffers + 1);
if ((buffers == NULL) || (lengths == NULL)) {
fprintf(stderr, "Out of memory.\n");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
buffers[n_buffers] = (unsigned char *) results;
lengths[n_buffers] = results_length;
@@ -755,7 +767,8 @@ main(int argc, const char **argv)
n_buffers + 1);
if ((buffers == NULL) || (lengths == NULL)) {
fprintf(stderr, "Out of memory.\n");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
buffers[n_buffers] = (unsigned char *) results2;
lengths[n_buffers] = results_length2;
@@ -850,7 +863,8 @@ main(int argc, const char **argv)
n_buffers + 1);
if ((buffers == NULL) || (lengths == NULL)) {
fprintf(stderr, "Out of memory.\n");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
buffers[n_buffers] = (unsigned char *) results2;
lengths[n_buffers] = results_length2;
@@ -882,11 +896,11 @@ main(int argc, const char **argv)
}
}
}
- talloc_free(ctx);
- return CM_SUBMIT_STATUS_ISSUED;
+ rval = CM_SUBMIT_STATUS_ISSUED;
+ goto done;
} else {
- talloc_free(ctx);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
break;
case op_get_cert_initial:
@@ -957,42 +971,50 @@ main(int argc, const char **argv)
fprintf(stderr, "%s", s);
cm_log(1, "%s", s);
free(s);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if ((msgtype == NULL) ||
(strcmp(msgtype, SCEP_MSGTYPE_CERTREP) != 0)) {
printf(_("Error: reply was not a CertRep (%s).\n"),
msgtype ? msgtype : "none");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (tx == NULL) {
printf(_("Error: reply is missing transactionId.\n"));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (sent_tx != NULL) {
if (strcmp(sent_tx, tx) != 0) {
printf(_("Error: reply contains a "
"different transactionId.\n"));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
}
if (pkistatus == NULL) {
printf(_("Error: reply is missing pkiStatus.\n"));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (recipient_nonce == NULL) {
printf(_("Error: reply is missing recipientNonce.\n"));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if ((recipient_nonce_length != sent_nonce_length) ||
(memcmp(recipient_nonce, sent_nonce,
sent_nonce_length) != 0)) {
printf(_("Error: reply nonce doesn't match request.\n"));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (sender_nonce == NULL) {
printf(_("Error: reply is missing senderNonce.\n"));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (strcmp(pkistatus, SCEP_PKISTATUS_PENDING) == 0) {
if (verbose > 0) {
@@ -1002,7 +1024,8 @@ main(int argc, const char **argv)
s = cm_store_base64_from_bin(ctx, sender_nonce,
sender_nonce_length);
printf("%s\n", s);
- return CM_SUBMIT_STATUS_WAIT;
+ rval = CM_SUBMIT_STATUS_WAIT;
+ goto done;
} else
if (strcmp(pkistatus, SCEP_PKISTATUS_FAILURE) == 0) {
if (verbose > 0) {
@@ -1050,7 +1073,8 @@ main(int argc, const char **argv)
printf(_("Server returned failure code \"%s\".\n"),
failinfo);
}
- return CM_SUBMIT_STATUS_REJECTED;
+ rval = CM_SUBMIT_STATUS_REJECTED;
+ goto done;
} else
if (strcmp(pkistatus, SCEP_PKISTATUS_SUCCESS) == 0) {
if (verbose > 0) {
@@ -1067,7 +1091,8 @@ main(int argc, const char **argv)
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
fprintf(stderr, "Full reply:\n%s", s);
free(s);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (!PKCS7_type_is_enveloped(p7)) {
printf(_("Error: signed-data payload is not enveloped-data.\n"));
@@ -1079,7 +1104,8 @@ main(int argc, const char **argv)
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
fprintf(stderr, "Full reply:\n%s", s);
free(s);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if ((p7->d.enveloped == NULL) ||
(p7->d.enveloped->enc_data == NULL) ||
@@ -1094,29 +1120,42 @@ main(int argc, const char **argv)
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
fprintf(stderr, "Full reply:\n%s", s);
free(s);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
s = cm_store_base64_from_bin(ctx, payload,
payload_length);
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
printf("%s", s);
free(s);
- return CM_SUBMIT_STATUS_ISSUED;
+ rval = CM_SUBMIT_STATUS_ISSUED;
+ goto done;
} else {
if (verbose > 0) {
fprintf(stderr, "SCEP status is \"%s\".\n", pkistatus);
}
printf(_("Error: pkiStatus \"%s\" not recognized.\n"),
pkistatus);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
} else {
printf(_("Server reply was of unexpected MIME type "
"\"%s\".\n"), content_type);
printf("Full reply:\n%.*s", results_length2, results2);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
break;
}
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+
+done:
+ if (pctx) {
+ poptFreeContext(pctx);
+ }
+ free(cainfo);
+ free(id);
+ cm_submit_h_cleanup(hctx);
+ talloc_free(ctx);
+ return rval;
}
diff --git a/src/submit-h.c b/src/submit-h.c
index 33f9b39..9b507db 100644
--- a/src/submit-h.c
+++ b/src/submit-h.c
@@ -298,6 +298,15 @@ cm_submit_h_result_type(struct cm_submit_h_context *ctx)
return ret;
}
+void
+cm_submit_h_cleanup(struct cm_submit_h_context *ctx)
+{
+
+ if (ctx != NULL && ctx->curl != NULL) {
+ curl_easy_cleanup(ctx->curl);
+ }
+}
+
#ifdef CM_SUBMIT_H_MAIN
int
main(int argc, const char **argv)
@@ -307,7 +316,7 @@ main(int argc, const char **argv)
enum cm_submit_h_opt_negotiate negotiate;
enum cm_submit_h_opt_delegate negotiate_delegate;
enum cm_submit_h_opt_clientauth clientauth;
- int c, fd, l, verbose = 0, length = 0;
+ int c, fd, l, verbose = 0, length = 0, rval = 0;
char *ctype, *accept, *capath, *cainfo, *sslcert, *sslkey, *sslpass;
char *pinfile;
const char *method, *url;
@@ -423,6 +432,8 @@ main(int argc, const char **argv)
cm_submit_h_result_code(ctx),
cm_submit_h_result_code_text(ctx));
}
- return cm_submit_h_result_code(ctx);
+ rval = cm_submit_h_result_code(ctx);
+ cm_submit_h_cleanup(ctx);
+ return rval;
}
#endif
diff --git a/src/submit-h.h b/src/submit-h.h
index 1283c53..931cc89 100644
--- a/src/submit-h.h
+++ b/src/submit-h.h
@@ -61,5 +61,6 @@ int cm_submit_h_result_code(struct cm_submit_h_context *ctx);
const char *cm_submit_h_result_code_text(struct cm_submit_h_context *ctx);
const char *cm_submit_h_results(struct cm_submit_h_context *ctx, int *length);
const char *cm_submit_h_result_type(struct cm_submit_h_context *ctx);
+void cm_submit_h_cleanup(struct cm_submit_h_context *ctx);
#endif
--
2.21.1

