import certmonger-0.79.7-15.el8

This commit is contained in:
CentOS Sources 2020-11-03 06:57:34 -05:00 committed by Andrew Lukoshko
parent 09ef8f82dc
commit b377b17852
14 changed files with 7229 additions and 5 deletions

View File

@ -0,0 +1,931 @@
From 0aa25dc4f8c44434e3f28a7fe25a72c0871ac13b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Apr 2020 16:50:16 -0400
Subject: [PATCH 33/39] Improve logging in SCEP helper
Always check return value of cm_pkcs7_verify_signed() and return
a unique error message.
Change log level from 1 to 0 for all errors in scep.c and pkcs7.c
so they appear by default.
Centralize logging across scep.c and pkcs7.c to reduce code
duplication.
Check the return code to cm_pkcs7_verify_signed in all cases.
Add the last available message, if any, to the error returned
via stdout to certmonger as a hint to what is going on.
---
src/pkcs7.c | 111 +++++++++++++++++++++++++++---------------------
src/pkcs7.h | 2 +
src/scep.c | 59 ++++++++++---------------
src/scepgen-n.c | 28 ++++++------
src/scepgen-o.c | 72 ++++++++++++++++---------------
src/scepgen.c | 2 +-
6 files changed, 140 insertions(+), 134 deletions(-)
diff --git a/src/pkcs7.c b/src/pkcs7.c
index 6de1775..29420b9 100644
--- a/src/pkcs7.c
+++ b/src/pkcs7.c
@@ -274,6 +274,25 @@ cm_pkcs7_parse_buffer(const unsigned char *buffer, size_t length,
}
}
+void
+log_pkcs7_errors(int level, char *msg)
+{
+ char buf[LINE_MAX] = "";
+ long error;
+ int nss_err;
+
+ cm_log(level, "%s\n", msg);
+ while ((error = ERR_get_error()) != 0) {
+ memset(buf, '\0', sizeof(buf));
+ ERR_error_string_n(error, buf, sizeof(buf));
+ cm_log(level, "%s\n", buf);
+ }
+ nss_err = PORT_GetError();
+ if (nss_err < 0) {
+ cm_log(level, "%d: %s\n", nss_err, PR_ErrorToString(nss_err, 0));
+ }
+}
+
int
cm_pkcs7_parsev(unsigned int flags, void *parent,
char **certleaf, char **certtop, char ***certothers,
@@ -520,26 +539,26 @@ cm_pkcs7_envelope_data(char *encryption_cert, enum cm_prefs_cipher cipher,
in = BIO_new_mem_buf(encryption_cert, -1);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
recipient = PEM_read_bio_X509(in, NULL, NULL, NULL);
if (recipient == NULL) {
- cm_log(1, "Error parsing recipient certificate.\n");
+ log_pkcs7_errors(0, "Error parsing recipient certificate.\n");
goto done;
}
BIO_free(in);
recipients = sk_X509_new(util_o_cert_cmp);
if (recipients == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
sk_X509_push(recipients, recipient);
in = BIO_new_mem_buf(data, dlength);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
p7 = PKCS7_encrypt(recipients, in, cm_prefs_ossl_cipher_by_pref(cipher),
@@ -547,22 +566,22 @@ cm_pkcs7_envelope_data(char *encryption_cert, enum cm_prefs_cipher cipher,
BIO_free(in);
if (p7 == NULL) {
- cm_log(1, "Error encrypting signing request.\n");
+ log_pkcs7_errors(0, "Error encrypting signing request.\n");
goto done;
}
len = i2d_PKCS7(p7, NULL);
if (len < 0) {
- cm_log(1, "Error encoding encrypted signing request.\n");
+ log_pkcs7_errors(0, "Error encoding encrypted signing request.\n");
goto done;
}
dp7 = malloc(len);
if (dp7 == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
u = dp7;
if (i2d_PKCS7(p7, &u) != len) {
- cm_log(1, "Error encoding encrypted signing request.\n");
+ log_pkcs7_errors(0, "Error encoding encrypted signing request.\n");
goto done;
}
*enveloped = dp7;
@@ -593,29 +612,29 @@ cm_pkcs7_envelope_csr(char *encryption_cert, enum cm_prefs_cipher cipher,
in = BIO_new_mem_buf(csr, -1);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
BIO_free(in);
if (req == NULL) {
- cm_log(1, "Error parsing certificate signing request.\n");
+ log_pkcs7_errors(0, "Error parsing certificate signing request.\n");
goto done;
}
dlen = i2d_X509_REQ(req, NULL);
if (dlen < 0) {
- cm_log(1, "Error encoding certificate signing request.\n");
+ log_pkcs7_errors(0, "Error encoding certificate signing request.\n");
goto done;
}
dreq = malloc(dlen);
if (dreq == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
u = dreq;
if (i2d_X509_REQ(req, &u) != dlen) {
- cm_log(1, "Error encoding certificate signing request.\n");
+ log_pkcs7_errors(0, "Error encoding certificate signing request.\n");
goto done;
}
ret = cm_pkcs7_envelope_data(encryption_cert, cipher, dreq, dlen,
@@ -671,59 +690,61 @@ cm_pkcs7_generate_ias(char *cacert, char *minicert,
in = BIO_new_mem_buf(cacert, -1);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
ca = PEM_read_bio_X509(in, NULL, NULL, NULL);
BIO_free(in);
if (ca == NULL) {
- cm_log(1, "Error parsing CA certificate.\n");
+ log_pkcs7_errors(0, "Error parsing CA certificate.\n");
goto done;
}
in = BIO_new_mem_buf(minicert, -1);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
mini = PEM_read_bio_X509(in, NULL, NULL, NULL);
BIO_free(in);
if (mini == NULL) {
- cm_log(1, "Error parsing client certificate.\n");
+ log_pkcs7_errors(0, "Error parsing client certificate.\n");
goto done;
}
issuerlen = i2d_X509_NAME(X509_get_issuer_name(ca), NULL);
if (issuerlen < 0) {
- cm_log(1, "Error encoding CA certificate issuer name.\n");
+ cm_log(0, "Error encoding CA certificate issuer name.\n");
goto done;
}
issuer = malloc(issuerlen);
if (issuer == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
u = issuer;
if (i2d_X509_NAME(X509_get_issuer_name(ca), &u) != issuerlen) {
- cm_log(1, "Error encoding CA certificate issuer name.\n");
+ log_pkcs7_errors(0, "Error encoding CA certificate issuer name.\n");
goto done;
}
subjectlen = i2d_X509_NAME(X509_get_subject_name(mini), NULL);
if (subjectlen < 0) {
- cm_log(1, "Error encoding client certificate subject name.\n");
+ cm_log(0, "Error encoding client certificate subject name.\n");
goto done;
}
subject = malloc(subjectlen);
if (subject == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
u = subject;
if (i2d_X509_NAME(X509_get_subject_name(mini), &u) != subjectlen) {
- cm_log(1, "Error encoding client certificate subject name.\n");
+ log_pkcs7_errors(0, "Error encoding client certificate subject name.\n");
goto done;
}
+ PORT_SetError(0);
+ ERR_clear_error();
memset(&issuerandsubject, 0, sizeof(issuerandsubject));
issuerandsubject.issuer.data = issuer;
issuerandsubject.issuer.len = issuerlen;
@@ -731,7 +752,7 @@ cm_pkcs7_generate_ias(char *cacert, char *minicert,
issuerandsubject.subject.len = subjectlen;
if (SEC_ASN1EncodeItem(NULL, &encoded, &issuerandsubject,
cm_pkcs7_ias_template) != &encoded) {
- cm_log(1, "Error encoding issuer and subject names.\n");
+ log_pkcs7_errors(0, "Error encoding issuer and subject names.\n");
goto done;
}
*ias = malloc(encoded.len);
@@ -948,28 +969,28 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
u = data;
p7 = d2i_PKCS7(NULL, &u, length);
if ((p7 == NULL) || (u != data + length)) {
- cm_log(1, "Error parsing what should be PKCS#7 signed-data.\n");
+ cm_log(0, "Error parsing what should be PKCS#7 signed-data.\n");
goto done;
}
if ((p7->type == NULL) || (OBJ_obj2nid(p7->type) != NID_pkcs7_signed)) {
- cm_log(1, "PKCS#7 data is not signed-data.\n");
+ cm_log(0, "PKCS#7 data is not signed-data.\n");
goto done;
}
store = X509_STORE_new();
if (store == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
X509_STORE_set_verify_cb_func(store, &ignore_purpose_errors);
certs = sk_X509_new(util_o_cert_cmp);
if (certs == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
for (i = 0; (roots != NULL) && (roots[i] != NULL); i++) {
s = talloc_strdup(parent, roots[i]);
