From d6a76863b23cf60e55241fe01ce7a3c08aac1a0a Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 18 May 2021 02:48:54 -0400 Subject: [PATCH] import certmonger-0.79.13-2.el8 --- .certmonger.metadata | 2 +- .gitignore | 2 +- ...t-run-the-002-keygen-tests-when-root.patch | 38 + ...y-sets-minimum-RSA-and-DSA-key-size-.patch | 293 -- .../0002-Convert-tests-to-use-python3.patch | 788 ---- ...e-certmaster-CA-from-the-028-dbus-te.patch | 195 + SOURCES/0018-clang-more-Dead-assignment.patch | 41 - SOURCES/0019-clang-more-Memory-leaks.patch | 321 -- .../0020-clang-Avoid-buffer-overflow.patch | 29 - .../0021-clang-Garbage-value-possible.patch | 43 - SOURCES/0022-Uninitialized-variable.patch | 25 - ...3-merge-into-clang-more-Memory-leaks.patch | 39 - ...-Add-missing-return-type-declaration.patch | 24 - SOURCES/0025-Discards-const-qualifier.patch | 43 - ...timize-closing-open-file-descriptors.patch | 134 - ...UT-when-calling-the-CA-fetch_roots-f.patch | 33 - ...UT-when-calling-the-CA-fetch_roots-f.patch | 35 - ...lag-flag-from-context-init-look-for-.patch | 259 - ...include-the-security-module-DB-in-ex.patch | 233 - ...to-pull-the-entire-CA-chain-from-IPA.patch | 50 - SOURCES/0032-Fix-use-after-free-issue.patch | 34 - .../0033-Improve-logging-in-SCEP-helper.patch | 931 ---- ...on-to-SCEP-CA-if-requested-in-add-sc.patch | 33 - ...-helper-curl-and-talloc-contexts-whe.patch | 422 -- ...-the-SCEP-signing-and-CA-certs-are-c.patch | 232 - ...o-allow-overriding-the-detected-SCEP.patch | 173 - ...-profile-issuer-and-MS-cert-template.patch | 53 - ...39-Fix-broken-N-option-configuration.patch | 26 - ...include-issue-discovered-by-coverity.patch | 52 - ...les-read-in-have-a-trailing-new-line.patch | 237 - ...ng-command-line-options-to-man-pages.patch | 4160 ----------------- ...dd-long-options-to-command-line-help.patch | 757 --- ...to-dbus-so-it-stops-and-restarts-wit.patch | 25 - ...CA-IDENT-with-GetCACaps-and-GetCACer.patch | 62 - SPECS/certmonger.spec | 99 +- 35 files changed, 268 insertions(+), 9655 deletions(-) create mode 100644 SOURCES/0001-Don-t-run-the-002-keygen-tests-when-root.patch delete mode 100644 SOURCES/0001-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch delete mode 100644 SOURCES/0002-Convert-tests-to-use-python3.patch create mode 100644 SOURCES/0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch delete mode 100644 SOURCES/0018-clang-more-Dead-assignment.patch delete mode 100644 SOURCES/0019-clang-more-Memory-leaks.patch delete mode 100644 SOURCES/0020-clang-Avoid-buffer-overflow.patch delete mode 100644 SOURCES/0021-clang-Garbage-value-possible.patch delete mode 100644 SOURCES/0022-Uninitialized-variable.patch delete mode 100644 SOURCES/0023-merge-into-clang-more-Memory-leaks.patch delete mode 100644 SOURCES/0024-Add-missing-return-type-declaration.patch delete mode 100644 SOURCES/0025-Discards-const-qualifier.patch delete mode 100644 SOURCES/0026-Optimize-closing-open-file-descriptors.patch delete mode 100644 SOURCES/0027-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch delete mode 100644 SOURCES/0028-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch delete mode 100644 SOURCES/0029-Remove-NOMODDB-flag-flag-from-context-init-look-for-.patch delete mode 100644 SOURCES/0030-Update-tests-to-include-the-security-module-DB-in-ex.patch delete mode 100644 SOURCES/0031-Try-to-pull-the-entire-CA-chain-from-IPA.patch delete mode 100644 SOURCES/0032-Fix-use-after-free-issue.patch delete mode 100644 SOURCES/0033-Improve-logging-in-SCEP-helper.patch delete mode 100644 SOURCES/0034-Add-verbose-option-to-SCEP-CA-if-requested-in-add-sc.patch delete mode 100644 SOURCES/0035-Cleanup-the-SCEP-helper-curl-and-talloc-contexts-whe.patch delete mode 100644 SOURCES/0036-Re-order-the-way-the-SCEP-signing-and-CA-certs-are-c.patch delete mode 100644 SOURCES/0037-Add-new-option-to-allow-overriding-the-detected-SCEP.patch delete mode 100644 SOURCES/0038-Include-template-profile-issuer-and-MS-cert-template.patch delete mode 100644 SOURCES/0039-Fix-broken-N-option-configuration.patch delete mode 100644 SOURCES/0040-Address-an-include-issue-discovered-by-coverity.patch delete mode 100644 SOURCES/0041-Ensure-that-files-read-in-have-a-trailing-new-line.patch delete mode 100644 SOURCES/0042-Add-long-command-line-options-to-man-pages.patch delete mode 100644 SOURCES/0043-Add-long-options-to-command-line-help.patch delete mode 100644 SOURCES/0044-Link-certmonger-to-dbus-so-it-stops-and-restarts-wit.patch delete mode 100644 SOURCES/0045-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch diff --git a/.certmonger.metadata b/.certmonger.metadata index a647082..2f88761 100644 --- a/.certmonger.metadata +++ b/.certmonger.metadata @@ -1 +1 @@ -f73818aec2b6e1d9765af188547e2c82e644209c SOURCES/certmonger-0.79.7.tar.gz +eecb2ceb6f293cf30ffed148fb3ad5021febe301 SOURCES/certmonger-0.79.13.tar.gz diff --git a/.gitignore b/.gitignore index fe7ff44..1202bac 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/certmonger-0.79.7.tar.gz +SOURCES/certmonger-0.79.13.tar.gz diff --git a/SOURCES/0001-Don-t-run-the-002-keygen-tests-when-root.patch b/SOURCES/0001-Don-t-run-the-002-keygen-tests-when-root.patch new file mode 100644 index 0000000..8590858 --- /dev/null +++ b/SOURCES/0001-Don-t-run-the-002-keygen-tests-when-root.patch @@ -0,0 +1,38 @@ +From a176d474644e0f1f2ce520ed69b04dc649ed2bed Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 29 Oct 2020 10:13:08 -0400 +Subject: [PATCH] Don't run the 002-keygen-* tests when root + +The permissions tests will fail. +--- + tests/002-keygen-dbm/prequal.sh | 5 +++++ + tests/002-keygen-sql/prequal.sh | 5 +++++ + 2 files changed, 10 insertions(+) + create mode 100755 tests/002-keygen-dbm/prequal.sh + create mode 100755 tests/002-keygen-sql/prequal.sh + +diff --git a/tests/002-keygen-dbm/prequal.sh b/tests/002-keygen-dbm/prequal.sh +new file mode 100755 +index 00000000..d146a650 +--- /dev/null ++++ b/tests/002-keygen-dbm/prequal.sh +@@ -0,0 +1,5 @@ ++#!/bin/sh ++if test `id -u` -eq 0 ; then ++ echo "This test won't work right if run as root." ++ exit 1 ++fi +diff --git a/tests/002-keygen-sql/prequal.sh b/tests/002-keygen-sql/prequal.sh +new file mode 100755 +index 00000000..d146a650 +--- /dev/null ++++ b/tests/002-keygen-sql/prequal.sh +@@ -0,0 +1,5 @@ ++#!/bin/sh ++if test `id -u` -eq 0 ; then ++ echo "This test won't work right if run as root." ++ exit 1 ++fi +-- +2.25.4 + diff --git a/SOURCES/0001-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch b/SOURCES/0001-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch deleted file mode 100644 index 8e19e28..0000000 --- a/SOURCES/0001-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch +++ /dev/null @@ -1,293 +0,0 @@ -From fd17f002b2f4150a1fddc2582a21c6c03933a28a Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Fri, 23 Feb 2018 10:43:44 -0500 -Subject: [PATCH] NSS crypto policy sets minimum RSA and DSA key size to 2048 - -Remove keys < 2048 for the NSS tests. This affects some of the -OpenSSL tests as well where they run in a combined loop. - -Where it was not invasive to do I left the 1024/1536 for OpenSSL. ---- - tests/001-keyiread-dsa/expected.out | 6 +++--- - tests/001-keyiread-dsa/run.sh | 2 +- - tests/001-keyiread-rsa/expected.out | 2 -- - tests/001-keyiread-rsa/run.sh | 2 +- - tests/001-keyiread/expected.out | 2 -- - tests/001-keyiread/run.sh | 2 +- - tests/002-keygen-rsa/expected.out | 6 ------ - tests/002-keygen-rsa/run.sh | 2 +- - tests/002-keygen/expected.out | 18 ------------------ - tests/002-keygen/run.sh | 2 +- - tests/003-csrgen-rsa/expected.out | 6 ------ - tests/003-csrgen-rsa/run.sh | 4 ++-- - tests/003-csrgen/expected.out | 8 -------- - tests/003-csrgen/run.sh | 4 ++-- - tests/004-selfsign-rsa/expected.out | 2 -- - tests/004-selfsign-rsa/run.sh | 2 +- - tests/004-selfsign/expected.out | 2 -- - tests/004-selfsign/run.sh | 2 +- - 18 files changed, 14 insertions(+), 60 deletions(-) - -diff --git a/tests/001-keyiread-dsa/expected.out b/tests/001-keyiread-dsa/expected.out -index b09db0ae..50643176 100644 ---- a/tests/001-keyiread-dsa/expected.out -+++ b/tests/001-keyiread-dsa/expected.out -@@ -1,4 +1,4 @@ --OK (DSA:1024). --OK (DSA:1024). --OK (DSA:1024). -+OK (DSA:2048). -+OK (DSA:2048). -+OK (DSA:2048). - Test complete. -diff --git a/tests/001-keyiread-dsa/run.sh b/tests/001-keyiread-dsa/run.sh -index 9f96b3bc..68f6d1c3 100755 ---- a/tests/001-keyiread-dsa/run.sh -+++ b/tests/001-keyiread-dsa/run.sh -@@ -5,7 +5,7 @@ cd "$tmpdir" - source "$srcdir"/functions - initnssdb "$tmpdir" - --for size in 1024 ; do -+for size in 2048 ; do - # Generate a self-signed cert. - run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ - -s "cn=T$size" -c "cn=T$size" \ -diff --git a/tests/001-keyiread-rsa/expected.out b/tests/001-keyiread-rsa/expected.out -index 727897d1..3daa51f2 100644 ---- a/tests/001-keyiread-rsa/expected.out -+++ b/tests/001-keyiread-rsa/expected.out -@@ -1,5 +1,3 @@ --OK (RSA:1024). --OK (RSA:1536). - OK (RSA:2048). - OK (RSA:3072). - OK (RSA:4096). -diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh -index c7b77686..ec31c7c7 100755 ---- a/tests/001-keyiread-rsa/run.sh -+++ b/tests/001-keyiread-rsa/run.sh -@@ -5,7 +5,7 @@ cd "$tmpdir" - source "$srcdir"/functions - initnssdb "$tmpdir" - --for size in 1024 1536 2048 3072 4096 ; do -+for size in 2048 3072 4096 ; do - # Generate a self-signed cert. - run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ - -s "cn=T$size" -c "cn=T$size" \ -diff --git a/tests/001-keyiread/expected.out b/tests/001-keyiread/expected.out -index 727897d1..3daa51f2 100644 ---- a/tests/001-keyiread/expected.out -+++ b/tests/001-keyiread/expected.out -@@ -1,5 +1,3 @@ --OK (RSA:1024). --OK (RSA:1536). - OK (RSA:2048). - OK (RSA:3072). - OK (RSA:4096). -diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh -index ce1428ed..0b31df95 100755 ---- a/tests/001-keyiread/run.sh -+++ b/tests/001-keyiread/run.sh -@@ -5,7 +5,7 @@ cd "$tmpdir" - source "$srcdir"/functions - initnssdb "$tmpdir" - --for size in 1024 1536 2048 3072 4096 ; do -+for size in 2048 3072 4096 ; do - # Generate a self-signed cert. - run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ - -s "cn=T$size" -c "cn=T$size" \ -diff --git a/tests/002-keygen-rsa/expected.out b/tests/002-keygen-rsa/expected.out -index 3e6e9f3c..f7c146d0 100644 ---- a/tests/002-keygen-rsa/expected.out -+++ b/tests/002-keygen-rsa/expected.out -@@ -1,9 +1,3 @@ --[nss:1024] --OK. --OK (RSA:1024). --[nss:1536] --OK. --OK (RSA:1536). - [nss:2048] - OK. - OK (RSA:2048). -diff --git a/tests/002-keygen-rsa/run.sh b/tests/002-keygen-rsa/run.sh -index 476f4127..c0c59249 100755 ---- a/tests/002-keygen-rsa/run.sh -+++ b/tests/002-keygen-rsa/run.sh -@@ -5,7 +5,7 @@ cd "$tmpdir" - source "$srcdir"/functions - initnssdb "$tmpdir" - --for size in 1024 1536 2048 3072 4096 ; do -+for size in 2048 3072 4096 ; do - echo "[nss:$size]" - # Generate a key. - cat > entry.$size <<- EOF -diff --git a/tests/002-keygen/expected.out b/tests/002-keygen/expected.out -index dcd1af06..b8fbea56 100644 ---- a/tests/002-keygen/expected.out -+++ b/tests/002-keygen/expected.out -@@ -1,21 +1,3 @@ --[nss:1024] --OK. --OK (RSA:1024). --OK. --OK (RSA:1024 after RSA:1024). --OK. --OK (RSA:1024 after RSA:1024). --keyi1024 --keyi1024 (candidate (next)) --[nss:1536] --OK. --OK (RSA:1536). --OK. --OK (RSA:1536 after RSA:1536). --OK. --OK (RSA:1536 after RSA:1536). --keyi1536 --keyi1536 (candidate (next)) - [nss:2048] - OK. - OK (RSA:2048). -diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh -index 08af1523..94230e6f 100755 ---- a/tests/002-keygen/run.sh -+++ b/tests/002-keygen/run.sh -@@ -7,7 +7,7 @@ scheme="${scheme:-dbm:}" - source "$srcdir"/functions - initnssdb "$scheme$tmpdir" - --for size in 1024 1536 2048 3072 4096 ; do -+for size in 2048 3072 4096 ; do - echo "[nss:$size]" - # Generate a key. - cat > entry.$size <<- EOF -diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out -index c9dec729..def53fe4 100644 ---- a/tests/003-csrgen-rsa/expected.out -+++ b/tests/003-csrgen-rsa/expected.out -@@ -1,10 +1,4 @@ - pk12util: PKCS12 EXPORT SUCCESSFUL --1024 OK. --Signature OK --pk12util: PKCS12 EXPORT SUCCESSFUL --1536 OK. --Signature OK --pk12util: PKCS12 EXPORT SUCCESSFUL - 2048 OK. - Signature OK - pk12util: PKCS12 EXPORT SUCCESSFUL -diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh -index 4cd84084..bb8ebecb 100755 ---- a/tests/003-csrgen-rsa/run.sh -+++ b/tests/003-csrgen-rsa/run.sh -@@ -5,7 +5,7 @@ cd "$tmpdir" - source "$srcdir"/functions - initnssdb "$tmpdir" - --for size in 1024 1536 2048 3072 4096 ; do -+for size in 2048 3072 4096 ; do - # Build a self-signed certificate. - run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ - -s "cn=T$size" -c "cn=T$size" \ -@@ -147,7 +147,7 @@ iterate() { - - iteration=1 - --for size in 1024 ; do -+for size in 2048 ; do - iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" - done - -diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out -index 8e6cac6e..04342c0f 100644 ---- a/tests/003-csrgen/expected.out -+++ b/tests/003-csrgen/expected.out -@@ -1,13 +1,5 @@ - pk12util: PKCS12 EXPORT SUCCESSFUL - Signature OK --minicert.openssl.1024.pem: OK --1024 OK. --pk12util: PKCS12 EXPORT SUCCESSFUL --Signature OK --minicert.openssl.1536.pem: OK --1536 OK. --pk12util: PKCS12 EXPORT SUCCESSFUL --Signature OK - minicert.openssl.2048.pem: OK - 2048 OK. - pk12util: PKCS12 EXPORT SUCCESSFUL -diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh -index 7c169ed9..31466b5c 100755 ---- a/tests/003-csrgen/run.sh -+++ b/tests/003-csrgen/run.sh -@@ -5,7 +5,7 @@ cd "$tmpdir" - source "$srcdir"/functions - initnssdb "$tmpdir" - --for size in 1024 1536 2048 3072 4096 ; do -+for size in 2048 3072 4096 ; do - # Build a self-signed certificate. - run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ - -s "cn=T$size" -c "cn=T$size" \ -@@ -199,7 +199,7 @@ iterate() { - - iteration=1 - --for size in 1024 ; do -+for size in 2048 ; do - iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype" - done - -diff --git a/tests/004-selfsign-rsa/expected.out b/tests/004-selfsign-rsa/expected.out -index dd5029ec..0eb84ef1 100644 ---- a/tests/004-selfsign-rsa/expected.out -+++ b/tests/004-selfsign-rsa/expected.out -@@ -1,5 +1,3 @@ --1024 OK. --1536 OK. - 2048 OK. - 3072 OK. - 4096 OK. -diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh -index 6f9285b6..c1dd4c80 100755 ---- a/tests/004-selfsign-rsa/run.sh -+++ b/tests/004-selfsign-rsa/run.sh -@@ -33,7 +33,7 @@ function setupca() { - EOF - } - --for size in 1024 1536 2048 3072 4096 ; do -+for size in 2048 3072 4096 ; do - # Build a self-signed certificate. - run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ - -s "cn=T$size" -c "cn=T$size" \ -diff --git a/tests/004-selfsign/expected.out b/tests/004-selfsign/expected.out -index dd5029ec..0eb84ef1 100644 ---- a/tests/004-selfsign/expected.out -+++ b/tests/004-selfsign/expected.out -@@ -1,5 +1,3 @@ --1024 OK. --1536 OK. - 2048 OK. - 3072 OK. - 4096 OK. -diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh -index 7bb368ec..eb1df4ee 100755 ---- a/tests/004-selfsign/run.sh -+++ b/tests/004-selfsign/run.sh -@@ -43,7 +43,7 @@ function setupca() { - EOF - } - --for size in 1024 1536 2048 3072 4096 ; do -+for size in 2048 3072 4096 ; do - # Build a self-signed certificate. - run_certutil -d "$tmpdir" -S -g $size -n keyi$size \ - -s "cn=T$size" -c "cn=T$size" \ --- -2.16.2 - diff --git a/SOURCES/0002-Convert-tests-to-use-python3.patch b/SOURCES/0002-Convert-tests-to-use-python3.patch deleted file mode 100644 index b31e3ce..0000000 --- a/SOURCES/0002-Convert-tests-to-use-python3.patch +++ /dev/null @@ -1,788 +0,0 @@ -From 653cd0571fe92c9fd4323f93ff23b9720c00fd5f Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 31 Jul 2018 13:09:02 -0400 -Subject: [PATCH] Convert tests to use python3 - ---- - tests/028-dbus/expected.out | 32 +- - tests/028-dbus/expected.out.nodsa | 22 +- - tests/028-dbus/prequal.sh | 8 +- - tests/028-dbus/run.sh | 9 +- - tests/028-dbus/runsub.sh | 2 +- - tests/028-dbus/simpleprop.py | 14 +- - tests/028-dbus/walk.py | 392 ++++++++++---------- - tests/038-ms-v2-template/extract-extdata.py | 5 +- - 8 files changed, 243 insertions(+), 241 deletions(-) - -diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out -index ca3179e..1d8bec4 100644 ---- a/tests/028-dbus/expected.out -+++ b/tests/028-dbus/expected.out -@@ -1,5 +1,3 @@ --Certificate in file "${tmpdir}/test.crt" issued by CA and saved. --Certificate in file "${tmpdir}/test.crt" issued by CA and saved. - [[ getcert ]] - State MONITORING, stuck: no. - Number of certificates and requests being tracked: 1. -@@ -187,13 +185,13 @@ dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.Object - dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o')) - - [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_types ] --dbus.Array([dbus.String(u'RSA'), dbus.String(u'DSA'), dbus.String(u'EC')], signature=dbus.Signature('s')) -+dbus.Array([dbus.String('RSA'), dbus.String('DSA'), dbus.String('EC')], signature=dbus.Signature('s')) - - [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_storage ] --dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s')) -+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s')) - - [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_cert_storage ] --dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s')) -+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s')) - - [ /org/fedorahosted/certmonger : org.fedorahosted.certmonger.remove_known_ca ] - OK -@@ -433,19 +431,19 @@ Buddy - - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ] --(dbus.String(u'CN=$UUID,CN=Local Signing Authority'), dbus.String(u'$UUID'), dbus.String(u'CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s'))) -+(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s'))) - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ] - recently - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_storage_info ] --(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.crt')) -+(dbus.String('FILE'), dbus.String('$tmpdir/test.crt')) - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_data ] - - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_info ] --(dbus.String(u'CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'id-kp-serverAuth')], signature=dbus.Signature('s'))) -+(dbus.String('CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('id-kp-serverAuth')], signature=dbus.Signature('s'))) - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_pin ] - -@@ -454,19 +452,19 @@ recently - - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_storage_info ] --(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.key')) -+(dbus.String('FILE'), dbus.String('$tmpdir/test.key')) - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_type_and_size ] --(dbus.String(u'RSA'), dbus.Int64(512L)) -+(dbus.String('RSA'), dbus.Int64(512)) - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_monitoring ] - 1 - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_notification_info ] --(dbus.String(u'stdout'), dbus.String(u'daemon.notice')) -+(dbus.String('stdout'), dbus.String('daemon.notice')) - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_status ] --(dbus.String(u'MONITORING'), dbus.Boolean(False)) -+(dbus.String('MONITORING'), dbus.Boolean(False)) - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_ca ] - /org/fedorahosted/certmonger/cas/CA1 -@@ -482,7 +480,7 @@ recently - - [ /org/fedorahosted/certmonger/requests/Request2 : org.fedorahosted.certmonger.request.modify ] - 1 on /org/fedorahosted/certmonger/requests/Request2 --After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1) -+After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String('1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1) - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.rekey ] - 1 -@@ -713,7 +711,7 @@ dbus.Array([], signature=dbus.Signature('s')) - - - [ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_config_file_path ] --$tmpdir/cas/20180327134236 -+$tmpdir/cas/date - - [ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_nickname ] - SelfSign -@@ -828,7 +826,7 @@ dbus.Array([], signature=dbus.Signature('s')) - - - [ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_config_file_path ] --$tmpdir/cas/20180327134236-1 -+$tmpdir/cas/date-1 - - [ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_nickname ] - IPA -@@ -941,7 +939,7 @@ dbus.Array([], signature=dbus.Signature('s')) - - - [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ] --$tmpdir/cas/20180327134236-2 -+$tmpdir/cas/date-2 - - [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ] - certmaster -@@ -1054,7 +1052,7 @@ dbus.Array([], signature=dbus.Signature('s')) - - - [ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ] --$tmpdir/cas/20180327134236-3 -+$tmpdir/cas/date-3 - - [ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ] - dogtag-ipa-renew-agent -diff --git a/tests/028-dbus/expected.out.nodsa b/tests/028-dbus/expected.out.nodsa -index a23af40..5082ee0 100644 ---- a/tests/028-dbus/expected.out.nodsa -+++ b/tests/028-dbus/expected.out.nodsa -@@ -187,13 +187,13 @@ dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.Object - dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o')) - - [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_types ] --dbus.Array([dbus.String(u'RSA'), dbus.String(u'EC')], signature=dbus.Signature('s')) -+dbus.Array([dbus.String('RSA'), dbus.String('EC')], signature=dbus.Signature('s')) - - [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_storage ] --dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s')) -+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s')) - - [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_cert_storage ] --dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s')) -+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s')) - - [ /org/fedorahosted/certmonger : org.fedorahosted.certmonger.remove_known_ca ] - OK -@@ -432,19 +432,19 @@ Buddy - - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ] --(dbus.String(u'CN=$UUID,CN=Local Signing Authority'), dbus.String(u'$UUID'), dbus.String(u'CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s'))) -+(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s'))) - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ] - recently - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_storage_info ] --(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.crt')) -+(dbus.String('FILE'), dbus.String('$tmpdir/test.crt')) - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_data ] - - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_info ] --(dbus.String(u'CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'id-kp-serverAuth')], signature=dbus.Signature('s'))) -+(dbus.String('CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('id-kp-serverAuth')], signature=dbus.Signature('s'))) - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_pin ] - -@@ -453,19 +453,19 @@ recently - - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_storage_info ] --(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.key')) -+(dbus.String('FILE'), dbus.String('$tmpdir/test.key')) - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_type_and_size ] --(dbus.String(u'RSA'), dbus.Int64(512L)) -+(dbus.String('RSA'), dbus.Int64(512)) - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_monitoring ] - 1 - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_notification_info ] --(dbus.String(u'stdout'), dbus.String(u'daemon.notice')) -+(dbus.String('stdout'), dbus.String('daemon.notice')) - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_status ] --(dbus.String(u'MONITORING'), dbus.Boolean(False)) -+(dbus.String('MONITORING'), dbus.Boolean(False)) - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_ca ] - /org/fedorahosted/certmonger/cas/CA1 -@@ -481,7 +481,7 @@ recently - - [ /org/fedorahosted/certmonger/requests/Request2 : org.fedorahosted.certmonger.request.modify ] - 1 on /org/fedorahosted/certmonger/requests/Request2 --After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1) -+After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String('1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1) - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.rekey ] - 1 -diff --git a/tests/028-dbus/prequal.sh b/tests/028-dbus/prequal.sh -index e645c19..4fe79c8 100755 ---- a/tests/028-dbus/prequal.sh -+++ b/tests/028-dbus/prequal.sh -@@ -9,19 +9,19 @@ if test -z "$DBUSDAEMON" ; then - echo dbus-daemon not found - exit 1 - fi --if ! python -c 'import os' 2> /dev/null ; then -+if ! python3 -c 'import os' 2> /dev/null ; then - echo python not found - exit 1 - fi --if ! python -c 'import dbus' 2> /dev/null ; then -+if ! python3 -c 'import dbus' 2> /dev/null ; then - echo python-dbus not found - exit 1 - fi --if ! python -c 'import xml' 2> /dev/null ; then -+if ! python3 -c 'import xml' 2> /dev/null ; then - echo python-xml not found - exit 1 - fi --if ! python -c 'import xml.etree.ElementTree' 2> /dev/null ; then -+if ! python3 -c 'import xml.etree.ElementTree' 2> /dev/null ; then - echo python-xml does not include etree.ElementTree - exit 1 - fi -diff --git a/tests/028-dbus/run.sh b/tests/028-dbus/run.sh -index c468d51..ee90875 100755 ---- a/tests/028-dbus/run.sh -+++ b/tests/028-dbus/run.sh -@@ -23,7 +23,7 @@ EOF - $DBUSDAEMON --session --print-address=3 --print-pid=4 --fork 3> $tmpdir/address 4> $tmpdir/pid - if test -s $tmpdir/pid ; then - env DBUS_SESSION_BUS_ADDRESS=`cat $tmpdir/address` \ -- $toolsdir/../../src/certmonger-session -n -c $tmpdir/runsub.sh -+ $toolsdir/../../src/certmonger-session -n -c $tmpdir/runsub.sh > /dev/null - fi - kill `cat $tmpdir/pid` - -@@ -33,8 +33,8 @@ now=`date +%s` - for i in `seq 240` ; do - recently=$(($now-$i)) - tomorrow=$(($now-$i+24*60*60)) -- sed -i -e s/^$recently'$/recently/g' -e s/"("$recently"L)"/'(recently)'/g \ -- -e s/^$tomorrow'$/tomorrow/g' -e s/"("$tomorrow"L)"/'(tomorrow)'/g $tmpdir/runsub.out -+ sed -i -e s/^$recently'$/recently/g' -e s/"("$recently")"/'(recently)'/g \ -+ -e s/^$tomorrow'$/tomorrow/g' -e s/"("$tomorrow")"/'(tomorrow)'/g $tmpdir/runsub.out - done - - cat $tmpdir/runsub.out | \ -@@ -43,4 +43,5 @@ sed -r -e 's,CN=........-........-........-........,CN=$UUID,g' \ - -e "s|$libexecdir|\$libexecdir|g" \ - -e "s|$tmpdir|\$tmpdir|g" \ - -e "s|expires:.*|expires: sometime|g" \ -- -e "s|u'(00)?[0-9a-fA-F]{32}|u'"'$UUID|g' -+ -e "s|'(00)?[0-9a-fA-F]{32}|'"'$UUID|g' \ -+ -e "s|cas\/[0-9]{14}|cas\/date|g" -diff --git a/tests/028-dbus/runsub.sh b/tests/028-dbus/runsub.sh -index 3510d79..fe6766c 100755 ---- a/tests/028-dbus/runsub.sh -+++ b/tests/028-dbus/runsub.sh -@@ -22,5 +22,5 @@ echo "" - echo "[[ API ]]" - for i in ./*.py ; do - echo "[" `basename "$i"` "]" -- python $i -+ python3 $i - done -diff --git a/tests/028-dbus/simpleprop.py b/tests/028-dbus/simpleprop.py -index e4f937e..35d9591 100644 ---- a/tests/028-dbus/simpleprop.py -+++ b/tests/028-dbus/simpleprop.py -@@ -1,4 +1,4 @@ --#!/usr/bin/python -+#!/usr/bin/python3 - import dbus - - # Get a handle for the main certmonger interface. -@@ -19,7 +19,7 @@ ca = dbus.Interface(o, 'org.freedesktop.DBus.Properties') - - # Toggle the helper a couple of times. - ca_ext_h = o.Get('org.fedorahosted.certmonger.ca', 'external-helper') --print ca_ext_h, "->", -+print(ca_ext_h, "-> ", end='') - - if ca_ext_h.split()[0] == ca_ext_h: - ca_ext_h += ' -k admin@localhost' -@@ -28,7 +28,7 @@ else: - ca.Set('org.fedorahosted.certmonger.ca', 'external-helper', ca_ext_h) - - ca_ext_h = o.Get('org.fedorahosted.certmonger.ca', 'external-helper') --print ca_ext_h, "->", -+print(ca_ext_h, "-> ", end='') - - if ca_ext_h.split()[0] == ca_ext_h: - ca_ext_h += ' -k admin@localhost' -@@ -37,20 +37,20 @@ else: - ca.Set('org.fedorahosted.certmonger.ca', 'external-helper', ca_ext_h) - - ca_ext_h = o.Get('org.fedorahosted.certmonger.ca', 'external-helper') --print ca_ext_h -+print(ca_ext_h) - - # Toggle the "is-default" value a couple of times. - isdef = ca.Get('org.fedorahosted.certmonger.ca', 'is-default') --print isdef, "->", -+print(isdef, "-> ", end='') - - ca.Set('org.fedorahosted.certmonger.ca', 'is-default', not isdef) - - isdef = ca.Get('org.fedorahosted.certmonger.ca', 'is-default') --print isdef, "->", -+print(isdef, "-> ", end='') - - ca.Set('org.fedorahosted.certmonger.ca', 'is-default', not isdef) - - isdef = ca.Get('org.fedorahosted.certmonger.ca', 'is-default') --print isdef -+print(isdef) - - cm.remove_known_ca(path) -diff --git a/tests/028-dbus/walk.py b/tests/028-dbus/walk.py -index f60ca93..683d94e 100644 ---- a/tests/028-dbus/walk.py -+++ b/tests/028-dbus/walk.py -@@ -1,4 +1,4 @@ --#!/usr/bin/python -+#!/usr/bin/python3 - import dbus - import xml.etree.ElementTree - import os -@@ -9,217 +9,219 @@ bus = dbus.SessionBus() - - # Check that reading a property directly produces the same value as reading it via GetAll(). - def check_props(objpath, interface): -- o = bus.get_object('org.fedorahosted.certmonger', objpath) -- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties') -- props = i.GetAll(interface) -- for prop in props.keys(): -- value = props[prop] -- if value != i.Get(interface, prop): -- print("%s: property %s.%s mismatch (%s, %s)" % (objpath, interface, prop, value, i.Get(interface, prop))) -- return False -- return True -+ o = bus.get_object('org.fedorahosted.certmonger', objpath) -+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties') -+ props = i.GetAll(interface) -+ for prop in props.keys(): -+ value = props[prop] -+ if value != i.Get(interface, prop): -+ print("%s: property %s.%s mismatch (%s, %s)" % (objpath, interface, prop, value, i.Get(interface, prop))) -+ return False -+ return True - - # Try to call the method. - def examine_method(objpath, interface, method, idata): -- in_args = 0 -- out_args = 0 -- o = bus.get_object('org.fedorahosted.certmonger', objpath) -- i = dbus.Interface(o, interface) -- for child in idata.getchildren(): -- if child.tag == 'arg': -- if child.get('direction') != 'out': -- in_args = in_args + 1 -- else: -- out_args = out_args + 1 -- if in_args == 0: -- # Takes no inputs, so just call it. -- m = i.get_dbus_method(method) -- if out_args == 0: -- m() -- print("[ %s: %s.%s ]\n" % (objpath, interface, method)) -- elif out_args == 1: -- result = m() -- print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result)) -- else: -- result = m() -- print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result)) -- elif method == 'Get' or method == 'Set' or method == 'GetAll': -- # We check on properties elsewhere. -- return True -- # Per-method exercise. -- elif method == 'add_known_ca' or method == 'remove_known_ca': -- (result, path) = i.add_known_ca('Test CA', '/usr/bin/env', []) -- if not result: -- print("[ %s : %s.%s ]: add_known_ca error\n" % (objpath, interface, method)) -- return False -- result = i.remove_known_ca(path) -- if not result: -- print("[ %s : %s.%s ]: remove_known_ca error\n" % (objpath, interface, method)) -- return False -- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method)) -- elif method == 'add_request' or method == 'remove_request': -- tmpdir = os.getenv('TMPDIR') -- if not tmpdir or tmpdir == '': -- tmpdir = '/tmp' -- properties = { -- 'nickname': 'foo', -- 'cert-storage': 'file', -- 'cert-file': tmpdir + "/028-certfile", -- 'key-storage': 'file', -- 'key-file': tmpdir + "/028-keyfile", -- 'template-email': ['root@localhost', 'toor@localhost'], -- } -- (result, path) = i.add_request(properties) -- if not result: -- print("[ %s : %s.%s ]: add_request error\n" % (objpath, interface, method)) -- return False -- result = i.remove_request(path) -- if not result: -- print("[ %s : %s.%s ]: remove_request error\n" % (objpath, interface, method)) -- return False -- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method)) -- elif method == 'find_ca_by_nickname': -- capath = i.find_ca_by_nickname('local') -- o = bus.get_object('org.fedorahosted.certmonger', capath) -- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties') -- if i.Get('org.fedorahosted.certmonger.ca', 'nickname') != 'local': -- print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.ca', 'nickname'))) -- return False -- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method)) -- elif method == 'find_request_by_nickname': -- reqpath = i.find_request_by_nickname('Buddy') -- o = bus.get_object('org.fedorahosted.certmonger', reqpath) -- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties') -- if i.Get('org.fedorahosted.certmonger.request', 'nickname') != 'Buddy': -- print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.request', 'nickname'))) -- return False -- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method)) -- elif method == 'modify': -- mods = {} -- propname = "template-eku" -- propval = '1.2.3.4.5.6.7.8.9.10' -- mods[propname] = [propval,] -- status, path = i.modify(mods) -- if not status: -- print("[ %s : %s.%s ] error\n" % (objpath, interface, method)) -- return False -- print("[ %s : %s.%s ]\n%d on %s" % (objpath, interface, method, status, path)) -- props = dbus.Interface(o, 'org.freedesktop.DBus.Properties') -- prop = props.Get(interface, 'template-eku') -- print("After setting %s to %s, we got %s\n" % (propname, propval, prop)) -- else: -- # We're in FIXME territory. -- print('FIXME: need support for "%s"' % method) -- return False -- # If we caused things to start churning, wait for them to settle. -+ in_args = 0 -+ out_args = 0 -+ o = bus.get_object('org.fedorahosted.certmonger', objpath) -+ i = dbus.Interface(o, interface) -+ for child in idata.getchildren(): -+ if child.tag == 'arg': -+ if child.get('direction') != 'out': -+ in_args = in_args + 1 -+ else: -+ out_args = out_args + 1 -+ if in_args == 0: -+ # Takes no inputs, so just call it. -+ m = i.get_dbus_method(method) -+ if out_args == 0: -+ m() -+ print("[ %s: %s.%s ]\n" % (objpath, interface, method)) -+ elif out_args == 1: -+ result = m() -+ print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result)) -+ else: -+ result = m() -+ print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result)) -+ elif method == 'Get' or method == 'Set' or method == 'GetAll': -+ # We check on properties elsewhere. -+ return True -+ # Per-method exercise. -+ elif method == 'add_known_ca' or method == 'remove_known_ca': -+ (result, path) = i.add_known_ca('Test CA', '/usr/bin/env', []) -+ if not result: -+ print("[ %s : %s.%s ]: add_known_ca error\n" % (objpath, interface, method)) -+ return False -+ result = i.remove_known_ca(path) -+ if not result: -+ print("[ %s : %s.%s ]: remove_known_ca error\n" % (objpath, interface, method)) -+ return False -+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method)) -+ elif method == 'add_request' or method == 'remove_request': -+ tmpdir = os.getenv('TMPDIR') -+ if not tmpdir or tmpdir == '': -+ tmpdir = '/tmp' -+ properties = { -+ 'nickname': 'foo', -+ 'cert-storage': 'file', -+ 'cert-file': tmpdir + "/028-certfile", -+ 'key-storage': 'file', -+ 'key-file': tmpdir + "/028-keyfile", -+ 'template-email': ['root@localhost', 'toor@localhost'], -+ } -+ (result, path) = i.add_request(properties) -+ if not result: -+ print("[ %s : %s.%s ]: add_request error\n" % (objpath, interface, method)) -+ return False -+ result = i.remove_request(path) -+ if not result: -+ print("[ %s : %s.%s ]: remove_request error\n" % (objpath, interface, method)) -+ return False -+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method)) -+ elif method == 'find_ca_by_nickname': -+ capath = i.find_ca_by_nickname('local') -+ o = bus.get_object('org.fedorahosted.certmonger', capath) -+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties') -+ if i.Get('org.fedorahosted.certmonger.ca', 'nickname') != 'local': -+ print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.ca', 'nickname'))) -+ return False -+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method)) -+ elif method == 'find_request_by_nickname': -+ reqpath = i.find_request_by_nickname('Buddy') -+ if not reqpath: -+ return False -+ o = bus.get_object('org.fedorahosted.certmonger', reqpath) -+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties') -+ if i.Get('org.fedorahosted.certmonger.request', 'nickname') != 'Buddy': -+ print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.request', 'nickname'))) -+ return False -+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method)) -+ elif method == 'modify': -+ mods = {} -+ propname = "template-eku" -+ propval = '1.2.3.4.5.6.7.8.9.10' -+ mods[propname] = [propval,] -+ status, path = i.modify(mods) -+ if not status: -+ print("[ %s : %s.%s ] error\n" % (objpath, interface, method)) -+ return False -+ print("[ %s : %s.%s ]\n%d on %s" % (objpath, interface, method, status, path)) -+ props = dbus.Interface(o, 'org.freedesktop.DBus.Properties') -+ prop = props.Get(interface, 'template-eku') -+ print("After setting %s to %s, we got %s\n" % (propname, propval, prop)) -+ else: -+ # We're in FIXME territory. -+ print('FIXME: need support for "%s"' % method) -+ return False -+ # If we caused things to start churning, wait for them to settle. - if method == 'resubmit': - props = dbus.Interface(o, 'org.freedesktop.DBus.Properties') - prop = props.Get(interface, 'status') - while prop != 'MONITORING': - time.sleep(1) - prop = props.Get(interface, 'status') -- return True -+ return True - - def iget(child, proxy, interface, prop): -- value = proxy.Get(interface, prop) -- if not value: -- if child.get('type') == 'b': -- value = False -- elif child.get('type') == 'n' or child.get('type') == 'x': -- value = 0 -- elif child.get('type') == 's': -- value = '' -- elif child.get('type') == 'as': -- value = [''] -- else: -- print("%s.%s: %s" % (interface, prop, child.get('type'))) -- return False -- return value -+ value = proxy.Get(interface, prop) -+ if not value: -+ if child.get('type') == 'b': -+ value = False -+ elif child.get('type') == 'n' or child.get('type') == 'x': -+ value = 0 -+ elif child.get('type') == 's': -+ value = '' -+ elif child.get('type') == 'as': -+ value = [''] -+ else: -+ print("%s.%s: %s" % (interface, prop, child.get('type'))) -+ return False -+ return value - - def examine_interface(objpath, interface, idata): -- o = bus.get_object('org.fedorahosted.certmonger', objpath) -- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties') -- for child in idata.getchildren(): -- if child.tag == 'property': -- prop = child.get('name') -- if child.get('access') == 'read': -- # Check that we can read it. -- value = i.Get(interface, prop) -- elif child.get('access') == 'readwrite': -- if prop == 'external-helper' or prop == 'scep-ca-identifier': -- cai = dbus.Interface(o, 'org.fedorahosted.certmonger.ca') -- if cai.get_type() != 'EXTERNAL': -- print("%s: warning: property %s.%s not settable on this object" % (objpath, interface, prop)) -- continue -- # Check that we can read it, tweak it, and then reset it. -- value = iget(child, i, interface, prop) -- i.Set(interface, prop, value) -- newvalue = None -- if child.get('type') == 'b': -- newvalue = not value -- elif child.get('type') == 'n' or child.get('type') == 'x': -- newvalue = value + 1 -- elif child.get('type') == 's': -- newvalue = 'x' + value -- elif child.get('type') == 'as': -- newvalue = ['x'] + value -- else: -- print("%s.%s: %s" % (interface, prop, child.get('type'))) -- return False -- if newvalue: -- if newvalue == value: -- print("%s: error determining new value: (%s, %s): %s" % (objpath, interface, prop, value)) -- return False -- i.Set(interface, prop, newvalue) -- if newvalue != iget(child, i, interface, prop): -- print("%s: property %s.%s not set: (%s, %s)" % (objpath, interface, prop, value, newvalue)) -- return False -- i.Set(interface, prop, value) -- if value != iget(child, i, interface, prop): -- print("%s: property %s.%s not reset: (%s, %s)" % (objpath, interface, prop, newvalue, value)) -- return False -- elif child.tag == 'method': -- method = child.get('name') -- if not examine_method(objpath, interface, method, child): -- return False -- elif child.tag == 'signal': -- continue -- else: -- print "FIXME: handle child tag %s" % child.tag -- return False -- return True -+ o = bus.get_object('org.fedorahosted.certmonger', objpath) -+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties') -+ for child in idata.getchildren(): -+ if child.tag == 'property': -+ prop = child.get('name') -+ if child.get('access') == 'read': -+ # Check that we can read it. -+ value = i.Get(interface, prop) -+ elif child.get('access') == 'readwrite': -+ if prop == 'external-helper' or prop == 'scep-ca-identifier': -+ cai = dbus.Interface(o, 'org.fedorahosted.certmonger.ca') -+ if cai.get_type() != 'EXTERNAL': -+ print("%s: warning: property %s.%s not settable on this object" % (objpath, interface, prop)) -+ continue -+ # Check that we can read it, tweak it, and then reset it. -+ value = iget(child, i, interface, prop) -+ i.Set(interface, prop, value) -+ newvalue = None -+ if child.get('type') == 'b': -+ newvalue = not value -+ elif child.get('type') == 'n' or child.get('type') == 'x': -+ newvalue = value + 1 -+ elif child.get('type') == 's': -+ newvalue = 'x' + value -+ elif child.get('type') == 'as': -+ newvalue = ['x'] + value -+ else: -+ print("%s.%s: %s" % (interface, prop, child.get('type'))) -+ return False -+ if newvalue: -+ if newvalue == value: -+ print("%s: error determining new value: (%s, %s): %s" % (objpath, interface, prop, value)) -+ return False -+ i.Set(interface, prop, newvalue) -+ if newvalue != iget(child, i, interface, prop): -+ print("%s: property %s.%s not set: (%s, %s)" % (objpath, interface, prop, value, newvalue)) -+ return False -+ i.Set(interface, prop, value) -+ if value != iget(child, i, interface, prop): -+ print("%s: property %s.