diff --git a/0001-Perm-issues-in-sqlite-databases-show-up-in-slightly-.patch b/0001-Perm-issues-in-sqlite-databases-show-up-in-slightly-.patch
new file mode 100644
index 0000000..ad64493
--- /dev/null
+++ b/0001-Perm-issues-in-sqlite-databases-show-up-in-slightly-.patch
@@ -0,0 +1,63 @@ +From 3cb710fbea245476a49af77d670fedb35bba16de Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 9 Jan 2018 22:07:17 -0500 +Subject: [PATCH 1/6] Perm issues in sqlite databases show up in slightly + different ways + +SQLite databases may return SEC_ERROR_READ_ONLY instead of +SEC_ERROR_BAD_DATABASE. + +If a database is opened as read-write but it fails (e.g. in a +read-only directory) it will try again to open it as read-only +and potentially fail because it doesn't exist at all. This sets +errno as ENOENT rather than the expected EACCES so treat that +as a read failure as well. + +Related: https://pagure.io/certmonger/issue/88 +--- + src/certsave-n.c | 5 ++++- + src/keygen-n.c | 6 +++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/certsave-n.c b/src/certsave-n.c +index 67deb88b..a2c97000 100644 +--- a/src/certsave-n.c ++++ b/src/certsave-n.c +@@ -128,10 +128,13 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, + NSS_INIT_NOMODDB); + ec = PORT_GetError(); + if (ctx == NULL) { +- if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) { ++ if ((ec == SEC_ERROR_READ_ONLY) && readwrite) { ++ ec = PR_NO_ACCESS_RIGHTS_ERROR; ++ } else if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) { + switch (errno) { + case EACCES: + case EPERM: ++ case ENOENT: + ec = PR_NO_ACCESS_RIGHTS_ERROR; + break; + default: +diff --git a/src/keygen-n.c b/src/keygen-n.c +index 08f00496..8078a520 100644 +--- a/src/keygen-n.c ++++ b/src/keygen-n.c +@@ -169,10 +169,14 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, + NSS_INIT_NOMODDB); + ec = PORT_GetError(); + if (ctx == NULL) { +- if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) { ++ if ((ec == SEC_ERROR_READ_ONLY) && readwrite) { ++ ec = PR_NO_ACCESS_RIGHTS_ERROR; ++ } ++ else if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) { + switch (errno) { + case EACCES: + case EPERM: ++ case ENOENT: + ec = PR_NO_ACCESS_RIGHTS_ERROR; + break; 
+ default: +-- +2.15.1 + diff --git a/0002-SQLite-databases-require-a-password-to-modify-trust-.patch b/0002-SQLite-databases-require-a-password-to-modify-trust-.patch new file mode 100644 index 0000000..6cae47d --- /dev/null +++ b/0002-SQLite-databases-require-a-password-to-modify-trust-.patch 
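Review bot: Adding `case ENOENT:` to the `errno` switch in both `cm_certsave_n_main` (src/certsave-n.c) and `cm_keygen_n_main` (src/keygen-n.c) reports a database that does not exist at all as `PR_NO_ACCESS_RIGHTS_ERROR`, so a mistyped storage location would surface as a filesystem permissions problem. The switch also reads `errno` after `NSS_InitContext()` and `PORT_GetError()` have returned, and nothing visible in the hunk clears it beforehand, so the value may be left over from an unrelated call. I would put a comment above the new case, e.g. `/* sqlite: the read-only retry reports a missing DB as ENOENT; a wrong path looks the same */`, and set `errno = 0;` before the `NSS_InitContext()` call if the surrounding code does not already do so. The `else if` in keygen-n.c sits on its own line while certsave-n.c uses `} else if`; one form should be used in both files. Both functions start and end outside their hunks.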
@@ -0,0 +1,52 @@ +From f1b7eeceef117606c060f61542754f5556739469 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 9 Jan 2018 22:13:49 -0500 +Subject: [PATCH 2/6] SQLite databases require a password to modify trust and + to sign + +This affects certutil -M and cmsutil -S. Need to add -f pinfile. + +https://pagure.io/certmonger/issue/88 +--- + tests/030-rekey/run.sh | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/tests/030-rekey/run.sh b/tests/030-rekey/run.sh +index 9b50da4a..07fea683 100755 +--- a/tests/030-rekey/run.sh ++++ b/tests/030-rekey/run.sh +@@ -140,11 +140,11 @@ for preserve in 1 0 ; do + + echo "This is the plaintext." > plain.txt + echo "NSS Signing:" +- certutil -M -d $tmpdir -n i$size -t P,P,P +- cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed ++ certutil -M -d $tmpdir -n i$size -t P,P,P -f pinfile ++ cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed -f pinfile + echo "NSS Verify:" +- cmsutil -D -d $tmpdir -f pinfile -i signed +- certutil -M -d $tmpdir -n i$size -t ,, ++ cmsutil -D -d $tmpdir -f pinfile -i signed -f pinfile ++ certutil -M -d $tmpdir -n i$size -t ,, -f pinfile + + # Go and save the new certs and keys (NSS). + echo '(saving)' +@@ -163,11 +163,11 @@ for preserve in 1 0 ; do + + echo "This is the plaintext." > plain.txt + echo "NSS Signing:" +- certutil -M -d $tmpdir -n i$size -t P,P,P +- cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed ++ certutil -M -d $tmpdir -n i$size -t P,P,P -f pinfile ++ cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed -f pinfile + echo "NSS Verify:" +- cmsutil -D -d $tmpdir -f pinfile -i signed +- certutil -M -d $tmpdir -n i$size -t ,, ++ cmsutil -D -d $tmpdir -f pinfile -i signed -f pinfile ++ certutil -M -d $tmpdir -n i$size -t ,, -f pinfile + + # Now generate new keys, CSRs, and certificates (OpenSSL). + echo "PEM keys before re-keygen (preserve=$preserve,pin=\"$pin\"):" +-- +2.15.1 + 
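Review bot: The `cmsutil -S` and `cmsutil -D` lines already passed `-f pinfile` before this change, so on the new side each of them carries the option twice (`cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed -f pinfile`), in both hunks of tests/030-rekey/run.sh. Only the two `certutil -M` calls were missing the password file; the cmsutil lines can stay as `cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed` and `cmsutil -D -d $tmpdir -f pinfile -i signed`. The repeated option is presumably harmless, but it hides which commands actually needed the PIN once the database is sqlite. The enclosing `for preserve in 1 0` loop starts and ends outside the hunks.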
diff --git a/0003-NSS-in-rawhide-F28-was-switched-to-sqlite-fix-assump.patch b/0003-NSS-in-rawhide-F28-was-switched-to-sqlite-fix-assump.patch
new file mode 100644
index 0000000..401aec4
--- /dev/null
+++ b/0003-NSS-in-rawhide-F28-was-switched-to-sqlite-fix-assump.patch
@@ -0,0 +1,405 @@ +From 0cfefe50373cd5f7da5b49f1a1380ba8b5baf825 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 9 Jan 2018 22:14:53 -0500 +Subject: [PATCH 3/6] NSS in rawhide (F28) was switched to sqlite, fix + assumptions + +Previous releases of NSS had dbm as the default storage type. +Certain assumptions were built into the tests. Make the default +scheme more explicit, leaving it as dbm for now. + +https://pagure.io/certmonger/issue/88 +--- + tests/007-certsave-dbm/expected.out | 4 ++-- + tests/007-certsave/expected.out | 4 ++-- + tests/007-certsave/run.sh | 47 +++++++++++++++++++------------------ + tests/025-casave/run.sh | 36 ++++++++++++++-------------- + tests/034-perms/expected.out | 36 ++++++++++++++-------------- + tests/034-perms/run.sh | 2 ++ + 6 files changed, 66 insertions(+), 63 deletions(-) + +diff --git a/tests/007-certsave-dbm/expected.out b/tests/007-certsave-dbm/expected.out +index e0978c66..ed6b4ede 100644 +--- a/tests/007-certsave-dbm/expected.out ++++ b/tests/007-certsave-dbm/expected.out +@@ -37,7 +37,7 @@ Testing setting trust to C,c,p: + wrong nickname, right subject: cert ,, + wrong subject, right nickname: cert ,, + [nss:rosubdir] +-Failed to save (NSS:${tmpdir}/rosubdir), filesystem permissions error. ++Failed to save (NSS:dbm:${tmpdir}/rosubdir), filesystem permissions error. + [nss:rwsubdir] +-Failed to save (NSS:${tmpdir}/rwsubdir), filesystem permissions error. ++Failed to save (NSS:dbm:${tmpdir}/rwsubdir), filesystem permissions error. + Test complete. +diff --git a/tests/007-certsave/expected.out b/tests/007-certsave/expected.out +index e0978c66..ed6b4ede 100644 +--- a/tests/007-certsave/expected.out ++++ b/tests/007-certsave/expected.out +@@ -37,7 +37,7 @@ Testing setting trust to C,c,p: + wrong nickname, right subject: cert ,, + wrong subject, right nickname: cert ,, + [nss:rosubdir] +-Failed to save (NSS:${tmpdir}/rosubdir), filesystem permissions error. 
++Failed to save (NSS:dbm:${tmpdir}/rosubdir), filesystem permissions error. + [nss:rwsubdir] +-Failed to save (NSS:${tmpdir}/rwsubdir), filesystem permissions error. ++Failed to save (NSS:dbm:${tmpdir}/rwsubdir), filesystem permissions error. + Test complete. +diff --git a/tests/007-certsave/run.sh b/tests/007-certsave/run.sh +index bea8341a..29b02152 100755 +--- a/tests/007-certsave/run.sh ++++ b/tests/007-certsave/run.sh +@@ -2,8 +2,9 @@ + + cd "$tmpdir" + ++scheme="${scheme:-dbm}" + source "$srcdir"/functions +-initnssdb ${scheme:+${scheme}:}$tmpdir ++initnssdb $scheme:$tmpdir + + wrongcert='-----BEGIN CERTIFICATE----- + MIIDQTCCAimgAwIBAgIBBTANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwdwaWxs +@@ -50,7 +51,7 @@ echo "$wrongcert" | sed -e 's,^$,,g' -e 's,^ ,,g' > cert.wrong + echo "[nss:wrongnick]" + cat > entry.nss << EOF + cert_storage_type=NSSDB +-cert_storage_location=${scheme:+${scheme}:}$tmpdir ++cert_storage_location=$scheme:$tmpdir + cert_nickname=wrongnick + cert=$cert + EOF +@@ -59,7 +60,7 @@ $toolsdir/certsave entry.nss + echo "[nss:wrongcert]" + cat > entry.nss << EOF + cert_storage_type=NSSDB +-cert_storage_location=${scheme:+${scheme}:}$tmpdir ++cert_storage_location=$scheme:$tmpdir + cert_nickname=cert + cert=$wrongcert + EOF +@@ -68,13 +69,13 @@ $toolsdir/certsave entry.nss + echo "[nss:right]" + cat > entry.nss << EOF + cert_storage_type=NSSDB +-cert_storage_location=${scheme:+${scheme}:}$tmpdir ++cert_storage_location=$scheme:$tmpdir + cert_nickname=cert + cert=$cert + EOF + $toolsdir/certsave entry.nss + $toolsdir/listnicks entry.nss +-certutil -d ${scheme:+${scheme}:}$tmpdir -L -n cert -a > cert.nss ++certutil -d $scheme:$tmpdir -L -n cert -a > cert.nss + # Save the wrong certificate to the PEM file. + echo "[openssl:wrong]" + cat > entry.openssl << EOF +@@ -96,7 +97,7 @@ run_dos2unix cert.original + run_dos2unix cert.nss + run_dos2unix cert.openssl + if ! 
cmp cert.original cert.nss ; then +- echo Original and NSS disagree "(${scheme:+${scheme}:}$tmpdir)". ++ echo Original and NSS disagree "($scheme:$tmpdir)". + cat cert.original cert.nss + exit 1 + fi +@@ -137,62 +138,62 @@ $toolsdir/certsave entry.openssl || true + for trust in ,, P,, ,P, CT,C, C,c,p ; do + echo Testing setting trust to "$trust": + # Save the right certificate to NSS's database and read it back. +- initnssdb ${scheme:+${scheme}:}$tmpdir ++ initnssdb $scheme:$tmpdir + cat > entry.nss <<- EOF + cert_storage_type=NSSDB +- cert_storage_location=${scheme:+${scheme}:}$tmpdir ++ cert_storage_location=$scheme:$tmpdir + cert_nickname=cert + cert=$cert + EOF + $toolsdir/certsave entry.nss +- certutil -d ${scheme:+${scheme}:}$tmpdir -M -n cert -t $trust ++ certutil -d $scheme:$tmpdir -M -n cert -t $trust + echo -n " baseline: " +- certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' ++ certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' + $toolsdir/certsave entry.nss + echo -n " right nickname, right subject: " +- certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' ++ certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' + # Save the right certificate to NSS's database with the wrong nickname. +- initnssdb ${scheme:+${scheme}:}$tmpdir ++ initnssdb $scheme:$tmpdir + $toolsdir/certsave entry.nss + cat > entry.nss <<- EOF + cert_storage_type=NSSDB +- cert_storage_location=${scheme:+${scheme}:}$tmpdir ++ cert_storage_location=$scheme:$tmpdir + cert_nickname=wrongnick + cert=$cert + EOF + $toolsdir/certsave entry.nss +- certutil -d ${scheme:+${scheme}:}$tmpdir -M -n wrongnick -t $trust ++ certutil -d $scheme:$tmpdir -M -n wrongnick -t $trust + # Save the right certificate to NSS's database and read it back. 
+ cat > entry.nss <<- EOF + cert_storage_type=NSSDB +- cert_storage_location=${scheme:+${scheme}:}$tmpdir ++ cert_storage_location=$scheme:$tmpdir + cert_nickname=cert + cert=$cert + EOF + $toolsdir/certsave entry.nss + echo -n " wrong nickname, right subject: " +- certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' ++ certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' + # Save the wrong certificate to NSS's database with the right nickname. +- initnssdb ${scheme:+${scheme}:}$tmpdir ++ initnssdb $scheme:$tmpdir + $toolsdir/certsave entry.nss + cat > entry.nss <<- EOF + cert_storage_type=NSSDB +- cert_storage_location=${scheme:+${scheme}:}$tmpdir ++ cert_storage_location=$scheme:$tmpdir + cert_nickname=cert + cert=$wrongcert + EOF + $toolsdir/certsave entry.nss +- certutil -d ${scheme:+${scheme}:}$tmpdir -M -n cert -t $trust ++ certutil -d $scheme:$tmpdir -M -n cert -t $trust + # Save the right certificate to NSS's database and read it back. + cat > entry.nss <<- EOF + cert_storage_type=NSSDB +- cert_storage_location=${scheme:+${scheme}:}$tmpdir ++ cert_storage_location=$scheme:$tmpdir + cert_nickname=cert + cert=$cert + EOF + $toolsdir/certsave entry.nss + echo -n " wrong subject, right nickname: " +- certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' ++ certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' + done + + if test "$scheme" = sql ; then +@@ -202,7 +203,7 @@ else + echo "[nss:rosubdir]" + cat > entry.nss <<- EOF + cert_storage_type=NSSDB +- cert_storage_location=$tmpdir/rosubdir ++ cert_storage_location=$scheme:$tmpdir/rosubdir + cert_nickname=cert + cert=$cert + EOF +@@ -216,7 +217,7 @@ else + echo "[nss:rwsubdir]" + cat > entry.nss <<- EOF + cert_storage_type=NSSDB +- cert_storage_location=$tmpdir/rwsubdir ++ cert_storage_location=$scheme:$tmpdir/rwsubdir + cert_nickname=cert + cert=$cert + EOF +diff --git a/tests/025-casave/run.sh b/tests/025-casave/run.sh +index 
44a08b06..aff1e6d9 100755 +--- a/tests/025-casave/run.sh ++++ b/tests/025-casave/run.sh +@@ -196,7 +196,7 @@ id=EntryD1 + root_cert_files= + other_root_cert_files= + other_cert_files= +-root_cert_dbs=$tmpdir/db1,$tmpdir/dba ++root_cert_dbs=dbm:$tmpdir/db1,dbm:$tmpdir/dba + other_root_cert_dbs= + other_cert_dbs= + cert_roots=Per-certificate Signing Authority D1 +@@ -229,7 +229,7 @@ root_cert_files= + other_root_cert_files= + other_cert_files= + root_cert_dbs= +-other_root_cert_dbs=$tmpdir/db2,$tmpdir/dba ++other_root_cert_dbs=dbm:$tmpdir/db2,dbm:$tmpdir/dba + other_cert_dbs= + EOF + cat > $tmpdir/entryd3 <<- EOF +@@ -239,7 +239,7 @@ other_root_cert_files= + other_cert_files= + root_cert_dbs= + other_root_cert_dbs= +-other_cert_dbs=$tmpdir/db3,$tmpdir/dba ++other_cert_dbs=dbm:$tmpdir/db3,dbm:$tmpdir/dba + cert_chain=Per-certificate Signing Authority D3 + -----BEGIN CERTIFICATE----- + MIIDjjCCAnagAwIBAgIRALuVK2FuXklPuMP4qtRyQjUwDQYJKoZIhvcNAQELBQAw +@@ -300,7 +300,7 @@ ca_name=CAD1 + root_cert_files= + other_root_cert_files= + other_cert_files= +-root_cert_dbs=$tmpdir/db1,$tmpdir/dba ++root_cert_dbs=dbm:$tmpdir/db1,dbm:$tmpdir/dba + other_root_cert_dbs= + other_cert_dbs= + EOF +@@ -311,7 +311,7 @@ root_cert_files= + other_root_cert_files= + other_cert_files= + root_cert_dbs= +-other_root_cert_dbs=$tmpdir/db2,$tmpdir/dba ++other_root_cert_dbs=dbm:$tmpdir/db2,dbm:$tmpdir/dba + other_cert_dbs= + EOF + cat > $tmpdir/entrycad3 <<- EOF +@@ -322,7 +322,7 @@ other_root_cert_files= + other_cert_files= + root_cert_dbs= + other_root_cert_dbs= +-other_cert_dbs=$tmpdir/db3,$tmpdir/dba ++other_cert_dbs=dbm:$tmpdir/db3,dbm:$tmpdir/dba + EOF + + cat > $tmpdir/cab1 <<- EOF +@@ -564,9 +564,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh + ca_root_cert_files= + ca_other_root_cert_files= + ca_other_cert_files= +-ca_root_cert_dbs=$tmpdir/db1,$tmpdir/dba +-ca_other_root_cert_dbs=$tmpdir/dba +-ca_other_cert_dbs=$tmpdir/dba ++ca_root_cert_dbs=dbm:$tmpdir/db1,dbm:$tmpdir/dba 
++ca_other_root_cert_dbs=dbm:$tmpdir/dba ++ca_other_cert_dbs=dbm:$tmpdir/dba + ca_root_certs=Root Certificate D1 + -----BEGIN CERTIFICATE----- + MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ +@@ -639,9 +639,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh + ca_root_cert_files= + ca_other_root_cert_files= + ca_other_cert_files= +-ca_root_cert_dbs=$tmpdir/dba +-ca_other_root_cert_dbs=$tmpdir/db2,$tmpdir/dba +-ca_other_cert_dbs=$tmpdir/dba ++ca_root_cert_dbs=dbm:$tmpdir/dba ++ca_other_root_cert_dbs=dbm:$tmpdir/db2,dbm:$tmpdir/dba ++ca_other_cert_dbs=dbm:$tmpdir/dba + ca_root_certs=Root Certificate D2 + -----BEGIN CERTIFICATE----- + MIIEDzCCAvegAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJTSzET +@@ -722,9 +722,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh + ca_root_cert_files= + ca_other_root_cert_files= + ca_other_cert_files= +-ca_root_cert_dbs=,$tmpdir/dba +-ca_other_root_cert_dbs=,$tmpdir/dba, +-ca_other_cert_dbs=$tmpdir/db3,$tmpdir/dba ++ca_root_cert_dbs=,dbm:$tmpdir/dba ++ca_other_root_cert_dbs=,dbm:$tmpdir/dba, ++ca_other_cert_dbs=dbm:$tmpdir/db3,dbm:$tmpdir/dba + ca_root_certs=Root Certificate D3 + -----BEGIN CERTIFICATE----- + MIICiTCCAg+gAwIBAgIQH0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTEL +@@ -796,9 +796,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh + ca_root_cert_files=$tmpdir/bundle-all + ca_other_root_cert_files= + ca_other_cert_files= +-ca_root_cert_dbs=$tmpdir/dba +-ca_other_root_cert_dbs=,$tmpdir/dba +-ca_other_cert_dbs=,$tmpdir/dba ++ca_root_cert_dbs=dbm:$tmpdir/dba ++ca_other_root_cert_dbs=,dbm:$tmpdir/dba ++ca_other_cert_dbs=,dbm:$tmpdir/dba + ca_root_certs=Root Certificate DA + -----BEGIN CERTIFICATE----- + MIICiDCCAg2gAwIBAgIQNfwmXNmET8k9Jj1Xm67XVjAKBggqhkjOPQQDAzCBhDEL +diff --git a/tests/034-perms/expected.out b/tests/034-perms/expected.out +index 4e2fbd71..c062d409 100644 +--- a/tests/034-perms/expected.out ++++ b/tests/034-perms/expected.out +@@ -41,54 +41,54 @@ $owner:$group|0755|ee.key.MARKER.key + 
$owner:$group|0662|ee.crt + $owner:$group|0620|ee.key + +-[start] +-[keygen] ++[dbm:start] ++[dbm:keygen] + $owner:$group|0600|cert8.db + $owner:$group|0620|key3.db +-[reset] ++[dbm:reset] + $owner:$group|0755|cert8.db + $owner:$group|0755|key3.db +-[csrgen] ++[dbm:csrgen] + $owner:$group|0755|cert8.db + $owner:$group|0620|key3.db +-[reset] ++[dbm:reset] + $owner:$group|0755|cert8.db + $owner:$group|0755|key3.db +-[submit] ++[dbm:submit] + $owner:$group|0755|cert8.db + $owner:$group|0755|key3.db +-[reset] ++[dbm:reset] + $owner:$group|0755|cert8.db + $owner:$group|0755|key3.db +-[save] ++[dbm:save] + $owner:$group|0662|cert8.db + $owner:$group|0620|key3.db +-[rekey:start] +-[rekey:keygen] ++[rekey:dbm:start] ++[rekey:dbm:keygen] + $owner:$group|0600|cert8.db + $owner:$group|0620|key3.db +-[rekey:reset] ++[rekey:dbm:reset] + $owner:$group|0755|cert8.db + $owner:$group|0755|key3.db +-[rekey:keygen] ++[rekey:dbm:keygen] + $owner:$group|0755|cert8.db + $owner:$group|0620|key3.db +-[rekey:reset] ++[rekey:dbm:reset] + $owner:$group|0755|cert8.db + $owner:$group|0755|key3.db +-[rekey:csrgen] ++[rekey:dbm:csrgen] + $owner:$group|0755|cert8.db + $owner:$group|0620|key3.db +-[rekey:reset] ++[rekey:dbm:reset] + $owner:$group|0755|cert8.db + $owner:$group|0755|key3.db +-[rekey:submit] ++[rekey:dbm:submit] + $owner:$group|0755|cert8.db + $owner:$group|0755|key3.db +-[rekey:reset] ++[rekey:dbm:reset] + $owner:$group|0755|cert8.db + $owner:$group|0755|key3.db +-[rekey:save] ++[rekey:dbm:save] + $owner:$group|0662|cert8.db + $owner:$group|0620|key3.db + OK +diff --git a/tests/034-perms/run.sh b/tests/034-perms/run.sh +index 7f349d3b..88eae19f 100755 +--- a/tests/034-perms/run.sh ++++ b/tests/034-perms/run.sh +@@ -1,6 +1,8 @@ + #!/bin/bash + cd "$tmpdir" + ++scheme="${scheme:-dbm:}" ++ + function list() { + $toolsdir/ls *.* | sed -e "s~^$owner:$group|~\$owner:\$group|~g" + } +-- +2.15.1 + 
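Review bot: `scheme` is given two different shapes in this patch: tests/007-certsave/run.sh defaults it to `dbm` and appends the colon at each use (`$scheme:$tmpdir`, plus the later `test "$scheme" = sql`), while tests/034-perms/run.sh defaults it to `dbm:` with the colon included. Patch 5/6 of the series follows the second form (`scheme=dbm:` in tests/002-keygen-dbm/run.sh, `$scheme$tmpdir` in tests/002-keygen/run.sh). A wrapper that exports one form into a script expecting the other would produce `dbm::$tmpdir` or `dbm$tmpdir`. I would settle on one form, e.g. `scheme="${scheme:-dbm}"` everywhere with `$scheme:$tmpdir` at the use sites, and add a comment beside the default such as `# NSS storage scheme without the trailing colon (dbm or sql)`. The hunk for 034-perms/run.sh shows only the assignment, so how `scheme` is consumed there is not visible.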
diff --git a/0004-Workaround-NSS-bug-in-associating-private-key-to-cer.patch b/0004-Workaround-NSS-bug-in-associating-private-key-to-cer.patch new file mode 100644 index 0000000..a4df8db --- /dev/null +++ b/0004-Workaround-NSS-bug-in-associating-private-key-to-cer.patch @@ -0,0 +1,48 @@ +From 19d70d9817a5d22d05ff990f354ddadb77cc05a6 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 9 Jan 2018 22:18:58 -0500 +Subject: [PATCH 4/6] Workaround NSS bug in associating private key to + certificate + +If NSS uses SQL DB storage, CERT_ImportCerts creates incomplete +internal state (the cert isn't associated with the private key, +and calling PK11_FindKeyByAnyCert returns no result). + +As a workaround, we import the cert again using PK11_ImportCert +which magically fixes the issue. + +See rhbz#1532188 + +Related: https://pagure.io/certmonger/issue/88 +--- + src/certsave-n.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/src/certsave-n.c b/src/certsave-n.c +index a2c97000..8e15a18a 100644 +--- a/src/certsave-n.c ++++ b/src/certsave-n.c +@@ -474,6 +474,20 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, + PR_FALSE, + entry->cm_cert_nickname); + ec = PORT_GetError(); ++ if (error == SECSuccess) { ++ /* If NSS uses SQL DB storage, CERT_ImportCerts creates ++ * an incomplete internal state (the cert isn't ++ * associated with the private key, and calling ++ * PK11_FindKeyByAnyCert returns no result). ++ * As a workaround, we import the cert again using ++ * PK11_ImportCert, which magically fixes the issue. ++ * See rhbz#1532188 */ ++ error = PK11_ImportCert(PK11_GetInternalKeySlot(), ++ returned[0], ++ CK_INVALID_HANDLE, ++ returned[0]->nickname, ++ PR_FALSE); ++ } + if (error == SECSuccess) { + cm_log(1, "Imported certificate \"%s\", got " + "nickname \"%s\".\n", +-- +2.15.1 + 
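Review bot: `PK11_GetInternalKeySlot()` returns a slot reference that the caller has to release with `PK11_FreeSlot()`, and the added call passes it straight into `PK11_ImportCert()`, so each save that takes this path leaks one reference. `ec` is also captured from `PORT_GetError()` before the second import, so if `PK11_ImportCert()` fails the code after this block would presumably report the error state left by `CERT_ImportCerts()` rather than the real cause. Holding the slot in a local, refreshing `ec` on failure and freeing the slot covers both. `cm_certsave_n_main` starts and ends outside the hunk, so how `ec` is used afterwards is not visible here.

```c
if (error == SECSuccess) {
	/* … unchanged: comment explaining the rhbz#1532188 workaround … */
	PK11SlotInfo *slot = PK11_GetInternalKeySlot();

	if (slot == NULL) {
		error = SECFailure;
		ec = PORT_GetError();
	} else {
		error = PK11_ImportCert(slot,
					returned[0],
					CK_INVALID_HANDLE,
					returned[0]->nickname,
					PR_FALSE);
		if (error != SECSuccess) {
			/* Report the failure of the second import, not stale state. */
			ec = PORT_GetError();
		}
		PK11_FreeSlot(slot);
	}
}
```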
diff --git a/0005-Run-key-generation-tests-against-both-dbm-and-sqlite.patch b/0005-Run-key-generation-tests-against-both-dbm-and-sqlite.patch
new file mode 100644
index 0000000..3ab6046
--- /dev/null
+++ b/0005-Run-key-generation-tests-against-both-dbm-and-sqlite.patch
@@ -0,0 +1,314 @@ +From 920572235f82eb3a88a3b8dd274f809baee31c67 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 9 Jan 2018 22:54:06 -0500 +Subject: [PATCH 5/6] Run key generation tests against both dbm and sqlite + databases + +Related: https://pagure.io/certmonger/issue/88 +--- + tests/002-keygen-dbm/expected.out | 99 +++++++++++++++++++++++++++++++++++++++ + tests/002-keygen-dbm/run.sh | 2 + + tests/002-keygen-sql/expected.out | 99 +++++++++++++++++++++++++++++++++++++++ + tests/002-keygen-sql/run.sh | 2 + + tests/002-keygen/expected.out | 4 +- + tests/002-keygen/run.sh | 12 +++-- + 6 files changed, 211 insertions(+), 7 deletions(-) + create mode 100644 tests/002-keygen-dbm/expected.out + create mode 100755 tests/002-keygen-dbm/run.sh + create mode 100644 tests/002-keygen-sql/expected.out + create mode 100755 tests/002-keygen-sql/run.sh + +diff --git a/tests/002-keygen-dbm/expected.out b/tests/002-keygen-dbm/expected.out +new file mode 100644 +index 00000000..dcd1af06 +--- /dev/null ++++ b/tests/002-keygen-dbm/expected.out +@@ -0,0 +1,99 @@ ++[nss:1024] ++OK. ++OK (RSA:1024). ++OK. ++OK (RSA:1024 after RSA:1024). ++OK. ++OK (RSA:1024 after RSA:1024). ++keyi1024 ++keyi1024 (candidate (next)) ++[nss:1536] ++OK. ++OK (RSA:1536). ++OK. ++OK (RSA:1536 after RSA:1536). ++OK. ++OK (RSA:1536 after RSA:1536). ++keyi1536 ++keyi1536 (candidate (next)) ++[nss:2048] ++OK. ++OK (RSA:2048). ++OK. ++OK (RSA:2048 after RSA:2048). ++OK. ++OK (RSA:2048 after RSA:2048). ++keyi2048 ++keyi2048 (candidate (next)) ++[nss:3072] ++OK. ++OK (RSA:3072). ++OK. ++OK (RSA:3072 after RSA:3072). ++OK. ++OK (RSA:3072 after RSA:3072). ++keyi3072 ++keyi3072 (candidate (next)) ++[nss:4096] ++OK. ++OK (RSA:4096). ++OK. ++OK (RSA:4096 after RSA:4096). ++OK. ++OK (RSA:4096 after RSA:4096). ++keyi4096 ++keyi4096 (candidate (next)) ++[nss:rosubdir] ++Failed to save NSS:dbm:${tmpdir}/rosubdir: need fs permissions. 
++[nss:rwsubdir] ++Failed to save NSS:dbm:${tmpdir}/rwsubdir: need fs permissions. ++[openssl:1024] ++OK. ++OK (RSA:1024). ++OK. ++OK (RSA:1024 after RSA:1024). ++OK. ++OK (RSA:1024 after RSA:1024). ++${tmpdir}/sample.1024 ++${tmpdir}/sample.1024.(next).key ++[openssl:1536] ++OK. ++OK (RSA:1536). ++OK. ++OK (RSA:1536 after RSA:1536). ++OK. ++OK (RSA:1536 after RSA:1536). ++${tmpdir}/sample.1536 ++${tmpdir}/sample.1536.(next).key ++[openssl:2048] ++OK. ++OK (RSA:2048). ++OK. ++OK (RSA:2048 after RSA:2048). ++OK. ++OK (RSA:2048 after RSA:2048). ++${tmpdir}/sample.2048 ++${tmpdir}/sample.2048.(next).key ++[openssl:3072] ++OK. ++OK (RSA:3072). ++OK. ++OK (RSA:3072 after RSA:3072). ++OK. ++OK (RSA:3072 after RSA:3072). ++${tmpdir}/sample.3072 ++${tmpdir}/sample.3072.(next).key ++[openssl:4096] ++OK. ++OK (RSA:4096). ++OK. ++OK (RSA:4096 after RSA:4096). ++OK. ++OK (RSA:4096 after RSA:4096). ++${tmpdir}/sample.4096 ++${tmpdir}/sample.4096.(next).key ++[openssl:rosubdir] ++Failed to save FILE:${tmpdir}/rosubdir/sample.4096: need fs permissions. ++[openssl:rwsubdir] ++Failed to save FILE:${tmpdir}/rwsubdir/sample.4096: need fs permissions. ++Test complete. +diff --git a/tests/002-keygen-dbm/run.sh b/tests/002-keygen-dbm/run.sh +new file mode 100755 +index 00000000..36323947 +--- /dev/null ++++ b/tests/002-keygen-dbm/run.sh +@@ -0,0 +1,2 @@ ++#!/bin/bash -e ++exec env scheme=dbm: ../002-keygen/run.sh +diff --git a/tests/002-keygen-sql/expected.out b/tests/002-keygen-sql/expected.out +new file mode 100644 +index 00000000..178f1b3a +--- /dev/null ++++ b/tests/002-keygen-sql/expected.out +@@ -0,0 +1,99 @@ ++[nss:1024] ++OK. ++OK (RSA:1024). ++OK. ++OK (RSA:1024 after RSA:1024). ++OK. ++OK (RSA:1024 after RSA:1024). ++keyi1024 ++keyi1024 (candidate (next)) ++[nss:1536] ++OK. ++OK (RSA:1536). ++OK. ++OK (RSA:1536 after RSA:1536). ++OK. ++OK (RSA:1536 after RSA:1536). ++keyi1536 ++keyi1536 (candidate (next)) ++[nss:2048] ++OK. ++OK (RSA:2048). ++OK. 
++OK (RSA:2048 after RSA:2048). ++OK. ++OK (RSA:2048 after RSA:2048). ++keyi2048 ++keyi2048 (candidate (next)) ++[nss:3072] ++OK. ++OK (RSA:3072). ++OK. ++OK (RSA:3072 after RSA:3072). ++OK. ++OK (RSA:3072 after RSA:3072). ++keyi3072 ++keyi3072 (candidate (next)) ++[nss:4096] ++OK. ++OK (RSA:4096). ++OK. ++OK (RSA:4096 after RSA:4096). ++OK. ++OK (RSA:4096 after RSA:4096). ++keyi4096 ++keyi4096 (candidate (next)) ++[nss:rosubdir] ++Failed to save NSS:sql:${tmpdir}/rosubdir: need fs permissions. ++[nss:rwsubdir] ++Failed to save NSS:sql:${tmpdir}/rwsubdir: need fs permissions. ++[openssl:1024] ++OK. ++OK (RSA:1024). ++OK. ++OK (RSA:1024 after RSA:1024). ++OK. ++OK (RSA:1024 after RSA:1024). ++${tmpdir}/sample.1024 ++${tmpdir}/sample.1024.(next).key ++[openssl:1536] ++OK. ++OK (RSA:1536). ++OK. ++OK (RSA:1536 after RSA:1536). ++OK. ++OK (RSA:1536 after RSA:1536). ++${tmpdir}/sample.1536 ++${tmpdir}/sample.1536.(next).key ++[openssl:2048] ++OK. ++OK (RSA:2048). ++OK. ++OK (RSA:2048 after RSA:2048). ++OK. ++OK (RSA:2048 after RSA:2048). ++${tmpdir}/sample.2048 ++${tmpdir}/sample.2048.(next).key ++[openssl:3072] ++OK. ++OK (RSA:3072). ++OK. ++OK (RSA:3072 after RSA:3072). ++OK. ++OK (RSA:3072 after RSA:3072). ++${tmpdir}/sample.3072 ++${tmpdir}/sample.3072.(next).key ++[openssl:4096] ++OK. ++OK (RSA:4096). ++OK. ++OK (RSA:4096 after RSA:4096). ++OK. ++OK (RSA:4096 after RSA:4096). ++${tmpdir}/sample.4096 ++${tmpdir}/sample.4096.(next).key ++[openssl:rosubdir] ++Failed to save FILE:${tmpdir}/rosubdir/sample.4096: need fs permissions. ++[openssl:rwsubdir] ++Failed to save FILE:${tmpdir}/rwsubdir/sample.4096: need fs permissions. ++Test complete. 
+diff --git a/tests/002-keygen-sql/run.sh b/tests/002-keygen-sql/run.sh +new file mode 100755 +index 00000000..cd5bc978 +--- /dev/null ++++ b/tests/002-keygen-sql/run.sh +@@ -0,0 +1,2 @@ ++#!/bin/bash -e ++exec env scheme=sql: ../002-keygen/run.sh +diff --git a/tests/002-keygen/expected.out b/tests/002-keygen/expected.out +index ff56372a..dcd1af06 100644 +--- a/tests/002-keygen/expected.out ++++ b/tests/002-keygen/expected.out +@@ -44,9 +44,9 @@ OK (RSA:4096 after RSA:4096). + keyi4096 + keyi4096 (candidate (next)) + [nss:rosubdir] +-Failed to save NSS:${tmpdir}/rosubdir: need fs permissions. ++Failed to save NSS:dbm:${tmpdir}/rosubdir: need fs permissions. + [nss:rwsubdir] +-Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions. ++Failed to save NSS:dbm:${tmpdir}/rwsubdir: need fs permissions. + [openssl:1024] + OK. + OK (RSA:1024). +diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh +index f550feeb..08af1523 100755 +--- a/tests/002-keygen/run.sh ++++ b/tests/002-keygen/run.sh +@@ -2,15 +2,17 @@ + + cd "$tmpdir" + ++scheme="${scheme:-dbm:}" ++ + source "$srcdir"/functions +-initnssdb "$tmpdir" ++initnssdb "$scheme$tmpdir" + + for size in 1024 1536 2048 3072 4096 ; do + echo "[nss:$size]" + # Generate a key. + cat > entry.$size <<- EOF + key_storage_type=NSSDB +- key_storage_location=$tmpdir ++ key_storage_location=$scheme$tmpdir + key_nickname=keyi$size + key_gen_size=$size + EOF +@@ -28,13 +30,13 @@ for size in 1024 1536 2048 3072 4096 ; do + # Extract the marker. + marker=`grep ^key_next_marker= entry.$size | cut -f2- -d=` + # Make sure we're clean. 
+- run_certutil -K -d "$tmpdir" | grep keyi$size | sed -e 's,.*keyi,keyi,' -e s,"${marker:-////////}","(next)",g | env LANG=C sort ++ run_certutil -K -d "$scheme$tmpdir" | grep keyi$size | sed -e 's,.*keyi,keyi,' -e s,"${marker:-////////}","(next)",g | env LANG=C sort + done + + echo "[nss:rosubdir]" + cat > entry.$size <<- EOF + key_storage_type=NSSDB +-key_storage_location=$tmpdir/rosubdir ++key_storage_location=$scheme$tmpdir/rosubdir + key_nickname=keyi$size + key_gen_size=$size + EOF +@@ -43,7 +45,7 @@ $toolsdir/keygen entry.$size || true + echo "[nss:rwsubdir]" + cat > entry.$size <<- EOF + key_storage_type=NSSDB +-key_storage_location=$tmpdir/rwsubdir ++key_storage_location=$scheme$tmpdir/rwsubdir + key_nickname=keyi$size + key_gen_size=$size + EOF +-- +2.15.1 + diff --git a/certmonger.spec b/certmonger.spec index 15604b0..2896194 100644 --- a/certmonger.spec +++ b/certmonger.spec @@ -26,7 +26,7 @@ Name: certmonger Version: 0.79.5 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Certificate status monitor and PKI enrollment client Group: System Environment/Daemons @@ -51,16 +51,15 @@ BuildRequires: libcurl-devel BuildRequires: curl-devel %endif BuildRequires: libxml2-devel, xmlrpc-c-devel -%if 0%{?rhel} < 6 +%if 0%{?rhel} && 0%{?rhel} < 6 BuildRequires: bind-libbind-devel +BuildRequires: mktemp %endif # Required for 'make check': # for diff and cmp BuildRequires: diffutils # for expect BuildRequires: expect -# for mktemp, which was absorbed into coreutils at some point -BuildRequires: mktemp # for certutil and pk12util BuildRequires: nss-tools # for openssl 
@@ -108,12 +107,24 @@ Requires(preun): /sbin/chkconfig, /sbin/service, dbus, sed Conflicts: libtevent < 0.9.13 %endif +Patch1: 0001-Perm-issues-in-sqlite-databases-show-up-in-slightly-.patch +Patch2: 0002-SQLite-databases-require-a-password-to-modify-trust-.patch +Patch3: 0003-NSS-in-rawhide-F28-was-switched-to-sqlite-fix-assump.patch +Patch4: 0004-Workaround-NSS-bug-in-associating-private-key-to-cer.patch +Patch5: 0005-Run-key-generation-tests-against-both-dbm-and-sqlite.patch + %description Certmonger is a service which is primarily concerned with getting your system enrolled with a certificate authority (CA) and keeping it enrolled. %prep %setup -q +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 + %if 0%{?rhel} > 0 # Enabled by default for RHEL for bug #765600, still disabled by default for # Fedora pending a similar bug report there. @@ -243,6 +254,11 @@ exit 0 %endif %changelog +* Wed Jan 10 2018 Rob Crittenden 0.79.5-3 +- Remove BR on mktemp. It is now provided by coreutils. +- Patch to fix NSS handling of keys in sqlite databases +- Patches to fix tests now that sqlite is the NSS default. + * Wed Oct 4 2017 Rob Crittenden 0.79.5-2 - Switch BR from /usr/include/popt.h to popt-devel