rpms/certmonger
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import certmonger-0.79.17-2.el8

Browse Source
This commit is contained in:
CentOS Sources 2022-12-08 12:09:51 +00:00 committed by root
parent bddcd4846d
commit e349d3e655
13 changed files with 51 additions and 1051 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.certmonger.metadata
View File

@ -1 +1 @@
eecb2ceb6f293cf30ffed148fb3ad5021febe301 SOURCES/certmonger-0.79.13.tar.gz ab77485e556d96c5c2b885ee3d0f27794276dfee SOURCES/certmonger-0.79.17.tar.gz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/certmonger-0.79.13.tar.gz SOURCES/certmonger-0.79.17.tar.gz

38
SOURCES/0001-Don-t-run-the-002-keygen-tests-when-root.patch
View File

@ -1,38 +0,0 @@
From a176d474644e0f1f2ce520ed69b04dc649ed2bed Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 29 Oct 2020 10:13:08 -0400
Subject: [PATCH] Don't run the 002-keygen-* tests when root
The permissions tests will fail.
---
tests/002-keygen-dbm/prequal.sh | 5 +++++
tests/002-keygen-sql/prequal.sh | 5 +++++
2 files changed, 10 insertions(+)
create mode 100755 tests/002-keygen-dbm/prequal.sh
create mode 100755 tests/002-keygen-sql/prequal.sh
diff --git a/tests/002-keygen-dbm/prequal.sh b/tests/002-keygen-dbm/prequal.sh
new file mode 100755
index 00000000..d146a650
--- /dev/null
+++ b/tests/002-keygen-dbm/prequal.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+if test `id -u` -eq 0 ; then
+ echo "This test won't work right if run as root."
+ exit 1
+fi
diff --git a/tests/002-keygen-sql/prequal.sh b/tests/002-keygen-sql/prequal.sh
new file mode 100755
index 00000000..d146a650
--- /dev/null
+++ b/tests/002-keygen-sql/prequal.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+if test `id -u` -eq 0 ; then
+ echo "This test won't work right if run as root."
+ exit 1
+fi
--
2.25.4

22
SOURCES/0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch → SOURCES/0001-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch
View File

@ -1,6 +1,6 @@
From 73b1729b9ca740174ef2fa14332f890c5cd17a26 Mon Sep 17 00:00:00 2001 From 14d1b5f9a482a4740706dc1cb86c454662f48d4c Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com> From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 10 Nov 2020 18:48:05 -0500 Date: Wed, 7 Dec 2022 10:09:55 -0500
Subject: [PATCH] Revert "Remove the certmaster CA from the 028-dbus test" Subject: [PATCH] Revert "Remove the certmaster CA from the 028-dbus test"
This reverts commit dd8dcb899e0a159d1141b713993805565ffb6d28. This reverts commit dd8dcb899e0a159d1141b713993805565ffb6d28.
@ -9,10 +9,10 @@ This reverts commit dd8dcb899e0a159d1141b713993805565ffb6d28.
1 file changed, 124 insertions(+), 6 deletions(-) 1 file changed, 124 insertions(+), 6 deletions(-)
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
index ca7de34f..4d6a9a59 100644 index 86cba02..544ebd7 100644
--- a/tests/028-dbus/expected.out --- a/tests/028-dbus/expected.out
+++ b/tests/028-dbus/expected.out +++ b/tests/028-dbus/expected.out
@@ -34,6 +34,10 @@ CA 'IPA': @@ -35,6 +35,10 @@ CA 'IPA':
is-default: no is-default: no
ca-type: EXTERNAL ca-type: EXTERNAL
helper-location: $libexecdir/ipa-submit helper-location: $libexecdir/ipa-submit
@ -23,7 +23,7 @@ index ca7de34f..4d6a9a59 100644
CA 'dogtag-ipa-renew-agent': CA 'dogtag-ipa-renew-agent':
is-default: no is-default: no
ca-type: EXTERNAL ca-type: EXTERNAL
@@ -41,8 +45,8 @@ CA 'dogtag-ipa-renew-agent': @@ -42,8 +46,8 @@ CA 'dogtag-ipa-renew-agent':
[[ API ]] [[ API ]]
[ simpleprop.py ] [ simpleprop.py ]
@ -34,7 +34,7 @@ index ca7de34f..4d6a9a59 100644
: -> : -k admin@localhost -> : : -> : -k admin@localhost -> :
0 -> 1 -> 0 0 -> 1 -> 0
[ walk.py ] [ walk.py ]
@@ -178,7 +182,7 @@ OK @@ -179,7 +183,7 @@ OK
OK OK
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ] [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ]
@ -43,7 +43,7 @@ index ca7de34f..4d6a9a59 100644
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ] [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ]
dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o')) dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
@@ -504,6 +508,7 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri @@ -507,6 +511,7 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
<node name="CA2"/> <node name="CA2"/>
<node name="CA3"/> <node name="CA3"/>
<node name="CA4"/> <node name="CA4"/>
@ -51,7 +51,7 @@ index ca7de34f..4d6a9a59 100644
</node> </node>
[ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ] [ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ]
@@ -937,10 +942,10 @@ dbus.Array([], signature=dbus.Signature('s')) @@ -940,10 +945,10 @@ dbus.Array([], signature=dbus.Signature('s'))
</node> </node>
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ] [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
@ -64,7 +64,7 @@ index ca7de34f..4d6a9a59 100644
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ] [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ]
0 0
@@ -952,7 +957,7 @@ EXTERNAL @@ -955,7 +960,7 @@ EXTERNAL
None None
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ] [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ]
@ -73,7 +73,7 @@ index ca7de34f..4d6a9a59 100644
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ] [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ]
dbus.Array([], signature=dbus.Signature('s')) dbus.Array([], signature=dbus.Signature('s'))
@@ -960,3 +965,116 @@ dbus.Array([], signature=dbus.Signature('s')) @@ -963,3 +968,116 @@ dbus.Array([], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ] [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ]
1 1
@ -191,5 +191,5 @@ index ca7de34f..4d6a9a59 100644
+1 +1
+ +
-- --
2.25.4 2.38.1