%s not reset: (%s, %s)" % (objpath, interface, prop, newvalue, value)) -+ return False -+ elif child.tag == 'method': -+ method = child.get('name') -+ if not examine_method(objpath, interface, method, child): -+ return False -+ elif child.tag == 'signal': -+ continue -+ else: -+ print("FIXME: handle child tag %s" % child.tag) -+ return False -+ return True - - def examine_object(objpath): -- o = bus.get_object('org.fedorahosted.certmonger', objpath) -- i = dbus.Interface(o, 'org.freedesktop.DBus.Introspectable') -- idata = i.Introspect() -- x = xml.etree.ElementTree.XML(idata) -+ o = bus.get_object('org.fedorahosted.certmonger', objpath) -+ i = dbus.Interface(o, 'org.freedesktop.DBus.Introspectable') -+ idata = i.Introspect() -+ x = xml.etree.ElementTree.XML(idata) - -- # Check if the object supports properties interfaces. -- props = False -- for child in x.getchildren(): -- if child.tag == 'interface': -- if child.get('name') == 'org.freedesktop.DBus.Properties': -- props = True -+ # Check if the object supports properties interfaces. -+ props = False -+ for child in x.getchildren(): -+ if child.tag == 'interface': -+ if child.get('name') == 'org.freedesktop.DBus.Properties': -+ props = True - -- # Look at the interfaces and child nodes. -- for child in x.getchildren(): -- if child.tag == 'interface': -- if props and not check_props(objpath, child.get('name')): -- return False -- if not examine_interface(objpath, child.get('name'), child): -- return False -- elif child.tag == 'node': -- if objpath == '/': -- childpath = '/' + child.get('name') -- else: -- childpath = objpath + '/' + child.get('name') -- examine_object(childpath) -- else: -- print "FIXME: handle child tag %s" % child.tag -- return False -- return True -+ # Look at the interfaces and child nodes. -+ for child in x.getchildren(): -+ if child.tag == 'interface': -+ if props and not check_props(objpath, child.get('name')): -+ return False -+ if not examine_interface(objpath, child.get('name'), child): -+ return False -+ elif child.tag == 'node': -+ if objpath == '/': -+ childpath = '/' + child.get('name') -+ else: -+ childpath = objpath + '/' + child.get('name') -+ examine_object(childpath) -+ else: -+ print("FIXME: handle child tag %s" % child.tag) -+ return False -+ return True - - if not examine_object('/'): -- sys.exit(1) -+ sys.exit(1) - sys.exit(0) -diff --git a/tests/038-ms-v2-template/extract-extdata.py b/tests/038-ms-v2-template/extract-extdata.py -index 1a845fd..9f9d910 100755 ---- a/tests/038-ms-v2-template/extract-extdata.py -+++ b/tests/038-ms-v2-template/extract-extdata.py -@@ -1,10 +1,11 @@ --#!/usr/bin/python2 -+#!/usr/bin/python3 - - # Given `openssl asn1parse` output of a CSR, look for the V2 Template - # extension and output its data if found. Nonzero exit status if - # not found. - - import binascii -+import os - import re - import sys - -@@ -21,7 +22,7 @@ for line in sys.stdin: - # - if state == STATE_FOUND and 'OCTET STRING' in line: - result = re.search(r'\[HEX DUMP\]:(\w*)', line) -- sys.stdout.write(binascii.unhexlify(result.group(1))) -+ os.write(1, binascii.unhexlify(result.group(1))) - state = STATE_DONE - break - --- -2.17.0 - diff --git a/SOURCES/0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch b/SOURCES/0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch new file mode 100644 index 0000000..528271a --- /dev/null +++ b/SOURCES/0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch @@ -0,0 +1,195 @@ +From 73b1729b9ca740174ef2fa14332f890c5cd17a26 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 10 Nov 2020 18:48:05 -0500 +Subject: [PATCH] Revert "Remove the certmaster CA from the 028-dbus test" + +This reverts commit dd8dcb899e0a159d1141b713993805565ffb6d28. +--- + tests/028-dbus/expected.out | 130 ++++++++++++++++++++++++++++++++++-- + 1 file changed, 124 insertions(+), 6 deletions(-) + +diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out +index ca7de34f..4d6a9a59 100644 +--- a/tests/028-dbus/expected.out ++++ b/tests/028-dbus/expected.out +@@ -34,6 +34,10 @@ CA 'IPA': + is-default: no + ca-type: EXTERNAL + helper-location: $libexecdir/ipa-submit ++CA 'certmaster': ++ is-default: no ++ ca-type: EXTERNAL ++ helper-location: $libexecdir/certmaster-submit + CA 'dogtag-ipa-renew-agent': + is-default: no + ca-type: EXTERNAL +@@ -41,8 +45,8 @@ CA 'dogtag-ipa-renew-agent': + + [[ API ]] + [ simpleprop.py ] +-/org/fedorahosted/certmonger/cas/CA5 +-/org/fedorahosted/certmonger/cas/CA5 ++/org/fedorahosted/certmonger/cas/CA6 ++/org/fedorahosted/certmonger/cas/CA6 + : -> : -k admin@localhost -> : + 0 -> 1 -> 0 + [ walk.py ] +@@ -178,7 +182,7 @@ OK + OK + + [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ] +-dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4')], signature=dbus.Signature('o')) ++dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA5')], signature=dbus.Signature('o')) + + [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ] + dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o')) +@@ -504,6 +508,7 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri + + + ++ + + + [ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ] +@@ -937,10 +942,10 @@ dbus.Array([], signature=dbus.Signature('s')) + + + [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ] +-$tmpdir/cas/20180327134236-3 ++$tmpdir/cas/20180327134236-2 + + [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ] +-dogtag-ipa-renew-agent ++certmaster + + [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ] + 0 +@@ -952,7 +957,7 @@ EXTERNAL + None + + [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ] +-$libexecdir/dogtag-ipa-renew-agent-submit ++$libexecdir/certmaster-submit + + [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ] + dbus.Array([], signature=dbus.Signature('s')) +@@ -960,3 +965,116 @@ dbus.Array([], signature=dbus.Signature('s')) + [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ] + 1 + ++[ /org/fedorahosted/certmonger/cas/CA5: org.freedesktop.DBus.Introspectable.Introspect ] ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ] ++$tmpdir/cas/20180327134236-3 ++ ++[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ] ++dogtag-ipa-renew-agent ++ ++[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_is_default ] ++0 ++ ++[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_type ] ++EXTERNAL ++ ++[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_serial ] ++None ++ ++[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_location ] ++$libexecdir/dogtag-ipa-renew-agent-submit ++ ++[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_issuer_names ] ++dbus.Array([], signature=dbus.Signature('s')) ++ ++[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.refresh ] ++1 ++ +-- +2.25.4 + diff --git a/SOURCES/0018-clang-more-Dead-assignment.patch b/SOURCES/0018-clang-more-Dead-assignment.patch deleted file mode 100644 index 951841b..0000000 --- a/SOURCES/0018-clang-more-Dead-assignment.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 3dee8044adf134462fadb2b135cc965227f1fab9 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 8 Oct 2018 12:48:41 -0400 -Subject: [PATCH 18/25] clang: more Dead assignment - ---- - src/submit-x.c | 5 ++--- - src/tdbus.c | 1 - - 2 files changed, 2 insertions(+), 4 deletions(-) - -diff --git a/src/submit-x.c b/src/submit-x.c -index fa81e9aa..abebc610 100644 ---- a/src/submit-x.c -+++ b/src/submit-x.c -@@ -914,9 +914,8 @@ main(int argc, const char **argv) - - /* Maybe we need a ccache. */ - if (k5 || (kpname != NULL) || (ktname != NULL)) { -- if (!make_ccache || -- (cm_submit_x_make_ccache(ktname, kpname, NULL) == 0)) { -- k5 = TRUE; -+ if (make_ccache) { -+ cm_submit_x_make_ccache(ktname, kpname, NULL); - } - } - -diff --git a/src/tdbus.c b/src/tdbus.c -index cb0a8ad7..a81b5349 100644 ---- a/src/tdbus.c -+++ b/src/tdbus.c -@@ -757,7 +757,6 @@ cm_tdbus_setup_public(struct tevent_context *ec, enum cm_tdbus_type bus_type, - /* Connect to the right bus. */ - bus_desc = NULL; - conn = NULL; -- exit_on_disconnect = TRUE; - if (error != NULL) { - dbus_error_init(error); - } --- -2.21.0 - diff --git a/SOURCES/0019-clang-more-Memory-leaks.patch b/SOURCES/0019-clang-more-Memory-leaks.patch deleted file mode 100644 index 2434547..0000000 --- a/SOURCES/0019-clang-more-Memory-leaks.patch +++ /dev/null @@ -1,321 +0,0 @@ -From 0dc90f1783981ac11c3c067c40df88d6315911a6 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 8 Oct 2018 12:53:57 -0400 -Subject: [PATCH 19/25] clang: more Memory leaks - -Fix leaks in tests/tools/addcinfo.c, dogtag.c and submit-x.c ---- - src/dogtag.c | 17 +++++++++++++---- - src/getcert.c | 3 ++- - src/store-files.c | 1 + - src/submit-d.c | 6 ++++++ - src/submit-x.c | 39 ++++++++++----------------------------- - tests/tools/addcinfo.c | 8 +++++--- - 6 files changed, 37 insertions(+), 37 deletions(-) - -diff --git a/src/dogtag.c b/src/dogtag.c -index 55607f3d..8e3890a5 100644 ---- a/src/dogtag.c -+++ b/src/dogtag.c -@@ -117,7 +117,7 @@ main(int argc, const char **argv) - const char *ssldir = NULL, *cainfo = NULL, *capath = NULL; - const char *sslcert = NULL, *sslkey = NULL; - const char *sslpin = NULL, *sslpinfile = NULL; -- const char *csr = NULL, *serial = NULL, *template = NULL; -+ const char *csr = NULL, *csre = NULL, *serial = NULL, *template = NULL; - const char *uid = NULL, *pwd = NULL, *pwdfile = NULL; - const char *udn = NULL, *pin = NULL, *pinfile = NULL; - char *poptarg; -@@ -127,7 +127,7 @@ main(int argc, const char **argv) - } *aoptions = NULL, *soptions = NULL; - size_t num_aoptions = 0, num_soptions = 0, j; - char *savedstate = NULL; -- char *p, *q, *params = NULL, *params2 = NULL; -+ char *p = NULL, *q = NULL, *params = NULL, *params2 = NULL; - const char *lasturl = NULL, *lastparams = NULL; - const char *tmp = NULL, *results = NULL; - struct cm_submit_h_context *hctx; -@@ -537,16 +537,19 @@ main(int argc, const char **argv) - } - poptPrintUsage(pctx, stdout, 0); - free(csr); -+ free(p); - return CM_SUBMIT_STATUS_UNCONFIGURED; - } -- csr = cm_submit_u_url_encode(csr); -+ csre = cm_submit_u_url_encode(csr); - params = talloc_asprintf(ctx, - "profileId=%s&" - "cert_request_type=pkcs10&" - "cert_request=%s&" - "xml=true", - template, -- csr); -+ csre); -+ free(csr); -+ free(csre); - } - /* Check for creds specified as options. */ - for (j = 0; j < num_soptions; j++) { -@@ -608,12 +611,16 @@ main(int argc, const char **argv) - printf(_("No agent URL (-A) given, and no default " - "known.\n")); - poptPrintUsage(pctx, stdout, 0); -+ free(p); -+ free(q); - return CM_SUBMIT_STATUS_UNCONFIGURED; - } - if ((sslcert == NULL) || (strlen(sslcert) == 0)) { - printf(_("No agent credentials (-n) given, but they " - "are needed.\n")); - poptPrintUsage(pctx, stdout, 0); -+ free(p); -+ free(q); - return CM_SUBMIT_STATUS_UNCONFIGURED; - } - /* Reading profile defaults for this certificate, then applying -@@ -778,12 +785,14 @@ main(int argc, const char **argv) - lasturl); - } - talloc_free(ctx); -+ free(p); - return CM_SUBMIT_STATUS_UNREACHABLE; - } - if (results == NULL) { - printf(_("Internal error: no response to \"%s?%s\".\n"), - lasturl, lastparams); - talloc_free(ctx); -+ free(p); - return CM_SUBMIT_STATUS_REJECTED; - } - switch (op) { -diff --git a/src/getcert.c b/src/getcert.c -index ddb28de2..0d527ab0 100644 ---- a/src/getcert.c -+++ b/src/getcert.c -@@ -4042,11 +4042,12 @@ thumbprint(const char *s, SECOidTag tag, int bits) - } - u = malloc(length); - if (u == NULL) { -+ free(t); - goto done; - } - length = cm_store_base64_to_bin(t, -1, u, length); -+ free(t); - if (PK11_HashBuf(tag, digest, u, length) == SECSuccess) { -- free(t); - t = malloc(bits / 4 + howmany(bits, 32)); - if (t != NULL) { - ret = t; -diff --git a/src/store-files.c b/src/store-files.c -index b97ba5ff..4e57ae16 100644 ---- a/src/store-files.c -+++ b/src/store-files.c -@@ -573,6 +573,7 @@ cm_store_file_read_lines(void *parent, FILE *fp) - lines = tlines; - } - } -+ free(buf); - return lines; - } - -diff --git a/src/submit-d.c b/src/submit-d.c -index 5a4edb3f..36cc9828 100644 ---- a/src/submit-d.c -+++ b/src/submit-d.c -@@ -1204,6 +1204,9 @@ restart: - } else { - printf("Error %d.\n", c); - } -+ if (defaults != nodefault) { -+ free(defaults); -+ } - return 1; - } - result = cm_submit_h_results(hctx, NULL) ?: ""; -@@ -1365,6 +1368,9 @@ restart: - /* never reached */ - break; - } -+ if (defaults != nodefault) { -+ free(defaults); -+ } - return 0; - } - #endif -diff --git a/src/submit-x.c b/src/submit-x.c -index abebc610..58d007ef 100644 ---- a/src/submit-x.c -+++ b/src/submit-x.c -@@ -45,14 +45,17 @@ get_error_message(krb5_context ctx, krb5_error_code kcode) - { - const char *ret; - #ifdef HAVE_KRB5_GET_ERROR_MESSAGE -- ret = ctx ? krb5_get_error_message(ctx, kcode) : NULL; -- if (ret == NULL) { -- ret = error_message(kcode); -+ if (ctx) { -+ const char *msg = krb5_get_error_message(ctx, kcode); -+ ret = strdup(msg); -+ krb5_free_error_message(ctx, msg); -+ } else { -+ ret = strdup(error_message(kcode)); - } - #else -- ret = error_message(kcode); -+ ret = strdup(error_message(kcode)); - #endif -- return strdup(ret); -+ return ret; - } - - char * -@@ -75,8 +78,6 @@ cm_submit_x_ccache_realm(char **msg) - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; -- } else { -- free(ret); - } - return NULL; - } -@@ -86,8 +87,6 @@ cm_submit_x_ccache_realm(char **msg) - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; -- } else { -- free(ret); - } - return NULL; - } -@@ -97,8 +96,6 @@ cm_submit_x_ccache_realm(char **msg) - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; -- } else { -- free(ret); - } - return NULL; - } -@@ -106,7 +103,7 @@ cm_submit_x_ccache_realm(char **msg) - if (data == NULL) { - fprintf(stderr, "Error retrieving principal realm.\n"); - if (msg != NULL) { -- *msg = "Error retrieving principal realm.\n"; -+ *msg = strdup("Error retrieving principal realm.\n"); - } - return NULL; - } -@@ -114,7 +111,7 @@ cm_submit_x_ccache_realm(char **msg) - if (ret == NULL) { - fprintf(stderr, "Out of memory for principal realm.\n"); - if (msg != NULL) { -- *msg = "Out of memory for principal realm.\n"; -+ *msg = strdup("Out of memory for principal realm.\n"); - } - return NULL; - } -@@ -145,8 +142,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg) - fprintf(stderr, "Error initializing Kerberos: %s.\n", ret); - if (msg != NULL) { - *msg = ret; -- } else { -- free(ret); - } - return kret; - } -@@ -160,8 +155,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg) - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; -- } else { -- free(ret); - } - return kret; - } -@@ -173,8 +166,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg) - principal, ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; -- } else { -- free(ret); - } - return kret; - } -@@ -186,8 +177,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg) - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; -- } else { -- free(ret); - } - return kret; - } -@@ -209,8 +198,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg) - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; -- } else { -- free(ret); - } - return kret; - } -@@ -229,8 +216,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg) - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; -- } else { -- free(ret); - } - return kret; - } -@@ -245,8 +230,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg) - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; -- } else { -- free(ret); - } - return kret; - } -@@ -257,8 +240,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg) - ret = get_error_message(ctx, kret)); - if (msg != NULL) { - *msg = ret; -- } else { -- free(ret); - } - return kret; - } -diff --git a/tests/tools/addcinfo.c b/tests/tools/addcinfo.c -index 939005c2..e34612a5 100644 ---- a/tests/tools/addcinfo.c -+++ b/tests/tools/addcinfo.c -@@ -63,7 +63,7 @@ content_info_template[] = { - int - main(int argc, char **argv) - { -- unsigned char *buffer = NULL, buf[BUFSIZ]; -+ unsigned char *buffer = NULL, *newbuffer = NULL, buf[BUFSIZ]; - int i, n = 0; - unsigned int j; - SECItem encoded; -@@ -73,11 +73,13 @@ main(int argc, char **argv) - cm_log_set_method(cm_log_stderr); - cm_log_set_level(3); - while ((i = read(STDIN_FILENO, buf, sizeof(buf))) > 0) { -- buffer = realloc(buffer, n + i); -- if (buffer == NULL) { -+ newbuffer = realloc(buffer, n + i); -+ if (newbuffer == NULL) { -+ free(buffer); - cm_log(0, "Out of memory.\n"); - return 1; - } -+ buffer = newbuffer; - memcpy(buffer + n, buf, i); - n += i; - } --- -2.21.0 - diff --git a/SOURCES/0020-clang-Avoid-buffer-overflow.patch b/SOURCES/0020-clang-Avoid-buffer-overflow.patch deleted file mode 100644 index 8c4607c..0000000 --- a/SOURCES/0020-clang-Avoid-buffer-overflow.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 6b14979cdb7a177e7c5567faa67449dd1365c1b9 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 8 Oct 2018 13:16:08 -0400 -Subject: [PATCH 20/25] clang: Avoid buffer overflow - -This shouldn't be possible because the caller would never allow -it all to be passed in but quiet static analyzers. ---- - src/getcert.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/getcert.c b/src/getcert.c -index 0d527ab0..bbc45479 100644 ---- a/src/getcert.c -+++ b/src/getcert.c -@@ -1839,8 +1839,8 @@ set_tracking(const char *argv0, const char *category, - enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS; - DBusMessage *req, *rep; - const char *request, *capath; -- struct cm_tdbusm_dict param[28]; -- const struct cm_tdbusm_dict *params[29]; -+ struct cm_tdbusm_dict param[30]; -+ const struct cm_tdbusm_dict *params[30]; - char *nss_scheme, *dbdir = NULL, *token = NULL, *nickname = NULL; - char **anchor_dbs = NULL, **anchor_files = NULL; - char *id = NULL, *new_id = NULL, *new_request; --- -2.21.0 - diff --git a/SOURCES/0021-clang-Garbage-value-possible.patch b/SOURCES/0021-clang-Garbage-value-possible.patch deleted file mode 100644 index 622072e..0000000 --- a/SOURCES/0021-clang-Garbage-value-possible.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 3727376f8654f9e1dd88b1f9721124f9fc96ad0a Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 8 Oct 2018 14:44:05 -0400 -Subject: [PATCH 21/25] clang: Garbage value possible - -Need to add guard so that error was only considered if the -certificate was decodable and an import was attempted. ---- - src/certsave-n.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/certsave-n.c b/src/certsave-n.c -index 972a1dfa..30e242c1 100644 ---- a/src/certsave-n.c -+++ b/src/certsave-n.c -@@ -498,6 +498,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - } - } - /* Import the certificate. */ -+ error = SECFailure; - newcert = CERT_DecodeCertFromPackage((char *)item->data, item->len); - if (newcert != NULL) { - error = PK11_ImportCert(sle->slot, -@@ -506,7 +507,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - entry->cm_cert_nickname, - PR_FALSE); - } -- if (error == SECSuccess) { -+ if ((newcert != NULL) && (error == SECSuccess)) { - cm_log(1, "Imported certificate with " - "nickname \"%s\".\n", - entry->cm_cert_nickname); -@@ -581,6 +582,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - CERT_DestroyCertList(certlist); - } - } else { -+ ec = PORT_GetError(); - if (ec != 0) { - es = PR_ErrorToName(ec); - } else { --- -2.21.0 - diff --git a/SOURCES/0022-Uninitialized-variable.patch b/SOURCES/0022-Uninitialized-variable.patch deleted file mode 100644 index f6ba508..0000000 --- a/SOURCES/0022-Uninitialized-variable.patch +++ /dev/null @@ -1,25 +0,0 @@ -From a5c7484a00b378290069ab57c1f2e52719cc91c0 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 8 Oct 2018 14:48:43 -0400 -Subject: [PATCH 22/25] Uninitialized variable - ---- - src/csrgen-o.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/csrgen-o.c b/src/csrgen-o.c -index 402284ff..41b4f014 100644 ---- a/src/csrgen-o.c -+++ b/src/csrgen-o.c -@@ -181,7 +181,7 @@ cm_csrgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - BIGNUM *serialbn; - char buf[LINE_MAX], *s, *nickname, *pin, *password, *filename; - unsigned char *extensions, *upassword, *bmp, *name, *up, *uq, md[CM_DIGEST_MAX]; -- char *spkidec, *mcb64, *nows; -+ char *spkidec = NULL, *mcb64, *nows; - const char *default_cn = CM_DEFAULT_CERT_SUBJECT_CN, *spkihex = NULL; - const unsigned char *nametmp; - struct tm *now; --- -2.21.0 - diff --git a/SOURCES/0023-merge-into-clang-more-Memory-leaks.patch b/SOURCES/0023-merge-into-clang-more-Memory-leaks.patch deleted file mode 100644 index ff1606d..0000000 --- a/SOURCES/0023-merge-into-clang-more-Memory-leaks.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 432f843ffbc0bc0b14c0501b26a10e450c5b5fcc Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 8 Oct 2018 15:43:02 -0400 -Subject: [PATCH 23/25] merge into clang: more Memory leaks - ---- - src/getcert.c | 2 +- - src/submit-x.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/getcert.c b/src/getcert.c -index bbc45479..4713dd15 100644 ---- a/src/getcert.c -+++ b/src/getcert.c -@@ -4040,7 +4040,7 @@ thumbprint(const char *s, SECOidTag tag, int bits) - if (length == 0) { - goto done; - } -- u = malloc(length); -+ u = malloc(length+1); - if (u == NULL) { - free(t); - goto done; -diff --git a/src/submit-x.c b/src/submit-x.c -index 58d007ef..467e67e4 100644 ---- a/src/submit-x.c -+++ b/src/submit-x.c -@@ -43,7 +43,7 @@ - static char * - get_error_message(krb5_context ctx, krb5_error_code kcode) - { -- const char *ret; -+ char *ret; - #ifdef HAVE_KRB5_GET_ERROR_MESSAGE - if (ctx) { - const char *msg = krb5_get_error_message(ctx, kcode); --- -2.21.0 - diff --git a/SOURCES/0024-Add-missing-return-type-declaration.patch b/SOURCES/0024-Add-missing-return-type-declaration.patch deleted file mode 100644 index e434c8b..0000000 --- a/SOURCES/0024-Add-missing-return-type-declaration.patch +++ /dev/null @@ -1,24 +0,0 @@ -From d610317f69687d0c6892209d3cb6e3c407af4d86 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 8 Oct 2018 15:44:07 -0400 -Subject: [PATCH 24/25] Add missing return type declaration - ---- - src/tdbush.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/tdbush.c b/src/tdbush.c -index d1bbe4da..a10a1aff 100644 ---- a/src/tdbush.c -+++ b/src/tdbush.c -@@ -2129,6 +2129,7 @@ ca_get_serial(DBusConnection *conn, DBusMessage *msg, - } - - /* org.fedorahosted.certonger.ca.get_config_file_path */ -+static DBusHandlerResult - ca_get_config_file_path(DBusConnection *conn, DBusMessage *msg, - struct cm_client_info *ci, struct cm_context *ctx) - { --- -2.21.0 - diff --git a/SOURCES/0025-Discards-const-qualifier.patch b/SOURCES/0025-Discards-const-qualifier.patch deleted file mode 100644 index dafefa2..0000000 --- a/SOURCES/0025-Discards-const-qualifier.patch +++ /dev/null @@ -1,43 +0,0 @@ -From c16545915ab280e40eefc6bfb4e86d081f20c758 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 8 Oct 2018 15:46:50 -0400 -Subject: [PATCH 25/25] Discards const qualifier - ---- - src/dogtag.c | 3 ++- - src/scep.c | 3 ++- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/src/dogtag.c b/src/dogtag.c -index 8e3890a5..962a8bf4 100644 ---- a/src/dogtag.c -+++ b/src/dogtag.c -@@ -117,9 +117,10 @@ main(int argc, const char **argv) - const char *ssldir = NULL, *cainfo = NULL, *capath = NULL; - const char *sslcert = NULL, *sslkey = NULL; - const char *sslpin = NULL, *sslpinfile = NULL; -- const char *csr = NULL, *csre = NULL, *serial = NULL, *template = NULL; -+ const char *serial = NULL, *template = NULL; - const char *uid = NULL, *pwd = NULL, *pwdfile = NULL; - const char *udn = NULL, *pin = NULL, *pinfile = NULL; -+ char *csr = NULL, *csre = NULL; - char *poptarg; - struct { - char *name; -diff --git a/src/scep.c b/src/scep.c -index b0bd214b..b37711cf 100644 ---- a/src/scep.c -+++ b/src/scep.c -@@ -204,7 +204,8 @@ main(int argc, const char **argv) - int prefer_non_renewal = 0, can_renewal = 0; - int response_code = 0, response_code2 = 0; - enum known_ops op = op_unset; -- const char *id = NULL, *cainfo = NULL; -+ const char *id = NULL; -+ char *cainfo = NULL; - char *poptarg; - char *message = NULL, *rekey_message = NULL; - const char *mode = NULL, *content_type = NULL, *content_type2 = NULL; --- -2.21.0 - diff --git a/SOURCES/0026-Optimize-closing-open-file-descriptors.patch b/SOURCES/0026-Optimize-closing-open-file-descriptors.patch deleted file mode 100644 index c94fa0c..0000000 --- a/SOURCES/0026-Optimize-closing-open-file-descriptors.patch +++ /dev/null @@ -1,134 +0,0 @@ -From 9bbb628620d4e586941344e1bdbbc166a885c0a9 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 5 Sep 2019 12:45:52 -0400 -Subject: [PATCH] Optimize closing open file descriptors - -When forking, the code would close all unused file descriptors up -to maximum number of files. In the default case this is 1024. In -the container case this is 1048576. Huge delays in startup were -seen due to this. - -Even in a default 1024 ulimit case this drastically reduces the -number of file descriptors to mark FD_CLOEXEC but in the container -default case this saves another order of magnitude of work. - -This patch takes inspiration from systemd[1] and walks /proc/self/fd -if it is available to determine the list of open descriptors. It -falls back to the "close all fds we don't care about up to limit" -method. - -https://bugzilla.redhat.com/show_bug.cgi?id=1656519 - -[1] https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217 ---- - src/subproc.c | 71 ++++++++++++++++++++++++++++++++++++++++++++------- - 1 file changed, 62 insertions(+), 9 deletions(-) - -diff --git a/src/subproc.c b/src/subproc.c -index e49e3762..8df836ae 100644 ---- a/src/subproc.c -+++ b/src/subproc.c -@@ -19,6 +19,7 @@ - - #include - #include -+#include - #include - #include - #include -@@ -436,6 +437,25 @@ cm_subproc_parse_args(void *parent, const char *cmdline, const char **error) - return argv; - } - -+/* Based heavily on systemd version */ -+static -+int safe_atoi(const char *s, int *ret_i) { -+ char *x = NULL; -+ long l; -+ -+ errno = 0; -+ l = strtol(s, &x, 0); -+ if (errno > 0) -+ return -1; -+ if (!x || x == s || *x != 0) -+ return -1; -+ if ((long) (int) l != l) -+ return -1; -+ -+ *ret_i = (int) l; -+ return 0; -+} -+ - /* Redirect stdio to /dev/null, and mark everything else as close-on-exec, - * except for perhaps one to three of them that are passed in by number. */ - void -@@ -443,6 +463,9 @@ cm_subproc_mark_most_cloexec(int fd, int fd2, int fd3) - { - int i; - long l; -+ DIR *dir = NULL; -+ struct dirent *de; -+ - if ((fd != STDIN_FILENO) && - (fd2 != STDIN_FILENO) && - (fd3 != STDIN_FILENO)) { -@@ -482,17 +505,47 @@ cm_subproc_mark_most_cloexec(int fd, int fd2, int fd3) - close(STDERR_FILENO); - } - } -- for (i = getdtablesize() - 1; i >= 3; i--) { -- if ((i == fd) || -- (i == fd2) || -- (i == fd3)) { -- continue; -+ dir = opendir("/proc/self/fd"); -+ if (!dir) { -+ /* /proc isn't available, fall back to old way */ -+ for (i = getdtablesize() - 1; i >= 3; i--) { -+ if ((i == fd) || -+ (i == fd2) || -+ (i == fd3)) { -+ continue; -+ } -+ l = fcntl(i, F_GETFD); -+ if (l != -1) { -+ if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) { -+ cm_log(0, "Potentially leaking FD %d.\n", i); -+ } -+ } - } -- l = fcntl(i, F_GETFD); -- if (l != -1) { -- if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) { -- cm_log(0, "Potentially leaking FD %d.\n", i); -+ } else { -+ while ((de = readdir(dir)) != NULL) { -+ int i = -1; -+ -+ if (safe_atoi(de->d_name, &i) < 0) { -+ continue; -+ } -+ -+ if ((i == fd) || -+ (i == fd2) || -+ (i == fd3)) { -+ continue; -+ } -+ -+ if (i == dirfd(dir)) { -+ continue; -+ } -+ -+ l = fcntl(i, F_GETFD); -+ if (l != -1) { -+ if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) { -+ cm_log(0, "Potentially leaking FD %d.\n", i); -+ } - } - } -+ closedir(dir); - } - } --- -2.21.0 - diff --git a/SOURCES/0027-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch b/SOURCES/0027-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch deleted file mode 100644 index e1e6a23..0000000 --- a/SOURCES/0027-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch +++ /dev/null @@ -1,33 +0,0 @@ -From b7bcb1b3b953c2052e2d89cb2b3e9d9ccd1b3864 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 10 Oct 2019 16:28:18 -0400 -Subject: [PATCH] Don't close STDOUT when calling the CA fetch_roots function - -cm_subproc_mark_most_cloexec() now closes all open file -descriptors except for up to three requested for stdin, stdout -and stderr. Before the optimization those three were always -left open. - -This was causing errors in the IPA helper ipa-server-guard -because it tries to display the contents of stderr which was -always being closed, causing ipa-server-guard to blow up. ---- - src/cadata.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/cadata.c b/src/cadata.c -index eb87eb76..3e916c96 100644 ---- a/src/cadata.c -+++ b/src/cadata.c -@@ -109,7 +109,7 @@ fetch(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, void *data) - } - return -1; - } -- cm_subproc_mark_most_cloexec(STDOUT_FILENO, -1, -1); -+ cm_subproc_mark_most_cloexec(STDOUT_FILENO, STDERR_FILENO, -1); - cm_log(1, "Running enrollment/cadata helper \"%s\".\n", argv[0]); - execvp(argv[0], argv); - u = errno; --- -2.21.0 - diff --git a/SOURCES/0028-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch b/SOURCES/0028-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch deleted file mode 100644 index a0c100f..0000000 --- a/SOURCES/0028-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 205775f73f7eef7b207acccac6b853562adf604b Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Fri, 25 Oct 2019 20:25:36 +0000 -Subject: [PATCH] Don't close STDERR when submitting request - -cm_subproc_mark_most_cloexec() now closes all open file -descriptors except for up to three requested for stdin, stdout -and stderr. Before the optimization those three were always -left open. - -This was causing errors in the IPA helper ipa-server-guard -because it tries to display the contents of stderr which was -always being closed, causing ipa-server-guard to blow up. ---- - src/submit-e.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/submit-e.c b/src/submit-e.c -index d6158d7a..69b4f8e2 100644 ---- a/src/submit-e.c -+++ b/src/submit-e.c -@@ -941,8 +941,8 @@ cm_submit_e_helper_main(int fd, struct cm_store_ca *ca, - } - return -1; - } -- cm_log(2, "Redirecting stdin and stderr to /dev/null, leaving stdout open for child \"%s\".\n", argv[0]); -- cm_subproc_mark_most_cloexec(STDOUT_FILENO, -1, -1); -+ cm_log(2, "Redirecting stdin to /dev/null, leaving stdout and stderr open for child \"%s\".\n", argv[0]); -+ cm_subproc_mark_most_cloexec(STDOUT_FILENO, STDERR_FILENO, -1); - cm_log(1, "Running enrollment helper \"%s\".\n", argv[0]); - execvp(argv[0], argv); - u = errno; --- -2.21.0 - diff --git a/SOURCES/0029-Remove-NOMODDB-flag-flag-from-context-init-look-for-.patch b/SOURCES/0029-Remove-NOMODDB-flag-flag-from-context-init-look-for-.patch deleted file mode 100644 index f3f77a2..0000000 --- a/SOURCES/0029-Remove-NOMODDB-flag-flag-from-context-init-look-for-.patch +++ /dev/null @@ -1,259 +0,0 @@ -From 34c120f0259750ff2228def2955de9ad985340e6 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 26 Aug 2019 22:01:35 +0000 -Subject: [PATCH] Remove NOMODDB flag flag from context init, look for full - tokens - -The NSS databases were almost universally initialized with the -NOMODDB flag. I'm not sure if something changed in NSS but the -PKCS#11 modules were not being initialized. Adding this back after -permission checks are done results in tokens working again. - -When looking for certs and keys try the full token:nickname string -as well as just nickname when comparing values. - -https://pagure.io/certmonger/issue/125 ---- - src/casave.c | 3 +-- - src/certread-n.c | 33 ++++++++++++++++----------------- - src/certsave-n.c | 5 +++++ - src/dogtag.c | 3 +-- - src/keygen-n.c | 5 +++++ - src/keyiread-n.c | 11 ++++++++++- - src/scepgen-n.c | 5 +++++ - src/submit-n.c | 5 +++++ - src/toklist.c | 2 +- - 9 files changed, 49 insertions(+), 23 deletions(-) - -diff --git a/src/casave.c b/src/casave.c -index bde63f99..1cf5a406 100644 ---- a/src/casave.c -+++ b/src/casave.c -@@ -111,8 +111,7 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e, - break; - default: - flags = NSS_INIT_READONLY | -- NSS_INIT_NOROOTINIT | -- NSS_INIT_NOMODDB; -+ NSS_INIT_NOROOTINIT; - /* Sigh. Not a lot of detail. Check - * if we succeed in read-only mode, - * which we'll interpret as lack of -diff --git a/src/certread-n.c b/src/certread-n.c -index d535030b..bb61b61b 100644 ---- a/src/certread-n.c -+++ b/src/certread-n.c -@@ -157,27 +157,22 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - cm_log(1, "Unable to open NSS database.\n"); - _exit(status); - } -+ /* Re-open the database with modules enabled */ -+ NSS_ShutdownContext(ctx); -+ ctx = NSS_InitContext(entry->cm_cert_storage_location, -+ NULL, NULL, NULL, NULL, -+ (readwrite ? 0 : NSS_INIT_READONLY) | -+ NSS_INIT_NOROOTINIT); - es = util_n_fips_hook(); - if (es != NULL) { - cm_log(1, "Error putting NSS into FIPS mode: %s\n", es); - _exit(CM_SUB_STATUS_ERROR_INITIALIZING); - } -- /* Allocate a memory pool. */ -- arena = PORT_NewArena(sizeof(double)); -- if (arena == NULL) { -- cm_log(1, "Error opening database '%s'.\n", -- entry->cm_cert_storage_location); -- if (NSS_ShutdownContext(ctx) != SECSuccess) { -- cm_log(1, "Error shutting down NSS.\n"); -- } -- _exit(ENOMEM); -- } - /* Find the tokens that we might use for cert storage. */ - mech = CKM_RSA_X_509; - slotlist = PK11_GetAllTokens(mech, PR_FALSE, PR_FALSE, NULL); - if (slotlist == NULL) { - cm_log(1, "Error getting list of tokens.\n"); -- PORT_FreeArena(arena, PR_TRUE); - if (NSS_ShutdownContext(ctx) != SECSuccess) { - cm_log(1, "Error shutting down NSS.\n"); - } -@@ -249,6 +244,7 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - } - /* If we need to log in in order to read certificates, do so. */ - if (PK11_NeedLogin(sle->slot)) { -+ cm_log(3, "Need login to token %s\n", PK11_GetTokenName(sle->slot)); - if (cm_pin_read_for_cert(entry, &pin) != 0) { - cm_log(1, "Error reading PIN for cert db, " - "skipping.\n"); -@@ -272,13 +268,19 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - /* Walk the list of certificates in the slot, looking for one - * which matches the specified nickname. */ - certs = PK11_ListCertsInSlot(sle->slot); -+ cm_log(3, "Looking for %s\n", entry->cm_cert_nickname); - if (certs != NULL) { - for (node = CERT_LIST_HEAD(certs); - !CERT_LIST_EMPTY(certs) && - !CERT_LIST_END(node, certs); - node = CERT_LIST_NEXT(node)) { -- if (strcmp(node->cert->nickname, -- entry->cm_cert_nickname) == 0) { -+ cm_log(3, "certread-n: Slot nickname %s\n", -+ node->cert->nickname); -+ es = talloc_asprintf(entry, "%s:%s", -+ entry->cm_cert_token, entry->cm_cert_nickname); -+ if ((strcmp(node->cert->nickname, -+ entry->cm_cert_nickname) == 0) || -+ (strcmp(node->cert->nickname, es) == 0)) { - cm_log(3, "Located the certificate " - "\"%s\".\n", - entry->cm_cert_nickname); -@@ -321,7 +323,6 @@ next_slot: - if (cert == NULL) { - cm_log(1, "Error locating certificate.\n"); - PK11_FreeSlotList(slotlist); -- PORT_FreeArena(arena, PR_TRUE); - if (NSS_ShutdownContext(ctx) != SECSuccess) { - cm_log(1, "Error shutting down NSS.\n"); - } -@@ -332,7 +333,6 @@ next_slot: - fclose(fp); - CERT_DestroyCertificate(cert); - PK11_FreeSlotList(slotlist); -- PORT_FreeArena(arena, PR_TRUE); - if (NSS_ShutdownContext(ctx) != SECSuccess) { - cm_log(1, "Error shutting down NSS.\n"); - } -@@ -358,8 +358,7 @@ cm_certread_n_parse(struct cm_store_entry *entry, - NULL, NULL, NULL, NULL, - NSS_INIT_NOCERTDB | - NSS_INIT_READONLY | -- NSS_INIT_NOROOTINIT | -- NSS_INIT_NOMODDB); -+ NSS_INIT_NOROOTINIT); - if (ctx == NULL) { - cm_log(1, "Unable to initialize NSS.\n"); - _exit(1); -diff --git a/src/certsave-n.c b/src/certsave-n.c -index 972a1dfa..eda03b34 100644 ---- a/src/certsave-n.c -+++ b/src/certsave-n.c -@@ -186,6 +186,11 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - } else { - /* We don't try to force FIPS mode here, as it seems to get in - * the way of saving the certificate. */ -+ NSS_ShutdownContext(ctx); -+ ctx = NSS_InitContext(entry->cm_cert_storage_location, -+ NULL, NULL, NULL, NULL, -+ (readwrite ? 0 : NSS_INIT_READONLY) | -+ NSS_INIT_NOROOTINIT); - - /* Allocate a memory pool. */ - arena = PORT_NewArena(sizeof(double)); -diff --git a/src/dogtag.c b/src/dogtag.c -index 55607f3d..c43664ef 100644 ---- a/src/dogtag.c -+++ b/src/dogtag.c -@@ -306,8 +306,7 @@ main(int argc, const char **argv) - NULL, NULL, NULL, NULL, - NSS_INIT_NOCERTDB | - NSS_INIT_READONLY | -- NSS_INIT_NOROOTINIT | -- NSS_INIT_NOMODDB); -+ NSS_INIT_NOROOTINIT); - if (nctx == NULL) { - cm_log(1, "Unable to initialize NSS.\n"); - _exit(1); -diff --git a/src/keygen-n.c b/src/keygen-n.c -index 061bd2af..e921d7ec 100644 ---- a/src/keygen-n.c -+++ b/src/keygen-n.c -@@ -226,6 +226,11 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - break; - } - } -+ NSS_ShutdownContext(ctx); -+ ctx = NSS_InitContext(entry->cm_key_storage_location, -+ NULL, NULL, NULL, NULL, -+ (readwrite ? 0 : NSS_INIT_READONLY) | -+ NSS_INIT_NOROOTINIT); - reason = util_n_fips_hook(); - if (reason != NULL) { - cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason); -diff --git a/src/keyiread-n.c b/src/keyiread-n.c -index 91b1be41..dc1c6092 100644 ---- a/src/keyiread-n.c -+++ b/src/keyiread-n.c -@@ -115,6 +115,11 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite) - break; - } - } -+ NSS_ShutdownContext(ctx); -+ ctx = NSS_InitContext(entry->cm_key_storage_location, -+ NULL, NULL, NULL, NULL, -+ (readwrite ? 0 : NSS_INIT_READONLY) | -+ NSS_INIT_NOROOTINIT); - reason = util_n_fips_hook(); - if (reason != NULL) { - cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason); -@@ -340,8 +345,12 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite) - cnode = CERT_LIST_NEXT(cnode)) { - nickname = entry->cm_key_nickname; - cert = cnode->cert; -+ es = talloc_asprintf(entry, "%s:%s", -+ entry->cm_cert_token, -+ entry->cm_cert_nickname); - if ((nickname != NULL) && -- (strcmp(cert->nickname, nickname) == 0)) { -+ ((strcmp(cert->nickname, nickname) == 0) || -+ (strcmp(cert->nickname, es) == 0))) { - cm_log(3, "Located a certificate with " - "the key's nickname (\"%s\").\n", - nickname); -diff --git a/src/scepgen-n.c b/src/scepgen-n.c -index d6735aa7..8c67b122 100644 ---- a/src/scepgen-n.c -+++ b/src/scepgen-n.c -@@ -183,6 +183,11 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - break; - } - } -+ NSS_ShutdownContext(ctx); -+ ctx = NSS_InitContext(entry->cm_key_storage_location, -+ NULL, NULL, NULL, NULL, -+ NSS_INIT_READONLY | -+ NSS_INIT_NOROOTINIT); - reason = util_n_fips_hook(); - if (reason != NULL) { - cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason); -diff --git a/src/submit-n.c b/src/submit-n.c -index b07ea23a..f27b9c7f 100644 ---- a/src/submit-n.c -+++ b/src/submit-n.c -@@ -317,6 +317,11 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope, - } - goto done; - } -+ NSS_ShutdownContext(ctx); -+ ctx = NSS_InitContext(args->entry->cm_key_storage_location, -+ NULL, NULL, NULL, NULL, -+ NSS_INIT_READONLY | -+ NSS_INIT_NOROOTINIT); - reason = util_n_fips_hook(); - if (reason != NULL) { - cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason); -diff --git a/src/toklist.c b/src/toklist.c -index a4328218..ac166722 100644 ---- a/src/toklist.c -+++ b/src/toklist.c -@@ -79,7 +79,7 @@ main(int argc, const char **argv) - - /* Open the database. */ - ctx = NSS_InitContext(dbdir, NULL, NULL, NULL, NULL, -- NSS_INIT_NOROOTINIT | NSS_INIT_NOMODDB); -+ NSS_INIT_NOROOTINIT); - if (ctx == NULL) { - printf("Unable to open NSS database '%s'.