View File

@ -0,0 +1,232 @@
From b3dad1c94f2fca289fdf22ded38a1f1463bab95f Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 15 Apr 2020 17:16:42 -0400
Subject: [PATCH 36/39] Re-order the way the SCEP signing and CA certs are
collected
Put cacert into the ca store, the racert at the top of the
othercerts list. Then we parse certs, placing all ca certs
we find into the ca store, and all other certs we find after
the racert.
Variables are renamed to match the cm_pkcs7_parse() and
cm_pkcs7_verify_signed() calls.
A special case for IPA (dogtag) was added because dogtag
uses its CA cert to sign the PKCS7 so it is both an RA cert
and a CA cert. If a self-signed CA is detected and no other
certs are provided then the CA is treated as the RA.
https://bugzilla.redhat.com/show_bug.cgi?id=1808052
Graham Leggett did the majority of the work on this patch.
---
src/pkcs7.c | 18 +++++++++
src/pkcs7.h | 1 +
src/scep.c | 104 +++++++++++++++++++++++++++++++++++-----------------
3 files changed, 89 insertions(+), 34 deletions(-)
diff --git a/src/pkcs7.c b/src/pkcs7.c
index 29420b9..f81174f 100644
--- a/src/pkcs7.c
+++ b/src/pkcs7.c
@@ -1189,3 +1189,21 @@ done:
}
return ret;
}
+
+/* Return 0 if we think "issuer" could have issued "issued", which includes
+ * self-signing. */
+int
+cm_selfsigned(char *cert)
+{
+ BIO *in;
+ X509 *c;
+
+ in = BIO_new_mem_buf(cert, -1);
+ if (in == NULL) {
+ cm_log(0, "Out of memory.\n");
+ return 1;
+ }
+ c = PEM_read_bio_X509(in, NULL, NULL, NULL);
+ BIO_free(in);
+ return(issuerissued(c, c));
+}
diff --git a/src/pkcs7.h b/src/pkcs7.h
index fae52f8..cbde1bc 100644
--- a/src/pkcs7.h
+++ b/src/pkcs7.h
@@ -62,6 +62,7 @@ int cm_pkcs7_verify_signed(unsigned char *data, size_t length,
unsigned char **recipient_nonce,
size_t *recipient_nonce_length,
unsigned char **payload, size_t *payload_length);
+int cm_selfsigned(char *cert);
void log_pkcs7_errors(int level, char *msg);
diff --git a/src/scep.c b/src/scep.c
index 4d00692..b80278e 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -211,12 +211,12 @@ main(int argc, const char **argv)
const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;
void *ctx;
char *params = "", *params2 = NULL, *racert = NULL, *cacert = NULL;
- char **othercerts = NULL, *cert1 = NULL, *cert2 = NULL, *certs = NULL;
+ char **certothers = NULL, *certleaf = NULL, *certtop = NULL, *certs = NULL;
char **racertp, **cacertp, *dracert = NULL, *dcacert = NULL;
char buf[LINE_MAX] = "";
const unsigned char **buffers = NULL;
size_t n_buffers = 0, *lengths = NULL, j;
- const char *cacerts[3], **racerts;
+ const char *root[3], **othercerts;
dbus_bool_t missing_args = FALSE;
char *sent_tx, *tx, *msgtype, *pkistatus, *failinfo, *s, *tmp1, *tmp2;
unsigned char *sent_nonce, *sender_nonce, *recipient_nonce, *payload;
@@ -871,27 +871,27 @@ main(int argc, const char **argv)
n_buffers++;
}
if (cm_pkcs7_parsev(CM_PKCS7_LEAF_PREFER_ENCRYPT, ctx,
- racertp, cacertp, &othercerts,
+ racertp, cacertp, &certothers,
NULL, NULL,
n_buffers, buffers, lengths) == 0) {
if (racert != NULL) {
printf("%s", racert);
if (cacert != NULL) {
printf("%s", cacert);
- if (othercerts != NULL) {
+ if (certothers != NULL) {
for (c = 0;
- othercerts[c] != NULL;
+ certothers[c] != NULL;
c++) {
printf("%s",
- othercerts[c]);
+ certothers[c]);
}
}
if ((dracert != NULL) &&
- (cert_among(dracert, racert, cacert, othercerts) != 0)) {
+ (cert_among(dracert, racert, cacert, certothers) != 0)) {
printf("%s", dracert);
}
if ((dcacert != NULL) &&
- (cert_among(dcacert, racert, cacert, othercerts) != 0)) {
+ (cert_among(dcacert, racert, cacert, certothers) != 0)) {
printf("%s", dcacert);
}
}
@@ -907,47 +907,83 @@ main(int argc, const char **argv)
case op_pkcsreq:
if ((content_type2 != NULL) && (strcasecmp(content_type2,
"application/x-pki-message") == 0)) {
- memset(&cacerts, 0, sizeof(cacerts));
- cacerts[0] = cacert ? cacert : racert;
- cacerts[1] = cacert ? racert : NULL;
- cacerts[2] = NULL;
- racerts = NULL;
+ /*
+ * At this point, we have:
+ * - zero or more ra certs; and
+ * - zero or more ca certificates; and
+ * - zero or more other certificates; that
+ * need to be reordered so that the leaf
+ * certificates go first, the ca certificates
+ * are separated into a seperate certificate
+ * store, and the other certificates go after
+ * the leaf certificates.
+ *
+ * To do this we put cacert into the ca store,
+ * the racert at the top of the othercerts list.
+ * Then we parse certs, placing all ca certs
+ * we find into the ca store, and all other
+ * certs we find after the racert.
+ *
+ * As a limitation of cm_pkcs7_parse(), we
+ * can only isolate one ca certificate in the
+ * list of other certificates.
+ */
+ /* handle the other certs */
if ((certs != NULL) &&
(cm_pkcs7_parse(0, ctx,
- &cert1, &cert2, &othercerts,
+ &certleaf, &certtop, &certothers,
NULL, NULL,
(const unsigned char *) certs,
strlen(certs), NULL) == 0)) {
- for (c = 0;
- (othercerts != NULL) &&
- (othercerts[c] != NULL);
- c++) {
- continue;
+ /* Special case for IPA which uses dogtag which signs SCEP
+ * certs using the CA cert and the typical way to get
+ * verification to work is to use -I /etc/ipa/ca.crt.
+ * Because cm_pkcs7_parse explicitly doesn't allow
+ * certleaf to equal certtop we end up with no CAs so verification
+ * fails.
+ *
+ * So if cacert and certleaf are both NULL and certtop is
+ * self-signed then assume the IPA case and set certtop equal
+ * to certleaf.
+ */
+ if ((cacert == NULL) && (certtop == NULL) && (certleaf != NULL)) {
+ if (cm_selfsigned(certleaf) == 0) {
+ certtop = certleaf;
+ }
}
- racerts = talloc_array_ptrtype(ctx, racerts, c + 5);
+ memset(&root, 0, sizeof(root));
+ root[0] = cacert ? cacert : certtop ? certtop : NULL;
+ root[1] = cacert ? certtop : NULL;
+ root[2] = NULL;
for (c = 0;
- (othercerts != NULL) &&
- (othercerts[c] != NULL);
+ (certothers != NULL) &&
+ (certothers[c] != NULL);
c++) {
- racerts[c] = othercerts[c];
- }
- if (cacert != NULL) {
- racerts[c++] = cacert;
+ continue;
}
- if (cert1 != NULL) {
- racerts[c++] = cert1;
+ othercerts = talloc_array_ptrtype(ctx, othercerts, c + 3);
+ c = 0;
+ if (racert != NULL) {
+ othercerts[c++] = racert;
}
- if (cert2 != NULL) {
- racerts[c++] = cert2;
+ if (certleaf != NULL) {
+ othercerts[c++] = certleaf;
}
- if (racert != NULL) {
- racerts[c++] = racert;
+ while (certothers != NULL && *certothers != NULL) {
+ othercerts[c++] = *certothers++;
}
- racerts[c++] = NULL;
+ othercerts[c++] = NULL;
+ }
+ else {
+ root[0] = cacert;
+ root[1] = NULL;
+ othercerts = talloc_array_ptrtype(ctx, othercerts, 2);
+ othercerts[0] = racert ? racert : NULL;
+ othercerts[1] = NULL;
}
ERR_clear_error();
i = cm_pkcs7_verify_signed((unsigned char *) results2, results_length2,
- cacerts, racerts,
+ root, othercerts,
NID_pkcs7_data, ctx, NULL,
&tx, &msgtype, &pkistatus, &failinfo,
&sender_nonce, &sender_nonce_length,
--
2.21.1

View File

@ -0,0 +1,173 @@
From 37ebf87fb6fc93d445139310a1c89b98f3f514de Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Apr 2020 16:29:50 -0400
Subject: [PATCH 37/39] Add new option to allow overriding the detected SCEP CA
chain
The -R option was doing double-duty for the SCEP CA.
1. It was required if the SCEP URL used TLS
2. It override the CA certificate downloaded from the SCEP server
If the chains were different then validating the SCEP responses would
fail.
https://bugzilla.redhat.com/show_bug.cgi?id=1808613
---
src/certmonger-scep-submit.8.in | 14 +++++++++-----
src/getcert-add-scep-ca.1.in | 12 ++++++++----
src/getcert.c | 6 +++++-
src/scep.c | 13 ++++++-------
4 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in
index 95d674a..42ffcd6 100644
--- a/src/certmonger-scep-submit.8.in
+++ b/src/certmonger-scep-submit.8.in
@@ -8,6 +8,7 @@ scep-submit -u SERVER-URL
[-r ra-cert-file]
[-R ca-cert-file]
[-I other-certs-file]
+[-N ca-cert-file]
[-i ca-identifier]
[-v]
[-n]
@@ -57,11 +58,14 @@ typically \fIhttp://\fBSERVER\fP/cgi-bin/PKICLIENT.EXE\fR or
always required.
.TP
\fB\-R\fR CA-certificate-file
-The location of the SCEP server's CA certificate, which was used to
-issue the SCEP server's certificate, or the SCEP server's own
-certificate, if it is self-signed, in PEM form. If the URL specified
-with the \fB-u\fR option is an \fIhttps\fR URL, then this option is
-required.
+The location of the CA certificate which was used to issue the SCEP web
+server's certificate in PEM form. If the URL specified with the
+\fB-u\fR option is an \fIhttps\fR URL, then this option is required.
+.TP
+\fB\-N\fR ca-certificate-file
+The location of a PEM-formatted copy of the SCEP server's CA certificate.
+A discovered value is normally supplied by the certmonger daemon, but one can
+be specified for troubleshooting purposes.
.TP
\fB\-r\fR RA-certificate-file
The location of the SCEP server's RA certificate, which is expected to
diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
index 11ab4ce..bf07306 100644
--- a/src/getcert-add-scep-ca.1.in
+++ b/src/getcert-add-scep-ca.1.in
@@ -24,12 +24,16 @@ The location of the SCEP server's enrollment interface. This option must be
specified.
.TP
\fB\-R\fR ca-certificate-file
-The location of a PEM-formatted copy of the SCEP server's CA's certificate.
-A discovered value is supplied by the certmonger daemon for use in verifying
-the signature on data returned by the SCEP server, but it is not used for
-verifying HTTPS server certificates.
+The location of a PEM-formatted copy of the CA's certificate used to verify
+the TLS connection the SCEP server.
+
This option must be specified if the URL is an \fIhttps\fR location.
.TP
+\fB\-N\fR ca-certificate-file
+The location of a PEM-formatted copy of the SCEP server's CA certificate.
+A discovered value is normally supplied by the certmonger daemon, but one can
+be specified for troubleshooting purposes.
+.TP
\fB\-r\fR ra-certificate-file
The location of a PEM-formatted copy of the SCEP server's RA's certificate.
A discovered value is normally supplied by the certmonger daemon, but one can
diff --git a/src/getcert.c b/src/getcert.c
index 3d78a73..493771f 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -4496,6 +4496,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS;
char *caname = NULL, *url = NULL, *path = NULL, *id = NULL;
char *root = NULL, *racert = NULL, *certs = NULL, *nickname, *command;
+ char *signingca = NULL;
const char *err;
int c, prefer_non_renewal = 0, verbose = 0;
dbus_bool_t b;
@@ -4508,6 +4509,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
{"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},
{"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},
{"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
+ {"signingca", 'N', POPT_ARG_STRING, NULL, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},
{"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},
{"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},
@@ -4569,7 +4571,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
return 1;
}
command = talloc_asprintf(globals.tctx,
- "%s -u %s %s %s %s %s %s %s %s",
+ "%s -u %s %s %s %s %s %s %s %s %s %s",
shell_escape(globals.tctx,
CM_SCEP_HELPER_PATH),
shell_escape(globals.tctx, url),
@@ -4579,6 +4581,8 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
racert ? shell_escape(globals.tctx, racert) : "",
certs ? "-I" : "",
certs ? shell_escape(globals.tctx, certs) : "",
+ signingca ? "-N" : "",
+ signingca ? shell_escape(globals.tctx, signingca) : "",
prefer_non_renewal ? "-n" : "");
for (c = 0; c < verbose; c++) {
command = talloc_strdup_append(command, " -v");
diff --git a/src/scep.c b/src/scep.c
index b80278e..4294cda 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -206,7 +206,6 @@ main(int argc, const char **argv)
enum known_ops op = op_unset;
const char *id = NULL;
char *cainfo = NULL;
- char *poptarg;
char *message = NULL, *rekey_message = NULL;
const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;
void *ctx;
@@ -235,8 +234,9 @@ main(int argc, const char **argv)
{"get-initial-cert", 'g', POPT_ARG_NONE, NULL, 'g', "send a PKIOperation pkiMessage", NULL},
{"pki-message", 'p', POPT_ARG_NONE, NULL, 'p', "send a PKIOperation pkiMessage", NULL},
{"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"},
- {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying responses", "FILENAME"},
+ {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying TLS connections", "FILENAME"},
{"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', "additional certificates", "FILENAME"},
+ {"signingca", 'N', POPT_ARG_STRING, NULL, 'N', "the CA certificate which signed the RA certificate", "FILENAME"},
{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, "prefer to not use the SCEP Renewal feature", NULL},
{"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL},
POPT_AUTOHELP
@@ -329,9 +329,10 @@ main(int argc, const char **argv)
racert = cm_submit_u_from_file(poptGetOptArg(pctx));
break;
case 'R':
- poptarg = poptGetOptArg(pctx);
- cainfo = strdup(poptarg);
- cacert = cm_submit_u_from_file(poptarg);
+ cainfo = poptGetOptArg(pctx);
+ break;
+ case 'N':
+ cacert = cm_submit_u_from_file(poptGetOptArg(pctx));
break;
case 'I':
certs = cm_submit_u_from_file(poptGetOptArg(pctx));
@@ -340,7 +341,6 @@ main(int argc, const char **argv)
}
if (c != -1) {
poptPrintUsage(pctx, stdout, 0);
- free(cainfo);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
@@ -1189,7 +1189,6 @@ done:
if (pctx) {
poptFreeContext(pctx);
}
- free(cainfo);
free(id);
cm_submit_h_cleanup(hctx);
talloc_free(ctx);
--
2.21.1