24
SOURCES/0002-Don-t-run-the-002-keygen-tests-when-root.patch Normal file
View File

@ -0,0 +1,24 @@
From 6224c3aa01665edddbda1ec7d1e35b03823eefcb Mon Sep 17 00:00:00 2001
From: root <root@ci-vm-10-0-137-168.hosted.upshift.rdu2.redhat.com>
Date: Wed, 7 Dec 2022 14:50:01 -0500
Subject: [PATCH] Don't run the 002-keygen-* tests when root
The permissions tests will fail.
---
tests/002-keygen-dbm/prequal.sh | 5 +++++
1 file changed, 5 insertions(+)
create mode 100755 tests/002-keygen-dbm/prequal.sh
diff --git a/tests/002-keygen-dbm/prequal.sh b/tests/002-keygen-dbm/prequal.sh
new file mode 100755
index 0000000..b6c16e0
--- /dev/null
+++ b/tests/002-keygen-dbm/prequal.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+if test `id -u` -eq 0 ; then
+ echo "This test won't work right if run as root."
+ exit 1
+fi
--
2.31.1

38
SOURCES/0003-Fix-local-CA-to-work-under-FIPS.patch
View File

@ -1,38 +0,0 @@
From 62a6634867db5d9f79b613055b8788136d4cb41d Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Wed, 14 Apr 2021 15:34:48 -0400
Subject: [PATCH] Fix local CA to work under FIPS
The PKCS12 file used for the local CA fails to be created because
it uses default OpenSSL encryption algorithms that are disallowed
under FIPS. This patch simply updates the PKCS12_create() command
to use allowed encryption algorithms.
---
src/local.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/local.c b/src/local.c
index 92bea144..2f50ac77 100644
--- a/src/local.c
+++ b/src/local.c
@@ -39,6 +39,7 @@
#include <openssl/asn1.h>
#include <openssl/err.h>
+#include <openssl/obj_mac.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
#include <openssl/rand.h>
@@ -372,7 +373,8 @@ get_signer_info(void *parent, char *localdir, X509 ***roots,
return CM_SUBMIT_STATUS_UNREACHABLE;
}
p12 = PKCS12_create(NULL, CONSTANTCN, *signer_key, *signer_cert,
- cas, 0, 0, 0, 0, 0);
+ cas, NID_aes_128_cbc, NID_aes_128_cbc,
+ 0, 0, 0);
if (p12 != NULL) {
if (!i2d_PKCS12_fp(fp, p12)) {
fclose(fp);
--
2.26.3

123
SOURCES/0004-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch
View File

@ -1,123 +0,0 @@
From b38981c6e140ada6dd34bc817c508e8dd9714494 Mon Sep 17 00:00:00 2001
From: Your Name <you@example.com>
Date: Fri, 9 Jul 2021 20:49:28 +0000
Subject: [PATCH] Add SCEP config option to treat the challenge password as an
OTP
SCEP RFC 8894 specifies that a challenge password SHOULD be
removed from subsequent requests but that it MAY be included.
This adds a new configuration option to treat the challenge password
as a one-time password (OTP) so that it will not be sent on
subsequent requests, like renewals, by removing it completely
from the tracking request.
This allows certmonger to be able to renew AD-issued SCEP certificates
if the AD registry entry DisableRenewalSubjectNameMatch is set to 1.
https://bugzilla.redhat.com/show_bug.cgi?id=1577570
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/certmonger.conf.5.in | 9 +++++++++
src/certsave.c | 13 +++++++++++++
src/prefs.c | 15 +++++++++++++++
src/prefs.h | 4 ++++
4 files changed, 41 insertions(+)
diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in
index 6a42d3cb..1b941b9d 100644
--- a/src/certmonger.conf.5.in
+++ b/src/certmonger.conf.5.in
@@ -126,6 +126,15 @@ If not set, the value of the \fIvalidity_period\fR setting from the
\fIselfsign\fR section, if one is set there, will be used. The default value
is \fI@CM_DEFAULT_CERT_LIFETIME@\fR.
+.SH SCEP
+Within the \fIscep\fR section, these variables and values are recognized:
+
+.IP challenge_password_otp
+This controls whether the SCEP challenge password is treated as a one-time
+password. If set to yes then the challenge password and/or challenge password
+file will be removed from the tracking request after the first certificate
+issuance so will not be sent with renewal requests. The default is no.
+
.SH BUGS
Please file tickets for any that you find at https://fedorahosted.org/certmonger/
diff --git a/src/certsave.c b/src/certsave.c
index 6eaafe59..f8503662 100644
--- a/src/certsave.c
+++ b/src/certsave.c
@@ -18,12 +18,25 @@
#include "config.h"
#include "certsave.h"
#include "certsave-int.h"
+#include "prefs.h"
#include "store-int.h"
+#include "talloc.h"
/* Start writing the certificate from the entry to the configured location. */
struct cm_certsave_state *
cm_certsave_start(struct cm_store_entry *entry)
{
+ /* If saving a SCEP certificate wipe out the challenge password */
+ if ((cm_prefs_scep_password_otp()) &&
+ (entry->cm_template_challenge_password != NULL) &&
+ (entry->cm_scep_nonce != NULL))
+ {
+ talloc_free(entry->cm_template_challenge_password);
+ entry->cm_template_challenge_password = NULL;
+ talloc_free(entry->cm_template_challenge_password_file);
+ entry->cm_template_challenge_password_file = NULL;
+ }
+
switch (entry->cm_cert_storage_type) {
#ifdef HAVE_OPENSSL
case cm_cert_storage_file:
diff --git a/src/prefs.c b/src/prefs.c
index 669e8f1f..52ffc908 100644
--- a/src/prefs.c
+++ b/src/prefs.c
@@ -595,3 +595,18 @@ prefs_max_key_use_count(void)
}
return count;
}
+
+int
+cm_prefs_scep_password_otp(void)
+{
+ static int populate = -1;
+ if (populate == -1) {
+ const char *val;
+ val = cm_prefs_config("scep", "challenge_password_otp");
+ if (val == NULL) {
+ val = "no";
+ }
+ populate = cm_prefs_yesno(val);
+ }
+ return populate != -1 ? populate : 0;
+}
diff --git a/src/prefs.h b/src/prefs.h
index 248e1016..a107fb6c 100644
--- a/src/prefs.h
+++ b/src/prefs.h
@@ -18,6 +18,8 @@
#ifndef cmprefs_h
#define cmprefs_h
+#include <time.h>
+
enum cm_prefs_cipher {
cm_prefs_aes128,
cm_prefs_aes192,
@@ -73,4 +75,6 @@ const char *cm_prefs_dogtag_sslpinfile(void);
long long prefs_key_end_of_life(time_t ref);
long prefs_max_key_use_count(void);
+int cm_prefs_scep_password_otp(void);
+
#endif
--
2.31.1