\n", dbdir); - _exit(CM_SUB_STATUS_ERROR_INITIALIZING); --- -2.21.0 - diff --git a/SOURCES/0030-Update-tests-to-include-the-security-module-DB-in-ex.patch b/SOURCES/0030-Update-tests-to-include-the-security-module-DB-in-ex.patch deleted file mode 100644 index 9cbdfe9..0000000 --- a/SOURCES/0030-Update-tests-to-include-the-security-module-DB-in-ex.patch +++ /dev/null @@ -1,233 +0,0 @@ -From 59df833ca5fb80c596df621a24dc461a550dba71 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 27 Aug 2019 18:01:02 +0000 -Subject: [PATCH] Update tests to include the security module DB in expected - output - -certmonger was previously always initializing the databases with -the flag NSS_INIT_NOMODDB but in at elast NSS 3.44 this doesn't -seem to initialize external modules (tested with SoftHSM2). - -https://pagure.io/certmonger/issue/125 ---- - tests/034-perms-dbm/expected.out | 16 ++++++++++++++++ - tests/034-perms-sql/expected.out | 16 ++++++++++++++++ - tests/034-perms/expected.out | 16 ++++++++++++++++ - 3 files changed, 48 insertions(+) - -diff --git a/tests/034-perms-dbm/expected.out b/tests/034-perms-dbm/expected.out -index c062d409..7bf23a37 100644 ---- a/tests/034-perms-dbm/expected.out -+++ b/tests/034-perms-dbm/expected.out -@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key - [dbm:keygen] - $owner:$group|0600|cert8.db - $owner:$group|0620|key3.db -+$owner:$group|0600|secmod.db - [dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db -+$owner:$group|0755|secmod.db - [dbm:csrgen] - $owner:$group|0755|cert8.db - $owner:$group|0620|key3.db -+$owner:$group|0755|secmod.db - [dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db -+$owner:$group|0755|secmod.db - [dbm:submit] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db -+$owner:$group|0755|secmod.db - [dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db -+$owner:$group|0755|secmod.db - [dbm:save] - $owner:$group|0662|cert8.db - $owner:$group|0620|key3.db -+$owner:$group|0662|secmod.db - [rekey:dbm:start] - [rekey:dbm:keygen] - $owner:$group|0600|cert8.db - $owner:$group|0620|key3.db -+$owner:$group|0600|secmod.db - [rekey:dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db -+$owner:$group|0755|secmod.db - [rekey:dbm:keygen] - $owner:$group|0755|cert8.db - $owner:$group|0620|key3.db -+$owner:$group|0755|secmod.db - [rekey:dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db -+$owner:$group|0755|secmod.db - [rekey:dbm:csrgen] - $owner:$group|0755|cert8.db - $owner:$group|0620|key3.db -+$owner:$group|0755|secmod.db - [rekey:dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db -+$owner:$group|0755|secmod.db - [rekey:dbm:submit] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db -+$owner:$group|0755|secmod.db - [rekey:dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db -+$owner:$group|0755|secmod.db - [rekey:dbm:save] - $owner:$group|0662|cert8.db - $owner:$group|0620|key3.db -+$owner:$group|0662|secmod.db - OK -diff --git a/tests/034-perms-sql/expected.out b/tests/034-perms-sql/expected.out -index 2808e02c..c5914e02 100644 ---- a/tests/034-perms-sql/expected.out -+++ b/tests/034-perms-sql/expected.out -@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key - [sql:keygen] - $owner:$group|0600|cert9.db - $owner:$group|0620|key4.db -+$owner:$group|0600|pkcs11.txt - [sql:reset] - $owner:$group|0755|cert9.db - $owner:$group|0755|key4.db -+$owner:$group|0755|pkcs11.txt - [sql:csrgen] - $owner:$group|0755|cert9.db - $owner:$group|0620|key4.db -+$owner:$group|0755|pkcs11.txt - [sql:reset] - $owner:$group|0755|cert9.db - $owner:$group|0755|key4.db -+$owner:$group|0755|pkcs11.txt - [sql:submit] - $owner:$group|0755|cert9.db - $owner:$group|0755|key4.db -+$owner:$group|0755|pkcs11.txt - [sql:reset] - $owner:$group|0755|cert9.db - $owner:$group|0755|key4.db -+$owner:$group|0755|pkcs11.txt - [sql:save] - $owner:$group|0662|cert9.db - $owner:$group|0620|key4.db -+$owner:$group|0662|pkcs11.txt - [rekey:sql:start] - [rekey:sql:keygen] - $owner:$group|0600|cert9.db - $owner:$group|0620|key4.db -+$owner:$group|0600|pkcs11.txt - [rekey:sql:reset] - $owner:$group|0755|cert9.db - $owner:$group|0755|key4.db -+$owner:$group|0755|pkcs11.txt - [rekey:sql:keygen] - $owner:$group|0755|cert9.db - $owner:$group|0620|key4.db -+$owner:$group|0755|pkcs11.txt - [rekey:sql:reset] - $owner:$group|0755|cert9.db - $owner:$group|0755|key4.db -+$owner:$group|0755|pkcs11.txt - [rekey:sql:csrgen] - $owner:$group|0755|cert9.db - $owner:$group|0620|key4.db -+$owner:$group|0755|pkcs11.txt - [rekey:sql:reset] - $owner:$group|0755|cert9.db - $owner:$group|0755|key4.db -+$owner:$group|0755|pkcs11.txt - [rekey:sql:submit] - $owner:$group|0755|cert9.db - $owner:$group|0755|key4.db -+$owner:$group|0755|pkcs11.txt - [rekey:sql:reset] - $owner:$group|0755|cert9.db - $owner:$group|0755|key4.db -+$owner:$group|0755|pkcs11.txt - [rekey:sql:save] - $owner:$group|0662|cert9.db - $owner:$group|0620|key4.db -+$owner:$group|0662|pkcs11.txt - OK -diff --git a/tests/034-perms/expected.out b/tests/034-perms/expected.out -index c062d409..7bf23a37 100644 ---- a/tests/034-perms/expected.out -+++ b/tests/034-perms/expected.out -@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key - [dbm:keygen] - $owner:$group|0600|cert8.db - $owner:$group|0620|key3.db -+$owner:$group|0600|secmod.db - [dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db -+$owner:$group|0755|secmod.db - [dbm:csrgen] - $owner:$group|0755|cert8.db - $owner:$group|0620|key3.db -+$owner:$group|0755|secmod.db - [dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db -+$owner:$group|0755|secmod.db - [dbm:submit] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db -+$owner:$group|0755|secmod.db - [dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db -+$owner:$group|0755|secmod.db - [dbm:save] - $owner:$group|0662|cert8.db - $owner:$group|0620|key3.db -+$owner:$group|0662|secmod.db - [rekey:dbm:start] - [rekey:dbm:keygen] - $owner:$group|0600|cert8.db - $owner:$group|0620|key3.db -+$owner:$group|0600|secmod.db - [rekey:dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db -+$owner:$group|0755|secmod.db - [rekey:dbm:keygen] - $owner:$group|0755|cert8.db - $owner:$group|0620|key3.db -+$owner:$group|0755|secmod.db - [rekey:dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db -+$owner:$group|0755|secmod.db - [rekey:dbm:csrgen] - $owner:$group|0755|cert8.db - $owner:$group|0620|key3.db -+$owner:$group|0755|secmod.db - [rekey:dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db -+$owner:$group|0755|secmod.db - [rekey:dbm:submit] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db -+$owner:$group|0755|secmod.db - [rekey:dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db -+$owner:$group|0755|secmod.db - [rekey:dbm:save] - $owner:$group|0662|cert8.db - $owner:$group|0620|key3.db -+$owner:$group|0662|secmod.db - OK --- -2.21.0 - diff --git a/SOURCES/0031-Try-to-pull-the-entire-CA-chain-from-IPA.patch b/SOURCES/0031-Try-to-pull-the-entire-CA-chain-from-IPA.patch deleted file mode 100644 index 5c9978d..0000000 --- a/SOURCES/0031-Try-to-pull-the-entire-CA-chain-from-IPA.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 64702b25951ce996532afea7d627612d6bba7451 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 10 Oct 2019 18:24:32 +0000 -Subject: [PATCH] Try to pull the entire CA chain from IPA - -IPA originally stored a single cert in cn=cacert which is -what certmonger has always retrieved in fetch_roots. It was -replaced to store cn=certificates as separate entries in order -to more easily support chains and to include additional -metadata about certificates. - -Try to pull the chain from that location first and fall back -to cn=cacert if no entries are found. - -https://bugzilla.redhat.com/show_bug.cgi?id=1710632 ---- - src/ipa.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/src/ipa.c b/src/ipa.c -index acd1a4e2..40a4b52c 100644 ---- a/src/ipa.c -+++ b/src/ipa.c -@@ -508,7 +508,8 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri, - LDAP *ld = NULL; - LDAPMessage *lresult = NULL, *lmsg = NULL; - char *lattrs[2] = {"caCertificate;binary", NULL}; -- const char *relativedn = "cn=cacert,cn=ipa,cn=etc"; -+ const char *relativedn = "cn=certificates,cn=ipa,cn=etc"; -+ const char *relativecompatdn = "cn=cacert,cn=ipa,cn=etc"; - char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", *kerr = NULL; - struct berval **lbvalues, *lbv; - unsigned char *bv_val; -@@ -543,6 +544,13 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri, - rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE, - lfilter, lattrs, 0, NULL, NULL, NULL, - LDAP_NO_LIMIT, &lresult); -+ if (rc == LDAP_SUCCESS && ldap_count_entries(ld, lresult) == 0) { -+ /* Fall back to the old location */ -+ snprintf(ldn, sizeof(ldn), "%s,%s", relativecompatdn, basedn); -+ rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE, -+ lfilter, lattrs, 0, NULL, NULL, NULL, -+ LDAP_NO_LIMIT, &lresult); -+ } - if (rc != LDAP_SUCCESS) { - fprintf(stderr, "Error searching '%s': %s.\n", - ldn, ldap_err2string(rc)); --- -2.21.0 - diff --git a/SOURCES/0032-Fix-use-after-free-issue.patch b/SOURCES/0032-Fix-use-after-free-issue.patch deleted file mode 100644 index 06b0940..0000000 --- a/SOURCES/0032-Fix-use-after-free-issue.patch +++ /dev/null @@ -1,34 +0,0 @@ -From c6f2737747cbb70adfdd1a77412b669838f9c419 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 2 Dec 2019 15:08:54 -0500 -Subject: [PATCH] Fix use-after-free issue - -The basedn value was freed after the first search but a second -one could be initiated. ---- - src/ipa.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/ipa.c b/src/ipa.c -index 40a4b52c..41ca9081 100644 ---- a/src/ipa.c -+++ b/src/ipa.c -@@ -540,7 +540,6 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri, - /* Now look up the root certificates for the domain. */ - snprintf(lfilter, sizeof(lfilter), "(%s=*)", lattrs[0]); - snprintf(ldn, sizeof(ldn), "%s,%s", relativedn, basedn); -- free(basedn); - rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE, - lfilter, lattrs, 0, NULL, NULL, NULL, - LDAP_NO_LIMIT, &lresult); -@@ -551,6 +550,7 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri, - lfilter, lattrs, 0, NULL, NULL, NULL, - LDAP_NO_LIMIT, &lresult); - } -+ free(basedn); - if (rc != LDAP_SUCCESS) { - fprintf(stderr, "Error searching '%s': %s.\n", - ldn, ldap_err2string(rc)); --- -2.21.0 - diff --git a/SOURCES/0033-Improve-logging-in-SCEP-helper.patch b/SOURCES/0033-Improve-logging-in-SCEP-helper.patch deleted file mode 100644 index 571d2c0..0000000 --- a/SOURCES/0033-Improve-logging-in-SCEP-helper.patch +++ /dev/null @@ -1,931 +0,0 @@ -From 0aa25dc4f8c44434e3f28a7fe25a72c0871ac13b Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Wed, 29 Apr 2020 16:50:16 -0400 -Subject: [PATCH 33/39] Improve logging in SCEP helper - -Always check return value of cm_pkcs7_verify_signed() and return -a unique error message. - -Change log level from 1 to 0 for all errors in scep.c and pkcs7.c -so they appear by default. - -Centralize logging across scep.c and pkcs7.c to reduce code -duplication. - -Check the return code to cm_pkcs7_verify_signed in all cases. - -Add the last available message, if any, to the error returned -via stdout to certmonger as a hint to what is going on. ---- - src/pkcs7.c | 111 +++++++++++++++++++++++++++--------------------- - src/pkcs7.h | 2 + - src/scep.c | 59 ++++++++++--------------- - src/scepgen-n.c | 28 ++++++------ - src/scepgen-o.c | 72 ++++++++++++++++--------------- - src/scepgen.c | 2 +- - 6 files changed, 140 insertions(+), 134 deletions(-) - -diff --git a/src/pkcs7.c b/src/pkcs7.c -index 6de1775..29420b9 100644 ---- a/src/pkcs7.c -+++ b/src/pkcs7.c -@@ -274,6 +274,25 @@ cm_pkcs7_parse_buffer(const unsigned char *buffer, size_t length, - } - } - -+void -+log_pkcs7_errors(int level, char *msg) -+{ -+ char buf[LINE_MAX] = ""; -+ long error; -+ int nss_err; -+ -+ cm_log(level, "%s\n", msg); -+ while ((error = ERR_get_error()) != 0) { -+ memset(buf, '\0', sizeof(buf)); -+ ERR_error_string_n(error, buf, sizeof(buf)); -+ cm_log(level, "%s\n", buf); -+ } -+ nss_err = PORT_GetError(); -+ if (nss_err < 0) { -+ cm_log(level, "%d: %s\n", nss_err, PR_ErrorToString(nss_err, 0)); -+ } -+} -+ - int - cm_pkcs7_parsev(unsigned int flags, void *parent, - char **certleaf, char **certtop, char ***certothers, -@@ -520,26 +539,26 @@ cm_pkcs7_envelope_data(char *encryption_cert, enum cm_prefs_cipher cipher, - - in = BIO_new_mem_buf(encryption_cert, -1); - if (in == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - goto done; - } - recipient = PEM_read_bio_X509(in, NULL, NULL, NULL); - if (recipient == NULL) { -- cm_log(1, "Error parsing recipient certificate.\n"); -+ log_pkcs7_errors(0, "Error parsing recipient certificate.\n"); - goto done; - } - BIO_free(in); - - recipients = sk_X509_new(util_o_cert_cmp); - if (recipients == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - goto done; - } - sk_X509_push(recipients, recipient); - - in = BIO_new_mem_buf(data, dlength); - if (in == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - goto done; - } - p7 = PKCS7_encrypt(recipients, in, cm_prefs_ossl_cipher_by_pref(cipher), -@@ -547,22 +566,22 @@ cm_pkcs7_envelope_data(char *encryption_cert, enum cm_prefs_cipher cipher, - BIO_free(in); - - if (p7 == NULL) { -- cm_log(1, "Error encrypting signing request.\n"); -+ log_pkcs7_errors(0, "Error encrypting signing request.\n"); - goto done; - } - len = i2d_PKCS7(p7, NULL); - if (len < 0) { -- cm_log(1, "Error encoding encrypted signing request.\n"); -+ log_pkcs7_errors(0, "Error encoding encrypted signing request.\n"); - goto done; - } - dp7 = malloc(len); - if (dp7 == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - goto done; - } - u = dp7; - if (i2d_PKCS7(p7, &u) != len) { -- cm_log(1, "Error encoding encrypted signing request.\n"); -+ log_pkcs7_errors(0, "Error encoding encrypted signing request.\n"); - goto done; - } - *enveloped = dp7; -@@ -593,29 +612,29 @@ cm_pkcs7_envelope_csr(char *encryption_cert, enum cm_prefs_cipher cipher, - - in = BIO_new_mem_buf(csr, -1); - if (in == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - goto done; - } - req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); - BIO_free(in); - if (req == NULL) { -- cm_log(1, "Error parsing certificate signing request.\n"); -+ log_pkcs7_errors(0, "Error parsing certificate signing request.\n"); - goto done; - } - - dlen = i2d_X509_REQ(req, NULL); - if (dlen < 0) { -- cm_log(1, "Error encoding certificate signing request.\n"); -+ log_pkcs7_errors(0, "Error encoding certificate signing request.\n"); - goto done; - } - dreq = malloc(dlen); - if (dreq == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - goto done; - } - u = dreq; - if (i2d_X509_REQ(req, &u) != dlen) { -- cm_log(1, "Error encoding certificate signing request.\n"); -+ log_pkcs7_errors(0, "Error encoding certificate signing request.\n"); - goto done; - } - ret = cm_pkcs7_envelope_data(encryption_cert, cipher, dreq, dlen, -@@ -671,59 +690,61 @@ cm_pkcs7_generate_ias(char *cacert, char *minicert, - - in = BIO_new_mem_buf(cacert, -1); - if (in == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - goto done; - } - ca = PEM_read_bio_X509(in, NULL, NULL, NULL); - BIO_free(in); - if (ca == NULL) { -- cm_log(1, "Error parsing CA certificate.\n"); -+ log_pkcs7_errors(0, "Error parsing CA certificate.\n"); - goto done; - } - - in = BIO_new_mem_buf(minicert, -1); - if (in == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - goto done; - } - mini = PEM_read_bio_X509(in, NULL, NULL, NULL); - BIO_free(in); - if (mini == NULL) { -- cm_log(1, "Error parsing client certificate.\n"); -+ log_pkcs7_errors(0, "Error parsing client certificate.\n"); - goto done; - } - - issuerlen = i2d_X509_NAME(X509_get_issuer_name(ca), NULL); - if (issuerlen < 0) { -- cm_log(1, "Error encoding CA certificate issuer name.\n"); -+ cm_log(0, "Error encoding CA certificate issuer name.\n"); - goto done; - } - issuer = malloc(issuerlen); - if (issuer == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - goto done; - } - u = issuer; - if (i2d_X509_NAME(X509_get_issuer_name(ca), &u) != issuerlen) { -- cm_log(1, "Error encoding CA certificate issuer name.\n"); -+ log_pkcs7_errors(0, "Error encoding CA certificate issuer name.\n"); - goto done; - } - - subjectlen = i2d_X509_NAME(X509_get_subject_name(mini), NULL); - if (subjectlen < 0) { -- cm_log(1, "Error encoding client certificate subject name.\n"); -+ cm_log(0, "Error encoding client certificate subject name.\n"); - goto done; - } - subject = malloc(subjectlen); - if (subject == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - goto done; - } - u = subject; - if (i2d_X509_NAME(X509_get_subject_name(mini), &u) != subjectlen) { -- cm_log(1, "Error encoding client certificate subject name.\n"); -+ log_pkcs7_errors(0, "Error encoding client certificate subject name.\n"); - goto done; - } -+ PORT_SetError(0); -+ ERR_clear_error(); - memset(&issuerandsubject, 0, sizeof(issuerandsubject)); - issuerandsubject.issuer.data = issuer; - issuerandsubject.issuer.len = issuerlen; -@@ -731,7 +752,7 @@ cm_pkcs7_generate_ias(char *cacert, char *minicert, - issuerandsubject.subject.len = subjectlen; - if (SEC_ASN1EncodeItem(NULL, &encoded, &issuerandsubject, - cm_pkcs7_ias_template) != &encoded) { -- cm_log(1, "Error encoding issuer and subject names.\n"); -+ log_pkcs7_errors(0, "Error encoding issuer and subject names.\n"); - goto done; - } - *ias = malloc(encoded.len); -@@ -948,28 +969,28 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, - u = data; - p7 = d2i_PKCS7(NULL, &u, length); - if ((p7 == NULL) || (u != data + length)) { -- cm_log(1, "Error parsing what should be PKCS#7 signed-data.\n"); -+ cm_log(0, "Error parsing what should be PKCS#7 signed-data.\n"); - goto done; - } - if ((p7->type == NULL) || (OBJ_obj2nid(p7->type) != NID_pkcs7_signed)) { -- cm_log(1, "PKCS#7 data is not signed-data.\n"); -+ cm_log(0, "PKCS#7 data is not signed-data.\n"); - goto done; - } - store = X509_STORE_new(); - if (store == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - goto done; - } - X509_STORE_set_verify_cb_func(store, &ignore_purpose_errors); - certs = sk_X509_new(util_o_cert_cmp); - if (certs == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - goto done; - } - for (i = 0; (roots != NULL) && (roots[i] != NULL); i++) { - s = talloc_strdup(parent, roots[i]); - if (s == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - goto done; - } - /* In case one of these is multiple PEM certificates -@@ -990,13 +1011,13 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, - } - in = BIO_new_mem_buf(p, q - p); - if (in == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - goto done; - } - x = PEM_read_bio_X509(in, NULL, NULL, NULL); - BIO_free(in); - if (x == NULL) { -- cm_log(1, "Error parsing chain certificate.\n"); -+ cm_log(0, "Error parsing chain certificate.\n"); - goto done; - } - X509_STORE_add_cert(store, x); -@@ -1008,7 +1029,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, - for (i = 0; (othercerts != NULL) && (othercerts[i] != NULL); i++) { - s = talloc_strdup(parent, othercerts[i]); - if (s == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - goto done; - } - /* In case one of these is multiple PEM certificates -@@ -1028,13 +1049,13 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, - } - in = BIO_new_mem_buf(p, q - p); - if (in == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - goto done; - } - x = PEM_read_bio_X509(in, NULL, NULL, NULL); - BIO_free(in); - if (x == NULL) { -- cm_log(1, "Error parsing chain certificate.\n"); -+ cm_log(0, "Error parsing chain certificate.\n"); - goto done; - } - sk_X509_push(certs, x); -@@ -1044,7 +1065,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, - } - out = BIO_new(BIO_s_mem()); - if (out == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - goto done; - } - if (roots != NULL) { -@@ -1057,19 +1078,19 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, - for (i = 0; i < sk_X509_num(certs); i++) { - x = X509_dup(sk_X509_value(certs, i)); - if (x == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - goto done; - } - PKCS7_add_certificate(p7, x); - } - if (PKCS7_verify(p7, certs, store, NULL, out, 0) != 1) { -- cm_log(1, "Message failed verification.\n"); -+ cm_log(0, "Message failed verification.\n"); - goto done; - } - } - p7s = p7->d.sign; - if (sk_PKCS7_SIGNER_INFO_num(p7s->signer_info) != 1) { -- cm_log(1, "Number of PKCS#7 signed-data signers != 1.\n"); -+ cm_log(0, "Number of PKCS#7 signed-data signers != 1.\n"); - goto done; - } - si = sk_PKCS7_SIGNER_INFO_value(p7s->signer_info, 0); -@@ -1077,12 +1098,12 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, - encapsulated = p7s->contents; - if (expected_content_type != NID_undef) { - if (encapsulated == NULL) { -- cm_log(1, "Error parsing PKCS#7 encapsulated content.\n"); -+ cm_log(0, "Error parsing PKCS#7 encapsulated content.\n"); - goto done; - } - if ((encapsulated->type == NULL) || - (OBJ_obj2nid(encapsulated->type) != expected_content_type)) { -- cm_log(1, "PKCS#7 encapsulated data is not %s (%s).\n", -+ cm_log(0, "PKCS#7 encapsulated data is not %s (%s).\n", - OBJ_nid2ln(expected_content_type), - encapsulated->type ? - OBJ_nid2ln(OBJ_obj2nid(encapsulated->type)) : -@@ -1091,7 +1112,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, - } - } - if (attrs == NULL) { -- cm_log(1, "PKCS#7 signed-data contains no signed attributes.\n"); -+ cm_log(0, "PKCS#7 signed-data contains no signed attributes.\n"); - goto done; - } - ret = 0; -@@ -1146,7 +1167,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, - if (*payload_length > 0) { - *payload = talloc_size(parent, *payload_length + 1); - if (*payload == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - goto done; - } - memcpy(*payload, s, *payload_length); -@@ -1154,12 +1175,6 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, - } - } - done: -- if (ret != 0) { -- while ((error = ERR_get_error()) != 0) { -- ERR_error_string_n(error, buf, sizeof(buf)); -- cm_log(1, "%s\n", buf); -- } -- } - if (p7 != NULL) { - PKCS7_free(p7); - } -diff --git a/src/pkcs7.h b/src/pkcs7.h -index 097f7ca..fae52f8 100644 ---- a/src/pkcs7.h -+++ b/src/pkcs7.h -@@ -63,4 +63,6 @@ int cm_pkcs7_verify_signed(unsigned char *data, size_t length, - size_t *recipient_nonce_length, - unsigned char **payload, size_t *payload_length); - -+void log_pkcs7_errors(int level, char *msg); -+ - #endif -diff --git a/src/scep.c b/src/scep.c -index b37711c..0b8bef9 100644 ---- a/src/scep.c -+++ b/src/scep.c -@@ -428,11 +428,15 @@ main(int argc, const char **argv) - if ((rekey_message != NULL) && (strlen(rekey_message) != 0)) { - tmp1 = cm_submit_u_base64_from_text(rekey_message); - tmp2 = cm_store_base64_as_bin(ctx, tmp1, -1, &c); -- cm_pkcs7_verify_signed((unsigned char *) tmp2, c, -+ i = cm_pkcs7_verify_signed((unsigned char *) tmp2, c, - NULL, NULL, NID_pkcs7_data, ctx, NULL, - NULL, &msgtype, NULL, NULL, - NULL, NULL, - NULL, NULL, NULL, NULL); -+ if (i != 0) { -+ log_pkcs7_errors(0, "Error: failed to verify signature on " -+ "rekey PKCSReq.\n"); -+ } - if ((msgtype == NULL) || - ((strcmp(msgtype, SCEP_MSGTYPE_PKCSREQ) != 0) && - (strcmp(msgtype, SCEP_MSGTYPE_GETCERTINITIAL) != 0))) { -@@ -454,11 +458,15 @@ main(int argc, const char **argv) - if ((message != NULL) && (strlen(message) != 0)) { - tmp1 = cm_submit_u_base64_from_text(message); - tmp2 = cm_store_base64_as_bin(ctx, tmp1, -1, &c); -- cm_pkcs7_verify_signed((unsigned char *) tmp2, c, -+ i = cm_pkcs7_verify_signed((unsigned char *) tmp2, c, - NULL, NULL, NID_pkcs7_data, ctx, NULL, - &sent_tx, &msgtype, NULL, NULL, - &sent_nonce, &sent_nonce_length, - NULL, NULL, NULL, NULL); -+ if (i != 0) { -+ log_pkcs7_errors(0, "Error: failed to verify signature on " -+ "message.\n"); -+ } - if ((msgtype == NULL) || - ((strcmp(msgtype, SCEP_MSGTYPE_PKCSREQ) != 0) && - (strcmp(msgtype, SCEP_MSGTYPE_GETCERTINITIAL) != 0))) { -@@ -933,14 +941,16 @@ main(int argc, const char **argv) - &payload, &payload_length); - if (i != 0) { - printf(_("Error: failed to verify signature on " -- "server response.\n")); -- cm_log(1, "Error: failed to verify signature on " -- "server response.\n"); -- while ((error = ERR_get_error()) != 0) { -+ "server response. ")); -+ error = ERR_peek_last_error(); -+ if (error != 0) { - memset(buf, '\0', sizeof(buf)); - ERR_error_string_n(error, buf, sizeof(buf)); -- cm_log(1, "%s\n", buf); -+ printf("%s", buf); - } -+ printf("\n"); -+ log_pkcs7_errors(0, "Error: failed to verify signature on " -+ "server response.\n"); - s = cm_store_base64_from_bin(ctx, (unsigned char *) results2, - results_length2); - s = cm_submit_u_pem_from_base64("PKCS7", 0, s); -@@ -1050,26 +1060,7 @@ main(int argc, const char **argv) - p7 = d2i_PKCS7(NULL, &u, payload_length); - if (p7 == NULL) { - printf(_("Error: couldn't parse signed-data.\n")); -- while ((error = ERR_get_error()) != 0) { -- memset(buf, '\0', sizeof(buf)); -- ERR_error_string_n(error, buf, sizeof(buf)); -- cm_log(1, "%s\n", buf); -- } -- s = cm_store_base64_from_bin(ctx, -- (unsigned char *) results2, -- results_length2); -- s = cm_submit_u_pem_from_base64("PKCS7", 0, s); -- fprintf(stderr, "Full reply:\n%s", s); -- free(s); -- return CM_SUBMIT_STATUS_UNREACHABLE; -- } -- if (!PKCS7_type_is_enveloped(p7)) { -- printf(_("Error: signed-data payload is not enveloped-data.\n")); -- while ((error = ERR_get_error()) != 0) { -- memset(buf, '\0', sizeof(buf)); -- ERR_error_string_n(error, buf, sizeof(buf)); -- cm_log(1, "%s\n", buf); -- } -+ log_pkcs7_errors(0, "Error: couldn't parse signed-data.\n"); - s = cm_store_base64_from_bin(ctx, - (unsigned char *) results2, - results_length2); -@@ -1080,11 +1071,8 @@ main(int argc, const char **argv) - } - if (!PKCS7_type_is_enveloped(p7)) { - printf(_("Error: signed-data payload is not enveloped-data.\n")); -- while ((error = ERR_get_error()) != 0) { -- memset(buf, '\0', sizeof(buf)); -- ERR_error_string_n(error, buf, sizeof(buf)); -- cm_log(1, "%s\n", buf); -- } -+ log_pkcs7_errors(0, "Error: signed-data payload is not " -+ "enveloped-data.\n"); - s = cm_store_base64_from_bin(ctx, - (unsigned char *) results2, - results_length2); -@@ -1098,11 +1086,8 @@ main(int argc, const char **argv) - (p7->d.enveloped->enc_data->content_type == NULL) || - (OBJ_obj2nid(p7->d.enveloped->enc_data->content_type) != NID_pkcs7_data)) { - printf(_("Error: enveloped-data payload is not data.\n")); -- while ((error = ERR_get_error()) != 0) { -- memset(buf, '\0', sizeof(buf)); -- ERR_error_string_n(error, buf, sizeof(buf)); -- cm_log(1, "%s\n", buf); -- } -+ log_pkcs7_errors(0, "Error: enveloped-data payload is " -+ "not data.\n"); - s = cm_store_base64_from_bin(ctx, - (unsigned char *) results2, - results_length2); -diff --git a/src/scepgen-n.c b/src/scepgen-n.c -index 8c67b12..ce73c31 100644 ---- a/src/scepgen-n.c -+++ b/src/scepgen-n.c -@@ -86,14 +86,14 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey) - return; - } - if (sk_PKCS7_SIGNER_INFO_num(p7->d.sign->signer_info) != 1) { -- cm_log(1, "More than one signer, not sure what to do.\n"); -+ cm_log(0, "More than one signer, not sure what to do.\n"); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - sinfo = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0); - salen = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, NULL, &PKCS7_ATTR_SIGN_it); - u = sabuf = malloc(salen); - if (sabuf == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - /* ASN1_item_i2d doesn't actually modify the passed-in pointer, which -@@ -101,7 +101,7 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey) - * that ourselves. */ - l = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, &u, &PKCS7_ATTR_SIGN_it); - if (l != salen) { -- cm_log(1, "Error encoding attributes.\n"); -+ cm_log(0, "Error encoding attributes.\n"); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - -@@ -109,12 +109,12 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey) - digalg = cm_submit_n_tag_from_nid(OBJ_obj2nid(sinfo->digest_alg->algorithm)); - sigalg = SEC_GetSignatureAlgorithmOidTag(privkey->keyType, digalg); - if (sigalg == SEC_OID_UNKNOWN) { -- cm_log(1, "Unable to match digest algorithm and key.\n"); -+ cm_log(0, "Unable to match digest algorithm and key.\n"); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - if (SEC_SignData(&signature, sabuf, salen, privkey, - sigalg) != SECSuccess) { -- cm_log(1, "Error re-signing: %s.\n", -+ cm_log(0, "Error re-signing: %s.\n", - PR_ErrorToName(PORT_GetError())); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } -@@ -143,7 +143,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - } - - if (ca->cm_ca_encryption_cert == NULL) { -- cm_log(1, "Can't generate new SCEP request data without " -+ cm_log(0, "Can't generate new SCEP request data without " - "the RA/CA encryption certificate.\n"); - _exit(CM_SUB_STATUS_NEED_SCEP_DATA); - } -@@ -166,12 +166,12 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - fprintf(status, "Error opening database " - "'%s': %s.\n", - entry->cm_key_storage_location, es); -- cm_log(1, "Error opening database '%s': %s.\n", -+ cm_log(0, "Error opening database '%s': %s.\n", - entry->cm_key_storage_location, es); - } else { - fprintf(status, "Error opening database '%s'.\n", - entry->cm_key_storage_location); -- cm_log(1, "Error opening database '%s'.\n", -+ cm_log(0, "Error opening database '%s'.\n", - entry->cm_key_storage_location); - } - switch (ec) { -@@ -190,7 +190,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - NSS_INIT_NOROOTINIT); - reason = util_n_fips_hook(); - if (reason != NULL) { -- cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason); -+ cm_log(0, "Error putting NSS into FIPS mode: %s\n", reason); - _exit(CM_SUB_STATUS_ERROR_INITIALIZING); - } - -@@ -198,23 +198,23 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - cm_log(1, "Generating dummy key.\n"); - key = EVP_PKEY_new(); - if (key == NULL) { -- cm_log(1, "Error allocating new key.\n"); -+ cm_log(0, "Error allocating new key.\n"); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - exponent = BN_new(); - if (exponent == NULL) { -- cm_log(1, "Error setting up exponent.\n"); -+ cm_log(0, "Error setting up exponent.\n"); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - BN_set_word(exponent, CM_DEFAULT_RSA_EXPONENT); - rsa = RSA_new(); - if (rsa == NULL) { -- cm_log(1, "Error allocating new RSA key.\n"); -+ cm_log(0, "Error allocating new RSA key.\n"); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - retry_gen: - if (RSA_generate_key_ex(rsa, CM_DEFAULT_PUBKEY_SIZE, exponent, NULL) != 1) { -- cm_log(1, "Error generating key.\n"); -+ cm_log(0, "Error generating key.\n"); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - if (RSA_check_key(rsa) != 1) { /* should be unnecessary */ -@@ -228,7 +228,7 @@ retry_gen: - if ((keys->privkey->keyType != rsaKey) || - ((keys->privkey_next != NULL) && - (keys->privkey_next->keyType != rsaKey))) { -- cm_log(1, "Keys aren't RSA. They won't work with SCEP.\n"); -+ cm_log(0, "Keys aren't RSA. They won't work with SCEP.\n"); - _exit(CM_SUB_STATUS_ERROR_KEY_TYPE); - } - -diff --git a/src/scepgen-o.c b/src/scepgen-o.c -index 010abb7..a431815 100644 ---- a/src/scepgen-o.c -+++ b/src/scepgen-o.c -@@ -76,14 +76,14 @@ key_from_file(const char *filename, struct cm_store_entry *entry) - keyfp = fopen(filename, "r"); - if (keyfp == NULL) { - if (errno != ENOENT) { -- cm_log(1, "Error opening key file \"%s\" " -+ cm_log(0, "Error opening key file \"%s\" " - "for reading: %s.\n", - filename, strerror(errno)); - } - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - if (cm_pin_read_for_key(entry, &pin) != 0) { -- cm_log(1, "Internal error reading key encryption PIN.\n"); -+ cm_log(0, "Internal error reading key encryption PIN.\n"); - _exit(CM_SUB_STATUS_ERROR_AUTH); - } - memset(&cb_data, 0, sizeof(cb_data)); -@@ -93,24 +93,24 @@ key_from_file(const char *filename, struct cm_store_entry *entry) - cm_pin_read_for_key_ossl_cb, &cb_data); - if (pkey == NULL) { - error = errno; -- cm_log(1, "Error reading private key '%s': %s.\n", -+ cm_log(0, "Error reading private key '%s': %s.\n", - filename, strerror(error)); - while ((error = ERR_get_error()) != 0) { - ERR_error_string_n(error, buf, sizeof(buf)); -- cm_log(1, "%s\n", buf); -+ cm_log(0, "%s\n", buf); - } - _exit(CM_SUB_STATUS_ERROR_AUTH); /* XXX */ - } else { - if ((pin != NULL) && - (strlen(pin) > 0) && - (cb_data.n_attempts == 0)) { -- cm_log(1, "PIN was not needed to read private " -+ cm_log(0, "PIN was not needed to read private " - "key '%s', though one was provided. " - "Treating this as an error.\n", - filename); - while ((error = ERR_get_error()) != 0) { - ERR_error_string_n(error, buf, sizeof(buf)); -- cm_log(1, "%s\n", buf); -+ cm_log(0, "%s\n", buf); - } - _exit(CM_SUB_STATUS_ERROR_AUTH); /* XXX */ - } -@@ -127,13 +127,13 @@ cert_from_pem(char *pem, struct cm_store_entry *entry) - if ((pem != NULL) && (strlen(pem) > 0)) { - in = BIO_new_mem_buf(pem, -1); - if (in == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - cert = PEM_read_bio_X509(in, NULL, NULL, NULL); - BIO_free(in); - if (cert == NULL) { -- cm_log(1, "Error parsing certificate \"%s\".\n", pem); -+ cm_log(0, "Error parsing certificate \"%s\".\n", pem); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - return cert; -@@ -155,19 +155,19 @@ certs_from_nickcerts(struct cm_nickcert **list) - if ((this->cm_cert != NULL) && (strlen(this->cm_cert) > 0)) { - in = BIO_new_mem_buf(this->cm_cert, -1); - if (in == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - cert = PEM_read_bio_X509(in, NULL, NULL, NULL); - BIO_free(in); - if (cert == NULL) { -- cm_log(1, "Error parsing certificate.\n"); -+ cm_log(0, "Error parsing certificate.\n"); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - if (sk == NULL) { - sk = sk_X509_new(util_o_cert_cmp); - if (sk == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - } -@@ -300,19 +300,19 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs, - - in = BIO_new_mem_buf(data, data_length); - if (in == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - ret = PKCS7_sign(signer, key, certs, in, flags); - if (ret == NULL) { -- cm_log(1, "Error signing data.\n"); -+ cm_log(0, "Error signing data.\n"); - goto errors; - } - BIO_free(in); - - /* Set the digest to use for signing. */ - if (sk_PKCS7_SIGNER_INFO_num(ret->d.sign->signer_info) != 1) { -- cm_log(1, "Error signing data: %d signers.\n", -+ cm_log(0, "Error signing data: %d signers.\n", - sk_PKCS7_SIGNER_INFO_num(ret->d.sign->signer_info)); - goto errors; - } -@@ -356,7 +356,7 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs, - PKCS7_content_new(ret, NID_pkcs7_data); - out = PKCS7_dataInit(ret, NULL); - if (out == NULL) { -- cm_log(1, "Error signing data.\n"); -+ cm_log(0, "Error signing data.\n"); - goto errors; - } - BIO_write(out, data, data_length); -@@ -366,7 +366,7 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs, - errors: - while ((error = ERR_get_error()) != 0) { - ERR_error_string_n(error, buf, sizeof(buf)); -- cm_log(1, "%s\n", buf); -+ cm_log(0, "%s\n", buf); - } - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } -@@ -394,11 +394,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, - util_o_init(); - ERR_load_crypto_strings(); - if (RAND_status() != 1) { -- cm_log(1, "PRNG not seeded for generating key.\n"); -+ cm_log(0, "PRNG not seeded for generating key.\n"); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - if (RAND_bytes(nonce, nonce_length) == -1) { -- cm_log(1, "PRNG unable to generate nonce.\n"); -+ cm_log(0, "PRNG unable to generate nonce.\n"); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - -@@ -410,14 +410,14 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, - pem = cm_submit_u_pem_from_base64("CERTIFICATE", 0, - entry->cm_minicert); - if (pem == NULL) { -- cm_log(1, "Out of memory.\n"); -+ cm_log(0, "Out of memory.\n"); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - new_cert = cert_from_pem(pem, entry); - if (new_cert == NULL) { - while ((error = ERR_get_error()) != 0) { - ERR_error_string_n(error, buf, sizeof(buf)); -- cm_log(1, "%s\n", buf); -+ cm_log(0, "%s\n", buf); - } - free(pem); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); -@@ -442,7 +442,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, - cipher = cm_prefs_des; - } - else { -- cm_log(1, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher); -+ cm_log(0, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher); - _exit(1); - } - -@@ -516,7 +516,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, - digest = cm_prefs_md5; - } - else { -- cm_log(1, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest); -+ cm_log(0, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest); - _exit(1); - } - -@@ -578,7 +578,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, - ca->cm_ca_encryption_issuer_cert, - entry->cm_cert, - &old_ias, &old_ias_length) != 0) { -- cm_log(1, "Error generating enveloped issuer-and-subject.\n"); -+ cm_log(0, "Error generating enveloped issuer-and-subject.\n"); - free(pem); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } -@@ -590,7 +590,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, - ca->cm_ca_encryption_issuer_cert, - pem, - &new_ias, &new_ias_length) != 0) { -- cm_log(1, "Error generating enveloped issuer-and-subject.\n"); -+ cm_log(0, "Error generating enveloped issuer-and-subject.\n"); - free(pem); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } -@@ -598,7 +598,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, - if (cm_pkcs7_envelope_csr(ca->cm_ca_encryption_cert, cipher, - entry->cm_csr, - &csr, &csr_length) != 0) { -- cm_log(1, "Error generating enveloped CSR.\n"); -+ cm_log(0, "Error generating enveloped CSR.\n"); -+ while ((error = ERR_get_error()) != 0) { -+ ERR_error_string_n(error, buf, sizeof(buf)); -+ cm_log(0, "%s\n", buf); -+ } - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - -@@ -608,7 +612,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, - * the matching key. */ - pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(old_cert)); - if (pubkey == NULL) { -- cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n"); -+ cm_log(0, "Error generating PKCSREQ pkiMessage: error copying key.\n"); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - util_X509_set_pubkey(old_cert, old_pkey); -@@ -639,7 +643,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, - * if we do, we did that in another code path. */ - pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert)); - if (pubkey == NULL) { -- cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n"); -+ cm_log(0, "Error generating PKCSREQ pkiMessage: error copying key.\n"); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - util_X509_set_pubkey(new_cert, old_pkey); -@@ -673,7 +677,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, - * any previously-issued certificate won't match. */ - pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert)); - if (pubkey == NULL) { -- cm_log(1, "Error generating rekeying PKCSREQ pkiMessage: error copying key.\n"); -+ cm_log(0, "Error generating rekeying PKCSREQ pkiMessage: error copying key.\n"); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - util_X509_set_pubkey(new_cert, new_pkey); -@@ -703,7 +707,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, - X509_free(new_cert); - while ((error = ERR_get_error()) != 0) { - ERR_error_string_n(error, buf, sizeof(buf)); -- cm_log(1, "%s\n", buf); -+ cm_log(0, "%s\n", buf); - } - } - -@@ -723,14 +727,14 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - } - - if (ca->cm_ca_encryption_cert == NULL) { -- cm_log(1, "Can't generate new SCEP request data without " -+ cm_log(0, "Can't generate new SCEP request data without " - "the RA/CA encryption certificate.\n"); - _exit(CM_SUB_STATUS_NEED_SCEP_DATA); - } - - old_pkey = key_from_file(entry->cm_key_storage_location, entry); - if (old_pkey == NULL) { -- cm_log(1, "Error reading key from file \"%s\".\n", -+ cm_log(0, "Error reading key from file \"%s\".\n", - entry->cm_key_storage_location); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } -@@ -739,14 +743,14 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - filename = util_build_next_filename(entry->cm_key_storage_location, - entry->cm_key_next_marker); - if (filename == NULL) { -- cm_log(1, "Error opening key file \"%s\" " -+ cm_log(0, "Error opening key file \"%s\" " - "for reading: %s.\n", - filename, strerror(errno)); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); - } - new_pkey = key_from_file(filename, entry); - if (new_pkey == NULL) { -- cm_log(1, "Error reading key from file \"%s\".\n", -+ cm_log(0, "Error reading key from file \"%s\".\n", - filename); - free(filename); - _exit(CM_SUB_STATUS_INTERNAL_ERROR); -@@ -757,7 +761,7 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - } - if ((util_EVP_PKEY_base_id(old_pkey) != EVP_PKEY_RSA) || - ((new_pkey != NULL) && (util_EVP_PKEY_base_id(new_pkey) != EVP_PKEY_RSA))) { -- cm_log(1, "Keys aren't RSA. They won't work with SCEP.\n"); -+ cm_log(0, "Keys aren't RSA. They won't work with SCEP.\n"); - _exit(CM_SUB_STATUS_ERROR_KEY_TYPE); - } - -diff --git a/src/scepgen.c b/src/scepgen.c -index eaf2b7c..115446f 100644 ---- a/src/scepgen.c -+++ b/src/scepgen.c -@@ -32,7 +32,7 @@ cm_scepgen_start(struct cm_store_ca *ca, struct cm_store_entry *entry) - { - switch (entry->cm_key_storage_type) { - case cm_key_storage_none: -- cm_log(1, "Can't generate new SCEP data for %s('%s') without " -+ cm_log(0, "Can't generate new SCEP data for %s('%s') without " - "the key, and we don't know where that is or should " - "be.\n", entry->cm_busname, entry->cm_nickname); - break; --- -2.21.1 - diff --git a/SOURCES/0034-Add-verbose-option-to-SCEP-CA-if-requested-in-add-sc.patch b/SOURCES/0034-Add-verbose-option-to-SCEP-CA-if-requested-in-add-sc.patch deleted file mode 100644 index b43e285..0000000 --- a/SOURCES/0034-Add-verbose-option-to-SCEP-CA-if-requested-in-add-sc.patch +++ /dev/null @@ -1,33 +0,0 @@ -From e4d0a60836e1ecbcd6390b88dceb2ca29d3179dc Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 27 Feb 2020 18:15:02 -0500 -Subject: [PATCH 34/39] Add verbose option to SCEP CA if requested in - add-scep-ca - -This option was silently dropped from the helper arguments even -if requested on the add-scep-ca CLI and was only passed to the -dbus helper. - -Add as many -v as requested though the scep helper only logs at -most at level 1. ---- - src/getcert.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/getcert.c b/src/getcert.c -index 4713dd1..3d78a73 100644 ---- a/src/getcert.c -+++ b/src/getcert.c -@@ -4580,6 +4580,9 @@ add_scep_ca(const char *argv0, int argc, const char **argv) - certs ? "-I" : "", - certs ? shell_escape(globals.tctx, certs) : "", - prefer_non_renewal ? "-n" : ""); -+ for (c = 0; c < verbose; c++) { -+ command = talloc_strdup_append(command, " -v"); -+ } - if (command == NULL) { - printf(_("Error building command line.\n")); - exit(1); --- -2.21.1 - diff --git a/SOURCES/0035-Cleanup-the-SCEP-helper-curl-and-talloc-contexts-whe.patch b/SOURCES/0035-Cleanup-the-SCEP-helper-curl-and-talloc-contexts-whe.patch deleted file mode 100644 index 07fe0f4..0000000 --- a/SOURCES/0035-Cleanup-the-SCEP-helper-curl-and-talloc-contexts-whe.patch +++ /dev/null @@ -1,422 +0,0 @@ -From 0897d5131489c7eac21d558625c30d23b0a1774d Mon Sep 17 00:00:00 2001 -From: Your Name -Date: Tue, 14 Apr 2020 13:17:14 +0000 -Subject: [PATCH 35/39] Cleanup the SCEP helper curl and talloc contexts when - finished - -The talloc context was freed in only a few cases and the curl -context was never freed. ---- - src/scep.c | 127 ++++++++++++++++++++++++++++++++----------------- - src/submit-h.c | 15 +++++- - src/submit-h.h | 1 + - 3 files changed, 97 insertions(+), 46 deletions(-) - -diff --git a/src/scep.c b/src/scep.c -index 0b8bef9..4d00692 100644 ---- a/src/scep.c -+++ b/src/scep.c -@@ -199,7 +199,7 @@ int - main(int argc, const char **argv) - { - const char *url = NULL, *results = NULL, *results2 = NULL; -- struct cm_submit_h_context *hctx; -+ struct cm_submit_h_context *hctx = NULL; - int c, verbose = 0, results_length = 0, results_length2 = 0, i; - int prefer_non_renewal = 0, can_renewal = 0; - int response_code = 0, response_code2 = 0; -@@ -225,7 +225,8 @@ main(int argc, const char **argv) - size_t payload_length; - long error; - PKCS7 *p7; -- poptContext pctx; -+ int rval = CM_SUBMIT_STATUS_UNCONFIGURED; -+ poptContext pctx = NULL; - struct poptOption popts[] = { - {"url", 'u', POPT_ARG_STRING, &url, 0, "service location", "URL"}, - {"ca-identifier", 'i', POPT_ARG_STRING, &id, 0, "name to use when querying for capabilities", "IDENTIFIER"}, -@@ -388,8 +389,8 @@ main(int argc, const char **argv) - } - if ((message == NULL) || (strlen(message) == 0)) { - printf(_("Error reading request. Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n")); -- free(cainfo); -- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; -+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; -+ goto done; - } - /* First step: read capabilities for our use. */ - params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS); -@@ -408,8 +409,8 @@ main(int argc, const char **argv) - } - if ((message == NULL) || (strlen(message) == 0)) { - printf(_("Error reading request. Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n")); -- free(cainfo); -- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; -+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; -+ goto done; - } - /* First step: read capabilities for our use. */ - params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS); -@@ -420,8 +421,8 @@ main(int argc, const char **argv) - /* Supply help output, if it's needed. */ - if (missing_args) { - poptPrintUsage(pctx, stdout, 0); -- free(cainfo); -- return CM_SUBMIT_STATUS_UNCONFIGURED; -+ rval = CM_SUBMIT_STATUS_UNCONFIGURED; -+ goto done; - } - - /* Check the rekey PKCSReq message, if we have one. */ -@@ -505,7 +506,6 @@ main(int argc, const char **argv) - verbose > 1 ? - cm_submit_h_curl_verbose_on : - cm_submit_h_curl_verbose_off); -- free(cainfo); - cm_submit_h_run(hctx); - content_type = cm_submit_h_result_type(hctx); - if (content_type == NULL) { -@@ -551,7 +551,8 @@ main(int argc, const char **argv) - } - if ((tmp2 == NULL) || (strlen(tmp2) == 0)) { - printf(_("Error reading request. Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n")); -- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; -+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; -+ goto done; - } else - if (verbose > 0) { - if (tmp2 == rekey_message) { -@@ -576,7 +577,8 @@ main(int argc, const char **argv) - } - if ((tmp2 == NULL) || (strlen(tmp2) == 0)) { - printf(_("Error reading request. Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n")); -- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; -+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; -+ goto done; - } else - if (verbose > 0) { - if (tmp2 == rekey_message) { -@@ -638,7 +640,8 @@ main(int argc, const char **argv) - cm_submit_h_result_code(hctx), - url); - } -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - switch (op) { - case op_unset: -@@ -651,16 +654,19 @@ main(int argc, const char **argv) - response_code, url); - if (response_code == 500) { - /* The server might recover, right? */ -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } else { - /* Maybe not? */ -- return CM_SUBMIT_STATUS_REJECTED; -+ rval = CM_SUBMIT_STATUS_REJECTED; -+ goto done; - } - } - if (results == NULL) { - printf(_("Internal error: no response to \"%s?%s\".\n"), - url, params); -- return CM_SUBMIT_STATUS_REJECTED; -+ rval = CM_SUBMIT_STATUS_REJECTED; -+ goto done; - } - break; - case op_get_cert_initial: -@@ -685,10 +691,12 @@ main(int argc, const char **argv) - fprintf(stderr, "Result is surprisingly large, " - "suppressing it.\n"); - } -- return CM_SUBMIT_STATUS_REJECTED; -+ rval = CM_SUBMIT_STATUS_REJECTED; -+ goto done; - } - printf("%s\n", results); -- return CM_SUBMIT_STATUS_ISSUED; -+ rval = CM_SUBMIT_STATUS_ISSUED; -+ goto done; - break; - case op_get_ca_certs: - if ((strcasecmp(content_type, -@@ -697,7 +705,8 @@ main(int argc, const char **argv) - "application/x-x509-ca-ra-cert") != 0)) { - printf(_("Server reply was of unexpected MIME type " - "\"%s\".\n"), content_type); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - if (racert == NULL) { - racertp = &racert; -@@ -710,7 +719,8 @@ main(int argc, const char **argv) - n_buffers + 1); - if ((buffers == NULL) || (lengths == NULL)) { - fprintf(stderr, "Out of memory.\n"); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - buffers[n_buffers] = (unsigned char *) racert; - lengths[n_buffers] = strlen(racert); -@@ -727,7 +737,8 @@ main(int argc, const char **argv) - n_buffers + 1); - if ((buffers == NULL) || (lengths == NULL)) { - fprintf(stderr, "Out of memory.\n"); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - buffers[n_buffers] = (unsigned char *) cacert; - lengths[n_buffers] = strlen(cacert); -@@ -741,7 +752,8 @@ main(int argc, const char **argv) - n_buffers + 1); - if ((buffers == NULL) || (lengths == NULL)) { - fprintf(stderr, "Out of memory.\n"); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - buffers[n_buffers] = (unsigned char *) results; - lengths[n_buffers] = results_length; -@@ -755,7 +767,8 @@ main(int argc, const char **argv) - n_buffers + 1); - if ((buffers == NULL) || (lengths == NULL)) { - fprintf(stderr, "Out of memory.\n"); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - buffers[n_buffers] = (unsigned char *) results2; - lengths[n_buffers] = results_length2; -@@ -850,7 +863,8 @@ main(int argc, const char **argv) - n_buffers + 1); - if ((buffers == NULL) || (lengths == NULL)) { - fprintf(stderr, "Out of memory.\n"); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - buffers[n_buffers] = (unsigned char *) results2; - lengths[n_buffers] = results_length2; -@@ -882,11 +896,11 @@ main(int argc, const char **argv) - } - } - } -- talloc_free(ctx); -- return CM_SUBMIT_STATUS_ISSUED; -+ rval = CM_SUBMIT_STATUS_ISSUED; -+ goto done; - } else { -- talloc_free(ctx); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - break; - case op_get_cert_initial: -@@ -957,42 +971,50 @@ main(int argc, const char **argv) - fprintf(stderr, "%s", s); - cm_log(1, "%s", s); - free(s); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - if ((msgtype == NULL) || - (strcmp(msgtype, SCEP_MSGTYPE_CERTREP) != 0)) { - printf(_("Error: reply was not a CertRep (%s).\n"), - msgtype ? msgtype : "none"); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - if (tx == NULL) { - printf(_("Error: reply is missing transactionId.\n")); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - if (sent_tx != NULL) { - if (strcmp(sent_tx, tx) != 0) { - printf(_("Error: reply contains a " - "different transactionId.\n")); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - } - if (pkistatus == NULL) { - printf(_("Error: reply is missing pkiStatus.\n")); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - if (recipient_nonce == NULL) { - printf(_("Error: reply is missing recipientNonce.\n")); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - if ((recipient_nonce_length != sent_nonce_length) || - (memcmp(recipient_nonce, sent_nonce, - sent_nonce_length) != 0)) { - printf(_("Error: reply nonce doesn't match request.\n")); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - if (sender_nonce == NULL) { - printf(_("Error: reply is missing senderNonce.\n")); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - if (strcmp(pkistatus, SCEP_PKISTATUS_PENDING) == 0) { - if (verbose > 0) { -@@ -1002,7 +1024,8 @@ main(int argc, const char **argv) - s = cm_store_base64_from_bin(ctx, sender_nonce, - sender_nonce_length); - printf("%s\n", s); -- return CM_SUBMIT_STATUS_WAIT; -+ rval = CM_SUBMIT_STATUS_WAIT; -+ goto done; - } else - if (strcmp(pkistatus, SCEP_PKISTATUS_FAILURE) == 0) { - if (verbose > 0) { -@@ -1050,7 +1073,8 @@ main(int argc, const char **argv) - printf(_("Server returned failure code \"%s\".\n"), - failinfo); - } -- return CM_SUBMIT_STATUS_REJECTED; -+ rval = CM_SUBMIT_STATUS_REJECTED; -+ goto done; - } else - if (strcmp(pkistatus, SCEP_PKISTATUS_SUCCESS) == 0) { - if (verbose > 0) { -@@ -1067,7 +1091,8 @@ main(int argc, const char **argv) - s = cm_submit_u_pem_from_base64("PKCS7", 0, s); - fprintf(stderr, "Full reply:\n%s", s); - free(s); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - if (!PKCS7_type_is_enveloped(p7)) { - printf(_("Error: signed-data payload is not enveloped-data.\n")); -@@ -1079,7 +1104,8 @@ main(int argc, const char **argv) - s = cm_submit_u_pem_from_base64("PKCS7", 0, s); - fprintf(stderr, "Full reply:\n%s", s); - free(s); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - if ((p7->d.enveloped == NULL) || - (p7->d.enveloped->enc_data == NULL) || -@@ -1094,29 +1120,42 @@ main(int argc, const char **argv) - s = cm_submit_u_pem_from_base64("PKCS7", 0, s); - fprintf(stderr, "Full reply:\n%s", s); - free(s); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - s = cm_store_base64_from_bin(ctx, payload, - payload_length); - s = cm_submit_u_pem_from_base64("PKCS7", 0, s); - printf("%s", s); - free(s); -- return CM_SUBMIT_STATUS_ISSUED; -+ rval = CM_SUBMIT_STATUS_ISSUED; -+ goto done; - } else { - if (verbose > 0) { - fprintf(stderr, "SCEP status is \"%s\".\n", pkistatus); - } - printf(_("Error: pkiStatus \"%s\" not recognized.\n"), - pkistatus); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - } else { - printf(_("Server reply was of unexpected MIME type " - "\"%s\".\n"), content_type); - printf("Full reply:\n%.*s", results_length2, results2); -- return CM_SUBMIT_STATUS_UNREACHABLE; -+ rval = CM_SUBMIT_STATUS_UNREACHABLE; -+ goto done; - } - break; - } -- return CM_SUBMIT_STATUS_UNCONFIGURED; -+ -+done: -+ if (pctx) { -+ poptFreeContext(pctx); -+ } -+ free(cainfo); -+ free(id); -+ cm_submit_h_cleanup(hctx); -+ talloc_free(ctx); -+ return rval; - } -diff --git a/src/submit-h.c b/src/submit-h.c -index 33f9b39..9b507db 100644 ---- a/src/submit-h.c -+++ b/src/submit-h.c -@@ -298,6 +298,15 @@ cm_submit_h_result_type(struct cm_submit_h_context *ctx) - return ret; - } - -+void -+cm_submit_h_cleanup(struct cm_submit_h_context *ctx) -+{ -+ -+ if (ctx != NULL && ctx->curl != NULL) { -+ curl_easy_cleanup(ctx->curl); -+ } -+} -+ - #ifdef CM_SUBMIT_H_MAIN - int - main(int argc, const char **argv) -@@ -307,7 +316,7 @@ main(int argc, const char **argv) - enum cm_submit_h_opt_negotiate negotiate; - enum cm_submit_h_opt_delegate negotiate_delegate; - enum cm_submit_h_opt_clientauth clientauth; -- int c, fd, l, verbose = 0, length = 0; -+ int c, fd, l, verbose = 0, length = 0, rval = 0; - char *ctype, *accept, *capath, *cainfo, *sslcert, *sslkey, *sslpass; - char *pinfile; - const char *method, *url; -@@ -423,6 +432,8 @@ main(int argc, const char **argv) - cm_submit_h_result_code(ctx), - cm_submit_h_result_code_text(ctx)); - } -- return cm_submit_h_result_code(ctx); -+ rval = cm_submit_h_result_code(ctx); -+ cm_submit_h_cleanup(ctx); -+ return rval; - } - #endif -diff --git a/src/submit-h.h b/src/submit-h.h -index 1283c53..931cc89 100644 ---- a/src/submit-h.h -+++ b/src/submit-h.h -@@ -61,5 +61,6 @@ int cm_submit_h_result_code(struct cm_submit_h_context *ctx); - const char *cm_submit_h_result_code_text(struct cm_submit_h_context *ctx); - const char *cm_submit_h_results(struct cm_submit_h_context *ctx, int *length); - const char *cm_submit_h_result_type(struct cm_submit_h_context *ctx); -+void cm_submit_h_cleanup(struct cm_submit_h_context *ctx); - - #endif --- -2.21.1 - diff --git a/SOURCES/0036-Re-order-the-way-the-SCEP-signing-and-CA-certs-are-c.patch b/SOURCES/0036-Re-order-the-way-the-SCEP-signing-and-CA-certs-are-c.patch deleted file mode 100644 index 6ae4b78..0000000 --- a/SOURCES/0036-Re-order-the-way-the-SCEP-signing-and-CA-certs-are-c.patch +++ /dev/null @@ -1,232 +0,0 @@ -From b3dad1c94f2fca289fdf22ded38a1f1463bab95f Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Wed, 15 Apr 2020 17:16:42 -0400 -Subject: [PATCH 36/39] Re-order the way the SCEP signing and CA certs are - collected - -Put cacert into the ca store, the racert at the top of the -othercerts list. Then we parse certs, placing all ca certs -we find into the ca store, and all other certs we find after -the racert. - -Variables are renamed to match the cm_pkcs7_parse() and -cm_pkcs7_verify_signed() calls. - -A special case for IPA (dogtag) was added because dogtag -uses its CA cert to sign the PKCS7 so it is both an RA cert -and a CA cert. If a self-signed CA is detected and no other -certs are provided then the CA is treated as the RA. - -https://bugzilla.redhat.com/show_bug.cgi?id=1808052 - -Graham Leggett did the majority of the work on this patch. ---- - src/pkcs7.c | 18 +++++++++ - src/pkcs7.h | 1 + - src/scep.c | 104 +++++++++++++++++++++++++++++++++++----------------- - 3 files changed, 89 insertions(+), 34 deletions(-) - -diff --git a/src/pkcs7.c b/src/pkcs7.c -index 29420b9..f81174f 100644 ---- a/src/pkcs7.c -+++ b/src/pkcs7.c -@@ -1189,3 +1189,21 @@ done: - } - return ret; - } -+ -+/* Return 0 if we think "issuer" could have issued "issued", which includes -+ * self-signing. */ -+int -+cm_selfsigned(char *cert) -+{ -+ BIO *in; -+ X509 *c; -+ -+ in = BIO_new_mem_buf(cert, -1); -+ if (in == NULL) { -+ cm_log(0, "Out of memory.\n"); -+ return 1; -+ } -+ c = PEM_read_bio_X509(in, NULL, NULL, NULL); -+ BIO_free(in); -+ return(issuerissued(c, c)); -+} -diff --git a/src/pkcs7.h b/src/pkcs7.h -index fae52f8..cbde1bc 100644 ---- a/src/pkcs7.h -+++ b/src/pkcs7.h -@@ -62,6 +62,7 @@ int cm_pkcs7_verify_signed(unsigned char *data, size_t length, - unsigned char **recipient_nonce, - size_t *recipient_nonce_length, - unsigned char **payload, size_t *payload_length); -+int cm_selfsigned(char *cert); - - void log_pkcs7_errors(int level, char *msg); - -diff --git a/src/scep.c b/src/scep.c -index 4d00692..b80278e 100644 ---- a/src/scep.c -+++ b/src/scep.c -@@ -211,12 +211,12 @@ main(int argc, const char **argv) - const char *mode = NULL, *content_type = NULL, *content_type2 = NULL; - void *ctx; - char *params = "", *params2 = NULL, *racert = NULL, *cacert = NULL; -- char **othercerts = NULL, *cert1 = NULL, *cert2 = NULL, *certs = NULL; -+ char **certothers = NULL, *certleaf = NULL, *certtop = NULL, *certs = NULL; - char **racertp, **cacertp, *dracert = NULL, *dcacert = NULL; - char buf[LINE_MAX] = ""; - const unsigned char **buffers = NULL; - size_t n_buffers = 0, *lengths = NULL, j; -- const char *cacerts[3], **racerts; -+ const char *root[3], **othercerts; - dbus_bool_t missing_args = FALSE; - char *sent_tx, *tx, *msgtype, *pkistatus, *failinfo, *s, *tmp1, *tmp2; - unsigned char *sent_nonce, *sender_nonce, *recipient_nonce, *payload; -@@ -871,27 +871,27 @@ main(int argc, const char **argv) - n_buffers++; - } - if (cm_pkcs7_parsev(CM_PKCS7_LEAF_PREFER_ENCRYPT, ctx, -- racertp, cacertp, &othercerts, -+ racertp, cacertp, &certothers, - NULL, NULL, - n_buffers, buffers, lengths) == 0) { - if (racert != NULL) { - printf("%s", racert); - if (cacert != NULL) { - printf("%s", cacert); -- if (othercerts != NULL) { -+ if (certothers != NULL) { - for (c = 0; -- othercerts[c] != NULL; -+ certothers[c] != NULL; - c++) { - printf("%s", -- othercerts[c]); -+ certothers[c]); - } - } - if ((dracert != NULL) && -- (cert_among(dracert, racert, cacert, othercerts) != 0)) { -+ (cert_among(dracert, racert, cacert, certothers) != 0)) { - printf("%s", dracert); - } - if ((dcacert != NULL) && -- (cert_among(dcacert, racert, cacert, othercerts) != 0)) { -+ (cert_among(dcacert, racert, cacert, certothers) != 0)) { - printf("%s", dcacert); - } - } -@@ -907,47 +907,83 @@ main(int argc, const char **argv) - case op_pkcsreq: - if ((content_type2 != NULL) && (strcasecmp(content_type2, - "application/x-pki-message") == 0)) { -- memset(&cacerts, 0, sizeof(cacerts)); -- cacerts[0] = cacert ? cacert : racert; -- cacerts[1] = cacert ? racert : NULL; -- cacerts[2] = NULL; -- racerts = NULL; -+ /* -+ * At this point, we have: -+ * - zero or more ra certs; and -+ * - zero or more ca certificates; and -+ * - zero or more other certificates; that -+ * need to be reordered so that the leaf -+ * certificates go first, the ca certificates -+ * are separated into a seperate certificate -+ * store, and the other certificates go after -+ * the leaf certificates. -+ * -+ * To do this we put cacert into the ca store, -+ * the racert at the top of the othercerts list. -+ * Then we parse certs, placing all ca certs -+ * we find into the ca store, and all other -+ * certs we find after the racert. -+ * -+ * As a limitation of cm_pkcs7_parse(), we -+ * can only isolate one ca certificate in the -+ * list of other certificates. -+ */ -+ /* handle the other certs */ - if ((certs != NULL) && - (cm_pkcs7_parse(0, ctx, -- &cert1, &cert2, &othercerts, -+ &certleaf, &certtop, &certothers, - NULL, NULL, - (const unsigned char *) certs, - strlen(certs), NULL) == 0)) { -- for (c = 0; -- (othercerts != NULL) && -- (othercerts[c] != NULL); -- c++) { -- continue; -+ /* Special case for IPA which uses dogtag which signs SCEP -+ * certs using the CA cert and the typical way to get -+ * verification to work is to use -I /etc/ipa/ca.crt. -+ * Because cm_pkcs7_parse explicitly doesn't allow -+ * certleaf to equal certtop we end up with no CAs so verification -+ * fails. -+ * -+ * So if cacert and certleaf are both NULL and certtop is -+ * self-signed then assume the IPA case and set certtop equal -+ * to certleaf. -+ */ -+ if ((cacert == NULL) && (certtop == NULL) && (certleaf != NULL)) { -+ if (cm_selfsigned(certleaf) == 0) { -+ certtop = certleaf; -+ } - } -- racerts = talloc_array_ptrtype(ctx, racerts, c + 5); -+ memset(&root, 0, sizeof(root)); -+ root[0] = cacert ? cacert : certtop ? certtop : NULL; -+ root[1] = cacert ? certtop : NULL; -+ root[2] = NULL; - for (c = 0; -- (othercerts != NULL) && -- (othercerts[c] != NULL); -+ (certothers != NULL) && -+ (certothers[c] != NULL); - c++) { -- racerts[c] = othercerts[c]; -- } -- if (cacert != NULL) { -- racerts[c++] = cacert; -+ continue; - } -- if (cert1 != NULL) { -- racerts[c++] = cert1; -+ othercerts = talloc_array_ptrtype(ctx, othercerts, c + 3); -+ c = 0; -+ if (racert != NULL) { -+ othercerts[c++] = racert; - } -- if (cert2 != NULL) { -- racerts[c++] = cert2; -+ if (certleaf != NULL) { -+ othercerts[c++] = certleaf; - } -- if (racert != NULL) { -- racerts[c++] = racert; -+ while (certothers != NULL && *certothers != NULL) { -+ othercerts[c++] = *certothers++; - } -- racerts[c++] = NULL; -+ othercerts[c++] = NULL; -+ } -+ else { -+ root[0] = cacert; -+ root[1] = NULL; -+ othercerts = talloc_array_ptrtype(ctx, othercerts, 2); -+ othercerts[0] = racert ? racert : NULL; -+ othercerts[1] = NULL; - } - ERR_clear_error(); - i = cm_pkcs7_verify_signed((unsigned char *) results2, results_length2, -- cacerts, racerts, -+ root, othercerts, - NID_pkcs7_data, ctx, NULL, - &tx, &msgtype, &pkistatus, &failinfo, - &sender_nonce, &sender_nonce_length, --- -2.21.1 - diff --git a/SOURCES/0037-Add-new-option-to-allow-overriding-the-detected-SCEP.patch b/SOURCES/0037-Add-new-option-to-allow-overriding-the-detected-SCEP.patch deleted file mode 100644 index 300bbfc..0000000 --- a/SOURCES/0037-Add-new-option-to-allow-overriding-the-detected-SCEP.patch +++ /dev/null @@ -1,173 +0,0 @@ -From 37ebf87fb6fc93d445139310a1c89b98f3f514de Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Wed, 29 Apr 2020 16:29:50 -0400 -Subject: [PATCH 37/39] Add new option to allow overriding the detected SCEP CA - chain - -The -R option was doing double-duty for the SCEP CA. - -1. It was required if the SCEP URL used TLS -2. It override the CA certificate downloaded from the SCEP server - -If the chains were different then validating the SCEP responses would -fail. - -https://bugzilla.redhat.com/show_bug.cgi?id=1808613 ---- - src/certmonger-scep-submit.8.in | 14 +++++++++----- - src/getcert-add-scep-ca.1.in | 12 ++++++++---- - src/getcert.c | 6 +++++- - src/scep.c | 13 ++++++------- - 4 files changed, 28 insertions(+), 17 deletions(-) - -diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in -index 95d674a..42ffcd6 100644 ---- a/src/certmonger-scep-submit.8.in -+++ b/src/certmonger-scep-submit.8.in -@@ -8,6 +8,7 @@ scep-submit -u SERVER-URL - [-r ra-cert-file] - [-R ca-cert-file] - [-I other-certs-file] -+[-N ca-cert-file] - [-i ca-identifier] - [-v] - [-n] -@@ -57,11 +58,14 @@ typically \fIhttp://\fBSERVER\fP/cgi-bin/PKICLIENT.EXE\fR or - always required. - .TP - \fB\-R\fR CA-certificate-file --The location of the SCEP server's CA certificate, which was used to --issue the SCEP server's certificate, or the SCEP server's own --certificate, if it is self-signed, in PEM form. If the URL specified --with the \fB-u\fR option is an \fIhttps\fR URL, then this option is --required. -+The location of the CA certificate which was used to issue the SCEP web -+server's certificate in PEM form. If the URL specified with the -+\fB-u\fR option is an \fIhttps\fR URL, then this option is required. -+.TP -+\fB\-N\fR ca-certificate-file -+The location of a PEM-formatted copy of the SCEP server's CA certificate. -+A discovered value is normally supplied by the certmonger daemon, but one can -+be specified for troubleshooting purposes. - .TP - \fB\-r\fR RA-certificate-file - The location of the SCEP server's RA certificate, which is expected to -diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in -index 11ab4ce..bf07306 100644 ---- a/src/getcert-add-scep-ca.1.in -+++ b/src/getcert-add-scep-ca.1.in -@@ -24,12 +24,16 @@ The location of the SCEP server's enrollment interface. This option must be - specified. - .TP - \fB\-R\fR ca-certificate-file --The location of a PEM-formatted copy of the SCEP server's CA's certificate. --A discovered value is supplied by the certmonger daemon for use in verifying --the signature on data returned by the SCEP server, but it is not used for --verifying HTTPS server certificates. -+The location of a PEM-formatted copy of the CA's certificate used to verify -+the TLS connection the SCEP server. -+ - This option must be specified if the URL is an \fIhttps\fR location. - .TP -+\fB\-N\fR ca-certificate-file -+The location of a PEM-formatted copy of the SCEP server's CA certificate. -+A discovered value is normally supplied by the certmonger daemon, but one can -+be specified for troubleshooting purposes. -+.TP - \fB\-r\fR ra-certificate-file - The location of a PEM-formatted copy of the SCEP server's RA's certificate. - A discovered value is normally supplied by the certmonger daemon, but one can -diff --git a/src/getcert.c b/src/getcert.c -index 3d78a73..493771f 100644 ---- a/src/getcert.c -+++ b/src/getcert.c -@@ -4496,6 +4496,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv) - enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS; - char *caname = NULL, *url = NULL, *path = NULL, *id = NULL; - char *root = NULL, *racert = NULL, *certs = NULL, *nickname, *command; -+ char *signingca = NULL; - const char *err; - int c, prefer_non_renewal = 0, verbose = 0; - dbus_bool_t b; -@@ -4508,6 +4509,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv) - {"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME}, - {"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME}, - {"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME}, -+ {"signingca", 'N', POPT_ARG_STRING, NULL, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME}, - {"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL}, - {"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL}, - {"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL}, -@@ -4569,7 +4571,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv) - return 1; - } - command = talloc_asprintf(globals.tctx, -- "%s -u %s %s %s %s %s %s %s %s", -+ "%s -u %s %s %s %s %s %s %s %s %s %s", - shell_escape(globals.tctx, - CM_SCEP_HELPER_PATH), - shell_escape(globals.tctx, url), -@@ -4579,6 +4581,8 @@ add_scep_ca(const char *argv0, int argc, const char **argv) - racert ? shell_escape(globals.tctx, racert) : "", - certs ? "-I" : "", - certs ? shell_escape(globals.tctx, certs) : "", -+ signingca ? "-N" : "", -+ signingca ? shell_escape(globals.tctx, signingca) : "", - prefer_non_renewal ? "-n" : ""); - for (c = 0; c < verbose; c++) { - command = talloc_strdup_append(command, " -v"); -diff --git a/src/scep.c b/src/scep.c -index b80278e..4294cda 100644 ---- a/src/scep.c -+++ b/src/scep.c -@@ -206,7 +206,6 @@ main(int argc, const char **argv) - enum known_ops op = op_unset; - const char *id = NULL; - char *cainfo = NULL; -- char *poptarg; - char *message = NULL, *rekey_message = NULL; - const char *mode = NULL, *content_type = NULL, *content_type2 = NULL; - void *ctx; -@@ -235,8 +234,9 @@ main(int argc, const char **argv) - {"get-initial-cert", 'g', POPT_ARG_NONE, NULL, 'g', "send a PKIOperation pkiMessage", NULL}, - {"pki-message", 'p', POPT_ARG_NONE, NULL, 'p', "send a PKIOperation pkiMessage", NULL}, - {"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"}, -- {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying responses", "FILENAME"}, -+ {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying TLS connections", "FILENAME"}, - {"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', "additional certificates", "FILENAME"}, -+ {"signingca", 'N', POPT_ARG_STRING, NULL, 'N', "the CA certificate which signed the RA certificate", "FILENAME"}, - {"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, "prefer to not use the SCEP Renewal feature", NULL}, - {"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL}, - POPT_AUTOHELP -@@ -329,9 +329,10 @@ main(int argc, const char **argv) - racert = cm_submit_u_from_file(poptGetOptArg(pctx)); - break; - case 'R': -- poptarg = poptGetOptArg(pctx); -- cainfo = strdup(poptarg); -- cacert = cm_submit_u_from_file(poptarg); -+ cainfo = poptGetOptArg(pctx); -+ break; -+ case 'N': -+ cacert = cm_submit_u_from_file(poptGetOptArg(pctx)); - break; - case 'I': - certs = cm_submit_u_from_file(poptGetOptArg(pctx)); -@@ -340,7 +341,6 @@ main(int argc, const char **argv) - } - if (c != -1) { - poptPrintUsage(pctx, stdout, 0); -- free(cainfo); - return CM_SUBMIT_STATUS_UNCONFIGURED; - } - -@@ -1189,7 +1189,6 @@ done: - if (pctx) { - poptFreeContext(pctx); - } -- free(cainfo); - free(id); - cm_submit_h_cleanup(hctx); - talloc_free(ctx); --- -2.21.1 - diff --git a/SOURCES/0038-Include-template-profile-issuer-and-MS-cert-template.patch b/SOURCES/0038-Include-template-profile-issuer-and-MS-cert-template.patch deleted file mode 100644 index 70f75aa..0000000 --- a/SOURCES/0038-Include-template-profile-issuer-and-MS-cert-template.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 914164383085c6559f0f5fe608385c3024095f74 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Wed, 29 Apr 2020 16:33:35 -0400 -Subject: [PATCH 38/39] Include template-profile, issuer and MS cert template - in output - ---- - src/getcert.c | 16 ++++++++++++++++ - tests/028-dbus/expected.out | 1 + - 2 files changed, 17 insertions(+) - -diff --git a/src/getcert.c b/src/getcert.c -index 493771f..42281af 100644 ---- a/src/getcert.c -+++ b/src/getcert.c -@@ -3882,6 +3882,22 @@ list(const char *argv0, int argc, const char **argv) - printf("\t\t%s\n", as[j]); - } - } -+ s1 = query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE, -+ CM_DBUS_PROP_TEMPLATE_PROFILE, verbose, globals.tctx); -+ if (s1 != NULL && strlen(s1) > 0) { -+ printf(_("\tprofile: %s\n"), s1); -+ } -+ s1 = query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE, -+ CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE, -+ verbose, globals.tctx); -+ if (s1 != NULL && strlen(s1) > 0) { -+ printf(_("\tms v2 template: %s\n"), s1); -+ } -+ s1 = query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE, -+ CM_DBUS_PROP_TEMPLATE_ISSUER, verbose, globals.tctx); -+ if (s1 != NULL && strlen(s1) > 0) { -+ printf(_("\tissuer template: %s\n"), s1); -+ } - printf(_("\tpre-save command: %s\n"), - query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE, - CM_DBUS_PROP_CERT_PRESAVE_COMMAND, verbose, globals.tctx)); -diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out -index 1d8bec4..a25eb34 100644 ---- a/tests/028-dbus/expected.out -+++ b/tests/028-dbus/expected.out -@@ -15,6 +15,7 @@ Request ID 'Buddy': - key usage: digitalSignature,dataEncipherment - eku: id-kp-serverAuth - certificate template/profile: SomeProfileName -+ profile: SomeProfileName - pre-save command: echo Pre - post-save command: echo Post - track: yes --- -2.21.1 - diff --git a/SOURCES/0039-Fix-broken-N-option-configuration.patch b/SOURCES/0039-Fix-broken-N-option-configuration.patch deleted file mode 100644 index 3717bb6..0000000 --- a/SOURCES/0039-Fix-broken-N-option-configuration.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 97ede42bda0cb8a983de30fc0608763ae6c2199f Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Wed, 29 Apr 2020 16:34:53 -0400 -Subject: [PATCH 39/39] Fix broken -N option configuration - -There was an extra NULL value which caused it to not work. ---- - src/getcert.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/getcert.c b/src/getcert.c -index 42281af..5c8dc94 100644 ---- a/src/getcert.c -+++ b/src/getcert.c -@@ -4525,7 +4525,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv) - {"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME}, - {"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME}, - {"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME}, -- {"signingca", 'N', POPT_ARG_STRING, NULL, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME}, -+ {"signingca", 'N', POPT_ARG_STRING, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME}, - {"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL}, - {"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL}, - {"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL}, --- -2.21.1 - diff --git a/SOURCES/0040-Address-an-include-issue-discovered-by-coverity.patch b/SOURCES/0040-Address-an-include-issue-discovered-by-coverity.patch deleted file mode 100644 index 37e80b3..0000000 --- a/SOURCES/0040-Address-an-include-issue-discovered-by-coverity.patch +++ /dev/null @@ -1,52 +0,0 @@ -From c9c326e1878a377ce4193aaa4b1b41cb711b5e48 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 30 Apr 2020 12:46:41 -0400 -Subject: [PATCH] Address an include issue discovered by coverity - -nspr.h isn't included so use PORT_ErrorToString() instead -of PR_ErrorToString(), and remain consistent with the -other PORT calls even though they directly translate -to their NSPR equivalents. - -Also remove a couple of unused variables in pkcs7.c ---- - src/pkcs7.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/src/pkcs7.c b/src/pkcs7.c -index f81174f..a569256 100644 ---- a/src/pkcs7.c -+++ b/src/pkcs7.c -@@ -57,6 +57,9 @@ - #define _(_text) (_text) - #endif - -+/* taken from nspr4.h */ -+#define PR_LANGUAGE_I_DEFAULT 0 /* i-default, the default language */ -+ - /* Return 0 if we think "issuer" could have issued "issued", which includes - * self-signing. */ - static int -@@ -289,7 +292,7 @@ log_pkcs7_errors(int level, char *msg) - } - nss_err = PORT_GetError(); - if (nss_err < 0) { -- cm_log(level, "%d: %s\n", nss_err, PR_ErrorToString(nss_err, 0)); -+ cm_log(level, "%d: %s\n", nss_err, PORT_ErrorToString(nss_err)); - } - } - -@@ -929,9 +932,8 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, - PKCS7_SIGNER_INFO *si; - BIO *in, *out = NULL; - const unsigned char *u; -- char *s, buf[LINE_MAX], *p, *q; -+ char *s, *p, *q; - int ret = -1, i; -- long error; - - if (digest != NULL) { - *digest = NULL; --- -2.21.1 - diff --git a/SOURCES/0041-Ensure-that-files-read-in-have-a-trailing-new-line.patch b/SOURCES/0041-Ensure-that-files-read-in-have-a-trailing-new-line.patch deleted file mode 100644 index b445f6e..0000000 --- a/SOURCES/0041-Ensure-that-files-read-in-have-a-trailing-new-line.patch +++ /dev/null @@ -1,237 +0,0 @@ -From c9fce72e17b7afa389205d946e5ca7bef997be60 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Wed, 29 Apr 2020 13:26:14 -0400 -Subject: [PATCH] Ensure that files read in have a trailing new-line - -In SCEP when retrieving the CA chain the certificates passed in -on the command-line (RA agent and CA cert) area printed along with -the contents of what was retrieved remotely. - -If one of the filesystem certificates lacks a newline then the -output will be jumbled like: - ------END CERTIFICATE----------BEGIN CERTIFICATE-----\n - -https://bugzilla.redhat.com/show_bug.cgi?id=1814976 ---- - src/submit-u.c | 11 +++++++ - tests/039-fromfile/expected.out | 4 +++ - tests/039-fromfile/run.sh | 55 +++++++++++++++++++++++++++++++++ - tests/Makefile.am | 10 ++++-- - tests/tools/Makefile.am | 6 +++- - tests/tools/fromfile.c | 52 +++++++++++++++++++++++++++++++ - 6 files changed, 134 insertions(+), 4 deletions(-) - create mode 100644 tests/039-fromfile/expected.out - create mode 100755 tests/039-fromfile/run.sh - create mode 100644 tests/tools/fromfile.c - -diff --git a/src/submit-u.c b/src/submit-u.c -index b0b45ba..dca23a7 100644 ---- a/src/submit-u.c -+++ b/src/submit-u.c -@@ -100,6 +100,17 @@ cm_submit_u_from_file(const char *filename) - } - if (csr == NULL) { - csr = strdup(""); -+ } else { -+ int length = strlen(csr); -+ if (csr[length-1] != '\n') { -+ length += 1; -+ csr = realloc(csr, length + 1); -+ if (csr == NULL) { -+ return NULL; -+ } -+ csr[length - 1] = '\n'; -+ csr[length] = '\0'; -+ } - } - return csr; - } -diff --git a/tests/039-fromfile/expected.out b/tests/039-fromfile/expected.out -new file mode 100644 -index 0000000..9191a57 ---- /dev/null -+++ b/tests/039-fromfile/expected.out -@@ -0,0 +1,4 @@ -+[trailing_nl] -+Ok -+[no_trailing_nl] -+Ok -diff --git a/tests/039-fromfile/run.sh b/tests/039-fromfile/run.sh -new file mode 100755 -index 0000000..8bae773 ---- /dev/null -+++ b/tests/039-fromfile/run.sh -@@ -0,0 +1,55 @@ -+#!/bin/bash -e -+ -+cd $tmpdir -+ -+cat > $tmpdir/trailing_nl <<- EOF -+-----BEGIN CERTIFICATE----- -+MIIDjjCCAnagAwIBAgIRAO1VmyXYM0f7pbXVdEGtRPMwDQYJKoZIhvcNAQELBQAw -+UDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRob3JpdHkxLDAqBgNVBAMMI2Vk -+NTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0NGYzMB4XDTE1MDQyODE3MDk0 -+OFoXDTE2MDQyODE3MDk0OFowUDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRo -+b3JpdHkxLDAqBgNVBAMMI2VkNTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0 -+NGYzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5c/LhlyBs0UUiDSy -+nrC+Q0WJkWZeQ/kqwniru+GlXgb3g+7VvyAfdZ45NiBdo/6xXyCLphK0g8oZLyi8 -+OwQQoUyVMn9gsGXbjlwSzjXKx3wdUM+lFpenx8iQS9aCfVQJ4tzFgM1pQBQ2AiHs -+jvU18xSFSZApjT5UIK35kyH22D8LhCGGYLaU3xFEfHvd0AOuXwm5Nsiu/HTsSV4N -+peUdFEmFzQwUEUdV2jKOPcXnOArV82vfpdp1nSCX3kruEb9G93VsmQ+9ebKXQRQE -+Ltd65e/EYtXvihuTtElLYuyYZlYJdbTZeLXB4YLvElgNkS9JK7RKHlCm0KYQmcmd -+GZSh8QIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQEBMB0GA1UdDgQWBBRLxeFy3+RS -+FloygyjlXa6YEv8ltzAfBgNVHSMEGDAWgBRLxeFy3+RSFloygyjlXa6YEv8ltzAO -+BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAH9A9ePIqZGF4VEo5D4j -+MuOJ1J4uTRxHoEGXCDRcuCn3RvT0civWEPpRNo1YVgAWFODpt/HSi3lCVtTb7FwJ -+hfHkxCpAuHmv3sfT8jcCwTTAXL1BLpCO6d0zz0RrFMNK+vGyZu/7LXhaYVu590Q5 -+1DMybHmln7i+Tw/eYb4Avk1FWGOEpNdf3ZjUazcDlkO4EwA6BnZUC8gFvz0OI73D -+AJsGq/UsJvMH30ga1rZ/9LiHEMSEys5amk98yMRvi/R1qI02kjANdZ0ID/7cJSw2 -+rVCCs61jgYppWv3JHVKYmm6+cVPAUcuRdsUzDpAQDdvGAaZJENE6suulRVEaBEdS -+8gM= -+-----END CERTIFICATE----- -+EOF -+cat > $tmpdir/no_trailing_nl <<- EOF -+-----BEGIN CERTIFICATE----- -+MIIDjjCCAnagAwIBAgIRAO1VmyXYM0f7pbXVdEGtRPMwDQYJKoZIhvcNAQELBQAw -+UDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRob3JpdHkxLDAqBgNVBAMMI2Vk -+NTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0NGYzMB4XDTE1MDQyODE3MDk0 -+OFoXDTE2MDQyODE3MDk0OFowUDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRo -+b3JpdHkxLDAqBgNVBAMMI2VkNTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0 -+NGYzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5c/LhlyBs0UUiDSy -+nrC+Q0WJkWZeQ/kqwniru+GlXgb3g+7VvyAfdZ45NiBdo/6xXyCLphK0g8oZLyi8 -+OwQQoUyVMn9gsGXbjlwSzjXKx3wdUM+lFpenx8iQS9aCfVQJ4tzFgM1pQBQ2AiHs -+jvU18xSFSZApjT5UIK35kyH22D8LhCGGYLaU3xFEfHvd0AOuXwm5Nsiu/HTsSV4N -+peUdFEmFzQwUEUdV2jKOPcXnOArV82vfpdp1nSCX3kruEb9G93VsmQ+9ebKXQRQE -+Ltd65e/EYtXvihuTtElLYuyYZlYJdbTZeLXB4YLvElgNkS9JK7RKHlCm0KYQmcmd -+GZSh8QIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQEBMB0GA1UdDgQWBBRLxeFy3+RS -+FloygyjlXa6YEv8ltzAfBgNVHSMEGDAWgBRLxeFy3+RSFloygyjlXa6YEv8ltzAO -+BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAH9A9ePIqZGF4VEo5D4j -+MuOJ1J4uTRxHoEGXCDRcuCn3RvT0civWEPpRNo1YVgAWFODpt/HSi3lCVtTb7FwJ -+hfHkxCpAuHmv3sfT8jcCwTTAXL1BLpCO6d0zz0RrFMNK+vGyZu/7LXhaYVu590Q5 -+1DMybHmln7i+Tw/eYb4Avk1FWGOEpNdf3ZjUazcDlkO4EwA6BnZUC8gFvz0OI73D -+AJsGq/UsJvMH30ga1rZ/9LiHEMSEys5amk98yMRvi/R1qI02kjANdZ0ID/7cJSw2 -+rVCCs61jgYppWv3JHVKYmm6+cVPAUcuRdsUzDpAQDdvGAaZJENE6suulRVEaBEdS -+8gM= -+EOF -+echo -n "-----END CERTIFICATE-----" >> $tmpdir/no_trailing_nl -+ -+$toolsdir/fromfile trailing_nl -+$toolsdir/fromfile no_trailing_nl -diff --git a/tests/Makefile.am b/tests/Makefile.am -index fe368dc..1552c48 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -127,7 +127,9 @@ CLEANFILES = \ - 037-rekey2/actual.out \ - 037-rekey2/actual.err \ - 038-ms-v2-template/actual.out \ -- 038-ms-v2-template/actual.err -+ 038-ms-v2-template/actual.err \ -+ 039-fromfile/actual.out \ -+ 039-fromfile/actual.err - EXTRA_DIST = \ - run-tests.sh functions certmonger.conf tools/cachain.sh \ - 001-keyiread/run.sh \ -@@ -349,7 +351,8 @@ EXTRA_DIST = \ - 037-rekey2/run.sh \ - 038-ms-v2-template/expected.out \ - 038-ms-v2-template/extract-extdata.py \ -- 038-ms-v2-template/run.sh -+ 038-ms-v2-template/run.sh \ -+ 039-fromfile/run.sh - - subdirs = \ - 001-keyiread \ -@@ -392,7 +395,8 @@ subdirs = \ - 035-json \ - 036-getcert \ - 037-rekey2 \ -- 038-ms-v2-template -+ 038-ms-v2-template \ -+ 039-fromfile - - if HAVE_DBM_NSSDB - subdirs += \ -diff --git a/tests/tools/Makefile.am b/tests/tools/Makefile.am -index 39fa954..e0d2f08 100644 ---- a/tests/tools/Makefile.am -+++ b/tests/tools/Makefile.am -@@ -16,7 +16,7 @@ endif - noinst_PROGRAMS = keyiread keygen csrgen submit certread certsave oid2name \ - name2oid iterate prefs dates listnicks pem2base base2pem \ - dparse payload checksig base64 cadata citerate casave hooks \ -- libexecdir canon srv addcinfo ls json json-utf8 printenv -+ libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile - noinst_LIBRARIES = libtools.a - if HAVE_OPENSSL - noinst_PROGRAMS += pk7parse pk7env scepgen pk7verify pk7decrypt -@@ -38,3 +38,7 @@ citerate_LDADD = $(top_srcdir)/src/store-gen.c $(LDADD) - - srv_SOURCES = srv.c - srv_LDADD = $(top_srcdir)/src/srvloc.c $(LDADD) -+ -+fromfile_CFLAGS = $(AM_CFLAGS) $(CURL_CFLAGS) -+fromfile_SOURCES = fromfile.c -+fromfile_LDADD = $(LDADD) $(UUID_LIBS) $(CURL_LIBS) -diff --git a/tests/tools/fromfile.c b/tests/tools/fromfile.c -new file mode 100644 -index 0000000..bb70507 ---- /dev/null -+++ b/tests/tools/fromfile.c -@@ -0,0 +1,52 @@ -+/* -+ * Copyright (C) 2020 Red Hat, Inc. -+ * -+ * This program is free software: you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation, either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program. If not, see . -+ */ -+ -+#include "../../src/config.h" -+ -+#include -+#include -+#include -+#include -+ -+#include -+ -+#include "../../src/submit-u.h" -+#include "../../src/submit-u.c" -+ -+int -+main(int argc, char **argv) -+{ -+ int i, result = 0; -+ char *cert; -+ -+ for (i = 1; i < argc; i++) { -+ printf("[%s]\n", argv[i]); -+ cert = cm_submit_u_from_file(argv[i]); -+ if (cert == NULL) { -+ printf("OOM error\n"); -+ result = 1; -+ } -+ else if (cert[strlen(cert) - 1] != '\n') { -+ printf("Missing trailing newline\n"); -+ result = 1; -+ } else { -+ printf("Ok\n"); -+ } -+ free(cert); -+ } -+ return result; -+} --- -2.18.4 - diff --git a/SOURCES/0042-Add-long-command-line-options-to-man-pages.patch b/SOURCES/0042-Add-long-command-line-options-to-man-pages.patch deleted file mode 100644 index 9feaf01..0000000 --- a/SOURCES/0042-Add-long-command-line-options-to-man-pages.patch +++ /dev/null @@ -1,4160 +0,0 @@ -From 2a6ede56ad8c29181fde7691904f226102d43e54 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 14 May 2020 14:15:17 -0400 -Subject: [PATCH 42/43] Add long command-line options to man pages - -The man pages almost universally only documented the short -options even though the long options were all defined in -the popt configuration. - -Also do a bit of minor bit of reformatting and added a lint -option. I'm not going to require mandoc as a requirement as -the linting is pretty minor at the moment but it's better than -nothing. - -https://bugzilla.redhat.com/show_bug.cgi?id=1782838 ---- - src/Makefile.am | 6 + - src/certmaster-getcert.1.in | 72 ++--- - src/certmonger-certmaster-submit.8.in | 59 ++-- - ...tmonger-dogtag-ipa-renew-agent-submit.8.in | 288 +++++++++++------- - src/certmonger-dogtag-submit.8.in | 252 ++++++++------- - src/certmonger-ipa-submit.8.in | 115 ++++--- - src/certmonger-local-submit.8.in | 62 ++-- - src/certmonger-scep-submit.8.in | 124 ++++---- - src/certmonger.8.in | 86 +++--- - src/certmonger.conf.5.in | 20 +- - src/getcert-add-ca.1.in | 48 +-- - src/getcert-add-scep-ca.1.in | 80 ++--- - src/getcert-list-cas.1.in | 44 +-- - src/getcert-list.1.in | 84 ++--- - src/getcert-modify-ca.1.in | 46 +-- - src/getcert-refresh-ca.1.in | 50 +-- - src/getcert-refresh.1.in | 52 ++-- - src/getcert-rekey.1.in | 107 ++++--- - src/getcert-remove-ca.1.in | 44 +-- - src/getcert-request.1.in | 157 ++++++---- - src/getcert-resubmit.1.in | 112 ++++--- - src/getcert-start-tracking.1.in | 134 ++++---- - src/getcert-status.1.in | 54 ++-- - src/getcert-stop-tracking.1.in | 65 ++-- - src/getcert.1.in | 54 ++-- - src/ipa-getcert.1.in | 74 ++--- - src/local-getcert.1.in | 76 ++--- - src/selfsign-getcert.1.in | 74 ++--- - 28 files changed, 1321 insertions(+), 1118 deletions(-) - -diff --git a/src/Makefile.am b/src/Makefile.am -index fe3b235..5343dbc 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -266,3 +266,9 @@ submit_h_CFLAGS = $(AM_CFLAGS) $(CURL_CFLAGS) $(XML_CFLAGS) -DCM_SUBMIT_H_MAIN - submit_h_SOURCES = submit-h.c submit-h.h log.c log.h tm.c tm.h - submit_h_LDADD = $(CURL_LIBS) $(XML_LIBS) $(TALLOC_LIBS) $(LTLIBICONV) \ - $(POPT_LIBS) -+ -+.PHONY: manlint -+manlint: $(man_MANS) -+ for page in $(MANS); do \ -+ mandoc -T lint $${page}; \ -+ done -diff --git a/src/certmaster-getcert.1.in b/src/certmaster-getcert.1.in -index ef1c14a..7a038f9 100644 ---- a/src/certmaster-getcert.1.in -+++ b/src/certmaster-getcert.1.in -@@ -1,20 +1,20 @@ --.TH certmonger 1 "23 November 2009" "certmonger Manual" -+.TH CERTMONGER 1 "November 23, 2009" "certmonger Manual" - - .SH NAME --certmaster-getcert -+certmaster\-getcert - - .SH SYNOPSIS -- certmaster-getcert request [options] -- certmaster-getcert resubmit [options] -- certmaster-getcert start-tracking [options] -- certmaster-getcert status [options] -- certmaster-getcert stop-tracking [options] -- certmaster-getcert list [options] -- certmaster-getcert list-cas [options] -- certmaster-getcert refresh-cas [options] -+ certmaster\-getcert request [options] -+ certmaster\-getcert resubmit [options] -+ certmaster\-getcert start\-tracking [options] -+ certmaster\-getcert status [options] -+ certmaster\-getcert stop\-tracking [options] -+ certmaster\-getcert list [options] -+ certmaster\-getcert list\-cas [options] -+ certmaster\-getcert refresh\-cas [options] - - .SH DESCRIPTION --The \fIcertmaster-getcert\fR tool issues requests to a @CM_DBUS_NAME@ -+The \fIcertmaster\-getcert\fR tool issues requests to a @CM_DBUS_NAME@ - service on behalf of the invoking user. It can ask the service to begin - enrollment, optionally generating a key pair to use, it can ask the - service to begin monitoring a certificate in a specified location for -@@ -22,17 +22,17 @@ expiration, and optionally to refresh it when expiration nears, it can - list the set of