View File

@ -0,0 +1,53 @@
From 914164383085c6559f0f5fe608385c3024095f74 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Apr 2020 16:33:35 -0400
Subject: [PATCH 38/39] Include template-profile, issuer and MS cert template
in output
---
src/getcert.c | 16 ++++++++++++++++
tests/028-dbus/expected.out | 1 +
2 files changed, 17 insertions(+)
diff --git a/src/getcert.c b/src/getcert.c
index 493771f..42281af 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -3882,6 +3882,22 @@ list(const char *argv0, int argc, const char **argv)
printf("\t\t%s\n", as[j]);
}
}
+ s1 = query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
+ CM_DBUS_PROP_TEMPLATE_PROFILE, verbose, globals.tctx);
+ if (s1 != NULL && strlen(s1) > 0) {
+ printf(_("\tprofile: %s\n"), s1);
+ }
+ s1 = query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
+ CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE,
+ verbose, globals.tctx);
+ if (s1 != NULL && strlen(s1) > 0) {
+ printf(_("\tms v2 template: %s\n"), s1);
+ }
+ s1 = query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
+ CM_DBUS_PROP_TEMPLATE_ISSUER, verbose, globals.tctx);
+ if (s1 != NULL && strlen(s1) > 0) {
+ printf(_("\tissuer template: %s\n"), s1);
+ }
printf(_("\tpre-save command: %s\n"),
query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
CM_DBUS_PROP_CERT_PRESAVE_COMMAND, verbose, globals.tctx));
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
index 1d8bec4..a25eb34 100644
--- a/tests/028-dbus/expected.out
+++ b/tests/028-dbus/expected.out
@@ -15,6 +15,7 @@ Request ID 'Buddy':
key usage: digitalSignature,dataEncipherment
eku: id-kp-serverAuth
certificate template/profile: SomeProfileName
+ profile: SomeProfileName
pre-save command: echo Pre
post-save command: echo Post
track: yes
--
2.21.1

View File

@ -0,0 +1,26 @@
From 97ede42bda0cb8a983de30fc0608763ae6c2199f Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Apr 2020 16:34:53 -0400
Subject: [PATCH 39/39] Fix broken -N option configuration
There was an extra NULL value which caused it to not work.
---
src/getcert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/getcert.c b/src/getcert.c
index 42281af..5c8dc94 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -4525,7 +4525,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
{"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},
{"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},
{"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
- {"signingca", 'N', POPT_ARG_STRING, NULL, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
+ {"signingca", 'N', POPT_ARG_STRING, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},
{"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},
{"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},
--
2.21.1

View File

@ -0,0 +1,52 @@
From c9c326e1878a377ce4193aaa4b1b41cb711b5e48 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 30 Apr 2020 12:46:41 -0400
Subject: [PATCH] Address an include issue discovered by coverity
nspr.h isn't included so use PORT_ErrorToString() instead
of PR_ErrorToString(), and remain consistent with the
other PORT calls even though they directly translate
to their NSPR equivalents.
Also remove a couple of unused variables in pkcs7.c
---
src/pkcs7.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/pkcs7.c b/src/pkcs7.c
index f81174f..a569256 100644
--- a/src/pkcs7.c
+++ b/src/pkcs7.c
@@ -57,6 +57,9 @@
#define _(_text) (_text)
#endif
+/* taken from nspr4.h */
+#define PR_LANGUAGE_I_DEFAULT 0 /* i-default, the default language */
+
/* Return 0 if we think "issuer" could have issued "issued", which includes
* self-signing. */
static int
@@ -289,7 +292,7 @@ log_pkcs7_errors(int level, char *msg)
}
nss_err = PORT_GetError();
if (nss_err < 0) {
- cm_log(level, "%d: %s\n", nss_err, PR_ErrorToString(nss_err, 0));
+ cm_log(level, "%d: %s\n", nss_err, PORT_ErrorToString(nss_err));
}
}
@@ -929,9 +932,8 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
PKCS7_SIGNER_INFO *si;
BIO *in, *out = NULL;
const unsigned char *u;
- char *s, buf[LINE_MAX], *p, *q;
+ char *s, *p, *q;
int ret = -1, i;
- long error;
if (digest != NULL) {
*digest = NULL;
--
2.21.1