if (s == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
/* In case one of these is multiple PEM certificates
@@ -990,13 +1011,13 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
}
in = BIO_new_mem_buf(p, q - p);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
x = PEM_read_bio_X509(in, NULL, NULL, NULL);
BIO_free(in);
if (x == NULL) {
- cm_log(1, "Error parsing chain certificate.\n");
+ cm_log(0, "Error parsing chain certificate.\n");
goto done;
}
X509_STORE_add_cert(store, x);
@@ -1008,7 +1029,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
for (i = 0; (othercerts != NULL) && (othercerts[i] != NULL); i++) {
s = talloc_strdup(parent, othercerts[i]);
if (s == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
/* In case one of these is multiple PEM certificates
@@ -1028,13 +1049,13 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
}
in = BIO_new_mem_buf(p, q - p);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
x = PEM_read_bio_X509(in, NULL, NULL, NULL);
BIO_free(in);
if (x == NULL) {
- cm_log(1, "Error parsing chain certificate.\n");
+ cm_log(0, "Error parsing chain certificate.\n");
goto done;
}
sk_X509_push(certs, x);
@@ -1044,7 +1065,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
}
out = BIO_new(BIO_s_mem());
if (out == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
if (roots != NULL) {
@@ -1057,19 +1078,19 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
for (i = 0; i < sk_X509_num(certs); i++) {
x = X509_dup(sk_X509_value(certs, i));
if (x == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
PKCS7_add_certificate(p7, x);
}
if (PKCS7_verify(p7, certs, store, NULL, out, 0) != 1) {
- cm_log(1, "Message failed verification.\n");
+ cm_log(0, "Message failed verification.\n");
goto done;
}
}
p7s = p7->d.sign;
if (sk_PKCS7_SIGNER_INFO_num(p7s->signer_info) != 1) {
- cm_log(1, "Number of PKCS#7 signed-data signers != 1.\n");
+ cm_log(0, "Number of PKCS#7 signed-data signers != 1.\n");
goto done;
}
si = sk_PKCS7_SIGNER_INFO_value(p7s->signer_info, 0);
@@ -1077,12 +1098,12 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
encapsulated = p7s->contents;
if (expected_content_type != NID_undef) {
if (encapsulated == NULL) {
- cm_log(1, "Error parsing PKCS#7 encapsulated content.\n");
+ cm_log(0, "Error parsing PKCS#7 encapsulated content.\n");
goto done;
}
if ((encapsulated->type == NULL) ||
(OBJ_obj2nid(encapsulated->type) != expected_content_type)) {
- cm_log(1, "PKCS#7 encapsulated data is not %s (%s).\n",
+ cm_log(0, "PKCS#7 encapsulated data is not %s (%s).\n",
OBJ_nid2ln(expected_content_type),
encapsulated->type ?
OBJ_nid2ln(OBJ_obj2nid(encapsulated->type)) :
@@ -1091,7 +1112,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
}
}
if (attrs == NULL) {
- cm_log(1, "PKCS#7 signed-data contains no signed attributes.\n");
+ cm_log(0, "PKCS#7 signed-data contains no signed attributes.\n");
goto done;
}
ret = 0;
@@ -1146,7 +1167,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
if (*payload_length > 0) {
*payload = talloc_size(parent, *payload_length + 1);
if (*payload == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
memcpy(*payload, s, *payload_length);
@@ -1154,12 +1175,6 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
}
}
done:
- if (ret != 0) {
- while ((error = ERR_get_error()) != 0) {
- ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
- }
- }
if (p7 != NULL) {
PKCS7_free(p7);
}
diff --git a/src/pkcs7.h b/src/pkcs7.h
index 097f7ca..fae52f8 100644
--- a/src/pkcs7.h
+++ b/src/pkcs7.h
@@ -63,4 +63,6 @@ int cm_pkcs7_verify_signed(unsigned char *data, size_t length,
size_t *recipient_nonce_length,
unsigned char **payload, size_t *payload_length);
+void log_pkcs7_errors(int level, char *msg);
+
#endif
diff --git a/src/scep.c b/src/scep.c
index b37711c..0b8bef9 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -428,11 +428,15 @@ main(int argc, const char **argv)
if ((rekey_message != NULL) && (strlen(rekey_message) != 0)) {
tmp1 = cm_submit_u_base64_from_text(rekey_message);
tmp2 = cm_store_base64_as_bin(ctx, tmp1, -1, &c);
- cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
+ i = cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
NULL, NULL, NID_pkcs7_data, ctx, NULL,
NULL, &msgtype, NULL, NULL,
NULL, NULL,
NULL, NULL, NULL, NULL);
+ if (i != 0) {
+ log_pkcs7_errors(0, "Error: failed to verify signature on "
+ "rekey PKCSReq.\n");
+ }
if ((msgtype == NULL) ||
((strcmp(msgtype, SCEP_MSGTYPE_PKCSREQ) != 0) &&
(strcmp(msgtype, SCEP_MSGTYPE_GETCERTINITIAL) != 0))) {
@@ -454,11 +458,15 @@ main(int argc, const char **argv)
if ((message != NULL) && (strlen(message) != 0)) {
tmp1 = cm_submit_u_base64_from_text(message);
tmp2 = cm_store_base64_as_bin(ctx, tmp1, -1, &c);
- cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
+ i = cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
NULL, NULL, NID_pkcs7_data, ctx, NULL,
&sent_tx, &msgtype, NULL, NULL,
&sent_nonce, &sent_nonce_length,
NULL, NULL, NULL, NULL);
+ if (i != 0) {
+ log_pkcs7_errors(0, "Error: failed to verify signature on "
+ "message.\n");
+ }
if ((msgtype == NULL) ||
((strcmp(msgtype, SCEP_MSGTYPE_PKCSREQ) != 0) &&
(strcmp(msgtype, SCEP_MSGTYPE_GETCERTINITIAL) != 0))) {
@@ -933,14 +941,16 @@ main(int argc, const char **argv)
&payload, &payload_length);
if (i != 0) {
printf(_("Error: failed to verify signature on "
- "server response.\n"));
- cm_log(1, "Error: failed to verify signature on "
- "server response.\n");
- while ((error = ERR_get_error()) != 0) {
+ "server response. "));
+ error = ERR_peek_last_error();
+ if (error != 0) {
memset(buf, '\0', sizeof(buf));
ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
+ printf("%s", buf);
}
+ printf("\n");
+ log_pkcs7_errors(0, "Error: failed to verify signature on "
+ "server response.\n");
s = cm_store_base64_from_bin(ctx, (unsigned char *) results2,
results_length2);
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
@@ -1050,26 +1060,7 @@ main(int argc, const char **argv)
p7 = d2i_PKCS7(NULL, &u, payload_length);
if (p7 == NULL) {
printf(_("Error: couldn't parse signed-data.\n"));
- while ((error = ERR_get_error()) != 0) {
- memset(buf, '\0', sizeof(buf));
- ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
- }
- s = cm_store_base64_from_bin(ctx,
- (unsigned char *) results2,
- results_length2);
- s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
- fprintf(stderr, "Full reply:\n%s", s);
- free(s);
- return CM_SUBMIT_STATUS_UNREACHABLE;
- }
- if (!PKCS7_type_is_enveloped(p7)) {
- printf(_("Error: signed-data payload is not enveloped-data.\n"));
- while ((error = ERR_get_error()) != 0) {
- memset(buf, '\0', sizeof(buf));
- ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
- }
+ log_pkcs7_errors(0, "Error: couldn't parse signed-data.\n");
s = cm_store_base64_from_bin(ctx,
(unsigned char *) results2,
results_length2);
@@ -1080,11 +1071,8 @@ main(int argc, const char **argv)
}
if (!PKCS7_type_is_enveloped(p7)) {
printf(_("Error: signed-data payload is not enveloped-data.\n"));
- while ((error = ERR_get_error()) != 0) {
- memset(buf, '\0', sizeof(buf));
- ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
- }
+ log_pkcs7_errors(0, "Error: signed-data payload is not "
+ "enveloped-data.\n");
s = cm_store_base64_from_bin(ctx,
(unsigned char *) results2,
results_length2);
@@ -1098,11 +1086,8 @@ main(int argc, const char **argv)
(p7->d.enveloped->enc_data->content_type == NULL) ||