certificates that the service is already monitoring, or - it can list the set of CAs that the service is capable of using. - --If no command is given as the first command-line argument, --\fIcertmaster-getcert\fR will print short usage information for each of -+If no command is given as the first command\-line argument, -+\fIcertmaster\-getcert\fR will print short usage information for each of - its functions. - --The \fIcertmaster-getcert\fR tool behaves identically to the generic --\fIgetcert\fR tool when it is used with the \fB-c -+The \fIcertmaster\-getcert\fR tool behaves identically to the generic -+\fIgetcert\fR tool when it is used with the \fB\-c - \fI@CM_CERTMASTER_CA_NAME@\fR option. - - There is no standard authenticated method for obtaining the root certificate - from certmaster CAs, so \fBcertmonger\fR does not support retrieving trust --information from them. While the \fB-F\fR and \fB-a\fR options will still -+information from them. While the \fB\-F\fR and \fB\-a\fR options will still - be recognized, they will effectively be ignored. - - .SH BUGS -@@ -41,24 +41,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/certmonger-certmaster-submit.8.in b/src/certmonger-certmaster-submit.8.in -index aec8b83..e3e990f 100644 ---- a/src/certmonger-certmaster-submit.8.in -+++ b/src/certmonger-certmaster-submit.8.in -@@ -1,17 +1,17 @@ --.TH certmonger 8 "7 June 2010" "certmonger Manual" -+.TH CERTMONGER 8 "June 7, 2010" "certmonger Manual" - - .SH NAME --certmaster-submit -+certmaster\-submit - - .SH SYNOPSIS --certmaster-submit [-h serverHost] [-c cafile] [-C capath] [csrfile] -+certmaster\-submit [\-h HOST] [\-c FILE] [\-C DIR] [\-v] [csrfile] - - .SH DESCRIPTION --\fIcertmaster-submit\fR is the helper which \fIcertmonger\fR uses to make --requests to certmaster-based CAs. It is not normally run interactively, -+\fIcertmaster\-submit\fR is the helper which \fIcertmonger\fR uses to make -+requests to certmaster\-based CAs. It is not normally run interactively, - but it can be for troubleshooting purposes. The signing request which is - to be submitted should either be in a file whose name is given as an argument, --or fed into \fIcertmaster-submit\fR via stdin. -+or fed into \fIcertmaster\-submit\fR via stdin. - - There is no standard authenticated method for obtaining the root certificate - from certmaster CAs, so \fBcertmonger\fR does not support retrieving trust -@@ -19,21 +19,24 @@ information from them. - - .SH OPTIONS - .TP --\fB\-h\fR serverHost -+\fB\-h\fR \fIHOST\fR, \fB\-\-server\-host\fR=\fIHOST\fR - Submit the request to the certmaster instance running on the named host. The - default is \fIlocalhost:51235\fR if a file named \fB/var/run/certmaster.pid\fR - is found on the local system, and is read from \fB/etc/certmaster/minion.conf\fR - if that file is not found. - .TP --\fB\-c\fR cafile -+\fB\-c\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR - Submit the request over HTTPS instead of HTTP, and only trust the server - if its certificate was issued by the CA whose certificate is in the named file. - .TP --\fB\-C\fR capath -+\fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR - Submit the request over HTTPS instead of HTTP, and only trust the server - if its certificate was issued by a CA whose certificate is in a file in - the named directory. -- -+.TP -+\fB\-v\fR, \fB\-\-verbose\fR -+Be verbose about errors. Normally, the details of an error received from -+the daemon will be suppressed if the client can make a diagnostic suggestion. - .SH EXIT STATUS - .TP - 0 -@@ -73,22 +76,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in -index 84c8b0d..33e0648 100644 ---- a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in -+++ b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in -@@ -1,44 +1,51 @@ --.TH certmonger 8 "27 Oct 2015" "certmonger Manual" -+.TH CERTMONGER 8 "October 27, 2015" "certmonger Manual" - - .SH NAME --dogtag-ipa-renew-agent-submit -+dogtag\-ipa\-renew\-agent\-submit - - .SH SYNOPSIS --dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL --[-d dbdir] --[-n nickname] --[-i cainfo] --[-C capath] --[-c certfile] --[-k keyfile] --[-p pinfile] --[-P pin] --[-s serial (hex)] --[-D serial (decimal)] --[-S state] --[-T profile] --[-O param=value] --[-N | -R] --[-t] --[-o option=value] --[-v] -+dogtag\-ipa\-renew\-agent\-submit \-E EE\-URL \-A AGENT\-URL -+[\-d dbdir] -+[\-n nickname] -+[\-i cainfo] -+[\-C capath] -+[\-c certfile] -+[\-k keyfile] -+[\-p pinfile] -+[\-P pin] -+[\-s serial (hex)] -+[\-D serial (decimal)] -+[\-S state] -+[\-T profile] -+[\-O param=value] -+[\-N | \-R] -+[\-t] -+[\-o option=value] -+[\-a] -+[\-u uid] -+[\-U udn] -+[\-W pwd] -+[\-w pwdfile] -+[\-Y pin] -+[\-y pinfile] - [csrfile] - -+ - .SH DESCRIPTION --\fIdogtag-ipa-renew-agent-submit\fR is the helper which \fIcertmonger\fR uses -+\fIdogtag\-ipa\-renew\-agent\-submit\fR is the helper which \fIcertmonger\fR uses - to make certificate renewal requests to Dogtag instances running on IPA - servers. It is not normally run interactively, but it can be for - troubleshooting purposes. - --The preferred option is to request a renewal of an already-issued certificate, --using its serial number, which can be read from a PEM-formatted certificate -+The preferred option is to request a renewal of an already\-issued certificate, -+using its serial number, which can be read from a PEM\-formatted certificate - provided in the \fICERTMONGER_CERTIFICATE\fR environment variable, or via the --\fB-s\fR or \fB-D\fR option on the command line. If no serial number is -+\fB\-s\fR or \fB\-D\fR option on the command line. If no serial number is - provided, then the client will attempt to obtain a new certificate by - submitting a signing request to the CA. - - The signing request which is to be submitted should either be in a file whose --name is given as an argument, or fed into \fIdogtag-ipa-renew-agent-submit\fR -+name is given as an argument, or fed into \fIdogtag\-ipa\-renew\-agent\-submit\fR - via stdin. - - \fBcertmonger\fR does not yet support retrieving trust information from Dogtag -@@ -46,8 +53,8 @@ CAs. - - .SH OPTIONS - .TP --\fB\-E\fR EE-URL --The top-level URL for the end-entity interface provided by the CA. In IPA -+\fB\-E\fR \fIEE\-URL\fR, \fB\-\-ee\-url\fR=\fIEE\-URL\fR -+The top\-level URL for the end\-entity interface provided by the CA. In IPA - installations, this is typically - \fIhttp://\fBSERVER\fP:\fBEEPORT\fP/ca/ee/ca\fR. - If no URL is specified, the \fIhost\fR named in the \fI[global]\fR section in -@@ -58,8 +65,8 @@ and the value of \fBEEPORT\fR will be inferred based on the value of the - if \fIdogtag_version\fR is set to \fI10\fR or more, \fBEEPORT\fR will - be set to 8080. Otherwise it will be 9180. - .TP --\fB\-A\fR AGENT-URL --The top-level URL for the agent interface provided by the CA. In IPA -+\fB\-A\fR \fIAGENT\-URL\fR, \fB\-\-agent\-url\fR=\fIAGENT\-URL\fR -+The top\-level URL for the agent interface provided by the CA. In IPA - installations, this is typically - \fIhttps://\fBSERVER\fP:\fBAGENTPORT\fP/ca/agent/ca\fR. - If no URL is specified, the \fIhost\fR named in the \fI[global]\fR section in -@@ -70,96 +77,159 @@ and the value of \fBAGENTPORT\fR will be inferred based on the value of the - if \fIdogtag_version\fR is set to \fI10\fR or more, \fBAGENTPORT\fR will - be set to 8443. Otherwise it will be 9443. - .TP --\fB\-d\fR dbdir \fB\-n\fR nickname \fB\-c\fR certfile \fB\-k\fR keyfile --The location of the key and certificate which the client should use to --authenticate to the CA's agent interface. Exactly which values are --meaningful depend on which cryptography library your copy of libcurl was --linked with. -- --If none of these options are specified, and none of the \fB-p\fR, \fB-P\fR, --\fB-i\fR, nor \fB-C\fR options are specified, then this set of defaults is --used: -- \fB-i\fR \fI/etc/ipa/ca.crt\fR -- \fB-d\fR \fI/etc/httpd/alias\fR -- \fB-n\fR \fIipaCert\fR -- \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR --.TP --\fB\-p\fR pinfile --The name of a file which contains a PIN/password which will be needed in --order to make use of the agent credentials. -- --If this option is not specified, and none of the \fB-d\fR, \fB-n\fR, \fB-c\fR, --\fB-k\fR, \fB-P\fR, \fB-i\fR, nor \fB-C\fR options are specified, then this set --of defaults is used: -- \fB-i\fR \fI/etc/ipa/ca.crt\fR -- \fB-d\fR \fI/etc/httpd/alias\fR -- \fB-n\fR \fIipaCert\fR -- \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR --.TP --\fB\-i\fR cainfo \fB\-C\fR capath -+\fB\-i\fR \fIFILE\fB, \fB\-\-cafile\fR=\fIPATH\fR - The location of a file containing a copy of the CA's certificate, against which --the CA server's certificate will be verified, or a directory containing, among --other things, such a file. -- --If these options are not specified, and none of the \fB-d\fR, \fB-n\fR, --\fB-c\fR, \fB-k\fR, \fB-p\fR, nor \fB-P\fR options are specified, then this set --of defaults is used: -- \fB-i\fR \fI/etc/ipa/ca.crt\fR -- \fB-d\fR \fI/etc/httpd/alias\fR -- \fB-n\fR \fIipaCert\fR -- \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR --.TP --\fB-s\fR serial --The serial number of an already-issued certificate for which the client should --attempt to obtain a new certificate, in hexadecimal form, if one can not be -+the CA server's certificate will be verified. The default is -+\fB/etc/ipa/ca.crt\fR. -+.TP -+\fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR -+The location of a directory containing a copy of the CA's certificate, -+against which the CA server's certificate will be verified. -+.TP -+\fB\-s\fR \fINUMBER\fR, \fB\-\-hex\-serial\fR=\fINUMBER\fB -+The serial number of an already\-issued certificate for which the client should -+attempt to obtain a new certificate, in hexidecimal form, if one can not be - read from the \fICERTMONGER_CERTIFICATE\fR environment variable. - .TP --\fB-D\fR serial --The serial number of an already-issued certificate for which the client should -+\fB\-D\fR \fINUMBER\fR, \fB\-\-serial\fR=\fINUMBER\fB -+The serial number of an already\-issued certificate for which the client should - attempt to obtain a new certificate, in decimal form, if one can not be - read from the \fICERTMONGER_CERTIFICATE\fR environment variable. - .TP --\fB-S\fR state -+\fB\-S\fR \fISTATE\-VALUE\fR, \fB\-\-state\fR=\fISTATE\-VALUE\fR - A cookie value provided by a previous instance of this helper, if the helper --is being asked to continue a multi-step enrollment process. If the -+is being asked to continue a multi\-step enrollment process. If the - \fICERTMONGER_COOKIE\fR environment variable is set, its value is used. - .TP --\fB-T\fR profile/template -+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR - The name of the type of certificate which the client should request from the CA --if it is not renewing a certificate (per the \fB-s\fR option above). If the -+if it is not renewing a certificate (per the \fB\-s\fR option above). If the - \fICERTMONGER_CA_PROFILE\fR environment variable is set, its value is used. - Otherwise, the default value is \fBcaServerCert\fP. - .TP --\fB-O\fR param=value -+\fB\-t\fR, \fB\-\-profile\-list\fR -+Instead of attempting to obtain a new certificate, query the server for a list -+of the enabled enrollment profiles. -+.TP -+\fB\-O\fR \fIparam=value\fR, \fB\-\-approval\-option\fR=\fIparam=value\fR - An additional parameter to pass to the server when approving the signing --request using the agent's credentials. By default, any server-supplied default -+request using the agent's credentials. By default, any server\-supplied default - settings are applied. This option can be used either to override a --server-supplied default setting, or to supply one which would otherwise have -+server\-supplied default setting, or to supply one which would otherwise have - not been used. - .TP --\fB-N\fR --Even if an already-issued certificate is available in the -+\fB\-N\fR, \fB\-\-force\-new\fR -+Even if an already\-issued certificate is available in the - \fICERTMONGER_CERTIFICATE\fR environment variable, or a serial number has been - provided, don't attempt to renew a certificate using its serial number. - Instead, attempt to obtain a new certificate using the signing request. - The default behavior is to request a renewal if possible. - .TP --\fB-R\fR --Negates the effect of the \fB-N\fR flag. --.TP --\fB-t\fR --Instead of attempting to obtain a new certificate, query the server for a list --of the enabled enrollment profiles. -+\fB\-R\fR, \fB\-\-force\-renew\fR -+Negates the effect of the \fB\-N\fR flag. - .TP --\fB-o\fR param=value -+\fB\-o\fR \fIparam=value\fR, \fB\-\-submit\-option\fR=\fIparam=value\fR - When initially submitting a request to the CA, add the specified parameter and - value along with any request parameters which would otherwise be sent. This - option is not typically used. - .TP --\fB-v\fR -+\fB\-a\fR, \fB\-\-agent\-submit\fR -+Use agent credentials, specified using some combination of the \fB\-d\fR, -+\fB\-n\fR, \fB\-c\fR, and \fB\-k\fR flags, to authenticate to the CA when -+initially submitting a request to the CA or retrieving the list of enabled -+enrollment profiles. -+This is typically required when the enrollment profile being used uses -+\fIAgentCertAuth\fR\-based -+authentication, -+and requires that the URL specified using the \fB\-E\fR flag be an HTTPS URL, -+or when the URL specified using the \fB\-E\fR flag is an HTTPS URL. -+.TP -+\fB\-u username\fR, \fB\-\-uid\fR=\fIusername\fR -+When initially submitting a request to the CA, supply the specified value as a user name. -+This is typically required when the enrollment profile being used uses -+\fIUidPwdDirAuth\fR\-based or \fINISAuth\fR\-based -+authentication..TP -+\fB\-U\fR \fIuserdn\fR, \fB\-\-upn\fR=\fIuserdn\fR -+When initially submitting a request to the CA, supply the specified value as the DN -+(distinguished name) of the user's entry in a directory server which the CA is -+configured to use for checking the user's password. -+This is typically required when the enrollment profile being used uses -+\fIUdnPwdDirAuth\fR\-based -+authentication. -+.TP -+\fB\-W\fR \fIPASSWORD\fR, \fB\-\-userpwd\fR=\fIPASSWORD\fR -+When initially submitting a request to the CA, supply the specified value as the password -+for the user whose name is specified with the \fB\-u\fR option, or whose DN is -+specified with the \fB\-U\fR option. -+This is typically only required when the enrollment profile being used uses -+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based -+authentication. -+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value -+will not be encrypted. -+.TP -+\fB\-w\fR \fIFILE\fR, \fB\-\-userpwdfile\fR=\fIFILE\fR -+When initially submitting a request to the CA, read from the specified file a -+password to supply for the user whose name is specified with the \fB\-u\fR -+option, or whose DN is specified with the \fB\-U\fR option. -+This is typically only required when the enrollment profile being used uses -+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based -+authentication. -+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value -+will not be encrypted. -+.TP -+\fB\-Y\fR \fIPIN\fR, \fB\-\-userpin\fR=\fIPIN\fR -+When initially submitting a request to the CA, supply the specified value as the PIN -+for the user whose name is specified with the \fB\-u\fR option, or whose DN is -+specified with the \fB\-U\fR option. -+This is typically only required when the enrollment profile being used uses -+\fIUidPwdPinDirAuth\fR\-based -+authentication. -+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value -+will not be encrypted. -+\fB\-y\fR \fIFILE\fR, \fB\-\-userpinfile\fR=\fIFILE\fR -+When initially submitting a request to the CA, read from the specified file a -+PIN to supply for the user whose name is specified with the \fB\-u\fR -+option, or whose DN is specified with the \fB\-U\fR option. -+This is typically only required when the enrollment profile being used uses -+\fIUidPwdPinDirAuth\fR\-based -+authentication. If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value -+will not be encrypted. -+.TP -+\fB\-v\fR, \fB\-\-verbose\fR - Increases the logging level. Use twice for more logging. This option is mainly - useful for troubleshooting. -- -+.SH AGENT KEY AND CERTIFICATE OPTIONS -+Options that provide the location for the private key and public certificate -+which the client should use to authenticate to the CA's agent interface. -+The values to use depend on which cryptography library your copy of libcurl -+was linked with. -+.TP -+If none of these options are specified, and none of the \fB\-p\fR, \fB\-P\fR, \fB\-i\fR, nor \fB\-C\fR options are specified, then this set of defaults is used: -+ \fB\-i\fR \fI/etc/ipa/ca.crt\fR -+ \fB\-d\fR \fI/etc/httpd/alias\fR -+ \fB\-n\fR \fIipaCert\fR -+ \fB\-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR -+.TP -+\fB\-d\fR \fIdbdir\fR, \fB\-\-dbdir\fR=\fIdbdir\fR -+Use an NSS database in the specified directory for this certificate -+and key. Only valid with \-n. -+.TP -+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR -+Use the NSS key with this nickname. Only valid with \-d. -+.TP -+\fB\-c\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR -+The PEM file that contains the public certificate. Only valid with \-k. -+.TP -+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR -+The PEM file that contains the private certificate. Only valid with \-c. -+.TP -+\fB\-p\fR \fIFILE\fR, \fB\-\-sslpinfile\fR=\fIFILE\fR -+The name of a file which contains a PIN/password which will be needed in -+order to make use of the agent credentials. -+.TP -+\fB\-P\fR \fIPIN\fR, \fB\-\-sslpin\fR=\fIPIN\fR -+The name of a file which contains a PIN/password which will be needed in -+order to make use of the agent credentials. - .SH EXIT STATUS - .TP - 0 -@@ -189,7 +259,7 @@ pair. - .TP - .I /etc/ipa/default.conf - is the IPA client configuration file. This file is consulted to determine --the URL for the Dogtag server's end-entity and agent interfaces if they are -+the URL for the Dogtag server's end\-entity and agent interfaces if they are - not supplied as arguments. - - .SH BUGS -@@ -198,22 +268,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/certmonger-dogtag-submit.8.in b/src/certmonger-dogtag-submit.8.in -index 19ecab7..e92de67 100644 ---- a/src/certmonger-dogtag-submit.8.in -+++ b/src/certmonger-dogtag-submit.8.in -@@ -1,196 +1,214 @@ --.TH certmonger 8 "27 Oct 2015" "certmonger Manual" -+.TH CERTMONGER 8 "October 27, 2015" "certmonger Manual" - - .SH NAME --dogtag-submit -+dogtag\-submit - - .SH SYNOPSIS --dogtag-submit -E EE-URL -A AGENT-URL --[-d dbdir] --[-n nickname] --[-i cainfo] --[-C capath] --[-c certfile] --[-k keyfile] --[-p pinfile] --[-P pin] --[-s serial (hex)] --[-D serial (decimal)] --[-S state] --[-T profile] --[-O param=value] --[-N | -R] --[-t] --[-o option=value] --[-a ] --[-u username] --[-U userdn] --[-W userpassword] --[-w userpasswordfile] --[-Y userpin] --[-y userpinfile] --[-v] -+dogtag\-submit \-E EE\-URL \-A AGENT\-URL -+[\-d DIR] -+[\-n NAME] -+[\-i FILE] -+[\-C DIR] -+[\-c FILE] -+[\-k FILE] -+[\-p FILE] -+[\-P PIN] -+[\-s serial (hex)] -+[\-D serial (decimal)] -+[\-S state] -+[\-T profile] -+[\-O param=value] -+[\-N | \-R] -+[\-t] -+[\-o option=value] -+[\-a] -+[\-u username] -+[\-U userdn] -+[\-W PASSWORD] -+[\-w FILE] -+[\-Y PIN] -+[\-y FILE] -+[\-v] - [csrfile] - - .SH DESCRIPTION --\fIdogtag-submit\fR is the helper which \fIcertmonger\fR can use to make -+\fIdogtag\-submit\fR is the helper which \fIcertmonger\fR can use to make - certificate enrollment and renewal requests to Dogtag servers. It is not - normally run interactively, but it can be for troubleshooting purposes. - --The preferred option is to request a renewal of an already-issued certificate, --using its serial number, which can be read from a PEM-formatted certificate -+The preferred option is to request a renewal of an already\-issued certificate, -+using its serial number, which can be read from a PEM\-formatted certificate - provided in the \fICERTMONGER_CERTIFICATE\fR environment variable, or via the --\fB-s\fR or \fB-D\fR option on the command line. If no serial number is -+\fB\-s\fR or \fB\-D\fR option on the command line. If no serial number is - provided, then the client will attempt to obtain a new certificate by - submitting a signing request to the CA. - - The signing request which is to be submitted should either be in a file whose --name is given as an argument, or fed into \fIdogtag-submit\fR via stdin. -+name is given as an argument, or fed into \fIdogtag\-submit\fR via stdin. - - \fBcertmonger\fR does not yet support retrieving trust information from Dogtag - CAs. - - .SH OPTIONS - .TP --\fB\-E\fR EE-URL --The top-level URL for the end-entity interface provided by the CA, through -+\fB\-E\fR \fIEE\-URL\fR, \fB\-\-ee\-url\fR=\fIEE\-URL\fR -+The top\-level URL for the end\-entity interface provided by the CA, through - which the initial enrollment request will be submitted. This is typically - \fIhttp://\fBSERVER\fP:\fBEEPORT\fP/ca/ee/ca\fR. - .TP --\fB\-A\fR AGENT-URL --The top-level URL for the agent interface provided by the CA, through which the -+\fB\-A\fR \fIAGENT\-URL\fR, \fB\-\-agent\-url\fR=\fIAGENT\-URL\fR -+The top\-level URL for the agent interface provided by the CA, through which the - request can be approved using agent credentials. This is typically - \fIhttps://\fBSERVER\fP:\fBAGENTPORT\fP/ca/agent/ca\fR. - .TP --\fB\-d\fR dbdir \fB\-n\fR nickname \fB\-c\fR certfile \fB\-k\fR keyfile --The location of the key and certificate which the client should use to --authenticate to the CA's agent interface. Exactly which values are --meaningful depend on which cryptography library your copy of libcurl was --linked with. --.TP --\fB\-p\fR pinfile --The name of a file which contains a PIN/password which will be needed in --order to make use of the agent credentials. --.TP --\fB\-i\fR cainfo \fB\-C\fR capath -+\fB\-i\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR - The location of a file containing a copy of the CA's certificate, against which --the CA server's certificate will be verified, or a directory containing, among --other things, such a file. -+the CA server's certificate will be verified. - .TP --\fB-s\fR serial --The serial number of an already-issued certificate for which the client should --attempt to obtain a new certificate, in hexadecimal form, if one can not be --read from the \fICERTMONGER_CERTIFICATE\fR environment variable. -+\fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR -+The location of a directory containing a copy of the CA's certificate(s), -+against which the CA server's certificate will be verified. - .TP --\fB-D\fR serial --The serial number of an already-issued certificate for which the client should -+\fB\-D\fR \fISERIAL\fR, \fB\-\-serial\fR=\fISERIAL\fR -+The serial number of an already\-issued certificate for which the client should - attempt to obtain a new certificate, in decimal form, if one can not be - read from the \fICERTMONGER_CERTIFICATE\fR environment variable. - .TP --\fB-S\fR state -+\fB\-s\fR SERIAL, \fB\-\-hex\-serial\fB=\fISERIAL\fR -+The serial number of an already\-issued certificate for which the client should -+attempt to obtain a new certificate, in hexadecimal form, if one can not be -+read from the \fICERTMONGER_CERTIFICATE\fR environment variable. -+.TP -+\fB\-S\fR \fISTATE\fR, \fB\-\-state\fR=\fISTATE\fR - A cookie value provided by a previous instance of this helper, if the helper --is being asked to continue a multi-step enrollment process. If the -+is being asked to continue a multi\-step enrollment process. If the - \fICERTMONGER_COOKIE\fR environment variable is set, its value is used. - .TP --\fB-T\fR profile/template -+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR - The name of the type of certificate which the client should request from the CA --if it is not renewing a certificate (per the \fB-s\fR option above). If the -+if it is not renewing a certificate (per the \fB\-s\fR option above). If the - \fICERTMONGER_CA_PROFILE\fR environment variable is set, its value is used. - Otherwise, the default value is \fBcaServerCert\fP. - .TP --\fB-O\fR param=value -+\fB\-O\fR \fIparam=value\fR, \fB\-\-approval\-options\fR=\fIparam=value\fR - An additional parameter to pass to the server when approving the signing --request using agent credentials. By default, any server-supplied default -+request using agent credentials. By default, any server\-supplied default - settings are applied. This option can be used either to override a --server-supplied default setting, or to supply one which would otherwise have --not been used. Requires the \fB-A\fR option. -+server\-supplied default setting, or to supply one which would otherwise have -+not been used. Requires the \fB\-A\fR option. - .TP --\fB-N\fR --Even if an already-issued certificate is available in the -+\fB\-N\fR, \fB\-\-force\-new\fR -+Even if an already\-issued certificate is available in the - \fICERTMONGER_CERTIFICATE\fR environment variable, or a serial number has been - provided, don't attempt to renew a certificate using its serial number. - Instead, attempt to obtain a new certificate using the signing request. - The default behavior is to request a renewal if possible. - .TP --\fB-R\fR --Negates the effect of the \fB-N\fR flag. -+\fB\-R\fR, \fB\-\-force\-renew\fR -+Negates the effect of the \fB\-N\fR flag. - .TP --\fB-t\fR -+\fB\-t\fR, \fB\-\-profile\-list\fR - Instead of attempting to obtain a new certificate, query the server for a list - of the enabled enrollment profiles. - .TP --\fB-o\fR param=value -+\fB\-o\fR \fIparam=value\fR, \fB\-\-submit\-option\fR=\fIparam=value\fR - When initially submitting a request to the CA, add the specified parameter and - value along with any request parameters which would otherwise be sent. - .TP --\fB-a\fR -+\fB\-a\fR, \fB\-\-agent\-submit\fR - Use agent credentials, specified using some combination of the \fB\-d\fR, - \fB\-n\fR, \fB\-c\fR, and \fB\-k\fR flags, to authenticate to the CA when - initially submitting a request to the CA or retrieving the list of enabled - enrollment profiles. - This is typically required when the enrollment profile being used uses --\fIAgentCertAuth\fR-based -+\fIAgentCertAuth\fR\-based - authentication, --and requires that the URL specified using the \fB-E\fR flag be an HTTPS URL, --or when the URL specified using the \fB-E\fR flag is an HTTPS URL. -+and requires that the URL specified using the \fB\-E\fR flag be an HTTPS URL, -+or when the URL specified using the \fB\-E\fR flag is an HTTPS URL. - .TP --\fB-u username\fR -+\fB\-u username\fR, \fB\-\-uid\fR=\fIusername\fR - When initially submitting a request to the CA, supply the specified value as a user name. - This is typically required when the enrollment profile being used uses --\fIUidPwdDirAuth\fR-based or \fINISAuth\fR-based -+\fIUidPwdDirAuth\fR\-based or \fINISAuth\fR\-based - authentication. - .TP --\fB-U userdn\fR -+\fB\-U\fR \fIuserdn\fR, \fB\-\-upn\fR=\fIuserdn\fR - When initially submitting a request to the CA, supply the specified value as the DN - (distinguished name) of the user's entry in a directory server which the CA is - configured to use for checking the user's password. - This is typically required when the enrollment profile being used uses --\fIUdnPwdDirAuth\fR-based -+\fIUdnPwdDirAuth\fR\-based - authentication. - .TP --\fB-W userpassword\fR -+\fB\-W\fR \fIPASSWORD\fR, \fB\-\-userpwd\fR=\fIPASSWORD\fR - When initially submitting a request to the CA, supply the specified value as the password --for the user whose name is specified with the \fB-u\fR option, or whose DN is --specified with the \fB-U\fR option. -+for the user whose name is specified with the \fB\-u\fR option, or whose DN is -+specified with the \fB\-U\fR option. - This is typically only required when the enrollment profile being used uses --\fIUidPwdDirAuth\fR-based, \fIUserPwdDirAuth\fR-based, or \fINISAuth\fR-based -+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based - authentication. --If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value -+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value - will not be encrypted. - .TP --\fB-w userpasswordfile\fR -+\fB\-w\fR \fIFILE\fR, \fB\-\-userpwdfile\fR=\fIFILE\fR - When initially submitting a request to the CA, read from the specified file a --password to supply for the user whose name is specified with the \fB-u\fR --option, or whose DN is specified with the \fB-U\fR option. -+password to supply for the user whose name is specified with the \fB\-u\fR -+option, or whose DN is specified with the \fB\-U\fR option. - This is typically only required when the enrollment profile being used uses --\fIUidPwdDirAuth\fR-based, \fIUserPwdDirAuth\fR-based, or \fINISAuth\fR-based -+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based - authentication. --If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value -+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value - will not be encrypted. - .TP --\fB-Y userpin\fR -+\fB\-Y\fR \fIPIN\fR, \fB\-\-userpin\fR=\fIPIN\fR - When initially submitting a request to the CA, supply the specified value as the PIN --for the user whose name is specified with the \fB-u\fR option, or whose DN is --specified with the \fB-U\fR option. -+for the user whose name is specified with the \fB\-u\fR option, or whose DN is -+specified with the \fB\-U\fR option. - This is typically only required when the enrollment profile being used uses --\fIUidPwdPinDirAuth\fR-based -+\fIUidPwdPinDirAuth\fR\-based - authentication. --If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value -+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value - will not be encrypted. - .TP --\fB-y userpinfile\fR -+\fB\-y\fR \fIFILE\fR, \fB\-\-userpinfile\fR=\fIFILE\fR - When initially submitting a request to the CA, read from the specified file a --PIN to supply for the user whose name is specified with the \fB-u\fR --option, or whose DN is specified with the \fB-U\fR option. -+PIN to supply for the user whose name is specified with the \fB\-u\fR -+option, or whose DN is specified with the \fB\-U\fR option. - This is typically only required when the enrollment profile being used uses --\fIUidPwdPinDirAuth\fR-based -+\fIUidPwdPinDirAuth\fR\-based - authentication. --If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value -+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value - will not be encrypted. - .TP --\fB-v\fR -+\fB\-v\fR, \fB\-\-verbose\fR - Increases the logging level. Use twice for more logging. This option is mainly - useful for troubleshooting. -- -+.SH AGENT KEY AND CERTIFICATE OPTIONS -+Options that provide the location for the private key and public certificate -+which the client should use to authenticate to the CA's agent interface. -+The values to use depend on which cryptography library your copy of libcurl -+was linked with. -+.TP -+\fB\-d\fR \fIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR -+Use an NSS database in the specified directory for this certificate -+and key. Only valid with \-n. -+.TP -+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR -+Use the NSS key with this nickname. Only valid with \-d. -+.TP -+\fB\-c\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR -+The PEM file that contains the public certificate. Only valid with \-k. -+.TP -+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR -+The PEM file that contains the private certificate. Only valid with \-c. -+.TP -+\fB\-p\fR \fIFILE\fR, \fB\-\-sslpinfile\fR=\fIFILE\fR -+The name of a file which contains a PIN/password which will be needed in -+order to make use of the agent credentials. -+.TP -+\fB\-P\fR \fIPIN\fR, \fB\-\-sslpin\fR=\fIPIN\fR -+The name of a file which contains a PIN/password which will be needed in -+order to make use of the agent credentials. - .SH EXIT STATUS - .TP - 0 -@@ -222,22 +240,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/certmonger-ipa-submit.8.in b/src/certmonger-ipa-submit.8.in -index 7915142..0e1c90f 100644 ---- a/src/certmonger-ipa-submit.8.in -+++ b/src/certmonger-ipa-submit.8.in -@@ -1,21 +1,23 @@ --.TH certmonger 8 "16 April 2015" "certmonger Manual" -+.TH CERTMONGER 8 "April 16, 2015" "certmonger Manual" - - .SH NAME --ipa-submit -+ipa\-submit - - .SH SYNOPSIS --ipa-submit [-h serverHost] [-H serverURL] [-c cafile] [-C capath] --[[-K] | [-t keytab] [-k submitterPrincipal]] [-P principalOfRequest] [-T profile] [csrfile] -+ipa\-submit [\-h serverHost] [\-H serverURL] [\-d domain] [\-L ldapurl] [\-b basedn] -+[\-c cafile] [\-C capath] [[\-K] | [\-t keytab] [\-k submitterPrincipal]] -+[\-u UID] [\-W PASSWORD] [\-w FILE] [\-P principalOfRequest] [\-T profile] -+[\-X issuer] [csrfile] - - .SH DESCRIPTION --\fIipa-submit\fR is the helper which \fIcertmonger\fR uses to make --requests to IPA-based CAs. It is not normally run interactively, -+\fIipa\-submit\fR is the helper which \fIcertmonger\fR uses to make -+requests to IPA\-based CAs. It is not normally run interactively, - but it can be for troubleshooting purposes. The signing request which is - to be submitted should either be in a file whose name is given as an argument, --or fed into \fIipa-submit\fR via stdin. -+or fed into \fIipa\-submit\fR via stdin. - - \fBcertmonger\fR supports retrieving trusted certificates from IPA CAs. See --\fBgetcert-request\fR(1) and \fBgetcert-resubmit\fR(1) for information about -+\fBgetcert\-request\fR(1) and \fBgetcert\-resubmit\fR(1) for information about - specifying where those certificates should be stored on the local system. - Trusted certificates are retrieved from the \fBcaCertificate\fR attribute of - entries present at and below \fIcn=cacert,cn=ipa,cn=etc,\fR$BASE in the IPA -@@ -24,27 +26,27 @@ LDAP server's directory tree, where $BASE defaults to the value of the - - .SH OPTIONS - .TP --\fB\-P\fR csrPrincipal -+\fB\-P\fR \fIPRINCIPAL\fR, \fB\-\-principal\-of\-request\fR=\fIPRINCIPAL\fR - Identifies the principal name of the service for which the certificate is being - issued. This setting is required by IPA and must always be specified. - .TP --\fB\-X\fR issuer -+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fB=\fINAME\fR - Requests that the certificate be processed by the specified certificate issuer. - By default, if this flag is not specified, and the \fBCERTMONGER_CA_ISSUER\fR - variable is set in the environment, then the value of the environment variable - will be used. This setting is optional, and if a server returns error 3005, - indicating that it does not understand multiple profiles, the request will be --re-submitted without specifying an issuer name. -+re\-submitted without specifying an issuer name. - .TP --\fB\-T\fR profile -+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR - Requests that the certificate be processed using the specified certificate profile. - By default, if this flag is not specified, and the \fBCERTMONGER_CA_PROFILE\fR - variable is set in the environment, then the value of the environment variable - will be used. This setting is optional, and if a server returns error 3005, - indicating that it does not understand multiple profiles, the request will be --re-submitted without specifying a profile. -+re\-submitted without specifying a profile. - .TP --\fB\-h\fR serverHost -+\fB\-h\fR \fIHOSTNAME\fR, \fB\-\-host\fR=\fIHOSTNAME\fR - Submit the request to the IPA server running on the named host. The default is - to read the location of the host from \fB/etc/ipa/default.conf\fR. - If no server is configured, or the configured server cannot be reached, the -@@ -53,7 +55,7 @@ domain. If servers are found, they will be searched for entries pointing to - IPA masters running the "CA" service, and the client will attempt to contact - each of those in turn. - .TP --\fB\-H\fR serverURL -+\fB\-H\fR \fIURL\fR, \fB\-\-xmlrpc\-url\fR=\fIURL\fR - Submit the request to the IPA server at the specified location. The default is - to read the location of the host from \fB/etc/ipa/default.conf\fR. - If no server is configured, or the configured server cannot be reached, the -@@ -62,49 +64,64 @@ domain. If servers are found, they will be searched for entries pointing to - IPA masters running the "CA" service, and the client will attempt to contact - each of those in turn. - .TP --\fB\-c\fR cafile -+\fB\-L\fR \fIURL\fR, \fB\-\-ldap\-url\fR=\fIURL\fR -+Provide the IPA LDAP service location rather than using DNS discovery. -+The default is to read the location of the host from -+\fB/etc/ipa/default.conf\fR and use DNS discovery to find the set of -+_ldap._tcp.DOMAIN values and pick one for use. -+.TP -+\fB\-d\fR \fIDOMAIN\fR, \fB\-\-domain\fR=\fIDOMAIN\fR -+Use this domain when doing DNS discovery to locate LDAP servers for the IPA -+installation. The default is to read the location of the host from -+\fB/etc/ipa/default.conf\fR. -+.TP -+\fB\-b\fR \fIBASEDN\fR, \fB\-\-basedn\fR=\fIBASEDN\fR -+Use this basedn to search for an IPA installation in LDAP. The default is to -+read the location of the host from \fB/etc/ipa/default.conf\fR. -+.TP -+\fB\-c\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR - The server's certificate was issued by the CA whose certificate is in the named - file. The default value is \fI/etc/ipa/ca.crt\fR. - .TP --\fB\-C\fR capath -+\fB\-C\fR \fIPATH\fR, \fB\-\-capath\fR=\fIDIR\fR - Trust the server if its certificate was issued by a CA whose certificate is in - a file in the named directory. There is no default for this option, and it - is not expected to be necessary. - .TP --\fB\-t\fR keytab -+\fB\-t\fR \fIKEYTAB\fR, \fB\-\-keytab\fR=\fIKEYTAB\fR - Authenticate to the IPA server using Kerberos with credentials derived from - keys stored in the named keytab. The default value can vary, but it is usually - \fI/etc/krb5.keytab\fR. --This option conflicts with the \fB-K\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR -+This option conflicts with the \fB\-K\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR - options. - .TP --\fB\-k\fR authPrincipal -+\fB\-k\fR \fIPRINCIPAL\fR, \fB\-\-submitter\-principal\fR=\fIPRINCIPAL\fR - Authenticate to the IPA server using Kerberos with credentials derived from - keys stored in the named keytab for this principal name. The default value is - the \fBhost\fR service for the local host in the local realm. --This option conflicts with the \fB-K\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR -+This option conflicts with the \fB\-K\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR - options. - .TP --\fB\-K\fR -+\fB\-K\fR, \fB\-\-use\-ccache\-creds\fR - Authenticate to the IPA server using Kerberos with credentials derived from the - default credential cache rather than a keytab. --This option conflicts with the \fB-k\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR -+This option conflicts with the \fB\-k\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR - options. - .TP --\fB\-u\fR uid -+\fB\-u\fR \fIUSERNAME\fR, \fB\-\-uid\fR=\fIUSERNAME\fR - Authenticate to the IPA server using a user name and password, using the - specified value as the user name. --This option conflicts with the \fB-k\fR, \fB-K\fR, and \fB-t\fR options. -+This option conflicts with the \fB\-k\fR, \fB\-K\fR, and \fB\-t\fR options. - .TP --\fB\-W\fR pwd -+\fB\-W\fR \fIPASSWORD\fR, \fB\-\-pwd\fR=\fIPASSWORD\fR - Authenticate to the IPA server using a user name and password, using the - specified value as the password. --This option conflicts with the \fB-k\fR, \fB-K\fR, \fB-t\fR, and \fB-w\fR options. -+This option conflicts with the \fB\-k\fR, \fB\-K\fR, \fB\-t\fR, and \fB\-w\fR options. - .TP --\fB\-w\fR pwdfile -+\fB\-w\fR \fIFILE\fR, \fB\-\-pwdfile\fR=\fIFILE\fR - Authenticate to the IPA server using a user name and password, reading the - password from the specified file. --This option conflicts with the \fB-k\fR, \fB-K\fR, \fB-t\fR, and \fB-W\fR options. -+This option conflicts with the \fB\-k\fR, \fB\-K\fR, \fB\-t\fR, and \fB\-W\fR options. - - .SH EXIT STATUS - .TP -@@ -131,7 +148,7 @@ pair. - .TP - .I /etc/ipa/default.conf - is the IPA client configuration file. This file is consulted to determine --the URL for the IPA server's XML-RPC interface. -+the URL for the IPA server's XML\-RPC interface. - - .SH BUGS - Please file tickets for any that you find at https://fedorahosted.org/certmonger/ -@@ -139,23 +156,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/certmonger-local-submit.8.in b/src/certmonger-local-submit.8.in -index 59ed245..b68ffc3 100644 ---- a/src/certmonger-local-submit.8.in -+++ b/src/certmonger-local-submit.8.in -@@ -1,35 +1,35 @@ --.TH certmonger 8 "7 June 2014" "certmonger Manual" -+.TH CERTMONGER 8 "June 7, 2014" "certmonger Manual" - - .SH NAME --local-submit -+local\-submit - - .SH SYNOPSIS --local-submit [-d state-directory] [-v] [csrfile] -+local\-submit [\-d state\-directory] [\-v] [csrfile] - - .SH DESCRIPTION --\fIlocal-submit\fR is the helper which \fIcertmonger\fR uses to implement -+\fIlocal\-submit\fR is the helper which \fIcertmonger\fR uses to implement - its local signer. It is not normally run interactively, but it can be for - troubleshooting purposes. The signing request which is to be submitted - should either be in a file whose name is given as an argument, or fed into --\fIlocal-submit\fR via stdin. -+\fIlocal\-submit\fR via stdin. - --The local signer is currently hard-coded to generate and use a --@CM_DEFAULT_PUBKEY_SIZE@-bit RSA key and a name and initial serial number based -+The local signer is currently hard\-coded to generate and use a -+@CM_DEFAULT_PUBKEY_SIZE@\-bit RSA key and a name and initial serial number based - on a UUID, replacing that key and certificate at roughly the midpoint of their - useful lifetime. - --\fBcertmonger\fR supports retrieving the list of current and previously-used --local CA certificates. See \fBgetcert-request\fR(1) and --\fBgetcert-resubmit\fR(1) for information about specifying where those -+\fBcertmonger\fR supports retrieving the list of current and previously\-used -+local CA certificates. See \fBgetcert\-request\fR(1) and -+\fBgetcert\-resubmit\fR(1) for information about specifying where those - certificates should be stored. - - .SH OPTIONS - .TP --\fB\-d\fR