View File

@ -0,0 +1,237 @@
From c9fce72e17b7afa389205d946e5ca7bef997be60 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Apr 2020 13:26:14 -0400
Subject: [PATCH] Ensure that files read in have a trailing new-line
In SCEP when retrieving the CA chain the certificates passed in
on the command-line (RA agent and CA cert) area printed along with
the contents of what was retrieved remotely.
If one of the filesystem certificates lacks a newline then the
output will be jumbled like:
-----END CERTIFICATE----------BEGIN CERTIFICATE-----\n
https://bugzilla.redhat.com/show_bug.cgi?id=1814976
---
src/submit-u.c | 11 +++++++
tests/039-fromfile/expected.out | 4 +++
tests/039-fromfile/run.sh | 55 +++++++++++++++++++++++++++++++++
tests/Makefile.am | 10 ++++--
tests/tools/Makefile.am | 6 +++-
tests/tools/fromfile.c | 52 +++++++++++++++++++++++++++++++
6 files changed, 134 insertions(+), 4 deletions(-)
create mode 100644 tests/039-fromfile/expected.out
create mode 100755 tests/039-fromfile/run.sh
create mode 100644 tests/tools/fromfile.c
diff --git a/src/submit-u.c b/src/submit-u.c
index b0b45ba..dca23a7 100644
--- a/src/submit-u.c
+++ b/src/submit-u.c
@@ -100,6 +100,17 @@ cm_submit_u_from_file(const char *filename)
}
if (csr == NULL) {
csr = strdup("");
+ } else {
+ int length = strlen(csr);
+ if (csr[length-1] != '\n') {
+ length += 1;
+ csr = realloc(csr, length + 1);
+ if (csr == NULL) {
+ return NULL;
+ }
+ csr[length - 1] = '\n';
+ csr[length] = '\0';
+ }
}
return csr;
}
diff --git a/tests/039-fromfile/expected.out b/tests/039-fromfile/expected.out
new file mode 100644
index 0000000..9191a57
--- /dev/null
+++ b/tests/039-fromfile/expected.out
@@ -0,0 +1,4 @@
+[trailing_nl]
+Ok
+[no_trailing_nl]
+Ok
diff --git a/tests/039-fromfile/run.sh b/tests/039-fromfile/run.sh
new file mode 100755
index 0000000..8bae773
--- /dev/null
+++ b/tests/039-fromfile/run.sh
@@ -0,0 +1,55 @@
+#!/bin/bash -e
+
+cd $tmpdir
+
+cat > $tmpdir/trailing_nl <<- EOF
+-----BEGIN CERTIFICATE-----
+MIIDjjCCAnagAwIBAgIRAO1VmyXYM0f7pbXVdEGtRPMwDQYJKoZIhvcNAQELBQAw
+UDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRob3JpdHkxLDAqBgNVBAMMI2Vk
+NTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0NGYzMB4XDTE1MDQyODE3MDk0
+OFoXDTE2MDQyODE3MDk0OFowUDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRo
+b3JpdHkxLDAqBgNVBAMMI2VkNTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0
+NGYzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5c/LhlyBs0UUiDSy
+nrC+Q0WJkWZeQ/kqwniru+GlXgb3g+7VvyAfdZ45NiBdo/6xXyCLphK0g8oZLyi8
+OwQQoUyVMn9gsGXbjlwSzjXKx3wdUM+lFpenx8iQS9aCfVQJ4tzFgM1pQBQ2AiHs
+jvU18xSFSZApjT5UIK35kyH22D8LhCGGYLaU3xFEfHvd0AOuXwm5Nsiu/HTsSV4N
+peUdFEmFzQwUEUdV2jKOPcXnOArV82vfpdp1nSCX3kruEb9G93VsmQ+9ebKXQRQE
+Ltd65e/EYtXvihuTtElLYuyYZlYJdbTZeLXB4YLvElgNkS9JK7RKHlCm0KYQmcmd
+GZSh8QIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQEBMB0GA1UdDgQWBBRLxeFy3+RS
+FloygyjlXa6YEv8ltzAfBgNVHSMEGDAWgBRLxeFy3+RSFloygyjlXa6YEv8ltzAO
+BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAH9A9ePIqZGF4VEo5D4j
+MuOJ1J4uTRxHoEGXCDRcuCn3RvT0civWEPpRNo1YVgAWFODpt/HSi3lCVtTb7FwJ
+hfHkxCpAuHmv3sfT8jcCwTTAXL1BLpCO6d0zz0RrFMNK+vGyZu/7LXhaYVu590Q5
+1DMybHmln7i+Tw/eYb4Avk1FWGOEpNdf3ZjUazcDlkO4EwA6BnZUC8gFvz0OI73D
+AJsGq/UsJvMH30ga1rZ/9LiHEMSEys5amk98yMRvi/R1qI02kjANdZ0ID/7cJSw2
+rVCCs61jgYppWv3JHVKYmm6+cVPAUcuRdsUzDpAQDdvGAaZJENE6suulRVEaBEdS
+8gM=
+-----END CERTIFICATE-----
+EOF
+cat > $tmpdir/no_trailing_nl <<- EOF
+-----BEGIN CERTIFICATE-----
+MIIDjjCCAnagAwIBAgIRAO1VmyXYM0f7pbXVdEGtRPMwDQYJKoZIhvcNAQELBQAw
+UDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRob3JpdHkxLDAqBgNVBAMMI2Vk
+NTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0NGYzMB4XDTE1MDQyODE3MDk0
+OFoXDTE2MDQyODE3MDk0OFowUDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRo
+b3JpdHkxLDAqBgNVBAMMI2VkNTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0
+NGYzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5c/LhlyBs0UUiDSy
+nrC+Q0WJkWZeQ/kqwniru+GlXgb3g+7VvyAfdZ45NiBdo/6xXyCLphK0g8oZLyi8
+OwQQoUyVMn9gsGXbjlwSzjXKx3wdUM+lFpenx8iQS9aCfVQJ4tzFgM1pQBQ2AiHs
+jvU18xSFSZApjT5UIK35kyH22D8LhCGGYLaU3xFEfHvd0AOuXwm5Nsiu/HTsSV4N
+peUdFEmFzQwUEUdV2jKOPcXnOArV82vfpdp1nSCX3kruEb9G93VsmQ+9ebKXQRQE
+Ltd65e/EYtXvihuTtElLYuyYZlYJdbTZeLXB4YLvElgNkS9JK7RKHlCm0KYQmcmd
+GZSh8QIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQEBMB0GA1UdDgQWBBRLxeFy3+RS
+FloygyjlXa6YEv8ltzAfBgNVHSMEGDAWgBRLxeFy3+RSFloygyjlXa6YEv8ltzAO
+BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAH9A9ePIqZGF4VEo5D4j
+MuOJ1J4uTRxHoEGXCDRcuCn3RvT0civWEPpRNo1YVgAWFODpt/HSi3lCVtTb7FwJ
+hfHkxCpAuHmv3sfT8jcCwTTAXL1BLpCO6d0zz0RrFMNK+vGyZu/7LXhaYVu590Q5
+1DMybHmln7i+Tw/eYb4Avk1FWGOEpNdf3ZjUazcDlkO4EwA6BnZUC8gFvz0OI73D
+AJsGq/UsJvMH30ga1rZ/9LiHEMSEys5amk98yMRvi/R1qI02kjANdZ0ID/7cJSw2
+rVCCs61jgYppWv3JHVKYmm6+cVPAUcuRdsUzDpAQDdvGAaZJENE6suulRVEaBEdS
+8gM=
+EOF
+echo -n "-----END CERTIFICATE-----" >> $tmpdir/no_trailing_nl
+
+$toolsdir/fromfile trailing_nl
+$toolsdir/fromfile no_trailing_nl
diff --git a/tests/Makefile.am b/tests/Makefile.am
index fe368dc..1552c48 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -127,7 +127,9 @@ CLEANFILES = \
037-rekey2/actual.out \
037-rekey2/actual.err \
038-ms-v2-template/actual.out \
- 038-ms-v2-template/actual.err
+ 038-ms-v2-template/actual.err \
+ 039-fromfile/actual.out \
+ 039-fromfile/actual.err
EXTRA_DIST = \
run-tests.sh functions certmonger.conf tools/cachain.sh \
001-keyiread/run.sh \
@@ -349,7 +351,8 @@ EXTRA_DIST = \
037-rekey2/run.sh \
038-ms-v2-template/expected.out \
038-ms-v2-template/extract-extdata.py \
- 038-ms-v2-template/run.sh
+ 038-ms-v2-template/run.sh \
+ 039-fromfile/run.sh
subdirs = \
001-keyiread \
@@ -392,7 +395,8 @@ subdirs = \
035-json \
036-getcert \
037-rekey2 \
- 038-ms-v2-template
+ 038-ms-v2-template \
+ 039-fromfile
if HAVE_DBM_NSSDB
subdirs += \
diff --git a/tests/tools/Makefile.am b/tests/tools/Makefile.am
index 39fa954..e0d2f08 100644
--- a/tests/tools/Makefile.am
+++ b/tests/tools/Makefile.am
@@ -16,7 +16,7 @@ endif
noinst_PROGRAMS = keyiread keygen csrgen submit certread certsave oid2name \
name2oid iterate prefs dates listnicks pem2base base2pem \
dparse payload checksig base64 cadata citerate casave hooks \
- libexecdir canon srv addcinfo ls json json-utf8 printenv
+ libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile
noinst_LIBRARIES = libtools.a
if HAVE_OPENSSL
noinst_PROGRAMS += pk7parse pk7env scepgen pk7verify pk7decrypt
@@ -38,3 +38,7 @@ citerate_LDADD = $(top_srcdir)/src/store-gen.c $(LDADD)
srv_SOURCES = srv.c
srv_LDADD = $(top_srcdir)/src/srvloc.c $(LDADD)
+
+fromfile_CFLAGS = $(AM_CFLAGS) $(CURL_CFLAGS)
+fromfile_SOURCES = fromfile.c
+fromfile_LDADD = $(LDADD) $(UUID_LIBS) $(CURL_LIBS)
diff --git a/tests/tools/fromfile.c b/tests/tools/fromfile.c
new file mode 100644
index 0000000..bb70507
--- /dev/null
+++ b/tests/tools/fromfile.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2020 Red Hat, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "../../src/config.h"
+
+#include <sys/types.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include <krb5.h>
+
+#include "../../src/submit-u.h"
+#include "../../src/submit-u.c"
+
+int
+main(int argc, char **argv)
+{
+ int i, result = 0;
+ char *cert;
+
+ for (i = 1; i < argc; i++) {
+ printf("[%s]\n", argv[i]);
+ cert = cm_submit_u_from_file(argv[i]);
+ if (cert == NULL) {
+ printf("OOM error\n");
+ result = 1;
+ }
+ else if (cert[strlen(cert) - 1] != '\n') {
+ printf("Missing trailing newline\n");
+ result = 1;
+ } else {
+ printf("Ok\n");
+ }
+ free(cert);
+ }
+ return result;
+}
--
2.18.4