42
SOURCES/0005-Add-NULL-checks-before-string-compares-when-analyzin.patch
View File

@ -1,42 +0,0 @@
From 0eec70b9dbd0a50a24fe173a68fd9ab72857e08d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 17 Feb 2021 13:40:52 -0500
Subject: [PATCH] Add NULL checks before string compares when analyzing a cert
A user reported a segfault which was due to a broken request.
How it got broken I have no idea but it was effectively empty.
It had everything as defaults: 0, -1, UNSPECIFIED or not
present at all.
So when trying to analyze the request it did a NULL compare.
https://pagure.io/certmonger/issue/191
---
src/tdbush.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/tdbush.c b/src/tdbush.c
index a10a1aff..fb81c477 100644
--- a/src/tdbush.c
+++ b/src/tdbush.c
@@ -678,14 +678,14 @@ base_add_request(DBusConnection *conn, DBusMessage *msg,
if (cert_storage != e->cm_cert_storage_type) {
continue;
}
- if (strcmp(cert_location, e->cm_cert_storage_location) != 0) {
+ if ((e->cm_cert_storage_location == NULL) || strcmp(cert_location, e->cm_cert_storage_location) != 0) {
continue;
}
switch (cert_storage) {
case cm_cert_storage_file:
break;
case cm_cert_storage_nssdb:
- if (strcmp(cert_nickname, e->cm_cert_nickname) != 0) {
+ if ((e->cm_cert_nickname == NULL) || strcmp(cert_nickname, e->cm_cert_nickname) != 0) {
continue;
}
break;
--
2.31.1