state-directory -+\fB\-d\fR \fIDIR\fR, \fB\-\-ca\-data\-directory\fR=\fIDIR\fR - Identifies the directory which contains the local signer's private key, - certificates, and other data used by the local signer. - .TP --\fB\-v\fR -+\fB\-v\fR, \fB\-\-verbose\fR - Increases the verbosity of the tool's diagnostic logging. - - .SH EXIT STATUS -@@ -47,7 +47,7 @@ if critical configuration information is missing. An error message may be print - .TP - .I creds - is currently a PKCS#12 bundle containing the local signer's current signing key --and current and previously-used signer certificates. It should not be modified -+and current and previously\-used signer certificates. It should not be modified - except by the local signer. A new key is currently generated when ever a new - signer certificate is needed. - .TP -@@ -61,22 +61,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in -index 42ffcd6..5b8b917 100644 ---- a/src/certmonger-scep-submit.8.in -+++ b/src/certmonger-scep-submit.8.in -@@ -1,98 +1,98 @@ --.TH certmonger 8 "20 June 2015" "certmonger Manual" -+.TH CERTMONGER 8 "June 20, 2015" "certmonger Manual" - - .SH NAME --scep-submit -+scep\-submit - - .SH SYNOPSIS --scep-submit -u SERVER-URL --[-r ra-cert-file] --[-R ca-cert-file] --[-I other-certs-file] --[-N ca-cert-file] --[-i ca-identifier] --[-v] --[-n] --[-c|-C|-g|-p] --[pkimessage-filename] -+scep\-submit \-u SERVER\-URL -+[\-r ra\-cert\-file] -+[\-R ca\-cert\-file] -+[\-I other\-certs\-file] -+[\-N ca\-cert\-file] -+[\-i ca\-identifier] -+[\-v] -+[\-n] -+[\-c|\-C|\-g|\-p] -+[pkimessage\-filename] - - .SH DESCRIPTION --\fIscep-submit\fR is the helper which \fIcertmonger\fR can use to -+\fIscep\-submit\fR is the helper which \fIcertmonger\fR can use to - transmit certificate enrollment and renewal requests to servers using - SCEP. It is not normally run interactively, but it can be for - troubleshooting purposes. - --The request which is to be submitted should be a PEM-encoded SCEP -+The request which is to be submitted should be a PEM\-encoded SCEP - pkiMessage either in a file whose name is given as an argument, or fed --into \fIscep-submit\fR via stdin. -+into \fIscep\-submit\fR via stdin. - - .SH MODES - .TP --\fB\-c\fR -+\fB\-c\fR, \fR\-\-retrieve\-ca\-capabilities\fR - \fIscep-submit\fR will issue a \fIGetCACaps\fR request to the server and - print the results. - .TP --\fB\-C\fR --\fIscep-submit\fR will issue \fIGetCACert\fR and \fIGetCAChain\fR --requests to the server, parse the responses, and then print, in order, -+\fB\-C\fR, \fR\-\-retrieve\-ca\-certificates\fR -+\fIscep-submit\fR will issue a \fIGetCACert\fR -+request to the server, parse the response, and then print, in order, - the RA certificate, the CA certificate, and any additional certificates. - .TP --\fB\-p\fR --\fIscep-submit\fR will issue a \fIPKIOperation\fR request to the server --using the passed-in message as the message content. It will parse the -+\fB\-p\fR, \fB\-\-pki\-message\fR -+\fIscep\-submit\fR will issue a \fIPKIOperation\fR request to the server -+using the passed\-in message as the message content. It will parse the - server's response, verify the signature, and if the response includes an - issued certificate, it will output the \fIpkcsPKIEnvelope\fR in PEM - format. If the response indicates an error, it will print the error. - .TP --\fB\-g\fR --\fIscep-submit\fR will issue a \fIPKIOperation\fR request to the server --using the passed-in message as the message content. It will parse the -+\fB\-g\fR, \fB\-\-get\-initial\-cert\fR -+\fIscep\-submit\fR will issue a \fIPKIOperation\fR request to the server -+using the passed\-in message as the message content. It will parse the - server's response, verify the signature, and if the response includes an - issued certificate, it will output the \fIpkcsPKIEnvelope\fR in PEM - format. If the response indicates an error, it will print the error. - .SH OPTIONS - .TP --\fB\-u\fR SERVER-URL -+\fB\-u\fR \fIURL\fR, \fB\-\-url\fR=\fIURL\fR - The location of the SCEP interface provided by the CA. This is --typically \fIhttp://\fBSERVER\fP/cgi-bin/PKICLIENT.EXE\fR or -+typically \fIhttp://\fBSERVER\fP/cgi\-bin/PKICLIENT.EXE\fR or - \fIhttp://\fBSERVER\fP/certsrv/mscep/mscep.dll\fR. This option is - always required. - .TP --\fB\-R\fR CA-certificate-file -+\fB\-R\fR \fIFILE\fR, \fB\-\-cacert\fR=\fIFILE\fR - The location of the CA certificate which was used to issue the SCEP web - server's certificate in PEM form. If the URL specified with the --\fB-u\fR option is an \fIhttps\fR URL, then this option is required. -+\fB\-u\fR option is an \fIhttps\fR URL, then this option is required. - .TP --\fB\-N\fR ca-certificate-file --The location of a PEM-formatted copy of the SCEP server's CA certificate. -+\fB\-N\fR \fIFILE\fR, \fB\-\-signingca\fR=\fIFILE\fR -+The location of a PEM\-formatted copy of the SCEP server's CA certificate. - A discovered value is normally supplied by the certmonger daemon, but one can - be specified for troubleshooting purposes. - .TP --\fB\-r\fR RA-certificate-file -+\fB\-r\fR \fIFILE\fR, \fB\-\-racert\fR=\fIFILE\fR - The location of the SCEP server's RA certificate, which is expected to - be used for signing responses sent by the SCEP server back to the --client. This option is required when either the \fB-g\fR flag or the --\fB-p\fR flag is specified. -+client. This option is required when either the \fB\-g\fR flag or the -+\fB\-p\fR flag is specified. - .TP --\fB\-I\fR other-certificates-file --The location of a file containing other PEM-formatted certificates which -+\fB\-I\fR \fIFILE\fR, \fB\-\-other\-certs\fR=\fIFILE\fR -+The location of a file containing other PEM\-formatted certificates which - may be needed in order to properly verify signed responses sent by the - SCEP server back to the client. This option may be necessary when --either the \fB-g\fR flag or the \fB-p\fR flag is specified. -+either the \fB\-g\fR flag or the \fB\-p\fR flag is specified. - .TP --\fB\-i\fR ca-identifier --When called with the \fB-c\fR or \fB-C\fR flag, this option can be used to -+\fB\-i\fR \fINAME\fR, \fB\-\-ca\-identifier\fR=\fINAME\fR -+When called with the \fB\-c\fR or \fB\-C\fR flag, this option can be used to - specify the CA identifier which is passed to the server as part of the client's - request. The default is "0". - .TP --\fB\-n\fR --The SCEP Renewal feature allows a client with a previously-issued certificate -+\fB\-n\fR, \fB\-\-non\-renewal\fR -+The SCEP Renewal feature allows a client with a previously\-issued certificate - to use that certificate and the associated private key to request a new - certificate for a different key pair, and can be used to support - \fIcertmonger\fR's rekeying feature if the SCEP server advertises support for --it. This option forces the \fIscep-submit\fR helper to prefer to issue -+it. This option forces the \fIscep\-submit\fR helper to prefer to issue - requests which do not make use of this feature. - .TP --\fB-v\fR -+\fB-v\fR, \fB\-\-verbose\fR - Increases the logging level. Use twice for more logging. This option - is mainly useful for troubleshooting. - -@@ -100,7 +100,7 @@ is mainly useful for troubleshooting. - .TP - 0 - if the certificate was issued. The pkcsPKIEnvelope will be printed in --PEM-encoded form. -+PEM\-encoded form. - .TP - 1 - if the CA is still thinking. A cookie (state) value will be printed. -@@ -131,22 +131,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/certmonger.8.in b/src/certmonger.8.in -index 8c00d5a..a726e3b 100644 ---- a/src/certmonger.8.in -+++ b/src/certmonger.8.in -@@ -1,14 +1,14 @@ --.TH certmonger 8 "14 June 2015" "certmonger Manual" -+.TH CERTMONGER 8 "June 14, 2015" "certmonger Manual" - - .SH NAME - certmonger - - .SH SYNOPSIS --certmonger [-s|-S] [-L|-l] [-P SOCKET] [-b TIMEOUT|-B] [-n|-f] [-d LEVEL] [-p FILE] [-F] [-c cmd] [-v] -+certmonger [\-s|\-S] [\-L|\-l] [\-P PATH] [\-b TIMEOUT|\-B] [\-n|\-f] [\-d LEVEL] [\-p FILE] [\-F] [\-c command] [\-v] - - .SH DESCRIPTION - The \fIcertmonger\fR daemon monitors certificates for impending --expiration, and can optionally refresh soon-to-be-expired certificates -+expiration, and can optionally refresh soon\-to\-be\-expired certificates - with the help of a CA. If told to, it can drive the entire enrollment - process from key generation through enrollment and refresh. - -@@ -17,58 +17,58 @@ service, with which client tools such as \fBgetcert\fR(1) interact. - - .SH OPTIONS - .TP ---s -+\fB\-s\fR, \fB\-\-session\fR - Listen on the session bus rather than the system bus. - .TP ---S -+\fB\-S\fR, \fB\-\-system\fR - Listen on the system bus rather than the session bus. This is the default. - .TP ---l -+\fB\-l\fR, \fB\-\-listening\-socket\fR - Also listen on a private socket for connections from clients running under the - same UID. - .TP ---L -+\fB\-L\fR, \fB\-\-only\-listening\-socket\fR - Listen only on a private socket for connections from clients running under the - same UID, and skip connecting to a bus. - .TP ---P -+\fB\-P\fR \fIPATH\fR, \fB\-\-listening\-socket\-path\fR=\fIPATH\fR - Specify a location for the private listening socket. If the location beings - with a '/' character, it will be prefixed with 'unix:path=', otherwise it will - be prefixed with 'unix:'. If this option is not specified, the listening - socket, if one is created, will be placed in the abstract namespace. - .TP ---b TIMEOUT --Behave as a bus-activated service: if there are no certificates to be monitored -+\fB\-b \fITIMEOUT\fR, \fR\-\-bus\-activation\-timeout\fB=\fITIMEOUT\fR -+Behave as a bus\-activated service: if there are no certificates to be monitored - or obtained, and no requests are received within TIMEOUT seconds, exit. Not --compatible with the -c option. -+compatible with the \-c option. - .TP ---B --Don't behave as a bus-activated service. This is the default. -+\fB\-B\fR, \fB\-\-no\-bus\-activation\-timeout\fR -+Don't behave as a bus\-activated service. This is the default. - .TP ---n -+\fB\-n\fR, \fB\-\-nofork\fR - Don't fork, and log messages to stderr rather than syslog. - .TP ---f -+\fB\-f\fR, \fB\-\-fork\fR - Do fork, and log messages to syslog rather than stderr. This is the default. - .TP ---d LEVEL --Set debugging level. Higher values produce more debugging output. Implies -n. -+\fB\-d\fR \fILEVEL\fR, \fB\-\-debug\-level\fR=\fILEVEL\fR -+Set debugging level. Higher values produce more debugging output. Implies \-n. - .TP ---p FILE -+\fB\-p\fR \fIFILE\fR, \fBpidfile\fR=\fIFILE\fR - Store the daemon's process ID in the named file. - .TP ---F -+\fB\-F\fR, \fB\-\-fips\fR - Force NSS to be initialized in FIPS mode. The default behavior is to heed - the setting stored in \fI/proc/sys/crypto/fips_enabled\fR. - .TP ---c cmd -+\fB\-c\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR - After the service has initialized, run the specified command, then shut down --the service after the command exits. If the -l or -L option was also -+the service after the command exits. If the \-l or \-L option was also - specified, the command will be run with the \fI@CERTMONGER_PVT_ADDRESS_ENV@\fR - environment variable set to the listening socket's location. Not compatible --with the -b option. -+with the \-b option. - .TP ---v -+\fB\-v\fR, \fB\-\-version\fR - Print version information and exit. - - .SH FILES -@@ -89,24 +89,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - - .SH SEE ALSO - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in -index 241f48b..80de748 100644 ---- a/src/certmonger.conf.5.in -+++ b/src/certmonger.conf.5.in -@@ -1,18 +1,18 @@ --.TH certmonger.conf 5 "12 May 2015" "certmonger Manual" -+.TH CERTMONGER 5 "May 12, 2015" "certmonger Manual" - - .SH NAME --certmonger.conf - configuration file for certmonger -+certmonger.conf \- configuration file for certmonger - - .SH DESCRIPTION - The \fIcertmonger.conf\fR file contains default settings used by certmonger. --Its format is more or less that of a typical INI-style file. The only sections -+Its format is more or less that of a typical INI\-style file. The only sections - currently of note are named \fIdefaults\fR and \fIselfsign\fR. - - .SH DEFAULTS - Within the \fIdefaults\fR section, these variables and values are recognized: - - .IP notify_ttls --This is the list of times, given in seconds, before a certificate's not-after -+This is the list of times, given in seconds, before a certificate's not\-after - validity date - (often referred to as its expiration time) when \fIcertmonger\fR should warn - that the certificate will soon no longer be valid. -@@ -20,7 +20,7 @@ If this value is not specified, \fIcertmonger\fR will attempt to use the value - of the \fIttls\fR setting. The default list of values is "@CM_DEFAULT_TTL_LIST@". - - .IP enroll_ttls --This is the list of times, given in seconds, before a certificate's not-after -+This is the list of times, given in seconds, before a certificate's not\-after - validity date - (often referred to as its expiration time) when \fIcertmonger\fR should attempt - to automatically renew the certificate, if it is configured to do so. -@@ -43,7 +43,7 @@ an email address, or it can be a command to run. The default value is - - .IP key_type - This is the type of key pair which will be generated, used in certificate --signing requests, and used when self-signing certificates. -+signing requests, and used when self\-signing certificates. - @NO_MAN_DSA@\fIRSA\fR is supported. - @MAN_DSA@\fIRSA\fR and \fIDSA\fR are supported. - @MAN_EC@\fIEC\fR (also known as \fIECDSA\fR) is also supported. -@@ -58,7 +58,7 @@ software. - - .IP digest - This is the digest algorithm which will be used when signing certificate --signing requests and self-signed certificates. Recognized values include -+signing requests and self\-signed certificates. Recognized values include - \fIsha1\fP, \fIsha256\fP, \fIsha384\fP, and \fIsha512\fP. The default is - \fIsha256\fP. It is not recommended that this value be changed except in cases - where the default is incompatible with other software. -@@ -95,14 +95,14 @@ There is effectively no default for this setting. - Within the \fIselfsign\fR section, these variables and values are recognized: - - .IP validity_period --This is the validity period given to self-signed certificates. -+This is the validity period given to self\-signed certificates. - The value is specified as a combination of years (y), months (M), weeks (w), - days (d), hours (h), minutes (m), and/or seconds (s). If no unit of time is - specified, seconds are assumed. - The default value is \fI@CM_DEFAULT_CERT_LIFETIME@\fR. - - .IP populate_unique_id --This controls whether or not self-signed certificates will have their -+This controls whether or not self\-signed certificates will have their - subjectUniqueID and issuerUniqueID fields populated. While RFC5280 prohibits - their use, they may be needed and/or used by older applications. The default - value is \fI@CM_DEFAULT_POPULATE_UNIQUE_ID@\fR. -@@ -111,7 +111,7 @@ value is \fI@CM_DEFAULT_POPULATE_UNIQUE_ID@\fR. - Within the \fIlocal\fR section, these variables and values are recognized: - - .IP validity_period --This is the validity period given to the locally-signed CA's certificate when it -+This is the validity period given to the locally\-signed CA's certificate when it - is generated. - The value is specified as a combination of years (y), months (M), weeks (w), - days (d), hours (h), minutes (m), and/or seconds (s). If no unit of time is -diff --git a/src/getcert-add-ca.1.in b/src/getcert-add-ca.1.in -index 31b3b93..54f55f5 100644 ---- a/src/getcert-add-ca.1.in -+++ b/src/getcert-add-ca.1.in -@@ -1,10 +1,10 @@ --.TH certmonger 1 "24 February 2015" "certmonger Manual" -+.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual" - - .SH NAME - getcert - - .SH SYNOPSIS --getcert add-ca [options] -+getcert add\-ca [options] - - .SH DESCRIPTION - Adds a CA configuration to \fIcertmonger\fR, which can subsequently be -@@ -12,17 +12,17 @@ used to enroll certificates. - - .SH OPTIONS - .TP --\fB\-c\fR NAME -+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR - The nickname to give to this CA configuration. This same value can later be - passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and --\fIstart-tracking\fR commands using the \fB-c\fR flag. -+\fIstart\-tracking\fR commands using the \fB\-c\fR flag. - .TP --\fB\-e\fR COMMAND -+\fB\-e\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR - The helper command to run for communicating with the CA. The helper will be - used to pass signing requests to the CA, relay the CA's responses back to the - \fIcertmonger\fR service, and to read information about the CA. - .TP --\fB\-v\fR -+\fB\-v\fR, \fB\-\-verbose\fR - Be verbose about errors. Normally, the details of an error received from - the daemon will be suppressed if the client can make a diagnostic suggestion. - -@@ -32,22 +32,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in -index bf07306..c2751ed 100644 ---- a/src/getcert-add-scep-ca.1.in -+++ b/src/getcert-add-scep-ca.1.in -@@ -1,64 +1,64 @@ --.TH certmonger 1 "24 February 2015" "certmonger Manual" -+.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual" - - .SH NAME - getcert - - .SH SYNOPSIS --getcert add-scep-ca [options] -+getcert add\-scep\-ca [options] - - .SH DESCRIPTION - Adds a CA configuration to \fIcertmonger\fR, which can subsequently be used to --enroll certificates. The configuration will use the bundled \fIscep-submit\fR --helper. The \fIadd-scep-ca\fR command is more or less a wrapper for the --\fIadd-ca\fR command. -+enroll certificates. The configuration will use the bundled \fIscep\-submit\fR -+helper. The \fIadd\-scep\-ca\fR command is more or less a wrapper for the -+\fIadd\-ca\fR command. - - .SH OPTIONS - .TP --\fB\-c\fR NAME -+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR - The nickname to give to this CA configuration. This same value can later be - passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and --\fIstart-tracking\fR commands using the \fB-c\fR flag. -+\fIstart\-tracking\fR commands using the \fB\-c\fR flag. - .TP --\fB\-u\fR URL -+\fB\-u\fR \fIURL\fR, \fB\-\-url\fR=\fIURL\fR - The location of the SCEP server's enrollment interface. This option must be - specified. - .TP --\fB\-R\fR ca-certificate-file --The location of a PEM-formatted copy of the CA's certificate used to verify -+\fB\-R\fR \fIFILE\fR, \fB\-\-ca\-cacert\fR=\fIFILE\fR -+The location of a PEM\-formatted copy of the CA's certificate used to verify - the TLS connection the SCEP server. - - This option must be specified if the URL is an \fIhttps\fR location. - .TP --\fB\-N\fR ca-certificate-file --The location of a PEM-formatted copy of the SCEP server's CA certificate. -+\fB\-N\fR \fIFILE\fR, \fB\-\-signingca\fR=\fIFILE\fR -+The location of a PEM\-formatted copy of the SCEP server's CA certificate. - A discovered value is normally supplied by the certmonger daemon, but one can - be specified for troubleshooting purposes. - .TP --\fB\-r\fR ra-certificate-file --The location of a PEM-formatted copy of the SCEP server's RA's certificate. -+\fB\-r\fR \fIFILE\fR, \fB\-\-ra\-cert\fR=\fIFILE\fR -+The location of a PEM\-formatted copy of the SCEP server's RA's certificate. - A discovered value is normally supplied by the certmonger daemon, but one can - be specified for troubleshooting purposes. - .TP --\fB\-I\fR other-certificates-file --The location of a file containing other PEM-formatted certificates which may be -+\fB\-I\fR \fIFILE\fR, \fB\-\-other\-certs\fR=\fIFILE\fR -+The location of a file containing other PEM\-formatted certificates which may be - needed in order to properly verify signed responses sent by the SCEP server - back to the client. A discovered set is normally supplied by the certmonger - daemon, but can be specified for troubleshooting purposes. - .TP --\fB\-i\fR identifier -+\fB\-i\fR \fIID\fR, \fB\-\-id\fR=\fIID\fR - A CA identifier value which will passed to the server when the --\fIscep-submit\fR helper is used to retrieve copies of the server's -+\fIscep\-submit\fR helper is used to retrieve copies of the server's - certificates. - .TP --\fB\-n\fR --The SCEP Renewal feature allows a client with a previously-issued certificate -+\fB\-n\fR, \fB\-\-non\-renewal\fR -+The SCEP Renewal feature allows a client with a previously\-issued certificate - to use that certificate and the associated private key to request a new - certificate for a different key pair, and can be used to support - \fIcertmonger\fR's rekeying feature if the SCEP server advertises support for --it. This option forces the \fIscep-submit\fR helper to issue requests without -+it. This option forces the \fIscep\-submit\fR helper to issue requests without - making use of this feature. - .TP --\fB\-v\fR -+\fB\-v\fR, \fB\-\-verbose\fR - Be verbose about errors. Normally, the details of an error received from - the daemon will be suppressed if the client can make a diagnostic suggestion. - -@@ -68,22 +68,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/getcert-list-cas.1.in b/src/getcert-list-cas.1.in -index 7f250e5..ff4e14f 100644 ---- a/src/getcert-list-cas.1.in -+++ b/src/getcert-list-cas.1.in -@@ -1,17 +1,17 @@ --.TH certmonger 1 "3 November 2009" "certmonger Manual" -+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual" - - .SH NAME - getcert - - .SH SYNOPSIS --getcert list-cas [options] -+getcert list\-cas [options] - - .SH DESCRIPTION - Queries \fIcertmonger\fR for a list of known CAs. - - .SH OPTIONS - .TP --\fB\-c\fR NAME -+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR - List only information about the CA which has the specified nickname. - - .SH BUGS -@@ -20,23 +20,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/getcert-list.1.in b/src/getcert-list.1.in -index eded28a..9bf4826 100644 ---- a/src/getcert-list.1.in -+++ b/src/getcert-list.1.in -@@ -1,4 +1,4 @@ --.TH certmonger 1 "28 June 2016" "certmonger Manual" -+.TH CERTMONGER 1 "June 28, 2016" "certmonger Manual" - - .SH NAME - getcert -@@ -12,35 +12,35 @@ monitoring or attempting to obtain. - - .SH ENROLLMENT OPTIONS - .TP --\fB\-c\fR NAME -+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR - List only entries which use the specified CA. The name of the CA should --correspond to one listed by \fIgetcert list-cas\fR. -+correspond to one listed by \fIgetcert list\-cas\fR. - - .SH LISTING OPTIONS - .TP --\fB\-r\fR -+\fB\-r\fR, \fB\-\-requests\-only\fR - List only entries which are either currently being enrolled or refreshed. - .TP --\fB\-t\fR -+\fB\-t\fR, \fB\-\-tracking\-only\fR - List only entries which are not currently being enrolled or refreshed. - .TP --\fB\-u\fR|\fB--utc\fR -+\fB\-u\fR, \fB\-\-utc\fR - Display timestamps in UTC instead of local time. - - .TP --\fB\-d\fR DIR -+\fB\-d\fR \fBDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR - List only entries which use an NSS database in the specified directory - for storing the certificate. - .TP --\fB\-n\fR NAME -+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR - List only tracking requests which use an NSS database and the specified - nickname for storing the certificate. - .TP --\fB\-f\fR FILE -+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR - List only tracking requests which specify that the certificate should be - stored in the specified file. - .TP --\fB\-i\fR NAME -+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR - List only tracking requests which use this request nickname. - - .SH STATES -@@ -53,11 +53,11 @@ The service is currently generating a new key pair. - .TP - NEED_KEY_GEN_PERMS - The service encountered a filesystem permission error while attempting --to save the newly-generated key pair. -+to save the newly\-generated key pair. - .TP - NEED_KEY_GEN_PIN - The service is missing the PIN which is required to access an NSS --database in order to save the newly-generated key pair, or it has an -+database in order to save the newly\-generated key pair, or it has an - incorrect PIN for a database. - .TP - NEED_KEY_GEN_TOKEN -@@ -75,7 +75,7 @@ The service is currently reading information about the key pair. - .TP - NEED_KEYINFO_READ_PIN - The service is missing the PIN which is required to access an NSS --database in order to read information about the newly-generated key pair, or -+database in order to read information about the newly\-generated key pair, or - it has an incorrect PIN for a database, or has an incorrect password for - accessing a key stored in encrypted PEM format. - .TP -@@ -161,8 +161,8 @@ The CA approved the signing request, and the service is about to save the - issued certificate to the location where it has been told to save it. - .TP - PRE_SAVE_CERT --The service is running a configured pre-saving command before saving the --newly-issued certificate to the location where it has been told to save -+The service is running a configured pre\-saving command before saving the -+newly\-issued certificate to the location where it has been told to save - it. - .TP - START_SAVING_CERT -@@ -175,16 +175,16 @@ where it has been told to save it. - .TP - NEED_CERTSAVE_PERMS - The service encountered a filesystem permission error while attempting --to save the newly-issued certificate to the location where it has been -+to save the newly\-issued certificate to the location where it has been - told to save it. - .TP - NEED_CERTSAVE_TOKEN --The service is unable to find the token in which the newly-issued -+The service is unable to find the token in which the newly\-issued - certificate is to be stored. - .TP - NEED_CERTSAVE_PIN - The service is missing the PIN which is required to access an NSS --database in order to save the newly-issued certificate to the location -+database in order to save the newly\-issued certificate to the location - where it has been told to save it. - .TP - NEED_TO_SAVE_CA_CERTS -@@ -231,22 +231,22 @@ issuer's certificate to the locations where it has been told to save - them. - .TP - POST_SAVED_CERT --The service is running a configured post-saving command after saving the --newly-issued certificate to the location where it has been told to save -+The service is running a configured post\-saving command after saving the -+newly\-issued certificate to the location where it has been told to save - them. - .TP - MONITORING - The service is monitoring the certificate and waiting for its --not-valid-after date to approach. This is expected to be the status -+not\-valid\-after date to approach. This is expected to be the status - most often seen. - .TP - NEED_TO_NOTIFY_VALIDITY - The service is about to notify the system administrator that the --certificate's not-valid-after date is approaching. -+certificate's not\-valid\-after date is approaching. - .TP - NOTIFYING_VALIDITY - The service is notifying the system administrator that the certificate's --not-valid-after date is approaching. -+not\-valid\-after date is approaching. - .TP - NEED_TO_NOTIFY_REJECTION - The service is about to notify the system administrator that the -@@ -350,23 +350,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/getcert-modify-ca.1.in b/src/getcert-modify-ca.1.in -index 36677c5..90bc621 100644 ---- a/src/getcert-modify-ca.1.in -+++ b/src/getcert-modify-ca.1.in -@@ -1,23 +1,23 @@ --.TH certmonger 1 "24 February 2015" "certmonger Manual" -+.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual" - - .SH NAME - getcert - - .SH SYNOPSIS --getcert modify-ca [options] -+getcert modify\-ca [options] - - .SH DESCRIPTION - Modifies the helper command in a \fIcertmonger\fR CA configuration. - - .SH OPTIONS - .TP --\fB\-c\fR NAME -+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR - The nickname of the CA configuration to modify. - .TP --\fB\-e\fR COMMAND -+\fB\-e\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR - The new helper command to run for communicating with the CA. - .TP --\fB\-v\fR -+\fB\-v\fR, \fB\-\-verbose\fR - Be verbose about errors. Normally, the details of an error received from - the daemon will be suppressed if the client can make a diagnostic suggestion. - -@@ -27,22 +27,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/getcert-refresh-ca.1.in b/src/getcert-refresh-ca.1.in -index 2662adc..86318e7 100644 ---- a/src/getcert-refresh-ca.1.in -+++ b/src/getcert-refresh-ca.1.in -@@ -1,21 +1,21 @@ --.TH certmonger 1 "29 May 2014" "certmonger Manual" -+.TH CERTMONGER 1 "May 29, 2014" "certmonger Manual" - - .SH NAME - getcert - - .SH SYNOPSIS --getcert refresh-ca [options] -+getcert refresh\-ca [options] - - .SH DESCRIPTION - Forces \fIcertmonger\fR to refresh information specific to a CA, such as --locally-stored copies of its certificates. -+locally\-stored copies of its certificates. - - .SH OPTIONS - .TP --\fB\-c\fR NAME -+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR - Refresh information about the CA which has the specified nickname. - .TP --\fB\-a\fR -+\fB\-a\fR, \fB\-\-all\fR - Refresh information about all known CAs. - - .SH BUGS -@@ -24,24 +24,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/getcert-refresh.1.in b/src/getcert-refresh.1.in -index 660c2ec..79028c1 100644 ---- a/src/getcert-refresh.1.in -+++ b/src/getcert-refresh.1.in -@@ -1,4 +1,4 @@ --.TH certmonger 1 "21 July 2014" "certmonger Manual" -+.TH CERTMONGER 1 "July 24, 2014" "certmonger Manual" - - .SH NAME - getcert -@@ -13,7 +13,7 @@ waiting for the CA. - - .SH SPECIFYING REQUESTS BY NICKNAME - .TP --\fB\-i\fR NAME -+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR - Check on the status of the signing request which has this nickname. - If this option is not specified, and a tracking entry which matches the - certificate storage options which are specified already exists, that entry -@@ -23,24 +23,24 @@ with the \fB\-f\fR option. - - .SH SPECIFYING REQUESTS BY CERTIFICATE LOCATION - .TP --\fB\-d\fR DIR -+\fB\-d\fR \rIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR - The certificate is in the NSS database in the specified directory. - .TP --\fB\-n\fR NAME -+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR - The certificate in the NSS database named with \fB\-d\fR has the specified - nickname. Only valid with \fB\-d\fR. - .TP --\fB\-t\fR TOKEN -+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR - If the NSS database has more than one token available, the certificate - is stored in this token. This argument only rarely needs to be specified. - Only valid with \fB\-d\fR. - .TP --\fB\-f\fR FILE -+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR - The certificate is stored in the named file. - - .SH OPTIONS - .TP --\fB\-a\fR -+\fB\-a\fR, \fB\-\-all\fR - Refresh information about all requests for which the service will need to - attempt to contact the CA again. - -@@ -50,23 +50,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/getcert-rekey.1.in b/src/getcert-rekey.1.in -index 39ba761..fd848e7 100644 ---- a/src/getcert-rekey.1.in -+++ b/src/getcert-rekey.1.in -@@ -1,4 +1,4 @@ --.TH certmonger 1 "31 July 2015" "certmonger Manual" -+.TH CERTMONGER 1 "July 31, 2015" "certmonger Manual" - - .SH NAME - getcert -@@ -13,7 +13,7 @@ order to replace both a certificate and its private key. - - .SH SPECIFYING REQUESTS BY NICKNAME - .TP --\fB\-i\fR NAME -+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR - The new key pair will be generated and the new certificate will be obtained for - the tracking request which has this nickname. If this option is not specified, - and a tracking entry which matches the key and certificate storage options -@@ -23,62 +23,61 @@ of the \fB\-d\fR and \fB\-n\fR options, or with the \fB\-f\fR option. - - .SH SPECIFYING REQUESTS BY CERTIFICATE LOCATION - .TP --\fB\-d\fR DIR -+\fB\-d\fR \fIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR - The certificate is in the NSS database in the specified directory. - .TP --\fB\-n\fR NAME -+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR - The certificate in the NSS database named with \fB\-d\fR has the specified - nickname. Only valid with \fB\-d\fR. - .TP --\fB\-t\fR TOKEN -+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR - If the NSS database has more than one token available, the certificate - is stored in this token. This argument only rarely needs to be specified. - Only valid with \fB\-d\fR. - .TP --\fB\-f\fR FILE -+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR - The certificate is stored in the named file. - - .SH KEY GENERATION OPTIONS - .TP --\fB\-G\fR TYPE -+\fB\-G\fR \fITYPE\fR, \fB\-\-key\-type\fR=\fITYPE\fR - In case a new key pair needs to be generated, this option specifies the - type of the keys to be generated. If not specified, the current key type - will be used. - .TP --\fB\-g\fR BITS -+\fB\-g\fR \fIBITS\fR, \fB\-\-key\-size\fR=\fIBITS\fR - This option specifies the size of the new key to be generated. If not - specified, a key of the same size as the existing key will be generated. - --\fB\-c\fR NAME - .SH ENROLLMENT OPTIONS - .TP --\fB\-c\fR NAME -+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR - Submit the new signing request to the specified CA rather than the one which - was previously associated with this certificate. The name of --the CA should correspond to one listed by \fIgetcert list-cas\fR. -+the CA should correspond to one listed by \fIgetcert list\-cas\fR. - .TP --\fB\-T\fR NAME -+\fB\-T\fR \fINAME, \fB\-\-profile\fR=\fINAME\fR - Request a certificate using the named profile, template, or certtype, - from the specified CA. - .TP --\fB\-\-ms-template-spec\fR SPEC -+\fB\-\-ms\-template\-spec\fR \fISPEC\fR - Include a V2 Certificate Template extension in the signing request. - This datum includes an Object Identifier, a major version number - (positive integer) and an optional minor version number. The format - is: \fB:[:]\fR. - .TP --\fB\-X\fR NAME -+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR - Request a certificate using the named issuer from the specified CA. - .TP --\fB\-I\fR NAME -+\fB\-I\fR \fINAME\fR, \fB\-\-new\-id\fR=\fINAME\fR - Assign the specified nickname to this task, replacing the previous nickname. - - .SH SIGNING REQUEST OPTIONS - .TP --\fB\-N\fR NAME -+\fB\-N\fR \fINAME\fR, \fB\-\-subject\-name\fR=\fINAME\fR - Change the subject name to include in the signing request. - .TP --\fB\-u\fR keyUsage -+\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR - Add an extensionRequest for the specified keyUsage to the - signing request. The keyUsage value is expected to be one of these names: - -@@ -100,62 +99,74 @@ encipherOnly - - decipherOnly - .TP --\fB\-U\fR EKU -+\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR - Change the extendedKeyUsage value specified in an extendedKeyUsage - extension part of the extensionRequest attribute in the signing - request. The EKU value is expected to be an object identifier (OID). - .TP --\fB\-K\fR NAME -+\fB\-K\fR \fINAME\fB, \fB\-\-ca\fR=\fINAME\fR - Change the Kerberos principal name specified as part of a subjectAltName - extension part of the extensionRequest attribute in the signing request. - .TP --\fB\-E\fR EMAIL -+\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR - Change the email address specified as part of a subjectAltName - extension part of the extensionRequest attribute in the signing request. - .TP --\fB\-D\fR DNSNAME -+\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR - Change the DNS name specified as part of a subjectAltName extension part of the - extensionRequest attribute in the signing request. - .TP --\fB\-A\fR ADDRESS -+\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR - Change the IP address specified as part of a subjectAltName extension part of - the extensionRequest attribute in the signing request. - .TP --\fB\-l\fR FILE -+\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fINAME\fR - Add an optional ChallengePassword value, read from the file, to the signing - request. A ChallengePassword is often required when the CA is accessed using - SCEP. - .TP --\fB\-L\fR PIN -+\fB\-L\fR \fIPIN\fR, \fB\-\-challenge\-password\fR=\fIPIN\fR - Add the argument value to the signing request as a ChallengePassword attribute. - A ChallengePassword is often required when the CA is accessed using SCEP. - - .SH OTHER OPTIONS - .TP --\fB\-B\fR COMMAND -+\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR - When ever the certificate or the CA's certificates are saved to the - specified locations, run the specified command as the client user before - saving the certificates. - .TP --\fB\-C\fR COMMAND -+\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR - When ever the certificate or the CA's certificates are saved to the - specified locations, run the specified command as the client user after - saving the certificates. - .TP --\fB\-a\fR DIR -+\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR - When ever the certificate is saved to the specified location, if root - certificates for the CA are available, save them to the specified NSS database. - .TP --\fB\-F\fR FILE -+\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR - When ever the certificate is saved to the specified location, if root - certificates for the CA are available, and when the local copies of the - CA's root certificates are updated, save them to the specified file. - .TP --\fB\-w\fR -+\fB\-\-for\-ca\fR -+Request a CA certificate. -+.TP -+\fB\-\-not\-for\-ca\fR -+Request a non\-CA certificate (the default). -+.TP -+\fB\-\-ca\-path\-length\fR=\fILENGTH\fR -+Path length for CA certificate. Only valid with \-\-for\-ca. -+.TP -+\fB\-w\fR, \fB\-\-wait\fR - Wait for the new certificate to be issued and saved, or for the attempt to obtain - one using the new key to fail. - .TP --\fB\-v\fR -+\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR -+Maximum time to wait for the certificate to be issued. -+.TP -+\fB\-v\fR \fB\-\-verbose\fR - Be verbose about errors. Normally, the details of an error received from - the daemon will be suppressed if the client can make a diagnostic suggestion. - -@@ -165,22 +176,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/getcert-remove-ca.1.in b/src/getcert-remove-ca.1.in -index 4b29db7..1839f84 100644 ---- a/src/getcert-remove-ca.1.in -+++ b/src/getcert-remove-ca.1.in -@@ -1,10 +1,10 @@ --.TH certmonger 1 "24 February 2015" "certmonger Manual" -+.