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,757 @@
From f5b4420f01272f14416558286c66511b1e35816d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 14 May 2020 14:37:31 -0400
Subject: [PATCH 43/43] Add long options to command-line help
The command-line help mostly consisted of only the short options.
Add the long-option and clean up some of the output.
https://bugzilla.redhat.com/show_bug.cgi?id=1782838
---
src/getcert.c | 536 ++++++++++++++++++++++++++++++++------------------
src/scep.c | 2 +-
2 files changed, 345 insertions(+), 193 deletions(-)
diff --git a/src/getcert.c b/src/getcert.c
index 5c8dc94..84e0bf3 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -4864,50 +4864,90 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Required arguments:\n"),
N_("* If using an NSS database for storage:\n"),
- N_(" -d DIR NSS database for key and cert\n"),
- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
+ N_(" -n NAME, --nickname NAME\n"),
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"),
+ N_(" (only valid with -d)\n"),
N_("* If using files for storage:\n"),
- N_(" -k FILE PEM file for private key\n"),
- N_(" -f FILE PEM file for certificate (only valid with -k)\n"),
+ N_(" -k FILE, --keyfile=FILE\n"),
+ N_(" PEM file for private key\n"),
+ N_(" -f FILE, --certfile=FILE\n"),
+ N_(" PEM file for certificate (only valid with -k)\n"),
N_("* If keys are to be encrypted:\n"),
- N_(" -p FILE file which holds the encryption PIN\n"),
- N_(" -P PIN PIN value\n"),
+ N_(" -p FILE, --pinfile=FILE\n"),
+ N_(" file which holds the encryption PIN\n"),
+ N_(" -P PIN, --pin=PIN PIN value\n"),
"\n",
N_("Optional arguments:\n"),
N_("* Certificate handling settings:\n"),
- N_(" -I NAME nickname to assign to the request\n"),
- N_(" -G TYPE type of key to be generated if one is not already in place\n"),
- N_(" -g SIZE size of key to be generated if one is not already in place\n"),
- N_(" -r attempt to renew the certificate when expiration nears (default)\n"),
- N_(" -R don't attempt to renew the certificate when expiration nears\n"),
+ N_(" -I NAME, --new-id=NAME\n"),
+ N_(" new nickname to give to tracking request\n"),
+ N_(" -G TYPE, --key-type=TYPE\n"),
+ N_(" type of key to be generated if one is not already\n"),
+ N_(" in place\n"),
+ N_(" -g BITS, --key-size=BITS\n"),
+ N_(" size of key to be generated if one is not already\n"),
+ N_(" in place\n"),
+ N_(" -r, --renew attempt to renew the certificate when\n"),
+ N_(" expiration nears (default)\n"),
+ N_(" -R, --no-renew don't attempt to renew the certificate when\n"),
+ N_(" expiration nears\n"),
#ifndef FORCE_CA
- N_(" -c CA use the specified CA rather than the default\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
#endif
- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"),
+ N_(" -T PROFILE, --profile=NAME\n"),
+ N_(" ask the CA to process the request using the\n"),
+ N_(" named profile or template\n"),
N_(" --ms-template-spec SPEC\n"),
- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"),
+ N_(" include V2 template specifier in CSR\n"),
+ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
+ N_(" -X ISSUER, --issuer=ISSUER\n"),
+ N_(" ask the CA to process the request using the\n"),
+ N_(" named issuer\n"),
N_("* Parameters for the signing request:\n"),
- N_(" -N NAME set requested subject name (default: CN=<hostname>)\n"),
- N_(" -U EXTUSAGE set requested extended key usage OID\n"),
- N_(" -u KEYUSAGE set requested key usage value\n"),
- N_(" -K NAME set requested principal name\n"),
- N_(" -D DNSNAME set requested DNS name\n"),
- N_(" -E EMAIL set requested email address\n"),
- N_(" -A ADDRESS set requested IP address\n"),
- N_(" -l FILE file which holds an optional challenge password\n"),
- N_(" -L PASSWORD an optional challenge password value\n"),
+ N_(" -N NAME, --subject-name=NAME\n"),
+ N_(" set requested subject name (default: CN=<hostname>)\n"),
+ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),
+ N_(" override requested extended key usage OID\n"),
+ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"),
+ N_(" set requested key usage value\n"),
+ N_(" -K NAME, --principal=NAME\n"),
+ N_(" override requested principal name\n"),
+ N_(" -D DNSNAME, --dns=DNSNAME\n"),
+ N_(" override requested DNS name\n"),
+ N_(" -E EMAIL, --email=EMAIL\n"),
+ N_(" override requested email address\n"),
+ N_(" -A ADDRESS, --ip-address=ADDRESS\n"),
+ N_(" override requested IP address\n"),
+ N_(" -l FILE, --challenge-password-file=FILE\n"),
+ N_(" file which holds an optional challenge password\n"),
+ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"),
+ N_(" an optional challenge password value\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -B command to run before saving the certificate\n"),
- N_(" -C command to run after saving the certificate\n"),
- N_(" -F file in which to store the CA's certificates\n"),
- N_(" -a NSS database in which to store the CA's certificates\n"),
- N_(" -w try to wait for the certificate to be issued\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -B COMMAND, --before-command=COMMAND\n"),
+ N_(" command to run before saving the certificate\n"),
+ N_(" -C COMMAND, --after-command=COMMAND\n"),
+ N_(" command to run after saving the certificate\n"),
+ N_(" -F FILE, --ca-file=FILE\n"),
+ N_(" file in which to store the CA's certificates\n"),
+ N_(" -a DIR, --ca-dbdir=DIR\n"),
+ N_(" NSS database in which to store the CA's certificates\n"),
+ N_(" -w, --wait try to wait for the certificate to be issued\n"),
+ N_(" --wait-timeout TIMEOUT\n"),
+ N_(" Maximum time to wait for the certificateto be issued\n"),
+ N_(" -v, --verbose report all details of errors\n"),
+ N_(" -o OWNER, --key-owner=OWNER\n"),
+ N_(" owner information for private key\n"),
+ N_(" -m MODE, --key-perms=MODE\n"),
+ N_(" file permissions for private key\n"),
+ N_(" -O OWNER, --cert-owner=OWNER\n"),
+ N_(" owner information for certificate\n"),
+ N_(" -M MODE, --cert-perms=MODE\n"),
+ N_(" file permissions for certificate\n"),
NULL,
};
const char *start_tracking_help[] = {
@@ -4915,49 +4955,84 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Required arguments:\n"),
N_("* If modifying an existing request:\n"),
- N_(" -i NAME nickname of an existing tracking request\n"),
+ N_(" -i NAME, --id=NAME nickname of an existing tracking request\n"),
N_("* If using an NSS database for storage:\n"),
- N_(" -d DIR NSS database for key and cert\n"),
- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
+ N_(" -n NAME, --nickname NAME\n"),
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"),
+ N_(" (only valid with -d)\n"),
N_("* If using files for storage:\n"),
- N_(" -k FILE PEM file for private key\n"),
- N_(" -f FILE PEM file for certificate (only valid with -k)\n"),
+ N_(" -k FILE, --keyfile=FILE\n"),
+ N_(" PEM file for private key\n"),
+ N_(" -f FILE, --certfile=FILE\n"),
+ N_(" PEM file for certificate (only valid with -k)\n"),
N_("* If keys are encrypted:\n"),
- N_(" -p FILE file which holds the encryption PIN\n"),
- N_(" -P PIN PIN value\n"),
+ N_(" -p FILE, --pinfile=FILE\n"),
+ N_(" file which holds the encryption PIN\n"),
+ N_(" -P PIN, --pin=PIN PIN value\n"),
"\n",
N_("Optional arguments:\n"),
N_("* Certificate handling settings:\n"),
- N_(" -I NAME nickname to give to tracking request\n"),
- N_(" -r attempt to renew the certificate when expiration nears (default)\n"),
- N_(" -R don't attempt to renew the certificate when expiration nears\n"),
+ N_(" -I NAME, --new-id=NAME\n"),
+ N_(" nickname to give to tracking request\n"),
+ N_(" -r, --renew attempt to renew the certificate when\n"),
+ N_(" expiration nears (default)\n"),
+ N_(" -R, --no-renew don't attempt to renew the certificate when\n"),
+ N_(" expiration nears\n"),
#ifndef FORCE_CA
- N_(" -c CA use the specified CA rather than the default\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
#endif
- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"),
+ N_(" -T PROFILE, --profile=NAME\n"),
+ N_(" ask the CA to process the request using the\n"),
+ N_(" named profile or template\n"),
N_(" --ms-template-spec SPEC\n"),
- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"),
+ N_(" include V2 template specifier in CSR\n"),
+ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
+ N_(" -X ISSUER, --issuer=ISSUER\n"),
+ N_(" ask the CA to process the request using the\n"),
+ N_(" named issuer\n"),
N_("* Parameters for the signing request at renewal time:\n"),
- N_(" -U EXTUSAGE override requested extended key usage OID\n"),
- N_(" -u KEYUSAGE set requested key usage value\n"),
- N_(" -K NAME override requested principal name\n"),
- N_(" -D DNSNAME override requested DNS name\n"),
- N_(" -E EMAIL override requested email address\n"),
- N_(" -A ADDRESS override requested IP address\n"),
- N_(" -l FILE file which holds an optional challenge password\n"),
- N_(" -L PASSWORD an optional challenge password value\n"),
+ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),
+ N_(" override requested extended key usage OID\n"),
+ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"),
+ N_(" set requested key usage value\n"),
+ N_(" -K NAME, --principal=NAME\n"),
+ N_(" override requested principal name\n"),
+ N_(" -D DNSNAME, --dns=DNSNAME\n"),
+ N_(" override requested DNS name\n"),
+ N_(" -E EMAIL, --email=EMAIL\n"),
+ N_(" override requested email address\n"),
+ N_(" -A ADDRESS, --ip-address=ADDRESS\n"),
+ N_(" override requested IP address\n"),
+ N_(" -l FILE, --challenge-password-file=FILE\n"),