(OBJ_obj2nid(p7->d.enveloped->enc_data->content_type) != NID_pkcs7_data)) {
printf(_("Error: enveloped-data payload is not data.\n"));
- while ((error = ERR_get_error()) != 0) {
- memset(buf, '\0', sizeof(buf));
- ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
- }
+ log_pkcs7_errors(0, "Error: enveloped-data payload is "
+ "not data.\n");
s = cm_store_base64_from_bin(ctx,
(unsigned char *) results2,
results_length2);
diff --git a/src/scepgen-n.c b/src/scepgen-n.c
index 8c67b12..ce73c31 100644
--- a/src/scepgen-n.c
+++ b/src/scepgen-n.c
@@ -86,14 +86,14 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
return;
}
if (sk_PKCS7_SIGNER_INFO_num(p7->d.sign->signer_info) != 1) {
- cm_log(1, "More than one signer, not sure what to do.\n");
+ cm_log(0, "More than one signer, not sure what to do.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
sinfo = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0);
salen = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, NULL, &PKCS7_ATTR_SIGN_it);
u = sabuf = malloc(salen);
if (sabuf == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
/* ASN1_item_i2d doesn't actually modify the passed-in pointer, which
@@ -101,7 +101,7 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
* that ourselves. */
l = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, &u, &PKCS7_ATTR_SIGN_it);
if (l != salen) {
- cm_log(1, "Error encoding attributes.\n");
+ cm_log(0, "Error encoding attributes.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -109,12 +109,12 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
digalg = cm_submit_n_tag_from_nid(OBJ_obj2nid(sinfo->digest_alg->algorithm));
sigalg = SEC_GetSignatureAlgorithmOidTag(privkey->keyType, digalg);
if (sigalg == SEC_OID_UNKNOWN) {
- cm_log(1, "Unable to match digest algorithm and key.\n");
+ cm_log(0, "Unable to match digest algorithm and key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
if (SEC_SignData(&signature, sabuf, salen, privkey,
sigalg) != SECSuccess) {
- cm_log(1, "Error re-signing: %s.\n",
+ cm_log(0, "Error re-signing: %s.\n",
PR_ErrorToName(PORT_GetError()));
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -143,7 +143,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
if (ca->cm_ca_encryption_cert == NULL) {
- cm_log(1, "Can't generate new SCEP request data without "
+ cm_log(0, "Can't generate new SCEP request data without "
"the RA/CA encryption certificate.\n");
_exit(CM_SUB_STATUS_NEED_SCEP_DATA);
}
@@ -166,12 +166,12 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
fprintf(status, "Error opening database "
"'%s': %s.\n",
entry->cm_key_storage_location, es);
- cm_log(1, "Error opening database '%s': %s.\n",
+ cm_log(0, "Error opening database '%s': %s.\n",
entry->cm_key_storage_location, es);
} else {
fprintf(status, "Error opening database '%s'.\n",
entry->cm_key_storage_location);
- cm_log(1, "Error opening database '%s'.\n",
+ cm_log(0, "Error opening database '%s'.\n",
entry->cm_key_storage_location);
}
switch (ec) {
@@ -190,7 +190,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
NSS_INIT_NOROOTINIT);
reason = util_n_fips_hook();
if (reason != NULL) {
- cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
+ cm_log(0, "Error putting NSS into FIPS mode: %s\n", reason);
_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
}
@@ -198,23 +198,23 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
cm_log(1, "Generating dummy key.\n");
key = EVP_PKEY_new();
if (key == NULL) {
- cm_log(1, "Error allocating new key.\n");
+ cm_log(0, "Error allocating new key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
exponent = BN_new();
if (exponent == NULL) {
- cm_log(1, "Error setting up exponent.\n");
+ cm_log(0, "Error setting up exponent.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
BN_set_word(exponent, CM_DEFAULT_RSA_EXPONENT);
rsa = RSA_new();
if (rsa == NULL) {
- cm_log(1, "Error allocating new RSA key.\n");
+ cm_log(0, "Error allocating new RSA key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
retry_gen:
if (RSA_generate_key_ex(rsa, CM_DEFAULT_PUBKEY_SIZE, exponent, NULL) != 1) {
- cm_log(1, "Error generating key.\n");
+ cm_log(0, "Error generating key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
if (RSA_check_key(rsa) != 1) { /* should be unnecessary */
@@ -228,7 +228,7 @@ retry_gen:
if ((keys->privkey->keyType != rsaKey) ||
((keys->privkey_next != NULL) &&
(keys->privkey_next->keyType != rsaKey))) {
- cm_log(1, "Keys aren't RSA. They won't work with SCEP.\n");
+ cm_log(0, "Keys aren't RSA. They won't work with SCEP.\n");
_exit(CM_SUB_STATUS_ERROR_KEY_TYPE);
}
diff --git a/src/scepgen-o.c b/src/scepgen-o.c
index 010abb7..a431815 100644
--- a/src/scepgen-o.c
+++ b/src/scepgen-o.c
@@ -76,14 +76,14 @@ key_from_file(const char *filename, struct cm_store_entry *entry)
keyfp = fopen(filename, "r");
if (keyfp == NULL) {
if (errno != ENOENT) {
- cm_log(1, "Error opening key file \"%s\" "
+ cm_log(0, "Error opening key file \"%s\" "
"for reading: %s.\n",
filename, strerror(errno));
}
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
if (cm_pin_read_for_key(entry, &pin) != 0) {
- cm_log(1, "Internal error reading key encryption PIN.\n");
+ cm_log(0, "Internal error reading key encryption PIN.\n");
_exit(CM_SUB_STATUS_ERROR_AUTH);
}
memset(&cb_data, 0, sizeof(cb_data));
@@ -93,24 +93,24 @@ key_from_file(const char *filename, struct cm_store_entry *entry)
cm_pin_read_for_key_ossl_cb, &cb_data);
if (pkey == NULL) {
error = errno;
- cm_log(1, "Error reading private key '%s': %s.\n",
+ cm_log(0, "Error reading private key '%s': %s.\n",
filename, strerror(error));
while ((error = ERR_get_error()) != 0) {
ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
+ cm_log(0, "%s\n", buf);
}
_exit(CM_SUB_STATUS_ERROR_AUTH); /* XXX */
} else {
if ((pin != NULL) &&
(strlen(pin) > 0) &&
(cb_data.n_attempts == 0)) {
- cm_log(1, "PIN was not needed to read private "
+ cm_log(0, "PIN was not needed to read private "
"key '%s', though one was provided. "
"Treating this as an error.\n",
filename);
while ((error = ERR_get_error()) != 0) {
ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
+ cm_log(0, "%s\n", buf);
}
_exit(CM_SUB_STATUS_ERROR_AUTH); /* XXX */
}
@@ -127,13 +127,13 @@ cert_from_pem(char *pem, struct cm_store_entry *entry)
if ((pem != NULL) && (strlen(pem) > 0)) {
in = BIO_new_mem_buf(pem, -1);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
BIO_free(in);
if (cert == NULL) {
- cm_log(1, "Error parsing certificate \"%s\".\n", pem);
+ cm_log(0, "Error parsing certificate \"%s\".\n", pem);
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
return cert;
@@ -155,19 +155,19 @@ certs_from_nickcerts(struct cm_nickcert **list)
if ((this->cm_cert != NULL) && (strlen(this->cm_cert) > 0)) {
in = BIO_new_mem_buf(this->cm_cert, -1);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
BIO_free(in);
if (cert == NULL) {
- cm_log(1, "Error parsing certificate.\n");
+ cm_log(0, "Error parsing certificate.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
if (sk == NULL) {
sk = sk_X509_new(util_o_cert_cmp);
if (sk == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
}
@@ -300,19 +300,19 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
in = BIO_new_mem_buf(data, data_length);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
ret = PKCS7_sign(signer, key, certs, in, flags);
if (ret == NULL) {
- cm_log(1, "Error signing data.\n");
+ cm_log(0, "Error signing data.\n");