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual" - - .SH NAME - getcert - - .SH SYNOPSIS --getcert remove-ca [options] -+getcert remove\-ca [options] - - .SH DESCRIPTION - Remove a CA configuration from \fIcertmonger\fR. Enrollment requests which -@@ -12,10 +12,10 @@ reference the CA will behave as though they have no assigned CA. - - .SH OPTIONS - .TP --\fB\-c\fR NAME -+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR - The nickname of the CA configuration to remove. - .TP --\fB\-v\fR -+\fB\-v\fR, \fB\-\-verbose\fR - Be verbose about errors. Normally, the details of an error received from - the daemon will be suppressed if the client can make a diagnostic suggestion. - -@@ -25,22 +25,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/getcert-request.1.in b/src/getcert-request.1.in -index ba43016..89bc080 100644 ---- a/src/getcert-request.1.in -+++ b/src/getcert-request.1.in -@@ -1,4 +1,4 @@ --.TH certmonger 1 "9 February 2015" "certmonger Manual" -+.TH CERTMONGER 1 "February 9, 2015" "certmonger Manual" - - .SH NAME - getcert -@@ -14,87 +14,87 @@ CA. - - .SH KEY AND CERTIFICATE STORAGE OPTIONS - .TP --\fB\-d\fR DIR -+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR - Use an NSS database in the specified directory for storing this - certificate and key. - .TP --\fB\-n\fR NAME -+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR - Use the key with this nickname to generate the signing request. If no - such key is found, generate one. Give the enrolled certificate this - nickname, too. - Only valid with \fB\-d\fR. - .TP --\fB\-t\fR TOKEN -+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR - If the NSS database has more than one token available, use the token - with this name for storing and accessing the certificate and key. This - argument only rarely needs to be specified. - Only valid with \fB\-d\fR. - .TP --\fB\-f\fR FILE -+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR - Store the issued certificate in this file. For safety's sake, do not - use the same file specified with the \fB\-k\fR option. - .TP --\fB\-k\fR FILE -+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR - Use the key stored in this file to generate the signing request. If no - such file is found, generate a new key pair and store them in the file. - Only valid with \fB\-f\fR. - - .SH KEY ENCRYPTION OPTIONS - .TP --\fB\-p\fR FILE -+\fB\-p\fR \fIFILE\fR, \fB\-\-pinfile\fR=\fIFILE\fR - Encrypt private key files or databases using the PIN stored in the named - file as the passphrase. - .TP --\fB\-P\fR PIN -+\fB\-P\fR \fIPIN\fR, \fB\-\-pin\fR=\fIPIN\fR - Encrypt private key files or databases using the specified PIN as the --passphrase. Because command-line arguments to running processes are -+passphrase. Because command\-line arguments to running processes are - trivially discoverable, use of this option is not recommended except - for testing. - - .SH KEY GENERATION OPTIONS - .TP --\fB\-G\fR TYPE -+\fB\-G\fR \fITYPE\fR, \fB\-\-key\-type\fR=\fITYPE\fR - In case a new key pair needs to be generated, this option specifies the - type of the keys to be generated. If not specified, a reasonable default - (currently \fIRSA\fR) will be used. - .TP --\fB\-g\fR BITS -+\fB\-g\fR \fIBITS\fR, \fB\-\-key\-size\fR=\fIBITS\fR - In case a new key pair needs to be generated, this option specifies the - size of the key. If not specified, a reasonable default (currently - @CM_DEFAULT_PUBKEY_SIZE@ bits) will be used. - - .SH TRACKING OPTIONS - .TP --\fB\-r\fR -+\fB\-r\fR, \fB\-\-renew\fR - Attempt to obtain a new certificate from the CA when the expiration date of a - certificate nears. This is the default setting. - .TP --\fB\-R\fR -+\fB\-R\fR, \fB\-\-no\-renew\fR - Don't attempt to obtain a new certificate from the CA when the expiration date - of a certificate nears. If this option is specified, an expired certificate - will simply stay expired. - .TP --\fB\-I\fR NAME -+\fB\-I\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR - Assign the specified nickname to this task. If this option is not specified, - a name will be assigned automatically. - - .SH ENROLLMENT OPTIONS - .TP --\fB\-c\fR NAME -+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR - Enroll with the specified CA rather than a possible default. The name of --the CA should correspond to one listed by \fIgetcert list-cas\fR. -+the CA should correspond to one listed by \fIgetcert list\-cas\fR. - .TP --\fB\-T\fR NAME -+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR - Request a certificate using the named profile, template, or certtype, - from the specified CA. - .TP --\fB\-\-ms-template-spec\fR SPEC -+\fB\-\-ms\-template\-spec\fR \fISPEC\fR - Include a V2 Certificate Template extension in the signing request. - This datum includes an Object Identifier, a major version number - (positive integer) and an optional minor version number. The format - is: \fB:[:]\fR. - .TP --\fB\-X\fR NAME -+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR - Request a certificate using the named issuer from the specified CA. - - .SH SIGNING REQUEST OPTIONS -@@ -108,11 +108,11 @@ The options \fB\-K\fR, \fB\-E\fR, \fB\-D\fR and \fB\-A\fR may be provided - multiple times to set multiple subjectAltName of the same type. - - .TP --\fB\-N\fR NAME -+\fB\-N\fR \fINAME\fR, \fB\-\-subject\-name\fR=\fINAME\fR - Set the subject name to include in the signing request. The default - used is CN=\fIhostname\fR, where \fIhostname\fR is the local hostname. - .TP --\fB\-u\fR keyUsage -+\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR - Add an extensionRequest for the specified keyUsage to the - signing request. The keyUsage value is expected to be one of these names: - -@@ -134,84 +134,113 @@ encipherOnly - - decipherOnly - .TP --\fB\-U\fR EKU -+\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR - Add an extensionRequest for the specified extendedKeyUsage to the - signing request. The EKU value is expected to be an object identifier - (OID), but some specific names are also recognized. These are some - names and their associated OID values: - --id-kp-serverAuth 1.3.6.1.5.5.7.3.1 -+id\-kp\-serverAuth 1.3.6.1.5.5.7.3.1 - --id-kp-clientAuth 1.3.6.1.5.5.7.3.2 -+id\-kp\-clientAuth 1.3.6.1.5.5.7.3.2 - --id-kp-codeSigning 1.3.6.1.5.5.7.3.3 -+id\-kp\-codeSigning 1.3.6.1.5.5.7.3.3 - --id-kp-emailProtection 1.3.6.1.5.5.7.3.4 -+id\-kp\-emailProtection 1.3.6.1.5.5.7.3.4 - --id-kp-timeStamping 1.3.6.1.5.5.7.3.8 -+id\-kp\-timeStamping 1.3.6.1.5.5.7.3.8 - --id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9 -+id\-kp\-OCSPSigning 1.3.6.1.5.5.7.3.9 - --id-pkinit-KPClientAuth 1.3.6.1.5.2.3.4 -+id\-pkinit\-KPClientAuth 1.3.6.1.5.2.3.4 - --id-pkinit-KPKdc 1.3.6.1.5.2.3.5 -+id\-pkinit\-KPKdc 1.3.6.1.5.2.3.5 - --id-ms-kp-sc-logon 1.3.6.1.4.1.311.20.2.2 -+id\-ms\-kp\-sc\-logon 1.3.6.1.4.1.311.20.2.2 - .TP --\fB\-K\fR NAME -+\fB\-K\fR \fINAME\fR, \fB\-\-principal\fR=\fINAME\fR - Add an extensionRequest for a subjectAltName, with the specified Kerberos - principal name as its value, to the signing request. - .TP --\fB\-E\fR EMAIL -+\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR - Add an extensionRequest for a subjectAltName, with the specified email - address as its value, to the signing request. - .TP --\fB\-D\fR DNSNAME -+\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR - Add an extensionRequest for a subjectAltName, with the specified DNS name - as its value, to the signing request. - .TP --\fB\-A\fR ADDRESS -+\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR - Add an extensionRequest for a subjectAltName, with the specified IP address - as its value, to the signing request. - .TP --\fB\-l\fR FILE -+\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fIFILE\fR - Add an optional ChallengePassword value, read from the file, to the signing - request. A ChallengePassword is often required when the CA is accessed using - SCEP. - .TP --\fB\-L\fR PIN -+\fB\-L\fR \fIPIN\fR, \fB\-\-challenge\-password\fR=\fIPIN\fR - Add the argument value to the signing request as a ChallengePassword attribute. - A ChallengePassword is often required when the CA is accessed using SCEP. - - .SH OTHER OPTIONS - .TP --\fB\-B\fR COMMAND -+\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR - When ever the certificate or the CA's certificates are saved to the - specified locations, run the specified command as the client user before - saving the certificates. - .TP --\fB\-C\fR COMMAND -+\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR - When ever the certificate or the CA's certificates are saved to the - specified locations, run the specified command as the client user after - saving the certificates. - .TP --\fB\-a\fR DIR -+\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR - When ever the certificate is saved to the specified location, if root - certificates for the CA are available, save them to the specified NSS database. - .TP --\fB\-F\fR FILE -+\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR - When ever the certificate is saved to the specified location, if root - certificates for the CA are available, and when the local copies of the - CA's root certificates are updated, save them to the specified file. - .TP --\fB\-w\fR -+\fB\-\-for\-ca\fR -+Request a CA certificate. -+.TP -+\fB\-\-not\-for\-ca\fR -+Request a non\-CA certificate (the default). -+.TP -+\fB\-\-ca\-path\-length\fR=\fILENGTH\fR -+Path length for CA certificate. Only valid with \-\-for\-ca. -+.TP -+\fB\-w\fR, \fB\-\-wait\fR - Wait for the certificate to be issued and saved, or for the attempt to obtain - one to fail. - .TP --\fB\-v\fR -+\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR -+Maximum time to wait for the certificate to be issued. -+.TP -+\fB\-v\fR, \fB\-\-verbose\fR - Be verbose about errors. Normally, the details of an error received from - the daemon will be suppressed if the client can make a diagnostic suggestion. -- -+\fB\-o\fR \fIOWNER\fR, \fB\-\-key\-owner\fR=\fIOWNER\fR -+After generation set the owner on the private key file or database to OWNER. -+.TP -+\fB\-m\fR \fIMODE\fR, \fB\-\-key\-perms\fR=\fIMODE\fR -+After generation set the file permissions on the private key file or database to MODE. -+.TP -+\fB\-O\fR \fIOWNER\fR, \fR\-\-cert\-owner\fR=\fIOWNER\fR -+After generation set the owner on the certificate file or database to OWNER. -+.TP -+\fB\-M\fR \fIMODE\fR, \fR\-\-cert\-perms\fR=\fIMODE\fR -+After generation set the file permissions on the certificate file or database to MODE. -+.SH BUS OPTIONS -+\fB\-s\fR, \fB\-\-session\fR -+Connect to certmonger on the session bus rather than the system bus. -+.TP -+\fB\-S\fR, \fB\-\-system\fR -+Connect to certmonger on the system bus rather than the session bus. This -+is the default. - .SH NOTES - Locations specified for key and certificate storage need to be - accessible to the \fIcertmonger\fR daemon process. When run as a system -@@ -219,7 +248,7 @@ daemon on a system which uses a mandatory access control mechanism such - as SELinux, the system policy must ensure that the daemon is allowed to - access the locations where certificates and keys that it will manage - will be stored (these locations are typically labeled as \fIcert_t\fR or --an equivalent). More SELinux-specific information can be found in the -+an equivalent). More SELinux\-specific information can be found in the - \fIselinux.txt\fR documentation file for this package. - - .SH BUGS -@@ -228,23 +257,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/getcert-resubmit.1.in b/src/getcert-resubmit.1.in -index f9e6bb1..aefea51 100644 ---- a/src/getcert-resubmit.1.in -+++ b/src/getcert-resubmit.1.in -@@ -1,4 +1,4 @@ --.TH certmonger 1 "9 February 2015" "certmonger Manual" -+.TH CERTMONGER 1 "February 9, 2015" "certmonger Manual" - - .SH NAME - getcert -@@ -12,7 +12,7 @@ submit (or resubmit) the signing request to a CA for signing. - - .SH SPECIFYING REQUESTS BY NICKNAME - .TP --\fB\-i\fR NAME -+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR - Resubmit a signing request for the tracking request which has this nickname. - If this option is not specified, and a tracking entry which matches the key - and certificate storage options which are specified already exists, that entry -@@ -22,50 +22,50 @@ with the \fB\-f\fR option. - - .SH SPECIFYING REQUESTS BY CERTIFICATE LOCATION - .TP --\fB\-d\fR DIR -+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR - The certificate is in the NSS database in the specified directory. - .TP --\fB\-n\fR NAME -+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR - The certificate in the NSS database named with \fB\-d\fR has the specified - nickname. Only valid with \fB\-d\fR. - .TP --\fB\-t\fR TOKEN -+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR - If the NSS database has more than one token available, the certificate - is stored in this token. This argument only rarely needs to be specified. - Only valid with \fB\-d\fR. - .TP --\fB\-f\fR FILE -+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR - The certificate is stored in the named file. - - .SH ENROLLMENT OPTIONS - .TP --\fB\-c\fR NAME -+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR - Submit the new signing request to the specified CA rather than the one which - was previously associated with this certificate. The name of --the CA should correspond to one listed by \fIgetcert list-cas\fR. -+the CA should correspond to one listed by \fIgetcert list\-cas\fR. - .TP --\fB\-T\fR NAME -+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR - Request a certificate using the named profile, template, or certtype, - from the specified CA. - .TP --\fB\-\-ms-template-spec\fR SPEC -+\fB\-\-ms\-template\-spec\fR \fISPEC\fR - Include a V2 Certificate Template extension in the signing request. - This datum includes an Object Identifier, a major version number - (positive integer) and an optional minor version number. The format - is: \fB:[:]\fR. - .TP --\fB\-X\fR NAME -+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR - Request a certificate using the named issuer from the specified CA. - .TP --\fB\-I\fR NAME -+\fB\-I\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR - Assign the specified nickname to this task, replacing the previous nickname. - - .SH SIGNING REQUEST OPTIONS - .TP --\fB\-N\fR NAME -+\fB\-N\fR \fINAME\fR, \fB\-\-subject\-name\fR=\fINAME\fR - Change the subject name to include in the signing request. - .TP --\fB\-u\fR keyUsage -+\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR - Add an extensionRequest for the specified keyUsage to the - signing request. The keyUsage value is expected to be one of these names: - -@@ -87,64 +87,84 @@ encipherOnly - - decipherOnly - .TP --\fB\-U\fR EKU -++\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR - Change the extendedKeyUsage value specified in an extendedKeyUsage - extension part of the extensionRequest attribute in the signing - request. The EKU value is expected to be an object identifier (OID). - .TP --\fB\-K\fR NAME -+\fB\-K\fR \fINAME\fR, \fB\-\-principal\fR=\fINAME\fR - Change the Kerberos principal name specified as part of a subjectAltName - extension part of the extensionRequest attribute in the signing request. - .TP --\fB\-E\fR EMAIL -+\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR - Change the email address specified as part of a subjectAltName - extension part of the extensionRequest attribute in the signing request. - .TP --\fB\-D\fR DNSNAME -+\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR - Change the DNS name specified as part of a subjectAltName extension part of the - extensionRequest attribute in the signing request. - .TP --\fB\-A\fR ADDRESS -+\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR - Change the IP address specified as part of a subjectAltName extension part of - the extensionRequest attribute in the signing request. - .TP --\fB\-l\fR FILE -+\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fIFILE\fR - Add an optional ChallengePassword value, read from the file, to the signing - request. A ChallengePassword is often required when the CA is accessed using - SCEP. - .TP --\fB\-L\fR PIN -+\fB\-L\fR \fIPIN\fR, \fB\-\-challenge\-password\fR=\fIPIN\fR - Add the argument value to the signing request as a ChallengePassword attribute. - A ChallengePassword is often required when the CA is accessed using SCEP. - - .SH OTHER OPTIONS - .TP --\fB\-B\fR COMMAND -+\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR - When ever the certificate or the CA's certificates are saved to the - specified locations, run the specified command as the client user before - saving the certificates. - .TP --\fB\-C\fR COMMAND -+\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR - When ever the certificate or the CA's certificates are saved to the - specified locations, run the specified command as the client user after - saving the certificates. - .TP --\fB\-a\fR DIR -+\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR - When ever the certificate is saved to the specified location, if root - certificates for the CA are available, save them to the specified NSS database. - .TP --\fB\-F\fR FILE -+\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR - When ever the certificate is saved to the specified location, if root - certificates for the CA are available, and when the local copies of the - CA's root certificates are updated, save them to the specified file. - .TP --\fB\-w\fR -+\fB\-\-for\-ca\fR -+Request a CA certificate. -+.TP -+\fB\-\-not\-for\-ca\fR -+Request a non\-CA certificate (the default). -+.TP -+\fB\-\-ca\-path\-length\fR=\fILENGTH\fR -+Path length for CA certificate. Only valid with \-\-for\-ca. -+.TP -+\fB\-w\fR, \fB\-\-wait\fR - Wait for the certificate to be reissued and saved, or for the attempt to obtain - one to fail. - .TP --\fB\-v\fR -+\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR -+Maximum time to wait for the certificate to be issued. -+.TP -+\fB\-v\fR, \fB\-\-verbose\fR - Be verbose about errors. Normally, the details of an error received from - the daemon will be suppressed if the client can make a diagnostic suggestion. -+\fB\-o\fR \fIOWNER\fR, \fB\-\-key\-owner\fR=\fIOWNER\fR -+After generation set the owner on the private key file or database to OWNER. -+\fB\-m\fR \fIMODE\fR, \fB\-\-key\-perms\fR=\fIMODE\fR -+After generation set the file permissions on the private key file or database to MODE. -+\fB\-O\fR \fIOWNER\fR, \fB\-\-cert\-owner\fR=\fIOWNER\fR -+After generation set the owner on the certificate file or database to OWNER. -+\fB\-M\fR \fIMODE\fR, \fB\-\-cert\-perms\fR=\fIMODE\fR -+After generation set the file permissions on the certificate file or database to MODE. - - .SH BUGS - Please file tickets for any that you find at https://fedorahosted.org/certmonger/ -@@ -152,23 +172,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/getcert-start-tracking.1.in b/src/getcert-start-tracking.1.in -index f60e4a7..fff16f5 100644 ---- a/src/getcert-start-tracking.1.in -+++ b/src/getcert-start-tracking.1.in -@@ -1,13 +1,13 @@ --.TH certmonger 1 "9 February 2015" "certmonger Manual" -+.TH CERTMONGER 1 "February 9, 2015" "certmonger Manual" - - .SH NAME - getcert - - .SH SYNOPSIS --getcert start-tracking [options] -+getcert start\-tracking [options] - - .SH DESCRIPTION --Tells \fIcertmonger\fR to monitor an already-issued certificate. -+Tells \fIcertmonger\fR to monitor an already\-issued certificate. - Optionally, when the certificate nears expiration, use an existing key - pair (or to generate one if one is not already found in the specified - location), to generate a signing request using the key pair and to -@@ -15,7 +15,7 @@ submit them for signing to a CA. - - .SH SPECIFYING EXISTING REQUESTS - .TP --\fB\-i\fR NAME -+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR - Modify the request which has this nickname. If this option is not specified, - and a tracking entry which matches the key and certificate storage options - which are specified already exists, that entry will be modified. Otherwise, a -@@ -23,27 +23,27 @@ new tracking entry will be added. - - .SH KEY AND CERTIFICATE STORAGE OPTIONS - .TP --\fB\-d\fR DIR -+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR - Use an NSS database in the specified directory for reading this - certificate and, if possible, the corresponding key. - .TP --\fB\-n\fR NAME -+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR - Use the certificate with this nickname, and if a private key with the - same nickname or which corresponds to the certificate is available, to - use it, too. - Only valid with \fB\-d\fR. - .TP --\fB\-t\fR TOKEN -+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR - If the NSS database has more than one token available, use the token - with this name for accessing the certificate and key. This argument - only rarely needs to be specified. - Only valid with \fB\-d\fR. - .TP --\fB\-f\fR FILE -+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR - Read the certificate from this file. For safety's sake, do not use the - same file specified with the \fB\-k\fR option. - .TP --\fB\-k\fR FILE -+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR - Use the key stored in this file to generate a signing request for - refreshing the certificate. If no such file is found when needed, - generate a new key pair and store them in the file. -@@ -51,58 +51,58 @@ Only valid with \fB\-f\fR. - - .SH KEY ENCRYPTION OPTIONS - .TP --\fB\-p\fR FILE -+\fB\-p\fR \fIFILE\fR, \fB\-\-pinfile\fR=\fIFILE\fR - The private key files or databases are encrypted using the PIN stored in the - named file as the passphrase. - .TP --\fB\-P\fR PIN -+\fB\-P\fR \fIPIN\fR, \fB\-\-pin\fR=\fIPIN\fR - The private key files or databases are encrypted using the specified PIN as the --passphrase. Because command-line arguments to running processes are trivially -+passphrase. Because command\-line arguments to running processes are trivially - discoverable, use of this option is not recommended except for testing. - - .SH TRACKING OPTIONS - .TP --\fB\-I\fR NAME -+\fB\-I\fR \fINAME\fR, \fB\-\-new\-id\fR=\fINAME\fR - Assign the specified nickname to this task. If this option is not specified, - a name will be assigned automatically. - .TP --\fB\-r\fR -+\fB\-r\fR, \fB\-\-renew\fR - Attempt to obtain a new certificate from the CA when the expiration date of a - certificate nears. This is the default setting. - .TP --\fB\-R\fR -+\fB\-R\fR, \fB\-\-no\-renew\fR - Don't attempt to obtain a new certificate from the CA when the expiration date - of a certificate nears. If this option is specified, an expired certificate - will simply stay expired. - - .SH ENROLLMENT OPTIONS - .TP --\fB\-c\fR NAME -+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR - Enroll with the specified CA rather than a possible default. The name of --the CA should correspond to one listed by \fIgetcert list-cas\fR. Only -+the CA should correspond to one listed by \fIgetcert list\-cas\fR. Only - useful in combination with \fB\-r\fR. - .TP --\fB\-T\fR NAME -+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR - Request a certificate using the named profile, template, or certtype, - from the specified CA. - .TP --\fB\-\-ms-template-spec\fR SPEC -+\fB\-\-ms\-template\-spec\fR \fISPEC\fR - Include a V2 Certificate Template extension in the signing request. - This datum includes an Object Identifier, a major version number - (positive integer) and an optional minor version number. The format - is: \fB:[:]\fR. - .TP --\fB\-X\fR NAME -+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR - Request a certificate using the named issuer from the specified CA. - - .SH SIGNING REQUEST OPTIONS - If and when \fIcertmonger\fR attempts to obtain a new certificate to replace - the one being monitored, the values to be added to the signing request will be - taken from the current certificate, unless preferred values are set using one --or more of \fB-u\R, \fB\-U\fR, \fB\-K\fR, \fB\-E\fR, and \fB\-D\fR. -+or more of \fB\-u\R, \fB\-U\fR, \fB\-K\fR, \fB\-E\fR, and \fB\-D\fR. - - .TP --\fB\-u\fR keyUsage -+\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR - Add an extensionRequest for the specified keyUsage to the - signing request. The keyUsage value is expected to be one of these names: - -@@ -124,64 +124,86 @@ encipherOnly - - decipherOnly - .TP --\fB\-U\fR EKU -+\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR - Add an extensionRequest for the specified extendedKeyUsage to the - signing request. The EKU value is expected to be an object identifier - (OID). - .TP --\fB\-K\fR NAME -+\fB\-K\fR \fINAME\fR, \fB\-\-principal\fR=\fINAME\fR - Add an extensionRequest for a subjectAltName, with the specified Kerberos - principal name as its value, to the signing request. - .TP --\fB\-E\fR EMAIL -+\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR - Add an extensionRequest for a subjectAltName, with the specified email - address as its value, to the signing request. - .TP --\fB\-D\fR DNSNAME -+\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR - Add an extensionRequest for a subjectAltName, with the specified DNS name - as its value, to the signing request. --\fB\-A\fR ADDRESS -+\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR - Add an extensionRequest for a subjectAltName, with the specified IP address - as its value, to the signing request. - .TP --\fB\-l\fR FILE -+\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fIFILE\fR - Add an optional ChallengePassword value, read from the file, to the signing - request. A ChallengePassword is often required when the CA is accessed using - SCEP. - .TP --\fB\-L\fR PIN -+\fB\-L\fR \fIPASSWORD\fR, \fB\-\-challenge\-password\fR=\fIPASSWORD\fR - Add the argument value to the signing request as a ChallengePassword attribute. - A ChallengePassword is often required when the CA is accessed using SCEP. - - .SH OTHER OPTIONS - .TP --\fB\-B\fR COMMAND -+\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR - When ever the certificate or the CA's certificates are saved to the - specified locations, run the specified command as the client user before - saving the certificates. - .TP --\fB\-C\fR COMMAND -+\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR - When ever the certificate or the CA's certificates are saved to the - specified locations, run the specified command as the client user after - saving the certificates. - .TP --\fB\-a\fR DIR -+\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR - When ever the certificate is saved to the specified location, if root - certificates for the CA are available, save them to the specified NSS database. - .TP --\fB\-F\fR FILE -+\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR - When ever the certificate is saved to the specified location, if root - certificates for the CA are available, and when the local copies of the - CA's root certificates are updated, save them to the specified file. - .TP --\fB\-w\fR -+\fB\-w\fR, \fB\-\-wait\fR - Wait for the certificate to become valid or to be reissued and saved, or for - the attempt to obtain a new one to fail. - .TP --\fB\-v\fR -+\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR -+Maximum time to wait for the certificate to be issued. -+.TP -+\fB\-v\fR, \fB\-\-verbose\fR - Be verbose about errors. Normally, the details of an error received from - the daemon will be suppressed if the client can make a diagnostic suggestion. -- -+.TP -+\fB\-o\fR \fIOWNER\fR, \fB\-\-key\-owner\fR=\fIOWNER\fR -+After generation set the owner on the private key file or database to OWNER. -+.TP -+\fB\-m\fR \fIMODE\fR, \fB\-\-key\-perms\fR=\fIMODE\fR -+After generation set the file permissions on the private key file or database to MODE. -+.TP -+\fB\-O\fR \fIOWNER\fR, \fR\-\-cert\-owner\fR=\fIOWNER\fR -+After generation set the owner on the certificate file or database to OWNER. -+.TP -+\fB\-M\fR \fIMODE\fR, \fR\-\-cert\-perms\fR=\fIMODE\fR -+After generation set the file permissions on the certificate file or database to MODE. -+.SH BUS OPTIONS -+.TP -+\fB\-s\fR, \fB\-\-session\fR -+Connect to certmonger on the session bus rather than the system bus. -+.TP -+\fB\-S\fR, \fB\-\-system\fR -+Connect to certmonger on the system bus rather than the session bus. This -+is the default. - .SH NOTES - Locations specified for key and certificate storage need to be - accessible to the \fIcertmonger\fR daemon process. When run as a system -@@ -189,7 +211,7 @@ daemon on a system which uses a mandatory access control mechanism such - as SELinux, the system policy must ensure that the daemon is allowed to - access the locations where certificates and keys that it will manage - will be stored (these locations are typically labeled as \fIcert_t\fR or --an equivalent). More SELinux-specific information can be found in the -+an equivalent). More SELinux\-specific information can be found in the - \fIselinux.txt\fR documentation file for this package. - - .SH BUGS -@@ -198,23 +220,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/getcert-status.1.in b/src/getcert-status.1.in -index 071d393..da2fbc6 100644 ---- a/src/getcert-status.1.in -+++ b/src/getcert-status.1.in -@@ -1,4 +1,4 @@ --.TH certmonger 1 "13 June 2014" "certmonger Manual" -+.TH CERTMONGER 1 "June 13, 2014" "certmonger Manual" - - .SH NAME - getcert -@@ -12,18 +12,18 @@ request and sets an exit status to reflect that status. - - .SH SELECTION OPTIONS - .TP --\fB\-d\fR DIR -+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR - Check that status of a certificate in the named NSS database. Must be --specified with the \fB-n\fR option. -+specified with the \fB\-n\fR option. - .TP --\fB\-n\fR NAME -+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR - Check that status of a certificate in with the specified nickname. Must be --specified with the \fB-d\fR option. -+specified with the \fB\-d\fR option. - .TP --\fB\-f\fR FILE -+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR - Check that status of a certificate stored in the specified PEM file. - .TP --\fB\-i\fR NAME -+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR - Check that status of a certificate with the specified request nickname. - - .SH EXIT STATUS -@@ -53,24 +53,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/getcert-stop-tracking.1.in b/src/getcert-stop-tracking.1.in -index a8657f3..96345d1 100644 ---- a/src/getcert-stop-tracking.1.in -+++ b/src/getcert-stop-tracking.1.in -@@ -1,10 +1,10 @@ --.TH certmonger 1 "3 November 2009" "certmonger Manual" -+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual" - - .SH NAME - getcert - - .SH SYNOPSIS --getcert stop-tracking [options] -+getcert stop\-tracking [options] - - .SH DESCRIPTION - Tells \fIcertmonger\fR to stop monitoring or attempting to obtain or -@@ -12,7 +12,7 @@ refresh a certificate. - - .SH TRACKING OPTIONS - .TP --\fB\-i\fR NAME -+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR - The certificate was tracked using the request with the specified nickname. - If this option is not specified, some combination of \fB\-d\fR and - \fB\-n\fR or \fB\-f\fR can be used to specify which certificate should -@@ -20,55 +20,62 @@ henceforth be forgotten. - - .SH KEY AND CERTIFICATE STORAGE OPTIONS - .TP --\fB\-d\fR DIR -+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR - The certificate is the one stored in the specified NSS database. - .TP --\fB\-n\fR NAME -+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR - The certificate is the one which has this nickname. Only valid with - \fB\-d\fR. - .TP --\fB\-t\fR TOKEN -+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR - If the NSS database has more than one token available, the certificate - is stored in this token. This argument only rarely needs to be - specified. - Only valid with \fB\-d\fR. - .TP --\fB\-f\fR FILE -+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR - The certificate is or was to be stored in this file. - .TP --\fB\-k\fR FILE -+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR - The private key is or was to be stored in this file. - Only valid with \fB\-f\fR. - - .SH OTHER OPTIONS - .TP --\fB\-v\fR -+\fB\-v\fR, \fB\-\-verbose\fR - Be verbose about errors. Normally, the details of an error received from - the daemon will be suppressed if the client can make a diagnostic suggestion. -- -+.SH BUS OPTIONS -+.TP -+\fB\-s\fR, \fB\-\-session\fR -+Connect to certmonger on the session bus rather than the system bus. -+.TP -+\fB\-S\fR, \fB\-\-system\fR -+Connect to certmonger on the system bus rather than the session bus. This -+is the default. - .SH BUGS - Please file tickets for any that you find at https://fedorahosted.org/certmonger/ - - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/getcert.1.in b/src/getcert.1.in -index 7380f49..8669c76 100644 ---- a/src/getcert.1.in -+++ b/src/getcert.1.in -@@ -1,4 +1,4 @@ --.TH certmonger 1 "3 November 2009" "certmonger Manual" -+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual" - - .SH NAME - getcert -@@ -6,12 +6,12 @@ getcert - .SH SYNOPSIS - getcert request [options] - getcert resubmit [options] -- getcert start-tracking [options] -+ getcert start\-tracking [options] - getcert status [options] -- getcert stop-tracking [options] -+ getcert stop\-tracking [options] - getcert list [options] -- getcert list-cas [options] -- getcert refresh-cas [options] -+ getcert list\-cas [options] -+ getcert refresh\-cas [options] - - .SH DESCRIPTION - The \fIgetcert\fR tool issues requests to a @CM_DBUS_NAME@ service on -@@ -22,7 +22,7 @@ expiration, and optionally to refresh it when expiration nears, it can - list the set of certificates that the service is already monitoring, or - it can list the set of CAs that the service is capable of using. - --If no command is given as the first command-line argument, \fIgetcert\fR -+If no command is given as the first command\-line argument, \fIgetcert\fR - will print short usage information for each of its functions. - - If \fIgetcert\fR is invoked by a user with UID 0, and there is no system bus -@@ -32,7 +32,7 @@ available, \fIgetcert\fR will attempt to launch a temporary copy of the - .SH COMMON ARGUMENTS - If \fI@CERTMONGER_PVT_ADDRESS_ENV@\fR is set in the environment, \fIgetcert\fR - contacts the service directly at the specified location. --All commands can take either the \fB-s\fR or \fB-S\fR arguments, which instruct -+All commands can take either the \fB\-s\fR or \fB\-S\fR arguments, which instruct - \fIgetcert\fR to contact the @CM_DBUS_NAME@ service on the session or system - bus, if no value is set. By default, \fIgetcert\fR consults the @CM_DBUS_NAME@ - service attached to the system bus. -@@ -42,24 +42,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - - .SH SEE ALSO - \fBcertmonger\fR(8) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/ipa-getcert.1.in b/src/ipa-getcert.1.in -index a1d36d5..f1b3682 100644 ---- a/src/ipa-getcert.1.in -+++ b/src/ipa-getcert.1.in -@@ -1,20 +1,20 @@ --.TH certmonger 1 "3 November 2009" "certmonger Manual" -+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual" - - .SH NAME --ipa-getcert -+ipa\-getcert - - .SH SYNOPSIS -- ipa-getcert request [options] -- ipa-getcert resubmit [options] -- ipa-getcert start-tracking [options] -- ipa-getcert status [options] -- ipa-getcert stop-tracking [options] -- ipa-getcert list [options] -- ipa-getcert list-cas [options] -- ipa-getcert refresh-cas [options] -+ ipa\-getcert request [options] -+ ipa\-getcert resubmit [options] -+ ipa\-getcert start\-tracking [options] -+ ipa\-getcert status [options] -+ ipa\-getcert stop\-tracking [options] -+ ipa\-getcert list [options] -+ ipa\-getcert list\-cas [options] -+ ipa\-getcert refresh\-cas [options] - - .SH DESCRIPTION --The \fIipa-getcert\fR tool issues requests to a @CM_DBUS_NAME@ -+The \fIipa\-getcert\fR tool issues requests to a @CM_DBUS_NAME@ - service on behalf of the invoking user. It can ask the service to begin - enrollment, optionally generating a key pair to use, it can ask the - service to begin monitoring a certificate in a specified location for -@@ -22,17 +22,17 @@ expiration, and optionally to refresh it when expiration nears, it can - list the set of certificates that the service is already monitoring, or - it can list the set of CAs that the service is capable of using. - --If no command is given as the first command-line argument, --\fIipa-getcert\fR will print short usage information for each of -+If no command is given as the first command\-line argument, -+\fIipa\-getcert\fR will print short usage information for each of - its functions. - --The \fIipa-getcert\fR tool behaves identically to the generic --\fIgetcert\fR tool when it is used with the \fB-c -+The \fIipa\-getcert\fR tool behaves identically to the generic -+\fIgetcert\fR tool when it is used with the \fB\-c - \fI@CM_IPA_CA_NAME@\fR option. - - \fBcertmonger\fR supports retrieving trusted certificates from IPA CAs. See --\fBgetcert-request\fR(1) and \fBgetcert-resubmit\fR(1) for information about --using the \fB-F\fR and \fB-a\fR options to specify where those certificates -+\fBgetcert\-request\fR(1) and \fBgetcert\-resubmit\fR(1) for information about -+using the \fB\-F\fR and \fB\-a\fR options to specify where those certificates - should be stored. - - .SH BUGS -@@ -41,24 +41,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/local-getcert.1.in b/src/local-getcert.1.in -index 526e31f..48a265b 100644 ---- a/src/local-getcert.1.in -+++ b/src/local-getcert.1.in -@@ -1,20 +1,20 @@ --.TH certmonger 1 "7 June 2014" "certmonger Manual" -+.TH CERTMONGER 1 "June 7, 2014" "certmonger Manual" - - .SH NAME --local-getcert -+local\-getcert - - .SH SYNOPSIS -- local-getcert request [options] -- local-getcert resubmit [options] -- local-getcert start-tracking [options] -- local-getcert status [options] -- local-getcert stop-tracking [options] -- local-getcert list [options] -- local-getcert list-cas [options] -- local-getcert refresh-cas [options] -+ local\-getcert request [options] -+ local\-getcert resubmit [options] -+ local\-getcert start\-tracking [options] -+ local\-getcert status [options] -+ local\-getcert stop\-tracking [options] -+ local\-getcert list [options] -+ local\-getcert list\-cas [options] -+ local\-getcert refresh\-cas [options] - - .SH DESCRIPTION --The \fIlocal-getcert\fR tool issues requests to a @CM_DBUS_NAME@ -+The \fIlocal\-getcert\fR tool issues requests to a @CM_DBUS_NAME@ - service on behalf of the invoking user. It can ask the service to begin - enrollment, optionally generating a key pair to use, it can ask the - service to begin monitoring a certificate in a specified location for -@@ -22,17 +22,17 @@ expiration, and optionally to refresh it when expiration nears, it can - list the set of certificates that the service is already monitoring, or - it can list the set of CAs that the service is capable of using. - --If no command is given as the first command-line argument, --\fIlocal-getcert\fR will print short usage information for each of -+If no command is given as the first command\-line argument, -+\fIlocal\-getcert\fR will print short usage information for each of - its functions. - --The \fIlocal-getcert\fR tool behaves identically to the generic --\fIgetcert\fR tool when it is used with the \fB-c -+The \fIlocal\-getcert\fR tool behaves identically to the generic -+\fIgetcert\fR tool when it is used with the \fB\-c - \fIlocal\fR option. - --\fBcertmonger\fR supports retrieving the list of current and previously-used --local CA certificates. See \fBgetcert-request\fR(1) and --\fBgetcert-resubmit\fR(1) for information about using the \fB-F\fR and \fB-a\fR -+\fBcertmonger\fR supports retrieving the list of current and previously\-used -+local CA certificates. See \fBgetcert\-request\fR(1) and -+\fBgetcert\-resubmit\fR(1) for information about using the \fB\-F\fR and \fB\-a\fR - options to specify where those certificates should be stored. - - .SH BUGS -@@ -41,24 +41,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) -diff --git a/src/selfsign-getcert.1.in b/src/selfsign-getcert.1.in -index 88389e8..d15c398 100644 ---- a/src/selfsign-getcert.1.in -+++ b/src/selfsign-getcert.1.in -@@ -1,20 +1,20 @@ --.TH certmonger 1 "3 November 2009" "certmonger Manual" -+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual" - - .SH NAME --selfsign-getcert -+selfsign\-getcert - - .SH SYNOPSIS -- selfsign-getcert request [options] -- selfsign-getcert resubmit [options] -- selfsign-getcert start-tracking [options] -- selfsign-getcert status [options] -- selfsign-getcert stop-tracking [options] -- selfsign-getcert list [options] -- selfsign-getcert list-cas [options] -- selfsign-getcert refresh-cas [options] -+ selfsign\-getcert request [options] -+ selfsign\-getcert resubmit [options] -+ selfsign\-getcert start\-tracking [options] -+ selfsign\-getcert status [options] -+ selfsign\-getcert stop\-tracking [options] -+ selfsign\-getcert list [options] -+ selfsign\-getcert list\-cas [options] -+ selfsign\-getcert refresh\-cas [options] - - .SH DESCRIPTION --The \fIselfsign-getcert\fR tool issues requests to a @CM_DBUS_NAME@ -+The \fIselfsign\-getcert\fR tool issues requests to a @CM_DBUS_NAME@ - service on behalf of the invoking user. It can ask the service to begin - enrollment, optionally generating a key pair to use, it can ask the - service to begin monitoring a certificate in a specified location for -@@ -22,16 +22,16 @@ expiration, and optionally to refresh it when expiration nears, it can - list the set of certificates that the service is already monitoring, or - it can list the set of CAs that the service is capable of using. - --If no command is given as the first command-line argument, --\fIselfsign-getcert\fR will print short usage information for each of -+If no command is given as the first command\-line argument, -+\fIselfsign\-getcert\fR will print short usage information for each of - its functions. - --The \fIselfsign-getcert\fR tool behaves identically to the generic --\fIgetcert\fR tool when it is used with the \fB-c -+The \fIselfsign\-getcert\fR tool behaves identically to the generic -+\fIgetcert\fR tool when it is used with the \fB\-c - \fI@CM_SELF_SIGN_CA_NAME@\fR option. - --\fBcertmonger\fR's self-signer doesn't use root certificates. While the --\fB-F\fR and \fB-a\fR options will still be recognized, they will effectively -+\fBcertmonger\fR's self\-signer doesn't use root certificates. While the -+\fB\-F\fR and \fB\-a\fR options will still be recognized, they will effectively - be ignored. - - .SH BUGS -@@ -40,24 +40,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger - .SH SEE ALSO - \fBcertmonger\fR(8) - \fBgetcert\fR(1) --\fBgetcert-add-ca\fR(1) --\fBgetcert-add-scep-ca\fR(1) --\fBgetcert-list-cas\fR(1) --\fBgetcert-list\fR(1) --\fBgetcert-modify-ca\fR(1) --\fBgetcert-refresh-ca\fR(1) --\fBgetcert-refresh\fR(1) --\fBgetcert-rekey\fR(1) --\fBgetcert-remove-ca\fR(1) --\fBgetcert-request\fR(1) --\fBgetcert-resubmit\fR(1) --\fBgetcert-start-tracking\fR(1) --\fBgetcert-status\fR(1) --\fBgetcert-stop-tracking\fR(1) --\fBcertmonger-certmaster-submit\fR(8) --\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) --\fBcertmonger-dogtag-submit\fR(8) --\fBcertmonger-ipa-submit\fR(8) --\fBcertmonger-local-submit\fR(8) --\fBcertmonger-scep-submit\fR(8) -+\fBgetcert\-add\-ca\fR(1) -+\fBgetcert\-add\-scep\-ca\fR(1) -+\fBgetcert\-list\-cas\fR(1) -+\fBgetcert\-list\fR(1) -+\fBgetcert\-modify\-ca\fR(1) -+\fBgetcert\-refresh\-ca\fR(1) -+\fBgetcert\-refresh\fR(1) -+\fBgetcert\-rekey\fR(1) -+\fBgetcert\-remove\-ca\fR(1) -+\fBgetcert\-request\fR(1) -+\fBgetcert\-resubmit\fR(1) -+\fBgetcert\-start\-tracking\fR(1) -+\fBgetcert\-status\fR(1) -+\fBgetcert\-stop\-tracking\fR(1) -+\fBcertmonger\-certmaster\-submit\fR(8) -+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) -+\fBcertmonger\-dogtag\-submit\fR(8) -+\fBcertmonger\-ipa\-submit\fR(8) -+\fBcertmonger\-local\-submit\fR(8) -+\fBcertmonger\-scep\-submit\fR(8) - \fBcertmonger_selinux\fR(8) --- -2.21.1 - diff --git a/SOURCES/0043-Add-long-options-to-command-line-help.patch b/SOURCES/0043-Add-long-options-to-command-line-help.patch deleted file mode 100644 index 6e52b5c..0000000 --- a/SOURCES/0043-Add-long-options-to-command-line-help.patch +++ /dev/null @@ -1,757 +0,0 @@ -From f5b4420f01272f14416558286c66511b1e35816d Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 14 May 2020 14:37:31 -0400 -Subject: [PATCH 43/43] Add long options to command-line help - -The command-line help mostly consisted of only the short options. -Add the long-option and clean up some of the output. - -https://bugzilla.redhat.com/show_bug.cgi?id=1782838 ---- - src/getcert.c | 536 ++++++++++++++++++++++++++++++++------------------ - src/scep.c | 2 +- - 2 files changed, 345 insertions(+), 193 deletions(-) - -diff --git a/src/getcert.c b/src/getcert.c -index 5c8dc94..84e0bf3 100644 ---- a/src/getcert.c -+++ b/src/getcert.c -@@ -4864,50 +4864,90 @@ help(const char *twopartcmd, const char *category) - "\n", - N_("Required arguments:\n"), - N_("* If using an NSS database for storage:\n"), -- N_(" -d DIR NSS database for key and cert\n"), -- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"), -- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"), -+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"), -+ N_(" -n NAME, --nickname NAME\n"), -+ N_(" nickname for NSS-based storage (only valid with -d)\n"), -+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"), -+ N_(" (only valid with -d)\n"), - N_("* If using files for storage:\n"), -- N_(" -k FILE PEM file for private key\n"), -- N_(" -f FILE PEM file for certificate (only valid with -k)\n"), -+ N_(" -k FILE, --keyfile=FILE\n"), -+ N_(" PEM file for private key\n"), -+ N_(" -f FILE, --certfile=FILE\n"), -+ N_(" PEM file for certificate (only valid with -k)\n"), - N_("* If keys are to be encrypted:\n"), -- N_(" -p FILE file which holds the encryption PIN\n"), -- N_(" -P PIN PIN value\n"), -+ N_(" -p FILE, --pinfile=FILE\n"), -+ N_(" file which holds the encryption PIN\n"), -+ N_(" -P PIN, --pin=PIN PIN value\n"), - "\n", - N_("Optional arguments:\n"), - N_("* Certificate handling settings:\n"), -- N_(" -I NAME nickname to assign to the request\n"), -- N_(" -G TYPE type of key to be generated if one is not already in place\n"), -- N_(" -g SIZE size of key to be generated if one is not already in place\n"), -- N_(" -r attempt to renew the certificate when expiration nears (default)\n"), -- N_(" -R