+ N_(" file which holds an optional challenge password\n"),
+ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"),
+ N_(" an optional challenge password value\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -B command to run before saving the certificate\n"),
- N_(" -C command to run after saving the certificate\n"),
- N_(" -F file in which to store the CA's certificates\n"),
- N_(" -a NSS database in which to store the CA's certificates\n"),
- N_(" -w try to wait for the certificate to be issued\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -B COMMAND, --before-command=COMMAND\n"),
+ N_(" command to run before saving the certificate\n"),
+ N_(" -C COMMAND, --after-command=COMMAND\n"),
+ N_(" command to run after saving the certificate\n"),
+ N_(" -F FILE, --ca-file=FILE\n"),
+ N_(" file in which to store the CA's certificates\n"),
+ N_(" -a DIR, --ca-dbdir=DIR\n"),
+ N_(" NSS database in which to store the CA's certificates\n"),
+ N_(" -w, --wait try to wait for the certificate to be issued\n"),
+ N_(" --wait-timeout TIMEOUT\n"),
+ N_(" Maximum time to wait for the certificateto be issued\n"),
+ N_(" -v, --verbose report all details of errors\n"),
+ N_(" -o OWNER, --key-owner=OWNER\n"),
+ N_(" owner information for private key\n"),
+ N_(" -m MODE, --key-perms=MODE\n"),
+ N_(" file permissions for private key\n"),
+ N_(" -O OWNER, --cert-owner=OWNER\n"),
+ N_(" owner information for certificate\n"),
+ N_(" -M MODE, --cert-perms=MODE\n"),
+ N_(" file permissions for certificate\n"),
NULL,
};
const char *stop_tracking_help[] = {
@@ -4965,21 +5040,24 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Required arguments:\n"),
N_("* By request identifier:\n"),
- N_(" -i NAME nickname for tracking request\n"),
+ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
N_("* If using an NSS database for storage:\n"),
- N_(" -d DIR NSS database for key and cert\n"),
- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
+ N_(" -n NAME, --nickname NAME\n"),
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
N_("* If using files for storage:\n"),
- N_(" -k FILE PEM file for private key\n"),
- N_(" -f FILE PEM file for certificate (only valid with -k)\n"),
+ N_(" -k FILE, --keyfile=FILE\n"),
+ N_(" PEM file for private key\n"),
+ N_(" -f FILE, --certfile=FILE\n"),
+ N_(" PEM file for certificate (only valid with -k)\n"),
"\n",
N_("Optional arguments:\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
+ "\n",
N_("* Other options:\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
const char *resubmit_help[] = {
@@ -4987,49 +5065,81 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Required arguments:\n"),
N_("* By request identifier:\n"),
- N_(" -i NAME nickname for tracking request\n"),
+ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
N_("* If using an NSS database for storage:\n"),
- N_(" -d DIR NSS database for key and cert\n"),
- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
+ N_(" -n NAME, --nickname NAME\n"),
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"),
+ N_(" (only valid with -d)\n"),
N_("* If using files for storage:\n"),
N_(" -f FILE PEM file for certificate\n"),
"\n",
N_("* If keys are encrypted:\n"),
- N_(" -p FILE file which holds the encryption PIN\n"),
- N_(" -P PIN PIN value\n"),
+ N_(" -p FILE, --pinfile=FILE\n"),
+ N_(" file which holds the encryption PIN\n"),
+ N_(" -P PIN, --pin=PIN PIN value\n"),
"\n",
N_("* New parameter values for the signing request:\n"),
- N_(" -N NAME set requested subject name (default: CN=<hostname>)\n"),
- N_(" -U EXTUSAGE set requested extended key usage OID\n"),
- N_(" -u KEYUSAGE set requested key usage value\n"),
- N_(" -K NAME set requested principal name\n"),
- N_(" -D DNSNAME set requested DNS name\n"),
- N_(" -E EMAIL set requested email address\n"),
- N_(" -A ADDRESS set requested IP address\n"),
- N_(" -l FILE file which holds an optional challenge password\n"),
- N_(" -L PASSWORD an optional challenge password value\n"),
+ N_(" -N NAME, --subject-name=NAME\n"),
+ N_(" set requested subject name (default: CN=<hostname>)\n"),
+ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),
+ N_(" override requested extended key usage OID\n"),
+ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"),
+ N_(" set requested key usage value\n"),
+ N_(" -K NAME, --principal=NAME\n"),
+ N_(" override requested principal name\n"),
+ N_(" -D DNSNAME, --dns=DNSNAME\n"),
+ N_(" override requested DNS name\n"),
+ N_(" -E EMAIL, --email=EMAIL\n"),
+ N_(" override requested email address\n"),
+ N_(" -A ADDRESS, --ip-address=ADDRESS\n"),
+ N_(" override requested IP address\n"),
+ N_(" -l FILE, --challenge-password-file=FILE\n"),
+ N_(" file which holds an optional challenge password\n"),
+ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"),
+ N_(" an optional challenge password value\n"),
"\n",
N_("Optional arguments:\n"),
N_("* Certificate handling settings:\n"),
- N_(" -I NAME new nickname to give to tracking request\n"),
+ N_(" -I NAME, --new-id=NAME\n"),
+ N_(" nickname to give to tracking request\n"),
#ifndef FORCE_CA
- N_(" -c CA use the specified CA rather than the current one\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
#endif
- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"),
+ N_(" -T PROFILE, --profile=NAME\n"),
+ N_(" ask the CA to process the request using the\n"),
+ N_(" named profile or template\n"),
N_(" --ms-template-spec SPEC\n"),
- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"),
+ N_(" include V2 template specifier in CSR\n"),
+ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
+ N_(" -X ISSUER, --issuer=ISSUER\n"),
+ N_(" ask the CA to process the request using the\n"),
+ N_(" named issuer\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -B command to run before saving the certificate\n"),
- N_(" -C command to run after saving the certificate\n"),
- N_(" -F file in which to store the CA's certificates\n"),
- N_(" -a NSS database in which to store the CA's certificates\n"),
- N_(" -w try to wait for the certificate to be issued\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -B COMMAND, --before-command=COMMAND\n"),
+ N_(" command to run before saving the certificate\n"),
+ N_(" -C COMMAND, --after-command=COMMAND\n"),
+ N_(" command to run after saving the certificate\n"),
+ N_(" -F FILE, --ca-file=FILE\n"),
+ N_(" file in which to store the CA's certificates\n"),
+ N_(" -a DIR, --ca-dbdir=DIR\n"),
+ N_(" NSS database in which to store the CA's certificates\n"),
+ N_(" -w, --wait try to wait for the certificate to be issued\n"),
+ N_(" --wait-timeout TIMEOUT\n"),
+ N_(" Maximum time to wait for the certificateto be issued\n"),
+ N_(" -v, --verbose report all details of errors\n"),
+ N_(" -o OWNER, --key-owner=OWNER\n"),
+ N_(" owner information for private key\n"),
+ N_(" -m MODE, --key-perms=MODE\n"),
+ N_(" file permissions for private key\n"),
+ N_(" -O OWNER, --cert-owner=OWNER\n"),
+ N_(" owner information for certificate\n"),
+ N_(" -M MODE, --cert-perms=MODE\n"),
+ N_(" file permissions for certificate\n"),
NULL,
};
const char *rekey_help[] = {
@@ -5037,51 +5147,80 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Required arguments:\n"),
N_("* By request identifier:\n"),
- N_(" -i NAME nickname for tracking request\n"),
+ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
N_("* If using an NSS database for storage:\n"),
- N_(" -d DIR NSS database for key and cert\n"),
- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
+ N_(" -n NAME, --nickname NAME\n"),
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"),
+ N_(" (only valid with -d)\n"),
N_("* If using files for storage:\n"),
- N_(" -f FILE PEM file for certificate\n"),
+ N_(" -f FILE, --certfile=FILE\n"),
+ N_(" PEM file for certificate\n"),
"\n",
N_("* If keys are encrypted:\n"),
- N_(" -p FILE file which holds the encryption PIN\n"),
- N_(" -P PIN PIN value\n"),
+ N_(" -p FILE, --pinfile=FILE\n"),
+ N_(" file which holds the encryption PIN\n"),
+ N_(" -P PIN, --pin=PIN PIN value\n"),
"\n",
N_("* New parameter values for the signing request:\n"),
- N_(" -N NAME set requested subject name (default: CN=<hostname>)\n"),
- N_(" -U EXTUSAGE set requested extended key usage OID\n"),
- N_(" -u KEYUSAGE set requested key usage value\n"),
- N_(" -K NAME set requested principal name\n"),
- N_(" -D DNSNAME set requested DNS name\n"),
- N_(" -E EMAIL set requested email address\n"),
- N_(" -A ADDRESS set requested IP address\n"),
- N_(" -l FILE file which holds an optional challenge password\n"),
- N_(" -L PASSWORD an optional challenge password value\n"),
+ N_(" -N NAME, --subject-name=NAME\n"),
+ N_(" set requested subject name (default: CN=<hostname>)\n"),
+ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),
+ N_(" override requested extended key usage OID\n"),
+ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"),
+ N_(" set requested key usage value\n"),
+ N_(" -K NAME, --principal=NAME\n"),
+ N_(" override requested principal name\n"),
+ N_(" -D DNSNAME, --dns=DNSNAME\n"),
+ N_(" override requested DNS name\n"),
+ N_(" -E EMAIL, --email=EMAIL\n"),
+ N_(" override requested email address\n"),
+ N_(" -A ADDRESS, --ip-address=ADDRESS\n"),
+ N_(" override requested IP address\n"),
+ N_(" -l FILE, --challenge-password-file=FILE\n"),
+ N_(" file which holds an optional challenge password\n"),
+ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"),
+ N_(" an optional challenge password value\n"),
"\n",
N_("Optional arguments:\n"),
N_("* Certificate handling settings:\n"),
