From e349d3e655faf2f3f76e6bf50e3eec733d28d5a5 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Thu, 8 Dec 2022 12:09:51 +0000
Subject: [PATCH] import certmonger-0.79.17-2.el8

---
 .certmonger.metadata | 2 +-
 .gitignore | 2 +-
 ...t-run-the-002-keygen-tests-when-root.patch | 38 --
 ...-certmaster-CA-from-the-028-dbus-te.patch} | 22 +-
 ...t-run-the-002-keygen-tests-when-root.patch | 24 ++
 ...0003-Fix-local-CA-to-work-under-FIPS.patch | 38 --
 ...option-to-treat-the-challenge-passwo.patch | 123 ------
 ...before-string-compares-when-analyzin.patch | 42 --
 ...Display-not_before-in-getcert-output.patch | 386 ------------------
 ...iptor-leak-when-executing-CA-helpers.patch | 40 --
 ...008-Use-extensions-template-from-NSS.patch | 80 ----
 ...-implicit-empty-FALSE-for-extensions.patch | 280 -------------
 SPECS/certmonger.spec | 25 +-
 13 files changed, 51 insertions(+), 1051 deletions(-)
 delete mode 100644 SOURCES/0001-Don-t-run-the-002-keygen-tests-when-root.patch
 rename SOURCES/{0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch => 0001-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch} (94%)
 create mode 100644 SOURCES/0002-Don-t-run-the-002-keygen-tests-when-root.patch
 delete mode 100644 SOURCES/0003-Fix-local-CA-to-work-under-FIPS.patch
 delete mode 100644 SOURCES/0004-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch
 delete mode 100644 SOURCES/0005-Add-NULL-checks-before-string-compares-when-analyzin.patch
 delete mode 100644 SOURCES/0006-Display-not_before-in-getcert-output.patch
 delete mode 100644 SOURCES/0007-Fix-file-descriptor-leak-when-executing-CA-helpers.patch
 delete mode 100644 SOURCES/0008-Use-extensions-template-from-NSS.patch
 delete mode 100644 SOURCES/0009-Use-implicit-empty-FALSE-for-extensions.patch

diff --git a/.certmonger.metadata b/.certmonger.metadata
index 2f88761..45c296f 100644
--- a/.certmonger.metadata
+++ b/.certmonger.metadata
@@ -1 +1 @@
-eecb2ceb6f293cf30ffed148fb3ad5021febe301 SOURCES/certmonger-0.79.13.tar.gz
+ab77485e556d96c5c2b885ee3d0f27794276dfee SOURCES/certmonger-0.79.17.tar.gz
diff --git a/.gitignore b/.gitignore
index 1202bac..f837024 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/certmonger-0.79.13.tar.gz
+SOURCES/certmonger-0.79.17.tar.gz
diff --git a/SOURCES/0001-Don-t-run-the-002-keygen-tests-when-root.patch b/SOURCES/0001-Don-t-run-the-002-keygen-tests-when-root.patch
deleted file mode 100644
index 8590858..0000000
--- a/SOURCES/0001-Don-t-run-the-002-keygen-tests-when-root.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From a176d474644e0f1f2ce520ed69b04dc649ed2bed Mon Sep 17 00:00:00 2001
-From: Rob Crittenden
-Date: Thu, 29 Oct 2020 10:13:08 -0400
-Subject: [PATCH] Don't run the 002-keygen-* tests when root
-
-The permissions tests will fail.
---
- tests/002-keygen-dbm/prequal.sh | 5 +++++
- tests/002-keygen-sql/prequal.sh | 5 +++++
- 2 files changed, 10 insertions(+)
- create mode 100755 tests/002-keygen-dbm/prequal.sh
- create mode 100755 tests/002-keygen-sql/prequal.sh
-
-diff --git a/tests/002-keygen-dbm/prequal.sh b/tests/002-keygen-dbm/prequal.sh
-new file mode 100755
-index 00000000..d146a650
---- /dev/null
-+++ b/tests/002-keygen-dbm/prequal.sh
-@@ -0,0 +1,5 @@
-+#!/bin/sh
-+if test `id -u` -eq 0 ; then
-+ echo "This test won't work right if run as root."
-+ exit 1
-+fi
-diff --git a/tests/002-keygen-sql/prequal.sh b/tests/002-keygen-sql/prequal.sh
-new file mode 100755
-index 00000000..d146a650
---- /dev/null
-+++ b/tests/002-keygen-sql/prequal.sh
-@@ -0,0 +1,5 @@
-+#!/bin/sh
-+if test `id -u` -eq 0 ; then
-+ echo "This test won't work right if run as root."
-+ exit 1
-+fi
---
-2.25.4
-
diff --git a/SOURCES/0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch b/SOURCES/0001-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch similarity index 94% rename from SOURCES/0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch rename to SOURCES/0001-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch index 528271a..dee558a 100644 --- a/SOURCES/0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch +++ b/SOURCES/0001-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch @@ -1,6 +1,6 @@ -From 73b1729b9ca740174ef2fa14332f890c5cd17a26 Mon Sep 17 00:00:00 2001 +From 14d1b5f9a482a4740706dc1cb86c454662f48d4c Mon Sep 17 00:00:00 2001 From: Rob Crittenden -Date: Tue, 10 Nov 2020 18:48:05 -0500 +Date: Wed, 7 Dec 2022 10:09:55 -0500 Subject: [PATCH] Revert "Remove the certmaster CA from the 028-dbus test" This reverts commit dd8dcb899e0a159d1141b713993805565ffb6d28. @@ -9,10 +9,10 @@ This reverts commit dd8dcb899e0a159d1141b713993805565ffb6d28. 1 file changed, 124 insertions(+), 6 deletions(-) diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out -index ca7de34f..4d6a9a59 100644 +index 86cba02..544ebd7 100644 --- a/tests/028-dbus/expected.out +++ b/tests/028-dbus/expected.out -@@ -34,6 +34,10 @@ CA 'IPA': +@@ -35,6 +35,10 @@ CA 'IPA': is-default: no ca-type: EXTERNAL helper-location: $libexecdir/ipa-submit @@ -23,7 +23,7 @@ index ca7de34f..4d6a9a59 100644 CA 'dogtag-ipa-renew-agent': is-default: no ca-type: EXTERNAL -@@ -41,8 +45,8 @@ CA 'dogtag-ipa-renew-agent': +@@ -42,8 +46,8 @@ CA 'dogtag-ipa-renew-agent': [[ API ]] [ simpleprop.py ] @@ -34,7 +34,7 @@ index ca7de34f..4d6a9a59 100644 : -> : -k admin@localhost -> : 0 -> 1 -> 0 [ walk.py ] -@@ -178,7 +182,7 @@ OK +@@ -179,7 +183,7 @@ OK OK [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ] 
@@ -43,7 +43,7 @@ index ca7de34f..4d6a9a59 100644 [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ] dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o')) -@@ -504,6 +508,7 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri +@@ -507,6 +511,7 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri @@ -51,7 +51,7 @@ index ca7de34f..4d6a9a59 100644 [ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ] -@@ -937,10 +942,10 @@ dbus.Array([], signature=dbus.Signature('s')) +@@ -940,10 +945,10 @@ dbus.Array([], signature=dbus.Signature('s')) [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ] @@ -64,7 +64,7 @@ index ca7de34f..4d6a9a59 100644 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ] 0 -@@ -952,7 +957,7 @@ EXTERNAL +@@ -955,7 +960,7 @@ EXTERNAL None [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ] @@ -73,7 +73,7 @@ index ca7de34f..4d6a9a59 100644 [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ] dbus.Array([], signature=dbus.Signature('s')) -@@ -960,3 +965,116 @@ dbus.Array([], signature=dbus.Signature('s')) +@@ -963,3 +968,116 @@ dbus.Array([], signature=dbus.Signature('s')) [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ] 1 @@ -191,5 +191,5 @@ index ca7de34f..4d6a9a59 100644 +1 + -- -2.25.4 +2.38.1 diff --git a/SOURCES/0002-Don-t-run-the-002-keygen-tests-when-root.patch b/SOURCES/0002-Don-t-run-the-002-keygen-tests-when-root.patch new file mode 100644 index 0000000..56b5ae6 --- /dev/null +++ b/SOURCES/0002-Don-t-run-the-002-keygen-tests-when-root.patch 
@@ -0,0 +1,24 @@
+From 6224c3aa01665edddbda1ec7d1e35b03823eefcb Mon Sep 17 00:00:00 2001
+From: root
+Date: Wed, 7 Dec 2022 14:50:01 -0500
+Subject: [PATCH] Don't run the 002-keygen-* tests when root
+
+The permissions tests will fail.
+---
+ tests/002-keygen-dbm/prequal.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+ create mode 100755 tests/002-keygen-dbm/prequal.sh
+
+diff --git a/tests/002-keygen-dbm/prequal.sh b/tests/002-keygen-dbm/prequal.sh
+new file mode 100755
+index 0000000..b6c16e0
+--- /dev/null
++++ b/tests/002-keygen-dbm/prequal.sh
+@@ -0,0 +1,5 @@
++#!/bin/sh
++if test `id -u` -eq 0 ; then
++ echo "This test won't work right if run as root."
++ exit 1
++fi
+--
+2.31.1
diff --git a/SOURCES/0003-Fix-local-CA-to-work-under-FIPS.patch b/SOURCES/0003-Fix-local-CA-to-work-under-FIPS.patch
deleted file mode 100644
index 7f90105..0000000
--- a/SOURCES/0003-Fix-local-CA-to-work-under-FIPS.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 62a6634867db5d9f79b613055b8788136d4cb41d Mon Sep 17 00:00:00 2001
-From: Ade Lee
-Date: Wed, 14 Apr 2021 15:34:48 -0400
-Subject: [PATCH] Fix local CA to work under FIPS
-
-The PKCS12 file used for the local CA fails to be created because
-it uses default OpenSSL encryption algorithms that are disallowed
-under FIPS. This patch simply updates the PKCS12_create() command
-to use allowed encryption algorithms.
---
- src/local.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/local.c b/src/local.c
-index 92bea144..2f50ac77 100644
---- a/src/local.c
-+++ b/src/local.c
-@@ -39,6 +39,7 @@
-
- #include
- #include
-+#include
- #include
- #include
- #include
-@@ -372,7 +373,8 @@ get_signer_info(void *parent, char *localdir, X509 ***roots,
- return CM_SUBMIT_STATUS_UNREACHABLE;
- }
- p12 = PKCS12_create(NULL, CONSTANTCN, *signer_key, *signer_cert,
-- cas, 0, 0, 0, 0, 0);
-+ cas, NID_aes_128_cbc, NID_aes_128_cbc,
-+ 0, 0, 0);
- if (p12 != NULL) {
- if (!i2d_PKCS12_fp(fp, p12)) {
- fclose(fp);
---
-2.26.3
-
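Review bot: The re-added 0002-Don-t-run-the-002-keygen-tests-when-root.patch creates only `tests/002-keygen-dbm/prequal.sh` (`1 file changed, 5 insertions(+)`), whereas the 0001 patch deleted in the hunk above also created `tests/002-keygen-sql/prequal.sh`, so unless the 0.79.17 tarball already ships or drops the sql-side prequal, the 002-keygen-sql permissions test will again run as root and fail for the reason the patch description gives. The patch header also records `From: root` instead of a maintainer identity, which makes this downstream-only patch harder to attribute and re-validate on the next rebase; regenerating it with a configured author would keep the provenance clear. The dropped 0003–0009 patches (FIPS PKCS12 algorithms, SCEP challenge-password OTP, NULL checks, not_before display, fd leak, NSS extension template/DER fix) are presumably carried by the new upstream tarball, but nothing in this chunk confirms that. The SPECS/certmonger.spec hunk that lists the patches is outside this chunk, so I cannot check how Patch0002 and the removed patches are handled there.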
diff --git a/SOURCES/0004-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch b/SOURCES/0004-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch
deleted file mode 100644
index fcb1b1f..0000000
--- a/SOURCES/0004-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch
+++ /dev/null
@@ -1,123 +0,0 @@ -From b38981c6e140ada6dd34bc817c508e8dd9714494 Mon Sep 17 00:00:00 2001 -From: Your Name -Date: Fri, 9 Jul 2021 20:49:28 +0000 -Subject: [PATCH] Add SCEP config option to treat the challenge password as an - OTP - -SCEP RFC 8894 specifies that a challenge password SHOULD be -removed from subsequent requests but that it MAY be included. - -This adds a new configuration option to treat the challenge password -as a one-time password (OTP) so that it will not be sent on -subsequent requests, like renewals, by removing it completely -from the tracking request. - -This allows certmonger to be able to renew AD-issued SCEP certificates -if the AD registry entry DisableRenewalSubjectNameMatch is set to 1. - -https://bugzilla.redhat.com/show_bug.cgi?id=1577570 - -Signed-off-by: Rob Crittenden ---- - src/certmonger.conf.5.in | 9 +++++++++ - src/certsave.c | 13 +++++++++++++ - src/prefs.c | 15 +++++++++++++++ - src/prefs.h | 4 ++++ - 4 files changed, 41 insertions(+) - -diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in -index 6a42d3cb..1b941b9d 100644 ---- a/src/certmonger.conf.5.in -+++ b/src/certmonger.conf.5.in -@@ -126,6 +126,15 @@ If not set, the value of the \fIvalidity_period\fR setting from the - \fIselfsign\fR section, if one is set there, will be used. The default value - is \fI@CM_DEFAULT_CERT_LIFETIME@\fR. - -+.SH SCEP -+Within the \fIscep\fR section, these variables and values are recognized: -+ -+.IP challenge_password_otp -+This controls whether the SCEP challenge password is treated as a one-time -+password. If set to yes then the challenge password and/or challenge password -+file will be removed from the tracking request after the first certificate -+issuance so will not be sent with renewal requests. The default is no. 
-+ - .SH BUGS - Please file tickets for any that you find at https://fedorahosted.org/certmonger/ - -diff --git a/src/certsave.c b/src/certsave.c -index 6eaafe59..f8503662 100644 ---- a/src/certsave.c -+++ b/src/certsave.c -@@ -18,12 +18,25 @@ - #include "config.h" - #include "certsave.h" - #include "certsave-int.h" -+#include "prefs.h" - #include "store-int.h" -+#include "talloc.h" - - /* Start writing the certificate from the entry to the configured location. */ - struct cm_certsave_state * - cm_certsave_start(struct cm_store_entry *entry) - { -+ /* If saving a SCEP certificate wipe out the challenge password */ -+ if ((cm_prefs_scep_password_otp()) && -+ (entry->cm_template_challenge_password != NULL) && -+ (entry->cm_scep_nonce != NULL)) -+ { -+ talloc_free(entry->cm_template_challenge_password); -+ entry->cm_template_challenge_password = NULL; -+ talloc_free(entry->cm_template_challenge_password_file); -+ entry->cm_template_challenge_password_file = NULL; -+ } -+ - switch (entry->cm_cert_storage_type) { - #ifdef HAVE_OPENSSL - case cm_cert_storage_file: -diff --git a/src/prefs.c b/src/prefs.c -index 669e8f1f..52ffc908 100644 ---- a/src/prefs.c -+++ b/src/prefs.c -@@ -595,3 +595,18 @@ prefs_max_key_use_count(void) - } - return count; - } -+ -+int -+cm_prefs_scep_password_otp(void) -+{ -+ static int populate = -1; -+ if (populate == -1) { -+ const char *val; -+ val = cm_prefs_config("scep", "challenge_password_otp"); -+ if (val == NULL) { -+ val = "no"; -+ } -+ populate = cm_prefs_yesno(val); -+ } -+ return populate != -1 ? 
populate : 0; -+} -diff --git a/src/prefs.h b/src/prefs.h -index 248e1016..a107fb6c 100644 ---- a/src/prefs.h -+++ b/src/prefs.h -@@ -18,6 +18,8 @@ - #ifndef cmprefs_h - #define cmprefs_h - -+#include -+ - enum cm_prefs_cipher { - cm_prefs_aes128, - cm_prefs_aes192, -@@ -73,4 +75,6 @@ const char *cm_prefs_dogtag_sslpinfile(void); - long long prefs_key_end_of_life(time_t ref); - long prefs_max_key_use_count(void); - -+int cm_prefs_scep_password_otp(void); -+ - #endif --- -2.31.1 - diff --git a/SOURCES/0005-Add-NULL-checks-before-string-compares-when-analyzin.patch b/SOURCES/0005-Add-NULL-checks-before-string-compares-when-analyzin.patch deleted file mode 100644 index 7fd494e..0000000 --- a/SOURCES/0005-Add-NULL-checks-before-string-compares-when-analyzin.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 0eec70b9dbd0a50a24fe173a68fd9ab72857e08d Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Wed, 17 Feb 2021 13:40:52 -0500 -Subject: [PATCH] Add NULL checks before string compares when analyzing a cert - -A user reported a segfault which was due to a broken request. -How it got broken I have no idea but it was effectively empty. - -It had everything as defaults: 0, -1, UNSPECIFIED or not -present at all. - -So when trying to analyze the request it did a NULL compare. - -https://pagure.io/certmonger/issue/191 ---- - src/tdbush.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/tdbush.c b/src/tdbush.c -index a10a1aff..fb81c477 100644 ---- a/src/tdbush.c -+++ b/src/tdbush.c -@@ -678,14 +678,14 @@ base_add_request(DBusConnection *conn, DBusMessage *msg, - if (cert_storage != e->cm_cert_storage_type) { - continue; - } -- if (strcmp(cert_location, e->cm_cert_storage_location) != 0) { -+ if ((e->cm_cert_storage_location == NULL) || strcmp(cert_location, e->cm_cert_storage_location) != 0) { - continue; - } - switch (cert_storage) { - case cm_cert_storage_file: - break; - case cm_cert_storage_nssdb: -- if (strcmp(cert_nickname, e->cm_cert_nickname) != 0) { -+ if ((e->cm_cert_nickname == NULL) || strcmp(cert_nickname, e->cm_cert_nickname) != 0) { - continue; - } - break; --- -2.31.1 - diff --git a/SOURCES/0006-Display-not_before-in-getcert-output.patch b/SOURCES/0006-Display-not_before-in-getcert-output.patch deleted file mode 100644 index dff0f8e..0000000 --- a/SOURCES/0006-Display-not_before-in-getcert-output.patch +++ /dev/null 
@@ -1,386 +0,0 @@ -From 84d575da7516cae1ee94099317cf0f8fae2c7ea1 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 8 Apr 2021 14:07:22 -0400 -Subject: [PATCH] Display not_before in getcert output - -Including not_before can help with troubleshooting -renewal problems and if time needs to be reversed -helping identify the maximum one can go back. - -https://bugzilla.redhat.com/show_bug.cgi?id=1940261 - -Signed-off-by: Rob Crittenden ---- - src/getcert.c | 21 ++++- - src/tdbush.c | 10 ++- - src/tdbusm-check.c | 32 ++++++++ - src/tdbusm.c | 150 ++++++++++++++++++++++++++++++++++++ - src/tdbusm.h | 9 +++ - tests/028-dbus/expected.out | 4 +- - tests/028-dbus/run.sh | 1 + - 7 files changed, 220 insertions(+), 7 deletions(-) - -diff --git a/src/getcert.c b/src/getcert.c -index 078f5aa1..4afafcb1 100644 ---- a/src/getcert.c -+++ b/src/getcert.c -@@ -3389,7 +3389,7 @@ list(const char *argv0, int argc, const char **argv) - const char *capath, *request; - dbus_bool_t b; - char *s1, *s2, *s3, *s4, *s5, *s6; -- long n1, n2; -+ long n1, n2, n3; - char **as, **as1, **as2, **as3, **as4, **as5, t[25]; - int requests_only = 0, tracking_only = 0, verbose = 0, c, i, j; - unsigned int k; -@@ -3754,10 +3754,10 @@ list(const char *argv0, int argc, const char **argv) - /* Information from the certificate. 
*/ - rep = query_rep(bus, requests[i], CM_DBUS_REQUEST_INTERFACE, - "get_cert_info", verbose); -- if (cm_tdbusm_get_sssnasasasnas(rep, globals.tctx, -+ if (cm_tdbusm_get_sssnasasasnasn(rep, globals.tctx, - &s1, &s2, &s3, &n1, - &as1, &as2, &as3, -- &n2, &as4) != 0) { -+ &n2, &as4, &n3) != 0) { - printf(_("Error parsing server response.\n")); - exit(1); - } -@@ -3768,6 +3768,21 @@ list(const char *argv0, int argc, const char **argv) - printf(_("\tissuer: %s\n"), s1); - printf(_("\tsubject: %s\n"), s3); - when = _("unknown"); -+ if (n3 != 0) { -+ if (force_utc) { -+ when = cm_store_timestamp_from_time_for_display(n3, t); -+ printf(_("\tissued: %s\n"), when); -+ } else { -+ when = cm_store_local_timestamp_from_time_for_display(n3); -+ if (when != NULL) { -+ printf(_("\tissued: %s\n"), when); -+ free(when); -+ } -+ } -+ } else { -+ printf(_("\tissued: %s\n"), when); -+ } -+ when = _("unknown"); - if (n1 != 0) { - if (force_utc) { - when = cm_store_timestamp_from_time_for_display(n1, t); -diff --git a/src/tdbush.c b/src/tdbush.c -index 3587f84f..6fc1b4be 100644 ---- a/src/tdbush.c -+++ b/src/tdbush.c -@@ -2701,7 +2701,7 @@ request_get_cert_info(DBusConnection *conn, DBusMessage *msg, - rep = dbus_message_new_method_return(msg); - if (rep != NULL) { - eku = eku_splitv(entry, entry->cm_cert_eku); -- cm_tdbusm_set_sssnasasasnas(rep, -+ cm_tdbusm_set_sssnasasasnasn(rep, - entry->cm_cert_issuer, - entry->cm_cert_serial, - entry->cm_cert_subject, -@@ -2710,7 +2710,8 @@ request_get_cert_info(DBusConnection *conn, DBusMessage *msg, - (const char **) entry->cm_cert_hostname, - (const char **) entry->cm_cert_principal, - ku_from_string(entry->cm_cert_ku), -- (const char **) eku); -+ (const char **) eku, -+ entry->cm_cert_not_before); - dbus_connection_send(conn, rep, NULL); - dbus_message_unref(rep); - talloc_free(eku); -@@ -6563,7 +6564,10 @@ cm_tdbush_iface_request(void) - DBUS_TYPE_ARRAY_AS_STRING - DBUS_TYPE_STRING_AS_STRING, - cm_tdbush_method_arg_out, -- NULL))))))))), -+ 
make_method_arg("not_before", -+ DBUS_TYPE_INT64_AS_STRING, -+ cm_tdbush_method_arg_out, -+ NULL)))))))))), - NULL), - make_interface_item(cm_tdbush_interface_property, - make_property(CM_DBUS_PROP_CERT_ISSUER, -diff --git a/src/tdbusm-check.c b/src/tdbusm-check.c -index 385b1849..31880732 100644 ---- a/src/tdbusm-check.c -+++ b/src/tdbusm-check.c -@@ -539,6 +539,38 @@ get_sssnasasasnas(DBusMessage *rep, int msgid) - return ret; - } - static int -+get_sssnasasasnasn(DBusMessage *rep, int msgid) -+{ -+ int ret, i; -+ long n1, n2, n3; -+ char *s1, *s2, *s3, **as1, **as2, **as3, **as4; -+ -+ ret = cm_tdbusm_get_sssnasasasnasn(rep, NULL, -+ &s1, &s2, &s3, &n1, -+ &as1, &as2, &as3, &n2, &as4, &n3); -+ if (ret == 0) { -+ printf("Message %d - s:%s,s:%s,s:%s," "n:%ld,[", -+ msgid, s1, s2, s3, n1); -+ for (i = 0; (as1 != NULL) && (as1[i] != NULL); i++) { -+ printf("%ss:%s", i > 0 ? "," : "", as1[i]); -+ } -+ printf("],["); -+ for (i = 0; (as2 != NULL) && (as2[i] != NULL); i++) { -+ printf("%ss:%s", i > 0 ? "," : "", as2[i]); -+ } -+ printf("],["); -+ for (i = 0; (as3 != NULL) && (as3[i] != NULL); i++) { -+ printf("%ss:%s", i > 0 ? "," : "", as3[i]); -+ } -+ printf("],n:%ld,n:%ld,[", n2, n3); -+ for (i = 0; (as4 != NULL) && (as4[i] != NULL); i++) { -+ printf("%ss:%s", i > 0 ? 
"," : "", as4[i]); -+ } -+ printf("]\n"); -+ } -+ return ret; -+} -+static int - get_sasasasnas(DBusMessage *rep, int msgid) - { - int ret, i; -diff --git a/src/tdbusm.c b/src/tdbusm.c -index bc39e1d4..24e03e4c 100644 ---- a/src/tdbusm.c -+++ b/src/tdbusm.c -@@ -935,6 +935,105 @@ cm_tdbusm_get_sssnasasasnas(DBusMessage *msg, void *parent, - return 0; - } - -+int -+cm_tdbusm_get_sssnasasasnasn(DBusMessage *msg, void *parent, -+ char **s1, char **s2, char **s3, long *n1, -+ char ***as1, char ***as2, char ***as3, -+ long *n2, char ***as4, long *n3) -+{ -+ DBusError err; -+ char **tmp1, **tmp2, **tmp3, **tmp4; -+ int64_t i641, i642, i643; -+ int32_t i321, i322, i323; -+ int16_t i161, i162, i163; -+ int i, j, k, l; -+ *s1 = NULL; -+ *s2 = NULL; -+ *s3 = NULL; -+ *as1 = NULL; -+ *as2 = NULL; -+ *as3 = NULL; -+ *as4 = NULL; -+ dbus_error_init(&err); -+ if (!dbus_message_get_args(msg, &err, -+ DBUS_TYPE_STRING, s1, -+ DBUS_TYPE_STRING, s2, -+ DBUS_TYPE_STRING, s3, -+ DBUS_TYPE_INT64, &i641, -+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp1, &i, -+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp2, &j, -+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp3, &k, -+ DBUS_TYPE_INT64, &i642, -+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp4, &l, -+ DBUS_TYPE_INT64, &i643, -+ DBUS_TYPE_INVALID)) { -+ if (dbus_error_is_set(&err)) { -+ dbus_error_free(&err); -+ dbus_error_init(&err); -+ } -+ if (!dbus_message_get_args(msg, &err, -+ DBUS_TYPE_STRING, s1, -+ DBUS_TYPE_STRING, s2, -+ DBUS_TYPE_STRING, s3, -+ DBUS_TYPE_INT32, &i321, -+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, -+ &tmp1, &i, -+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, -+ &tmp2, &j, -+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, -+ &tmp3, &k, -+ DBUS_TYPE_INT32, &i322, -+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, -+ &tmp4, &l, -+ DBUS_TYPE_INT32, &i323, -+ DBUS_TYPE_INVALID)) { -+ if (dbus_error_is_set(&err)) { -+ dbus_error_free(&err); -+ dbus_error_init(&err); -+ } -+ if (!dbus_message_get_args(msg, &err, -+ DBUS_TYPE_STRING, s1, -+ DBUS_TYPE_STRING, s2, -+ DBUS_TYPE_STRING, 
s3, -+ DBUS_TYPE_INT16, &i161, -+ DBUS_TYPE_ARRAY, -+ DBUS_TYPE_STRING, &tmp1, &i, -+ DBUS_TYPE_ARRAY, -+ DBUS_TYPE_STRING, &tmp2, &j, -+ DBUS_TYPE_ARRAY, -+ DBUS_TYPE_STRING, &tmp3, &k, -+ DBUS_TYPE_INT16, &i162, -+ DBUS_TYPE_ARRAY, -+ DBUS_TYPE_STRING, &tmp4, &l, -+ DBUS_TYPE_INT16, &i163, -+ DBUS_TYPE_INVALID)) { -+ if (dbus_error_is_set(&err)) { -+ dbus_error_free(&err); -+ dbus_error_init(&err); -+ } -+ return -1; -+ } -+ i321 = i161; -+ i322 = i162; -+ i323 = i163; -+ } -+ i641 = i321; -+ i642 = i322; -+ i643 = i323; -+ } -+ *s1 = *s1 ? talloc_strdup(parent, *s1) : NULL; -+ *s2 = *s2 ? talloc_strdup(parent, *s2) : NULL; -+ *s3 = *s3 ? talloc_strdup(parent, *s3) : NULL; -+ *n1 = i641; -+ *n2 = i642; -+ *n3 = i643; -+ *as1 = cm_tdbusm_take_dbus_string_array(parent, tmp1, i); -+ *as2 = cm_tdbusm_take_dbus_string_array(parent, tmp2, j); -+ *as3 = cm_tdbusm_take_dbus_string_array(parent, tmp3, k); -+ *as4 = cm_tdbusm_take_dbus_string_array(parent, tmp4, l); -+ return 0; -+} -+ - int - cm_tdbusm_get_sasasasnas(DBusMessage *msg, void *parent, char **s, - char ***as1, char ***as2, char ***as3, -@@ -1856,6 +1955,57 @@ cm_tdbusm_set_sssnasasasnas(DBusMessage *msg, - } - } - -+int -+cm_tdbusm_set_sssnasasasnasn(DBusMessage *msg, -+ const char *s1, const char *s2, const char *s3, -+ long n1, const char **as1, const char **as2, -+ const char **as3, long n2, const char **as4, -+ long n3) -+{ -+ int64_t i1 = n1, i2 = n2, i3 = n3; -+ if (s1 == NULL) { -+ s1 = empty_string; -+ } -+ if (s2 == NULL) { -+ s2 = empty_string; -+ } -+ if (s3 == NULL) { -+ s3 = empty_string; -+ } -+ if (as1 == NULL) { -+ as1 = empty_string_array; -+ } -+ if (as2 == NULL) { -+ as2 = empty_string_array; -+ } -+ if (as3 == NULL) { -+ as3 = empty_string_array; -+ } -+ if (as4 == NULL) { -+ as4 = empty_string_array; -+ } -+ if (dbus_message_append_args(msg, -+ DBUS_TYPE_STRING, &s1, -+ DBUS_TYPE_STRING, &s2, -+ DBUS_TYPE_STRING, &s3, -+ DBUS_TYPE_INT64, &i1, -+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, -+ &as1, 
cm_tdbusm_array_length(as1), -+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, -+ &as2, cm_tdbusm_array_length(as2), -+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, -+ &as3, cm_tdbusm_array_length(as3), -+ DBUS_TYPE_INT64, &i2, -+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, -+ &as4, cm_tdbusm_array_length(as4), -+ DBUS_TYPE_INT64, &i3, -+ DBUS_TYPE_INVALID)) { -+ return 0; -+ } else { -+ return -1; -+ } -+} -+ - int - cm_tdbusm_set_sasasasnas(DBusMessage *msg, const char *s, - const char **as1, const char **as2, -diff --git a/src/tdbusm.h b/src/tdbusm.h -index fe021eff..250a9b0a 100644 ---- a/src/tdbusm.h -+++ b/src/tdbusm.h -@@ -55,6 +55,10 @@ int cm_tdbusm_get_sssnasasasnas(DBusMessage *msg, void *parent, - char **s1, char **s2, char **s3, long *n1, - char ***as1, char ***as2, - char ***as3, long *n2, char ***as4); -+int cm_tdbusm_get_sssnasasasnasn(DBusMessage *msg, void *parent, -+ char **s1, char **s2, char **s3, long *n1, -+ char ***as1, char ***as2, -+ char ***as3, long *n2, char ***as4, long *n3); - int cm_tdbusm_get_sasasasnas(DBusMessage *msg, void *parent, - char **s, - char ***as1, char ***as2, -@@ -124,6 +128,11 @@ int cm_tdbusm_set_sssnasasasnas(DBusMessage *msg, - const char *s3, long n1, - const char **as1, const char **as2, - const char **as3, long n2, const char **as4); -+int cm_tdbusm_set_sssnasasasnasn(DBusMessage *msg, -+ const char *s1, const char *s2, -+ const char *s3, long n1, -+ const char **as1, const char **as2, -+ const char **as3, long n2, const char **as4, long n3); - int cm_tdbusm_set_sasasasnas(DBusMessage *msg, - const char *s, - const char **as1, const char **as2, -diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out -index ca7de34f..4cecbe15 100644 ---- a/tests/028-dbus/expected.out -+++ b/tests/028-dbus/expected.out -@@ -11,6 +11,7 @@ Request ID 'Buddy': - CA: local - issuer: CN=$UUID,CN=Local Signing Authority - subject: CN=localhost -+ issued: sometime - expires: sometime - dns: localhost - principal name: host/localhost@LOCALHOST -@@ 
-269,6 +270,7 @@ OK - - - -+ - - - -@@ -430,7 +432,7 @@ Buddy - - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ] --(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s'))) -+(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')), dbus.Int64(recently)) - - [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ] - recently -diff --git a/tests/028-dbus/run.sh b/tests/028-dbus/run.sh -index d0be6ad8..a457834f 100755 ---- a/tests/028-dbus/run.sh -+++ b/tests/028-dbus/run.sh -@@ -42,5 +42,6 @@ sed -r -e 's,CN=........-........-........-........,CN=$UUID,g' \ - -e '/^-----BEGIN/,/^-----END/d' \ - -e "s|$libexecdir|\$libexecdir|g" \ - -e "s|$tmpdir|\$tmpdir|g" \ -+ -e "s|issued:.*|issued: sometime|g" \ - -e "s|expires:.*|expires: sometime|g" \ - -e "s|'(00)?[0-9a-fA-F]{32}|'"'$UUID|g' \ --- -2.31.1 - diff --git a/SOURCES/0007-Fix-file-descriptor-leak-when-executing-CA-helpers.patch b/SOURCES/0007-Fix-file-descriptor-leak-when-executing-CA-helpers.patch deleted file mode 100644 index 2a7925d..0000000 --- a/SOURCES/0007-Fix-file-descriptor-leak-when-executing-CA-helpers.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From f9c774f737a060b355533c215d7443b9865992a0 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 12 Aug 2021 16:26:09 -0400 -Subject: [PATCH] Fix file descriptor leak when executing CA helpers - -cm_cadata_start_generic() creates a pipe. One half is passed -to fetch(), the function that does all helper calls, -via the cm_cadata_state variable ret. The other half is the -reader and is used to detect execution errors. There is a pair -of write/read on this descriptor which on error would be the -errno. - -This second half wasn't being closed after reading to test for -errors. - -https://bugzilla.redhat.com/show_bug.cgi?id=1992439 - -Signed-off-by: Rob Crittenden ---- - src/cadata.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/cadata.c b/src/cadata.c -index 3e916c9..d851b9e 100644 ---- a/src/cadata.c -+++ b/src/cadata.c -@@ -772,8 +772,10 @@ cm_cadata_start_generic(struct cm_store_ca *ca, const char *op, - cm_log(1, "Error running enrollment helper \"%s\": %s.\n", - ca->cm_ca_external_helper, strerror(u)); - talloc_free(ret); -+ close(error_fd[0]); - return NULL; - } -+ close(error_fd[0]); - return ret; - } - --- -2.31.1 - diff --git a/SOURCES/0008-Use-extensions-template-from-NSS.patch b/SOURCES/0008-Use-extensions-template-from-NSS.patch deleted file mode 100644 index 99e98c3..0000000 --- a/SOURCES/0008-Use-extensions-template-from-NSS.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -From 9312d1892c611d9f0e814cb915488182da2b76cc Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Mon, 4 Oct 2021 15:55:44 +0200 -Subject: [PATCH] Use extensions template from NSS - -Drop certmonger's custom extension template and use the sequence of X509v3 -extensions template from NSS. - -The certmonger template had a bug that caused certmonger to create CSRs -with invalid DER. It was encoding extension's critical element even for -default value FALSE. - -Fixes: https://pagure.io/certmonger/issue/223 -Signed-off-by: Christian Heimes ---- - src/certext.c | 41 +---------------------------------------- - 1 file changed, 1 insertion(+), 40 deletions(-) - -diff --git a/src/certext.c b/src/certext.c -index be536987..0d66971e 100644 ---- a/src/certext.c -+++ b/src/certext.c -@@ -203,45 +203,6 @@ cm_ms_template_template[] = { - {0, 0, NULL, 0}, - }; - --/* RFC 5280, 4.1 */ --const SEC_ASN1Template --cm_certext_cert_extension_template[] = { -- { -- .kind = SEC_ASN1_SEQUENCE, -- .offset = 0, -- .sub = NULL, -- .size = sizeof(CERTCertExtension), -- }, -- { -- .kind = SEC_ASN1_OBJECT_ID, -- .offset = offsetof(CERTCertExtension, id), -- .sub = NULL, -- .size = sizeof(SECItem), -- }, -- { -- .kind = SEC_ASN1_BOOLEAN, -- .offset = offsetof(CERTCertExtension, critical), -- .sub = NULL, -- .size = sizeof(SECItem), -- }, -- { -- .kind = SEC_ASN1_OCTET_STRING, -- .offset = offsetof(CERTCertExtension, value), -- .sub = NULL, -- .size = sizeof(SECItem), -- }, -- {0, 0, NULL, 0}, --}; --const SEC_ASN1Template --cm_certext_sequence_of_cert_extension_template[] = { -- { -- .kind = SEC_ASN1_SEQUENCE_OF, -- .offset = 0, -- .sub = cm_certext_cert_extension_template, -- .size = sizeof(CERTCertExtension **), -- }, --}; -- - /* Windows 2000-style UPN */ - static unsigned char oid_ms_upn_name_bytes[] = {0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03}; - static const SECOidData oid_ms_upn_name = { -@@ -1960,7 +1921,7 @@ cm_certext_build_csr_extensions(struct 
cm_store_entry *entry, - /* Encode the sequence. */ - memset(&encoded, 0, sizeof(encoded)); - if (i > 1) { -- template = cm_certext_sequence_of_cert_extension_template; -+ template = CERT_SequenceOfCertExtensionTemplate; - if (SEC_ASN1EncodeItem(arena, &encoded, &exts_ptr, - template) == &encoded) { - *extensions = talloc_memdup(entry, encoded.data, --- -2.31.1 - diff --git a/SOURCES/0009-Use-implicit-empty-FALSE-for-extensions.patch b/SOURCES/0009-Use-implicit-empty-FALSE-for-extensions.patch deleted file mode 100644 index 9264e87..0000000 --- a/SOURCES/0009-Use-implicit-empty-FALSE-for-extensions.patch +++ /dev/null 
@@ -1,280 +0,0 @@ -From e3e4679693efc60bc7a25983909ddfa6883ab2ec Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Mon, 4 Oct 2021 18:52:53 +0200 -Subject: [PATCH] Use implicit, empty FALSE for extensions - -Cemplate had a bug that caused certmonger to create CSRs with invalid DER. -It was encoding extension's critical element even for default value FALSE. - -Fixes: https://pagure.io/certmonger/issue/223 -Signed-off-by: Christian Heimes ---- - src/certext.c | 7 +- - tests/003-csrgen-rsa/expected.out | 82 ++++++++++------------ - tests/003-csrgen/expected.out | 110 +++++++++++++----------------- - 3 files changed, 91 insertions(+), 108 deletions(-) - -diff --git a/src/certext.c b/src/certext.c -index 0d66971e..e5e0b4dc 100644 ---- a/src/certext.c -+++ b/src/certext.c -@@ -1706,9 +1706,12 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry, - CERTCertExtension ext[13], *exts[14], **exts_ptr; - SECOidData *oid; - SECItem *item, encoded; -+ /* X509v3 extension's critical element has an implicit default, -+ * see https://pagure.io/certmonger/issue/223 -+ */ - SECItem der_false = { -- .len = 1, -- .data = (unsigned char *) "\000", -+ .len = 0, -+ .data = NULL, - }; - SECItem der_true = { - .len = 1, -diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out -index def53fe4..0fb88323 100644 ---- a/tests/003-csrgen-rsa/expected.out -+++ b/tests/003-csrgen-rsa/expected.out -@@ -8,8 +8,8 @@ pk12util: PKCS12 EXPORT SUCCESSFUL - 4096 OK. 
- Signature OK - The last CSR (the one with everything) was: -- 0:d=0 hl=4 l=1413 cons: SEQUENCE -- 4:d=1 hl=4 l=1133 cons: SEQUENCE -+ 0:d=0 hl=4 l=1389 cons: SEQUENCE -+ 4:d=1 hl=4 l=1109 cons: SEQUENCE - 8:d=2 hl=2 l= 1 prim: INTEGER :00 - 11:d=2 hl=2 l= 22 cons: SEQUENCE - 13:d=3 hl=2 l= 20 cons: SET -@@ -21,7 +21,7 @@ The last CSR (the one with everything) was: - 41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption - 52:d=4 hl=2 l= 0 prim: NULL - 54:d=3 hl=4 l= 271 prim: BIT STRING -- 329:d=2 hl=4 l= 808 cons: cont [ 0 ] -+ 329:d=2 hl=4 l= 784 cons: cont [ 0 ] - 333:d=3 hl=2 l= 52 cons: SEQUENCE - 335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword - 346:d=4 hl=2 l= 39 cons: SET -@@ -30,48 +30,40 @@ The last CSR (the one with everything) was: - 389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName - 400:d=4 hl=2 l= 48 cons: SET - 402:d=5 hl=2 l= 46 prim: BMPSTRING -- 450:d=3 hl=4 l= 687 cons: SEQUENCE -+ 450:d=3 hl=4 l= 663 cons: SEQUENCE - 454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request -- 465:d=4 hl=4 l= 672 cons: SET -- 469:d=5 hl=4 l= 668 cons: SEQUENCE -- 473:d=6 hl=2 l= 14 cons: SEQUENCE -+ 465:d=4 hl=4 l= 648 cons: SET -+ 469:d=5 hl=4 l= 644 cons: SEQUENCE -+ 473:d=6 hl=2 l= 11 cons: SEQUENCE - 475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage -- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 -- 489:d=6 hl=4 l= 264 cons: SEQUENCE -- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name -- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 501:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]: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 -- 757:d=6 hl=2 l= 32 cons: SEQUENCE -- 759:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage -- 764:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 767:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 -- 791:d=6 hl=2 l= 18 cons: SEQUENCE -- 793:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints -- 798:d=7 hl=2 l= 1 prim: BOOLEAN :255 -- 801:d=7 hl=2 l= 8 
prim: OCTET STRING [HEX DUMP]:30060101FF020103 -- 811:d=6 hl=2 l= 34 cons: SEQUENCE -- 813:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier -- 818:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 821:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D -- 847:d=6 hl=2 l= 32 cons: SEQUENCE -- 849:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier -- 854:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 857:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D -- 881:d=6 hl=2 l= 107 cons: SEQUENCE -- 883:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access -- 893:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 896:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 -- 990:d=6 hl=2 l= 96 cons: SEQUENCE -- 992:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points -- 997:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 1000:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 -- 1088:d=6 hl=2 l= 51 cons: SEQUENCE -- 1090:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment -- 1101:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 1104:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 -- 1141:d=1 hl=2 l= 13 cons: SEQUENCE -- 1143:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption -- 1154:d=2 hl=2 l= 0 prim: NULL -- 1156:d=1 hl=4 l= 257 prim: BIT STRING -+ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 -+ 486:d=6 hl=4 l= 261 cons: SEQUENCE -+ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name -+ 495:d=7 hl=3 l= 253 prim: OCTET STRING [HEX 
DUMP]:3081FA82096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74 -+ 751:d=6 hl=2 l= 29 cons: SEQUENCE -+ 753:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage -+ 758:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 -+ 782:d=6 hl=2 l= 18 cons: SEQUENCE -+ 784:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints -+ 789:d=7 hl=2 l= 1 prim: BOOLEAN :255 -+ 792:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 -+ 802:d=6 hl=2 l= 31 cons: SEQUENCE -+ 804:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier -+ 809:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D -+ 835:d=6 hl=2 l= 29 cons: SEQUENCE -+ 837:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier -+ 842:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D -+ 866:d=6 hl=2 l= 104 cons: SEQUENCE -+ 868:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access -+ 878:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 -+ 972:d=6 hl=2 l= 93 cons: SEQUENCE -+ 974:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points -+ 979:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 -+ 1067:d=6 
hl=2 l= 48 cons: SEQUENCE -+ 1069:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment -+ 1080:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 -+ 1117:d=1 hl=2 l= 13 cons: SEQUENCE -+ 1119:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption -+ 1130:d=2 hl=2 l= 0 prim: NULL -+ 1132:d=1 hl=4 l= 257 prim: BIT STRING - Test complete (32 combinations). -diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out -index 46e010cf..1081a678 100644 ---- a/tests/003-csrgen/expected.out -+++ b/tests/003-csrgen/expected.out -@@ -11,8 +11,8 @@ Signature OK - minicert.openssl.4096.pem: OK - 4096 OK. - The last CSR (the one with everything) was: -- 0:d=0 hl=4 l=1635 cons: SEQUENCE -- 4:d=1 hl=4 l=1355 cons: SEQUENCE -+ 0:d=0 hl=4 l=1599 cons: SEQUENCE -+ 4:d=1 hl=4 l=1319 cons: SEQUENCE - 8:d=2 hl=2 l= 1 prim: INTEGER :00 - 11:d=2 hl=2 l= 22 cons: SEQUENCE - 13:d=3 hl=2 l= 20 cons: SET -@@ -24,7 +24,7 @@ The last CSR (the one with everything) was: - 41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption - 52:d=4 hl=2 l= 0 prim: NULL - 54:d=3 hl=4 l= 271 prim: BIT STRING -- 329:d=2 hl=4 l=1030 cons: cont [ 0 ] -+ 329:d=2 hl=4 l= 994 cons: cont [ 0 ] - 333:d=3 hl=2 l= 52 cons: SEQUENCE - 335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword - 346:d=4 hl=2 l= 39 cons: SET -@@ -33,64 +33,52 @@ The last CSR (the one with everything) was: - 389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName - 400:d=4 hl=2 l= 48 cons: SET - 402:d=5 hl=2 l= 46 prim: BMPSTRING -- 450:d=3 hl=4 l= 909 cons: SEQUENCE -+ 450:d=3 hl=4 l= 873 cons: SEQUENCE - 454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request -- 465:d=4 hl=4 l= 894 cons: SET -- 469:d=5 hl=4 l= 890 cons: SEQUENCE -- 473:d=6 hl=2 l= 14 cons: SEQUENCE -+ 465:d=4 hl=4 l= 858 cons: SET -+ 469:d=5 hl=4 l= 854 cons: SEQUENCE -+ 473:d=6 hl=2 l= 11 cons: SEQUENCE - 475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage -- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX 
DUMP]:030205E0 -- 489:d=6 hl=4 l= 290 cons: SEQUENCE -- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name -- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 501:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]: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 -- 783:d=6 hl=2 l= 32 cons: SEQUENCE -- 785:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage -- 790:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 793:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 -- 817:d=6 hl=2 l= 18 cons: SEQUENCE -- 819:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints -- 824:d=7 hl=2 l= 1 prim: BOOLEAN :255 -- 827:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103 -- 837:d=6 hl=2 l= 34 cons: SEQUENCE -- 839:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier -- 844:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 847:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D -- 873:d=6 hl=2 l= 32 cons: SEQUENCE -- 875:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier -- 880:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 883:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D -- 907:d=6 hl=2 l= 107 cons: SEQUENCE -- 909:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access -- 919:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 922:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 -- 1016:d=6 hl=2 l= 96 cons: SEQUENCE -- 1018:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points -- 1023:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 1026:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 -- 1114:d=6 hl=2 l= 106 cons: SEQUENCE -- 1116:d=7 hl=2 l= 3 prim: 
OBJECT :X509v3 Freshest CRL -- 1121:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 1124:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461 -- 1222:d=6 hl=2 l= 51 cons: SEQUENCE -- 1224:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment -- 1235:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 1238:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 -- 1275:d=6 hl=2 l= 18 cons: SEQUENCE -- 1277:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check -- 1288:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 1291:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500 -- 1295:d=6 hl=2 l= 44 cons: SEQUENCE -- 1297:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2 -- 1308:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 1311:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074 -- 1341:d=6 hl=2 l= 20 cons: SEQUENCE -- 1343:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type -- 1354:d=7 hl=2 l= 1 prim: BOOLEAN :0 -- 1357:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0 -- 1363:d=1 hl=2 l= 13 cons: SEQUENCE -- 1365:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption -- 1376:d=2 hl=2 l= 0 prim: NULL -- 1378:d=1 hl=4 l= 257 prim: BIT STRING -+ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0 -+ 486:d=6 hl=4 l= 287 cons: SEQUENCE -+ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name -+ 495:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]: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 -+ 777:d=6 hl=2 l= 29 cons: SEQUENCE -+ 779:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage -+ 784:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304 -+ 808:d=6 hl=2 l= 18 cons: SEQUENCE -+ 810:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints -+ 815:d=7 hl=2 l= 1 prim: BOOLEAN :255 -+ 818:d=7 hl=2 l= 8 prim: OCTET 
STRING [HEX DUMP]:30060101FF020103 -+ 828:d=6 hl=2 l= 31 cons: SEQUENCE -+ 830:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier -+ 835:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D -+ 861:d=6 hl=2 l= 29 cons: SEQUENCE -+ 863:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier -+ 868:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D -+ 892:d=6 hl=2 l= 104 cons: SEQUENCE -+ 894:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access -+ 904:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435 -+ 998:d=6 hl=2 l= 93 cons: SEQUENCE -+ 1000:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points -+ 1005:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574 -+ 1093:d=6 hl=2 l= 103 cons: SEQUENCE -+ 1095:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL -+ 1100:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461 -+ 1198:d=6 hl=2 l= 48 cons: SEQUENCE -+ 1200:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment -+ 1211:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374 -+ 1248:d=6 hl=2 l= 15 cons: SEQUENCE -+ 1250:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check -+ 1261:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500 -+ 1265:d=6 hl=2 l= 41 cons: SEQUENCE -+ 1267:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2 -+ 1278:d=7 hl=2 l= 28 prim: OCTET STRING [HEX 
DUMP]:1E1A006300610041007700650073006F006D00650043006500720074 -+ 1308:d=6 hl=2 l= 17 cons: SEQUENCE -+ 1310:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type -+ 1321:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0 -+ 1327:d=1 hl=2 l= 13 cons: SEQUENCE -+ 1329:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption -+ 1340:d=2 hl=2 l= 0 prim: NULL -+ 1342:d=1 hl=4 l= 257 prim: BIT STRING - Test complete (69 combinations). --- -2.31.1 - diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec index 1132402..0b7bbdc 100644 --- a/SPECS/certmonger.spec +++ b/SPECS/certmonger.spec @@ -10,24 +10,18 @@ %bcond_without xmlrpc Name: certmonger -Version: 0.79.13 -Release: 5%{?dist} +Version: 0.79.17 +Release: 2%{?dist} Summary: Certificate status monitor and PKI enrollment client Group: System Environment/Daemons License: GPLv3+ URL: http://pagure.io/certmonger/ Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz +#Source1: http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig -Patch0001: 0001-Don-t-run-the-002-keygen-tests-when-root.patch -Patch0002: 0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch -Patch0003: 0003-Fix-local-CA-to-work-under-FIPS.patch -Patch0004: 0004-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch -Patch0005: 0005-Add-NULL-checks-before-string-compares-when-analyzin.patch -Patch0006: 0006-Display-not_before-in-getcert-output.patch -Patch0007: 0007-Fix-file-descriptor-leak-when-executing-CA-helpers.patch -Patch0008: 0008-Use-extensions-template-from-NSS.patch -Patch0009: 0009-Use-implicit-empty-FALSE-for-extensions.patch +Patch0001: 0001-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch +Patch0002: 0002-Don-t-run-the-002-keygen-tests-when-root.patch BuildRequires: autoconf BuildRequires: automake 
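Review bot: The new `+#Source1: ...certmonger-%%{version}.tar.gz.sig` line is commented out and nothing in this hunk adds a key source or a `%{gpgverify}` step, so the 0.79.17 tarball is still not authenticated against upstream's detached signature at build time, while a commented-out signature URL reads as if such verification existed. Either enable it — `Source1: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz.sig`, a `Source2:` holding the upstream signing key, and `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` as the first line of `%prep` (which lies outside this hunk) — or drop the dead line so nobody assumes the check happens. The same hunk removes Patch0003 through Patch0009 (FIPS local CA, SCEP challenge-password option, NULL checks, not_before display, CA-helper fd leak, and the invalid-DER extension fix), presumably because 0.79.17 carries them upstream, but neither this hunk nor the changelog hunk below records that; a spec comment such as `# 0.79.13-5 patches 0003-0009 are included upstream in 0.79.17` next to the remaining `Patch0001`/`Patch0002` lines would make the drop auditable.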
@@ -242,6 +236,15 @@ exit 0 %endif %changelog +* Wed Dec 7 2022 Rob Crittenden - 0.79.17-2 +- Skip the keygen tests when executed as root. + +* Tue Dec 6 2022 Rob Crittenden - 0.79.17-1 +- Update to upstream 0.79.17 (#2139523) +- Certificate format validation when adding the SCEP server's CA (#2150025) +- Certmonger SCEP renewal should not use old challenges (#2150030) +- certmonger SEGV during rekey in FIPS mode (#2150070) + * Mon Oct 18 2021 Rob Crittenden - 0.79.13-5 - certmonger creates CSRs with invalid DER syntax for X509v3 extensions with critical=FALSE (#2012258)