386
SOURCES/0006-Display-not_before-in-getcert-output.patch
View File

@ -1,386 +0,0 @@
From 84d575da7516cae1ee94099317cf0f8fae2c7ea1 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 8 Apr 2021 14:07:22 -0400
Subject: [PATCH] Display not_before in getcert output
Including not_before can help with troubleshooting
renewal problems and if time needs to be reversed
helping identify the maximum one can go back.
https://bugzilla.redhat.com/show_bug.cgi?id=1940261
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/getcert.c | 21 ++++-
src/tdbush.c | 10 ++-
src/tdbusm-check.c | 32 ++++++++
src/tdbusm.c | 150 ++++++++++++++++++++++++++++++++++++
src/tdbusm.h | 9 +++
tests/028-dbus/expected.out | 4 +-
tests/028-dbus/run.sh | 1 +
7 files changed, 220 insertions(+), 7 deletions(-)
diff --git a/src/getcert.c b/src/getcert.c
index 078f5aa1..4afafcb1 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -3389,7 +3389,7 @@ list(const char *argv0, int argc, const char **argv)
const char *capath, *request;
dbus_bool_t b;
char *s1, *s2, *s3, *s4, *s5, *s6;
- long n1, n2;
+ long n1, n2, n3;
char **as, **as1, **as2, **as3, **as4, **as5, t[25];
int requests_only = 0, tracking_only = 0, verbose = 0, c, i, j;
unsigned int k;
@@ -3754,10 +3754,10 @@ list(const char *argv0, int argc, const char **argv)
/* Information from the certificate. */
rep = query_rep(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
"get_cert_info", verbose);
- if (cm_tdbusm_get_sssnasasasnas(rep, globals.tctx,
+ if (cm_tdbusm_get_sssnasasasnasn(rep, globals.tctx,
&s1, &s2, &s3, &n1,
&as1, &as2, &as3,
- &n2, &as4) != 0) {
+ &n2, &as4, &n3) != 0) {
printf(_("Error parsing server response.\n"));
exit(1);
}
@@ -3768,6 +3768,21 @@ list(const char *argv0, int argc, const char **argv)
printf(_("\tissuer: %s\n"), s1);
printf(_("\tsubject: %s\n"), s3);
when = _("unknown");
+ if (n3 != 0) {
+ if (force_utc) {
+ when = cm_store_timestamp_from_time_for_display(n3, t);
+ printf(_("\tissued: %s\n"), when);
+ } else {
+ when = cm_store_local_timestamp_from_time_for_display(n3);
+ if (when != NULL) {
+ printf(_("\tissued: %s\n"), when);
+ free(when);
+ }
+ }
+ } else {
+ printf(_("\tissued: %s\n"), when);
+ }
+ when = _("unknown");
if (n1 != 0) {
if (force_utc) {
when = cm_store_timestamp_from_time_for_display(n1, t);
diff --git a/src/tdbush.c b/src/tdbush.c
index 3587f84f..6fc1b4be 100644
--- a/src/tdbush.c
+++ b/src/tdbush.c
@@ -2701,7 +2701,7 @@ request_get_cert_info(DBusConnection *conn, DBusMessage *msg,
rep = dbus_message_new_method_return(msg);
if (rep != NULL) {
eku = eku_splitv(entry, entry->cm_cert_eku);
- cm_tdbusm_set_sssnasasasnas(rep,
+ cm_tdbusm_set_sssnasasasnasn(rep,
entry->cm_cert_issuer,
entry->cm_cert_serial,
entry->cm_cert_subject,
@@ -2710,7 +2710,8 @@ request_get_cert_info(DBusConnection *conn, DBusMessage *msg,
(const char **) entry->cm_cert_hostname,
(const char **) entry->cm_cert_principal,
ku_from_string(entry->cm_cert_ku),
- (const char **) eku);
+ (const char **) eku,
+ entry->cm_cert_not_before);
dbus_connection_send(conn, rep, NULL);
dbus_message_unref(rep);
talloc_free(eku);
@@ -6563,7 +6564,10 @@ cm_tdbush_iface_request(void)
DBUS_TYPE_ARRAY_AS_STRING
DBUS_TYPE_STRING_AS_STRING,
cm_tdbush_method_arg_out,
- NULL))))))))),
+ make_method_arg("not_before",
+ DBUS_TYPE_INT64_AS_STRING,
+ cm_tdbush_method_arg_out,
+ NULL)))))))))),
NULL),
make_interface_item(cm_tdbush_interface_property,
make_property(CM_DBUS_PROP_CERT_ISSUER,
diff --git a/src/tdbusm-check.c b/src/tdbusm-check.c
index 385b1849..31880732 100644
--- a/src/tdbusm-check.c
+++ b/src/tdbusm-check.c
@@ -539,6 +539,38 @@ get_sssnasasasnas(DBusMessage *rep, int msgid)
return ret;
}
static int
+get_sssnasasasnasn(DBusMessage *rep, int msgid)
+{
+ int ret, i;
+ long n1, n2, n3;
+ char *s1, *s2, *s3, **as1, **as2, **as3, **as4;
+
+ ret = cm_tdbusm_get_sssnasasasnasn(rep, NULL,
+ &s1, &s2, &s3, &n1,
+ &as1, &as2, &as3, &n2, &as4, &n3);
+ if (ret == 0) {
+ printf("Message %d - s:%s,s:%s,s:%s," "n:%ld,[",
+ msgid, s1, s2, s3, n1);
+ for (i = 0; (as1 != NULL) && (as1[i] != NULL); i++) {
+ printf("%ss:%s", i > 0 ? "," : "", as1[i]);
+ }
+ printf("],[");
+ for (i = 0; (as2 != NULL) && (as2[i] != NULL); i++) {
+ printf("%ss:%s", i > 0 ? "," : "", as2[i]);
+ }
+ printf("],[");
+ for (i = 0; (as3 != NULL) && (as3[i] != NULL); i++) {
+ printf("%ss:%s", i > 0 ? "," : "", as3[i]);
+ }
+ printf("],n:%ld,n:%ld,[", n2, n3);
+ for (i = 0; (as4 != NULL) && (as4[i] != NULL); i++) {
+ printf("%ss:%s", i > 0 ? "," : "", as4[i]);
+ }
+ printf("]\n");
+ }
+ return ret;
+}
+static int
get_sasasasnas(DBusMessage *rep, int msgid)
{
int ret, i;
diff --git a/src/tdbusm.c b/src/tdbusm.c
index bc39e1d4..24e03e4c 100644
--- a/src/tdbusm.c
+++ b/src/tdbusm.c
@@ -935,6 +935,105 @@ cm_tdbusm_get_sssnasasasnas(DBusMessage *msg, void *parent,
return 0;
}
+int
+cm_tdbusm_get_sssnasasasnasn(DBusMessage *msg, void *parent,
+ char **s1, char **s2, char **s3, long *n1,
+ char ***as1, char ***as2, char ***as3,
+ long *n2, char ***as4, long *n3)
+{
+ DBusError err;
+ char **tmp1, **tmp2, **tmp3, **tmp4;
+ int64_t i641, i642, i643;
+ int32_t i321, i322, i323;
+ int16_t i161, i162, i163;
+ int i, j, k, l;
+ *s1 = NULL;
+ *s2 = NULL;
+ *s3 = NULL;
+ *as1 = NULL;
+ *as2 = NULL;
+ *as3 = NULL;
+ *as4 = NULL;
+ dbus_error_init(&err);
+ if (!dbus_message_get_args(msg, &err,
+ DBUS_TYPE_STRING, s1,
+ DBUS_TYPE_STRING, s2,
+ DBUS_TYPE_STRING, s3,
+ DBUS_TYPE_INT64, &i641,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp1, &i,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp2, &j,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp3, &k,
+ DBUS_TYPE_INT64, &i642,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp4, &l,
+ DBUS_TYPE_INT64, &i643,