- N_(" -I NAME new nickname to give to tracking request\n"),
+ N_(" -I NAME, --new-id=NAME\n"),
+ N_(" new nickname to give to tracking request\n"),
#ifndef FORCE_CA
- N_(" -c CA use the specified CA rather than the current one\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
#endif
- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"),
+ N_(" -T PROFILE, --profile=NAME\n"),
+ N_(" ask the CA to process the request using the\n"),
+ N_(" named profile or template\n"),
N_(" --ms-template-spec SPEC\n"),
- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"),
- N_(" -G TYPE type of new key to be generated\n"),
- N_(" -g SIZE size of new key to be generated\n"),
+ N_(" include V2 template specifier in CSR\n"),
+ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
+ N_(" -X ISSUER, --issuer=ISSUER\n"),
+ N_(" ask the CA to process the request using the\n"),
+ N_(" named issuer\n"),
+ N_(" -G TYPE, --key-type=TYPE\n"),
+ N_(" type of key to be generated if one is not already\n"),
+ N_(" in place\n"),
+ N_(" -g BITS, --key-size=BITS\n"),
+ N_(" size of key to be generated if one is not already\n"),
+ N_(" in place\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -B command to run before saving the certificate\n"),
- N_(" -C command to run after saving the certificate\n"),
- N_(" -F file in which to store the CA's certificates\n"),
- N_(" -a NSS database in which to store the CA's certificates\n"),
- N_(" -w try to wait for the certificate to be issued\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -B COMMAND, --before-command=COMMAND\n"),
+ N_(" command to run before saving the certificate\n"),
+ N_(" -C COMMAND, --after-command=COMMAND\n"),
+ N_(" command to run after saving the certificate\n"),
+ N_(" -F FILE, --ca-file=FILE\n"),
+ N_(" file in which to store the CA's certificates\n"),
+ N_(" -a DIR, --ca-dbdir=DIR\n"),
+ N_(" NSS database in which to store the CA's certificates\n"),
+ N_(" -w, --wait try to wait for the certificate to be issued\n"),
+ N_(" --wait-timeout TIMEOUT\n"),
+ N_(" Maximum time to wait for the certificateto be issued\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
const char *list_help[] = {
@@ -5090,46 +5229,52 @@ help(const char *twopartcmd, const char *category)
N_("Optional arguments:\n"),
N_("* General options:\n"),
#ifndef FORCE_CA
- N_(" -c CA list only requests and certs associated with this CA\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
#endif
- N_(" -r list only information about outstanding requests\n"),
- N_(" -t list only information about tracked certificates\n"),
- N_(" -u display times in UTC instead of local time\n"),
+ N_(" -r, --requests-only list only information about outstanding requests\n"),
+ N_(" -t, --tracking-only list only information about tracked certificates\n"),
+ N_(" -u, --utc display times in UTC instead of local time\n"),
N_("* If selecting a specific request:\n"),
- N_(" -i NAME nickname for tracking request\n"),
+ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
N_("* If using an NSS database for storage:\n"),
- N_(" -d DIR only list requests and certs which use this NSS database\n"),
- N_(" -n NAME only list requests and certs which use this nickname\n"),
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
+ N_(" -n NAME, --nickname NAME\n"),
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
N_("* If using files for storage:\n"),
- N_(" -f FILE only list requests and certs stored in this PEM file\n"),
+ N_(" -f FILE, --certfile=FILE\n"),
+ N_(" only list requests and certs stored in this PEM file\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
const char *refresh_help[] = {
N_("Usage: %s refresh [options]\n"),
"\n",
N_("* General options:\n"),
- N_(" -a refresh information about all outstanding requests\n"),
+ N_(" -a, --all refresh information about all outstanding requests\n"),
"\n",
N_("Required arguments:\n"),
N_("* By request identifier:\n"),
- N_(" -i NAME nickname for tracking request\n"),
+ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
N_("* If using an NSS database for storage:\n"),
- N_(" -d DIR NSS database for key and cert\n"),
- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
+ N_(" -n NAME, --nickname NAME\n"),
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"),
+ N_(" (only valid with -d)\n"),
N_("* If using files for storage:\n"),
- N_(" -f FILE PEM file for certificate\n"),
+ N_(" -f FILE, --certfile=FILE\n"),
+ N_(" PEM file for certificate\n"),
"\n",
N_("Optional arguments:\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
+ N_("* Other options:\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
const char *status_help[] = {
@@ -5137,17 +5282,19 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Optional arguments:\n"),
N_("* Selecting a specific request:\n"),
- N_(" -i NAME nickname for tracking request\n"),
+ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
N_("* When using an NSS database for storage:\n"),
- N_(" -d DIR return status for the request in this NSS database\n"),
- N_(" -n NAME return status for cert which uses this nickname\n"),
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
+ N_(" -n NAME, --nickname NAME\n"),
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
N_("* When using files for storage:\n"),
- N_(" -f FILE return status for cert stored in this PEM file\n"),
+ N_(" -f FILE, --certfile=FILE\n"),
+ N_(" return status for cert stored in this PEM file\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
const char *list_cas_help[] = {
@@ -5156,13 +5303,13 @@ help(const char *twopartcmd, const char *category)
N_("Optional arguments:\n"),
#ifndef FORCE_CA
N_("* General options:\n"),
- N_(" -c CA list only information about the CA with this name\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
#endif
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
const char *refresh_ca_help[] = {
@@ -5171,14 +5318,14 @@ help(const char *twopartcmd, const char *category)
N_("Optional arguments:\n"),
#ifndef FORCE_CA
N_("* General options:\n"),
- N_(" -c CA refresh information about the CA with this name\n"),
- N_(" -a refresh information about all known CAs\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
+ N_(" -a, --all refresh information about all known CAs\n"),
#endif
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
#ifndef FORCE_CA
@@ -5187,13 +5334,13 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Optional arguments:\n"),
N_("* General options:\n"),
- N_(" -c CA nickname to give to the new CA configuration\n"),
- N_(" -e CMD helper command to run to communicate with CA\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
+ N_(" -e CMD, --command CMD helper command to run to communicate with CA\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
const char *add_scep_ca_help[] = {
@@ -5201,18 +5348,23 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Optional arguments:\n"),
N_("* General options:\n"),
- N_(" -c CA nickname to give to the new CA configuration\n"),
- N_(" -u URL location of SCEP server\n"),
- N_(" -i ID CA identifier\n"),
- N_(" -R FILE file containing CA's certificate\n"),
- N_(" -r FILE file containing RA's certificate\n"),
- N_(" -I FILE file containing certificates in RA's certifying chain\n"),
- N_(" -n prefer not to use the SCEP Renewal feature\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
+ N_(" -u URL, --URL URL location of SCEP server\n"),
+ N_(" -i ID, --id ID CA identifier\n"),
+ N_(" -R FILE, --cacert=FILE\n"),
+ N_(" file containing web server's certificate\n"),
+ N_(" -r FILE, --racert=FILE\n"),
+ N_(" file containing RA's certificate\n"),
+ N_(" -N FILE, --signingca=FILE\n"),
+ N_(" file containing CA's certificate\n"),
+ N_(" -I FILE, --other-certs=FILE\n"),
+ N_(" file containing certificates in RA's certifying chain\n"),
+ N_(" -n, --non-renewal prefer not to use the SCEP Renewal feature\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
const char *modify_ca_help[] = {
@@ -5220,13 +5372,13 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Optional arguments:\n"),
N_("* General options:\n"),
- N_(" -c CA nickname of the CA configuration\n"),
- N_(" -e CMD updated helper command to run to communicate with CA\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
+ N_(" -e CMD, --command CMD helper command to run to communicate with CA\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
const char *remove_ca_help[] = {
@@ -5234,12 +5386,12 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Optional arguments:\n"),
N_("* General options:\n"),
- N_(" -c CA nickname of CA configuration to remove\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
#endif
diff --git a/src/scep.c b/src/scep.c
index 4294cda..4dde1ce 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -230,7 +230,7 @@ main(int argc, const char **argv)
{"url", 'u', POPT_ARG_STRING, &url, 0, "service location", "URL"},
{"ca-identifier", 'i', POPT_ARG_STRING, &id, 0, "name to use when querying for capabilities", "IDENTIFIER"},
{"retrieve-ca-capabilities", 'c', POPT_ARG_NONE, NULL, 'c', "make a GetCACaps request", NULL},
- {"retrieve-ca-certificates", 'C', POPT_ARG_NONE, NULL, 'C', "make GetCACert/GetCAChain requests", NULL},
+ {"retrieve-ca-certificates", 'C', POPT_ARG_NONE, NULL, 'C', "make GetCACert request", NULL},
{"get-initial-cert", 'g', POPT_ARG_NONE, NULL, 'g', "send a PKIOperation pkiMessage", NULL},
{"pki-message", 'p', POPT_ARG_NONE, NULL, 'p', "send a PKIOperation pkiMessage", NULL},
{"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"},
--
2.21.1