don't attempt to renew the certificate when expiration nears\n"), -+ N_(" -I NAME, --new-id=NAME\n"), -+ N_(" new nickname to give to tracking request\n"), -+ N_(" -G TYPE, --key-type=TYPE\n"), -+ N_(" type of key to be generated if one is not already\n"), -+ N_(" in place\n"), -+ N_(" -g BITS, --key-size=BITS\n"), -+ N_(" size of key to be generated if one is not already\n"), -+ N_(" in place\n"), -+ N_(" -r, --renew attempt to renew the certificate when\n"), -+ N_(" expiration nears (default)\n"), -+ N_(" -R, --no-renew don't attempt to renew the certificate when\n"), -+ N_(" expiration nears\n"), - #ifndef FORCE_CA -- N_(" -c CA use the specified CA rather than the default\n"), -+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"), - #endif -- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), -+ N_(" -T PROFILE, --profile=NAME\n"), -+ N_(" ask the CA to process the request using the\n"), -+ N_(" named profile or template\n"), - N_(" --ms-template-spec SPEC\n"), -- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), -- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), -+ N_(" include V2 template specifier in CSR\n"), -+ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), -+ N_(" -X ISSUER, --issuer=ISSUER\n"), -+ N_(" ask the CA to process the request using the\n"), -+ N_(" named issuer\n"), - N_("* Parameters for the signing request:\n"), -- N_(" -N NAME set requested subject name (default: CN=)\n"), -- N_(" -U EXTUSAGE set requested extended key usage OID\n"), -- N_(" -u KEYUSAGE set requested key usage value\n"), -- N_(" -K NAME set requested principal name\n"), -- N_(" -D DNSNAME set requested DNS name\n"), -- N_(" -E EMAIL set requested email address\n"), -- N_(" -A ADDRESS set requested IP address\n"), -- N_(" -l FILE file which holds an optional challenge password\n"), -- N_(" -L PASSWORD an optional challenge password value\n"), -+ N_(" -N NAME, --subject-name=NAME\n"), -+ N_(" set requested subject name (default: CN=)\n"), -+ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"), -+ N_(" override requested extended key usage OID\n"), -+ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"), -+ N_(" set requested key usage value\n"), -+ N_(" -K NAME, --principal=NAME\n"), -+ N_(" override requested principal name\n"), -+ N_(" -D DNSNAME, --dns=DNSNAME\n"), -+ N_(" override requested DNS name\n"), -+ N_(" -E EMAIL, --email=EMAIL\n"), -+ N_(" override requested email address\n"), -+ N_(" -A ADDRESS, --ip-address=ADDRESS\n"), -+ N_(" override requested IP address\n"), -+ N_(" -l FILE, --challenge-password-file=FILE\n"), -+ N_(" file which holds an optional challenge password\n"), -+ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"), -+ N_(" an optional challenge password value\n"), - N_("* Bus options:\n"), -- N_(" -S connect to the certmonger service on the system bus\n"), -- N_(" -s connect to the certmonger service on the session bus\n"), -+ N_(" -S, --system connect to the certmonger service on the system bus\n"), -+ N_(" -s, --session connect to the certmonger service on the session bus\n"), - N_("* Other options:\n"), -- N_(" -B command to run before saving the certificate\n"), -- N_(" -C command to run after saving the certificate\n"), -- N_(" -F file in which to store the CA's certificates\n"), -- N_(" -a NSS database in which to store the CA's certificates\n"), -- N_(" -w try to wait for the certificate to be issued\n"), -- N_(" -v report all details of errors\n"), -+ N_(" -B COMMAND, --before-command=COMMAND\n"), -+ N_(" command to run before saving the certificate\n"), -+ N_(" -C COMMAND, --after-command=COMMAND\n"), -+ N_(" command to run after saving the certificate\n"), -+ N_(" -F FILE, --ca-file=FILE\n"), -+ N_(" file in which to store the CA's certificates\n"), -+ N_(" -a DIR, --ca-dbdir=DIR\n"), -+ N_(" NSS database in which to store the CA's certificates\n"), -+ N_(" -w, --wait try to wait for the certificate to be issued\n"), -+ N_(" --wait-timeout TIMEOUT\n"), -+ N_(" Maximum time to wait for the certificateto be issued\n"), -+ N_(" -v, --verbose report all details of errors\n"), -+ N_(" -o OWNER, --key-owner=OWNER\n"), -+ N_(" owner information for private key\n"), -+ N_(" -m MODE, --key-perms=MODE\n"), -+ N_(" file permissions for private key\n"), -+ N_(" -O OWNER, --cert-owner=OWNER\n"), -+ N_(" owner information for certificate\n"), -+ N_(" -M MODE, --cert-perms=MODE\n"), -+ N_(" file permissions for certificate\n"), - NULL, - }; - const char *start_tracking_help[] = { -@@ -4915,49 +4955,84 @@ help(const char *twopartcmd, const char *category) - "\n", - N_("Required arguments:\n"), - N_("* If modifying an existing request:\n"), -- N_(" -i NAME nickname of an existing tracking request\n"), -+ N_(" -i NAME, --id=NAME nickname of an existing tracking request\n"), - N_("* If using an NSS database for storage:\n"), -- N_(" -d DIR NSS database for key and cert\n"), -- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"), -- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"), -+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"), -+ N_(" -n NAME, --nickname NAME\n"), -+ N_(" nickname for NSS-based storage (only valid with -d)\n"), -+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"), -+ N_(" (only valid with -d)\n"), - N_("* If using files for storage:\n"), -- N_(" -k FILE PEM file for private key\n"), -- N_(" -f FILE PEM file for certificate (only valid with -k)\n"), -+ N_(" -k FILE, --keyfile=FILE\n"), -+ N_(" PEM file for private key\n"), -+ N_(" -f FILE, --certfile=FILE\n"), -+ N_(" PEM file for certificate (only valid with -k)\n"), - N_("* If keys are encrypted:\n"), -- N_(" -p FILE file which holds the encryption PIN\n"), -- N_(" -P PIN PIN value\n"), -+ N_(" -p FILE, --pinfile=FILE\n"), -+ N_(" file which holds the encryption PIN\n"), -+ N_(" -P PIN, --pin=PIN PIN value\n"), - "\n", - N_("Optional arguments:\n"), - N_("* Certificate handling settings:\n"), -- N_(" -I NAME nickname to give to tracking request\n"), -- N_(" -r attempt to renew the certificate when expiration nears (default)\n"), -- N_(" -R don't attempt to renew the certificate when expiration nears\n"), -+ N_(" -I NAME, --new-id=NAME\n"), -+ N_(" nickname to give to tracking request\n"), -+ N_(" -r, --renew attempt to renew the certificate when\n"), -+ N_(" expiration nears (default)\n"), -+ N_(" -R, --no-renew don't attempt to renew the certificate when\n"), -+ N_(" expiration nears\n"), - #ifndef FORCE_CA -- N_(" -c CA use the specified CA rather than the default\n"), -+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"), - #endif -- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), -+ N_(" -T PROFILE, --profile=NAME\n"), -+ N_(" ask the CA to process the request using the\n"), -+ N_(" named profile or template\n"), - N_(" --ms-template-spec SPEC\n"), -- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), -- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), -+ N_(" include V2 template specifier in CSR\n"), -+ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), -+ N_(" -X ISSUER, --issuer=ISSUER\n"), -+ N_(" ask the CA to process the request using the\n"), -+ N_(" named issuer\n"), - N_("* Parameters for the signing request at renewal time:\n"), -- N_(" -U EXTUSAGE override requested extended key usage OID\n"), -- N_(" -u KEYUSAGE set requested key usage value\n"), -- N_(" -K NAME override requested principal name\n"), -- N_(" -D DNSNAME override requested DNS name\n"), -- N_(" -E EMAIL override requested email address\n"), -- N_(" -A ADDRESS override requested IP address\n"), -- N_(" -l FILE file which holds an optional challenge password\n"), -- N_(" -L PASSWORD an optional challenge password value\n"), -+ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"), -+ N_(" override requested extended key usage OID\n"), -+ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"), -+ N_(" set requested key usage value\n"), -+ N_(" -K NAME, --principal=NAME\n"), -+ N_(" override requested principal name\n"), -+ N_(" -D DNSNAME, --dns=DNSNAME\n"), -+ N_(" override requested DNS name\n"), -+ N_(" -E EMAIL, --email=EMAIL\n"), -+ N_(" override requested email address\n"), -+ N_(" -A ADDRESS, --ip-address=ADDRESS\n"), -+ N_(" override requested IP address\n"), -+ N_(" -l FILE, --challenge-password-file=FILE\n"), -+ N_(" file which holds an optional challenge password\n"), -+ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"), -+ N_(" an optional challenge password value\n"), - N_("* Bus options:\n"), -- N_(" -S connect to the certmonger service on the system bus\n"), -- N_(" -s connect to the certmonger service on the session bus\n"), -+ N_(" -S, --system connect to the certmonger service on the system bus\n"), -+ N_(" -s, --session connect to the certmonger service on the session bus\n"), - N_("* Other options:\n"), -- N_(" -B command to run before saving the certificate\n"), -- N_(" -C command to run after saving the certificate\n"), -- N_(" -F file in which to store the CA's certificates\n"), -- N_(" -a NSS database in which to store the CA's certificates\n"), -- N_(" -w try to wait for the certificate to be issued\n"), -- N_(" -v report all details of errors\n"), -+ N_(" -B COMMAND, --before-command=COMMAND\n"), -+ N_(" command to run before saving the certificate\n"), -+ N_(" -C COMMAND, --after-command=COMMAND\n"), -+ N_(" command to run after saving the certificate\n"), -+ N_(" -F FILE, --ca-file=FILE\n"), -+ N_(" file in which to store the CA's certificates\n"), -+ N_(" -a DIR, --ca-dbdir=DIR\n"), -+ N_(" NSS database in which to store the CA's certificates\n"), -+ N_(" -w, --wait try to wait for the certificate to be issued\n"), -+ N_(" --wait-timeout TIMEOUT\n"), -+ N_(" Maximum time to wait for the certificateto be issued\n"), -+ N_(" -v, --verbose report all details of errors\n"), -+ N_(" -o OWNER, --key-owner=OWNER\n"), -+ N_(" owner information for private key\n"), -+ N_(" -m MODE, --key-perms=MODE\n"), -+ N_(" file permissions for private key\n"), -+ N_(" -O OWNER, --cert-owner=OWNER\n"), -+ N_(" owner information for certificate\n"), -+ N_(" -M MODE, --cert-perms=MODE\n"), -+ N_(" file permissions for certificate\n"), - NULL, - }; - const char *stop_tracking_help[] = { -@@ -4965,21 +5040,24 @@ help(const char *twopartcmd, const char *category) - "\n", - N_("Required arguments:\n"), - N_("* By request identifier:\n"), -- N_(" -i NAME nickname for tracking request\n"), -+ N_(" -i NAME, --id=NAME nickname for tracking request\n"), - N_("* If using an NSS database for storage:\n"), -- N_(" -d DIR NSS database for key and cert\n"), -- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"), -- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"), -+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"), -+ N_(" -n NAME, --nickname NAME\n"), -+ N_(" nickname for NSS-based storage (only valid with -d)\n"), - N_("* If using files for storage:\n"), -- N_(" -k FILE PEM file for private key\n"), -- N_(" -f FILE PEM file for certificate (only valid with -k)\n"), -+ N_(" -k FILE, --keyfile=FILE\n"), -+ N_(" PEM file for private key\n"), -+ N_(" -f FILE, --certfile=FILE\n"), -+ N_(" PEM file for certificate (only valid with -k)\n"), - "\n", - N_("Optional arguments:\n"), - N_("* Bus options:\n"), -- N_(" -S connect to the certmonger service on the system bus\n"), -- N_(" -s connect to the certmonger service on the session bus\n"), -+ N_(" -S, --system connect to the certmonger service on the system bus\n"), -+ N_(" -s, --session connect to the certmonger service on the session bus\n"), -+ "\n", - N_("* Other options:\n"), -- N_(" -v report all details of errors\n"), -+ N_(" -v, --verbose report all details of errors\n"), - NULL, - }; - const char *resubmit_help[] = { -@@ -4987,49 +5065,81 @@ help(const char *twopartcmd, const char *category) - "\n", - N_("Required arguments:\n"), - N_("* By request identifier:\n"), -- N_(" -i NAME nickname for tracking request\n"), -+ N_(" -i NAME, --id=NAME nickname for tracking request\n"), - N_("* If using an NSS database for storage:\n"), -- N_(" -d DIR NSS database for key and cert\n"), -- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"), -- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"), -+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"), -+ N_(" -n NAME, --nickname NAME\n"), -+ N_(" nickname for NSS-based storage (only valid with -d)\n"), -+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"), -+ N_(" (only valid with -d)\n"), - N_("* If using files for storage:\n"), - N_(" -f FILE PEM file for certificate\n"), - "\n", - N_("* If keys are encrypted:\n"), -- N_(" -p FILE file which holds the encryption PIN\n"), -- N_(" -P PIN PIN value\n"), -+ N_(" -p FILE, --pinfile=FILE\n"), -+ N_(" file which holds the encryption PIN\n"), -+ N_(" -P PIN, --pin=PIN PIN value\n"), - "\n", - N_("* New parameter values for the signing request:\n"), -- N_(" -N NAME set requested subject name (default: CN=)\n"), -- N_(" -U EXTUSAGE set requested extended key usage OID\n"), -- N_(" -u KEYUSAGE set requested key usage value\n"), -- N_(" -K NAME set requested principal name\n"), -- N_(" -D DNSNAME set requested DNS name\n"), -- N_(" -E EMAIL set requested email address\n"), -- N_(" -A ADDRESS set requested IP address\n"), -- N_(" -l FILE file which holds an optional challenge password\n"), -- N_(" -L PASSWORD an optional challenge password value\n"), -+ N_(" -N NAME, --subject-name=NAME\n"), -+ N_(" set requested subject name (default: CN=)\n"), -+ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"), -+ N_(" override requested extended key usage OID\n"), -+ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"), -+ N_(" set requested key usage value\n"), -+ N_(" -K NAME, --principal=NAME\n"), -+ N_(" override requested principal name\n"), -+ N_(" -D DNSNAME, --dns=DNSNAME\n"), -+ N_(" override requested DNS name\n"), -+ N_(" -E EMAIL, --email=EMAIL\n"), -+ N_(" override requested email address\n"), -+ N_(" -A ADDRESS, --ip-address=ADDRESS\n"), -+ N_(" override requested IP address\n"), -+ N_(" -l FILE, --challenge-password-file=FILE\n"), -+ N_(" file which holds an optional challenge password\n"), -+ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"), -+ N_(" an optional challenge password value\n"), - "\n", - N_("Optional arguments:\n"), - N_("* Certificate handling settings:\n"), -- N_(" -I NAME new nickname to give to tracking request\n"), -+ N_(" -I NAME, --new-id=NAME\n"), -+ N_(" nickname to give to tracking request\n"), - #ifndef FORCE_CA -- N_(" -c CA use the specified CA rather than the current one\n"), -+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"), - #endif -- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), -+ N_(" -T PROFILE, --profile=NAME\n"), -+ N_(" ask the CA to process the request using the\n"), -+ N_(" named profile or template\n"), - N_(" --ms-template-spec SPEC\n"), -- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), -- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), -+ N_(" include V2 template specifier in CSR\n"), -+ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), -+ N_(" -X ISSUER, --issuer=ISSUER\n"), -+ N_(" ask the CA to process the request using the\n"), -+ N_(" named issuer\n"), - N_("* Bus options:\n"), -- N_(" -S connect to the certmonger service on the system bus\n"), -- N_(" -s connect to the certmonger service on the session bus\n"), -+ N_(" -S, --system connect to the certmonger service on the system bus\n"), -+ N_(" -s, --session connect to the certmonger service on the session bus\n"), - N_("* Other options:\n"), -- N_(" -B command to run before saving the certificate\n"), -- N_(" -C command to run after saving the certificate\n"), -- N_(" -F file in which to store the CA's certificates\n"), -- N_(" -a NSS database in which to store the CA's certificates\n"), -- N_(" -w try to wait for the certificate to be issued\n"), -- N_(" -v report all details of errors\n"), -+ N_(" -B COMMAND, --before-command=COMMAND\n"), -+ N_(" command to run before saving the certificate\n"), -+ N_(" -C COMMAND, --after-command=COMMAND\n"), -+ N_(" command to run after saving the certificate\n"), -+ N_(" -F FILE, --ca-file=FILE\n"), -+ N_(" file in which to store the CA's certificates\n"), -+ N_(" -a DIR, --ca-dbdir=DIR\n"), -+ N_(" NSS database in which to store the CA's certificates\n"), -+ N_(" -w, --wait try to wait for the certificate to be issued\n"), -+ N_(" --wait-timeout TIMEOUT\n"), -+ N_(" Maximum time to wait for the certificateto be issued\n"), -+ N_(" -v, --verbose report all details of errors\n"), -+ N_(" -o OWNER, --key-owner=OWNER\n"), -+ N_(" owner information for private key\n"), -+ N_(" -m MODE, --key-perms=MODE\n"), -+ N_(" file permissions for private key\n"), -+ N_(" -O OWNER, --cert-owner=OWNER\n"), -+ N_(" owner information for certificate\n"), -+ N_(" -M MODE, --cert-perms=MODE\n"), -+ N_(" file permissions for certificate\n"), - NULL, - }; - const char *rekey_help[] = { -@@ -5037,51 +5147,80 @@ help(const char *twopartcmd, const char *category) - "\n", - N_("Required arguments:\n"), - N_("* By request identifier:\n"), -- N_(" -i NAME nickname for tracking request\n"), -+ N_(" -i NAME, --id=NAME nickname for tracking request\n"), - N_("* If using an NSS database for storage:\n"), -- N_(" -d DIR NSS database for key and cert\n"), -- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"), -- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"), -+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"), -+ N_(" -n NAME, --nickname NAME\n"), -+ N_(" nickname for NSS-based storage (only valid with -d)\n"), -+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"), -+ N_(" (only valid with -d)\n"), - N_("* If using files for storage:\n"), -- N_(" -f FILE PEM file for certificate\n"), -+ N_(" -f FILE, --certfile=FILE\n"), -+ N_(" PEM file for certificate\n"), - "\n", - N_("* If keys are encrypted:\n"), -- N_(" -p FILE file which holds the encryption PIN\n"), -- N_(" -P PIN PIN value\n"), -+ N_(" -p FILE, --pinfile=FILE\n"), -+ N_(" file which holds the encryption PIN\n"), -+ N_(" -P PIN, --pin=PIN PIN value\n"), - "\n", - N_("* New parameter values for the signing request:\n"), -- N_(" -N NAME set requested subject name (default: CN=)\n"), -- N_(" -U EXTUSAGE set requested extended key usage OID\n"), -- N_(" -u KEYUSAGE set requested key usage value\n"), -- N_(" -K NAME set requested principal name\n"), -- N_(" -D DNSNAME set requested DNS name\n"), -- N_(" -E EMAIL set requested email address\n"), -- N_(" -A ADDRESS set requested IP address\n"), -- N_(" -l FILE file which holds an optional challenge password\n"), -- N_(" -L PASSWORD an optional challenge password value\n"), -+ N_(" -N NAME, --subject-name=NAME\n"), -+ N_(" set requested subject name (default: CN=)\n"), -+ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"), -+ N_(" override requested extended key usage OID\n"), -+ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"), -+ N_(" set requested key usage value\n"), -+ N_(" -K NAME, --principal=NAME\n"), -+ N_(" override requested principal name\n"), -+ N_(" -D DNSNAME, --dns=DNSNAME\n"), -+ N_(" override requested DNS name\n"), -+ N_(" -E EMAIL, --email=EMAIL\n"), -+ N_(" override requested email address\n"), -+ N_(" -A ADDRESS, --ip-address=ADDRESS\n"), -+ N_(" override requested IP address\n"), -+ N_(" -l FILE, --challenge-password-file=FILE\n"), -+ N_(" file which holds an optional challenge password\n"), -+ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"), -+ N_(" an optional challenge password value\n"), - "\n", - N_("Optional arguments:\n"), - N_("* Certificate handling settings:\n"), -- N_(" -I NAME new nickname to give to tracking request\n"), -+ N_(" -I NAME, --new-id=NAME\n"), -+ N_(" new nickname to give to tracking request\n"), - #ifndef FORCE_CA -- N_(" -c CA use the specified CA rather than the current one\n"), -+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"), - #endif -- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), -+ N_(" -T PROFILE, --profile=NAME\n"), -+ N_(" ask the CA to process the request using the\n"), -+ N_(" named profile or template\n"), - N_(" --ms-template-spec SPEC\n"), -- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), -- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), -- N_(" -G TYPE type of new key to be generated\n"), -- N_(" -g SIZE size of new key to be generated\n"), -+ N_(" include V2 template specifier in CSR\n"), -+ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), -+ N_(" -X ISSUER, --issuer=ISSUER\n"), -+ N_(" ask the CA to process the request using the\n"), -+ N_(" named issuer\n"), -+ N_(" -G TYPE, --key-type=TYPE\n"), -+ N_(" type of key to be generated if one is not already\n"), -+ N_(" in place\n"), -+ N_(" -g BITS, --key-size=BITS\n"), -+ N_(" size of key to be generated if one is not already\n"), -+ N_(" in place\n"), - N_("* Bus options:\n"), -- N_(" -S connect to the certmonger service on the system bus\n"), -- N_(" -s connect to the certmonger service on the session bus\n"), -+ N_(" -S, --system connect to the certmonger service on the system bus\n"), -+ N_(" -s, --session connect to the certmonger service on the session bus\n"), - N_("* Other options:\n"), -- N_(" -B command to run before saving the certificate\n"), -- N_(" -C command to run after saving the certificate\n"), -- N_(" -F file in which to store the CA's certificates\n"), -- N_(" -a NSS database in which to store the CA's certificates\n"), -- N_(" -w try to wait for the certificate to be issued\n"), -- N_(" -v report all details of errors\n"), -+ N_(" -B COMMAND, --before-command=COMMAND\n"), -+ N_(" command to run before saving the certificate\n"), -+ N_(" -C COMMAND, --after-command=COMMAND\n"), -+ N_(" command to run after saving the certificate\n"), -+ N_(" -F FILE, --ca-file=FILE\n"), -+ N_(" file in which to store the CA's certificates\n"), -+ N_(" -a DIR, --ca-dbdir=DIR\n"), -+ N_(" NSS database in which to store the CA's certificates\n"), -+ N_(" -w, --wait try to wait for the certificate to be issued\n"), -+ N_(" --wait-timeout TIMEOUT\n"), -+ N_(" Maximum time to wait for the certificateto be issued\n"), -+ N_(" -v, --verbose report all details of errors\n"), - NULL, - }; - const char *list_help[] = { -@@ -5090,46 +5229,52 @@ help(const char *twopartcmd, const char *category) - N_("Optional arguments:\n"), - N_("* General options:\n"), - #ifndef FORCE_CA -- N_(" -c CA list only requests and certs associated with this CA\n"), -+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"), - #endif -- N_(" -r list only information about outstanding requests\n"), -- N_(" -t list only information about tracked certificates\n"), -- N_(" -u display times in UTC instead of local time\n"), -+ N_(" -r, --requests-only list only information about outstanding requests\n"), -+ N_(" -t, --tracking-only list only information about tracked certificates\n"), -+ N_(" -u, --utc display times in UTC instead of local time\n"), - N_("* If selecting a specific request:\n"), -- N_(" -i NAME nickname for tracking request\n"), -+ N_(" -i NAME, --id=NAME nickname for tracking request\n"), - N_("* If using an NSS database for storage:\n"), -- N_(" -d DIR only list requests and certs which use this NSS database\n"), -- N_(" -n NAME only list requests and certs which use this nickname\n"), -+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"), -+ N_(" -n NAME, --nickname NAME\n"), -+ N_(" nickname for NSS-based storage (only valid with -d)\n"), - N_("* If using files for storage:\n"), -- N_(" -f FILE only list requests and certs stored in this PEM file\n"), -+ N_(" -f FILE, --certfile=FILE\n"), -+ N_(" only list requests and certs stored in this PEM file\n"), - N_("* Bus options:\n"), -- N_(" -S connect to the certmonger service on the system bus\n"), -- N_(" -s connect to the certmonger service on the session bus\n"), -+ N_(" -S, --system connect to the certmonger service on the system bus\n"), -+ N_(" -s, --session connect to the certmonger service on the session bus\n"), - N_("* Other options:\n"), -- N_(" -v report all details of errors\n"), -+ N_(" -v, --verbose report all details of errors\n"), - NULL, - }; - const char *refresh_help[] = { - N_("Usage: %s refresh [options]\n"), - "\n", - N_("* General options:\n"), -- N_(" -a refresh information about all outstanding requests\n"), -+ N_(" -a, --all refresh information about all outstanding requests\n"), - "\n", - N_("Required arguments:\n"), - N_("* By request identifier:\n"), -- N_(" -i NAME nickname for tracking request\n"), -+ N_(" -i NAME, --id=NAME nickname for tracking request\n"), - N_("* If using an NSS database for storage:\n"), -- N_(" -d DIR NSS database for key and cert\n"), -- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"), -- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"), -+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"), -+ N_(" -n NAME, --nickname NAME\n"), -+ N_(" nickname for NSS-based storage (only valid with -d)\n"), -+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"), -+ N_(" (only valid with -d)\n"), - N_("* If using files for storage:\n"), -- N_(" -f FILE PEM file for certificate\n"), -+ N_(" -f FILE, --certfile=FILE\n"), -+ N_(" PEM file for certificate\n"), - "\n", - N_("Optional arguments:\n"), - N_("* Bus options:\n"), -- N_(" -S connect to the certmonger service on the system bus\n"), -- N_(" -s connect to the certmonger service on the session bus\n"), -- N_(" -v report all details of errors\n"), -+ N_(" -S, --system connect to the certmonger service on the system bus\n"), -+ N_(" -s, --session connect to the certmonger service on the session bus\n"), -+ N_("* Other options:\n"), -+ N_(" -v, --verbose report all details of errors\n"), - NULL, - }; - const char *status_help[] = { -@@ -5137,17 +5282,19 @@ help(const char *twopartcmd, const char *category) - "\n", - N_("Optional arguments:\n"), - N_("* Selecting a specific request:\n"), -- N_(" -i NAME nickname for tracking request\n"), -+ N_(" -i NAME, --id=NAME nickname for tracking request\n"), - N_("* When using an NSS database for storage:\n"), -- N_(" -d DIR return status for the request in this NSS database\n"), -- N_(" -n NAME return status for cert which uses this nickname\n"), -+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"), -+ N_(" -n NAME, --nickname NAME\n"), -+ N_(" nickname for NSS-based storage (only valid with -d)\n"), - N_("* When using files for storage:\n"), -- N_(" -f FILE return status for cert stored in this PEM file\n"), -+ N_(" -f FILE, --certfile=FILE\n"), -+ N_(" return status for cert stored in this PEM file\n"), - N_("* Bus options:\n"), -- N_(" -S connect to the certmonger service on the system bus\n"), -- N_(" -s connect to the certmonger service on the session bus\n"), -+ N_(" -S, --system connect to the certmonger service on the system bus\n"), -+ N_(" -s, --session connect to the certmonger service on the session bus\n"), - N_("* Other options:\n"), -- N_(" -v report all details of errors\n"), -+ N_(" -v, --verbose report all details of errors\n"), - NULL, - }; - const char *list_cas_help[] = { -@@ -5156,13 +5303,13 @@ help(const char *twopartcmd, const char *category) - N_("Optional arguments:\n"), - #ifndef FORCE_CA - N_("* General options:\n"), -- N_(" -c CA list only information about the CA with this name\n"), -+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"), - #endif - N_("* Bus options:\n"), -- N_(" -S connect to the certmonger service on the system bus\n"), -- N_(" -s connect to the certmonger service on the session bus\n"), -+ N_(" -S, --system connect to the certmonger service on the system bus\n"), -+ N_(" -s, --session connect to the certmonger service on the session bus\n"), - N_("* Other options:\n"), -- N_(" -v report all details of errors\n"), -+ N_(" -v, --verbose report all details of errors\n"), - NULL, - }; - const char *refresh_ca_help[] = { -@@ -5171,14 +5318,14 @@ help(const char *twopartcmd, const char *category) - N_("Optional arguments:\n"), - #ifndef FORCE_CA - N_("* General options:\n"), -- N_(" -c CA refresh information about the CA with this name\n"), -- N_(" -a refresh information about all known CAs\n"), -+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"), -+ N_(" -a, --all refresh information about all known CAs\n"), - #endif - N_("* Bus options:\n"), -- N_(" -S connect to the certmonger service on the system bus\n"), -- N_(" -s connect to the certmonger service on the session bus\n"), -+ N_(" -S, --system connect to the certmonger service on the system bus\n"), -+ N_(" -s, --session connect to the certmonger service on the session bus\n"), - N_("* Other options:\n"), -- N_(" -v report all details of errors\n"), -+ N_(" -v, --verbose report all details of errors\n"), - NULL, - }; - #ifndef FORCE_CA -@@ -5187,13 +5334,13 @@ help(const char *twopartcmd, const char *category) - "\n", - N_("Optional arguments:\n"), - N_("* General options:\n"), -- N_(" -c CA nickname to give to the new CA configuration\n"), -- N_(" -e CMD helper command to run to communicate with CA\n"), -+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"), -+ N_(" -e CMD, --command CMD helper command to run to communicate with CA\n"), - N_("* Bus options:\n"), -- N_(" -S connect to the certmonger service on the system bus\n"), -- N_(" -s connect to the certmonger service on the session bus\n"), -+ N_(" -S, --system connect to the certmonger service on the system bus\n"), -+ N_(" -s, --session connect to the certmonger service on the session bus\n"), - N_("* Other options:\n"), -- N_(" -v report all details of errors\n"), -+ N_(" -v, --verbose report all details of errors\n"), - NULL, - }; - const char *add_scep_ca_help[] = { -@@ -5201,18 +5348,23 @@ help(const char *twopartcmd, const char *category) - "\n", - N_("Optional arguments:\n"), - N_("* General options:\n"), -- N_(" -c CA nickname to give to the new CA configuration\n"), -- N_(" -u URL location of SCEP server\n"), -- N_(" -i ID CA identifier\n"), -- N_(" -R FILE file containing CA's certificate\n"), -- N_(" -r FILE file containing RA's certificate\n"), -- N_(" -I FILE file containing certificates in RA's certifying chain\n"), -- N_(" -n prefer not to use the SCEP Renewal feature\n"), -+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"), -+ N_(" -u URL, --URL URL location of SCEP server\n"), -+ N_(" -i ID, --id ID CA identifier\n"), -+ N_(" -R FILE, --cacert=FILE\n"), -+ N_(" file containing web server's certificate\n"), -+ N_(" -r FILE, --racert=FILE\n"), -+ N_(" file containing RA's certificate\n"), -+ N_(" -N FILE, --signingca=FILE\n"), -+ N_(" file containing CA's certificate\n"), -+ N_(" -I FILE, --other-certs=FILE\n"), -+ N_(" file containing certificates in RA's certifying chain\n"), -+ N_(" -n, --non-renewal prefer not to use the SCEP Renewal feature\n"), - N_("* Bus options:\n"), -- N_(" -S connect to the certmonger service on the system bus\n"), -- N_(" -s connect to the certmonger service on the session bus\n"), -+ N_(" -S, --system connect to the certmonger service on the system bus\n"), -+ N_(" -s, --session connect to the certmonger service on the session bus\n"), - N_("* Other options:\n"), -- N_(" -v report all details of errors\n"), -+ N_(" -v, --verbose report all details of errors\n"), - NULL, - }; - const char *modify_ca_help[] = { -@@ -5220,13 +5372,13 @@ help(const char *twopartcmd, const char *category) - "\n", - N_("Optional arguments:\n"), - N_("* General options:\n"), -- N_(" -c CA nickname of the CA configuration\n"), -- N_(" -e CMD updated helper command to run to communicate with CA\n"), -+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"), -+ N_(" -e CMD, --command CMD helper command to run to communicate with CA\n"), - N_("* Bus options:\n"), -- N_(" -S connect to the certmonger service on the system bus\n"), -- N_(" -s connect to the certmonger service on the session bus\n"), -+ N_(" -S, --system connect to the certmonger service on the system bus\n"), -+ N_(" -s, --session connect to the certmonger service on the session bus\n"), - N_("* Other options:\n"), -- N_(" -v report all details of errors\n"), -+ N_(" -v, --verbose report all details of errors\n"), - NULL, - }; - const char *remove_ca_help[] = { -@@ -5234,12 +5386,12 @@ help(const char *twopartcmd, const char *category) - "\n", - N_("Optional arguments:\n"), - N_("* General options:\n"), -- N_(" -c CA nickname of CA configuration to remove\n"), -+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"), - N_("* Bus options:\n"), -- N_(" -S connect to the certmonger service on the system bus\n"), -- N_(" -s connect to the certmonger service on the session bus\n"), -+ N_(" -S, --system connect to the certmonger service on the system bus\n"), -+ N_(" -s, --session connect to the certmonger service on the session bus\n"), - N_("* Other options:\n"), -- N_(" -v report all details of errors\n"), -+ N_(" -v, --verbose report all details of errors\n"), - NULL, - }; - #endif -diff --git a/src/scep.c b/src/scep.c -index 4294cda..4dde1ce 100644 ---- a/src/scep.c -+++ b/src/scep.c -@@ -230,7 +230,7 @@ main(int argc, const char **argv) - {"url", 'u', POPT_ARG_STRING, &url, 0, "service location", "URL"}, - {"ca-identifier", 'i', POPT_ARG_STRING, &id, 0, "name to use when querying for capabilities", "IDENTIFIER"}, - {"retrieve-ca-capabilities", 'c', POPT_ARG_NONE, NULL, 'c', "make a GetCACaps request", NULL}, -- {"retrieve-ca-certificates", 'C', POPT_ARG_NONE, NULL, 'C', "make GetCACert/GetCAChain requests", NULL}, -+ {"retrieve-ca-certificates", 'C', POPT_ARG_NONE, NULL, 'C', "make GetCACert request", NULL}, - {"get-initial-cert", 'g', POPT_ARG_NONE, NULL, 'g', "send a PKIOperation pkiMessage", NULL}, - {"pki-message", 'p', POPT_ARG_NONE, NULL, 'p', "send a PKIOperation pkiMessage", NULL}, - {"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"}, --- -2.21.1 - diff --git a/SOURCES/0044-Link-certmonger-to-dbus-so-it-stops-and-restarts-wit.patch b/SOURCES/0044-Link-certmonger-to-dbus-so-it-stops-and-restarts-wit.patch deleted file mode 100644 index 9f2b833..0000000 --- a/SOURCES/0044-Link-certmonger-to-dbus-so-it-stops-and-restarts-wit.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 5e45029b429aa383db295facea18a6a72e1a2357 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 30 Jul 2020 10:41:00 -0400 -Subject: [PATCH] Link certmonger to dbus so it stops and restarts with it - -This will ensure that certmonger will run if dbus is restarted. ---- - systemd/certmonger.service.in | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/systemd/certmonger.service.in b/systemd/certmonger.service.in -index 6381d845..9d942513 100644 ---- a/systemd/certmonger.service.in -+++ b/systemd/certmonger.service.in -@@ -1,6 +1,7 @@ - [Unit] - Description=Certificate monitoring and PKI enrollment - After=syslog.target network.target dbus.service -+PartOf=dbus.service - - [Service] - Type=dbus --- -2.25.4 - diff --git a/SOURCES/0045-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch b/SOURCES/0045-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch deleted file mode 100644 index 6d2634c..0000000 --- a/SOURCES/0045-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch +++ /dev/null @@ -1,62 +0,0 @@ -From b63be96fd30d0a9fb2538e41509e8813620d5107 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Fri, 22 May 2020 12:58:44 -0400 -Subject: [PATCH] Include &message=CA-IDENT with GetCACaps and GetCACert - requests - -The guttman spec is quite unclear on this and in the GetCACaps -section doesn't mention &message at all. It only appears in the -generic GET requests section 4.1 - -The nourse spec is clearer and requires &message=CA-IDENT on -GetCACaps requests. - -AD 2012 R2 servers also require message on GetCACert requests. - -This reverts much of 60a4db5796b0575ca2cc9f1af4ecb3fdc6359242 - -https://bugzilla.redhat.com/show_bug.cgi?id=1839181 -https://pagure.io/certmonger/issue/103 ---- - src/scep.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/scep.c b/src/scep.c -index 4dde1ce..11ebd6f 100644 ---- a/src/scep.c -+++ b/src/scep.c -@@ -370,11 +370,11 @@ main(int argc, const char **argv) - break; - case op_get_ca_caps: - /* Only step: read capabilities for the daemon. */ -- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS); -+ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id); - break; - case op_get_ca_certs: - /* First step: get the root certificate. */ -- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT); -+ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT "&message=%s", id); - break; - case op_get_cert_initial: - if ((racert == NULL) || (strlen(racert) == 0)) { -@@ -393,7 +393,7 @@ main(int argc, const char **argv) - goto done; - } - /* First step: read capabilities for our use. */ -- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS); -+ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id); - } - break; - case op_pkcsreq: -@@ -413,7 +413,7 @@ main(int argc, const char **argv) - goto done; - } - /* First step: read capabilities for our use. */ -- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS); -+ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id); - } - break; - } --- -2.25.4 - diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec index f233461..69eac18 100644 --- a/SPECS/certmonger.spec +++ b/SPECS/certmonger.spec @@ -7,9 +7,11 @@ %global sysvinitdir %{_initddir} +%bcond_without xmlrpc + Name: certmonger -Version: 0.79.7 -Release: 15%{?dist} +Version: 0.79.13 +Release: 2%{?dist} Summary: Certificate status monitor and PKI enrollment client Group: System Environment/Daemons @@ -17,6 +19,9 @@ License: GPLv3+ URL: http://pagure.io/certmonger/ Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz +Patch0001: 0001-Don-t-run-the-002-keygen-tests-when-root.patch +Patch0002: 0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch + BuildRequires: autoconf BuildRequires: automake BuildRequires: gettext-devel @@ -31,7 +36,11 @@ BuildRequires: openssl-devel BuildRequires: libuuid-devel BuildRequires: libtalloc-devel, libtevent-devel BuildRequires: libcurl-devel -BuildRequires: libxml2-devel, xmlrpc-c-devel +BuildRequires: libxml2-devel +%if %{with xmlrpc} +BuildRequires: xmlrpc-c-devel +%endif +BuildRequires: jansson-devel # Required for 'make check': # for diff and cmp BuildRequires: diffutils @@ -51,7 +60,7 @@ BuildRequires: /usr/bin/which BuildRequires: popt-devel # for make check BuildRequires: python3-devel -BuildRequires: krb5-devel +BuildRequires: krb5-devel # we need a running system bus Requires: dbus @@ -80,74 +89,13 @@ Requires(post): /sbin/chkconfig, /sbin/service Requires(preun): /sbin/chkconfig, /sbin/service, dbus, sed %endif -Patch1: 0001-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch -Patch2: 0002-Convert-tests-to-use-python3.patch -Patch18: 0018-clang-more-Dead-assignment.patch -Patch19: 0019-clang-more-Memory-leaks.patch -Patch20: 0020-clang-Avoid-buffer-overflow.patch -Patch21: 0021-clang-Garbage-value-possible.patch -Patch22: 0022-Uninitialized-variable.patch -Patch23: 0023-merge-into-clang-more-Memory-leaks.patch -Patch24: 0024-Add-missing-return-type-declaration.patch -Patch25: 0025-Discards-const-qualifier.patch -Patch26: 0026-Optimize-closing-open-file-descriptors.patch -Patch27: 0027-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch -Patch28: 0028-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch -Patch29: 0029-Remove-NOMODDB-flag-flag-from-context-init-look-for-.patch -Patch30: 0030-Update-tests-to-include-the-security-module-DB-in-ex.patch -Patch31: 0031-Try-to-pull-the-entire-CA-chain-from-IPA.patch -Patch32: 0032-Fix-use-after-free-issue.patch -Patch33: 0033-Improve-logging-in-SCEP-helper.patch -Patch34: 0034-Add-verbose-option-to-SCEP-CA-if-requested-in-add-sc.patch -Patch35: 0035-Cleanup-the-SCEP-helper-curl-and-talloc-contexts-whe.patch -Patch36: 0036-Re-order-the-way-the-SCEP-signing-and-CA-certs-are-c.patch -Patch37: 0037-Add-new-option-to-allow-overriding-the-detected-SCEP.patch -Patch38: 0038-Include-template-profile-issuer-and-MS-cert-template.patch -Patch39: 0039-Fix-broken-N-option-configuration.patch -Patch40: 0040-Address-an-include-issue-discovered-by-coverity.patch -Patch41: 0041-Ensure-that-files-read-in-have-a-trailing-new-line.patch -Patch42: 0042-Add-long-command-line-options-to-man-pages.patch -Patch43: 0043-Add-long-options-to-command-line-help.patch -Patch44: 0044-Link-certmonger-to-dbus-so-it-stops-and-restarts-wit.patch -Patch45: 0045-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch - %description Certmonger is a service which is primarily concerned with getting your system enrolled with a certificate authority (CA) and keeping it enrolled. %prep -%setup -q -%patch1 -p1 -%patch2 -p1 -%patch18 -p1 -%patch19 -p1 -%patch20 -p1 -%patch21 -p1 -%patch22 -p1 -%patch23 -p1 -%patch24 -p1 -%patch25 -p1 -%patch26 -p1 -%patch27 -p1 -%patch28 -p1 -%patch29 -p1 -%patch30 -p1 -%patch31 -p1 -%patch32 -p1 -%patch33 -p1 -%patch34 -p1 -%patch35 -p1 -%patch36 -p1 -%patch37 -p1 -%patch38 -p1 -%patch39 -p1 -%patch40 -p1 -%patch41 -p1 -%patch42 -p1 -%patch43 -p1 -%patch44 -p1 -%patch45 -p1 +%autosetup -p1 %build autoreconf -i -f @@ -162,10 +110,17 @@ autoreconf -i -f --enable-tmpfiles \ %endif --with-homedir=/run/certmonger \ +%if %{with xmlrpc} + --with-xmlrpc \ +%endif --with-tmpdir=/run/certmonger --enable-pie --enable-now +%if %{with xmlrpc} # For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just # tell us about libxmlrpc_client, but we need more. Work around. make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc" +%else +make %{?_smp_mflags} +%endif %install rm -rf $RPM_BUILD_ROOT @@ -185,6 +140,12 @@ make check if test $1 -eq 1 ; then %{_bindir}/dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig 2>&1 || : fi +%if %{without xmlrpc} +# remove any existing certmaster CA configuration +if test $1 -gt 1 ; then + %{_bindir}/getcert remove-ca -c certmaster 2>&1 || : +fi +%endif %if %{systemd} if test $1 -eq 1 ; then /bin/systemctl daemon-reload >/dev/null 2>&1 || : @@ -274,6 +235,12 @@ exit 0 %endif %changelog +* Tue Nov 10 2020 Rob Crittenden - 0.79.13-2 +- Rebuild with xmlrpc-c support enabled (#1687698) + +* Wed Oct 28 2020 Rob Crittenden - 0.79.13-1 +- Rebase to 0.79.13 (#1891743) + * Thu Jul 30 2020 Rob Crittenden - 0.79.7-15 - Replace the previous fix for dbus restarting with PartOf in the certmonger systemd service file to link the two (#1687698)