+ DBUS_TYPE_INVALID)) {
+ if (dbus_error_is_set(&err)) {
+ dbus_error_free(&err);
+ dbus_error_init(&err);
+ }
+ if (!dbus_message_get_args(msg, &err,
+ DBUS_TYPE_STRING, s1,
+ DBUS_TYPE_STRING, s2,
+ DBUS_TYPE_STRING, s3,
+ DBUS_TYPE_INT32, &i321,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &tmp1, &i,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &tmp2, &j,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &tmp3, &k,
+ DBUS_TYPE_INT32, &i322,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &tmp4, &l,
+ DBUS_TYPE_INT32, &i323,
+ DBUS_TYPE_INVALID)) {
+ if (dbus_error_is_set(&err)) {
+ dbus_error_free(&err);
+ dbus_error_init(&err);
+ }
+ if (!dbus_message_get_args(msg, &err,
+ DBUS_TYPE_STRING, s1,
+ DBUS_TYPE_STRING, s2,
+ DBUS_TYPE_STRING, s3,
+ DBUS_TYPE_INT16, &i161,
+ DBUS_TYPE_ARRAY,
+ DBUS_TYPE_STRING, &tmp1, &i,
+ DBUS_TYPE_ARRAY,
+ DBUS_TYPE_STRING, &tmp2, &j,
+ DBUS_TYPE_ARRAY,
+ DBUS_TYPE_STRING, &tmp3, &k,
+ DBUS_TYPE_INT16, &i162,
+ DBUS_TYPE_ARRAY,
+ DBUS_TYPE_STRING, &tmp4, &l,
+ DBUS_TYPE_INT16, &i163,
+ DBUS_TYPE_INVALID)) {
+ if (dbus_error_is_set(&err)) {
+ dbus_error_free(&err);
+ dbus_error_init(&err);
+ }
+ return -1;
+ }
+ i321 = i161;
+ i322 = i162;
+ i323 = i163;
+ }
+ i641 = i321;
+ i642 = i322;
+ i643 = i323;
+ }
+ *s1 = *s1 ? talloc_strdup(parent, *s1) : NULL;
+ *s2 = *s2 ? talloc_strdup(parent, *s2) : NULL;
+ *s3 = *s3 ? talloc_strdup(parent, *s3) : NULL;
+ *n1 = i641;
+ *n2 = i642;
+ *n3 = i643;
+ *as1 = cm_tdbusm_take_dbus_string_array(parent, tmp1, i);
+ *as2 = cm_tdbusm_take_dbus_string_array(parent, tmp2, j);
+ *as3 = cm_tdbusm_take_dbus_string_array(parent, tmp3, k);
+ *as4 = cm_tdbusm_take_dbus_string_array(parent, tmp4, l);
+ return 0;
+}
+
int
cm_tdbusm_get_sasasasnas(DBusMessage *msg, void *parent, char **s,
char ***as1, char ***as2, char ***as3,
@@ -1856,6 +1955,57 @@ cm_tdbusm_set_sssnasasasnas(DBusMessage *msg,
}
}
+int
+cm_tdbusm_set_sssnasasasnasn(DBusMessage *msg,
+ const char *s1, const char *s2, const char *s3,
+ long n1, const char **as1, const char **as2,
+ const char **as3, long n2, const char **as4,
+ long n3)
+{
+ int64_t i1 = n1, i2 = n2, i3 = n3;
+ if (s1 == NULL) {
+ s1 = empty_string;
+ }
+ if (s2 == NULL) {
+ s2 = empty_string;
+ }
+ if (s3 == NULL) {
+ s3 = empty_string;
+ }
+ if (as1 == NULL) {
+ as1 = empty_string_array;
+ }
+ if (as2 == NULL) {
+ as2 = empty_string_array;
+ }
+ if (as3 == NULL) {
+ as3 = empty_string_array;
+ }
+ if (as4 == NULL) {
+ as4 = empty_string_array;
+ }
+ if (dbus_message_append_args(msg,
+ DBUS_TYPE_STRING, &s1,
+ DBUS_TYPE_STRING, &s2,
+ DBUS_TYPE_STRING, &s3,
+ DBUS_TYPE_INT64, &i1,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &as1, cm_tdbusm_array_length(as1),
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &as2, cm_tdbusm_array_length(as2),
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &as3, cm_tdbusm_array_length(as3),
+ DBUS_TYPE_INT64, &i2,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &as4, cm_tdbusm_array_length(as4),
+ DBUS_TYPE_INT64, &i3,
+ DBUS_TYPE_INVALID)) {
+ return 0;
+ } else {
+ return -1;
+ }
+}
+
int
cm_tdbusm_set_sasasasnas(DBusMessage *msg, const char *s,
const char **as1, const char **as2,
diff --git a/src/tdbusm.h b/src/tdbusm.h
index fe021eff..250a9b0a 100644
--- a/src/tdbusm.h
+++ b/src/tdbusm.h
@@ -55,6 +55,10 @@ int cm_tdbusm_get_sssnasasasnas(DBusMessage *msg, void *parent,
char **s1, char **s2, char **s3, long *n1,
char ***as1, char ***as2,
char ***as3, long *n2, char ***as4);
+int cm_tdbusm_get_sssnasasasnasn(DBusMessage *msg, void *parent,
+ char **s1, char **s2, char **s3, long *n1,
+ char ***as1, char ***as2,
+ char ***as3, long *n2, char ***as4, long *n3);
int cm_tdbusm_get_sasasasnas(DBusMessage *msg, void *parent,
char **s,
char ***as1, char ***as2,
@@ -124,6 +128,11 @@ int cm_tdbusm_set_sssnasasasnas(DBusMessage *msg,
const char *s3, long n1,
const char **as1, const char **as2,
const char **as3, long n2, const char **as4);
+int cm_tdbusm_set_sssnasasasnasn(DBusMessage *msg,
+ const char *s1, const char *s2,
+ const char *s3, long n1,
+ const char **as1, const char **as2,
+ const char **as3, long n2, const char **as4, long n3);
int cm_tdbusm_set_sasasasnas(DBusMessage *msg,
const char *s,
const char **as1, const char **as2,
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
index ca7de34f..4cecbe15 100644
--- a/tests/028-dbus/expected.out
+++ b/tests/028-dbus/expected.out
@@ -11,6 +11,7 @@ Request ID 'Buddy':
CA: local
issuer: CN=$UUID,CN=Local Signing Authority
subject: CN=localhost
+ issued: sometime
expires: sometime
dns: localhost
principal name: host/localhost@LOCALHOST
@@ -269,6 +270,7 @@ OK
<arg name="principal_names" type="as" direction="out"/>
<arg name="key_usage" type="x" direction="out"/>
<arg name="extended_key_usage" type="as" direction="out"/>
+ <arg name="not_before" type="x" direction="out"/>
</method>
<property name="issuer" type="s" access="read"/>
<property name="serial" type="s" access="read"/>
@@ -430,7 +432,7 @@ Buddy
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ]
-(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
+(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')), dbus.Int64(recently))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ]
recently
diff --git a/tests/028-dbus/run.sh b/tests/028-dbus/run.sh
index d0be6ad8..a457834f 100755
--- a/tests/028-dbus/run.sh
+++ b/tests/028-dbus/run.sh
@@ -42,5 +42,6 @@ sed -r -e 's,CN=........-........-........-........,CN=$UUID,g' \
-e '/^-----BEGIN/,/^-----END/d' \
-e "s|$libexecdir|\$libexecdir|g" \
-e "s|$tmpdir|\$tmpdir|g" \
+ -e "s|issued:.*|issued: sometime|g" \
-e "s|expires:.*|expires: sometime|g" \
-e "s|'(00)?[0-9a-fA-F]{32}|'"'$UUID|g' \
--
2.31.1