View File

@ -0,0 +1,151 @@
From bf409dbab5f5910de6c2691f978bb8644532728a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 18 May 2020 15:01:02 -0400
Subject: [PATCH] Adapt to the new behavior of disconnect in dbus-broker
The dbus server was replaced in Fedora-29 to use dbus-broker.
This server does not allow reconnects on a disconnect. certmonger
was crashing as a result.
The only way to directly pass a message between the dbus queue and
the main tevent handle is via a signal. So when a disconnect is
detected send a SIGTERM to getpid() in order to force a graceful
shutdown.
https://bugzilla.redhat.com/show_bug.cgi?id=1687698
---
src/tdbus.c | 61 ++++++++++-------------------------------------------
1 file changed, 11 insertions(+), 50 deletions(-)
diff --git a/src/tdbus.c b/src/tdbus.c
index a81b534..402022e 100644
--- a/src/tdbus.c
+++ b/src/tdbus.c
@@ -22,6 +22,7 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <signal.h>
#include <talloc.h>
#include <tevent.h>
@@ -522,60 +523,24 @@ cm_tdbus_timeout_cleanup(void *data)
}
static void
-cm_tdbus_reconnect(struct tevent_context *ec, struct tevent_timer *timer,
+cm_tdbus_disconnected(struct tevent_context *ec, struct tevent_timer *timer,
struct timeval current_time, void *pvt)
{
- const char *bus_desc;
struct tdbus_connection *tdb;
- struct timeval later;
- dbus_bool_t exit_on_disconnect = TRUE;
+ pid_t pid;
tdb = pvt;
talloc_free(timer);
if ((tdb->conn == NULL) ||
!dbus_connection_get_is_connected(tdb->conn)) {
- /* Close the current connection and open a new one. */
+ /* Close the current connection and exit. */
if (tdb->conn != NULL) {
dbus_connection_unref(tdb->conn);
tdb->conn = NULL;
}
- bus_desc = NULL;
- switch (tdb->conn_type) {
- case cm_tdbus_system:
- cm_log(1, "Attempting to reconnect to system bus.\n");
- tdb->conn = dbus_bus_get(DBUS_BUS_SYSTEM, NULL);
- cm_set_conn_ptr(tdb->data, tdb->conn);
- /* Don't exit if we get disconnected. */
- exit_on_disconnect = FALSE;
- bus_desc = "system";
- break;
- case cm_tdbus_session:
- cm_log(1, "Attempting to reconnect to session bus.\n");
- tdb->conn = dbus_bus_get(DBUS_BUS_SESSION, NULL);
- cm_set_conn_ptr(tdb->data, tdb->conn);
- /* Exit if we get disconnected. */
- exit_on_disconnect = TRUE;
- bus_desc = "session";
- break;
- case cm_tdbus_private:
- abort();
- break;
- }
- if ((tdb->conn != NULL) &&
- dbus_connection_get_is_connected(tdb->conn)) {
- /* We're reconnected; reset our handlers. */
- cm_log(1, "Reconnected to %s bus.\n", bus_desc);
- dbus_connection_set_exit_on_disconnect(tdb->conn,
- exit_on_disconnect);
- cm_tdbus_setup_public_connection(tdb, tdb->conn,
- bus_desc, NULL);
- } else {
- /* Try reconnecting again later. */
- later = tevent_timeval_current_ofs(CM_DBUS_RECONNECT_TIMEOUT, 0),
- tevent_add_timer(ec, tdb, later,
- cm_tdbus_reconnect,
- tdb);
- }
+ pid = getpid();
+ cm_log(0, "Disconnected from dbus, exiting with SIGTERM.\n");
+ kill(pid, SIGTERM);
}
}
@@ -585,12 +550,12 @@ cm_tdbus_filter(DBusConnection *conn, DBusMessage *dmessage, void *data)
struct tdbus_connection *tdb = data;
const char *destination, *unique_name, *path, *interface, *member;
- /* If we're disconnected, queue a reconnect. */
+ /* If we're disconnected, queue an exit. */
if ((tdb->conn_type != cm_tdbus_private) &&
!dbus_connection_get_is_connected(conn)) {
tevent_add_timer(talloc_parent(tdb), tdb,
tevent_timeval_current(),
- cm_tdbus_reconnect,
+ cm_tdbus_disconnected,
tdb);
return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
}
@@ -745,7 +710,6 @@ cm_tdbus_setup_public(struct tevent_context *ec, enum cm_tdbus_type bus_type,
DBusError err;
const char *bus_desc;
struct tdbus_connection *tdb;
- dbus_bool_t exit_on_disconnect;
/* Build our own context. */
tdb = talloc_ptrtype(ec, tdb);
@@ -764,15 +728,11 @@ cm_tdbus_setup_public(struct tevent_context *ec, enum cm_tdbus_type bus_type,
case cm_tdbus_system:
conn = dbus_bus_get(DBUS_BUS_SYSTEM, error);
cm_set_conn_ptr(data, conn);
- /* Don't exit if we get disconnected. */
- exit_on_disconnect = FALSE;
bus_desc = "system";
break;
case cm_tdbus_session:
conn = dbus_bus_get(DBUS_BUS_SESSION, error);
cm_set_conn_ptr(data, conn);
- /* Exit if we get disconnected. */
- exit_on_disconnect = TRUE;
bus_desc = "session";
break;
case cm_tdbus_private:
@@ -784,7 +744,8 @@ cm_tdbus_setup_public(struct tevent_context *ec, enum cm_tdbus_type bus_type,
talloc_free(tdb);
return -1;
}
- dbus_connection_set_exit_on_disconnect(conn, exit_on_disconnect);
+ /* Exit on disconnect is handled in cm_tdbus_disconnected(). */
+ dbus_connection_set_exit_on_disconnect(conn, FALSE);
tdb->conn = conn;
tdb->conn_type = bus_type;
tdb->data = data;
--
2.21.1

View File

@ -0,0 +1,62 @@
From b63be96fd30d0a9fb2538e41509e8813620d5107 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 22 May 2020 12:58:44 -0400
Subject: [PATCH] Include &message=CA-IDENT with GetCACaps and GetCACert
requests
The guttman spec is quite unclear on this and in the GetCACaps
section doesn't mention &message at all. It only appears in the
generic GET requests section 4.1
The nourse spec is clearer and requires &message=CA-IDENT on
GetCACaps requests.
AD 2012 R2 servers also require message on GetCACert requests.
This reverts much of 60a4db5796b0575ca2cc9f1af4ecb3fdc6359242
https://bugzilla.redhat.com/show_bug.cgi?id=1839181
https://pagure.io/certmonger/issue/103
---
src/scep.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/scep.c b/src/scep.c
index 4dde1ce..11ebd6f 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -370,11 +370,11 @@ main(int argc, const char **argv)
break;
case op_get_ca_caps:
/* Only step: read capabilities for the daemon. */
- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
+ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
break;
case op_get_ca_certs:
/* First step: get the root certificate. */
- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT);
+ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT "&message=%s", id);
break;
case op_get_cert_initial:
if ((racert == NULL) || (strlen(racert) == 0)) {
@@ -393,7 +393,7 @@ main(int argc, const char **argv)
goto done;
}
/* First step: read capabilities for our use. */
- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
+ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
}
break;
case op_pkcsreq:
@@ -413,7 +413,7 @@ main(int argc, const char **argv)
goto done;
}
/* First step: read capabilities for our use. */
- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
+ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
}
break;
}
--
2.25.4

View File

@ -9,7 +9,7 @@
Name: certmonger
Version: 0.79.7
Release: 3%{?dist}
Release: 14%{?dist}
Summary: Certificate status monitor and PKI enrollment client
Group: System Environment/Daemons
@ -90,6 +90,27 @@ Patch22: 0022-Uninitialized-variable.patch
Patch23: 0023-merge-into-clang-more-Memory-leaks.patch
Patch24: 0024-Add-missing-return-type-declaration.patch
Patch25: 0025-Discards-const-qualifier.patch
Patch26: 0026-Optimize-closing-open-file-descriptors.patch
Patch27: 0027-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch
Patch28: 0028-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch
Patch29: 0029-Remove-NOMODDB-flag-flag-from-context-init-look-for-.patch
Patch30: 0030-Update-tests-to-include-the-security-module-DB-in-ex.patch
Patch31: 0031-Try-to-pull-the-entire-CA-chain-from-IPA.patch
Patch32: 0032-Fix-use-after-free-issue.patch
Patch33: 0033-Improve-logging-in-SCEP-helper.patch
Patch34: 0034-Add-verbose-option-to-SCEP-CA-if-requested-in-add-sc.patch
Patch35: 0035-Cleanup-the-SCEP-helper-curl-and-talloc-contexts-whe.patch
Patch36: 0036-Re-order-the-way-the-SCEP-signing-and-CA-certs-are-c.patch
Patch37: 0037-Add-new-option-to-allow-overriding-the-detected-SCEP.patch
Patch38: 0038-Include-template-profile-issuer-and-MS-cert-template.patch
Patch39: 0039-Fix-broken-N-option-configuration.patch
Patch40: 0040-Address-an-include-issue-discovered-by-coverity.patch
Patch41: 0041-Ensure-that-files-read-in-have-a-trailing-new-line.patch
Patch42: 0042-Add-long-command-line-options-to-man-pages.patch
Patch43: 0043-Add-long-options-to-command-line-help.patch
Patch44: 0044-Adapt-to-the-new-behavior-of-disconnect-in-dbus-brok.patch
Patch45: 0045-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch
%description
Certmonger is a service which is primarily concerned with getting your
@ -107,6 +128,26 @@ system enrolled with a certificate authority (CA) and keeping it enrolled.
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
%patch38 -p1
%patch39 -p1
%patch40 -p1
%patch41 -p1
%patch42 -p1
%patch43 -p1
%patch44 -p1
%patch45 -p1
%build
autoreconf -i -f
@ -120,8 +161,8 @@ autoreconf -i -f
%if %{tmpfiles}
--enable-tmpfiles \
%endif
--with-homedir=/var/run/certmonger \
--with-tmpdir=/var/run/certmonger --enable-pie --enable-now
--with-homedir=/run/certmonger \
--with-tmpdir=/run/certmonger --enable-pie --enable-now
# For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
# tell us about libxmlrpc_client, but we need more. Work around.
make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc"
@ -130,7 +171,7 @@ make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc"
rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/lib/certmonger/{cas,requests}
install -m755 -d $RPM_BUILD_ROOT/var/run/certmonger
install -m755 -d $RPM_BUILD_ROOT/run/certmonger
%{find_lang} %{name}
%check
@ -215,7 +256,7 @@ exit 0
%{_datadir}/dbus-1/services/*
%dir %{_sysconfdir}/certmonger
%config(noreplace) %{_sysconfdir}/certmonger/certmonger.conf
%dir /var/run/certmonger
%dir /run/certmonger
%{_bindir}/*
%{_sbindir}/certmonger
%{_mandir}/man*/*
@ -233,6 +274,48 @@ exit 0
%endif
%changelog
* Tue Jun 2 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-14
- Include &message=CA-IDENT with GetCACaps/GetCACert requests (#1843009)
* Mon May 18 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-13
- Exit gracefully if dbus is restarted (#1687698)
* Thu May 14 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-12
- Add long command-line options to man pages and help output (#1782838)
* Mon May 4 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-11
- Fix test failure in 039-fromfile
* Mon May 4 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-10
- Ensure that files read in have a trailing new-line (#1829490)
* Thu Apr 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-9
- Call the secport equivalent of PR_ErrorToString
- Remove a couple of unused varaibles found by coverity
* Mon Apr 13 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-8
- Move systemd tmpfiles from /var/run to /run (#1804928)
- Improve logging in the SCEP helper (#1807691)
- Fix sort order of certificates passed into PKCS7_verify (#1808052)
- Add -N option to SCEP helper to separate web server chain from
SCEP issuer chain (#1808613)
- Add template profile, MS v2 template and issuer to getcert list
output (#1734451)
* Tue Dec 17 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-7
- Update gating requirements
* Mon Dec 16 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-6
- Rebuild
* Mon Dec 2 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-5
- Fix use-after-free issue when retrieving CA chain (#1710632)
* Mon Dec 2 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-4
- Optimize closing of file descriptors on fork (#1763745)
- Remove NOMODDB flag flag from context init, look for full tokens (#1746543)
- Retrieve full IPA CA chain (#1710632)
* Tue May 14 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-3
- Rebuild for new annobin (#1708095)