goto errors;
}
BIO_free(in);
/* Set the digest to use for signing. */
if (sk_PKCS7_SIGNER_INFO_num(ret->d.sign->signer_info) != 1) {
- cm_log(1, "Error signing data: %d signers.\n",
+ cm_log(0, "Error signing data: %d signers.\n",
sk_PKCS7_SIGNER_INFO_num(ret->d.sign->signer_info));
goto errors;
}
@@ -356,7 +356,7 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
PKCS7_content_new(ret, NID_pkcs7_data);
out = PKCS7_dataInit(ret, NULL);
if (out == NULL) {
- cm_log(1, "Error signing data.\n");
+ cm_log(0, "Error signing data.\n");
goto errors;
}
BIO_write(out, data, data_length);
@@ -366,7 +366,7 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
errors:
while ((error = ERR_get_error()) != 0) {
ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
+ cm_log(0, "%s\n", buf);
}
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -394,11 +394,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
util_o_init();
ERR_load_crypto_strings();
if (RAND_status() != 1) {
- cm_log(1, "PRNG not seeded for generating key.\n");
+ cm_log(0, "PRNG not seeded for generating key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
if (RAND_bytes(nonce, nonce_length) == -1) {
- cm_log(1, "PRNG unable to generate nonce.\n");
+ cm_log(0, "PRNG unable to generate nonce.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -410,14 +410,14 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
pem = cm_submit_u_pem_from_base64("CERTIFICATE", 0,
entry->cm_minicert);
if (pem == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
new_cert = cert_from_pem(pem, entry);
if (new_cert == NULL) {
while ((error = ERR_get_error()) != 0) {
ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
+ cm_log(0, "%s\n", buf);
}
free(pem);
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
@@ -442,7 +442,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
cipher = cm_prefs_des;
}
else {
- cm_log(1, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher);
+ cm_log(0, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher);
_exit(1);
}
@@ -516,7 +516,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
digest = cm_prefs_md5;
}
else {
- cm_log(1, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest);
+ cm_log(0, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest);
_exit(1);
}
@@ -578,7 +578,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
ca->cm_ca_encryption_issuer_cert,
entry->cm_cert,
&old_ias, &old_ias_length) != 0) {
- cm_log(1, "Error generating enveloped issuer-and-subject.\n");
+ cm_log(0, "Error generating enveloped issuer-and-subject.\n");
free(pem);
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -590,7 +590,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
ca->cm_ca_encryption_issuer_cert,
pem,
&new_ias, &new_ias_length) != 0) {
- cm_log(1, "Error generating enveloped issuer-and-subject.\n");
+ cm_log(0, "Error generating enveloped issuer-and-subject.\n");
free(pem);
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -598,7 +598,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
if (cm_pkcs7_envelope_csr(ca->cm_ca_encryption_cert, cipher,
entry->cm_csr,
&csr, &csr_length) != 0) {
- cm_log(1, "Error generating enveloped CSR.\n");
+ cm_log(0, "Error generating enveloped CSR.\n");
+ while ((error = ERR_get_error()) != 0) {
+ ERR_error_string_n(error, buf, sizeof(buf));
+ cm_log(0, "%s\n", buf);
+ }
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -608,7 +612,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
* the matching key. */
pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(old_cert));
if (pubkey == NULL) {
- cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n");
+ cm_log(0, "Error generating PKCSREQ pkiMessage: error copying key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
util_X509_set_pubkey(old_cert, old_pkey);
@@ -639,7 +643,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
* if we do, we did that in another code path. */
pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert));
if (pubkey == NULL) {
- cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n");
+ cm_log(0, "Error generating PKCSREQ pkiMessage: error copying key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
util_X509_set_pubkey(new_cert, old_pkey);
@@ -673,7 +677,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
* any previously-issued certificate won't match. */
pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert));
if (pubkey == NULL) {
- cm_log(1, "Error generating rekeying PKCSREQ pkiMessage: error copying key.\n");
+ cm_log(0, "Error generating rekeying PKCSREQ pkiMessage: error copying key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
util_X509_set_pubkey(new_cert, new_pkey);
@@ -703,7 +707,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
X509_free(new_cert);
while ((error = ERR_get_error()) != 0) {
ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
+ cm_log(0, "%s\n", buf);
}
}
@@ -723,14 +727,14 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
if (ca->cm_ca_encryption_cert == NULL) {
- cm_log(1, "Can't generate new SCEP request data without "
+ cm_log(0, "Can't generate new SCEP request data without "
"the RA/CA encryption certificate.\n");
_exit(CM_SUB_STATUS_NEED_SCEP_DATA);
}
old_pkey = key_from_file(entry->cm_key_storage_location, entry);
if (old_pkey == NULL) {
- cm_log(1, "Error reading key from file \"%s\".\n",
+ cm_log(0, "Error reading key from file \"%s\".\n",
entry->cm_key_storage_location);
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -739,14 +743,14 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
filename = util_build_next_filename(entry->cm_key_storage_location,
entry->cm_key_next_marker);
if (filename == NULL) {
- cm_log(1, "Error opening key file \"%s\" "
+ cm_log(0, "Error opening key file \"%s\" "
"for reading: %s.\n",
filename, strerror(errno));
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
new_pkey = key_from_file(filename, entry);
if (new_pkey == NULL) {
- cm_log(1, "Error reading key from file \"%s\".\n",
+ cm_log(0, "Error reading key from file \"%s\".\n",
filename);
free(filename);
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
@@ -757,7 +761,7 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
if ((util_EVP_PKEY_base_id(old_pkey) != EVP_PKEY_RSA) ||
((new_pkey != NULL) && (util_EVP_PKEY_base_id(new_pkey) != EVP_PKEY_RSA))) {
- cm_log(1, "Keys aren't RSA. They won't work with SCEP.\n");
+ cm_log(0, "Keys aren't RSA. They won't work with SCEP.\n");
_exit(CM_SUB_STATUS_ERROR_KEY_TYPE);
}
diff --git a/src/scepgen.c b/src/scepgen.c
index eaf2b7c..115446f 100644
--- a/src/scepgen.c
+++ b/src/scepgen.c
@@ -32,7 +32,7 @@ cm_scepgen_start(struct cm_store_ca *ca, struct cm_store_entry *entry)
{
switch (entry->cm_key_storage_type) {
case cm_key_storage_none:
- cm_log(1, "Can't generate new SCEP data for %s('%s') without "
+ cm_log(0, "Can't generate new SCEP data for %s('%s') without "
"the key, and we don't know where that is or should "
"be.\n", entry->cm_busname, entry->cm_nickname);
break;
--
2.21.1

View File

@ -0,0 +1,33 @@
From e4d0a60836e1ecbcd6390b88dceb2ca29d3179dc Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 27 Feb 2020 18:15:02 -0500
Subject: [PATCH 34/39] Add verbose option to SCEP CA if requested in
add-scep-ca
This option was silently dropped from the helper arguments even
if requested on the add-scep-ca CLI and was only passed to the
dbus helper.