40
SOURCES/0007-Fix-file-descriptor-leak-when-executing-CA-helpers.patch
View File

@ -1,40 +0,0 @@
From f9c774f737a060b355533c215d7443b9865992a0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 12 Aug 2021 16:26:09 -0400
Subject: [PATCH] Fix file descriptor leak when executing CA helpers
cm_cadata_start_generic() creates a pipe. One half is passed
to fetch(), the function that does all helper calls,
via the cm_cadata_state variable ret. The other half is the
reader and is used to detect execution errors. There is a pair
of write/read on this descriptor which on error would be the
errno.
This second half wasn't being closed after reading to test for
errors.
https://bugzilla.redhat.com/show_bug.cgi?id=1992439
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/cadata.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/cadata.c b/src/cadata.c
index 3e916c9..d851b9e 100644
--- a/src/cadata.c
+++ b/src/cadata.c
@@ -772,8 +772,10 @@ cm_cadata_start_generic(struct cm_store_ca *ca, const char *op,
cm_log(1, "Error running enrollment helper \"%s\": %s.\n",
ca->cm_ca_external_helper, strerror(u));
talloc_free(ret);
+ close(error_fd[0]);
return NULL;
}
+ close(error_fd[0]);
return ret;
}
--
2.31.1

80
SOURCES/0008-Use-extensions-template-from-NSS.patch
View File

@ -1,80 +0,0 @@
From 9312d1892c611d9f0e814cb915488182da2b76cc Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 4 Oct 2021 15:55:44 +0200
Subject: [PATCH] Use extensions template from NSS
Drop certmonger's custom extension template and use the sequence of X509v3
extensions template from NSS.
The certmonger template had a bug that caused certmonger to create CSRs
with invalid DER. It was encoding extension's critical element even for
default value FALSE.
Fixes: https://pagure.io/certmonger/issue/223
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
src/certext.c | 41 +----------------------------------------
1 file changed, 1 insertion(+), 40 deletions(-)
diff --git a/src/certext.c b/src/certext.c
index be536987..0d66971e 100644
--- a/src/certext.c
+++ b/src/certext.c
@@ -203,45 +203,6 @@ cm_ms_template_template[] = {
{0, 0, NULL, 0},
};
-/* RFC 5280, 4.1 */
-const SEC_ASN1Template
-cm_certext_cert_extension_template[] = {
- {
- .kind = SEC_ASN1_SEQUENCE,
- .offset = 0,
- .sub = NULL,
- .size = sizeof(CERTCertExtension),
- },
- {
- .kind = SEC_ASN1_OBJECT_ID,
- .offset = offsetof(CERTCertExtension, id),
- .sub = NULL,
- .size = sizeof(SECItem),
- },
- {
- .kind = SEC_ASN1_BOOLEAN,
- .offset = offsetof(CERTCertExtension, critical),
- .sub = NULL,
- .size = sizeof(SECItem),
- },
- {
- .kind = SEC_ASN1_OCTET_STRING,
- .offset = offsetof(CERTCertExtension, value),
- .sub = NULL,
- .size = sizeof(SECItem),
- },
- {0, 0, NULL, 0},
-};
-const SEC_ASN1Template
-cm_certext_sequence_of_cert_extension_template[] = {
- {
- .kind = SEC_ASN1_SEQUENCE_OF,
- .offset = 0,
- .sub = cm_certext_cert_extension_template,
- .size = sizeof(CERTCertExtension **),
- },
-};
-
/* Windows 2000-style UPN */
static unsigned char oid_ms_upn_name_bytes[] = {0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03};
static const SECOidData oid_ms_upn_name = {
@@ -1960,7 +1921,7 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry,
/* Encode the sequence. */
memset(&encoded, 0, sizeof(encoded));
if (i > 1) {
- template = cm_certext_sequence_of_cert_extension_template;
+ template = CERT_SequenceOfCertExtensionTemplate;
if (SEC_ASN1EncodeItem(arena, &encoded, &exts_ptr,
template) == &encoded) {
*extensions = talloc_memdup(entry, encoded.data,
--
2.31.1

