import certmonger-0.79.7-15.el8
This commit is contained in:
parent
09ef8f82dc
commit
b377b17852
931
SOURCES/0033-Improve-logging-in-SCEP-helper.patch
Normal file
931
SOURCES/0033-Improve-logging-in-SCEP-helper.patch
Normal file
@ -0,0 +1,931 @@
|
||||
From 0aa25dc4f8c44434e3f28a7fe25a72c0871ac13b Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Wed, 29 Apr 2020 16:50:16 -0400
|
||||
Subject: [PATCH 33/39] Improve logging in SCEP helper
|
||||
|
||||
Always check return value of cm_pkcs7_verify_signed() and return
|
||||
a unique error message.
|
||||
|
||||
Change log level from 1 to 0 for all errors in scep.c and pkcs7.c
|
||||
so they appear by default.
|
||||
|
||||
Centralize logging across scep.c and pkcs7.c to reduce code
|
||||
duplication.
|
||||
|
||||
Check the return code to cm_pkcs7_verify_signed in all cases.
|
||||
|
||||
Add the last available message, if any, to the error returned
|
||||
via stdout to certmonger as a hint to what is going on.
|
||||
---
|
||||
src/pkcs7.c | 111 +++++++++++++++++++++++++++---------------------
|
||||
src/pkcs7.h | 2 +
|
||||
src/scep.c | 59 ++++++++++---------------
|
||||
src/scepgen-n.c | 28 ++++++------
|
||||
src/scepgen-o.c | 72 ++++++++++++++++---------------
|
||||
src/scepgen.c | 2 +-
|
||||
6 files changed, 140 insertions(+), 134 deletions(-)
|
||||
|
||||
diff --git a/src/pkcs7.c b/src/pkcs7.c
|
||||
index 6de1775..29420b9 100644
|
||||
--- a/src/pkcs7.c
|
||||
+++ b/src/pkcs7.c
|
||||
@@ -274,6 +274,25 @@ cm_pkcs7_parse_buffer(const unsigned char *buffer, size_t length,
|
||||
}
|
||||
}
|
||||
|
||||
+void
|
||||
+log_pkcs7_errors(int level, char *msg)
|
||||
+{
|
||||
+ char buf[LINE_MAX] = "";
|
||||
+ long error;
|
||||
+ int nss_err;
|
||||
+
|
||||
+ cm_log(level, "%s\n", msg);
|
||||
+ while ((error = ERR_get_error()) != 0) {
|
||||
+ memset(buf, '\0', sizeof(buf));
|
||||
+ ERR_error_string_n(error, buf, sizeof(buf));
|
||||
+ cm_log(level, "%s\n", buf);
|
||||
+ }
|
||||
+ nss_err = PORT_GetError();
|
||||
+ if (nss_err < 0) {
|
||||
+ cm_log(level, "%d: %s\n", nss_err, PR_ErrorToString(nss_err, 0));
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
int
|
||||
cm_pkcs7_parsev(unsigned int flags, void *parent,
|
||||
char **certleaf, char **certtop, char ***certothers,
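Review bot: `log_pkcs7_errors` declares `char *msg`, yet every call site in this patch passes a string literal and the body never writes through it, so the parameter (here and in the pkcs7.h prototype) should be `const char *msg`. The first statement, `cm_log(level, "%s\n", msg);`, also appends a newline while every message passed in already ends in `\n` (e.g. `"Error parsing recipient certificate.\n"`), so each call logs an extra blank line; drop the `\n` from either the format or the callers. Because `ERR_get_error()` pops entries, the loop drains the whole OpenSSL error queue, and `PORT_GetError()` appears to return whatever NSS error was last set, so a stale NSS error from an earlier unrelated call would be reported alongside the message — both side effects deserve a comment on the definition. The function is also exported without the `cm_pkcs7_` prefix the rest of this file's public functions carry.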
|
||||
@@ -520,26 +539,26 @@ cm_pkcs7_envelope_data(char *encryption_cert, enum cm_prefs_cipher cipher,
|
||||
|
||||
in = BIO_new_mem_buf(encryption_cert, -1);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
recipient = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
||||
if (recipient == NULL) {
|
||||
- cm_log(1, "Error parsing recipient certificate.\n");
|
||||
+ log_pkcs7_errors(0, "Error parsing recipient certificate.\n");
|
||||
goto done;
|
||||
}
|
||||
BIO_free(in);
|
||||
|
||||
recipients = sk_X509_new(util_o_cert_cmp);
|
||||
if (recipients == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
sk_X509_push(recipients, recipient);
|
||||
|
||||
in = BIO_new_mem_buf(data, dlength);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
p7 = PKCS7_encrypt(recipients, in, cm_prefs_ossl_cipher_by_pref(cipher),
|
||||
@@ -547,22 +566,22 @@ cm_pkcs7_envelope_data(char *encryption_cert, enum cm_prefs_cipher cipher,
|
||||
BIO_free(in);
|
||||
|
||||
if (p7 == NULL) {
|
||||
- cm_log(1, "Error encrypting signing request.\n");
|
||||
+ log_pkcs7_errors(0, "Error encrypting signing request.\n");
|
||||
goto done;
|
||||
}
|
||||
len = i2d_PKCS7(p7, NULL);
|
||||
if (len < 0) {
|
||||
- cm_log(1, "Error encoding encrypted signing request.\n");
|
||||
+ log_pkcs7_errors(0, "Error encoding encrypted signing request.\n");
|
||||
goto done;
|
||||
}
|
||||
dp7 = malloc(len);
|
||||
if (dp7 == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
u = dp7;
|
||||
if (i2d_PKCS7(p7, &u) != len) {
|
||||
- cm_log(1, "Error encoding encrypted signing request.\n");
|
||||
+ log_pkcs7_errors(0, "Error encoding encrypted signing request.\n");
|
||||
goto done;
|
||||
}
|
||||
*enveloped = dp7;
|
||||
@@ -593,29 +612,29 @@ cm_pkcs7_envelope_csr(char *encryption_cert, enum cm_prefs_cipher cipher,
|
||||
|
||||
in = BIO_new_mem_buf(csr, -1);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
|
||||
BIO_free(in);
|
||||
if (req == NULL) {
|
||||
- cm_log(1, "Error parsing certificate signing request.\n");
|
||||
+ log_pkcs7_errors(0, "Error parsing certificate signing request.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
dlen = i2d_X509_REQ(req, NULL);
|
||||
if (dlen < 0) {
|
||||
- cm_log(1, "Error encoding certificate signing request.\n");
|
||||
+ log_pkcs7_errors(0, "Error encoding certificate signing request.\n");
|
||||
goto done;
|
||||
}
|
||||
dreq = malloc(dlen);
|
||||
if (dreq == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
u = dreq;
|
||||
if (i2d_X509_REQ(req, &u) != dlen) {
|
||||
- cm_log(1, "Error encoding certificate signing request.\n");
|
||||
+ log_pkcs7_errors(0, "Error encoding certificate signing request.\n");
|
||||
goto done;
|
||||
}
|
||||
ret = cm_pkcs7_envelope_data(encryption_cert, cipher, dreq, dlen,
|
||||
@@ -671,59 +690,61 @@ cm_pkcs7_generate_ias(char *cacert, char *minicert,
|
||||
|
||||
in = BIO_new_mem_buf(cacert, -1);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
ca = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
||||
BIO_free(in);
|
||||
if (ca == NULL) {
|
||||
- cm_log(1, "Error parsing CA certificate.\n");
|
||||
+ log_pkcs7_errors(0, "Error parsing CA certificate.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
in = BIO_new_mem_buf(minicert, -1);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
mini = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
||||
BIO_free(in);
|
||||
if (mini == NULL) {
|
||||
- cm_log(1, "Error parsing client certificate.\n");
|
||||
+ log_pkcs7_errors(0, "Error parsing client certificate.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
issuerlen = i2d_X509_NAME(X509_get_issuer_name(ca), NULL);
|
||||
if (issuerlen < 0) {
|
||||
- cm_log(1, "Error encoding CA certificate issuer name.\n");
|
||||
+ cm_log(0, "Error encoding CA certificate issuer name.\n");
|
||||
goto done;
|
||||
}
|
||||
issuer = malloc(issuerlen);
|
||||
if (issuer == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
u = issuer;
|
||||
if (i2d_X509_NAME(X509_get_issuer_name(ca), &u) != issuerlen) {
|
||||
- cm_log(1, "Error encoding CA certificate issuer name.\n");
|
||||
+ log_pkcs7_errors(0, "Error encoding CA certificate issuer name.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
subjectlen = i2d_X509_NAME(X509_get_subject_name(mini), NULL);
|
||||
if (subjectlen < 0) {
|
||||
- cm_log(1, "Error encoding client certificate subject name.\n");
|
||||
+ cm_log(0, "Error encoding client certificate subject name.\n");
|
||||
goto done;
|
||||
}
|
||||
subject = malloc(subjectlen);
|
||||
if (subject == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
u = subject;
|
||||
if (i2d_X509_NAME(X509_get_subject_name(mini), &u) != subjectlen) {
|
||||
- cm_log(1, "Error encoding client certificate subject name.\n");
|
||||
+ log_pkcs7_errors(0, "Error encoding client certificate subject name.\n");
|
||||
goto done;
|
||||
}
|
||||
+ PORT_SetError(0);
|
||||
+ ERR_clear_error();
|
||||
memset(&issuerandsubject, 0, sizeof(issuerandsubject));
|
||||
issuerandsubject.issuer.data = issuer;
|
||||
issuerandsubject.issuer.len = issuerlen;
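Review bot: The `issuerlen < 0` and `subjectlen < 0` branches keep a plain `cm_log(0, ...)` while the sibling `i2d_X509_NAME(..., &u) != issuerlen` branches a few lines below were switched to `log_pkcs7_errors`; both failures come from the same OpenSSL call, so the error queue is equally relevant and the first pair should read `log_pkcs7_errors(0, "Error encoding CA certificate issuer name.\n");` (and the client-subject equivalent) for consistency. The added `PORT_SetError(0); ERR_clear_error();` before the NSS encode is the right idea, since it should make the later `log_pkcs7_errors` report only errors raised by `SEC_ASN1EncodeItem`. cm_pkcs7_generate_ias continues past this hunk.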
|
||||
@@ -731,7 +752,7 @@ cm_pkcs7_generate_ias(char *cacert, char *minicert,
|
||||
issuerandsubject.subject.len = subjectlen;
|
||||
if (SEC_ASN1EncodeItem(NULL, &encoded, &issuerandsubject,
|
||||
cm_pkcs7_ias_template) != &encoded) {
|
||||
- cm_log(1, "Error encoding issuer and subject names.\n");
|
||||
+ log_pkcs7_errors(0, "Error encoding issuer and subject names.\n");
|
||||
goto done;
|
||||
}
|
||||
*ias = malloc(encoded.len);
|
||||
@@ -948,28 +969,28 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
u = data;
|
||||
p7 = d2i_PKCS7(NULL, &u, length);
|
||||
if ((p7 == NULL) || (u != data + length)) {
|
||||
- cm_log(1, "Error parsing what should be PKCS#7 signed-data.\n");
|
||||
+ cm_log(0, "Error parsing what should be PKCS#7 signed-data.\n");
|
||||
goto done;
|
||||
}
|
||||
if ((p7->type == NULL) || (OBJ_obj2nid(p7->type) != NID_pkcs7_signed)) {
|
||||
- cm_log(1, "PKCS#7 data is not signed-data.\n");
|
||||
+ cm_log(0, "PKCS#7 data is not signed-data.\n");
|
||||
goto done;
|
||||
}
|
||||
store = X509_STORE_new();
|
||||
if (store == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
X509_STORE_set_verify_cb_func(store, &ignore_purpose_errors);
|
||||
certs = sk_X509_new(util_o_cert_cmp);
|
||||
if (certs == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
for (i = 0; (roots != NULL) && (roots[i] != NULL); i++) {
|
||||
s = talloc_strdup(parent, roots[i]);
|
||||
if (s == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
/* In case one of these is multiple PEM certificates
|
||||
@@ -990,13 +1011,13 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
}
|
||||
in = BIO_new_mem_buf(p, q - p);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
x = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
||||
BIO_free(in);
|
||||
if (x == NULL) {
|
||||
- cm_log(1, "Error parsing chain certificate.\n");
|
||||
+ cm_log(0, "Error parsing chain certificate.\n");
|
||||
goto done;
|
||||
}
|
||||
X509_STORE_add_cert(store, x);
|
||||
@@ -1008,7 +1029,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
for (i = 0; (othercerts != NULL) && (othercerts[i] != NULL); i++) {
|
||||
s = talloc_strdup(parent, othercerts[i]);
|
||||
if (s == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
/* In case one of these is multiple PEM certificates
|
||||
@@ -1028,13 +1049,13 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
}
|
||||
in = BIO_new_mem_buf(p, q - p);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
x = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
||||
BIO_free(in);
|
||||
if (x == NULL) {
|
||||
- cm_log(1, "Error parsing chain certificate.\n");
|
||||
+ cm_log(0, "Error parsing chain certificate.\n");
|
||||
goto done;
|
||||
}
|
||||
sk_X509_push(certs, x);
|
||||
@@ -1044,7 +1065,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
}
|
||||
out = BIO_new(BIO_s_mem());
|
||||
if (out == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
if (roots != NULL) {
|
||||
@@ -1057,19 +1078,19 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
for (i = 0; i < sk_X509_num(certs); i++) {
|
||||
x = X509_dup(sk_X509_value(certs, i));
|
||||
if (x == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
PKCS7_add_certificate(p7, x);
|
||||
}
|
||||
if (PKCS7_verify(p7, certs, store, NULL, out, 0) != 1) {
|
||||
- cm_log(1, "Message failed verification.\n");
|
||||
+ cm_log(0, "Message failed verification.\n");
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
p7s = p7->d.sign;
|
||||
if (sk_PKCS7_SIGNER_INFO_num(p7s->signer_info) != 1) {
|
||||
- cm_log(1, "Number of PKCS#7 signed-data signers != 1.\n");
|
||||
+ cm_log(0, "Number of PKCS#7 signed-data signers != 1.\n");
|
||||
goto done;
|
||||
}
|
||||
si = sk_PKCS7_SIGNER_INFO_value(p7s->signer_info, 0);
|
||||
@@ -1077,12 +1098,12 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
encapsulated = p7s->contents;
|
||||
if (expected_content_type != NID_undef) {
|
||||
if (encapsulated == NULL) {
|
||||
- cm_log(1, "Error parsing PKCS#7 encapsulated content.\n");
|
||||
+ cm_log(0, "Error parsing PKCS#7 encapsulated content.\n");
|
||||
goto done;
|
||||
}
|
||||
if ((encapsulated->type == NULL) ||
|
||||
(OBJ_obj2nid(encapsulated->type) != expected_content_type)) {
|
||||
- cm_log(1, "PKCS#7 encapsulated data is not %s (%s).\n",
|
||||
+ cm_log(0, "PKCS#7 encapsulated data is not %s (%s).\n",
|
||||
OBJ_nid2ln(expected_content_type),
|
||||
encapsulated->type ?
|
||||
OBJ_nid2ln(OBJ_obj2nid(encapsulated->type)) :
|
||||
@@ -1091,7 +1112,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
}
|
||||
}
|
||||
if (attrs == NULL) {
|
||||
- cm_log(1, "PKCS#7 signed-data contains no signed attributes.\n");
|
||||
+ cm_log(0, "PKCS#7 signed-data contains no signed attributes.\n");
|
||||
goto done;
|
||||
}
|
||||
ret = 0;
|
||||
@@ -1146,7 +1167,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
if (*payload_length > 0) {
|
||||
*payload = talloc_size(parent, *payload_length + 1);
|
||||
if (*payload == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
memcpy(*payload, s, *payload_length);
|
||||
@@ -1154,12 +1175,6 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
}
|
||||
}
|
||||
done:
|
||||
- if (ret != 0) {
|
||||
- while ((error = ERR_get_error()) != 0) {
|
||||
- ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
- }
|
||||
- }
|
||||
if (p7 != NULL) {
|
||||
PKCS7_free(p7);
|
||||
}
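Review bot: Removing the `ERR_get_error()` loop at `done:` changes the contract of `cm_pkcs7_verify_signed`: on failure it now leaves the OpenSSL error queue populated for the caller to report or drain. The scep.c callers in this patch do that through `log_pkcs7_errors`, but any other caller that does not will carry stale entries into its next failure report, so this should be stated in pkcs7.h above the prototype. The `error` and `buf` locals that served this loop are declared outside the hunk; if nothing else in the function uses them they are now unused and will warn under `-Wall`.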
|
||||
diff --git a/src/pkcs7.h b/src/pkcs7.h
|
||||
index 097f7ca..fae52f8 100644
|
||||
--- a/src/pkcs7.h
|
||||
+++ b/src/pkcs7.h
|
||||
@@ -63,4 +63,6 @@ int cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
size_t *recipient_nonce_length,
|
||||
unsigned char **payload, size_t *payload_length);
|
||||
|
||||
+void log_pkcs7_errors(int level, char *msg);
|
||||
+
|
||||
#endif
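Review bot: The new `log_pkcs7_errors` prototype carries no comment describing its side effects, which callers need to know because the implementation pops every entry off the OpenSSL error queue with `ERR_get_error()` and then reports `PORT_GetError()`. A caller that wants to inspect the queue itself — as scep.c's `ERR_peek_last_error()` in the server-response path does — has to do so before calling it. Suggest a comment above the prototype: `/* Log msg at the given level, then log and drain the OpenSSL error queue and report the current NSS error. */`. `msg` should also be `const char *`, since all callers pass literals.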
|
||||
diff --git a/src/scep.c b/src/scep.c
|
||||
index b37711c..0b8bef9 100644
|
||||
--- a/src/scep.c
|
||||
+++ b/src/scep.c
|
||||
@@ -428,11 +428,15 @@ main(int argc, const char **argv)
|
||||
if ((rekey_message != NULL) && (strlen(rekey_message) != 0)) {
|
||||
tmp1 = cm_submit_u_base64_from_text(rekey_message);
|
||||
tmp2 = cm_store_base64_as_bin(ctx, tmp1, -1, &c);
|
||||
- cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
|
||||
+ i = cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
|
||||
NULL, NULL, NID_pkcs7_data, ctx, NULL,
|
||||
NULL, &msgtype, NULL, NULL,
|
||||
NULL, NULL,
|
||||
NULL, NULL, NULL, NULL);
|
||||
+ if (i != 0) {
|
||||
+ log_pkcs7_errors(0, "Error: failed to verify signature on "
|
||||
+ "rekey PKCSReq.\n");
|
||||
+ }
|
||||
if ((msgtype == NULL) ||
|
||||
((strcmp(msgtype, SCEP_MSGTYPE_PKCSREQ) != 0) &&
|
||||
(strcmp(msgtype, SCEP_MSGTYPE_GETCERTINITIAL) != 0))) {
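Review bot: The new `if (i != 0)` only logs and then falls through to the `msgtype == NULL` test, so a stored message that `cm_pkcs7_verify_signed` rejected is still processed; the msgtype test catches the common case, but any outputs the function may have filled before failing are consumed as if the call had succeeded, so consider whether a non-zero `i` should end this branch. The message text is also misleading: with `NULL` roots and othercerts passed on the following lines, the function appears (from the `if (roots != NULL)` guard around `PKCS7_verify` in the pkcs7.c hunks) to skip signature verification entirely, so a failure here is a parse/structure error of the locally stored PKCSReq rather than a signature failure, and `"Error: failed to parse stored rekey PKCSReq.\n"` would be more accurate. The same applies to the hunk below that logs `"Error: failed to verify signature on message.\n"`. main() extends beyond this hunk.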
|
||||
@@ -454,11 +458,15 @@ main(int argc, const char **argv)
|
||||
if ((message != NULL) && (strlen(message) != 0)) {
|
||||
tmp1 = cm_submit_u_base64_from_text(message);
|
||||
tmp2 = cm_store_base64_as_bin(ctx, tmp1, -1, &c);
|
||||
- cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
|
||||
+ i = cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
|
||||
NULL, NULL, NID_pkcs7_data, ctx, NULL,
|
||||
&sent_tx, &msgtype, NULL, NULL,
|
||||
&sent_nonce, &sent_nonce_length,
|
||||
NULL, NULL, NULL, NULL);
|
||||
+ if (i != 0) {
|
||||
+ log_pkcs7_errors(0, "Error: failed to verify signature on "
|
||||
+ "message.\n");
|
||||
+ }
|
||||
if ((msgtype == NULL) ||
|
||||
((strcmp(msgtype, SCEP_MSGTYPE_PKCSREQ) != 0) &&
|
||||
(strcmp(msgtype, SCEP_MSGTYPE_GETCERTINITIAL) != 0))) {
|
||||
@@ -933,14 +941,16 @@ main(int argc, const char **argv)
|
||||
&payload, &payload_length);
|
||||
if (i != 0) {
|
||||
printf(_("Error: failed to verify signature on "
|
||||
- "server response.\n"));
|
||||
- cm_log(1, "Error: failed to verify signature on "
|
||||
- "server response.\n");
|
||||
- while ((error = ERR_get_error()) != 0) {
|
||||
+ "server response. "));
|
||||
+ error = ERR_peek_last_error();
|
||||
+ if (error != 0) {
|
||||
memset(buf, '\0', sizeof(buf));
|
||||
ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
+ printf("%s", buf);
|
||||
}
|
||||
+ printf("\n");
|
||||
+ log_pkcs7_errors(0, "Error: failed to verify signature on "
|
||||
+ "server response.\n");
|
||||
s = cm_store_base64_from_bin(ctx, (unsigned char *) results2,
|
||||
results_length2);
|
||||
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
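Review bot: `ERR_peek_last_error()` is read without the queue having been cleared before the `cm_pkcs7_verify_signed` call, and several of that function's failure paths (`Number of PKCS#7 signed-data signers != 1`, `PKCS#7 signed-data contains no signed attributes`) push nothing onto the OpenSSL error queue, so the text appended to stdout can be a stale error from an earlier, unrelated operation in this process. An `ERR_clear_error();` immediately before the verify call — the pattern this patch introduces before `SEC_ASN1EncodeItem` in `cm_pkcs7_generate_ias` — would make the hint trustworthy. The translatable string now ends in a trailing space and its newline is emitted by a separate `printf("\n")`, which translators will not see; keep the sentence whole inside `_()` and emit the hint in its own `printf("%s\n", buf)`. The verify call and the declaration of `buf` are above this hunk.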
|
||||
@@ -1050,26 +1060,7 @@ main(int argc, const char **argv)
|
||||
p7 = d2i_PKCS7(NULL, &u, payload_length);
|
||||
if (p7 == NULL) {
|
||||
printf(_("Error: couldn't parse signed-data.\n"));
|
||||
- while ((error = ERR_get_error()) != 0) {
|
||||
- memset(buf, '\0', sizeof(buf));
|
||||
- ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
- }
|
||||
- s = cm_store_base64_from_bin(ctx,
|
||||
- (unsigned char *) results2,
|
||||
- results_length2);
|
||||
- s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
|
||||
- fprintf(stderr, "Full reply:\n%s", s);
|
||||
- free(s);
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
- }
|
||||
- if (!PKCS7_type_is_enveloped(p7)) {
|
||||
- printf(_("Error: signed-data payload is not enveloped-data.\n"));
|
||||
- while ((error = ERR_get_error()) != 0) {
|
||||
- memset(buf, '\0', sizeof(buf));
|
||||
- ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
- }
|
||||
+ log_pkcs7_errors(0, "Error: couldn't parse signed-data.\n");
|
||||
s = cm_store_base64_from_bin(ctx,
|
||||
(unsigned char *) results2,
|
||||
results_length2);
|
||||
@@ -1080,11 +1071,8 @@ main(int argc, const char **argv)
|
||||
}
|
||||
if (!PKCS7_type_is_enveloped(p7)) {
|
||||
printf(_("Error: signed-data payload is not enveloped-data.\n"));
|
||||
- while ((error = ERR_get_error()) != 0) {
|
||||
- memset(buf, '\0', sizeof(buf));
|
||||
- ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
- }
|
||||
+ log_pkcs7_errors(0, "Error: signed-data payload is not "
|
||||
+ "enveloped-data.\n");
|
||||
s = cm_store_base64_from_bin(ctx,
|
||||
(unsigned char *) results2,
|
||||
results_length2);
|
||||
@@ -1098,11 +1086,8 @@ main(int argc, const char **argv)
|
||||
(p7->d.enveloped->enc_data->content_type == NULL) ||
|
||||
(OBJ_obj2nid(p7->d.enveloped->enc_data->content_type) != NID_pkcs7_data)) {
|
||||
printf(_("Error: enveloped-data payload is not data.\n"));
|
||||
- while ((error = ERR_get_error()) != 0) {
|
||||
- memset(buf, '\0', sizeof(buf));
|
||||
- ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
- }
|
||||
+ log_pkcs7_errors(0, "Error: enveloped-data payload is "
|
||||
+ "not data.\n");
|
||||
s = cm_store_base64_from_bin(ctx,
|
||||
(unsigned char *) results2,
|
||||
results_length2);
|
||||
diff --git a/src/scepgen-n.c b/src/scepgen-n.c
|
||||
index 8c67b12..ce73c31 100644
|
||||
--- a/src/scepgen-n.c
|
||||
+++ b/src/scepgen-n.c
|
||||
@@ -86,14 +86,14 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
|
||||
return;
|
||||
}
|
||||
if (sk_PKCS7_SIGNER_INFO_num(p7->d.sign->signer_info) != 1) {
|
||||
- cm_log(1, "More than one signer, not sure what to do.\n");
|
||||
+ cm_log(0, "More than one signer, not sure what to do.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
sinfo = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0);
|
||||
salen = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, NULL, &PKCS7_ATTR_SIGN_it);
|
||||
u = sabuf = malloc(salen);
|
||||
if (sabuf == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
/* ASN1_item_i2d doesn't actually modify the passed-in pointer, which
|
||||
@@ -101,7 +101,7 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
|
||||
* that ourselves. */
|
||||
l = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, &u, &PKCS7_ATTR_SIGN_it);
|
||||
if (l != salen) {
|
||||
- cm_log(1, "Error encoding attributes.\n");
|
||||
+ cm_log(0, "Error encoding attributes.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
|
||||
@@ -109,12 +109,12 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
|
||||
digalg = cm_submit_n_tag_from_nid(OBJ_obj2nid(sinfo->digest_alg->algorithm));
|
||||
sigalg = SEC_GetSignatureAlgorithmOidTag(privkey->keyType, digalg);
|
||||
if (sigalg == SEC_OID_UNKNOWN) {
|
||||
- cm_log(1, "Unable to match digest algorithm and key.\n");
|
||||
+ cm_log(0, "Unable to match digest algorithm and key.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
if (SEC_SignData(&signature, sabuf, salen, privkey,
|
||||
sigalg) != SECSuccess) {
|
||||
- cm_log(1, "Error re-signing: %s.\n",
|
||||
+ cm_log(0, "Error re-signing: %s.\n",
|
||||
PR_ErrorToName(PORT_GetError()));
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
@@ -143,7 +143,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
}
|
||||
|
||||
if (ca->cm_ca_encryption_cert == NULL) {
|
||||
- cm_log(1, "Can't generate new SCEP request data without "
|
||||
+ cm_log(0, "Can't generate new SCEP request data without "
|
||||
"the RA/CA encryption certificate.\n");
|
||||
_exit(CM_SUB_STATUS_NEED_SCEP_DATA);
|
||||
}
|
||||
@@ -166,12 +166,12 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
fprintf(status, "Error opening database "
|
||||
"'%s': %s.\n",
|
||||
entry->cm_key_storage_location, es);
|
||||
- cm_log(1, "Error opening database '%s': %s.\n",
|
||||
+ cm_log(0, "Error opening database '%s': %s.\n",
|
||||
entry->cm_key_storage_location, es);
|
||||
} else {
|
||||
fprintf(status, "Error opening database '%s'.\n",
|
||||
entry->cm_key_storage_location);
|
||||
- cm_log(1, "Error opening database '%s'.\n",
|
||||
+ cm_log(0, "Error opening database '%s'.\n",
|
||||
entry->cm_key_storage_location);
|
||||
}
|
||||
switch (ec) {
|
||||
@@ -190,7 +190,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
NSS_INIT_NOROOTINIT);
|
||||
reason = util_n_fips_hook();
|
||||
if (reason != NULL) {
|
||||
- cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
|
||||
+ cm_log(0, "Error putting NSS into FIPS mode: %s\n", reason);
|
||||
_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
|
||||
}
|
||||
|
||||
@@ -198,23 +198,23 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
cm_log(1, "Generating dummy key.\n");
|
||||
key = EVP_PKEY_new();
|
||||
if (key == NULL) {
|
||||
- cm_log(1, "Error allocating new key.\n");
|
||||
+ cm_log(0, "Error allocating new key.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
exponent = BN_new();
|
||||
if (exponent == NULL) {
|
||||
- cm_log(1, "Error setting up exponent.\n");
|
||||
+ cm_log(0, "Error setting up exponent.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
BN_set_word(exponent, CM_DEFAULT_RSA_EXPONENT);
|
||||
rsa = RSA_new();
|
||||
if (rsa == NULL) {
|
||||
- cm_log(1, "Error allocating new RSA key.\n");
|
||||
+ cm_log(0, "Error allocating new RSA key.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
retry_gen:
|
||||
if (RSA_generate_key_ex(rsa, CM_DEFAULT_PUBKEY_SIZE, exponent, NULL) != 1) {
|
||||
- cm_log(1, "Error generating key.\n");
|
||||
+ cm_log(0, "Error generating key.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
if (RSA_check_key(rsa) != 1) { /* should be unnecessary */
|
||||
@@ -228,7 +228,7 @@ retry_gen:
|
||||
if ((keys->privkey->keyType != rsaKey) ||
|
||||
((keys->privkey_next != NULL) &&
|
||||
(keys->privkey_next->keyType != rsaKey))) {
|
||||
- cm_log(1, "Keys aren't RSA. They won't work with SCEP.\n");
|
||||
+ cm_log(0, "Keys aren't RSA. They won't work with SCEP.\n");
|
||||
_exit(CM_SUB_STATUS_ERROR_KEY_TYPE);
|
||||
}
|
||||
|
||||
diff --git a/src/scepgen-o.c b/src/scepgen-o.c
|
||||
index 010abb7..a431815 100644
|
||||
--- a/src/scepgen-o.c
|
||||
+++ b/src/scepgen-o.c
|
||||
@@ -76,14 +76,14 @@ key_from_file(const char *filename, struct cm_store_entry *entry)
|
||||
keyfp = fopen(filename, "r");
|
||||
if (keyfp == NULL) {
|
||||
if (errno != ENOENT) {
|
||||
- cm_log(1, "Error opening key file \"%s\" "
|
||||
+ cm_log(0, "Error opening key file \"%s\" "
|
||||
"for reading: %s.\n",
|
||||
filename, strerror(errno));
|
||||
}
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
if (cm_pin_read_for_key(entry, &pin) != 0) {
|
||||
- cm_log(1, "Internal error reading key encryption PIN.\n");
|
||||
+ cm_log(0, "Internal error reading key encryption PIN.\n");
|
||||
_exit(CM_SUB_STATUS_ERROR_AUTH);
|
||||
}
|
||||
memset(&cb_data, 0, sizeof(cb_data));
|
||||
@@ -93,24 +93,24 @@ key_from_file(const char *filename, struct cm_store_entry *entry)
|
||||
cm_pin_read_for_key_ossl_cb, &cb_data);
|
||||
if (pkey == NULL) {
|
||||
error = errno;
|
||||
- cm_log(1, "Error reading private key '%s': %s.\n",
|
||||
+ cm_log(0, "Error reading private key '%s': %s.\n",
|
||||
filename, strerror(error));
|
||||
while ((error = ERR_get_error()) != 0) {
|
||||
ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
+ cm_log(0, "%s\n", buf);
|
||||
}
|
||||
_exit(CM_SUB_STATUS_ERROR_AUTH); /* XXX */
|
||||
} else {
|
||||
if ((pin != NULL) &&
|
||||
(strlen(pin) > 0) &&
|
||||
(cb_data.n_attempts == 0)) {
|
||||
- cm_log(1, "PIN was not needed to read private "
|
||||
+ cm_log(0, "PIN was not needed to read private "
|
||||
"key '%s', though one was provided. "
|
||||
"Treating this as an error.\n",
|
||||
filename);
|
||||
while ((error = ERR_get_error()) != 0) {
|
||||
ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
+ cm_log(0, "%s\n", buf);
|
||||
}
|
||||
_exit(CM_SUB_STATUS_ERROR_AUTH); /* XXX */
|
||||
}
|
||||
@@ -127,13 +127,13 @@ cert_from_pem(char *pem, struct cm_store_entry *entry)
|
||||
if ((pem != NULL) && (strlen(pem) > 0)) {
|
||||
in = BIO_new_mem_buf(pem, -1);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
||||
BIO_free(in);
|
||||
if (cert == NULL) {
|
||||
- cm_log(1, "Error parsing certificate \"%s\".\n", pem);
|
||||
+ cm_log(0, "Error parsing certificate \"%s\".\n", pem);
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
return cert;
|
||||
@@ -155,19 +155,19 @@ certs_from_nickcerts(struct cm_nickcert **list)
|
||||
if ((this->cm_cert != NULL) && (strlen(this->cm_cert) > 0)) {
|
||||
in = BIO_new_mem_buf(this->cm_cert, -1);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
||||
BIO_free(in);
|
||||
if (cert == NULL) {
|
||||
- cm_log(1, "Error parsing certificate.\n");
|
||||
+ cm_log(0, "Error parsing certificate.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
if (sk == NULL) {
|
||||
sk = sk_X509_new(util_o_cert_cmp);
|
||||
if (sk == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
}
|
||||
@@ -300,19 +300,19 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
|
||||
|
||||
in = BIO_new_mem_buf(data, data_length);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
ret = PKCS7_sign(signer, key, certs, in, flags);
|
||||
if (ret == NULL) {
|
||||
- cm_log(1, "Error signing data.\n");
|
||||
+ cm_log(0, "Error signing data.\n");
|
||||
goto errors;
|
||||
}
|
||||
BIO_free(in);
|
||||
|
||||
/* Set the digest to use for signing. */
|
||||
if (sk_PKCS7_SIGNER_INFO_num(ret->d.sign->signer_info) != 1) {
|
||||
- cm_log(1, "Error signing data: %d signers.\n",
|
||||
+ cm_log(0, "Error signing data: %d signers.\n",
|
||||
sk_PKCS7_SIGNER_INFO_num(ret->d.sign->signer_info));
|
||||
goto errors;
|
||||
}
|
||||
@@ -356,7 +356,7 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
|
||||
PKCS7_content_new(ret, NID_pkcs7_data);
|
||||
out = PKCS7_dataInit(ret, NULL);
|
||||
if (out == NULL) {
|
||||
- cm_log(1, "Error signing data.\n");
|
||||
+ cm_log(0, "Error signing data.\n");
|
||||
goto errors;
|
||||
}
|
||||
BIO_write(out, data, data_length);
|
||||
@@ -366,7 +366,7 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
|
||||
errors:
|
||||
while ((error = ERR_get_error()) != 0) {
|
||||
ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
+ cm_log(0, "%s\n", buf);
|
||||
}
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
@@ -394,11 +394,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
util_o_init();
|
||||
ERR_load_crypto_strings();
|
||||
if (RAND_status() != 1) {
|
||||
- cm_log(1, "PRNG not seeded for generating key.\n");
|
||||
+ cm_log(0, "PRNG not seeded for generating key.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
if (RAND_bytes(nonce, nonce_length) == -1) {
|
||||
- cm_log(1, "PRNG unable to generate nonce.\n");
|
||||
+ cm_log(0, "PRNG unable to generate nonce.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
|
||||
@@ -410,14 +410,14 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
pem = cm_submit_u_pem_from_base64("CERTIFICATE", 0,
|
||||
entry->cm_minicert);
|
||||
if (pem == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
new_cert = cert_from_pem(pem, entry);
|
||||
if (new_cert == NULL) {
|
||||
while ((error = ERR_get_error()) != 0) {
|
||||
ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
+ cm_log(0, "%s\n", buf);
|
||||
}
|
||||
free(pem);
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
@@ -442,7 +442,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
cipher = cm_prefs_des;
|
||||
}
|
||||
else {
|
||||
- cm_log(1, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher);
|
||||
+ cm_log(0, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher);
|
||||
_exit(1);
|
||||
}
|
||||
|
||||
@@ -516,7 +516,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
digest = cm_prefs_md5;
|
||||
}
|
||||
else {
|
||||
- cm_log(1, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest);
|
||||
+ cm_log(0, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest);
|
||||
_exit(1);
|
||||
}
|
||||
|
||||
@@ -578,7 +578,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
ca->cm_ca_encryption_issuer_cert,
|
||||
entry->cm_cert,
|
||||
&old_ias, &old_ias_length) != 0) {
|
||||
- cm_log(1, "Error generating enveloped issuer-and-subject.\n");
|
||||
+ cm_log(0, "Error generating enveloped issuer-and-subject.\n");
|
||||
free(pem);
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
@@ -590,7 +590,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
ca->cm_ca_encryption_issuer_cert,
|
||||
pem,
|
||||
&new_ias, &new_ias_length) != 0) {
|
||||
- cm_log(1, "Error generating enveloped issuer-and-subject.\n");
|
||||
+ cm_log(0, "Error generating enveloped issuer-and-subject.\n");
|
||||
free(pem);
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
@@ -598,7 +598,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
if (cm_pkcs7_envelope_csr(ca->cm_ca_encryption_cert, cipher,
|
||||
entry->cm_csr,
|
||||
&csr, &csr_length) != 0) {
|
||||
- cm_log(1, "Error generating enveloped CSR.\n");
|
||||
+ cm_log(0, "Error generating enveloped CSR.\n");
|
||||
+ while ((error = ERR_get_error()) != 0) {
|
||||
+ ERR_error_string_n(error, buf, sizeof(buf));
|
||||
+ cm_log(0, "%s\n", buf);
|
||||
+ }
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
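Review bot: The error dump added here hand-rolls the ERR_get_error() loop that this same patch centralizes as log_pkcs7_errors() in pkcs7.c, so the five new lines could collapse to `log_pkcs7_errors(0, "Error generating enveloped CSR.");` (scepgen-o.c already calls cm_pkcs7_envelope_csr(), so pkcs7.h is presumably in scope). The two cm_pkcs7_envelope_ias() failures in the hunks just above still log only their one-line message, so the OpenSSL error queue explaining why enveloping failed is discarded there; they would benefit from the same call, ideally with distinct messages since both currently say "Error generating enveloped issuer-and-subject." cm_scepgen_o_cooked() continues beyond this hunk.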
|
||||
|
||||
@@ -608,7 +612,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
* the matching key. */
|
||||
pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(old_cert));
|
||||
if (pubkey == NULL) {
|
||||
- cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n");
|
||||
+ cm_log(0, "Error generating PKCSREQ pkiMessage: error copying key.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
util_X509_set_pubkey(old_cert, old_pkey);
|
||||
@@ -639,7 +643,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
* if we do, we did that in another code path. */
|
||||
pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert));
|
||||
if (pubkey == NULL) {
|
||||
- cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n");
|
||||
+ cm_log(0, "Error generating PKCSREQ pkiMessage: error copying key.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
util_X509_set_pubkey(new_cert, old_pkey);
|
||||
@@ -673,7 +677,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
* any previously-issued certificate won't match. */
|
||||
pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert));
|
||||
if (pubkey == NULL) {
|
||||
- cm_log(1, "Error generating rekeying PKCSREQ pkiMessage: error copying key.\n");
|
||||
+ cm_log(0, "Error generating rekeying PKCSREQ pkiMessage: error copying key.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
util_X509_set_pubkey(new_cert, new_pkey);
|
||||
@@ -703,7 +707,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
X509_free(new_cert);
|
||||
while ((error = ERR_get_error()) != 0) {
|
||||
ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
+ cm_log(0, "%s\n", buf);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -723,14 +727,14 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
}
|
||||
|
||||
if (ca->cm_ca_encryption_cert == NULL) {
|
||||
- cm_log(1, "Can't generate new SCEP request data without "
|
||||
+ cm_log(0, "Can't generate new SCEP request data without "
|
||||
"the RA/CA encryption certificate.\n");
|
||||
_exit(CM_SUB_STATUS_NEED_SCEP_DATA);
|
||||
}
|
||||
|
||||
old_pkey = key_from_file(entry->cm_key_storage_location, entry);
|
||||
if (old_pkey == NULL) {
|
||||
- cm_log(1, "Error reading key from file \"%s\".\n",
|
||||
+ cm_log(0, "Error reading key from file \"%s\".\n",
|
||||
entry->cm_key_storage_location);
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
@@ -739,14 +743,14 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
filename = util_build_next_filename(entry->cm_key_storage_location,
|
||||
entry->cm_key_next_marker);
|
||||
if (filename == NULL) {
|
||||
- cm_log(1, "Error opening key file \"%s\" "
|
||||
+ cm_log(0, "Error opening key file \"%s\" "
|
||||
"for reading: %s.\n",
|
||||
filename, strerror(errno));
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
new_pkey = key_from_file(filename, entry);
|
||||
if (new_pkey == NULL) {
|
||||
- cm_log(1, "Error reading key from file \"%s\".\n",
|
||||
+ cm_log(0, "Error reading key from file \"%s\".\n",
|
||||
filename);
|
||||
free(filename);
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
@@ -757,7 +761,7 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
}
|
||||
if ((util_EVP_PKEY_base_id(old_pkey) != EVP_PKEY_RSA) ||
|
||||
((new_pkey != NULL) && (util_EVP_PKEY_base_id(new_pkey) != EVP_PKEY_RSA))) {
|
||||
- cm_log(1, "Keys aren't RSA. They won't work with SCEP.\n");
|
||||
+ cm_log(0, "Keys aren't RSA. They won't work with SCEP.\n");
|
||||
_exit(CM_SUB_STATUS_ERROR_KEY_TYPE);
|
||||
}
|
||||
|
||||
diff --git a/src/scepgen.c b/src/scepgen.c
|
||||
index eaf2b7c..115446f 100644
|
||||
--- a/src/scepgen.c
|
||||
+++ b/src/scepgen.c
|
||||
@@ -32,7 +32,7 @@ cm_scepgen_start(struct cm_store_ca *ca, struct cm_store_entry *entry)
|
||||
{
|
||||
switch (entry->cm_key_storage_type) {
|
||||
case cm_key_storage_none:
|
||||
- cm_log(1, "Can't generate new SCEP data for %s('%s') without "
|
||||
+ cm_log(0, "Can't generate new SCEP data for %s('%s') without "
|
||||
"the key, and we don't know where that is or should "
|
||||
"be.\n", entry->cm_busname, entry->cm_nickname);
|
||||
break;
|
||||
--
|
||||
2.21.1
|
||||
|
@ -0,0 +1,33 @@
|
||||
From e4d0a60836e1ecbcd6390b88dceb2ca29d3179dc Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 27 Feb 2020 18:15:02 -0500
|
||||
Subject: [PATCH 34/39] Add verbose option to SCEP CA if requested in
|
||||
add-scep-ca
|
||||
|
||||
This option was silently dropped from the helper arguments even
|
||||
if requested on the add-scep-ca CLI and was only passed to the
|
||||
dbus helper.
|
||||
|
||||
Add as many -v as requested though the scep helper only logs at
|
||||
most at level 1.
|
||||
---
|
||||
src/getcert.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/getcert.c b/src/getcert.c
|
||||
index 4713dd1..3d78a73 100644
|
||||
--- a/src/getcert.c
|
||||
+++ b/src/getcert.c
|
||||
@@ -4580,6 +4580,9 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
|
||||
certs ? "-I" : "",
|
||||
certs ? shell_escape(globals.tctx, certs) : "",
|
||||
prefer_non_renewal ? "-n" : "");
|
||||
+ for (c = 0; c < verbose; c++) {
|
||||
+ command = talloc_strdup_append(command, " -v");
|
||||
+ }
|
||||
if (command == NULL) {
|
||||
printf(_("Error building command line.\n"));
|
||||
exit(1);
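Review bot: The added loop can mask an earlier allocation failure: `command` may already be NULL from the preceding talloc_asprintf(), and talloc_strdup_append() creates a fresh string when its first argument is NULL, so the `if (command == NULL)` check that follows would see a non-NULL " -v" and go on to run a truncated command line. Either move the NULL check above the loop or bail out inside it, e.g. `if (command == NULL) break;` before the append, keeping the existing check after the loop for the append's own failure. The loop variable `c` is not declared in the hunk; presumably add_scep_ca() already has one, but that is inferred, not visible here.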
|
||||
--
|
||||
2.21.1
|
||||
|
@ -0,0 +1,422 @@
|
||||
From 0897d5131489c7eac21d558625c30d23b0a1774d Mon Sep 17 00:00:00 2001
|
||||
From: Your Name <you@example.com>
|
||||
Date: Tue, 14 Apr 2020 13:17:14 +0000
|
||||
Subject: [PATCH 35/39] Cleanup the SCEP helper curl and talloc contexts when
|
||||
finished
|
||||
|
||||
The talloc context was freed in only a few cases and the curl
|
||||
context was never freed.
|
||||
---
|
||||
src/scep.c | 127 ++++++++++++++++++++++++++++++++-----------------
|
||||
src/submit-h.c | 15 +++++-
|
||||
src/submit-h.h | 1 +
|
||||
3 files changed, 97 insertions(+), 46 deletions(-)
|
||||
|
||||
diff --git a/src/scep.c b/src/scep.c
|
||||
index 0b8bef9..4d00692 100644
|
||||
--- a/src/scep.c
|
||||
+++ b/src/scep.c
|
||||
@@ -199,7 +199,7 @@ int
|
||||
main(int argc, const char **argv)
|
||||
{
|
||||
const char *url = NULL, *results = NULL, *results2 = NULL;
|
||||
- struct cm_submit_h_context *hctx;
|
||||
+ struct cm_submit_h_context *hctx = NULL;
|
||||
int c, verbose = 0, results_length = 0, results_length2 = 0, i;
|
||||
int prefer_non_renewal = 0, can_renewal = 0;
|
||||
int response_code = 0, response_code2 = 0;
|
||||
@@ -225,7 +225,8 @@ main(int argc, const char **argv)
|
||||
size_t payload_length;
|
||||
long error;
|
||||
PKCS7 *p7;
|
||||
- poptContext pctx;
|
||||
+ int rval = CM_SUBMIT_STATUS_UNCONFIGURED;
|
||||
+ poptContext pctx = NULL;
|
||||
struct poptOption popts[] = {
|
||||
{"url", 'u', POPT_ARG_STRING, &url, 0, "service location", "URL"},
|
||||
{"ca-identifier", 'i', POPT_ARG_STRING, &id, 0, "name to use when querying for capabilities", "IDENTIFIER"},
|
||||
@@ -388,8 +389,8 @@ main(int argc, const char **argv)
|
||||
}
|
||||
if ((message == NULL) || (strlen(message) == 0)) {
|
||||
printf(_("Error reading request. Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n"));
|
||||
- free(cainfo);
|
||||
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
|
||||
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
|
||||
+ goto done;
|
||||
}
|
||||
/* First step: read capabilities for our use. */
|
||||
params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
|
||||
@@ -408,8 +409,8 @@ main(int argc, const char **argv)
|
||||
}
|
||||
if ((message == NULL) || (strlen(message) == 0)) {
|
||||
printf(_("Error reading request. Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n"));
|
||||
- free(cainfo);
|
||||
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
|
||||
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
|
||||
+ goto done;
|
||||
}
|
||||
/* First step: read capabilities for our use. */
|
||||
params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
|
||||
@@ -420,8 +421,8 @@ main(int argc, const char **argv)
|
||||
/* Supply help output, if it's needed. */
|
||||
if (missing_args) {
|
||||
poptPrintUsage(pctx, stdout, 0);
|
||||
- free(cainfo);
|
||||
- return CM_SUBMIT_STATUS_UNCONFIGURED;
|
||||
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
|
||||
+ goto done;
|
||||
}
|
||||
|
||||
/* Check the rekey PKCSReq message, if we have one. */
|
||||
@@ -505,7 +506,6 @@ main(int argc, const char **argv)
|
||||
verbose > 1 ?
|
||||
cm_submit_h_curl_verbose_on :
|
||||
cm_submit_h_curl_verbose_off);
|
||||
- free(cainfo);
|
||||
cm_submit_h_run(hctx);
|
||||
content_type = cm_submit_h_result_type(hctx);
|
||||
if (content_type == NULL) {
|
||||
@@ -551,7 +551,8 @@ main(int argc, const char **argv)
|
||||
}
|
||||
if ((tmp2 == NULL) || (strlen(tmp2) == 0)) {
|
||||
printf(_("Error reading request. Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n"));
|
||||
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
|
||||
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
|
||||
+ goto done;
|
||||
} else
|
||||
if (verbose > 0) {
|
||||
if (tmp2 == rekey_message) {
|
||||
@@ -576,7 +577,8 @@ main(int argc, const char **argv)
|
||||
}
|
||||
if ((tmp2 == NULL) || (strlen(tmp2) == 0)) {
|
||||
printf(_("Error reading request. Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n"));
|
||||
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
|
||||
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
|
||||
+ goto done;
|
||||
} else
|
||||
if (verbose > 0) {
|
||||
if (tmp2 == rekey_message) {
|
||||
@@ -638,7 +640,8 @@ main(int argc, const char **argv)
|
||||
cm_submit_h_result_code(hctx),
|
||||
url);
|
||||
}
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
switch (op) {
|
||||
case op_unset:
|
||||
@@ -651,16 +654,19 @@ main(int argc, const char **argv)
|
||||
response_code, url);
|
||||
if (response_code == 500) {
|
||||
/* The server might recover, right? */
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
} else {
|
||||
/* Maybe not? */
|
||||
- return CM_SUBMIT_STATUS_REJECTED;
|
||||
+ rval = CM_SUBMIT_STATUS_REJECTED;
|
||||
+ goto done;
|
||||
}
|
||||
}
|
||||
if (results == NULL) {
|
||||
printf(_("Internal error: no response to \"%s?%s\".\n"),
|
||||
url, params);
|
||||
- return CM_SUBMIT_STATUS_REJECTED;
|
||||
+ rval = CM_SUBMIT_STATUS_REJECTED;
|
||||
+ goto done;
|
||||
}
|
||||
break;
|
||||
case op_get_cert_initial:
|
||||
@@ -685,10 +691,12 @@ main(int argc, const char **argv)
|
||||
fprintf(stderr, "Result is surprisingly large, "
|
||||
"suppressing it.\n");
|
||||
}
|
||||
- return CM_SUBMIT_STATUS_REJECTED;
|
||||
+ rval = CM_SUBMIT_STATUS_REJECTED;
|
||||
+ goto done;
|
||||
}
|
||||
printf("%s\n", results);
|
||||
- return CM_SUBMIT_STATUS_ISSUED;
|
||||
+ rval = CM_SUBMIT_STATUS_ISSUED;
|
||||
+ goto done;
|
||||
break;
|
||||
case op_get_ca_certs:
|
||||
if ((strcasecmp(content_type,
|
||||
@@ -697,7 +705,8 @@ main(int argc, const char **argv)
|
||||
"application/x-x509-ca-ra-cert") != 0)) {
|
||||
printf(_("Server reply was of unexpected MIME type "
|
||||
"\"%s\".\n"), content_type);
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if (racert == NULL) {
|
||||
racertp = &racert;
|
||||
@@ -710,7 +719,8 @@ main(int argc, const char **argv)
|
||||
n_buffers + 1);
|
||||
if ((buffers == NULL) || (lengths == NULL)) {
|
||||
fprintf(stderr, "Out of memory.\n");
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
buffers[n_buffers] = (unsigned char *) racert;
|
||||
lengths[n_buffers] = strlen(racert);
|
||||
@@ -727,7 +737,8 @@ main(int argc, const char **argv)
|
||||
n_buffers + 1);
|
||||
if ((buffers == NULL) || (lengths == NULL)) {
|
||||
fprintf(stderr, "Out of memory.\n");
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
buffers[n_buffers] = (unsigned char *) cacert;
|
||||
lengths[n_buffers] = strlen(cacert);
|
||||
@@ -741,7 +752,8 @@ main(int argc, const char **argv)
|
||||
n_buffers + 1);
|
||||
if ((buffers == NULL) || (lengths == NULL)) {
|
||||
fprintf(stderr, "Out of memory.\n");
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
buffers[n_buffers] = (unsigned char *) results;
|
||||
lengths[n_buffers] = results_length;
|
||||
@@ -755,7 +767,8 @@ main(int argc, const char **argv)
|
||||
n_buffers + 1);
|
||||
if ((buffers == NULL) || (lengths == NULL)) {
|
||||
fprintf(stderr, "Out of memory.\n");
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
buffers[n_buffers] = (unsigned char *) results2;
|
||||
lengths[n_buffers] = results_length2;
|
||||
@@ -850,7 +863,8 @@ main(int argc, const char **argv)
|
||||
n_buffers + 1);
|
||||
if ((buffers == NULL) || (lengths == NULL)) {
|
||||
fprintf(stderr, "Out of memory.\n");
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
buffers[n_buffers] = (unsigned char *) results2;
|
||||
lengths[n_buffers] = results_length2;
|
||||
@@ -882,11 +896,11 @@ main(int argc, const char **argv)
|
||||
}
|
||||
}
|
||||
}
|
||||
- talloc_free(ctx);
|
||||
- return CM_SUBMIT_STATUS_ISSUED;
|
||||
+ rval = CM_SUBMIT_STATUS_ISSUED;
|
||||
+ goto done;
|
||||
} else {
|
||||
- talloc_free(ctx);
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
break;
|
||||
case op_get_cert_initial:
|
||||
@@ -957,42 +971,50 @@ main(int argc, const char **argv)
|
||||
fprintf(stderr, "%s", s);
|
||||
cm_log(1, "%s", s);
|
||||
free(s);
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if ((msgtype == NULL) ||
|
||||
(strcmp(msgtype, SCEP_MSGTYPE_CERTREP) != 0)) {
|
||||
printf(_("Error: reply was not a CertRep (%s).\n"),
|
||||
msgtype ? msgtype : "none");
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if (tx == NULL) {
|
||||
printf(_("Error: reply is missing transactionId.\n"));
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if (sent_tx != NULL) {
|
||||
if (strcmp(sent_tx, tx) != 0) {
|
||||
printf(_("Error: reply contains a "
|
||||
"different transactionId.\n"));
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
}
|
||||
if (pkistatus == NULL) {
|
||||
printf(_("Error: reply is missing pkiStatus.\n"));
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if (recipient_nonce == NULL) {
|
||||
printf(_("Error: reply is missing recipientNonce.\n"));
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if ((recipient_nonce_length != sent_nonce_length) ||
|
||||
(memcmp(recipient_nonce, sent_nonce,
|
||||
sent_nonce_length) != 0)) {
|
||||
printf(_("Error: reply nonce doesn't match request.\n"));
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if (sender_nonce == NULL) {
|
||||
printf(_("Error: reply is missing senderNonce.\n"));
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if (strcmp(pkistatus, SCEP_PKISTATUS_PENDING) == 0) {
|
||||
if (verbose > 0) {
|
||||
@@ -1002,7 +1024,8 @@ main(int argc, const char **argv)
|
||||
s = cm_store_base64_from_bin(ctx, sender_nonce,
|
||||
sender_nonce_length);
|
||||
printf("%s\n", s);
|
||||
- return CM_SUBMIT_STATUS_WAIT;
|
||||
+ rval = CM_SUBMIT_STATUS_WAIT;
|
||||
+ goto done;
|
||||
} else
|
||||
if (strcmp(pkistatus, SCEP_PKISTATUS_FAILURE) == 0) {
|
||||
if (verbose > 0) {
|
||||
@@ -1050,7 +1073,8 @@ main(int argc, const char **argv)
|
||||
printf(_("Server returned failure code \"%s\".\n"),
|
||||
failinfo);
|
||||
}
|
||||
- return CM_SUBMIT_STATUS_REJECTED;
|
||||
+ rval = CM_SUBMIT_STATUS_REJECTED;
|
||||
+ goto done;
|
||||
} else
|
||||
if (strcmp(pkistatus, SCEP_PKISTATUS_SUCCESS) == 0) {
|
||||
if (verbose > 0) {
|
||||
@@ -1067,7 +1091,8 @@ main(int argc, const char **argv)
|
||||
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
|
||||
fprintf(stderr, "Full reply:\n%s", s);
|
||||
free(s);
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if (!PKCS7_type_is_enveloped(p7)) {
|
||||
printf(_("Error: signed-data payload is not enveloped-data.\n"));
|
||||
@@ -1079,7 +1104,8 @@ main(int argc, const char **argv)
|
||||
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
|
||||
fprintf(stderr, "Full reply:\n%s", s);
|
||||
free(s);
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if ((p7->d.enveloped == NULL) ||
|
||||
(p7->d.enveloped->enc_data == NULL) ||
|
||||
@@ -1094,29 +1120,42 @@ main(int argc, const char **argv)
|
||||
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
|
||||
fprintf(stderr, "Full reply:\n%s", s);
|
||||
free(s);
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
s = cm_store_base64_from_bin(ctx, payload,
|
||||
payload_length);
|
||||
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
|
||||
printf("%s", s);
|
||||
free(s);
|
||||
- return CM_SUBMIT_STATUS_ISSUED;
|
||||
+ rval = CM_SUBMIT_STATUS_ISSUED;
|
||||
+ goto done;
|
||||
} else {
|
||||
if (verbose > 0) {
|
||||
fprintf(stderr, "SCEP status is \"%s\".\n", pkistatus);
|
||||
}
|
||||
printf(_("Error: pkiStatus \"%s\" not recognized.\n"),
|
||||
pkistatus);
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
} else {
|
||||
printf(_("Server reply was of unexpected MIME type "
|
||||
"\"%s\".\n"), content_type);
|
||||
printf("Full reply:\n%.*s", results_length2, results2);
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
break;
|
||||
}
|
||||
- return CM_SUBMIT_STATUS_UNCONFIGURED;
|
||||
+
|
||||
+done:
|
||||
+ if (pctx) {
|
||||
+ poptFreeContext(pctx);
|
||||
+ }
|
||||
+ free(cainfo);
|
||||
+ free(id);
|
||||
+ cm_submit_h_cleanup(hctx);
|
||||
+ talloc_free(ctx);
|
||||
+ return rval;
|
||||
}
|
||||
diff --git a/src/submit-h.c b/src/submit-h.c
|
||||
index 33f9b39..9b507db 100644
|
||||
--- a/src/submit-h.c
|
||||
+++ b/src/submit-h.c
|
||||
@@ -298,6 +298,15 @@ cm_submit_h_result_type(struct cm_submit_h_context *ctx)
|
||||
return ret;
|
||||
}
|
||||
|
||||
+void
|
||||
+cm_submit_h_cleanup(struct cm_submit_h_context *ctx)
|
||||
+{
|
||||
+
|
||||
+ if (ctx != NULL && ctx->curl != NULL) {
|
||||
+ curl_easy_cleanup(ctx->curl);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
#ifdef CM_SUBMIT_H_MAIN
|
||||
int
|
||||
main(int argc, const char **argv)
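Review bot: cm_submit_h_cleanup() leaves `ctx->curl` pointing at the freed handle, so a second call on the same context, or any later code path that still consults `ctx->curl`, would pass a dangling pointer to curl_easy_cleanup(). Make it idempotent with `curl_easy_cleanup(ctx->curl); ctx->curl = NULL;`. The function body also opens with a stray blank line, and a one-line comment stating what is and is not released here (the curl handle only; the context struct itself appears to be left to its talloc owner, but that is inferred) would help callers such as scep.c's done: label.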
|
||||
@@ -307,7 +316,7 @@ main(int argc, const char **argv)
|
||||
enum cm_submit_h_opt_negotiate negotiate;
|
||||
enum cm_submit_h_opt_delegate negotiate_delegate;
|
||||
enum cm_submit_h_opt_clientauth clientauth;
|
||||
- int c, fd, l, verbose = 0, length = 0;
|
||||
+ int c, fd, l, verbose = 0, length = 0, rval = 0;
|
||||
char *ctype, *accept, *capath, *cainfo, *sslcert, *sslkey, *sslpass;
|
||||
char *pinfile;
|
||||
const char *method, *url;
|
||||
@@ -423,6 +432,8 @@ main(int argc, const char **argv)
|
||||
cm_submit_h_result_code(ctx),
|
||||
cm_submit_h_result_code_text(ctx));
|
||||
}
|
||||
- return cm_submit_h_result_code(ctx);
|
||||
+ rval = cm_submit_h_result_code(ctx);
|
||||
+ cm_submit_h_cleanup(ctx);
|
||||
+ return rval;
|
||||
}
|
||||
#endif
|
||||
diff --git a/src/submit-h.h b/src/submit-h.h
|
||||
index 1283c53..931cc89 100644
|
||||
--- a/src/submit-h.h
|
||||
+++ b/src/submit-h.h
|
||||
@@ -61,5 +61,6 @@ int cm_submit_h_result_code(struct cm_submit_h_context *ctx);
|
||||
const char *cm_submit_h_result_code_text(struct cm_submit_h_context *ctx);
|
||||
const char *cm_submit_h_results(struct cm_submit_h_context *ctx, int *length);
|
||||
const char *cm_submit_h_result_type(struct cm_submit_h_context *ctx);
|
||||
+void cm_submit_h_cleanup(struct cm_submit_h_context *ctx);
|
||||
|
||||
#endif
|
||||
--
|
||||
2.21.1
|
||||
|
@ -0,0 +1,232 @@
|
||||
From b3dad1c94f2fca289fdf22ded38a1f1463bab95f Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Wed, 15 Apr 2020 17:16:42 -0400
|
||||
Subject: [PATCH 36/39] Re-order the way the SCEP signing and CA certs are
|
||||
collected
|
||||
|
||||
Put cacert into the ca store, the racert at the top of the
|
||||
othercerts list. Then we parse certs, placing all ca certs
|
||||
we find into the ca store, and all other certs we find after
|
||||
the racert.
|
||||
|
||||
Variables are renamed to match the cm_pkcs7_parse() and
|
||||
cm_pkcs7_verify_signed() calls.
|
||||
|
||||
A special case for IPA (dogtag) was added because dogtag
|
||||
uses its CA cert to sign the PKCS7 so it is both an RA cert
|
||||
and a CA cert. If a self-signed CA is detected and no other
|
||||
certs are provided then the CA is treated as the RA.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1808052
|
||||
|
||||
Graham Leggett did the majority of the work on this patch.
|
||||
---
|
||||
src/pkcs7.c | 18 +++++++++
|
||||
src/pkcs7.h | 1 +
|
||||
src/scep.c | 104 +++++++++++++++++++++++++++++++++++-----------------
|
||||
3 files changed, 89 insertions(+), 34 deletions(-)
|
||||
|
||||
diff --git a/src/pkcs7.c b/src/pkcs7.c
|
||||
index 29420b9..f81174f 100644
|
||||
--- a/src/pkcs7.c
|
||||
+++ b/src/pkcs7.c
|
||||
@@ -1189,3 +1189,21 @@ done:
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
+
|
||||
+/* Return 0 if we think "issuer" could have issued "issued", which includes
|
||||
+ * self-signing. */
|
||||
+int
|
||||
+cm_selfsigned(char *cert)
|
||||
+{
|
||||
+ BIO *in;
|
||||
+ X509 *c;
|
||||
+
|
||||
+ in = BIO_new_mem_buf(cert, -1);
|
||||
+ if (in == NULL) {
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
+ return 1;
|
||||
+ }
|
||||
+ c = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
||||
+ BIO_free(in);
|
||||
+ return(issuerissued(c, c));
|
||||
+}
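Review bot: cm_selfsigned() never checks the result of PEM_read_bio_X509(), so an unparsable `-I` file reaches issuerissued(c, c) with c == NULL, and on success the parsed X509 is never freed. Because scep.c treats a 0 return as "this leaf may serve as the trust anchor", a parse failure should fail closed (return non-zero) and say why via log_pkcs7_errors(), and the certificate should be released after the check, as below. The comment above the function was copied from issuerissued() and describes that helper rather than this one; `/* Return 0 if "cert" (PEM-encoded) appears to be self-signed, non-zero if it is not or cannot be parsed. */` fits better. The parameter could also be `const char *`, since BIO_new_mem_buf() takes a `const void *` in OpenSSL 1.1 and later.
```c
int
cm_selfsigned(char *cert)
{
	BIO *in;
	X509 *c;
	int ret;

	/* … unchanged: BIO_new_mem_buf() and its out-of-memory check … */
	c = PEM_read_bio_X509(in, NULL, NULL, NULL);
	BIO_free(in);
	if (c == NULL) {
		log_pkcs7_errors(0, "Unable to parse certificate.");
		return 1;
	}
	ret = issuerissued(c, c);
	X509_free(c);
	return ret;
}
```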
|
||||
diff --git a/src/pkcs7.h b/src/pkcs7.h
|
||||
index fae52f8..cbde1bc 100644
|
||||
--- a/src/pkcs7.h
|
||||
+++ b/src/pkcs7.h
|
||||
@@ -62,6 +62,7 @@ int cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
unsigned char **recipient_nonce,
|
||||
size_t *recipient_nonce_length,
|
||||
unsigned char **payload, size_t *payload_length);
|
||||
+int cm_selfsigned(char *cert);
|
||||
|
||||
void log_pkcs7_errors(int level, char *msg);
|
||||
|
||||
diff --git a/src/scep.c b/src/scep.c
|
||||
index 4d00692..b80278e 100644
|
||||
--- a/src/scep.c
|
||||
+++ b/src/scep.c
|
||||
@@ -211,12 +211,12 @@ main(int argc, const char **argv)
|
||||
const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;
|
||||
void *ctx;
|
||||
char *params = "", *params2 = NULL, *racert = NULL, *cacert = NULL;
|
||||
- char **othercerts = NULL, *cert1 = NULL, *cert2 = NULL, *certs = NULL;
|
||||
+ char **certothers = NULL, *certleaf = NULL, *certtop = NULL, *certs = NULL;
|
||||
char **racertp, **cacertp, *dracert = NULL, *dcacert = NULL;
|
||||
char buf[LINE_MAX] = "";
|
||||
const unsigned char **buffers = NULL;
|
||||
size_t n_buffers = 0, *lengths = NULL, j;
|
||||
- const char *cacerts[3], **racerts;
|
||||
+ const char *root[3], **othercerts;
|
||||
dbus_bool_t missing_args = FALSE;
|
||||
char *sent_tx, *tx, *msgtype, *pkistatus, *failinfo, *s, *tmp1, *tmp2;
|
||||
unsigned char *sent_nonce, *sender_nonce, *recipient_nonce, *payload;
|
||||
@@ -871,27 +871,27 @@ main(int argc, const char **argv)
|
||||
n_buffers++;
|
||||
}
|
||||
if (cm_pkcs7_parsev(CM_PKCS7_LEAF_PREFER_ENCRYPT, ctx,
|
||||
- racertp, cacertp, &othercerts,
|
||||
+ racertp, cacertp, &certothers,
|
||||
NULL, NULL,
|
||||
n_buffers, buffers, lengths) == 0) {
|
||||
if (racert != NULL) {
|
||||
printf("%s", racert);
|
||||
if (cacert != NULL) {
|
||||
printf("%s", cacert);
|
||||
- if (othercerts != NULL) {
|
||||
+ if (certothers != NULL) {
|
||||
for (c = 0;
|
||||
- othercerts[c] != NULL;
|
||||
+ certothers[c] != NULL;
|
||||
c++) {
|
||||
printf("%s",
|
||||
- othercerts[c]);
|
||||
+ certothers[c]);
|
||||
}
|
||||
}
|
||||
if ((dracert != NULL) &&
|
||||
- (cert_among(dracert, racert, cacert, othercerts) != 0)) {
|
||||
+ (cert_among(dracert, racert, cacert, certothers) != 0)) {
|
||||
printf("%s", dracert);
|
||||
}
|
||||
if ((dcacert != NULL) &&
|
||||
- (cert_among(dcacert, racert, cacert, othercerts) != 0)) {
|
||||
+ (cert_among(dcacert, racert, cacert, certothers) != 0)) {
|
||||
printf("%s", dcacert);
|
||||
}
|
||||
}
|
||||
@@ -907,47 +907,83 @@ main(int argc, const char **argv)
|
||||
case op_pkcsreq:
|
||||
if ((content_type2 != NULL) && (strcasecmp(content_type2,
|
||||
"application/x-pki-message") == 0)) {
|
||||
- memset(&cacerts, 0, sizeof(cacerts));
|
||||
- cacerts[0] = cacert ? cacert : racert;
|
||||
- cacerts[1] = cacert ? racert : NULL;
|
||||
- cacerts[2] = NULL;
|
||||
- racerts = NULL;
|
||||
+ /*
|
||||
+ * At this point, we have:
|
||||
+ * - zero or more ra certs; and
|
||||
+ * - zero or more ca certificates; and
|
||||
+ * - zero or more other certificates; that
|
||||
+ * need to be reordered so that the leaf
|
||||
+ * certificates go first, the ca certificates
|
||||
+ * are separated into a seperate certificate
|
||||
+ * store, and the other certificates go after
|
||||
+ * the leaf certificates.
|
||||
+ *
|
||||
+ * To do this we put cacert into the ca store,
|
||||
+ * the racert at the top of the othercerts list.
|
||||
+ * Then we parse certs, placing all ca certs
|
||||
+ * we find into the ca store, and all other
|
||||
+ * certs we find after the racert.
|
||||
+ *
|
||||
+ * As a limitation of cm_pkcs7_parse(), we
|
||||
+ * can only isolate one ca certificate in the
|
||||
+ * list of other certificates.
|
||||
+ */
|
||||
+ /* handle the other certs */
|
||||
if ((certs != NULL) &&
|
||||
(cm_pkcs7_parse(0, ctx,
|
||||
- &cert1, &cert2, &othercerts,
|
||||
+ &certleaf, &certtop, &certothers,
|
||||
NULL, NULL,
|
||||
(const unsigned char *) certs,
|
||||
strlen(certs), NULL) == 0)) {
|
||||
- for (c = 0;
|
||||
- (othercerts != NULL) &&
|
||||
- (othercerts[c] != NULL);
|
||||
- c++) {
|
||||
- continue;
|
||||
+ /* Special case for IPA which uses dogtag which signs SCEP
|
||||
+ * certs using the CA cert and the typical way to get
|
||||
+ * verification to work is to use -I /etc/ipa/ca.crt.
|
||||
+ * Because cm_pkcs7_parse explicitly doesn't allow
|
||||
+ * certleaf to equal certtop we end up with no CAs so verification
|
||||
+ * fails.
|
||||
+ *
|
||||
+ * So if cacert and certleaf are both NULL and certtop is
|
||||
+ * self-signed then assume the IPA case and set certtop equal
|
||||
+ * to certleaf.
|
||||
+ */
|
||||
+ if ((cacert == NULL) && (certtop == NULL) && (certleaf != NULL)) {
|
||||
+ if (cm_selfsigned(certleaf) == 0) {
|
||||
+ certtop = certleaf;
|
||||
+ }
|
||||
}
|
||||
- racerts = talloc_array_ptrtype(ctx, racerts, c + 5);
|
||||
+ memset(&root, 0, sizeof(root));
|
||||
+ root[0] = cacert ? cacert : certtop ? certtop : NULL;
|
||||
+ root[1] = cacert ? certtop : NULL;
|
||||
+ root[2] = NULL;
|
||||
for (c = 0;
|
||||
- (othercerts != NULL) &&
|
||||
- (othercerts[c] != NULL);
|
||||
+ (certothers != NULL) &&
|
||||
+ (certothers[c] != NULL);
|
||||
c++) {
|
||||
- racerts[c] = othercerts[c];
|
||||
- }
|
||||
- if (cacert != NULL) {
|
||||
- racerts[c++] = cacert;
|
||||
+ continue;
|
||||
}
|
||||
- if (cert1 != NULL) {
|
||||
- racerts[c++] = cert1;
|
||||
+ othercerts = talloc_array_ptrtype(ctx, othercerts, c + 3);
|
||||
+ c = 0;
|
||||
+ if (racert != NULL) {
|
||||
+ othercerts[c++] = racert;
|
||||
}
|
||||
- if (cert2 != NULL) {
|
||||
- racerts[c++] = cert2;
|
||||
+ if (certleaf != NULL) {
|
||||
+ othercerts[c++] = certleaf;
|
||||
}
|
||||
- if (racert != NULL) {
|
||||
- racerts[c++] = racert;
|
||||
+ while (certothers != NULL && *certothers != NULL) {
|
||||
+ othercerts[c++] = *certothers++;
|
||||
}
|
||||
- racerts[c++] = NULL;
|
||||
+ othercerts[c++] = NULL;
|
||||
+ }
|
||||
+ else {
|
||||
+ root[0] = cacert;
|
||||
+ root[1] = NULL;
|
||||
+ othercerts = talloc_array_ptrtype(ctx, othercerts, 2);
|
||||
+ othercerts[0] = racert ? racert : NULL;
|
||||
+ othercerts[1] = NULL;
|
||||
}
|
||||
ERR_clear_error();
|
||||
i = cm_pkcs7_verify_signed((unsigned char *) results2, results_length2,
|
||||
- cacerts, racerts,
|
||||
+ root, othercerts,
|
||||
NID_pkcs7_data, ctx, NULL,
|
||||
&tx, &msgtype, &pkistatus, &failinfo,
|
||||
&sender_nonce, &sender_nonce_length,
|
||||
--
|
||||
2.21.1
|
||||
|
@ -0,0 +1,173 @@
|
||||
From 37ebf87fb6fc93d445139310a1c89b98f3f514de Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Wed, 29 Apr 2020 16:29:50 -0400
|
||||
Subject: [PATCH 37/39] Add new option to allow overriding the detected SCEP CA
|
||||
chain
|
||||
|
||||
The -R option was doing double-duty for the SCEP CA.
|
||||
|
||||
1. It was required if the SCEP URL used TLS
|
||||
2. It overrode the CA certificate downloaded from the SCEP server
|
||||
|
||||
If the chains were different then validating the SCEP responses would
|
||||
fail.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1808613
|
||||
---
|
||||
src/certmonger-scep-submit.8.in | 14 +++++++++-----
|
||||
src/getcert-add-scep-ca.1.in | 12 ++++++++----
|
||||
src/getcert.c | 6 +++++-
|
||||
src/scep.c | 13 ++++++-------
|
||||
4 files changed, 28 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in
|
||||
index 95d674a..42ffcd6 100644
|
||||
--- a/src/certmonger-scep-submit.8.in
|
||||
+++ b/src/certmonger-scep-submit.8.in
|
||||
@@ -8,6 +8,7 @@ scep-submit -u SERVER-URL
[-r ra-cert-file]
[-R ca-cert-file]
[-I other-certs-file]
+[-N ca-cert-file]
[-i ca-identifier]
[-v]
[-n]
@@ -57,11 +58,14 @@ typically \fIhttp://\fBSERVER\fP/cgi-bin/PKICLIENT.EXE\fR or
always required.
.TP
\fB\-R\fR CA-certificate-file
-The location of the SCEP server's CA certificate, which was used to
-issue the SCEP server's certificate, or the SCEP server's own
-certificate, if it is self-signed, in PEM form. If the URL specified
-with the \fB-u\fR option is an \fIhttps\fR URL, then this option is
-required.
+The location of the CA certificate which was used to issue the SCEP web
+server's certificate in PEM form. If the URL specified with the
+\fB-u\fR option is an \fIhttps\fR URL, then this option is required.
+.TP
+\fB\-N\fR ca-certificate-file
+The location of a PEM-formatted copy of the SCEP server's CA certificate.
+A discovered value is normally supplied by the certmonger daemon, but one can
+be specified for troubleshooting purposes.
.TP
\fB\-r\fR RA-certificate-file
The location of the SCEP server's RA certificate, which is expected to
diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
index 11ab4ce..bf07306 100644
--- a/src/getcert-add-scep-ca.1.in
+++ b/src/getcert-add-scep-ca.1.in
@@ -24,12 +24,16 @@ The location of the SCEP server's enrollment interface. This option must be
specified.
.TP
\fB\-R\fR ca-certificate-file
-The location of a PEM-formatted copy of the SCEP server's CA's certificate.
-A discovered value is supplied by the certmonger daemon for use in verifying
-the signature on data returned by the SCEP server, but it is not used for
-verifying HTTPS server certificates.
+The location of a PEM-formatted copy of the CA's certificate used to verify
+the TLS connection the SCEP server.
+
This option must be specified if the URL is an \fIhttps\fR location.
.TP
+\fB\-N\fR ca-certificate-file
+The location of a PEM-formatted copy of the SCEP server's CA certificate.
+A discovered value is normally supplied by the certmonger daemon, but one can
+be specified for troubleshooting purposes.
+.TP
\fB\-r\fR ra-certificate-file
The location of a PEM-formatted copy of the SCEP server's RA's certificate.
A discovered value is normally supplied by the certmonger daemon, but one can
diff --git a/src/getcert.c b/src/getcert.c
index 3d78a73..493771f 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -4496,6 +4496,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS;
char *caname = NULL, *url = NULL, *path = NULL, *id = NULL;
char *root = NULL, *racert = NULL, *certs = NULL, *nickname, *command;
+ char *signingca = NULL;
const char *err;
int c, prefer_non_renewal = 0, verbose = 0;
dbus_bool_t b;
@@ -4508,6 +4509,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
{"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},
{"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},
{"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
+ {"signingca", 'N', POPT_ARG_STRING, NULL, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},
{"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},
{"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},
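Review bot: The new `signingca` popt entry in this hunk carries eight initializers where `struct poptOption` has seven (longName, shortName, argInfo, arg, val, descrip, argDescrip), as every neighbouring entry such as the `ca-cert` line shows. As written, `arg` is `NULL` and `&signingca` lands in the `int val` slot, so the parsed filename is never stored into `signingca` and the compiler will presumably warn about excess initializers and a pointer-to-int conversion; the `-N` pass-through added in the later hunk of this file (`signingca ? "-N" : ""`) would then never fire, which appears to defeat the point of the change. The entry should follow its siblings: `{"signingca", 'N', POPT_ARG_STRING, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},`. The scep.c table in this same patch uses the `NULL, 'N'` form correctly because it dispatches on the returned value in a `case 'N':`; getcert.c's table stores directly through `arg` instead, so it must not copy that form. The enclosing `add_scep_ca` function starts and ends outside this hunk.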
@@ -4569,7 +4571,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
return 1;
}
command = talloc_asprintf(globals.tctx,
- "%s -u %s %s %s %s %s %s %s %s",
+ "%s -u %s %s %s %s %s %s %s %s %s %s",
shell_escape(globals.tctx,
CM_SCEP_HELPER_PATH),
shell_escape(globals.tctx, url),
@@ -4579,6 +4581,8 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
racert ? shell_escape(globals.tctx, racert) : "",
certs ? "-I" : "",
certs ? shell_escape(globals.tctx, certs) : "",
+ signingca ? "-N" : "",
+ signingca ? shell_escape(globals.tctx, signingca) : "",
prefer_non_renewal ? "-n" : "");
for (c = 0; c < verbose; c++) {
command = talloc_strdup_append(command, " -v");
diff --git a/src/scep.c b/src/scep.c
index b80278e..4294cda 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -206,7 +206,6 @@ main(int argc, const char **argv)
enum known_ops op = op_unset;
const char *id = NULL;
char *cainfo = NULL;
- char *poptarg;
char *message = NULL, *rekey_message = NULL;
const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;
void *ctx;
@@ -235,8 +234,9 @@ main(int argc, const char **argv)
{"get-initial-cert", 'g', POPT_ARG_NONE, NULL, 'g', "send a PKIOperation pkiMessage", NULL},
{"pki-message", 'p', POPT_ARG_NONE, NULL, 'p', "send a PKIOperation pkiMessage", NULL},
{"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"},
- {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying responses", "FILENAME"},
+ {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying TLS connections", "FILENAME"},
{"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', "additional certificates", "FILENAME"},
+ {"signingca", 'N', POPT_ARG_STRING, NULL, 'N', "the CA certificate which signed the RA certificate", "FILENAME"},
{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, "prefer to not use the SCEP Renewal feature", NULL},
{"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL},
POPT_AUTOHELP
@@ -329,9 +329,10 @@ main(int argc, const char **argv)
racert = cm_submit_u_from_file(poptGetOptArg(pctx));
break;
case 'R':
- poptarg = poptGetOptArg(pctx);
- cainfo = strdup(poptarg);
- cacert = cm_submit_u_from_file(poptarg);
+ cainfo = poptGetOptArg(pctx);
+ break;
+ case 'N':
+ cacert = cm_submit_u_from_file(poptGetOptArg(pctx));
break;
case 'I':
certs = cm_submit_u_from_file(poptGetOptArg(pctx));
@@ -340,7 +341,6 @@ main(int argc, const char **argv)
}
if (c != -1) {
poptPrintUsage(pctx, stdout, 0);
- free(cainfo);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
@@ -1189,7 +1189,6 @@ done:
if (pctx) {
poptFreeContext(pctx);
}
- free(cainfo);
free(id);
cm_submit_h_cleanup(hctx);
talloc_free(ctx);
--
2.21.1