Add as many -v as requested though the scep helper only logs at
most at level 1.
---
src/getcert.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/getcert.c b/src/getcert.c
index 4713dd1..3d78a73 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -4580,6 +4580,9 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
certs ? "-I" : "",
certs ? shell_escape(globals.tctx, certs) : "",
prefer_non_renewal ? "-n" : "");
+ for (c = 0; c < verbose; c++) {
+ command = talloc_strdup_append(command, " -v");
+ }
if (command == NULL) {
printf(_("Error building command line.\n"));
exit(1);
--
2.21.1

View File

@ -0,0 +1,422 @@
From 0897d5131489c7eac21d558625c30d23b0a1774d Mon Sep 17 00:00:00 2001
From: Your Name <you@example.com>
Date: Tue, 14 Apr 2020 13:17:14 +0000
Subject: [PATCH 35/39] Cleanup the SCEP helper curl and talloc contexts when
finished
The talloc context was freed in only a few cases and the curl
context was never freed.
---
src/scep.c | 127 ++++++++++++++++++++++++++++++++-----------------
src/submit-h.c | 15 +++++-
src/submit-h.h | 1 +
3 files changed, 97 insertions(+), 46 deletions(-)
diff --git a/src/scep.c b/src/scep.c
index 0b8bef9..4d00692 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -199,7 +199,7 @@ int
main(int argc, const char **argv)
{
const char *url = NULL, *results = NULL, *results2 = NULL;
- struct cm_submit_h_context *hctx;
+ struct cm_submit_h_context *hctx = NULL;
int c, verbose = 0, results_length = 0, results_length2 = 0, i;
int prefer_non_renewal = 0, can_renewal = 0;
int response_code = 0, response_code2 = 0;
@@ -225,7 +225,8 @@ main(int argc, const char **argv)
size_t payload_length;
long error;
PKCS7 *p7;
- poptContext pctx;
+ int rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ poptContext pctx = NULL;
struct poptOption popts[] = {
{"url", 'u', POPT_ARG_STRING, &url, 0, "service location", "URL"},
{"ca-identifier", 'i', POPT_ARG_STRING, &id, 0, "name to use when querying for capabilities", "IDENTIFIER"},
@@ -388,8 +389,8 @@ main(int argc, const char **argv)
}
if ((message == NULL) || (strlen(message) == 0)) {
printf(_("Error reading request. Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n"));
- free(cainfo);
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ goto done;
}
/* First step: read capabilities for our use. */
params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
@@ -408,8 +409,8 @@ main(int argc, const char **argv)
}
if ((message == NULL) || (strlen(message) == 0)) {
printf(_("Error reading request. Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n"));
- free(cainfo);
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ goto done;
}
/* First step: read capabilities for our use. */
params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
@@ -420,8 +421,8 @@ main(int argc, const char **argv)
/* Supply help output, if it's needed. */
if (missing_args) {
poptPrintUsage(pctx, stdout, 0);
- free(cainfo);
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto done;
}
/* Check the rekey PKCSReq message, if we have one. */
@@ -505,7 +506,6 @@ main(int argc, const char **argv)
verbose > 1 ?
cm_submit_h_curl_verbose_on :
cm_submit_h_curl_verbose_off);
- free(cainfo);
cm_submit_h_run(hctx);
content_type = cm_submit_h_result_type(hctx);
if (content_type == NULL) {
@@ -551,7 +551,8 @@ main(int argc, const char **argv)
}
if ((tmp2 == NULL) || (strlen(tmp2) == 0)) {
printf(_("Error reading request. Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n"));
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ goto done;
} else
if (verbose > 0) {
if (tmp2 == rekey_message) {
@@ -576,7 +577,8 @@ main(int argc, const char **argv)
}
if ((tmp2 == NULL) || (strlen(tmp2) == 0)) {
printf(_("Error reading request. Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n"));
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ goto done;
} else
if (verbose > 0) {
if (tmp2 == rekey_message) {
@@ -638,7 +640,8 @@ main(int argc, const char **argv)
cm_submit_h_result_code(hctx),
url);
}
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
switch (op) {
case op_unset:
@@ -651,16 +654,19 @@ main(int argc, const char **argv)
response_code, url);
if (response_code == 500) {
/* The server might recover, right? */
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
} else {
/* Maybe not? */
- return CM_SUBMIT_STATUS_REJECTED;
+ rval = CM_SUBMIT_STATUS_REJECTED;
+ goto done;
}
}
if (results == NULL) {
printf(_("Internal error: no response to \"%s?%s\".\n"),
url, params);
- return CM_SUBMIT_STATUS_REJECTED;
+ rval = CM_SUBMIT_STATUS_REJECTED;
+ goto done;
}
break;
case op_get_cert_initial:
@@ -685,10 +691,12 @@ main(int argc, const char **argv)
fprintf(stderr, "Result is surprisingly large, "
"suppressing it.\n");
}
- return CM_SUBMIT_STATUS_REJECTED;
+ rval = CM_SUBMIT_STATUS_REJECTED;
+ goto done;
}
printf("%s\n", results);
- return CM_SUBMIT_STATUS_ISSUED;
+ rval = CM_SUBMIT_STATUS_ISSUED;
+ goto done;
break;
case op_get_ca_certs:
if ((strcasecmp(content_type,
@@ -697,7 +705,8 @@ main(int argc, const char **argv)
"application/x-x509-ca-ra-cert") != 0)) {
printf(_("Server reply was of unexpected MIME type "
"\"%s\".\n"), content_type);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (racert == NULL) {
racertp = &racert;
@@ -710,7 +719,8 @@ main(int argc, const char **argv)
n_buffers + 1);
if ((buffers == NULL) || (lengths == NULL)) {
fprintf(stderr, "Out of memory.\n");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
buffers[n_buffers] = (unsigned char *) racert;
lengths[n_buffers] = strlen(racert);
@@ -727,7 +737,8 @@ main(int argc, const char **argv)
n_buffers + 1);
if ((buffers == NULL) || (lengths == NULL)) {
fprintf(stderr, "Out of memory.\n");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
buffers[n_buffers] = (unsigned char *) cacert;
lengths[n_buffers] = strlen(cacert);
@@ -741,7 +752,8 @@ main(int argc, const char **argv)
n_buffers + 1);
if ((buffers == NULL) || (lengths == NULL)) {
fprintf(stderr, "Out of memory.\n");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
buffers[n_buffers] = (unsigned char *) results;
lengths[n_buffers] = results_length;
@@ -755,7 +767,8 @@ main(int argc, const char **argv)
n_buffers + 1);
if ((buffers == NULL) || (lengths == NULL)) {