280
SOURCES/0009-Use-implicit-empty-FALSE-for-extensions.patch
View File

@ -1,280 +0,0 @@
From e3e4679693efc60bc7a25983909ddfa6883ab2ec Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 4 Oct 2021 18:52:53 +0200
Subject: [PATCH] Use implicit, empty FALSE for extensions
Cemplate had a bug that caused certmonger to create CSRs with invalid DER.
It was encoding extension's critical element even for default value FALSE.
Fixes: https://pagure.io/certmonger/issue/223
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
src/certext.c | 7 +-
tests/003-csrgen-rsa/expected.out | 82 ++++++++++------------
tests/003-csrgen/expected.out | 110 +++++++++++++-----------------
3 files changed, 91 insertions(+), 108 deletions(-)
diff --git a/src/certext.c b/src/certext.c
index 0d66971e..e5e0b4dc 100644
--- a/src/certext.c
+++ b/src/certext.c
@@ -1706,9 +1706,12 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry,
CERTCertExtension ext[13], *exts[14], **exts_ptr;
SECOidData *oid;
SECItem *item, encoded;
+ /* X509v3 extension's critical element has an implicit default,
+ * see https://pagure.io/certmonger/issue/223
+ */
SECItem der_false = {
- .len = 1,
- .data = (unsigned char *) "\000",
+ .len = 0,
+ .data = NULL,
};
SECItem der_true = {
.len = 1,
diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out
index def53fe4..0fb88323 100644
--- a/tests/003-csrgen-rsa/expected.out
+++ b/tests/003-csrgen-rsa/expected.out
@@ -8,8 +8,8 @@ pk12util: PKCS12 EXPORT SUCCESSFUL
4096 OK.
Signature OK
The last CSR (the one with everything) was:
- 0:d=0 hl=4 l=1413 cons: SEQUENCE
- 4:d=1 hl=4 l=1133 cons: SEQUENCE
+ 0:d=0 hl=4 l=1389 cons: SEQUENCE
+ 4:d=1 hl=4 l=1109 cons: SEQUENCE
8:d=2 hl=2 l= 1 prim: INTEGER :00
11:d=2 hl=2 l= 22 cons: SEQUENCE
13:d=3 hl=2 l= 20 cons: SET
@@ -21,7 +21,7 @@ The last CSR (the one with everything) was:
41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
52:d=4 hl=2 l= 0 prim: NULL
54:d=3 hl=4 l= 271 prim: BIT STRING
- 329:d=2 hl=4 l= 808 cons: cont [ 0 ]
+ 329:d=2 hl=4 l= 784 cons: cont [ 0 ]
333:d=3 hl=2 l= 52 cons: SEQUENCE
335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword
346:d=4 hl=2 l= 39 cons: SET
@@ -30,48 +30,40 @@ The last CSR (the one with everything) was:
389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName
400:d=4 hl=2 l= 48 cons: SET
402:d=5 hl=2 l= 46 prim: BMPSTRING
- 450:d=3 hl=4 l= 687 cons: SEQUENCE
+ 450:d=3 hl=4 l= 663 cons: SEQUENCE
454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request
- 465:d=4 hl=4 l= 672 cons: SET
- 469:d=5 hl=4 l= 668 cons: SEQUENCE
- 473:d=6 hl=2 l= 14 cons: SEQUENCE
+ 465:d=4 hl=4 l= 648 cons: SET
+ 469:d=5 hl=4 l= 644 cons: SEQUENCE
+ 473:d=6 hl=2 l= 11 cons: SEQUENCE
475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
- 489:d=6 hl=4 l= 264 cons: SEQUENCE
- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 501:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]:3081FA82096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74
- 757:d=6 hl=2 l= 32 cons: SEQUENCE
- 759:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
- 764:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 767:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
- 791:d=6 hl=2 l= 18 cons: SEQUENCE
- 793:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
- 798:d=7 hl=2 l= 1 prim: BOOLEAN :255
- 801:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
- 811:d=6 hl=2 l= 34 cons: SEQUENCE
- 813:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
- 818:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 821:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
- 847:d=6 hl=2 l= 32 cons: SEQUENCE
- 849:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
- 854:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 857:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
- 881:d=6 hl=2 l= 107 cons: SEQUENCE
- 883:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
- 893:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 896:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
- 990:d=6 hl=2 l= 96 cons: SEQUENCE
- 992:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
- 997:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1000:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
- 1088:d=6 hl=2 l= 51 cons: SEQUENCE
- 1090:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
- 1101:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1104:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
- 1141:d=1 hl=2 l= 13 cons: SEQUENCE
- 1143:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
- 1154:d=2 hl=2 l= 0 prim: NULL
- 1156:d=1 hl=4 l= 257 prim: BIT STRING
+ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
+ 486:d=6 hl=4 l= 261 cons: SEQUENCE
+ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
+ 495:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]:3081FA82096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74
+ 751:d=6 hl=2 l= 29 cons: SEQUENCE
+ 753:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
+ 758:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
+ 782:d=6 hl=2 l= 18 cons: SEQUENCE
+ 784:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
+ 789:d=7 hl=2 l= 1 prim: BOOLEAN :255
+ 792:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
+ 802:d=6 hl=2 l= 31 cons: SEQUENCE
+ 804:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
+ 809:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
+ 835:d=6 hl=2 l= 29 cons: SEQUENCE
+ 837:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
+ 842:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
+ 866:d=6 hl=2 l= 104 cons: SEQUENCE
+ 868:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
+ 878:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
+ 972:d=6 hl=2 l= 93 cons: SEQUENCE
+ 974:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
+ 979:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
+ 1067:d=6 hl=2 l= 48 cons: SEQUENCE
+ 1069:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
+ 1080:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
+ 1117:d=1 hl=2 l= 13 cons: SEQUENCE
+ 1119:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
+ 1130:d=2 hl=2 l= 0 prim: NULL
+ 1132:d=1 hl=4 l= 257 prim: BIT STRING
Test complete (32 combinations).
diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out
index 46e010cf..1081a678 100644
--- a/tests/003-csrgen/expected.out
+++ b/tests/003-csrgen/expected.out
@@ -11,8 +11,8 @@ Signature OK
minicert.openssl.4096.pem: OK
4096 OK.
The last CSR (the one with everything) was:
- 0:d=0 hl=4 l=1635 cons: SEQUENCE
- 4:d=1 hl=4 l=1355 cons: SEQUENCE
+ 0:d=0 hl=4 l=1599 cons: SEQUENCE
+ 4:d=1 hl=4 l=1319 cons: SEQUENCE
8:d=2 hl=2 l= 1 prim: INTEGER :00
11:d=2 hl=2 l= 22 cons: SEQUENCE
13:d=3 hl=2 l= 20 cons: SET
@@ -24,7 +24,7 @@ The last CSR (the one with everything) was:
41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
52:d=4 hl=2 l= 0 prim: NULL
54:d=3 hl=4 l= 271 prim: BIT STRING
- 329:d=2 hl=4 l=1030 cons: cont [ 0 ]
+ 329:d=2 hl=4 l= 994 cons: cont [ 0 ]
333:d=3 hl=2 l= 52 cons: SEQUENCE
335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword
346:d=4 hl=2 l= 39 cons: SET
@@ -33,64 +33,52 @@ The last CSR (the one with everything) was:
389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName
400:d=4 hl=2 l= 48 cons: SET
402:d=5 hl=2 l= 46 prim: BMPSTRING
- 450:d=3 hl=4 l= 909 cons: SEQUENCE
+ 450:d=3 hl=4 l= 873 cons: SEQUENCE
454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request
- 465:d=4 hl=4 l= 894 cons: SET
- 469:d=5 hl=4 l= 890 cons: SEQUENCE
- 473:d=6 hl=2 l= 14 cons: SEQUENCE
+ 465:d=4 hl=4 l= 858 cons: SET
+ 469:d=5 hl=4 l= 854 cons: SEQUENCE
+ 473:d=6 hl=2 l= 11 cons: SEQUENCE
475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
- 489:d=6 hl=4 l= 290 cons: SEQUENCE
- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 501:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]:3082011282096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F7487047F000001871000000000000000000000000000000001
- 783:d=6 hl=2 l= 32 cons: SEQUENCE
- 785:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
- 790:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 793:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
- 817:d=6 hl=2 l= 18 cons: SEQUENCE
- 819:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
- 824:d=7 hl=2 l= 1 prim: BOOLEAN :255
- 827:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
- 837:d=6 hl=2 l= 34 cons: SEQUENCE
- 839:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
- 844:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 847:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
- 873:d=6 hl=2 l= 32 cons: SEQUENCE
- 875:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
- 880:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 883:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
- 907:d=6 hl=2 l= 107 cons: SEQUENCE
- 909:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
- 919:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 922:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
- 1016:d=6 hl=2 l= 96 cons: SEQUENCE
- 1018:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
- 1023:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1026:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
- 1114:d=6 hl=2 l= 106 cons: SEQUENCE
- 1116:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL
- 1121:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1124:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461
- 1222:d=6 hl=2 l= 51 cons: SEQUENCE
- 1224:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
- 1235:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1238:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
- 1275:d=6 hl=2 l= 18 cons: SEQUENCE
- 1277:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check
- 1288:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1291:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500
- 1295:d=6 hl=2 l= 44 cons: SEQUENCE
- 1297:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2
- 1308:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1311:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074
- 1341:d=6 hl=2 l= 20 cons: SEQUENCE
- 1343:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type
- 1354:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1357:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0
- 1363:d=1 hl=2 l= 13 cons: SEQUENCE
- 1365:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
- 1376:d=2 hl=2 l= 0 prim: NULL
- 1378:d=1 hl=4 l= 257 prim: BIT STRING
+ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
+ 486:d=6 hl=4 l= 287 cons: SEQUENCE
+ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
+ 495:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]:3082011282096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F7487047F000001871000000000000000000000000000000001
+ 777:d=6 hl=2 l= 29 cons: SEQUENCE
+ 779:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
+ 784:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
+ 808:d=6 hl=2 l= 18 cons: SEQUENCE
+ 810:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
+ 815:d=7 hl=2 l= 1 prim: BOOLEAN :255
+ 818:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
+ 828:d=6 hl=2 l= 31 cons: SEQUENCE
+ 830:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
+ 835:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
+ 861:d=6 hl=2 l= 29 cons: SEQUENCE
+ 863:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
+ 868:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
+ 892:d=6 hl=2 l= 104 cons: SEQUENCE
+ 894:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
+ 904:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
+ 998:d=6 hl=2 l= 93 cons: SEQUENCE
+ 1000:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
+ 1005:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
+ 1093:d=6 hl=2 l= 103 cons: SEQUENCE
+ 1095:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL
+ 1100:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461
+ 1198:d=6 hl=2 l= 48 cons: SEQUENCE
+ 1200:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
+ 1211:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
+ 1248:d=6 hl=2 l= 15 cons: SEQUENCE
+ 1250:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check
+ 1261:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500
+ 1265:d=6 hl=2 l= 41 cons: SEQUENCE
+ 1267:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2
+ 1278:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074
+ 1308:d=6 hl=2 l= 17 cons: SEQUENCE
+ 1310:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type
+ 1321:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0
+ 1327:d=1 hl=2 l= 13 cons: SEQUENCE
+ 1329:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
+ 1340:d=2 hl=2 l= 0 prim: NULL
+ 1342:d=1 hl=4 l= 257 prim: BIT STRING
Test complete (69 combinations).
--
2.31.1

