import certmonger-0.79.7-6.el8

This commit is contained in:
CentOS Sources 2020-04-23 21:56:58 +00:00 committed by Andrew Lukoshko
commit 81f8ea83c5
20 changed files with 3761 additions and 0 deletions

1
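--- a/.certmonger.metadata
+++ b/.certmonger.metadata
@@ -0,0 +1 @@
+f73818aec2b6e1d9765af188547e2c82e644209c SOURCES/certmonger-0.79.7.tar.gz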

1
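--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/certmonger-0.79.7.tar.gz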


@ -0,0 +1,293 @@
From fd17f002b2f4150a1fddc2582a21c6c03933a28a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 23 Feb 2018 10:43:44 -0500
Subject: [PATCH] NSS crypto policy sets minimum RSA and DSA key size to 2048
Remove keys < 2048 for the NSS tests. This affects some of the
OpenSSL tests as well where they run in a combined loop.
Where it was not invasive to do I left the 1024/1536 for OpenSSL.
---
tests/001-keyiread-dsa/expected.out | 6 +++---
tests/001-keyiread-dsa/run.sh | 2 +-
tests/001-keyiread-rsa/expected.out | 2 --
tests/001-keyiread-rsa/run.sh | 2 +-
tests/001-keyiread/expected.out | 2 --
tests/001-keyiread/run.sh | 2 +-
tests/002-keygen-rsa/expected.out | 6 ------
tests/002-keygen-rsa/run.sh | 2 +-
tests/002-keygen/expected.out | 18 ------------------
tests/002-keygen/run.sh | 2 +-
tests/003-csrgen-rsa/expected.out | 6 ------
tests/003-csrgen-rsa/run.sh | 4 ++--
tests/003-csrgen/expected.out | 8 --------
tests/003-csrgen/run.sh | 4 ++--
tests/004-selfsign-rsa/expected.out | 2 --
tests/004-selfsign-rsa/run.sh | 2 +-
tests/004-selfsign/expected.out | 2 --
tests/004-selfsign/run.sh | 2 +-
18 files changed, 14 insertions(+), 60 deletions(-)
diff --git a/tests/001-keyiread-dsa/expected.out b/tests/001-keyiread-dsa/expected.out
index b09db0ae..50643176 100644
--- a/tests/001-keyiread-dsa/expected.out
+++ b/tests/001-keyiread-dsa/expected.out
@@ -1,4 +1,4 @@
-OK (DSA:1024).
-OK (DSA:1024).
-OK (DSA:1024).
+OK (DSA:2048).
+OK (DSA:2048).
+OK (DSA:2048).
Test complete.
diff --git a/tests/001-keyiread-dsa/run.sh b/tests/001-keyiread-dsa/run.sh
index 9f96b3bc..68f6d1c3 100755
--- a/tests/001-keyiread-dsa/run.sh
+++ b/tests/001-keyiread-dsa/run.sh
@@ -5,7 +5,7 @@ cd "$tmpdir"
source "$srcdir"/functions
initnssdb "$tmpdir"
-for size in 1024 ; do
+for size in 2048 ; do
# Generate a self-signed cert.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
diff --git a/tests/001-keyiread-rsa/expected.out b/tests/001-keyiread-rsa/expected.out
index 727897d1..3daa51f2 100644
--- a/tests/001-keyiread-rsa/expected.out
+++ b/tests/001-keyiread-rsa/expected.out
@@ -1,5 +1,3 @@
-OK (RSA:1024).
-OK (RSA:1536).
OK (RSA:2048).
OK (RSA:3072).
OK (RSA:4096).
diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh
index c7b77686..ec31c7c7 100755
--- a/tests/001-keyiread-rsa/run.sh
+++ b/tests/001-keyiread-rsa/run.sh
@@ -5,7 +5,7 @@ cd "$tmpdir"
source "$srcdir"/functions
initnssdb "$tmpdir"
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
# Generate a self-signed cert.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
diff --git a/tests/001-keyiread/expected.out b/tests/001-keyiread/expected.out
index 727897d1..3daa51f2 100644
--- a/tests/001-keyiread/expected.out
+++ b/tests/001-keyiread/expected.out
@@ -1,5 +1,3 @@
-OK (RSA:1024).
-OK (RSA:1536).
OK (RSA:2048).
OK (RSA:3072).
OK (RSA:4096).
diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh
index ce1428ed..0b31df95 100755
--- a/tests/001-keyiread/run.sh
+++ b/tests/001-keyiread/run.sh
@@ -5,7 +5,7 @@ cd "$tmpdir"
source "$srcdir"/functions
initnssdb "$tmpdir"
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
# Generate a self-signed cert.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
diff --git a/tests/002-keygen-rsa/expected.out b/tests/002-keygen-rsa/expected.out
index 3e6e9f3c..f7c146d0 100644
--- a/tests/002-keygen-rsa/expected.out
+++ b/tests/002-keygen-rsa/expected.out
@@ -1,9 +1,3 @@
-[nss:1024]
-OK.
-OK (RSA:1024).
-[nss:1536]
-OK.
-OK (RSA:1536).
[nss:2048]
OK.
OK (RSA:2048).
diff --git a/tests/002-keygen-rsa/run.sh b/tests/002-keygen-rsa/run.sh
index 476f4127..c0c59249 100755
--- a/tests/002-keygen-rsa/run.sh
+++ b/tests/002-keygen-rsa/run.sh
@@ -5,7 +5,7 @@ cd "$tmpdir"
source "$srcdir"/functions
initnssdb "$tmpdir"
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
echo "[nss:$size]"
# Generate a key.
cat > entry.$size <<- EOF
diff --git a/tests/002-keygen/expected.out b/tests/002-keygen/expected.out
index dcd1af06..b8fbea56 100644
--- a/tests/002-keygen/expected.out
+++ b/tests/002-keygen/expected.out
@@ -1,21 +1,3 @@
-[nss:1024]
-OK.
-OK (RSA:1024).
-OK.
-OK (RSA:1024 after RSA:1024).
-OK.
-OK (RSA:1024 after RSA:1024).
-keyi1024
-keyi1024 (candidate (next))
-[nss:1536]
-OK.
-OK (RSA:1536).
-OK.
-OK (RSA:1536 after RSA:1536).
-OK.
-OK (RSA:1536 after RSA:1536).
-keyi1536
-keyi1536 (candidate (next))
[nss:2048]
OK.
OK (RSA:2048).
diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh
index 08af1523..94230e6f 100755
--- a/tests/002-keygen/run.sh
+++ b/tests/002-keygen/run.sh
@@ -7,7 +7,7 @@ scheme="${scheme:-dbm:}"
source "$srcdir"/functions
initnssdb "$scheme$tmpdir"
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
echo "[nss:$size]"
# Generate a key.
cat > entry.$size <<- EOF
diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out
index c9dec729..def53fe4 100644
--- a/tests/003-csrgen-rsa/expected.out
+++ b/tests/003-csrgen-rsa/expected.out
@@ -1,10 +1,4 @@
pk12util: PKCS12 EXPORT SUCCESSFUL
-1024 OK.
-Signature OK
-pk12util: PKCS12 EXPORT SUCCESSFUL
-1536 OK.
-Signature OK
-pk12util: PKCS12 EXPORT SUCCESSFUL
2048 OK.
Signature OK
pk12util: PKCS12 EXPORT SUCCESSFUL
diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
index 4cd84084..bb8ebecb 100755
--- a/tests/003-csrgen-rsa/run.sh
+++ b/tests/003-csrgen-rsa/run.sh
@@ -5,7 +5,7 @@ cd "$tmpdir"
source "$srcdir"/functions
initnssdb "$tmpdir"
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
# Build a self-signed certificate.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
@@ -147,7 +147,7 @@ iterate() {
iteration=1
-for size in 1024 ; do
+for size in 2048 ; do
iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment"
done
diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out
index 8e6cac6e..04342c0f 100644
--- a/tests/003-csrgen/expected.out
+++ b/tests/003-csrgen/expected.out
@@ -1,13 +1,5 @@
pk12util: PKCS12 EXPORT SUCCESSFUL
Signature OK
-minicert.openssl.1024.pem: OK
-1024 OK.
-pk12util: PKCS12 EXPORT SUCCESSFUL
-Signature OK
-minicert.openssl.1536.pem: OK
-1536 OK.
-pk12util: PKCS12 EXPORT SUCCESSFUL
-Signature OK
minicert.openssl.2048.pem: OK
2048 OK.
pk12util: PKCS12 EXPORT SUCCESSFUL
diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
index 7c169ed9..31466b5c 100755
--- a/tests/003-csrgen/run.sh
+++ b/tests/003-csrgen/run.sh
@@ -5,7 +5,7 @@ cd "$tmpdir"
source "$srcdir"/functions
initnssdb "$tmpdir"
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
# Build a self-signed certificate.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
@@ -199,7 +199,7 @@ iterate() {
iteration=1
-for size in 1024 ; do
+for size in 2048 ; do
iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype"
done
diff --git a/tests/004-selfsign-rsa/expected.out b/tests/004-selfsign-rsa/expected.out
index dd5029ec..0eb84ef1 100644
--- a/tests/004-selfsign-rsa/expected.out
+++ b/tests/004-selfsign-rsa/expected.out
@@ -1,5 +1,3 @@
-1024 OK.
-1536 OK.
2048 OK.
3072 OK.
4096 OK.
diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh
index 6f9285b6..c1dd4c80 100755
--- a/tests/004-selfsign-rsa/run.sh
+++ b/tests/004-selfsign-rsa/run.sh
@@ -33,7 +33,7 @@ function setupca() {
EOF
}
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
# Build a self-signed certificate.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
diff --git a/tests/004-selfsign/expected.out b/tests/004-selfsign/expected.out
index dd5029ec..0eb84ef1 100644
--- a/tests/004-selfsign/expected.out
+++ b/tests/004-selfsign/expected.out
@@ -1,5 +1,3 @@
-1024 OK.
-1536 OK.
2048 OK.
3072 OK.
4096 OK.
diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh
index 7bb368ec..eb1df4ee 100755
--- a/tests/004-selfsign/run.sh
+++ b/tests/004-selfsign/run.sh
@@ -43,7 +43,7 @@ function setupca() {
EOF
}
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
# Build a self-signed certificate.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
--
2.16.2
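Review bot: Dropping 1024 and 1536 from the size loops in 001-keyiread*/run.sh, 002-keygen*/run.sh, 003-csrgen*/run.sh and 004-selfsign*/run.sh (`for size in 2048 3072 4096 ; do`) leaves the suite with no case below the policy minimum, so the path where NSS rejects a sub-2048 key — the behaviour that motivated this patch — is exercised by nothing and a regression in how certmonger surfaces that rejection would go unnoticed. A single negative case in one of these scripts, along the lines of `run_certutil -d "$tmpdir" -S -g 1024 -n keyi1024 -s "cn=T1024" -c "cn=T1024" ... && echo "1024 unexpectedly accepted"`, would pin it down; the exact form depends on how run_certutil reports failure, which is defined in the sourced functions file outside this patch. The commit message says 1024/1536 were kept for OpenSSL where non-invasive, but 003-csrgen/expected.out also loses `minicert.openssl.1024.pem: OK` and `1024 OK.`, so OpenSSL-side coverage at those sizes is gone as well; either the message should say so or an OpenSSL-only loop could retain them. The name of this new patch file is not visible on the page.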


@ -0,0 +1,788 @@
From 653cd0571fe92c9fd4323f93ff23b9720c00fd5f Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 31 Jul 2018 13:09:02 -0400
Subject: [PATCH] Convert tests to use python3
---
tests/028-dbus/expected.out | 32 +-
tests/028-dbus/expected.out.nodsa | 22 +-
tests/028-dbus/prequal.sh | 8 +-
tests/028-dbus/run.sh | 9 +-
tests/028-dbus/runsub.sh | 2 +-
tests/028-dbus/simpleprop.py | 14 +-
tests/028-dbus/walk.py | 392 ++++++++++----------
tests/038-ms-v2-template/extract-extdata.py | 5 +-
8 files changed, 243 insertions(+), 241 deletions(-)
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
index ca3179e..1d8bec4 100644
--- a/tests/028-dbus/expected.out
+++ b/tests/028-dbus/expected.out
@@ -1,5 +1,3 @@
-Certificate in file "${tmpdir}/test.crt" issued by CA and saved.
-Certificate in file "${tmpdir}/test.crt" issued by CA and saved.
[[ getcert ]]
State MONITORING, stuck: no.
Number of certificates and requests being tracked: 1.
@@ -187,13 +185,13 @@ dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.Object
dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_types ]
-dbus.Array([dbus.String(u'RSA'), dbus.String(u'DSA'), dbus.String(u'EC')], signature=dbus.Signature('s'))
+dbus.Array([dbus.String('RSA'), dbus.String('DSA'), dbus.String('EC')], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_storage ]
-dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_cert_storage ]
-dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger : org.fedorahosted.certmonger.remove_known_ca ]
OK
@@ -433,19 +431,19 @@ Buddy
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ]
-(dbus.String(u'CN=$UUID,CN=Local Signing Authority'), dbus.String(u'$UUID'), dbus.String(u'CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
+(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ]
recently
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_storage_info ]
-(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.crt'))
+(dbus.String('FILE'), dbus.String('$tmpdir/test.crt'))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_data ]
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_info ]
-(dbus.String(u'CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'id-kp-serverAuth')], signature=dbus.Signature('s')))
+(dbus.String('CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('id-kp-serverAuth')], signature=dbus.Signature('s')))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_pin ]
@@ -454,19 +452,19 @@ recently
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_storage_info ]
-(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.key'))
+(dbus.String('FILE'), dbus.String('$tmpdir/test.key'))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_type_and_size ]
-(dbus.String(u'RSA'), dbus.Int64(512L))
+(dbus.String('RSA'), dbus.Int64(512))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_monitoring ]
1
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_notification_info ]
-(dbus.String(u'stdout'), dbus.String(u'daemon.notice'))
+(dbus.String('stdout'), dbus.String('daemon.notice'))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_status ]
-(dbus.String(u'MONITORING'), dbus.Boolean(False))
+(dbus.String('MONITORING'), dbus.Boolean(False))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_ca ]
/org/fedorahosted/certmonger/cas/CA1
@@ -482,7 +480,7 @@ recently
[ /org/fedorahosted/certmonger/requests/Request2 : org.fedorahosted.certmonger.request.modify ]
1 on /org/fedorahosted/certmonger/requests/Request2
-After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
+After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String('1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.rekey ]
1
@@ -713,7 +711,7 @@ dbus.Array([], signature=dbus.Signature('s'))
</node>
[ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236
+$tmpdir/cas/date
[ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_nickname ]
SelfSign
@@ -828,7 +826,7 @@ dbus.Array([], signature=dbus.Signature('s'))
</node>
[ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-1
+$tmpdir/cas/date-1
[ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_nickname ]
IPA
@@ -941,7 +939,7 @@ dbus.Array([], signature=dbus.Signature('s'))
</node>
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-2
+$tmpdir/cas/date-2
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
certmaster
@@ -1054,7 +1052,7 @@ dbus.Array([], signature=dbus.Signature('s'))
</node>
[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-3
+$tmpdir/cas/date-3
[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
dogtag-ipa-renew-agent
diff --git a/tests/028-dbus/expected.out.nodsa b/tests/028-dbus/expected.out.nodsa
index a23af40..5082ee0 100644
--- a/tests/028-dbus/expected.out.nodsa
+++ b/tests/028-dbus/expected.out.nodsa
@@ -187,13 +187,13 @@ dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.Object
dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_types ]
-dbus.Array([dbus.String(u'RSA'), dbus.String(u'EC')], signature=dbus.Signature('s'))
+dbus.Array([dbus.String('RSA'), dbus.String('EC')], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_storage ]
-dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_cert_storage ]
-dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger : org.fedorahosted.certmonger.remove_known_ca ]
OK
@@ -432,19 +432,19 @@ Buddy
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ]
-(dbus.String(u'CN=$UUID,CN=Local Signing Authority'), dbus.String(u'$UUID'), dbus.String(u'CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
+(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ]
recently
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_storage_info ]
-(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.crt'))
+(dbus.String('FILE'), dbus.String('$tmpdir/test.crt'))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_data ]
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_info ]
-(dbus.String(u'CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'id-kp-serverAuth')], signature=dbus.Signature('s')))
+(dbus.String('CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('id-kp-serverAuth')], signature=dbus.Signature('s')))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_pin ]
@@ -453,19 +453,19 @@ recently
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_storage_info ]
-(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.key'))
+(dbus.String('FILE'), dbus.String('$tmpdir/test.key'))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_type_and_size ]
-(dbus.String(u'RSA'), dbus.Int64(512L))
+(dbus.String('RSA'), dbus.Int64(512))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_monitoring ]
1
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_notification_info ]
-(dbus.String(u'stdout'), dbus.String(u'daemon.notice'))
+(dbus.String('stdout'), dbus.String('daemon.notice'))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_status ]
-(dbus.String(u'MONITORING'), dbus.Boolean(False))
+(dbus.String('MONITORING'), dbus.Boolean(False))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_ca ]
/org/fedorahosted/certmonger/cas/CA1
@@ -481,7 +481,7 @@ recently
[ /org/fedorahosted/certmonger/requests/Request2 : org.fedorahosted.certmonger.request.modify ]
1 on /org/fedorahosted/certmonger/requests/Request2
-After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
+After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String('1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.rekey ]
1
diff --git a/tests/028-dbus/prequal.sh b/tests/028-dbus/prequal.sh
index e645c19..4fe79c8 100755
--- a/tests/028-dbus/prequal.sh
+++ b/tests/028-dbus/prequal.sh
@@ -9,19 +9,19 @@ if test -z "$DBUSDAEMON" ; then
echo dbus-daemon not found
exit 1
fi
-if ! python -c 'import os' 2> /dev/null ; then
+if ! python3 -c 'import os' 2> /dev/null ; then
echo python not found
exit 1
fi
-if ! python -c 'import dbus' 2> /dev/null ; then
+if ! python3 -c 'import dbus' 2> /dev/null ; then
echo python-dbus not found
exit 1
fi
-if ! python -c 'import xml' 2> /dev/null ; then
+if ! python3 -c 'import xml' 2> /dev/null ; then
echo python-xml not found
exit 1
fi
-if ! python -c 'import xml.etree.ElementTree' 2> /dev/null ; then
+if ! python3 -c 'import xml.etree.ElementTree' 2> /dev/null ; then
echo python-xml does not include etree.ElementTree
exit 1
fi
diff --git a/tests/028-dbus/run.sh b/tests/028-dbus/run.sh
index c468d51..ee90875 100755
--- a/tests/028-dbus/run.sh
+++ b/tests/028-dbus/run.sh
@@ -23,7 +23,7 @@ EOF
$DBUSDAEMON --session --print-address=3 --print-pid=4 --fork 3> $tmpdir/address 4> $tmpdir/pid
if test -s $tmpdir/pid ; then
env DBUS_SESSION_BUS_ADDRESS=`cat $tmpdir/address` \
- $toolsdir/../../src/certmonger-session -n -c $tmpdir/runsub.sh
+ $toolsdir/../../src/certmonger-session -n -c $tmpdir/runsub.sh > /dev/null
fi
kill `cat $tmpdir/pid`
@@ -33,8 +33,8 @@ now=`date +%s`
for i in `seq 240` ; do
recently=$(($now-$i))
tomorrow=$(($now-$i+24*60*60))
- sed -i -e s/^$recently'$/recently/g' -e s/"("$recently"L)"/'(recently)'/g \
- -e s/^$tomorrow'$/tomorrow/g' -e s/"("$tomorrow"L)"/'(tomorrow)'/g $tmpdir/runsub.out
+ sed -i -e s/^$recently'$/recently/g' -e s/"("$recently")"/'(recently)'/g \
+ -e s/^$tomorrow'$/tomorrow/g' -e s/"("$tomorrow")"/'(tomorrow)'/g $tmpdir/runsub.out
done
cat $tmpdir/runsub.out | \
@@ -43,4 +43,5 @@ sed -r -e 's,CN=........-........-........-........,CN=$UUID,g' \
-e "s|$libexecdir|\$libexecdir|g" \
-e "s|$tmpdir|\$tmpdir|g" \
-e "s|expires:.*|expires: sometime|g" \
- -e "s|u'(00)?[0-9a-fA-F]{32}|u'"'$UUID|g'
+ -e "s|'(00)?[0-9a-fA-F]{32}|'"'$UUID|g' \
+ -e "s|cas\/[0-9]{14}|cas\/date|g"
diff --git a/tests/028-dbus/runsub.sh b/tests/028-dbus/runsub.sh
index 3510d79..fe6766c 100755
--- a/tests/028-dbus/runsub.sh
+++ b/tests/028-dbus/runsub.sh
@@ -22,5 +22,5 @@ echo ""
echo "[[ API ]]"
for i in ./*.py ; do
echo "[" `basename "$i"` "]"
- python $i
+ python3 $i
done
diff --git a/tests/028-dbus/simpleprop.py b/tests/028-dbus/simpleprop.py
index e4f937e..35d9591 100644
--- a/tests/028-dbus/simpleprop.py
+++ b/tests/028-dbus/simpleprop.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
import dbus
# Get a handle for the main certmonger interface.
@@ -19,7 +19,7 @@ ca = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
# Toggle the helper a couple of times.
ca_ext_h = o.Get('org.fedorahosted.certmonger.ca', 'external-helper')
-print ca_ext_h, "->",
+print(ca_ext_h, "-> ", end='')
if ca_ext_h.split()[0] == ca_ext_h:
ca_ext_h += ' -k admin@localhost'
@@ -28,7 +28,7 @@ else:
ca.Set('org.fedorahosted.certmonger.ca', 'external-helper', ca_ext_h)
ca_ext_h = o.Get('org.fedorahosted.certmonger.ca', 'external-helper')
-print ca_ext_h, "->",
+print(ca_ext_h, "-> ", end='')
if ca_ext_h.split()[0] == ca_ext_h:
ca_ext_h += ' -k admin@localhost'
@@ -37,20 +37,20 @@ else:
ca.Set('org.fedorahosted.certmonger.ca', 'external-helper', ca_ext_h)
ca_ext_h = o.Get('org.fedorahosted.certmonger.ca', 'external-helper')
-print ca_ext_h
+print(ca_ext_h)
# Toggle the "is-default" value a couple of times.
isdef = ca.Get('org.fedorahosted.certmonger.ca', 'is-default')
-print isdef, "->",
+print(isdef, "-> ", end='')
ca.Set('org.fedorahosted.certmonger.ca', 'is-default', not isdef)
isdef = ca.Get('org.fedorahosted.certmonger.ca', 'is-default')
-print isdef, "->",
+print(isdef, "-> ", end='')
ca.Set('org.fedorahosted.certmonger.ca', 'is-default', not isdef)
isdef = ca.Get('org.fedorahosted.certmonger.ca', 'is-default')
-print isdef
+print(isdef)
cm.remove_known_ca(path)
diff --git a/tests/028-dbus/walk.py b/tests/028-dbus/walk.py
index f60ca93..683d94e 100644
--- a/tests/028-dbus/walk.py
+++ b/tests/028-dbus/walk.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
import dbus
import xml.etree.ElementTree
import os
@@ -9,217 +9,219 @@ bus = dbus.SessionBus()
# Check that reading a property directly produces the same value as reading it via GetAll().
def check_props(objpath, interface):
- o = bus.get_object('org.fedorahosted.certmonger', objpath)
- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
- props = i.GetAll(interface)
- for prop in props.keys():
- value = props[prop]
- if value != i.Get(interface, prop):
- print("%s: property %s.%s mismatch (%s, %s)" % (objpath, interface, prop, value, i.Get(interface, prop)))
- return False
- return True
+ o = bus.get_object('org.fedorahosted.certmonger', objpath)
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
+ props = i.GetAll(interface)
+ for prop in props.keys():
+ value = props[prop]
+ if value != i.Get(interface, prop):
+ print("%s: property %s.%s mismatch (%s, %s)" % (objpath, interface, prop, value, i.Get(interface, prop)))
+ return False
+ return True
# Try to call the method.
def examine_method(objpath, interface, method, idata):
- in_args = 0
- out_args = 0
- o = bus.get_object('org.fedorahosted.certmonger', objpath)
- i = dbus.Interface(o, interface)
- for child in idata.getchildren():
- if child.tag == 'arg':
- if child.get('direction') != 'out':
- in_args = in_args + 1
- else:
- out_args = out_args + 1
- if in_args == 0:
- # Takes no inputs, so just call it.
- m = i.get_dbus_method(method)
- if out_args == 0:
- m()
- print("[ %s: %s.%s ]\n" % (objpath, interface, method))
- elif out_args == 1:
- result = m()
- print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
- else:
- result = m()
- print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
- elif method == 'Get' or method == 'Set' or method == 'GetAll':
- # We check on properties elsewhere.
- return True
- # Per-method exercise.
- elif method == 'add_known_ca' or method == 'remove_known_ca':
- (result, path) = i.add_known_ca('Test CA', '/usr/bin/env', [])
- if not result:
- print("[ %s : %s.%s ]: add_known_ca error\n" % (objpath, interface, method))
- return False
- result = i.remove_known_ca(path)
- if not result:
- print("[ %s : %s.%s ]: remove_known_ca error\n" % (objpath, interface, method))
- return False
- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
- elif method == 'add_request' or method == 'remove_request':
- tmpdir = os.getenv('TMPDIR')
- if not tmpdir or tmpdir == '':
- tmpdir = '/tmp'
- properties = {
- 'nickname': 'foo',
- 'cert-storage': 'file',
- 'cert-file': tmpdir + "/028-certfile",
- 'key-storage': 'file',
- 'key-file': tmpdir + "/028-keyfile",
- 'template-email': ['root@localhost', 'toor@localhost'],
- }
- (result, path) = i.add_request(properties)
- if not result:
- print("[ %s : %s.%s ]: add_request error\n" % (objpath, interface, method))
- return False
- result = i.remove_request(path)
- if not result:
- print("[ %s : %s.%s ]: remove_request error\n" % (objpath, interface, method))
- return False
- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
- elif method == 'find_ca_by_nickname':
- capath = i.find_ca_by_nickname('local')
- o = bus.get_object('org.fedorahosted.certmonger', capath)
- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
- if i.Get('org.fedorahosted.certmonger.ca', 'nickname') != 'local':
- print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.ca', 'nickname')))
- return False
- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
- elif method == 'find_request_by_nickname':
- reqpath = i.find_request_by_nickname('Buddy')
- o = bus.get_object('org.fedorahosted.certmonger', reqpath)
- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
- if i.Get('org.fedorahosted.certmonger.request', 'nickname') != 'Buddy':
- print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.request', 'nickname')))
- return False
- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
- elif method == 'modify':
- mods = {}
- propname = "template-eku"
- propval = '1.2.3.4.5.6.7.8.9.10'
- mods[propname] = [propval,]
- status, path = i.modify(mods)
- if not status:
- print("[ %s : %s.%s ] error\n" % (objpath, interface, method))
- return False
- print("[ %s : %s.%s ]\n%d on %s" % (objpath, interface, method, status, path))
- props = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
- prop = props.Get(interface, 'template-eku')
- print("After setting %s to %s, we got %s\n" % (propname, propval, prop))
- else:
- # We're in FIXME territory.
- print('FIXME: need support for "%s"' % method)
- return False
- # If we caused things to start churning, wait for them to settle.
+ in_args = 0
+ out_args = 0
+ o = bus.get_object('org.fedorahosted.certmonger', objpath)
+ i = dbus.Interface(o, interface)
+ for child in idata.getchildren():
+ if child.tag == 'arg':
+ if child.get('direction') != 'out':
+ in_args = in_args + 1
+ else:
+ out_args = out_args + 1
+ if in_args == 0:
+ # Takes no inputs, so just call it.
+ m = i.get_dbus_method(method)
+ if out_args == 0:
+ m()
+ print("[ %s: %s.%s ]\n" % (objpath, interface, method))
+ elif out_args == 1:
+ result = m()
+ print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
+ else:
+ result = m()
+ print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
+ elif method == 'Get' or method == 'Set' or method == 'GetAll':
+ # We check on properties elsewhere.
+ return True
+ # Per-method exercise.
+ elif method == 'add_known_ca' or method == 'remove_known_ca':
+ (result, path) = i.add_known_ca('Test CA', '/usr/bin/env', [])
+ if not result:
+ print("[ %s : %s.%s ]: add_known_ca error\n" % (objpath, interface, method))
+ return False
+ result = i.remove_known_ca(path)
+ if not result:
+ print("[ %s : %s.%s ]: remove_known_ca error\n" % (objpath, interface, method))
+ return False
+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
+ elif method == 'add_request' or method == 'remove_request':
+ tmpdir = os.getenv('TMPDIR')
+ if not tmpdir or tmpdir == '':
+ tmpdir = '/tmp'
+ properties = {
+ 'nickname': 'foo',
+ 'cert-storage': 'file',
+ 'cert-file': tmpdir + "/028-certfile",
+ 'key-storage': 'file',
+ 'key-file': tmpdir + "/028-keyfile",
+ 'template-email': ['root@localhost', 'toor@localhost'],
+ }
+ (result, path) = i.add_request(properties)
+ if not result:
+ print("[ %s : %s.%s ]: add_request error\n" % (objpath, interface, method))
+ return False
+ result = i.remove_request(path)
+ if not result:
+ print("[ %s : %s.%s ]: remove_request error\n" % (objpath, interface, method))
+ return False
+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
+ elif method == 'find_ca_by_nickname':
+ capath = i.find_ca_by_nickname('local')
+ o = bus.get_object('org.fedorahosted.certmonger', capath)
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
+ if i.Get('org.fedorahosted.certmonger.ca', 'nickname') != 'local':
+ print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.ca', 'nickname')))
+ return False
+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
+ elif method == 'find_request_by_nickname':
+ reqpath = i.find_request_by_nickname('Buddy')
+ if not reqpath:
+ return False
+ o = bus.get_object('org.fedorahosted.certmonger', reqpath)
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
+ if i.Get('org.fedorahosted.certmonger.request', 'nickname') != 'Buddy':
+ print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.request', 'nickname')))
+ return False
+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
+ elif method == 'modify':
+ mods = {}
+ propname = "template-eku"
+ propval = '1.2.3.4.5.6.7.8.9.10'
+ mods[propname] = [propval,]
+ status, path = i.modify(mods)
+ if not status:
+ print("[ %s : %s.%s ] error\n" % (objpath, interface, method))
+ return False
+ print("[ %s : %s.%s ]\n%d on %s" % (objpath, interface, method, status, path))
+ props = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
+ prop = props.Get(interface, 'template-eku')
+ print("After setting %s to %s, we got %s\n" % (propname, propval, prop))
+ else:
+ # We're in FIXME territory.
+ print('FIXME: need support for "%s"' % method)
+ return False
+ # If we caused things to start churning, wait for them to settle.
if method == 'resubmit':
props = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
prop = props.Get(interface, 'status')
while prop != 'MONITORING':
time.sleep(1)
prop = props.Get(interface, 'status')
- return True
+ return True
def iget(child, proxy, interface, prop):
- value = proxy.Get(interface, prop)
- if not value:
- if child.get('type') == 'b':
- value = False
- elif child.get('type') == 'n' or child.get('type') == 'x':
- value = 0
- elif child.get('type') == 's':
- value = ''
- elif child.get('type') == 'as':
- value = ['']
- else:
- print("%s.%s: %s" % (interface, prop, child.get('type')))
- return False
- return value
+ value = proxy.Get(interface, prop)
+ if not value:
+ if child.get('type') == 'b':
+ value = False
+ elif child.get('type') == 'n' or child.get('type') == 'x':
+ value = 0
+ elif child.get('type') == 's':
+ value = ''
+ elif child.get('type') == 'as':
+ value = ['']
+ else:
+ print("%s.%s: %s" % (interface, prop, child.get('type')))
+ return False
+ return value
def examine_interface(objpath, interface, idata):
- o = bus.get_object('org.fedorahosted.certmonger', objpath)
- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
- for child in idata.getchildren():
- if child.tag == 'property':
- prop = child.get('name')
- if child.get('access') == 'read':
- # Check that we can read it.
- value = i.Get(interface, prop)
- elif child.get('access') == 'readwrite':
- if prop == 'external-helper' or prop == 'scep-ca-identifier':
- cai = dbus.Interface(o, 'org.fedorahosted.certmonger.ca')
- if cai.get_type() != 'EXTERNAL':
- print("%s: warning: property %s.%s not settable on this object" % (objpath, interface, prop))
- continue
- # Check that we can read it, tweak it, and then reset it.
- value = iget(child, i, interface, prop)
- i.Set(interface, prop, value)
- newvalue = None
- if child.get('type') == 'b':
- newvalue = not value
- elif child.get('type') == 'n' or child.get('type') == 'x':
- newvalue = value + 1
- elif child.get('type') == 's':
- newvalue = 'x' + value
- elif child.get('type') == 'as':
- newvalue = ['x'] + value
- else:
- print("%s.%s: %s" % (interface, prop, child.get('type')))
- return False
- if newvalue:
- if newvalue == value:
- print("%s: error determining new value: (%s, %s): %s" % (objpath, interface, prop, value))
- return False
- i.Set(interface, prop, newvalue)
- if newvalue != iget(child, i, interface, prop):
- print("%s: property %s.%s not set: (%s, %s)" % (objpath, interface, prop, value, newvalue))
- return False
- i.Set(interface, prop, value)
- if value != iget(child, i, interface, prop):
- print("%s: property %s.%s not reset: (%s, %s)" % (objpath, interface, prop, newvalue, value))
- return False
- elif child.tag == 'method':
- method = child.get('name')
- if not examine_method(objpath, interface, method, child):
- return False
- elif child.tag == 'signal':
- continue
- else:
- print "FIXME: handle child tag %s" % child.tag
- return False
- return True
+ o = bus.get_object('org.fedorahosted.certmonger', objpath)
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
+ for child in idata.getchildren():
+ if child.tag == 'property':
+ prop = child.get('name')
+ if child.get('access') == 'read':
+ # Check that we can read it.
+ value = i.Get(interface, prop)
+ elif child.get('access') == 'readwrite':
+ if prop == 'external-helper' or prop == 'scep-ca-identifier':
+ cai = dbus.Interface(o, 'org.fedorahosted.certmonger.ca')
+ if cai.get_type() != 'EXTERNAL':
+ print("%s: warning: property %s.%s not settable on this object" % (objpath, interface, prop))
+ continue
+ # Check that we can read it, tweak it, and then reset it.
+ value = iget(child, i, interface, prop)
+ i.Set(interface, prop, value)
+ newvalue = None
+ if child.get('type') == 'b':
+ newvalue = not value
+ elif child.get('type') == 'n' or child.get('type') == 'x':
+ newvalue = value + 1
+ elif child.get('type') == 's':
+ newvalue = 'x' + value
+ elif child.get('type') == 'as':
+ newvalue = ['x'] + value
+ else:
+ print("%s.%s: %s" % (interface, prop, child.get('type')))
+ return False
+ if newvalue:
+ if newvalue == value:
+ print("%s: error determining new value: (%s, %s): %s" % (objpath, interface, prop, value))
+ return False
+ i.Set(interface, prop, newvalue)
+ if newvalue != iget(child, i, interface, prop):
+ print("%s: property %s.%s not set: (%s, %s)" % (objpath, interface, prop, value, newvalue))
+ return False
+ i.Set(interface, prop, value)
+ if value != iget(child, i, interface, prop):
+ print("%s: property %s.%s not reset: (%s, %s)" % (objpath, interface, prop, newvalue, value))
+ return False
+ elif child.tag == 'method':
+ method = child.get('name')
+ if not examine_method(objpath, interface, method, child):
+ return False
+ elif child.tag == 'signal':
+ continue
+ else:
+ print("FIXME: handle child tag %s" % child.tag)
+ return False
+ return True
def examine_object(objpath):
- o = bus.get_object('org.fedorahosted.certmonger', objpath)
- i = dbus.Interface(o, 'org.freedesktop.DBus.Introspectable')
- idata = i.Introspect()
- x = xml.etree.ElementTree.XML(idata)
+ o = bus.get_object('org.fedorahosted.certmonger', objpath)
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Introspectable')
+ idata = i.Introspect()
+ x = xml.etree.ElementTree.XML(idata)
- # Check if the object supports properties interfaces.
- props = False
- for child in x.getchildren():
- if child.tag == 'interface':
- if child.get('name') == 'org.freedesktop.DBus.Properties':
- props = True
+ # Check if the object supports properties interfaces.
+ props = False
+ for child in x.getchildren():
+ if child.tag == 'interface':
+ if child.get('name') == 'org.freedesktop.DBus.Properties':
+ props = True
- # Look at the interfaces and child nodes.
- for child in x.getchildren():
- if child.tag == 'interface':
- if props and not check_props(objpath, child.get('name')):
- return False
- if not examine_interface(objpath, child.get('name'), child):
- return False
- elif child.tag == 'node':
- if objpath == '/':
- childpath = '/' + child.get('name')
- else:
- childpath = objpath + '/' + child.get('name')
- examine_object(childpath)
- else:
- print "FIXME: handle child tag %s" % child.tag
- return False
- return True
+ # Look at the interfaces and child nodes.
+ for child in x.getchildren():
+ if child.tag == 'interface':
+ if props and not check_props(objpath, child.get('name')):
+ return False
+ if not examine_interface(objpath, child.get('name'), child):
+ return False
+ elif child.tag == 'node':
+ if objpath == '/':
+ childpath = '/' + child.get('name')
+ else:
+ childpath = objpath + '/' + child.get('name')
+ examine_object(childpath)
+ else:
+ print("FIXME: handle child tag %s" % child.tag)
+ return False
+ return True
if not examine_object('/'):
- sys.exit(1)
+ sys.exit(1)
sys.exit(0)
diff --git a/tests/038-ms-v2-template/extract-extdata.py b/tests/038-ms-v2-template/extract-extdata.py
index 1a845fd..9f9d910 100755
--- a/tests/038-ms-v2-template/extract-extdata.py
+++ b/tests/038-ms-v2-template/extract-extdata.py
@@ -1,10 +1,11 @@
-#!/usr/bin/python2
+#!/usr/bin/python3
# Given `openssl asn1parse` output of a CSR, look for the V2 Template
# extension and output its data if found. Nonzero exit status if
# not found.
import binascii
+import os
import re
import sys
@@ -21,7 +22,7 @@ for line in sys.stdin:
#
if state == STATE_FOUND and 'OCTET STRING' in line:
result = re.search(r'\[HEX DUMP\]:(\w*)', line)
- sys.stdout.write(binascii.unhexlify(result.group(1)))
+ os.write(1, binascii.unhexlify(result.group(1)))
state = STATE_DONE
break
--
2.17.0


@ -0,0 +1,41 @@
From 3dee8044adf134462fadb2b135cc965227f1fab9 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 12:48:41 -0400
Subject: [PATCH 18/25] clang: more Dead assignment
---
src/submit-x.c | 5 ++---
src/tdbus.c | 1 -
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/submit-x.c b/src/submit-x.c
index fa81e9aa..abebc610 100644
--- a/src/submit-x.c
+++ b/src/submit-x.c
@@ -914,9 +914,8 @@ main(int argc, const char **argv)
/* Maybe we need a ccache. */
if (k5 || (kpname != NULL) || (ktname != NULL)) {
- if (!make_ccache ||
- (cm_submit_x_make_ccache(ktname, kpname, NULL) == 0)) {
- k5 = TRUE;
+ if (make_ccache) {
+ cm_submit_x_make_ccache(ktname, kpname, NULL);
}
}
diff --git a/src/tdbus.c b/src/tdbus.c
index cb0a8ad7..a81b5349 100644
--- a/src/tdbus.c
+++ b/src/tdbus.c
@@ -757,7 +757,6 @@ cm_tdbus_setup_public(struct tevent_context *ec, enum cm_tdbus_type bus_type,
/* Connect to the right bus. */
bus_desc = NULL;
conn = NULL;
- exit_on_disconnect = TRUE;
if (error != NULL) {
dbus_error_init(error);
}
--
2.21.0
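Review bot: The new `if (make_ccache)` block in submit-x.c main() discards the return value of cm_submit_x_make_ccache(), so a failed credential-cache setup is no longer observable at this point in the code, whereas the old condition at least recorded the outcome in `k5`. If the submission is meant to continue without Kerberos credentials when the call fails, say so next to the call, e.g. `/* cm_submit_x_make_ccache() reports failures itself; we carry on without a ccache. */`; otherwise test the result, `if (cm_submit_x_make_ccache(ktname, kpname, NULL) != 0) { /* warn or bail */ }`. main() starts and ends outside the hunk, so whether a later check covers this case is not visible here.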


@ -0,0 +1,321 @@
From 0dc90f1783981ac11c3c067c40df88d6315911a6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 12:53:57 -0400
Subject: [PATCH 19/25] clang: more Memory leaks
Fix leaks in tests/tools/addcinfo.c, dogtag.c and submit-x.c
---
src/dogtag.c | 17 +++++++++++++----
src/getcert.c | 3 ++-
src/store-files.c | 1 +
src/submit-d.c | 6 ++++++
src/submit-x.c | 39 ++++++++++-----------------------------
tests/tools/addcinfo.c | 8 +++++---
6 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/src/dogtag.c b/src/dogtag.c
index 55607f3d..8e3890a5 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -117,7 +117,7 @@ main(int argc, const char **argv)
const char *ssldir = NULL, *cainfo = NULL, *capath = NULL;
const char *sslcert = NULL, *sslkey = NULL;
const char *sslpin = NULL, *sslpinfile = NULL;
- const char *csr = NULL, *serial = NULL, *template = NULL;
+ const char *csr = NULL, *csre = NULL, *serial = NULL, *template = NULL;
const char *uid = NULL, *pwd = NULL, *pwdfile = NULL;
const char *udn = NULL, *pin = NULL, *pinfile = NULL;
char *poptarg;
@@ -127,7 +127,7 @@ main(int argc, const char **argv)
} *aoptions = NULL, *soptions = NULL;
size_t num_aoptions = 0, num_soptions = 0, j;
char *savedstate = NULL;
- char *p, *q, *params = NULL, *params2 = NULL;
+ char *p = NULL, *q = NULL, *params = NULL, *params2 = NULL;
const char *lasturl = NULL, *lastparams = NULL;
const char *tmp = NULL, *results = NULL;
struct cm_submit_h_context *hctx;
@@ -537,16 +537,19 @@ main(int argc, const char **argv)
}
poptPrintUsage(pctx, stdout, 0);
free(csr);
+ free(p);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
- csr = cm_submit_u_url_encode(csr);
+ csre = cm_submit_u_url_encode(csr);
params = talloc_asprintf(ctx,
"profileId=%s&"
"cert_request_type=pkcs10&"
"cert_request=%s&"
"xml=true",
template,
- csr);
+ csre);
+ free(csr);
+ free(csre);
}
/* Check for creds specified as options. */
for (j = 0; j < num_soptions; j++) {
@@ -608,12 +611,16 @@ main(int argc, const char **argv)
printf(_("No agent URL (-A) given, and no default "
"known.\n"));
poptPrintUsage(pctx, stdout, 0);
+ free(p);
+ free(q);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
if ((sslcert == NULL) || (strlen(sslcert) == 0)) {
printf(_("No agent credentials (-n) given, but they "
"are needed.\n"));
poptPrintUsage(pctx, stdout, 0);
+ free(p);
+ free(q);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
/* Reading profile defaults for this certificate, then applying
@@ -778,12 +785,14 @@ main(int argc, const char **argv)
lasturl);
}
talloc_free(ctx);
+ free(p);
return CM_SUBMIT_STATUS_UNREACHABLE;
}
if (results == NULL) {
printf(_("Internal error: no response to \"%s?%s\".\n"),
lasturl, lastparams);
talloc_free(ctx);
+ free(p);
return CM_SUBMIT_STATUS_REJECTED;
}
switch (op) {
diff --git a/src/getcert.c b/src/getcert.c
index ddb28de2..0d527ab0 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -4042,11 +4042,12 @@ thumbprint(const char *s, SECOidTag tag, int bits)
}
u = malloc(length);
if (u == NULL) {
+ free(t);
goto done;
}
length = cm_store_base64_to_bin(t, -1, u, length);
+ free(t);
if (PK11_HashBuf(tag, digest, u, length) == SECSuccess) {
- free(t);
t = malloc(bits / 4 + howmany(bits, 32));
if (t != NULL) {
ret = t;
diff --git a/src/store-files.c b/src/store-files.c
index b97ba5ff..4e57ae16 100644
--- a/src/store-files.c
+++ b/src/store-files.c
@@ -573,6 +573,7 @@ cm_store_file_read_lines(void *parent, FILE *fp)
lines = tlines;
}
}
+ free(buf);
return lines;
}
diff --git a/src/submit-d.c b/src/submit-d.c
index 5a4edb3f..36cc9828 100644
--- a/src/submit-d.c
+++ b/src/submit-d.c
@@ -1204,6 +1204,9 @@ restart:
} else {
printf("Error %d.\n", c);
}
+ if (defaults != nodefault) {
+ free(defaults);
+ }
return 1;
}
result = cm_submit_h_results(hctx, NULL) ?: "";
@@ -1365,6 +1368,9 @@ restart:
/* never reached */
break;
}
+ if (defaults != nodefault) {
+ free(defaults);
+ }
return 0;
}
#endif
diff --git a/src/submit-x.c b/src/submit-x.c
index abebc610..58d007ef 100644
--- a/src/submit-x.c
+++ b/src/submit-x.c
@@ -45,14 +45,17 @@ get_error_message(krb5_context ctx, krb5_error_code kcode)
{
const char *ret;
#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
- ret = ctx ? krb5_get_error_message(ctx, kcode) : NULL;
- if (ret == NULL) {
- ret = error_message(kcode);
+ if (ctx) {
+ const char *msg = krb5_get_error_message(ctx, kcode);
+ ret = strdup(msg);
+ krb5_free_error_message(ctx, msg);
+ } else {
+ ret = strdup(error_message(kcode));
}
#else
- ret = error_message(kcode);
+ ret = strdup(error_message(kcode));
#endif
- return strdup(ret);
+ return ret;
}
char *
@@ -75,8 +78,6 @@ cm_submit_x_ccache_realm(char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return NULL;
}
@@ -86,8 +87,6 @@ cm_submit_x_ccache_realm(char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return NULL;
}
@@ -97,8 +96,6 @@ cm_submit_x_ccache_realm(char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return NULL;
}
@@ -106,7 +103,7 @@ cm_submit_x_ccache_realm(char **msg)
if (data == NULL) {
fprintf(stderr, "Error retrieving principal realm.\n");
if (msg != NULL) {
- *msg = "Error retrieving principal realm.\n";
+ *msg = strdup("Error retrieving principal realm.\n");
}
return NULL;
}
@@ -114,7 +111,7 @@ cm_submit_x_ccache_realm(char **msg)
if (ret == NULL) {
fprintf(stderr, "Out of memory for principal realm.\n");
if (msg != NULL) {
- *msg = "Out of memory for principal realm.\n";
+ *msg = strdup("Out of memory for principal realm.\n");
}
return NULL;
}
@@ -145,8 +142,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
fprintf(stderr, "Error initializing Kerberos: %s.\n", ret);
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -160,8 +155,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -173,8 +166,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
principal, ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -186,8 +177,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -209,8 +198,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -229,8 +216,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -245,8 +230,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -257,8 +240,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
diff --git a/tests/tools/addcinfo.c b/tests/tools/addcinfo.c
index 939005c2..e34612a5 100644
--- a/tests/tools/addcinfo.c
+++ b/tests/tools/addcinfo.c
@@ -63,7 +63,7 @@ content_info_template[] = {
int
main(int argc, char **argv)
{
- unsigned char *buffer = NULL, buf[BUFSIZ];
+ unsigned char *buffer = NULL, *newbuffer = NULL, buf[BUFSIZ];
int i, n = 0;
unsigned int j;
SECItem encoded;
@@ -73,11 +73,13 @@ main(int argc, char **argv)
cm_log_set_method(cm_log_stderr);
cm_log_set_level(3);
while ((i = read(STDIN_FILENO, buf, sizeof(buf))) > 0) {
- buffer = realloc(buffer, n + i);
- if (buffer == NULL) {
+ newbuffer = realloc(buffer, n + i);
+ if (newbuffer == NULL) {
+ free(buffer);
cm_log(0, "Out of memory.\n");
return 1;
}
+ buffer = newbuffer;
memcpy(buffer + n, buf, i);
n += i;
}
--
2.21.0
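Review bot: Deleting the `} else { free(ret); }` branches in cm_submit_x_ccache_realm() and cm_submit_x_make_ccache() leaks the message whenever the caller passes `msg == NULL`: `ret` comes from get_error_message(), which this same patch changes to always return a strdup()'d copy, and main() in submit-x.c passes NULL for msg in the preceding patch. The leak is small in a short-lived helper, but it runs against this commit's purpose; unless `ret` is released further down (both functions continue outside these hunks), keep the branch, `} else { free(ret); }`. The new `*msg = strdup("Error retrieving principal realm.\n");` assignments also change the contract — callers that used to receive a string literal must now free `*msg` — which deserves a comment on the `msg` parameter of both functions.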


@ -0,0 +1,29 @@
From 6b14979cdb7a177e7c5567faa67449dd1365c1b9 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 13:16:08 -0400
Subject: [PATCH 20/25] clang: Avoid buffer overflow
This shouldn't be possible because the caller would never allow
it all to be passed in but quiet static analyzers.
---
src/getcert.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/getcert.c b/src/getcert.c
index 0d527ab0..bbc45479 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -1839,8 +1839,8 @@ set_tracking(const char *argv0, const char *category,
enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS;
DBusMessage *req, *rep;
const char *request, *capath;
- struct cm_tdbusm_dict param[28];
- const struct cm_tdbusm_dict *params[29];
+ struct cm_tdbusm_dict param[30];
+ const struct cm_tdbusm_dict *params[30];
char *nss_scheme, *dbdir = NULL, *token = NULL, *nickname = NULL;
char **anchor_dbs = NULL, **anchor_files = NULL;
char *id = NULL, *new_id = NULL, *new_request;
--
2.21.0


@ -0,0 +1,43 @@
From 3727376f8654f9e1dd88b1f9721124f9fc96ad0a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 14:44:05 -0400
Subject: [PATCH 21/25] clang: Garbage value possible
Need to add guard so that error was only considered if the
certificate was decodable and an import was attempted.
---
src/certsave-n.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/certsave-n.c b/src/certsave-n.c
index 972a1dfa..30e242c1 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -498,6 +498,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
}
/* Import the certificate. */
+ error = SECFailure;
newcert = CERT_DecodeCertFromPackage((char *)item->data, item->len);
if (newcert != NULL) {
error = PK11_ImportCert(sle->slot,
@@ -506,7 +507,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
entry->cm_cert_nickname,
PR_FALSE);
}
- if (error == SECSuccess) {
+ if ((newcert != NULL) && (error == SECSuccess)) {
cm_log(1, "Imported certificate with "
"nickname \"%s\".\n",
entry->cm_cert_nickname);
@@ -581,6 +582,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
CERT_DestroyCertList(certlist);
}
} else {
+ ec = PORT_GetError();
if (ec != 0) {
es = PR_ErrorToName(ec);
} else {
--
2.21.0


@ -0,0 +1,25 @@
From a5c7484a00b378290069ab57c1f2e52719cc91c0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 14:48:43 -0400
Subject: [PATCH 22/25] Uninitialized variable
---
src/csrgen-o.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/csrgen-o.c b/src/csrgen-o.c
index 402284ff..41b4f014 100644
--- a/src/csrgen-o.c
+++ b/src/csrgen-o.c
@@ -181,7 +181,7 @@ cm_csrgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
BIGNUM *serialbn;
char buf[LINE_MAX], *s, *nickname, *pin, *password, *filename;
unsigned char *extensions, *upassword, *bmp, *name, *up, *uq, md[CM_DIGEST_MAX];
- char *spkidec, *mcb64, *nows;
+ char *spkidec = NULL, *mcb64, *nows;
const char *default_cn = CM_DEFAULT_CERT_SUBJECT_CN, *spkihex = NULL;
const unsigned char *nametmp;
struct tm *now;
--
2.21.0


@ -0,0 +1,39 @@
From 432f843ffbc0bc0b14c0501b26a10e450c5b5fcc Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 15:43:02 -0400
Subject: [PATCH 23/25] merge into clang: more Memory leaks
---
src/getcert.c | 2 +-
src/submit-x.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/getcert.c b/src/getcert.c
index bbc45479..4713dd15 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -4040,7 +4040,7 @@ thumbprint(const char *s, SECOidTag tag, int bits)
if (length == 0) {
goto done;
}
- u = malloc(length);
+ u = malloc(length+1);
if (u == NULL) {
free(t);
goto done;
diff --git a/src/submit-x.c b/src/submit-x.c
index 58d007ef..467e67e4 100644
--- a/src/submit-x.c
+++ b/src/submit-x.c
@@ -43,7 +43,7 @@
static char *
get_error_message(krb5_context ctx, krb5_error_code kcode)
{
- const char *ret;
+ char *ret;
#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
if (ctx) {
const char *msg = krb5_get_error_message(ctx, kcode);
--
2.21.0


@ -0,0 +1,24 @@
From d610317f69687d0c6892209d3cb6e3c407af4d86 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 15:44:07 -0400
Subject: [PATCH 24/25] Add missing return type declaration
---
src/tdbush.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/tdbush.c b/src/tdbush.c
index d1bbe4da..a10a1aff 100644
--- a/src/tdbush.c
+++ b/src/tdbush.c
@@ -2129,6 +2129,7 @@ ca_get_serial(DBusConnection *conn, DBusMessage *msg,
}
/* org.fedorahosted.certonger.ca.get_config_file_path */
+static DBusHandlerResult
ca_get_config_file_path(DBusConnection *conn, DBusMessage *msg,
struct cm_client_info *ci, struct cm_context *ctx)
{
--
2.21.0


@ -0,0 +1,43 @@
From c16545915ab280e40eefc6bfb4e86d081f20c758 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 15:46:50 -0400
Subject: [PATCH 25/25] Discards const qualifier
---
src/dogtag.c | 3 ++-
src/scep.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/dogtag.c b/src/dogtag.c
index 8e3890a5..962a8bf4 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -117,9 +117,10 @@ main(int argc, const char **argv)
const char *ssldir = NULL, *cainfo = NULL, *capath = NULL;
const char *sslcert = NULL, *sslkey = NULL;
const char *sslpin = NULL, *sslpinfile = NULL;
- const char *csr = NULL, *csre = NULL, *serial = NULL, *template = NULL;
+ const char *serial = NULL, *template = NULL;
const char *uid = NULL, *pwd = NULL, *pwdfile = NULL;
const char *udn = NULL, *pin = NULL, *pinfile = NULL;
+ char *csr = NULL, *csre = NULL;
char *poptarg;
struct {
char *name;
diff --git a/src/scep.c b/src/scep.c
index b0bd214b..b37711cf 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -204,7 +204,8 @@ main(int argc, const char **argv)
int prefer_non_renewal = 0, can_renewal = 0;
int response_code = 0, response_code2 = 0;
enum known_ops op = op_unset;
- const char *id = NULL, *cainfo = NULL;
+ const char *id = NULL;
+ char *cainfo = NULL;
char *poptarg;
char *message = NULL, *rekey_message = NULL;
const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;
--
2.21.0


@ -0,0 +1,134 @@
From 9bbb628620d4e586941344e1bdbbc166a885c0a9 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 5 Sep 2019 12:45:52 -0400
Subject: [PATCH] Optimize closing open file descriptors
When forking, the code would close all unused file descriptors up
to maximum number of files. In the default case this is 1024. In
the container case this is 1048576. Huge delays in startup were
seen due to this.
Even in a default 1024 ulimit case this drastically reduces the
number of file descriptors to mark FD_CLOEXEC but in the container
default case this saves another order of magnitude of work.
This patch takes inspiration from systemd[1] and walks /proc/self/fd
if it is available to determine the list of open descriptors. It
falls back to the "close all fds we don't care about up to limit"
method.
https://bugzilla.redhat.com/show_bug.cgi?id=1656519
[1] https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217
---
src/subproc.c | 71 ++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 62 insertions(+), 9 deletions(-)
diff --git a/src/subproc.c b/src/subproc.c
index e49e3762..8df836ae 100644
--- a/src/subproc.c
+++ b/src/subproc.c
@@ -19,6 +19,7 @@
#include <sys/types.h>
#include <sys/wait.h>
+#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <paths.h>
@@ -436,6 +437,25 @@ cm_subproc_parse_args(void *parent, const char *cmdline, const char **error)
return argv;
}
+/* Based heavily on systemd version */
+static
+int safe_atoi(const char *s, int *ret_i) {
+ char *x = NULL;
+ long l;
+
+ errno = 0;
+ l = strtol(s, &x, 0);
+ if (errno > 0)
+ return -1;
+ if (!x || x == s || *x != 0)
+ return -1;
+ if ((long) (int) l != l)
+ return -1;
+
+ *ret_i = (int) l;
+ return 0;
+}
+
/* Redirect stdio to /dev/null, and mark everything else as close-on-exec,
* except for perhaps one to three of them that are passed in by number. */
void
@@ -443,6 +463,9 @@ cm_subproc_mark_most_cloexec(int fd, int fd2, int fd3)
{
int i;
long l;
+ DIR *dir = NULL;
+ struct dirent *de;
+
if ((fd != STDIN_FILENO) &&
(fd2 != STDIN_FILENO) &&
(fd3 != STDIN_FILENO)) {
@@ -482,17 +505,47 @@ cm_subproc_mark_most_cloexec(int fd, int fd2, int fd3)
close(STDERR_FILENO);
}
}
- for (i = getdtablesize() - 1; i >= 3; i--) {
- if ((i == fd) ||
- (i == fd2) ||
- (i == fd3)) {
- continue;
+ dir = opendir("/proc/self/fd");
+ if (!dir) {
+ /* /proc isn't available, fall back to old way */
+ for (i = getdtablesize() - 1; i >= 3; i--) {
+ if ((i == fd) ||
+ (i == fd2) ||
+ (i == fd3)) {
+ continue;
+ }
+ l = fcntl(i, F_GETFD);
+ if (l != -1) {
+ if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
+ cm_log(0, "Potentially leaking FD %d.\n", i);
+ }
+ }
}
- l = fcntl(i, F_GETFD);
- if (l != -1) {
- if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
- cm_log(0, "Potentially leaking FD %d.\n", i);
+ } else {
+ while ((de = readdir(dir)) != NULL) {
+ int i = -1;
+
+ if (safe_atoi(de->d_name, &i) < 0) {
+ continue;
+ }
+
+ if ((i == fd) ||
+ (i == fd2) ||
+ (i == fd3)) {
+ continue;
+ }
+
+ if (i == dirfd(dir)) {
+ continue;
+ }
+
+ l = fcntl(i, F_GETFD);
+ if (l != -1) {
+ if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
+ cm_log(0, "Potentially leaking FD %d.\n", i);
+ }
}
}
+ closedir(dir);
}
}
--
2.21.0
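Review bot: The /proc/self/fd path in cm_subproc_mark_most_cloexec() treats a NULL from readdir() as end-of-directory; if readdir() fails part-way (errno set), the loop ends silently and every descriptor not yet visited stays inheritable across the execvp() the callers perform next, which defeats the purpose stated in the function's header comment. Clear errno before the loop, test it afterwards and fall back to the getdtablesize() scan, which is easiest if that scan becomes a small static helper shared by the `!dir` branch and the error case, as sketched below. Two smaller points in the same hunk: the inner `int i = -1;` shadows the function's `i` (`-Wshadow`), and `safe_atoi()` parses with base 0, so `0x1` or `010` would be accepted — base 10 is the honest choice for /proc/self/fd names, and its `static` / `int safe_atoi(...) {` brace placement differs from the rest of the file. The function begins in the previous hunk, so only the body shown here was reviewed.
```c
/* Fallback: visit every possible descriptor up to the table size. */
static void
cm_subproc_mark_cloexec_by_scan(int fd, int fd2, int fd3)
{
	int i;
	long l;

	for (i = getdtablesize() - 1; i >= 3; i--) {
		if ((i == fd) || (i == fd2) || (i == fd3)) {
			continue;
		}
		l = fcntl(i, F_GETFD);
		if ((l != -1) && (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0)) {
			cm_log(0, "Potentially leaking FD %d.\n", i);
		}
	}
}

	/* … unchanged: stdio redirection at the top of cm_subproc_mark_most_cloexec() … */
	dir = opendir("/proc/self/fd");
	if (!dir) {
		/* /proc isn't available, fall back to old way */
		cm_subproc_mark_cloexec_by_scan(fd, fd2, fd3);
		return;
	}
	errno = 0;
	while ((de = readdir(dir)) != NULL) {
		int n = -1;	/* renamed from i: no longer shadows the outer loop index */

		if (safe_atoi(de->d_name, &n) < 0) {
			continue;
		}
		if ((n == fd) || (n == fd2) || (n == fd3) || (n == dirfd(dir))) {
			continue;
		}
		l = fcntl(n, F_GETFD);
		if ((l != -1) && (fcntl(n, F_SETFD, l | FD_CLOEXEC) != 0)) {
			cm_log(0, "Potentially leaking FD %d.\n", n);
		}
	}
	if (errno != 0) {
		/* A truncated listing would leave descriptors inheritable; rescan them all. */
		int err = errno;
		cm_log(0, "Error reading /proc/self/fd (errno %d), rescanning.\n", err);
		cm_subproc_mark_cloexec_by_scan(fd, fd2, fd3);
	}
	closedir(dir);
```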


@ -0,0 +1,33 @@
From b7bcb1b3b953c2052e2d89cb2b3e9d9ccd1b3864 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 10 Oct 2019 16:28:18 -0400
Subject: [PATCH] Don't close STDOUT when calling the CA fetch_roots function
cm_subproc_mark_most_cloexec() now closes all open file
descriptors except for up to three requested for stdin, stdout
and stderr. Before the optimization those three were always
left open.
This was causing errors in the IPA helper ipa-server-guard
because it tries to display the contents of stderr which was
always being closed, causing ipa-server-guard to blow up.
---
src/cadata.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cadata.c b/src/cadata.c
index eb87eb76..3e916c96 100644
--- a/src/cadata.c
+++ b/src/cadata.c
@@ -109,7 +109,7 @@ fetch(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, void *data)
}
return -1;
}
- cm_subproc_mark_most_cloexec(STDOUT_FILENO, -1, -1);
+ cm_subproc_mark_most_cloexec(STDOUT_FILENO, STDERR_FILENO, -1);
cm_log(1, "Running enrollment/cadata helper \"%s\".\n", argv[0]);
execvp(argv[0], argv);
u = errno;
--
2.21.0


@ -0,0 +1,35 @@
From 205775f73f7eef7b207acccac6b853562adf604b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 25 Oct 2019 20:25:36 +0000
Subject: [PATCH] Don't close STDERR when submitting request
cm_subproc_mark_most_cloexec() now closes all open file
descriptors except for up to three requested for stdin, stdout
and stderr. Before the optimization those three were always
left open.
This was causing errors in the IPA helper ipa-server-guard
because it tries to display the contents of stderr which was
always being closed, causing ipa-server-guard to blow up.
---
src/submit-e.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/submit-e.c b/src/submit-e.c
index d6158d7a..69b4f8e2 100644
--- a/src/submit-e.c
+++ b/src/submit-e.c
@@ -941,8 +941,8 @@ cm_submit_e_helper_main(int fd, struct cm_store_ca *ca,
}
return -1;
}
- cm_log(2, "Redirecting stdin and stderr to /dev/null, leaving stdout open for child \"%s\".\n", argv[0]);
- cm_subproc_mark_most_cloexec(STDOUT_FILENO, -1, -1);
+ cm_log(2, "Redirecting stdin to /dev/null, leaving stdout and stderr open for child \"%s\".\n", argv[0]);
+ cm_subproc_mark_most_cloexec(STDOUT_FILENO, STDERR_FILENO, -1);
cm_log(1, "Running enrollment helper \"%s\".\n", argv[0]);
execvp(argv[0], argv);
u = errno;
--
2.21.0


@ -0,0 +1,259 @@
From 34c120f0259750ff2228def2955de9ad985340e6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 26 Aug 2019 22:01:35 +0000
Subject: [PATCH] Remove NOMODDB flag flag from context init, look for full
tokens
The NSS databases were almost universally initialized with the
NOMODDB flag. I'm not sure if something changed in NSS but the
PKCS#11 modules were not being initialized. Adding this back after
permission checks are done results in tokens working again.
When looking for certs and keys try the full token:nickname string
as well as just nickname when comparing values.
https://pagure.io/certmonger/issue/125
---
src/casave.c | 3 +--
src/certread-n.c | 33 ++++++++++++++++-----------------
src/certsave-n.c | 5 +++++
src/dogtag.c | 3 +--
src/keygen-n.c | 5 +++++
src/keyiread-n.c | 11 ++++++++++-
src/scepgen-n.c | 5 +++++
src/submit-n.c | 5 +++++
src/toklist.c | 2 +-
9 files changed, 49 insertions(+), 23 deletions(-)
diff --git a/src/casave.c b/src/casave.c
index bde63f99..1cf5a406 100644
--- a/src/casave.c
+++ b/src/casave.c
@@ -111,8 +111,7 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
break;
default:
flags = NSS_INIT_READONLY |
- NSS_INIT_NOROOTINIT |
- NSS_INIT_NOMODDB;
+ NSS_INIT_NOROOTINIT;
/* Sigh. Not a lot of detail. Check
* if we succeed in read-only mode,
* which we'll interpret as lack of
diff --git a/src/certread-n.c b/src/certread-n.c
index d535030b..bb61b61b 100644
--- a/src/certread-n.c
+++ b/src/certread-n.c
@@ -157,27 +157,22 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
cm_log(1, "Unable to open NSS database.\n");
_exit(status);
}
+ /* Re-open the database with modules enabled */
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_cert_storage_location,
+ NULL, NULL, NULL, NULL,
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
es = util_n_fips_hook();
if (es != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", es);
_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
}
- /* Allocate a memory pool. */
- arena = PORT_NewArena(sizeof(double));
- if (arena == NULL) {
- cm_log(1, "Error opening database '%s'.\n",
- entry->cm_cert_storage_location);
- if (NSS_ShutdownContext(ctx) != SECSuccess) {
- cm_log(1, "Error shutting down NSS.\n");
- }
- _exit(ENOMEM);
- }
/* Find the tokens that we might use for cert storage. */
mech = CKM_RSA_X_509;
slotlist = PK11_GetAllTokens(mech, PR_FALSE, PR_FALSE, NULL);
if (slotlist == NULL) {
cm_log(1, "Error getting list of tokens.\n");
- PORT_FreeArena(arena, PR_TRUE);
if (NSS_ShutdownContext(ctx) != SECSuccess) {
cm_log(1, "Error shutting down NSS.\n");
}
@@ -249,6 +244,7 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
/* If we need to log in in order to read certificates, do so. */
if (PK11_NeedLogin(sle->slot)) {
+ cm_log(3, "Need login to token %s\n", PK11_GetTokenName(sle->slot));
if (cm_pin_read_for_cert(entry, &pin) != 0) {
cm_log(1, "Error reading PIN for cert db, "
"skipping.\n");
@@ -272,13 +268,19 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
/* Walk the list of certificates in the slot, looking for one
* which matches the specified nickname. */
certs = PK11_ListCertsInSlot(sle->slot);
+ cm_log(3, "Looking for %s\n", entry->cm_cert_nickname);
if (certs != NULL) {
for (node = CERT_LIST_HEAD(certs);
!CERT_LIST_EMPTY(certs) &&
!CERT_LIST_END(node, certs);
node = CERT_LIST_NEXT(node)) {
- if (strcmp(node->cert->nickname,
- entry->cm_cert_nickname) == 0) {
+ cm_log(3, "certread-n: Slot nickname %s\n",
+ node->cert->nickname);
+ es = talloc_asprintf(entry, "%s:%s",
+ entry->cm_cert_token, entry->cm_cert_nickname);
+ if ((strcmp(node->cert->nickname,
+ entry->cm_cert_nickname) == 0) ||
+ (strcmp(node->cert->nickname, es) == 0)) {
cm_log(3, "Located the certificate "
"\"%s\".\n",
entry->cm_cert_nickname);
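Review bot: `es = talloc_asprintf(entry, "%s:%s", entry->cm_cert_token, entry->cm_cert_nickname);` runs on every iteration of the certificate loop and its result is not checked, so a NULL return (allocation failure) or a NULL entry->cm_cert_token handed to `%s` reaches strcmp() and takes the helper down; build the token-qualified name once before the loop and skip that comparison when it is NULL. The same per-iteration allocation is in this patch's keyiread-n.c hunk inside cm_keyiread_n_get_keys. Earlier in this function es holds the return of util_n_fips_hook(), so reusing it for a talloc'd buffer deserves a one-line comment. The loop and the enclosing function continue past the hunk.
```c
	certs = PK11_ListCertsInSlot(sle->slot);
	cm_log(3, "Looking for %s\n", entry->cm_cert_nickname);
	/* "token:nickname" form, built once per slot; NULL when there is
	 * no token name or the allocation fails. */
	es = (entry->cm_cert_token != NULL) ?
	     talloc_asprintf(entry, "%s:%s",
			     entry->cm_cert_token, entry->cm_cert_nickname) :
	     NULL;
	if (certs != NULL) {
		/* … unchanged: for-loop header and nickname log … */
			if ((strcmp(node->cert->nickname,
				    entry->cm_cert_nickname) == 0) ||
			    ((es != NULL) &&
			     (strcmp(node->cert->nickname, es) == 0))) {
				/* … unchanged: match handling … */
```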
@@ -321,7 +323,6 @@ next_slot:
if (cert == NULL) {
cm_log(1, "Error locating certificate.\n");
PK11_FreeSlotList(slotlist);
- PORT_FreeArena(arena, PR_TRUE);
if (NSS_ShutdownContext(ctx) != SECSuccess) {
cm_log(1, "Error shutting down NSS.\n");
}
@@ -332,7 +333,6 @@ next_slot:
fclose(fp);
CERT_DestroyCertificate(cert);
PK11_FreeSlotList(slotlist);
- PORT_FreeArena(arena, PR_TRUE);
if (NSS_ShutdownContext(ctx) != SECSuccess) {
cm_log(1, "Error shutting down NSS.\n");
}
@@ -358,8 +358,7 @@ cm_certread_n_parse(struct cm_store_entry *entry,
NULL, NULL, NULL, NULL,
NSS_INIT_NOCERTDB |
NSS_INIT_READONLY |
- NSS_INIT_NOROOTINIT |
- NSS_INIT_NOMODDB);
+ NSS_INIT_NOROOTINIT);
if (ctx == NULL) {
cm_log(1, "Unable to initialize NSS.\n");
_exit(1);
diff --git a/src/certsave-n.c b/src/certsave-n.c
index 972a1dfa..eda03b34 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -186,6 +186,11 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
} else {
/* We don't try to force FIPS mode here, as it seems to get in
* the way of saving the certificate. */
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_cert_storage_location,
+ NULL, NULL, NULL, NULL,
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
/* Allocate a memory pool. */
arena = PORT_NewArena(sizeof(double));
diff --git a/src/dogtag.c b/src/dogtag.c
index 55607f3d..c43664ef 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -306,8 +306,7 @@ main(int argc, const char **argv)
NULL, NULL, NULL, NULL,
NSS_INIT_NOCERTDB |
NSS_INIT_READONLY |
- NSS_INIT_NOROOTINIT |
- NSS_INIT_NOMODDB);
+ NSS_INIT_NOROOTINIT);
if (nctx == NULL) {
cm_log(1, "Unable to initialize NSS.\n");
_exit(1);
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 061bd2af..e921d7ec 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -226,6 +226,11 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
break;
}
}
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_key_storage_location,
+ NULL, NULL, NULL, NULL,
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
reason = util_n_fips_hook();
if (reason != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
index 91b1be41..dc1c6092 100644
--- a/src/keyiread-n.c
+++ b/src/keyiread-n.c
@@ -115,6 +115,11 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
break;
}
}
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_key_storage_location,
+ NULL, NULL, NULL, NULL,
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
reason = util_n_fips_hook();
if (reason != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
@@ -340,8 +345,12 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
cnode = CERT_LIST_NEXT(cnode)) {
nickname = entry->cm_key_nickname;
cert = cnode->cert;
+ es = talloc_asprintf(entry, "%s:%s",
+ entry->cm_cert_token,
+ entry->cm_cert_nickname);
if ((nickname != NULL) &&
- (strcmp(cert->nickname, nickname) == 0)) {
+ ((strcmp(cert->nickname, nickname) == 0) ||
+ (strcmp(cert->nickname, es) == 0))) {
cm_log(3, "Located a certificate with "
"the key's nickname (\"%s\").\n",
nickname);
diff --git a/src/scepgen-n.c b/src/scepgen-n.c
index d6735aa7..8c67b122 100644
--- a/src/scepgen-n.c
+++ b/src/scepgen-n.c
@@ -183,6 +183,11 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
break;
}
}
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_key_storage_location,
+ NULL, NULL, NULL, NULL,
+ NSS_INIT_READONLY |
+ NSS_INIT_NOROOTINIT);
reason = util_n_fips_hook();
if (reason != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
diff --git a/src/submit-n.c b/src/submit-n.c
index b07ea23a..f27b9c7f 100644
--- a/src/submit-n.c
+++ b/src/submit-n.c
@@ -317,6 +317,11 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
}
goto done;
}
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(args->entry->cm_key_storage_location,
+ NULL, NULL, NULL, NULL,
+ NSS_INIT_READONLY |
+ NSS_INIT_NOROOTINIT);
reason = util_n_fips_hook();
if (reason != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
diff --git a/src/toklist.c b/src/toklist.c
index a4328218..ac166722 100644
--- a/src/toklist.c
+++ b/src/toklist.c
@@ -79,7 +79,7 @@ main(int argc, const char **argv)
/* Open the database. */
ctx = NSS_InitContext(dbdir, NULL, NULL, NULL, NULL,
- NSS_INIT_NOROOTINIT | NSS_INIT_NOMODDB);
+ NSS_INIT_NOROOTINIT);
if (ctx == NULL) {
printf("Unable to open NSS database '%s'.\n", dbdir);
_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
--
2.21.0


@ -0,0 +1,233 @@
From 59df833ca5fb80c596df621a24dc461a550dba71 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 27 Aug 2019 18:01:02 +0000
Subject: [PATCH] Update tests to include the security module DB in expected
output
certmonger was previously always initializing the databases with
the flag NSS_INIT_NOMODDB but in at elast NSS 3.44 this doesn't
seem to initialize external modules (tested with SoftHSM2).
https://pagure.io/certmonger/issue/125
---
tests/034-perms-dbm/expected.out | 16 ++++++++++++++++
tests/034-perms-sql/expected.out | 16 ++++++++++++++++
tests/034-perms/expected.out | 16 ++++++++++++++++
3 files changed, 48 insertions(+)
diff --git a/tests/034-perms-dbm/expected.out b/tests/034-perms-dbm/expected.out
index c062d409..7bf23a37 100644
--- a/tests/034-perms-dbm/expected.out
+++ b/tests/034-perms-dbm/expected.out
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
[dbm:keygen]
$owner:$group|0600|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:csrgen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:submit]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:save]
$owner:$group|0662|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
[rekey:dbm:start]
[rekey:dbm:keygen]
$owner:$group|0600|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:keygen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:csrgen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:submit]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:save]
$owner:$group|0662|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
OK
diff --git a/tests/034-perms-sql/expected.out b/tests/034-perms-sql/expected.out
index 2808e02c..c5914e02 100644
--- a/tests/034-perms-sql/expected.out
+++ b/tests/034-perms-sql/expected.out
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
[sql:keygen]
$owner:$group|0600|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0600|pkcs11.txt
[sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:csrgen]
$owner:$group|0755|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:submit]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:save]
$owner:$group|0662|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0662|pkcs11.txt
[rekey:sql:start]
[rekey:sql:keygen]
$owner:$group|0600|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0600|pkcs11.txt
[rekey:sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:keygen]
$owner:$group|0755|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:csrgen]
$owner:$group|0755|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:submit]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:save]
$owner:$group|0662|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0662|pkcs11.txt
OK
diff --git a/tests/034-perms/expected.out b/tests/034-perms/expected.out
index c062d409..7bf23a37 100644
--- a/tests/034-perms/expected.out
+++ b/tests/034-perms/expected.out
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
[dbm:keygen]
$owner:$group|0600|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:csrgen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:submit]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:save]
$owner:$group|0662|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
[rekey:dbm:start]
[rekey:dbm:keygen]
$owner:$group|0600|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:keygen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:csrgen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:submit]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:save]
$owner:$group|0662|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
OK
--
2.21.0


@ -0,0 +1,50 @@
From 64702b25951ce996532afea7d627612d6bba7451 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 10 Oct 2019 18:24:32 +0000
Subject: [PATCH] Try to pull the entire CA chain from IPA
IPA originally stored a single cert in cn=cacert which is
what certmonger has always retrieved in fetch_roots. It was
replaced to store cn=certificates as separate entries in order
to more easily support chains and to include additional
metadata about certificates.
Try to pull the chain from that location first and fall back
to cn=cacert if no entries are found.
https://bugzilla.redhat.com/show_bug.cgi?id=1710632
---
src/ipa.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/ipa.c b/src/ipa.c
index acd1a4e2..40a4b52c 100644
--- a/src/ipa.c
+++ b/src/ipa.c
@@ -508,7 +508,8 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
LDAP *ld = NULL;
LDAPMessage *lresult = NULL, *lmsg = NULL;
char *lattrs[2] = {"caCertificate;binary", NULL};
- const char *relativedn = "cn=cacert,cn=ipa,cn=etc";
+ const char *relativedn = "cn=certificates,cn=ipa,cn=etc";
+ const char *relativecompatdn = "cn=cacert,cn=ipa,cn=etc";
char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", *kerr = NULL;
struct berval **lbvalues, *lbv;
unsigned char *bv_val;
@@ -543,6 +544,13 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
lfilter, lattrs, 0, NULL, NULL, NULL,
LDAP_NO_LIMIT, &lresult);
+ if (rc == LDAP_SUCCESS && ldap_count_entries(ld, lresult) == 0) {
+ /* Fall back to the old location */
+ snprintf(ldn, sizeof(ldn), "%s,%s", relativecompatdn, basedn);
+ rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
+ lfilter, lattrs, 0, NULL, NULL, NULL,
+ LDAP_NO_LIMIT, &lresult);
+ }
if (rc != LDAP_SUCCESS) {
fprintf(stderr, "Error searching '%s': %s.\n",
ldn, ldap_err2string(rc));
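Review bot: The fallback `rc = ldap_search_ext_s(ld, ldn, ..., &lresult);` overwrites lresult while the message from the first search, presumably still allocated even though it holds no entries, has not been released; add `ldap_msgfree(lresult); lresult = NULL;` before the second search. `ldap_count_entries()` returns -1 on error, which the `== 0` test correctly leaves on the non-fallback path. The fallback snprintf() reads `basedn`, which this patch leaves freed between the two searches just above the hunk; the following patch on this page addresses that. fetch_roots continues outside the hunk.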
--
2.21.0


@ -0,0 +1,34 @@
From c6f2737747cbb70adfdd1a77412b669838f9c419 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 2 Dec 2019 15:08:54 -0500
Subject: [PATCH] Fix use-after-free issue
The basedn value was freed after the first search but a second
one could be initiated.
---
src/ipa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ipa.c b/src/ipa.c
index 40a4b52c..41ca9081 100644
--- a/src/ipa.c
+++ b/src/ipa.c
@@ -540,7 +540,6 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
/* Now look up the root certificates for the domain. */
snprintf(lfilter, sizeof(lfilter), "(%s=*)", lattrs[0]);
snprintf(ldn, sizeof(ldn), "%s,%s", relativedn, basedn);
- free(basedn);
rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
lfilter, lattrs, 0, NULL, NULL, NULL,
LDAP_NO_LIMIT, &lresult);
@@ -551,6 +550,7 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
lfilter, lattrs, 0, NULL, NULL, NULL,
LDAP_NO_LIMIT, &lresult);
}
+ free(basedn);
if (rc != LDAP_SUCCESS) {
fprintf(stderr, "Error searching '%s': %s.\n",
ldn, ldap_err2string(rc));
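Review bot: `free(basedn);` now sits after the last read, but basedn stays in scope for the remainder of fetch_roots, which continues below the hunk, and a dangling pointer left in scope is exactly how the use-after-free this patch fixes arose. Writing it as `free(basedn); basedn = NULL;` turns any future reuse into a deterministic NULL dereference rather than a read of freed memory. If basedn is declared at the top of fetch_roots (outside this hunk), no other clearing of it is visible here.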
--
2.21.0

SPECS/certmonger.spec Normal file