fprintf(stderr, "Out of memory.\n");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
buffers[n_buffers] = (unsigned char *) results2;
lengths[n_buffers] = results_length2;
@@ -850,7 +863,8 @@ main(int argc, const char **argv)
n_buffers + 1);
if ((buffers == NULL) || (lengths == NULL)) {
fprintf(stderr, "Out of memory.\n");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
buffers[n_buffers] = (unsigned char *) results2;
lengths[n_buffers] = results_length2;
@@ -882,11 +896,11 @@ main(int argc, const char **argv)
}
}
}
- talloc_free(ctx);
- return CM_SUBMIT_STATUS_ISSUED;
+ rval = CM_SUBMIT_STATUS_ISSUED;
+ goto done;
} else {
- talloc_free(ctx);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
break;
case op_get_cert_initial:
@@ -957,42 +971,50 @@ main(int argc, const char **argv)
fprintf(stderr, "%s", s);
cm_log(1, "%s", s);
free(s);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if ((msgtype == NULL) ||
(strcmp(msgtype, SCEP_MSGTYPE_CERTREP) != 0)) {
printf(_("Error: reply was not a CertRep (%s).\n"),
msgtype ? msgtype : "none");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (tx == NULL) {
printf(_("Error: reply is missing transactionId.\n"));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (sent_tx != NULL) {
if (strcmp(sent_tx, tx) != 0) {
printf(_("Error: reply contains a "
"different transactionId.\n"));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
}
if (pkistatus == NULL) {
printf(_("Error: reply is missing pkiStatus.\n"));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (recipient_nonce == NULL) {
printf(_("Error: reply is missing recipientNonce.\n"));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if ((recipient_nonce_length != sent_nonce_length) ||
(memcmp(recipient_nonce, sent_nonce,
sent_nonce_length) != 0)) {
printf(_("Error: reply nonce doesn't match request.\n"));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (sender_nonce == NULL) {
printf(_("Error: reply is missing senderNonce.\n"));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (strcmp(pkistatus, SCEP_PKISTATUS_PENDING) == 0) {
if (verbose > 0) {
@@ -1002,7 +1024,8 @@ main(int argc, const char **argv)
s = cm_store_base64_from_bin(ctx, sender_nonce,
sender_nonce_length);
printf("%s\n", s);
- return CM_SUBMIT_STATUS_WAIT;
+ rval = CM_SUBMIT_STATUS_WAIT;
+ goto done;
} else
if (strcmp(pkistatus, SCEP_PKISTATUS_FAILURE) == 0) {
if (verbose > 0) {
@@ -1050,7 +1073,8 @@ main(int argc, const char **argv)
printf(_("Server returned failure code \"%s\".\n"),
failinfo);
}
- return CM_SUBMIT_STATUS_REJECTED;
+ rval = CM_SUBMIT_STATUS_REJECTED;
+ goto done;
} else
if (strcmp(pkistatus, SCEP_PKISTATUS_SUCCESS) == 0) {
if (verbose > 0) {
@@ -1067,7 +1091,8 @@ main(int argc, const char **argv)
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
fprintf(stderr, "Full reply:\n%s", s);
free(s);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (!PKCS7_type_is_enveloped(p7)) {
printf(_("Error: signed-data payload is not enveloped-data.\n"));
@@ -1079,7 +1104,8 @@ main(int argc, const char **argv)
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
fprintf(stderr, "Full reply:\n%s", s);
free(s);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if ((p7->d.enveloped == NULL) ||
(p7->d.enveloped->enc_data == NULL) ||
@@ -1094,29 +1120,42 @@ main(int argc, const char **argv)
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
fprintf(stderr, "Full reply:\n%s", s);
free(s);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
s = cm_store_base64_from_bin(ctx, payload,
payload_length);
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
printf("%s", s);
free(s);
- return CM_SUBMIT_STATUS_ISSUED;
+ rval = CM_SUBMIT_STATUS_ISSUED;
+ goto done;
} else {
if (verbose > 0) {
fprintf(stderr, "SCEP status is \"%s\".\n", pkistatus);
}
printf(_("Error: pkiStatus \"%s\" not recognized.\n"),
pkistatus);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
} else {
printf(_("Server reply was of unexpected MIME type "
"\"%s\".\n"), content_type);
printf("Full reply:\n%.*s", results_length2, results2);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
break;
}
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+
+done:
+ if (pctx) {
+ poptFreeContext(pctx);
+ }
+ free(cainfo);
+ free(id);
+ cm_submit_h_cleanup(hctx);
+ talloc_free(ctx);
+ return rval;
}
diff --git a/src/submit-h.c b/src/submit-h.c
index 33f9b39..9b507db 100644
--- a/src/submit-h.c
+++ b/src/submit-h.c
@@ -298,6 +298,15 @@ cm_submit_h_result_type(struct cm_submit_h_context *ctx)
return ret;
}
+void
+cm_submit_h_cleanup(struct cm_submit_h_context *ctx)
+{
+
+ if (ctx != NULL && ctx->curl != NULL) {
+ curl_easy_cleanup(ctx->curl);
+ }
+}
+
#ifdef CM_SUBMIT_H_MAIN
int
main(int argc, const char **argv)
@@ -307,7 +316,7 @@ main(int argc, const char **argv)
enum cm_submit_h_opt_negotiate negotiate;
enum cm_submit_h_opt_delegate negotiate_delegate;
enum cm_submit_h_opt_clientauth clientauth;
- int c, fd, l, verbose = 0, length = 0;
+ int c, fd, l, verbose = 0, length = 0, rval = 0;
char *ctype, *accept, *capath, *cainfo, *sslcert, *sslkey, *sslpass;
char *pinfile;
const char *method, *url;
@@ -423,6 +432,8 @@ main(int argc, const char **argv)
cm_submit_h_result_code(ctx),
cm_submit_h_result_code_text(ctx));
}
- return cm_submit_h_result_code(ctx);
+ rval = cm_submit_h_result_code(ctx);
+ cm_submit_h_cleanup(ctx);
+ return rval;
}
#endif
diff --git a/src/submit-h.h b/src/submit-h.h
index 1283c53..931cc89 100644
--- a/src/submit-h.h
+++ b/src/submit-h.h
@@ -61,5 +61,6 @@ int cm_submit_h_result_code(struct cm_submit_h_context *ctx);
const char *cm_submit_h_result_code_text(struct cm_submit_h_context *ctx);
const char *cm_submit_h_results(struct cm_submit_h_context *ctx, int *length);
const char *cm_submit_h_result_type(struct cm_submit_h_context *ctx);
+void cm_submit_h_cleanup(struct cm_submit_h_context *ctx);
#endif
--
2.21.1

View File

@ -0,0 +1,232 @@
From b3dad1c94f2fca289fdf22ded38a1f1463bab95f Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 15 Apr 2020 17:16:42 -0400
Subject: [PATCH 36/39] Re-order the way the SCEP signing and CA certs are
collected
Put cacert into the ca store, the racert at the top of the
othercerts list. Then we parse certs, placing all ca certs
we find into the ca store, and all other certs we find after
the racert.