25
SPECS/certmonger.spec
View File

@ -10,24 +10,18 @@
%bcond_without xmlrpc %bcond_without xmlrpc
Name: certmonger Name: certmonger
Version: 0.79.13 Version: 0.79.17
Release: 5%{?dist} Release: 2%{?dist}
Summary: Certificate status monitor and PKI enrollment client Summary: Certificate status monitor and PKI enrollment client
Group: System Environment/Daemons Group: System Environment/Daemons
License: GPLv3+ License: GPLv3+
URL: http://pagure.io/certmonger/ URL: http://pagure.io/certmonger/
Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
#Source1: http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig
Patch0001: 0001-Don-t-run-the-002-keygen-tests-when-root.patch Patch0001: 0001-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch
Patch0002: 0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch Patch0002: 0002-Don-t-run-the-002-keygen-tests-when-root.patch
Patch0003: 0003-Fix-local-CA-to-work-under-FIPS.patch
Patch0004: 0004-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch
Patch0005: 0005-Add-NULL-checks-before-string-compares-when-analyzin.patch
Patch0006: 0006-Display-not_before-in-getcert-output.patch
Patch0007: 0007-Fix-file-descriptor-leak-when-executing-CA-helpers.patch
Patch0008: 0008-Use-extensions-template-from-NSS.patch
Patch0009: 0009-Use-implicit-empty-FALSE-for-extensions.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
@ -242,6 +236,15 @@ exit 0
%endif %endif
%changelog %changelog
* Wed Dec 7 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-2
- Skip the keygen tests when executed as root.
* Tue Dec 6 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-1
- Update to upstream 0.79.17 (#2139523)
- Certificate format validation when adding the SCEP server's CA (#2150025)
- Certmonger SCEP renewal should not use old challenges (#2150030)
- certmonger SEGV during rekey in FIPS mode (#2150070)
* Mon Oct 18 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-5 * Mon Oct 18 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-5
- certmonger creates CSRs with invalid DER syntax for X509v3 extensions - certmonger creates CSRs with invalid DER syntax for X509v3 extensions
with critical=FALSE (#2012258) with critical=FALSE (#2012258)