Variables are renamed to match the cm_pkcs7_parse() and
cm_pkcs7_verify_signed() calls.
A special case for IPA (dogtag) was added because dogtag
uses its CA cert to sign the PKCS7 so it is both an RA cert
and a CA cert. If a self-signed CA is detected and no other
certs are provided then the CA is treated as the RA.
https://bugzilla.redhat.com/show_bug.cgi?id=1808052
Graham Leggett did the majority of the work on this patch.
---
src/pkcs7.c | 18 +++++++++
src/pkcs7.h | 1 +
src/scep.c | 104 +++++++++++++++++++++++++++++++++++-----------------
3 files changed, 89 insertions(+), 34 deletions(-)
diff --git a/src/pkcs7.c b/src/pkcs7.c
index 29420b9..f81174f 100644
--- a/src/pkcs7.c
+++ b/src/pkcs7.c
@@ -1189,3 +1189,21 @@ done:
}
return ret;
}
+
+/* Return 0 if we think "issuer" could have issued "issued", which includes
+ * self-signing. */
+int
+cm_selfsigned(char *cert)
+{
+ BIO *in;
+ X509 *c;
+
+ in = BIO_new_mem_buf(cert, -1);
+ if (in == NULL) {
+ cm_log(0, "Out of memory.\n");
+ return 1;
+ }
+ c = PEM_read_bio_X509(in, NULL, NULL, NULL);
+ BIO_free(in);
+ return(issuerissued(c, c));
+}
diff --git a/src/pkcs7.h b/src/pkcs7.h
index fae52f8..cbde1bc 100644
--- a/src/pkcs7.h
+++ b/src/pkcs7.h
@@ -62,6 +62,7 @@ int cm_pkcs7_verify_signed(unsigned char *data, size_t length,
unsigned char **recipient_nonce,
size_t *recipient_nonce_length,
unsigned char **payload, size_t *payload_length);
+int cm_selfsigned(char *cert);
void log_pkcs7_errors(int level, char *msg);
diff --git a/src/scep.c b/src/scep.c
index 4d00692..b80278e 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -211,12 +211,12 @@ main(int argc, const char **argv)
const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;
void *ctx;
char *params = "", *params2 = NULL, *racert = NULL, *cacert = NULL;
- char **othercerts = NULL, *cert1 = NULL, *cert2 = NULL, *certs = NULL;
+ char **certothers = NULL, *certleaf = NULL, *certtop = NULL, *certs = NULL;
char **racertp, **cacertp, *dracert = NULL, *dcacert = NULL;
char buf[LINE_MAX] = "";
const unsigned char **buffers = NULL;
size_t n_buffers = 0, *lengths = NULL, j;
- const char *cacerts[3], **racerts;
+ const char *root[3], **othercerts;
dbus_bool_t missing_args = FALSE;
char *sent_tx, *tx, *msgtype, *pkistatus, *failinfo, *s, *tmp1, *tmp2;
unsigned char *sent_nonce, *sender_nonce, *recipient_nonce, *payload;
@@ -871,27 +871,27 @@ main(int argc, const char **argv)
n_buffers++;
}
if (cm_pkcs7_parsev(CM_PKCS7_LEAF_PREFER_ENCRYPT, ctx,
- racertp, cacertp, &othercerts,
+ racertp, cacertp, &certothers,
NULL, NULL,
n_buffers, buffers, lengths) == 0) {
if (racert != NULL) {
printf("%s", racert);
if (cacert != NULL) {
printf("%s", cacert);
- if (othercerts != NULL) {
+ if (certothers != NULL) {
for (c = 0;
- othercerts[c] != NULL;
+ certothers[c] != NULL;
c++) {
printf("%s",
- othercerts[c]);
+ certothers[c]);
}
}
if ((dracert != NULL) &&
- (cert_among(dracert, racert, cacert, othercerts) != 0)) {
+ (cert_among(dracert, racert, cacert, certothers) != 0)) {
printf("%s", dracert);
}
if ((dcacert != NULL) &&
- (cert_among(dcacert, racert, cacert, othercerts) != 0)) {
+ (cert_among(dcacert, racert, cacert, certothers) != 0)) {
printf("%s", dcacert);
}
}
@@ -907,47 +907,83 @@ main(int argc, const char **argv)
case op_pkcsreq:
if ((content_type2 != NULL) && (strcasecmp(content_type2,
"application/x-pki-message") == 0)) {
- memset(&cacerts, 0, sizeof(cacerts));
- cacerts[0] = cacert ? cacert : racert;
- cacerts[1] = cacert ? racert : NULL;
- cacerts[2] = NULL;
- racerts = NULL;
+ /*
+ * At this point, we have:
+ * - zero or more ra certs; and
+ * - zero or more ca certificates; and
+ * - zero or more other certificates; that
+ * need to be reordered so that the leaf
+ * certificates go first, the ca certificates
+ * are separated into a seperate certificate
+ * store, and the other certificates go after
+ * the leaf certificates.
+ *
+ * To do this we put cacert into the ca store,
+ * the racert at the top of the othercerts list.
+ * Then we parse certs, placing all ca certs
+ * we find into the ca store, and all other
+ * certs we find after the racert.
+ *
+ * As a limitation of cm_pkcs7_parse(), we
+ * can only isolate one ca certificate in the
+ * list of other certificates.
+ */
+ /* handle the other certs */
if ((certs != NULL) &&
(cm_pkcs7_parse(0, ctx,
- &cert1, &cert2, &othercerts,
+ &certleaf, &certtop, &certothers,
NULL, NULL,
(const unsigned char *) certs,
strlen(certs), NULL) == 0)) {
- for (c = 0;
- (othercerts != NULL) &&
- (othercerts[c] != NULL);
- c++) {
- continue;
+ /* Special case for IPA which uses dogtag which signs SCEP
+ * certs using the CA cert and the typical way to get
+ * verification to work is to use -I /etc/ipa/ca.crt.
+ * Because cm_pkcs7_parse explicitly doesn't allow
+ * certleaf to equal certtop we end up with no CAs so verification
+ * fails.
+ *
+ * So if cacert and certleaf are both NULL and certtop is
+ * self-signed then assume the IPA case and set certtop equal
+ * to certleaf.
+ */
+ if ((cacert == NULL) && (certtop == NULL) && (certleaf != NULL)) {
+ if (cm_selfsigned(certleaf) == 0) {
+ certtop = certleaf;
+ }
}
- racerts = talloc_array_ptrtype(ctx, racerts, c + 5);
+ memset(&root, 0, sizeof(root));
+ root[0] = cacert ? cacert : certtop ? certtop : NULL;
+ root[1] = cacert ? certtop : NULL;
+ root[2] = NULL;
for (c = 0;
- (othercerts != NULL) &&
- (othercerts[c] != NULL);
+ (certothers != NULL) &&
+ (certothers[c] != NULL);
c++) {
- racerts[c] = othercerts[c];
- }
- if (cacert != NULL) {
- racerts[c++] = cacert;
+ continue;
}
- if (cert1 != NULL) {
- racerts[c++] = cert1;
+ othercerts = talloc_array_ptrtype(ctx, othercerts, c + 3);
+ c = 0;
+ if (racert != NULL) {
+ othercerts[c++] = racert;
}
- if (cert2 != NULL) {
- racerts[c++] = cert2;
+ if (certleaf != NULL) {
+ othercerts[c++] = certleaf;
}
- if (racert != NULL) {
- racerts[c++] = racert;
+ while (certothers != NULL && *certothers != NULL) {
+ othercerts[c++] = *certothers++;
}
- racerts[c++] = NULL;
+ othercerts[c++] = NULL;
+ }
+ else {
+ root[0] = cacert;
+ root[1] = NULL;
+ othercerts = talloc_array_ptrtype(ctx, othercerts, 2);
+ othercerts[0] = racert ? racert : NULL;
+ othercerts[1] = NULL;
}
ERR_clear_error();
i = cm_pkcs7_verify_signed((unsigned char *) results2, results_length2,
- cacerts, racerts,
+ root, othercerts,
NID_pkcs7_data, ctx, NULL,
&tx, &msgtype, &pkistatus, &failinfo,
&sender_nonce, &sender_nonce_length,
--
2.21.1

View File

@ -0,0 +1,173 @@
From 37ebf87fb6fc93d445139310a1c89b98f3f514de Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Apr 2020 16:29:50 -0400
Subject: [PATCH 37/39] Add new option to allow overriding the detected SCEP CA
chain
The -R option was doing double-duty for the SCEP CA.
1. It was required if the SCEP URL used TLS
2. It override the CA certificate downloaded from the SCEP server
If the chains were different then validating the SCEP responses would
fail.
https://bugzilla.redhat.com/show_bug.cgi?id=1808613
---
src/certmonger-scep-submit.8.in | 14 +++++++++-----
src/getcert-add-scep-ca.1.in | 12 ++++++++----
src/getcert.c | 6 +++++-
src/scep.c | 13 ++++++-------
4 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in
index 95d674a..42ffcd6 100644
--- a/src/certmonger-scep-submit.8.in
+++ b/src/certmonger-scep-submit.8.in
@@ -8,6 +8,7 @@ scep-submit -u SERVER-URL
[-r ra-cert-file]
[-R ca-cert-file]
[-I other-certs-file]
+[-N ca-cert-file]
[-i ca-identifier]
[-v]
[-n]
@@ -57,11 +58,14 @@ typically \fIhttp://\fBSERVER\fP/cgi-bin/PKICLIENT.EXE\fR or
always required.
.TP
\fB\-R\fR CA-certificate-file
-The location of the SCEP server's CA certificate, which was used to
-issue the SCEP server's certificate, or the SCEP server's own
-certificate, if it is self-signed, in PEM form. If the URL specified
-with the \fB-u\fR option is an \fIhttps\fR URL, then this option is
-required.
+The location of the CA certificate which was used to issue the SCEP web
+server's certificate in PEM form. If the URL specified with the
+\fB-u\fR option is an \fIhttps\fR URL, then this option is required.
+.TP
+\fB\-N\fR ca-certificate-file
+The location of a PEM-formatted copy of the SCEP server's CA certificate.
+A discovered value is normally supplied by the certmonger daemon, but one can
+be specified for troubleshooting purposes.
.TP
\fB\-r\fR RA-certificate-file
The location of the SCEP server's RA certificate, which is expected to
diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
index 11ab4ce..bf07306 100644
--- a/src/getcert-add-scep-ca.1.in
+++ b/src/getcert-add-scep-ca.1.in
@@ -24,12 +24,16 @@ The location of the SCEP server's enrollment interface. This option must be
specified.
.TP
\fB\-R\fR ca-certificate-file
-The location of a PEM-formatted copy of the SCEP server's CA's certificate.
-A discovered value is supplied by the certmonger daemon for use in verifying
-the signature on data returned by the SCEP server, but it is not used for
-verifying HTTPS server certificates.
+The location of a PEM-formatted copy of the CA's certificate used to verify
+the TLS connection the SCEP server.
+
This option must be specified if the URL is an \fIhttps\fR location.
.TP
+\fB\-N\fR ca-certificate-file
+The location of a PEM-formatted copy of the SCEP server's CA certificate.
+A discovered value is normally supplied by the certmonger daemon, but one can
+be specified for troubleshooting purposes.
+.TP
\fB\-r\fR ra-certificate-file
The location of a PEM-formatted copy of the SCEP server's RA's certificate.
A discovered value is normally supplied by the certmonger daemon, but one can
diff --git a/src/getcert.c b/src/getcert.c
index 3d78a73..493771f 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -4496,6 +4496,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS;
char *caname = NULL, *url = NULL, *path = NULL, *id = NULL;
char *root = NULL, *racert = NULL, *certs = NULL, *nickname, *command;
+ char *signingca = NULL;
const char *err;
int c, prefer_non_renewal = 0, verbose = 0;
dbus_bool_t b;
@@ -4508,6 +4509,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
{"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},
{"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},
{"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
+ {"signingca", 'N', POPT_ARG_STRING, NULL, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},
{"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},
{"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},
@@ -4569,7 +4571,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
return 1;
}
command = talloc_asprintf(globals.tctx,
- "%s -u %s %s %s %s %s %s %s %s",
+ "%s -u %s %s %s %s %s %s %s %s %s %s",
shell_escape(globals.tctx,
CM_SCEP_HELPER_PATH),
shell_escape(globals.tctx, url),
@@ -4579,6 +4581,8 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
racert ? shell_escape(globals.tctx, racert) : "",
certs ? "-I" : "",
certs ? shell_escape(globals.tctx, certs) : "",
+ signingca ? "-N" : "",
+ signingca ? shell_escape(globals.tctx, signingca) : "",
prefer_non_renewal ? "-n" : "");
for (c = 0; c < verbose; c++) {
command = talloc_strdup_append(command, " -v");
diff --git a/src/scep.c b/src/scep.c
index b80278e..4294cda 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -206,7 +206,6 @@ main(int argc, const char **argv)
enum known_ops op = op_unset;
const char *id = NULL;
char *cainfo = NULL;
- char *poptarg;
char *message = NULL, *rekey_message = NULL;
const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;
void *ctx;
@@ -235,8 +234,9 @@ main(int argc, const char **argv)
{"get-initial-cert", 'g', POPT_ARG_NONE, NULL, 'g', "send a PKIOperation pkiMessage", NULL},
{"pki-message", 'p', POPT_ARG_NONE, NULL, 'p', "send a PKIOperation pkiMessage", NULL},
{"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"},
- {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying responses", "FILENAME"},
+ {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying TLS connections", "FILENAME"},
{"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', "additional certificates", "FILENAME"},
+ {"signingca", 'N', POPT_ARG_STRING, NULL, 'N', "the CA certificate which signed the RA certificate", "FILENAME"},
{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, "prefer to not use the SCEP Renewal feature", NULL},
{"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL},
POPT_AUTOHELP
@@ -329,9 +329,10 @@ main(int argc, const char **argv)
racert = cm_submit_u_from_file(poptGetOptArg(pctx));
break;
case 'R':
- poptarg = poptGetOptArg(pctx);
- cainfo = strdup(poptarg);
- cacert = cm_submit_u_from_file(poptarg);
+ cainfo = poptGetOptArg(pctx);
+ break;
+ case 'N':
+ cacert = cm_submit_u_from_file(poptGetOptArg(pctx));
break;
case 'I':
certs = cm_submit_u_from_file(poptGetOptArg(pctx));
@@ -340,7 +341,6 @@ main(int argc, const char **argv)
}
if (c != -1) {
poptPrintUsage(pctx, stdout, 0);
- free(cainfo);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
@@ -1189,7 +1189,6 @@ done:
if (pctx) {
poptFreeContext(pctx);
}
- free(cainfo);
free(id);
cm_submit_h_cleanup(hctx);
talloc_free(ctx);
--
2.21.1