import certmonger-0.79.13-2.el8

This commit is contained in:
CentOS Sources 2020-11-25 06:09:13 +00:00 committed by Andrew Lukoshko
parent 88bf362ae0
commit e6eb41270c
35 changed files with 268 additions and 9655 deletions


@ -1 +1 @@
f73818aec2b6e1d9765af188547e2c82e644209c SOURCES/certmonger-0.79.7.tar.gz
eecb2ceb6f293cf30ffed148fb3ad5021febe301 SOURCES/certmonger-0.79.13.tar.gz

2
.gitignore vendored

@ -1 +1 @@
SOURCES/certmonger-0.79.7.tar.gz
SOURCES/certmonger-0.79.13.tar.gz


@ -0,0 +1,38 @@
From a176d474644e0f1f2ce520ed69b04dc649ed2bed Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 29 Oct 2020 10:13:08 -0400
Subject: [PATCH] Don't run the 002-keygen-* tests when root
The permissions tests will fail.
---
tests/002-keygen-dbm/prequal.sh | 5 +++++
tests/002-keygen-sql/prequal.sh | 5 +++++
2 files changed, 10 insertions(+)
create mode 100755 tests/002-keygen-dbm/prequal.sh
create mode 100755 tests/002-keygen-sql/prequal.sh
diff --git a/tests/002-keygen-dbm/prequal.sh b/tests/002-keygen-dbm/prequal.sh
new file mode 100755
index 00000000..d146a650
--- /dev/null
+++ b/tests/002-keygen-dbm/prequal.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+if test `id -u` -eq 0 ; then
+ echo "This test won't work right if run as root."
+ exit 1
+fi
diff --git a/tests/002-keygen-sql/prequal.sh b/tests/002-keygen-sql/prequal.sh
new file mode 100755
index 00000000..d146a650
--- /dev/null
+++ b/tests/002-keygen-sql/prequal.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+if test `id -u` -eq 0 ; then
+ echo "This test won't work right if run as root."
+ exit 1
+fi
--
2.25.4
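Review bot: The root-detection line in both new prequal.sh files (`if test `id -u` -eq 0 ; then`) sends its diagnostic to stdout and uses backticks with an unquoted substitution; if `id` ever fails or prints nothing, `test` errors out with a non-zero status and the `if` silently falls through, so the keygen test would run as if the caller were unprivileged. A tighter, still POSIX-sh form is `if [ "$(id -u)" -eq 0 ]; then` with `echo "This test won't work right if run as root." >&2`, keeping the message off stdout where the harness may capture test output. The `exit 1` from prequal.sh presumably makes the harness skip rather than fail the test, matching how tests/028-dbus/prequal.sh handles missing dependencies elsewhere in this commit; a one-line comment such as `# Root bypasses DAC, so the permission checks in this test cannot fail as expected.` would record why the check exists. Both files are byte-identical (same blob d146a650), so a shared helper in the tests' functions file would avoid the duplication, though that is a style choice.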


@ -1,293 +0,0 @@
From fd17f002b2f4150a1fddc2582a21c6c03933a28a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 23 Feb 2018 10:43:44 -0500
Subject: [PATCH] NSS crypto policy sets minimum RSA and DSA key size to 2048
Remove keys < 2048 for the NSS tests. This affects some of the
OpenSSL tests as well where they run in a combined loop.
Where it was not invasive to do I left the 1024/1536 for OpenSSL.
---
tests/001-keyiread-dsa/expected.out | 6 +++---
tests/001-keyiread-dsa/run.sh | 2 +-
tests/001-keyiread-rsa/expected.out | 2 --
tests/001-keyiread-rsa/run.sh | 2 +-
tests/001-keyiread/expected.out | 2 --
tests/001-keyiread/run.sh | 2 +-
tests/002-keygen-rsa/expected.out | 6 ------
tests/002-keygen-rsa/run.sh | 2 +-
tests/002-keygen/expected.out | 18 ------------------
tests/002-keygen/run.sh | 2 +-
tests/003-csrgen-rsa/expected.out | 6 ------
tests/003-csrgen-rsa/run.sh | 4 ++--
tests/003-csrgen/expected.out | 8 --------
tests/003-csrgen/run.sh | 4 ++--
tests/004-selfsign-rsa/expected.out | 2 --
tests/004-selfsign-rsa/run.sh | 2 +-
tests/004-selfsign/expected.out | 2 --
tests/004-selfsign/run.sh | 2 +-
18 files changed, 14 insertions(+), 60 deletions(-)
diff --git a/tests/001-keyiread-dsa/expected.out b/tests/001-keyiread-dsa/expected.out
index b09db0ae..50643176 100644
--- a/tests/001-keyiread-dsa/expected.out
+++ b/tests/001-keyiread-dsa/expected.out
@@ -1,4 +1,4 @@
-OK (DSA:1024).
-OK (DSA:1024).
-OK (DSA:1024).
+OK (DSA:2048).
+OK (DSA:2048).
+OK (DSA:2048).
Test complete.
diff --git a/tests/001-keyiread-dsa/run.sh b/tests/001-keyiread-dsa/run.sh
index 9f96b3bc..68f6d1c3 100755
--- a/tests/001-keyiread-dsa/run.sh
+++ b/tests/001-keyiread-dsa/run.sh
@@ -5,7 +5,7 @@ cd "$tmpdir"
source "$srcdir"/functions
initnssdb "$tmpdir"
-for size in 1024 ; do
+for size in 2048 ; do
# Generate a self-signed cert.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
diff --git a/tests/001-keyiread-rsa/expected.out b/tests/001-keyiread-rsa/expected.out
index 727897d1..3daa51f2 100644
--- a/tests/001-keyiread-rsa/expected.out
+++ b/tests/001-keyiread-rsa/expected.out
@@ -1,5 +1,3 @@
-OK (RSA:1024).
-OK (RSA:1536).
OK (RSA:2048).
OK (RSA:3072).
OK (RSA:4096).
diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh
index c7b77686..ec31c7c7 100755
--- a/tests/001-keyiread-rsa/run.sh
+++ b/tests/001-keyiread-rsa/run.sh
@@ -5,7 +5,7 @@ cd "$tmpdir"
source "$srcdir"/functions
initnssdb "$tmpdir"
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
# Generate a self-signed cert.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
diff --git a/tests/001-keyiread/expected.out b/tests/001-keyiread/expected.out
index 727897d1..3daa51f2 100644
--- a/tests/001-keyiread/expected.out
+++ b/tests/001-keyiread/expected.out
@@ -1,5 +1,3 @@
-OK (RSA:1024).
-OK (RSA:1536).
OK (RSA:2048).
OK (RSA:3072).
OK (RSA:4096).
diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh
index ce1428ed..0b31df95 100755
--- a/tests/001-keyiread/run.sh
+++ b/tests/001-keyiread/run.sh
@@ -5,7 +5,7 @@ cd "$tmpdir"
source "$srcdir"/functions
initnssdb "$tmpdir"
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
# Generate a self-signed cert.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
diff --git a/tests/002-keygen-rsa/expected.out b/tests/002-keygen-rsa/expected.out
index 3e6e9f3c..f7c146d0 100644
--- a/tests/002-keygen-rsa/expected.out
+++ b/tests/002-keygen-rsa/expected.out
@@ -1,9 +1,3 @@
-[nss:1024]
-OK.
-OK (RSA:1024).
-[nss:1536]
-OK.
-OK (RSA:1536).
[nss:2048]
OK.
OK (RSA:2048).
diff --git a/tests/002-keygen-rsa/run.sh b/tests/002-keygen-rsa/run.sh
index 476f4127..c0c59249 100755
--- a/tests/002-keygen-rsa/run.sh
+++ b/tests/002-keygen-rsa/run.sh
@@ -5,7 +5,7 @@ cd "$tmpdir"
source "$srcdir"/functions
initnssdb "$tmpdir"
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
echo "[nss:$size]"
# Generate a key.
cat > entry.$size <<- EOF
diff --git a/tests/002-keygen/expected.out b/tests/002-keygen/expected.out
index dcd1af06..b8fbea56 100644
--- a/tests/002-keygen/expected.out
+++ b/tests/002-keygen/expected.out
@@ -1,21 +1,3 @@
-[nss:1024]
-OK.
-OK (RSA:1024).
-OK.
-OK (RSA:1024 after RSA:1024).
-OK.
-OK (RSA:1024 after RSA:1024).
-keyi1024
-keyi1024 (candidate (next))
-[nss:1536]
-OK.
-OK (RSA:1536).
-OK.
-OK (RSA:1536 after RSA:1536).
-OK.
-OK (RSA:1536 after RSA:1536).
-keyi1536
-keyi1536 (candidate (next))
[nss:2048]
OK.
OK (RSA:2048).
diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh
index 08af1523..94230e6f 100755
--- a/tests/002-keygen/run.sh
+++ b/tests/002-keygen/run.sh
@@ -7,7 +7,7 @@ scheme="${scheme:-dbm:}"
source "$srcdir"/functions
initnssdb "$scheme$tmpdir"
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
echo "[nss:$size]"
# Generate a key.
cat > entry.$size <<- EOF
diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out
index c9dec729..def53fe4 100644
--- a/tests/003-csrgen-rsa/expected.out
+++ b/tests/003-csrgen-rsa/expected.out
@@ -1,10 +1,4 @@
pk12util: PKCS12 EXPORT SUCCESSFUL
-1024 OK.
-Signature OK
-pk12util: PKCS12 EXPORT SUCCESSFUL
-1536 OK.
-Signature OK
-pk12util: PKCS12 EXPORT SUCCESSFUL
2048 OK.
Signature OK
pk12util: PKCS12 EXPORT SUCCESSFUL
diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
index 4cd84084..bb8ebecb 100755
--- a/tests/003-csrgen-rsa/run.sh
+++ b/tests/003-csrgen-rsa/run.sh
@@ -5,7 +5,7 @@ cd "$tmpdir"
source "$srcdir"/functions
initnssdb "$tmpdir"
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
# Build a self-signed certificate.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
@@ -147,7 +147,7 @@ iterate() {
iteration=1
-for size in 1024 ; do
+for size in 2048 ; do
iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment"
done
diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out
index 8e6cac6e..04342c0f 100644
--- a/tests/003-csrgen/expected.out
+++ b/tests/003-csrgen/expected.out
@@ -1,13 +1,5 @@
pk12util: PKCS12 EXPORT SUCCESSFUL
Signature OK
-minicert.openssl.1024.pem: OK
-1024 OK.
-pk12util: PKCS12 EXPORT SUCCESSFUL
-Signature OK
-minicert.openssl.1536.pem: OK
-1536 OK.
-pk12util: PKCS12 EXPORT SUCCESSFUL
-Signature OK
minicert.openssl.2048.pem: OK
2048 OK.
pk12util: PKCS12 EXPORT SUCCESSFUL
diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
index 7c169ed9..31466b5c 100755
--- a/tests/003-csrgen/run.sh
+++ b/tests/003-csrgen/run.sh
@@ -5,7 +5,7 @@ cd "$tmpdir"
source "$srcdir"/functions
initnssdb "$tmpdir"
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
# Build a self-signed certificate.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
@@ -199,7 +199,7 @@ iterate() {
iteration=1
-for size in 1024 ; do
+for size in 2048 ; do
iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype"
done
diff --git a/tests/004-selfsign-rsa/expected.out b/tests/004-selfsign-rsa/expected.out
index dd5029ec..0eb84ef1 100644
--- a/tests/004-selfsign-rsa/expected.out
+++ b/tests/004-selfsign-rsa/expected.out
@@ -1,5 +1,3 @@
-1024 OK.
-1536 OK.
2048 OK.
3072 OK.
4096 OK.
diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh
index 6f9285b6..c1dd4c80 100755
--- a/tests/004-selfsign-rsa/run.sh
+++ b/tests/004-selfsign-rsa/run.sh
@@ -33,7 +33,7 @@ function setupca() {
EOF
}
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
# Build a self-signed certificate.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
diff --git a/tests/004-selfsign/expected.out b/tests/004-selfsign/expected.out
index dd5029ec..0eb84ef1 100644
--- a/tests/004-selfsign/expected.out
+++ b/tests/004-selfsign/expected.out
@@ -1,5 +1,3 @@
-1024 OK.
-1536 OK.
2048 OK.
3072 OK.
4096 OK.
diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh
index 7bb368ec..eb1df4ee 100755
--- a/tests/004-selfsign/run.sh
+++ b/tests/004-selfsign/run.sh
@@ -43,7 +43,7 @@ function setupca() {
EOF
}
-for size in 1024 1536 2048 3072 4096 ; do
+for size in 2048 3072 4096 ; do
# Build a self-signed certificate.
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
--
2.16.2


@ -1,788 +0,0 @@
From 653cd0571fe92c9fd4323f93ff23b9720c00fd5f Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 31 Jul 2018 13:09:02 -0400
Subject: [PATCH] Convert tests to use python3
---
tests/028-dbus/expected.out | 32 +-
tests/028-dbus/expected.out.nodsa | 22 +-
tests/028-dbus/prequal.sh | 8 +-
tests/028-dbus/run.sh | 9 +-
tests/028-dbus/runsub.sh | 2 +-
tests/028-dbus/simpleprop.py | 14 +-
tests/028-dbus/walk.py | 392 ++++++++++----------
tests/038-ms-v2-template/extract-extdata.py | 5 +-
8 files changed, 243 insertions(+), 241 deletions(-)
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
index ca3179e..1d8bec4 100644
--- a/tests/028-dbus/expected.out
+++ b/tests/028-dbus/expected.out
@@ -1,5 +1,3 @@
-Certificate in file "${tmpdir}/test.crt" issued by CA and saved.
-Certificate in file "${tmpdir}/test.crt" issued by CA and saved.
[[ getcert ]]
State MONITORING, stuck: no.
Number of certificates and requests being tracked: 1.
@@ -187,13 +185,13 @@ dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.Object
dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_types ]
-dbus.Array([dbus.String(u'RSA'), dbus.String(u'DSA'), dbus.String(u'EC')], signature=dbus.Signature('s'))
+dbus.Array([dbus.String('RSA'), dbus.String('DSA'), dbus.String('EC')], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_storage ]
-dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_cert_storage ]
-dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger : org.fedorahosted.certmonger.remove_known_ca ]
OK
@@ -433,19 +431,19 @@ Buddy
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ]
-(dbus.String(u'CN=$UUID,CN=Local Signing Authority'), dbus.String(u'$UUID'), dbus.String(u'CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
+(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ]
recently
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_storage_info ]
-(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.crt'))
+(dbus.String('FILE'), dbus.String('$tmpdir/test.crt'))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_data ]
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_info ]
-(dbus.String(u'CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'id-kp-serverAuth')], signature=dbus.Signature('s')))
+(dbus.String('CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('id-kp-serverAuth')], signature=dbus.Signature('s')))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_pin ]
@@ -454,19 +452,19 @@ recently
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_storage_info ]
-(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.key'))
+(dbus.String('FILE'), dbus.String('$tmpdir/test.key'))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_type_and_size ]
-(dbus.String(u'RSA'), dbus.Int64(512L))
+(dbus.String('RSA'), dbus.Int64(512))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_monitoring ]
1
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_notification_info ]
-(dbus.String(u'stdout'), dbus.String(u'daemon.notice'))
+(dbus.String('stdout'), dbus.String('daemon.notice'))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_status ]
-(dbus.String(u'MONITORING'), dbus.Boolean(False))
+(dbus.String('MONITORING'), dbus.Boolean(False))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_ca ]
/org/fedorahosted/certmonger/cas/CA1
@@ -482,7 +480,7 @@ recently
[ /org/fedorahosted/certmonger/requests/Request2 : org.fedorahosted.certmonger.request.modify ]
1 on /org/fedorahosted/certmonger/requests/Request2
-After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
+After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String('1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.rekey ]
1
@@ -713,7 +711,7 @@ dbus.Array([], signature=dbus.Signature('s'))
</node>
[ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236
+$tmpdir/cas/date
[ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_nickname ]
SelfSign
@@ -828,7 +826,7 @@ dbus.Array([], signature=dbus.Signature('s'))
</node>
[ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-1
+$tmpdir/cas/date-1
[ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_nickname ]
IPA
@@ -941,7 +939,7 @@ dbus.Array([], signature=dbus.Signature('s'))
</node>
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-2
+$tmpdir/cas/date-2
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
certmaster
@@ -1054,7 +1052,7 @@ dbus.Array([], signature=dbus.Signature('s'))
</node>
[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-3
+$tmpdir/cas/date-3
[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
dogtag-ipa-renew-agent
diff --git a/tests/028-dbus/expected.out.nodsa b/tests/028-dbus/expected.out.nodsa
index a23af40..5082ee0 100644
--- a/tests/028-dbus/expected.out.nodsa
+++ b/tests/028-dbus/expected.out.nodsa
@@ -187,13 +187,13 @@ dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.Object
dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_types ]
-dbus.Array([dbus.String(u'RSA'), dbus.String(u'EC')], signature=dbus.Signature('s'))
+dbus.Array([dbus.String('RSA'), dbus.String('EC')], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_storage ]
-dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_cert_storage ]
-dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger : org.fedorahosted.certmonger.remove_known_ca ]
OK
@@ -432,19 +432,19 @@ Buddy
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ]
-(dbus.String(u'CN=$UUID,CN=Local Signing Authority'), dbus.String(u'$UUID'), dbus.String(u'CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
+(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ]
recently
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_storage_info ]
-(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.crt'))
+(dbus.String('FILE'), dbus.String('$tmpdir/test.crt'))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_data ]
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_info ]
-(dbus.String(u'CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'id-kp-serverAuth')], signature=dbus.Signature('s')))
+(dbus.String('CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('id-kp-serverAuth')], signature=dbus.Signature('s')))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_pin ]
@@ -453,19 +453,19 @@ recently
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_storage_info ]
-(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.key'))
+(dbus.String('FILE'), dbus.String('$tmpdir/test.key'))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_type_and_size ]
-(dbus.String(u'RSA'), dbus.Int64(512L))
+(dbus.String('RSA'), dbus.Int64(512))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_monitoring ]
1
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_notification_info ]
-(dbus.String(u'stdout'), dbus.String(u'daemon.notice'))
+(dbus.String('stdout'), dbus.String('daemon.notice'))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_status ]
-(dbus.String(u'MONITORING'), dbus.Boolean(False))
+(dbus.String('MONITORING'), dbus.Boolean(False))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_ca ]
/org/fedorahosted/certmonger/cas/CA1
@@ -481,7 +481,7 @@ recently
[ /org/fedorahosted/certmonger/requests/Request2 : org.fedorahosted.certmonger.request.modify ]
1 on /org/fedorahosted/certmonger/requests/Request2
-After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
+After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String('1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.rekey ]
1
diff --git a/tests/028-dbus/prequal.sh b/tests/028-dbus/prequal.sh
index e645c19..4fe79c8 100755
--- a/tests/028-dbus/prequal.sh
+++ b/tests/028-dbus/prequal.sh
@@ -9,19 +9,19 @@ if test -z "$DBUSDAEMON" ; then
echo dbus-daemon not found
exit 1
fi
-if ! python -c 'import os' 2> /dev/null ; then
+if ! python3 -c 'import os' 2> /dev/null ; then
echo python not found
exit 1
fi
-if ! python -c 'import dbus' 2> /dev/null ; then
+if ! python3 -c 'import dbus' 2> /dev/null ; then
echo python-dbus not found
exit 1
fi
-if ! python -c 'import xml' 2> /dev/null ; then
+if ! python3 -c 'import xml' 2> /dev/null ; then
echo python-xml not found
exit 1
fi
-if ! python -c 'import xml.etree.ElementTree' 2> /dev/null ; then
+if ! python3 -c 'import xml.etree.ElementTree' 2> /dev/null ; then
echo python-xml does not include etree.ElementTree
exit 1
fi
diff --git a/tests/028-dbus/run.sh b/tests/028-dbus/run.sh
index c468d51..ee90875 100755
--- a/tests/028-dbus/run.sh
+++ b/tests/028-dbus/run.sh
@@ -23,7 +23,7 @@ EOF
$DBUSDAEMON --session --print-address=3 --print-pid=4 --fork 3> $tmpdir/address 4> $tmpdir/pid
if test -s $tmpdir/pid ; then
env DBUS_SESSION_BUS_ADDRESS=`cat $tmpdir/address` \
- $toolsdir/../../src/certmonger-session -n -c $tmpdir/runsub.sh
+ $toolsdir/../../src/certmonger-session -n -c $tmpdir/runsub.sh > /dev/null
fi
kill `cat $tmpdir/pid`
@@ -33,8 +33,8 @@ now=`date +%s`
for i in `seq 240` ; do
recently=$(($now-$i))
tomorrow=$(($now-$i+24*60*60))
- sed -i -e s/^$recently'$/recently/g' -e s/"("$recently"L)"/'(recently)'/g \
- -e s/^$tomorrow'$/tomorrow/g' -e s/"("$tomorrow"L)"/'(tomorrow)'/g $tmpdir/runsub.out
+ sed -i -e s/^$recently'$/recently/g' -e s/"("$recently")"/'(recently)'/g \
+ -e s/^$tomorrow'$/tomorrow/g' -e s/"("$tomorrow")"/'(tomorrow)'/g $tmpdir/runsub.out
done
cat $tmpdir/runsub.out | \
@@ -43,4 +43,5 @@ sed -r -e 's,CN=........-........-........-........,CN=$UUID,g' \
-e "s|$libexecdir|\$libexecdir|g" \
-e "s|$tmpdir|\$tmpdir|g" \
-e "s|expires:.*|expires: sometime|g" \
- -e "s|u'(00)?[0-9a-fA-F]{32}|u'"'$UUID|g'
+ -e "s|'(00)?[0-9a-fA-F]{32}|'"'$UUID|g' \
+ -e "s|cas\/[0-9]{14}|cas\/date|g"
diff --git a/tests/028-dbus/runsub.sh b/tests/028-dbus/runsub.sh
index 3510d79..fe6766c 100755
--- a/tests/028-dbus/runsub.sh
+++ b/tests/028-dbus/runsub.sh
@@ -22,5 +22,5 @@ echo ""
echo "[[ API ]]"
for i in ./*.py ; do
echo "[" `basename "$i"` "]"
- python $i
+ python3 $i
done
diff --git a/tests/028-dbus/simpleprop.py b/tests/028-dbus/simpleprop.py
index e4f937e..35d9591 100644
--- a/tests/028-dbus/simpleprop.py
+++ b/tests/028-dbus/simpleprop.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
import dbus
# Get a handle for the main certmonger interface.
@@ -19,7 +19,7 @@ ca = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
# Toggle the helper a couple of times.
ca_ext_h = o.Get('org.fedorahosted.certmonger.ca', 'external-helper')
-print ca_ext_h, "->",
+print(ca_ext_h, "-> ", end='')
if ca_ext_h.split()[0] == ca_ext_h:
ca_ext_h += ' -k admin@localhost'
@@ -28,7 +28,7 @@ else:
ca.Set('org.fedorahosted.certmonger.ca', 'external-helper', ca_ext_h)
ca_ext_h = o.Get('org.fedorahosted.certmonger.ca', 'external-helper')
-print ca_ext_h, "->",
+print(ca_ext_h, "-> ", end='')
if ca_ext_h.split()[0] == ca_ext_h:
ca_ext_h += ' -k admin@localhost'
@@ -37,20 +37,20 @@ else:
ca.Set('org.fedorahosted.certmonger.ca', 'external-helper', ca_ext_h)
ca_ext_h = o.Get('org.fedorahosted.certmonger.ca', 'external-helper')
-print ca_ext_h
+print(ca_ext_h)
# Toggle the "is-default" value a couple of times.
isdef = ca.Get('org.fedorahosted.certmonger.ca', 'is-default')
-print isdef, "->",
+print(isdef, "-> ", end='')
ca.Set('org.fedorahosted.certmonger.ca', 'is-default', not isdef)
isdef = ca.Get('org.fedorahosted.certmonger.ca', 'is-default')
-print isdef, "->",
+print(isdef, "-> ", end='')
ca.Set('org.fedorahosted.certmonger.ca', 'is-default', not isdef)
isdef = ca.Get('org.fedorahosted.certmonger.ca', 'is-default')
-print isdef
+print(isdef)
cm.remove_known_ca(path)
diff --git a/tests/028-dbus/walk.py b/tests/028-dbus/walk.py
index f60ca93..683d94e 100644
--- a/tests/028-dbus/walk.py
+++ b/tests/028-dbus/walk.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
import dbus
import xml.etree.ElementTree
import os
@@ -9,217 +9,219 @@ bus = dbus.SessionBus()
# Check that reading a property directly produces the same value as reading it via GetAll().
def check_props(objpath, interface):
- o = bus.get_object('org.fedorahosted.certmonger', objpath)
- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
- props = i.GetAll(interface)
- for prop in props.keys():
- value = props[prop]
- if value != i.Get(interface, prop):
- print("%s: property %s.%s mismatch (%s, %s)" % (objpath, interface, prop, value, i.Get(interface, prop)))
- return False
- return True
+ o = bus.get_object('org.fedorahosted.certmonger', objpath)
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
+ props = i.GetAll(interface)
+ for prop in props.keys():
+ value = props[prop]
+ if value != i.Get(interface, prop):
+ print("%s: property %s.%s mismatch (%s, %s)" % (objpath, interface, prop, value, i.Get(interface, prop)))
+ return False
+ return True
# Try to call the method.
def examine_method(objpath, interface, method, idata):
- in_args = 0
- out_args = 0
- o = bus.get_object('org.fedorahosted.certmonger', objpath)
- i = dbus.Interface(o, interface)
- for child in idata.getchildren():
- if child.tag == 'arg':
- if child.get('direction') != 'out':
- in_args = in_args + 1
- else:
- out_args = out_args + 1
- if in_args == 0:
- # Takes no inputs, so just call it.
- m = i.get_dbus_method(method)
- if out_args == 0:
- m()
- print("[ %s: %s.%s ]\n" % (objpath, interface, method))
- elif out_args == 1:
- result = m()
- print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
- else:
- result = m()
- print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
- elif method == 'Get' or method == 'Set' or method == 'GetAll':
- # We check on properties elsewhere.
- return True
- # Per-method exercise.
- elif method == 'add_known_ca' or method == 'remove_known_ca':
- (result, path) = i.add_known_ca('Test CA', '/usr/bin/env', [])
- if not result:
- print("[ %s : %s.%s ]: add_known_ca error\n" % (objpath, interface, method))
- return False
- result = i.remove_known_ca(path)
- if not result:
- print("[ %s : %s.%s ]: remove_known_ca error\n" % (objpath, interface, method))
- return False
- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
- elif method == 'add_request' or method == 'remove_request':
- tmpdir = os.getenv('TMPDIR')
- if not tmpdir or tmpdir == '':
- tmpdir = '/tmp'
- properties = {
- 'nickname': 'foo',
- 'cert-storage': 'file',
- 'cert-file': tmpdir + "/028-certfile",
- 'key-storage': 'file',
- 'key-file': tmpdir + "/028-keyfile",
- 'template-email': ['root@localhost', 'toor@localhost'],
- }
- (result, path) = i.add_request(properties)
- if not result:
- print("[ %s : %s.%s ]: add_request error\n" % (objpath, interface, method))
- return False
- result = i.remove_request(path)
- if not result:
- print("[ %s : %s.%s ]: remove_request error\n" % (objpath, interface, method))
- return False
- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
- elif method == 'find_ca_by_nickname':
- capath = i.find_ca_by_nickname('local')
- o = bus.get_object('org.fedorahosted.certmonger', capath)
- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
- if i.Get('org.fedorahosted.certmonger.ca', 'nickname') != 'local':
- print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.ca', 'nickname')))
- return False
- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
- elif method == 'find_request_by_nickname':
- reqpath = i.find_request_by_nickname('Buddy')
- o = bus.get_object('org.fedorahosted.certmonger', reqpath)
- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
- if i.Get('org.fedorahosted.certmonger.request', 'nickname') != 'Buddy':
- print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.request', 'nickname')))
- return False
- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
- elif method == 'modify':
- mods = {}
- propname = "template-eku"
- propval = '1.2.3.4.5.6.7.8.9.10'
- mods[propname] = [propval,]
- status, path = i.modify(mods)
- if not status:
- print("[ %s : %s.%s ] error\n" % (objpath, interface, method))
- return False
- print("[ %s : %s.%s ]\n%d on %s" % (objpath, interface, method, status, path))
- props = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
- prop = props.Get(interface, 'template-eku')
- print("After setting %s to %s, we got %s\n" % (propname, propval, prop))
- else:
- # We're in FIXME territory.
- print('FIXME: need support for "%s"' % method)
- return False
- # If we caused things to start churning, wait for them to settle.
+ in_args = 0
+ out_args = 0
+ o = bus.get_object('org.fedorahosted.certmonger', objpath)
+ i = dbus.Interface(o, interface)
+ for child in idata.getchildren():
+ if child.tag == 'arg':
+ if child.get('direction') != 'out':
+ in_args = in_args + 1
+ else:
+ out_args = out_args + 1
+ if in_args == 0:
+ # Takes no inputs, so just call it.
+ m = i.get_dbus_method(method)
+ if out_args == 0:
+ m()
+ print("[ %s: %s.%s ]\n" % (objpath, interface, method))
+ elif out_args == 1:
+ result = m()
+ print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
+ else:
+ result = m()
+ print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
+ elif method == 'Get' or method == 'Set' or method == 'GetAll':
+ # We check on properties elsewhere.
+ return True
+ # Per-method exercise.
+ elif method == 'add_known_ca' or method == 'remove_known_ca':
+ (result, path) = i.add_known_ca('Test CA', '/usr/bin/env', [])
+ if not result:
+ print("[ %s : %s.%s ]: add_known_ca error\n" % (objpath, interface, method))
+ return False
+ result = i.remove_known_ca(path)
+ if not result:
+ print("[ %s : %s.%s ]: remove_known_ca error\n" % (objpath, interface, method))
+ return False
+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
+ elif method == 'add_request' or method == 'remove_request':
+ tmpdir = os.getenv('TMPDIR')
+ if not tmpdir or tmpdir == '':
+ tmpdir = '/tmp'
+ properties = {
+ 'nickname': 'foo',
+ 'cert-storage': 'file',
+ 'cert-file': tmpdir + "/028-certfile",
+ 'key-storage': 'file',
+ 'key-file': tmpdir + "/028-keyfile",
+ 'template-email': ['root@localhost', 'toor@localhost'],
+ }
+ (result, path) = i.add_request(properties)
+ if not result:
+ print("[ %s : %s.%s ]: add_request error\n" % (objpath, interface, method))
+ return False
+ result = i.remove_request(path)
+ if not result:
+ print("[ %s : %s.%s ]: remove_request error\n" % (objpath, interface, method))
+ return False
+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
+ elif method == 'find_ca_by_nickname':
+ capath = i.find_ca_by_nickname('local')
+ o = bus.get_object('org.fedorahosted.certmonger', capath)
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
+ if i.Get('org.fedorahosted.certmonger.ca', 'nickname') != 'local':
+ print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.ca', 'nickname')))
+ return False
+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
+ elif method == 'find_request_by_nickname':
+ reqpath = i.find_request_by_nickname('Buddy')
+ if not reqpath:
+ return False
+ o = bus.get_object('org.fedorahosted.certmonger', reqpath)
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
+ if i.Get('org.fedorahosted.certmonger.request', 'nickname') != 'Buddy':
+ print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.request', 'nickname')))
+ return False
+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
+ elif method == 'modify':
+ mods = {}
+ propname = "template-eku"
+ propval = '1.2.3.4.5.6.7.8.9.10'
+ mods[propname] = [propval,]
+ status, path = i.modify(mods)
+ if not status:
+ print("[ %s : %s.%s ] error\n" % (objpath, interface, method))
+ return False
+ print("[ %s : %s.%s ]\n%d on %s" % (objpath, interface, method, status, path))
+ props = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
+ prop = props.Get(interface, 'template-eku')
+ print("After setting %s to %s, we got %s\n" % (propname, propval, prop))
+ else:
+ # We're in FIXME territory.
+ print('FIXME: need support for "%s"' % method)
+ return False
+ # If we caused things to start churning, wait for them to settle.
if method == 'resubmit':
props = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
prop = props.Get(interface, 'status')
while prop != 'MONITORING':
time.sleep(1)
prop = props.Get(interface, 'status')
- return True
+ return True
def iget(child, proxy, interface, prop):
- value = proxy.Get(interface, prop)
- if not value:
- if child.get('type') == 'b':
- value = False
- elif child.get('type') == 'n' or child.get('type') == 'x':
- value = 0
- elif child.get('type') == 's':
- value = ''
- elif child.get('type') == 'as':
- value = ['']
- else:
- print("%s.%s: %s" % (interface, prop, child.get('type')))
- return False
- return value
+ value = proxy.Get(interface, prop)
+ if not value:
+ if child.get('type') == 'b':
+ value = False
+ elif child.get('type') == 'n' or child.get('type') == 'x':
+ value = 0
+ elif child.get('type') == 's':
+ value = ''
+ elif child.get('type') == 'as':
+ value = ['']
+ else:
+ print("%s.%s: %s" % (interface, prop, child.get('type')))
+ return False
+ return value
def examine_interface(objpath, interface, idata):
- o = bus.get_object('org.fedorahosted.certmonger', objpath)
- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
- for child in idata.getchildren():
- if child.tag == 'property':
- prop = child.get('name')
- if child.get('access') == 'read':
- # Check that we can read it.
- value = i.Get(interface, prop)
- elif child.get('access') == 'readwrite':
- if prop == 'external-helper' or prop == 'scep-ca-identifier':
- cai = dbus.Interface(o, 'org.fedorahosted.certmonger.ca')
- if cai.get_type() != 'EXTERNAL':
- print("%s: warning: property %s.%s not settable on this object" % (objpath, interface, prop))
- continue
- # Check that we can read it, tweak it, and then reset it.
- value = iget(child, i, interface, prop)
- i.Set(interface, prop, value)
- newvalue = None
- if child.get('type') == 'b':
- newvalue = not value
- elif child.get('type') == 'n' or child.get('type') == 'x':
- newvalue = value + 1
- elif child.get('type') == 's':
- newvalue = 'x' + value
- elif child.get('type') == 'as':
- newvalue = ['x'] + value
- else:
- print("%s.%s: %s" % (interface, prop, child.get('type')))
- return False
- if newvalue:
- if newvalue == value:
- print("%s: error determining new value: (%s, %s): %s" % (objpath, interface, prop, value))
- return False
- i.Set(interface, prop, newvalue)
- if newvalue != iget(child, i, interface, prop):
- print("%s: property %s.%s not set: (%s, %s)" % (objpath, interface, prop, value, newvalue))
- return False
- i.Set(interface, prop, value)
- if value != iget(child, i, interface, prop):
- print("%s: property %s.%s not reset: (%s, %s)" % (objpath, interface, prop, newvalue, value))
- return False
- elif child.tag == 'method':
- method = child.get('name')
- if not examine_method(objpath, interface, method, child):
- return False
- elif child.tag == 'signal':
- continue
- else:
- print "FIXME: handle child tag %s" % child.tag
- return False
- return True
+ o = bus.get_object('org.fedorahosted.certmonger', objpath)
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
+ for child in idata.getchildren():
+ if child.tag == 'property':
+ prop = child.get('name')
+ if child.get('access') == 'read':
+ # Check that we can read it.
+ value = i.Get(interface, prop)
+ elif child.get('access') == 'readwrite':
+ if prop == 'external-helper' or prop == 'scep-ca-identifier':
+ cai = dbus.Interface(o, 'org.fedorahosted.certmonger.ca')
+ if cai.get_type() != 'EXTERNAL':
+ print("%s: warning: property %s.%s not settable on this object" % (objpath, interface, prop))
+ continue
+ # Check that we can read it, tweak it, and then reset it.
+ value = iget(child, i, interface, prop)
+ i.Set(interface, prop, value)
+ newvalue = None
+ if child.get('type') == 'b':
+ newvalue = not value
+ elif child.get('type') == 'n' or child.get('type') == 'x':
+ newvalue = value + 1
+ elif child.get('type') == 's':
+ newvalue = 'x' + value
+ elif child.get('type') == 'as':
+ newvalue = ['x'] + value
+ else:
+ print("%s.%s: %s" % (interface, prop, child.get('type')))
+ return False
+ if newvalue:
+ if newvalue == value:
+ print("%s: error determining new value: (%s, %s): %s" % (objpath, interface, prop, value))
+ return False
+ i.Set(interface, prop, newvalue)
+ if newvalue != iget(child, i, interface, prop):
+ print("%s: property %s.%s not set: (%s, %s)" % (objpath, interface, prop, value, newvalue))
+ return False
+ i.Set(interface, prop, value)
+ if value != iget(child, i, interface, prop):
+ print("%s: property %s.%s not reset: (%s, %s)" % (objpath, interface, prop, newvalue, value))
+ return False
+ elif child.tag == 'method':
+ method = child.get('name')
+ if not examine_method(objpath, interface, method, child):
+ return False
+ elif child.tag == 'signal':
+ continue
+ else:
+ print("FIXME: handle child tag %s" % child.tag)
+ return False
+ return True
def examine_object(objpath):
- o = bus.get_object('org.fedorahosted.certmonger', objpath)
- i = dbus.Interface(o, 'org.freedesktop.DBus.Introspectable')
- idata = i.Introspect()
- x = xml.etree.ElementTree.XML(idata)
+ o = bus.get_object('org.fedorahosted.certmonger', objpath)
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Introspectable')
+ idata = i.Introspect()
+ x = xml.etree.ElementTree.XML(idata)
- # Check if the object supports properties interfaces.
- props = False
- for child in x.getchildren():
- if child.tag == 'interface':
- if child.get('name') == 'org.freedesktop.DBus.Properties':
- props = True
+ # Check if the object supports properties interfaces.
+ props = False
+ for child in x.getchildren():
+ if child.tag == 'interface':
+ if child.get('name') == 'org.freedesktop.DBus.Properties':
+ props = True
- # Look at the interfaces and child nodes.
- for child in x.getchildren():
- if child.tag == 'interface':
- if props and not check_props(objpath, child.get('name')):
- return False
- if not examine_interface(objpath, child.get('name'), child):
- return False
- elif child.tag == 'node':
- if objpath == '/':
- childpath = '/' + child.get('name')
- else:
- childpath = objpath + '/' + child.get('name')
- examine_object(childpath)
- else:
- print "FIXME: handle child tag %s" % child.tag
- return False
- return True
+ # Look at the interfaces and child nodes.
+ for child in x.getchildren():
+ if child.tag == 'interface':
+ if props and not check_props(objpath, child.get('name')):
+ return False
+ if not examine_interface(objpath, child.get('name'), child):
+ return False
+ elif child.tag == 'node':
+ if objpath == '/':
+ childpath = '/' + child.get('name')
+ else:
+ childpath = objpath + '/' + child.get('name')
+ examine_object(childpath)
+ else:
+ print("FIXME: handle child tag %s" % child.tag)
+ return False
+ return True
if not examine_object('/'):
- sys.exit(1)
+ sys.exit(1)
sys.exit(0)
diff --git a/tests/038-ms-v2-template/extract-extdata.py b/tests/038-ms-v2-template/extract-extdata.py
index 1a845fd..9f9d910 100755
--- a/tests/038-ms-v2-template/extract-extdata.py
+++ b/tests/038-ms-v2-template/extract-extdata.py
@@ -1,10 +1,11 @@
-#!/usr/bin/python2
+#!/usr/bin/python3
# Given `openssl asn1parse` output of a CSR, look for the V2 Template
# extension and output its data if found. Nonzero exit status if
# not found.
import binascii
+import os
import re
import sys
@@ -21,7 +22,7 @@ for line in sys.stdin:
#
if state == STATE_FOUND and 'OCTET STRING' in line:
result = re.search(r'\[HEX DUMP\]:(\w*)', line)
- sys.stdout.write(binascii.unhexlify(result.group(1)))
+ os.write(1, binascii.unhexlify(result.group(1)))
state = STATE_DONE
break
--
2.17.0


@ -0,0 +1,195 @@
From 73b1729b9ca740174ef2fa14332f890c5cd17a26 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 10 Nov 2020 18:48:05 -0500
Subject: [PATCH] Revert "Remove the certmaster CA from the 028-dbus test"
This reverts commit dd8dcb899e0a159d1141b713993805565ffb6d28.
---
tests/028-dbus/expected.out | 130 ++++++++++++++++++++++++++++++++++--
1 file changed, 124 insertions(+), 6 deletions(-)
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
index ca7de34f..4d6a9a59 100644
--- a/tests/028-dbus/expected.out
+++ b/tests/028-dbus/expected.out
@@ -34,6 +34,10 @@ CA 'IPA':
is-default: no
ca-type: EXTERNAL
helper-location: $libexecdir/ipa-submit
+CA 'certmaster':
+ is-default: no
+ ca-type: EXTERNAL
+ helper-location: $libexecdir/certmaster-submit
CA 'dogtag-ipa-renew-agent':
is-default: no
ca-type: EXTERNAL
@@ -41,8 +45,8 @@ CA 'dogtag-ipa-renew-agent':
[[ API ]]
[ simpleprop.py ]
-/org/fedorahosted/certmonger/cas/CA5
-/org/fedorahosted/certmonger/cas/CA5
+/org/fedorahosted/certmonger/cas/CA6
+/org/fedorahosted/certmonger/cas/CA6
: -> : -k admin@localhost -> :
0 -> 1 -> 0
[ walk.py ]
@@ -178,7 +182,7 @@ OK
OK
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ]
-dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4')], signature=dbus.Signature('o'))
+dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA5')], signature=dbus.Signature('o'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ]
dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
@@ -504,6 +508,7 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
<node name="CA2"/>
<node name="CA3"/>
<node name="CA4"/>
+ <node name="CA5"/>
</node>
[ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ]
@@ -937,10 +942,10 @@ dbus.Array([], signature=dbus.Signature('s'))
</node>
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-3
+$tmpdir/cas/20180327134236-2
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
-dogtag-ipa-renew-agent
+certmaster
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ]
0
@@ -952,7 +957,7 @@ EXTERNAL
None
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ]
-$libexecdir/dogtag-ipa-renew-agent-submit
+$libexecdir/certmaster-submit
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ]
dbus.Array([], signature=dbus.Signature('s'))
@@ -960,3 +965,116 @@ dbus.Array([], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ]
1
+[ /org/fedorahosted/certmonger/cas/CA5: org.freedesktop.DBus.Introspectable.Introspect ]
+<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
+"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
+
+<node name="/org/fedorahosted/certmonger/cas/CA5">
+ <interface name="org.freedesktop.DBus.Introspectable">
+ <method name="Introspect">
+ <arg name="xml_data" type="s" direction="out"/>
+ </method>
+ </interface>
+ <interface name="org.freedesktop.DBus.Properties">
+ <method name="Get">
+ <arg name="interface_name" type="s" direction="in"/>
+ <arg name="property_name" type="s" direction="in"/>
+ <arg name="value" type="v" direction="out"/>
+ </method>
+ <method name="Set">
+ <arg name="interface_name" type="s" direction="in"/>
+ <arg name="property_name" type="s" direction="in"/>
+ <arg name="value" type="v" direction="in"/>
+ </method>
+ <method name="GetAll">
+ <arg name="interface_name" type="s" direction="in"/>
+ <arg name="props" type="a{sv}" direction="out"/>
+ </method>
+ <signal name="PropertiesChanged">
+ <arg name="interface_name" type="s"/>
+ <arg name="changed_properties" type="a{sv}"/>
+ <arg name="invalidated_properties" type="as"/>
+ </signal>
+ </interface>
+ <interface name="org.fedorahosted.certmonger.ca">
+ <method name="get_config_file_path">
+ <arg name="path" type="s" direction="out"/>
+ </method>
+ <method name="get_nickname">
+ <arg name="nickname" type="s" direction="out"/>
+ </method>
+ <property name="nickname" type="s" access="read"/>
+ <property name="aka" type="s" access="read"/>
+ <method name="get_is_default">
+ <arg name="default" type="b" direction="out"/>
+ </method>
+ <property name="is-default" type="b" access="readwrite"/>
+ <method name="get_type">
+ <arg name="type" type="s" direction="out"/>
+ </method>
+ <method name="get_serial">
+ <arg name="serial_hex" type="s" direction="out"/>
+ </method>
+ <method name="get_location">
+ <arg name="path" type="s" direction="out"/>
+ </method>
+ <property name="external-helper" type="s" access="readwrite"/>
+ <method name="get_issuer_names">
+ <arg name="names" type="as" direction="out"/>
+ </method>
+ <method name="refresh">
+ <arg name="working" type="b" direction="out"/>
+ </method>
+ <property name="ca-error" type="s" access="read"/>
+ <property name="issuer-names" type="as" access="read"/>
+ <property name="root-certs" type="a(ss)" access="read"/>
+ <property name="root-other-certs" type="a(ss)" access="read"/>
+ <property name="other-certs" type="a(ss)" access="read"/>
+ <property name="required-enroll-attributes" type="as" access="read"/>
+ <property name="required-renew-attributes" type="as" access="read"/>
+ <property name="supported-profiles" type="as" access="read"/>
+ <property name="default-profile" type="s" access="read"/>
+ <property name="root-cert-files" type="as" access="readwrite"/>
+ <property name="root-other-cert-files" type="as" access="readwrite"/>
+ <property name="other-cert-files" type="as" access="readwrite"/>
+ <property name="root-cert-nssdbs" type="as" access="readwrite"/>
+ <property name="root-other-cert-nssdbs" type="as" access="readwrite"/>
+ <property name="other-cert-nssdbs" type="as" access="readwrite"/>
+ <property name="ca-presave-command" type="s" access="read"/>
+ <property name="ca-presave-uid" type="s" access="read"/>
+ <property name="ca-postsave-command" type="s" access="read"/>
+ <property name="ca-postsave-uid" type="s" access="read"/>
+ <property name="scep-cipher" type="s" access="readwrite"/>
+ <property name="scep-digest" type="s" access="readwrite"/>
+ <property name="scep-ca-identifier" type="s" access="readwrite"/>
+ <property name="scep-ca-capabilities" type="as" access="read"/>
+ <property name="scep-ra-cert" type="s" access="read"/>
+ <property name="scep-ca-cert" type="s" access="read"/>
+ <property name="scep-other-certs" type="s" access="read"/>
+ </interface>
+</node>
+
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
+$tmpdir/cas/20180327134236-3
+
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
+dogtag-ipa-renew-agent
+
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_is_default ]
+0
+
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_type ]
+EXTERNAL
+
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_serial ]
+None
+
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_location ]
+$libexecdir/dogtag-ipa-renew-agent-submit
+
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_issuer_names ]
+dbus.Array([], signature=dbus.Signature('s'))
+
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.refresh ]
+1
+
--
2.25.4
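Review bot: The re-added fixture lines pin CA 'certmaster' to `helper-location: $libexecdir/certmaster-submit` and shift dogtag-ipa-renew-agent to the CA5 object path, so 028-dbus now passes only if the packaged build still registers the certmaster CA and ships that helper; nothing on this page shows that, so it is worth confirming against the spec's %files and CA list before relying on this test in the build. The renumbering also hard-codes `$tmpdir/cas/20180327134236-2` for certmaster and `-3` for dogtag-ipa-renew-agent, which presumably mirrors the order in which the test's pre-seeded CA files are read; a short comment at the top of expected.out naming that ordering dependency would make the next renumbering less error-prone.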


@ -1,41 +0,0 @@
From 3dee8044adf134462fadb2b135cc965227f1fab9 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 12:48:41 -0400
Subject: [PATCH 18/25] clang: more Dead assignment
---
src/submit-x.c | 5 ++---
src/tdbus.c | 1 -
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/submit-x.c b/src/submit-x.c
index fa81e9aa..abebc610 100644
--- a/src/submit-x.c
+++ b/src/submit-x.c
@@ -914,9 +914,8 @@ main(int argc, const char **argv)
/* Maybe we need a ccache. */
if (k5 || (kpname != NULL) || (ktname != NULL)) {
- if (!make_ccache ||
- (cm_submit_x_make_ccache(ktname, kpname, NULL) == 0)) {
- k5 = TRUE;
+ if (make_ccache) {
+ cm_submit_x_make_ccache(ktname, kpname, NULL);
}
}
diff --git a/src/tdbus.c b/src/tdbus.c
index cb0a8ad7..a81b5349 100644
--- a/src/tdbus.c
+++ b/src/tdbus.c
@@ -757,7 +757,6 @@ cm_tdbus_setup_public(struct tevent_context *ec, enum cm_tdbus_type bus_type,
/* Connect to the right bus. */
bus_desc = NULL;
conn = NULL;
- exit_on_disconnect = TRUE;
if (error != NULL) {
dbus_error_init(error);
}
--
2.21.0


@ -1,321 +0,0 @@
From 0dc90f1783981ac11c3c067c40df88d6315911a6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 12:53:57 -0400
Subject: [PATCH 19/25] clang: more Memory leaks
Fix leaks in tests/tools/addcinfo.c, dogtag.c and submit-x.c
---
src/dogtag.c | 17 +++++++++++++----
src/getcert.c | 3 ++-
src/store-files.c | 1 +
src/submit-d.c | 6 ++++++
src/submit-x.c | 39 ++++++++++-----------------------------
tests/tools/addcinfo.c | 8 +++++---
6 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/src/dogtag.c b/src/dogtag.c
index 55607f3d..8e3890a5 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -117,7 +117,7 @@ main(int argc, const char **argv)
const char *ssldir = NULL, *cainfo = NULL, *capath = NULL;
const char *sslcert = NULL, *sslkey = NULL;
const char *sslpin = NULL, *sslpinfile = NULL;
- const char *csr = NULL, *serial = NULL, *template = NULL;
+ const char *csr = NULL, *csre = NULL, *serial = NULL, *template = NULL;
const char *uid = NULL, *pwd = NULL, *pwdfile = NULL;
const char *udn = NULL, *pin = NULL, *pinfile = NULL;
char *poptarg;
@@ -127,7 +127,7 @@ main(int argc, const char **argv)
} *aoptions = NULL, *soptions = NULL;
size_t num_aoptions = 0, num_soptions = 0, j;
char *savedstate = NULL;
- char *p, *q, *params = NULL, *params2 = NULL;
+ char *p = NULL, *q = NULL, *params = NULL, *params2 = NULL;
const char *lasturl = NULL, *lastparams = NULL;
const char *tmp = NULL, *results = NULL;
struct cm_submit_h_context *hctx;
@@ -537,16 +537,19 @@ main(int argc, const char **argv)
}
poptPrintUsage(pctx, stdout, 0);
free(csr);
+ free(p);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
- csr = cm_submit_u_url_encode(csr);
+ csre = cm_submit_u_url_encode(csr);
params = talloc_asprintf(ctx,
"profileId=%s&"
"cert_request_type=pkcs10&"
"cert_request=%s&"
"xml=true",
template,
- csr);
+ csre);
+ free(csr);
+ free(csre);
}
/* Check for creds specified as options. */
for (j = 0; j < num_soptions; j++) {
@@ -608,12 +611,16 @@ main(int argc, const char **argv)
printf(_("No agent URL (-A) given, and no default "
"known.\n"));
poptPrintUsage(pctx, stdout, 0);
+ free(p);
+ free(q);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
if ((sslcert == NULL) || (strlen(sslcert) == 0)) {
printf(_("No agent credentials (-n) given, but they "
"are needed.\n"));
poptPrintUsage(pctx, stdout, 0);
+ free(p);
+ free(q);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
/* Reading profile defaults for this certificate, then applying
@@ -778,12 +785,14 @@ main(int argc, const char **argv)
lasturl);
}
talloc_free(ctx);
+ free(p);
return CM_SUBMIT_STATUS_UNREACHABLE;
}
if (results == NULL) {
printf(_("Internal error: no response to \"%s?%s\".\n"),
lasturl, lastparams);
talloc_free(ctx);
+ free(p);
return CM_SUBMIT_STATUS_REJECTED;
}
switch (op) {
diff --git a/src/getcert.c b/src/getcert.c
index ddb28de2..0d527ab0 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -4042,11 +4042,12 @@ thumbprint(const char *s, SECOidTag tag, int bits)
}
u = malloc(length);
if (u == NULL) {
+ free(t);
goto done;
}
length = cm_store_base64_to_bin(t, -1, u, length);
+ free(t);
if (PK11_HashBuf(tag, digest, u, length) == SECSuccess) {
- free(t);
t = malloc(bits / 4 + howmany(bits, 32));
if (t != NULL) {
ret = t;
diff --git a/src/store-files.c b/src/store-files.c
index b97ba5ff..4e57ae16 100644
--- a/src/store-files.c
+++ b/src/store-files.c
@@ -573,6 +573,7 @@ cm_store_file_read_lines(void *parent, FILE *fp)
lines = tlines;
}
}
+ free(buf);
return lines;
}
diff --git a/src/submit-d.c b/src/submit-d.c
index 5a4edb3f..36cc9828 100644
--- a/src/submit-d.c
+++ b/src/submit-d.c
@@ -1204,6 +1204,9 @@ restart:
} else {
printf("Error %d.\n", c);
}
+ if (defaults != nodefault) {
+ free(defaults);
+ }
return 1;
}
result = cm_submit_h_results(hctx, NULL) ?: "";
@@ -1365,6 +1368,9 @@ restart:
/* never reached */
break;
}
+ if (defaults != nodefault) {
+ free(defaults);
+ }
return 0;
}
#endif
diff --git a/src/submit-x.c b/src/submit-x.c
index abebc610..58d007ef 100644
--- a/src/submit-x.c
+++ b/src/submit-x.c
@@ -45,14 +45,17 @@ get_error_message(krb5_context ctx, krb5_error_code kcode)
{
const char *ret;
#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
- ret = ctx ? krb5_get_error_message(ctx, kcode) : NULL;
- if (ret == NULL) {
- ret = error_message(kcode);
+ if (ctx) {
+ const char *msg = krb5_get_error_message(ctx, kcode);
+ ret = strdup(msg);
+ krb5_free_error_message(ctx, msg);
+ } else {
+ ret = strdup(error_message(kcode));
}
#else
- ret = error_message(kcode);
+ ret = strdup(error_message(kcode));
#endif
- return strdup(ret);
+ return ret;
}
char *
@@ -75,8 +78,6 @@ cm_submit_x_ccache_realm(char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return NULL;
}
@@ -86,8 +87,6 @@ cm_submit_x_ccache_realm(char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return NULL;
}
@@ -97,8 +96,6 @@ cm_submit_x_ccache_realm(char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return NULL;
}
@@ -106,7 +103,7 @@ cm_submit_x_ccache_realm(char **msg)
if (data == NULL) {
fprintf(stderr, "Error retrieving principal realm.\n");
if (msg != NULL) {
- *msg = "Error retrieving principal realm.\n";
+ *msg = strdup("Error retrieving principal realm.\n");
}
return NULL;
}
@@ -114,7 +111,7 @@ cm_submit_x_ccache_realm(char **msg)
if (ret == NULL) {
fprintf(stderr, "Out of memory for principal realm.\n");
if (msg != NULL) {
- *msg = "Out of memory for principal realm.\n";
+ *msg = strdup("Out of memory for principal realm.\n");
}
return NULL;
}
@@ -145,8 +142,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
fprintf(stderr, "Error initializing Kerberos: %s.\n", ret);
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -160,8 +155,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -173,8 +166,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
principal, ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -186,8 +177,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -209,8 +198,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -229,8 +216,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -245,8 +230,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -257,8 +240,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
diff --git a/tests/tools/addcinfo.c b/tests/tools/addcinfo.c
index 939005c2..e34612a5 100644
--- a/tests/tools/addcinfo.c
+++ b/tests/tools/addcinfo.c
@@ -63,7 +63,7 @@ content_info_template[] = {
int
main(int argc, char **argv)
{
- unsigned char *buffer = NULL, buf[BUFSIZ];
+ unsigned char *buffer = NULL, *newbuffer = NULL, buf[BUFSIZ];
int i, n = 0;
unsigned int j;
SECItem encoded;
@@ -73,11 +73,13 @@ main(int argc, char **argv)
cm_log_set_method(cm_log_stderr);
cm_log_set_level(3);
while ((i = read(STDIN_FILENO, buf, sizeof(buf))) > 0) {
- buffer = realloc(buffer, n + i);
- if (buffer == NULL) {
+ newbuffer = realloc(buffer, n + i);
+ if (newbuffer == NULL) {
+ free(buffer);
cm_log(0, "Out of memory.\n");
return 1;
}
+ buffer = newbuffer;
memcpy(buffer + n, buf, i);
n += i;
}
--
2.21.0


@ -1,29 +0,0 @@
From 6b14979cdb7a177e7c5567faa67449dd1365c1b9 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 13:16:08 -0400
Subject: [PATCH 20/25] clang: Avoid buffer overflow
This shouldn't be possible because the caller would never allow
it all to be passed in but quiet static analyzers.
---
src/getcert.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/getcert.c b/src/getcert.c
index 0d527ab0..bbc45479 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -1839,8 +1839,8 @@ set_tracking(const char *argv0, const char *category,
enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS;
DBusMessage *req, *rep;
const char *request, *capath;
- struct cm_tdbusm_dict param[28];
- const struct cm_tdbusm_dict *params[29];
+ struct cm_tdbusm_dict param[30];
+ const struct cm_tdbusm_dict *params[30];
char *nss_scheme, *dbdir = NULL, *token = NULL, *nickname = NULL;
char **anchor_dbs = NULL, **anchor_files = NULL;
char *id = NULL, *new_id = NULL, *new_request;
--
2.21.0


@ -1,43 +0,0 @@
From 3727376f8654f9e1dd88b1f9721124f9fc96ad0a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 14:44:05 -0400
Subject: [PATCH 21/25] clang: Garbage value possible
Need to add guard so that error was only considered if the
certificate was decodable and an import was attempted.
---
src/certsave-n.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/certsave-n.c b/src/certsave-n.c
index 972a1dfa..30e242c1 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -498,6 +498,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
}
/* Import the certificate. */
+ error = SECFailure;
newcert = CERT_DecodeCertFromPackage((char *)item->data, item->len);
if (newcert != NULL) {
error = PK11_ImportCert(sle->slot,
@@ -506,7 +507,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
entry->cm_cert_nickname,
PR_FALSE);
}
- if (error == SECSuccess) {
+ if ((newcert != NULL) && (error == SECSuccess)) {
cm_log(1, "Imported certificate with "
"nickname \"%s\".\n",
entry->cm_cert_nickname);
@@ -581,6 +582,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
CERT_DestroyCertList(certlist);
}
} else {
+ ec = PORT_GetError();
if (ec != 0) {
es = PR_ErrorToName(ec);
} else {
--
2.21.0


@ -1,25 +0,0 @@
From a5c7484a00b378290069ab57c1f2e52719cc91c0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 14:48:43 -0400
Subject: [PATCH 22/25] Uninitialized variable
---
src/csrgen-o.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/csrgen-o.c b/src/csrgen-o.c
index 402284ff..41b4f014 100644
--- a/src/csrgen-o.c
+++ b/src/csrgen-o.c
@@ -181,7 +181,7 @@ cm_csrgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
BIGNUM *serialbn;
char buf[LINE_MAX], *s, *nickname, *pin, *password, *filename;
unsigned char *extensions, *upassword, *bmp, *name, *up, *uq, md[CM_DIGEST_MAX];
- char *spkidec, *mcb64, *nows;
+ char *spkidec = NULL, *mcb64, *nows;
const char *default_cn = CM_DEFAULT_CERT_SUBJECT_CN, *spkihex = NULL;
const unsigned char *nametmp;
struct tm *now;
--
2.21.0


@ -1,39 +0,0 @@
From 432f843ffbc0bc0b14c0501b26a10e450c5b5fcc Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 15:43:02 -0400
Subject: [PATCH 23/25] merge into clang: more Memory leaks
---
src/getcert.c | 2 +-
src/submit-x.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/getcert.c b/src/getcert.c
index bbc45479..4713dd15 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -4040,7 +4040,7 @@ thumbprint(const char *s, SECOidTag tag, int bits)
if (length == 0) {
goto done;
}
- u = malloc(length);
+ u = malloc(length+1);
if (u == NULL) {
free(t);
goto done;
diff --git a/src/submit-x.c b/src/submit-x.c
index 58d007ef..467e67e4 100644
--- a/src/submit-x.c
+++ b/src/submit-x.c
@@ -43,7 +43,7 @@
static char *
get_error_message(krb5_context ctx, krb5_error_code kcode)
{
- const char *ret;
+ char *ret;
#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
if (ctx) {
const char *msg = krb5_get_error_message(ctx, kcode);
--
2.21.0


@ -1,24 +0,0 @@
From d610317f69687d0c6892209d3cb6e3c407af4d86 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 15:44:07 -0400
Subject: [PATCH 24/25] Add missing return type declaration
---
src/tdbush.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/tdbush.c b/src/tdbush.c
index d1bbe4da..a10a1aff 100644
--- a/src/tdbush.c
+++ b/src/tdbush.c
@@ -2129,6 +2129,7 @@ ca_get_serial(DBusConnection *conn, DBusMessage *msg,
}
/* org.fedorahosted.certonger.ca.get_config_file_path */
+static DBusHandlerResult
ca_get_config_file_path(DBusConnection *conn, DBusMessage *msg,
struct cm_client_info *ci, struct cm_context *ctx)
{
--
2.21.0


@ -1,43 +0,0 @@
From c16545915ab280e40eefc6bfb4e86d081f20c758 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 8 Oct 2018 15:46:50 -0400
Subject: [PATCH 25/25] Discards const qualifier
---
src/dogtag.c | 3 ++-
src/scep.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/dogtag.c b/src/dogtag.c
index 8e3890a5..962a8bf4 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -117,9 +117,10 @@ main(int argc, const char **argv)
const char *ssldir = NULL, *cainfo = NULL, *capath = NULL;
const char *sslcert = NULL, *sslkey = NULL;
const char *sslpin = NULL, *sslpinfile = NULL;
- const char *csr = NULL, *csre = NULL, *serial = NULL, *template = NULL;
+ const char *serial = NULL, *template = NULL;
const char *uid = NULL, *pwd = NULL, *pwdfile = NULL;
const char *udn = NULL, *pin = NULL, *pinfile = NULL;
+ char *csr = NULL, *csre = NULL;
char *poptarg;
struct {
char *name;
diff --git a/src/scep.c b/src/scep.c
index b0bd214b..b37711cf 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -204,7 +204,8 @@ main(int argc, const char **argv)
int prefer_non_renewal = 0, can_renewal = 0;
int response_code = 0, response_code2 = 0;
enum known_ops op = op_unset;
- const char *id = NULL, *cainfo = NULL;
+ const char *id = NULL;
+ char *cainfo = NULL;
char *poptarg;
char *message = NULL, *rekey_message = NULL;
const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;
--
2.21.0


@ -1,134 +0,0 @@
From 9bbb628620d4e586941344e1bdbbc166a885c0a9 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 5 Sep 2019 12:45:52 -0400
Subject: [PATCH] Optimize closing open file descriptors
When forking, the code would close all unused file descriptors up
to maximum number of files. In the default case this is 1024. In
the container case this is 1048576. Huge delays in startup were
seen due to this.
Even in a default 1024 ulimit case this drastically reduces the
number of file descriptors to mark FD_CLOEXEC but in the container
default case this saves another order of magnitude of work.
This patch takes inspiration from systemd[1] and walks /proc/self/fd
if it is available to determine the list of open descriptors. It
falls back to the "close all fds we don't care about up to limit"
method.
https://bugzilla.redhat.com/show_bug.cgi?id=1656519
[1] https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217
---
src/subproc.c | 71 ++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 62 insertions(+), 9 deletions(-)
diff --git a/src/subproc.c b/src/subproc.c
index e49e3762..8df836ae 100644
--- a/src/subproc.c
+++ b/src/subproc.c
@@ -19,6 +19,7 @@
#include <sys/types.h>
#include <sys/wait.h>
+#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <paths.h>
@@ -436,6 +437,25 @@ cm_subproc_parse_args(void *parent, const char *cmdline, const char **error)
return argv;
}
+/* Based heavily on systemd version */
+static
+int safe_atoi(const char *s, int *ret_i) {
+ char *x = NULL;
+ long l;
+
+ errno = 0;
+ l = strtol(s, &x, 0);
+ if (errno > 0)
+ return -1;
+ if (!x || x == s || *x != 0)
+ return -1;
+ if ((long) (int) l != l)
+ return -1;
+
+ *ret_i = (int) l;
+ return 0;
+}
+
/* Redirect stdio to /dev/null, and mark everything else as close-on-exec,
* except for perhaps one to three of them that are passed in by number. */
void
@@ -443,6 +463,9 @@ cm_subproc_mark_most_cloexec(int fd, int fd2, int fd3)
{
int i;
long l;
+ DIR *dir = NULL;
+ struct dirent *de;
+
if ((fd != STDIN_FILENO) &&
(fd2 != STDIN_FILENO) &&
(fd3 != STDIN_FILENO)) {
@@ -482,17 +505,47 @@ cm_subproc_mark_most_cloexec(int fd, int fd2, int fd3)
close(STDERR_FILENO);
}
}
- for (i = getdtablesize() - 1; i >= 3; i--) {
- if ((i == fd) ||
- (i == fd2) ||
- (i == fd3)) {
- continue;
+ dir = opendir("/proc/self/fd");
+ if (!dir) {
+ /* /proc isn't available, fall back to old way */
+ for (i = getdtablesize() - 1; i >= 3; i--) {
+ if ((i == fd) ||
+ (i == fd2) ||
+ (i == fd3)) {
+ continue;
+ }
+ l = fcntl(i, F_GETFD);
+ if (l != -1) {
+ if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
+ cm_log(0, "Potentially leaking FD %d.\n", i);
+ }
+ }
}
- l = fcntl(i, F_GETFD);
- if (l != -1) {
- if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
- cm_log(0, "Potentially leaking FD %d.\n", i);
+ } else {
+ while ((de = readdir(dir)) != NULL) {
+ int i = -1;
+
+ if (safe_atoi(de->d_name, &i) < 0) {
+ continue;
+ }
+
+ if ((i == fd) ||
+ (i == fd2) ||
+ (i == fd3)) {
+ continue;
+ }
+
+ if (i == dirfd(dir)) {
+ continue;
+ }
+
+ l = fcntl(i, F_GETFD);
+ if (l != -1) {
+ if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
+ cm_log(0, "Potentially leaking FD %d.\n", i);
+ }
}
}
+ closedir(dir);
}
}
--
2.21.0


@ -1,33 +0,0 @@
From b7bcb1b3b953c2052e2d89cb2b3e9d9ccd1b3864 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 10 Oct 2019 16:28:18 -0400
Subject: [PATCH] Don't close STDOUT when calling the CA fetch_roots function
cm_subproc_mark_most_cloexec() now closes all open file
descriptors except for up to three requested for stdin, stdout
and stderr. Before the optimization those three were always
left open.
This was causing errors in the IPA helper ipa-server-guard
because it tries to display the contents of stderr which was
always being closed, causing ipa-server-guard to blow up.
---
src/cadata.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cadata.c b/src/cadata.c
index eb87eb76..3e916c96 100644
--- a/src/cadata.c
+++ b/src/cadata.c
@@ -109,7 +109,7 @@ fetch(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, void *data)
}
return -1;
}
- cm_subproc_mark_most_cloexec(STDOUT_FILENO, -1, -1);
+ cm_subproc_mark_most_cloexec(STDOUT_FILENO, STDERR_FILENO, -1);
cm_log(1, "Running enrollment/cadata helper \"%s\".\n", argv[0]);
execvp(argv[0], argv);
u = errno;
--
2.21.0


@ -1,35 +0,0 @@
From 205775f73f7eef7b207acccac6b853562adf604b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 25 Oct 2019 20:25:36 +0000
Subject: [PATCH] Don't close STDERR when submitting request
cm_subproc_mark_most_cloexec() now closes all open file
descriptors except for up to three requested for stdin, stdout
and stderr. Before the optimization those three were always
left open.
This was causing errors in the IPA helper ipa-server-guard
because it tries to display the contents of stderr which was
always being closed, causing ipa-server-guard to blow up.
---
src/submit-e.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/submit-e.c b/src/submit-e.c
index d6158d7a..69b4f8e2 100644
--- a/src/submit-e.c
+++ b/src/submit-e.c
@@ -941,8 +941,8 @@ cm_submit_e_helper_main(int fd, struct cm_store_ca *ca,
}
return -1;
}
- cm_log(2, "Redirecting stdin and stderr to /dev/null, leaving stdout open for child \"%s\".\n", argv[0]);
- cm_subproc_mark_most_cloexec(STDOUT_FILENO, -1, -1);
+ cm_log(2, "Redirecting stdin to /dev/null, leaving stdout and stderr open for child \"%s\".\n", argv[0]);
+ cm_subproc_mark_most_cloexec(STDOUT_FILENO, STDERR_FILENO, -1);
cm_log(1, "Running enrollment helper \"%s\".\n", argv[0]);
execvp(argv[0], argv);
u = errno;
--
2.21.0


@ -1,259 +0,0 @@
From 34c120f0259750ff2228def2955de9ad985340e6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 26 Aug 2019 22:01:35 +0000
Subject: [PATCH] Remove NOMODDB flag flag from context init, look for full
tokens
The NSS databases were almost universally initialized with the
NOMODDB flag. I'm not sure if something changed in NSS but the
PKCS#11 modules were not being initialized. Adding this back after
permission checks are done results in tokens working again.
When looking for certs and keys try the full token:nickname string
as well as just nickname when comparing values.
https://pagure.io/certmonger/issue/125
---
src/casave.c | 3 +--
src/certread-n.c | 33 ++++++++++++++++-----------------
src/certsave-n.c | 5 +++++
src/dogtag.c | 3 +--
src/keygen-n.c | 5 +++++
src/keyiread-n.c | 11 ++++++++++-
src/scepgen-n.c | 5 +++++
src/submit-n.c | 5 +++++
src/toklist.c | 2 +-
9 files changed, 49 insertions(+), 23 deletions(-)
diff --git a/src/casave.c b/src/casave.c
index bde63f99..1cf5a406 100644
--- a/src/casave.c
+++ b/src/casave.c
@@ -111,8 +111,7 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
break;
default:
flags = NSS_INIT_READONLY |
- NSS_INIT_NOROOTINIT |
- NSS_INIT_NOMODDB;
+ NSS_INIT_NOROOTINIT;
/* Sigh. Not a lot of detail. Check
* if we succeed in read-only mode,
* which we'll interpret as lack of
diff --git a/src/certread-n.c b/src/certread-n.c
index d535030b..bb61b61b 100644
--- a/src/certread-n.c
+++ b/src/certread-n.c
@@ -157,27 +157,22 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
cm_log(1, "Unable to open NSS database.\n");
_exit(status);
}
+ /* Re-open the database with modules enabled */
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_cert_storage_location,
+ NULL, NULL, NULL, NULL,
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
es = util_n_fips_hook();
if (es != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", es);
_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
}
- /* Allocate a memory pool. */
- arena = PORT_NewArena(sizeof(double));
- if (arena == NULL) {
- cm_log(1, "Error opening database '%s'.\n",
- entry->cm_cert_storage_location);
- if (NSS_ShutdownContext(ctx) != SECSuccess) {
- cm_log(1, "Error shutting down NSS.\n");
- }
- _exit(ENOMEM);
- }
/* Find the tokens that we might use for cert storage. */
mech = CKM_RSA_X_509;
slotlist = PK11_GetAllTokens(mech, PR_FALSE, PR_FALSE, NULL);
if (slotlist == NULL) {
cm_log(1, "Error getting list of tokens.\n");
- PORT_FreeArena(arena, PR_TRUE);
if (NSS_ShutdownContext(ctx) != SECSuccess) {
cm_log(1, "Error shutting down NSS.\n");
}
@@ -249,6 +244,7 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
/* If we need to log in in order to read certificates, do so. */
if (PK11_NeedLogin(sle->slot)) {
+ cm_log(3, "Need login to token %s\n", PK11_GetTokenName(sle->slot));
if (cm_pin_read_for_cert(entry, &pin) != 0) {
cm_log(1, "Error reading PIN for cert db, "
"skipping.\n");
@@ -272,13 +268,19 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
/* Walk the list of certificates in the slot, looking for one
* which matches the specified nickname. */
certs = PK11_ListCertsInSlot(sle->slot);
+ cm_log(3, "Looking for %s\n", entry->cm_cert_nickname);
if (certs != NULL) {
for (node = CERT_LIST_HEAD(certs);
!CERT_LIST_EMPTY(certs) &&
!CERT_LIST_END(node, certs);
node = CERT_LIST_NEXT(node)) {
- if (strcmp(node->cert->nickname,
- entry->cm_cert_nickname) == 0) {
+ cm_log(3, "certread-n: Slot nickname %s\n",
+ node->cert->nickname);
+ es = talloc_asprintf(entry, "%s:%s",
+ entry->cm_cert_token, entry->cm_cert_nickname);
+ if ((strcmp(node->cert->nickname,
+ entry->cm_cert_nickname) == 0) ||
+ (strcmp(node->cert->nickname, es) == 0)) {
cm_log(3, "Located the certificate "
"\"%s\".\n",
entry->cm_cert_nickname);
@@ -321,7 +323,6 @@ next_slot:
if (cert == NULL) {
cm_log(1, "Error locating certificate.\n");
PK11_FreeSlotList(slotlist);
- PORT_FreeArena(arena, PR_TRUE);
if (NSS_ShutdownContext(ctx) != SECSuccess) {
cm_log(1, "Error shutting down NSS.\n");
}
@@ -332,7 +333,6 @@ next_slot:
fclose(fp);
CERT_DestroyCertificate(cert);
PK11_FreeSlotList(slotlist);
- PORT_FreeArena(arena, PR_TRUE);
if (NSS_ShutdownContext(ctx) != SECSuccess) {
cm_log(1, "Error shutting down NSS.\n");
}
@@ -358,8 +358,7 @@ cm_certread_n_parse(struct cm_store_entry *entry,
NULL, NULL, NULL, NULL,
NSS_INIT_NOCERTDB |
NSS_INIT_READONLY |
- NSS_INIT_NOROOTINIT |
- NSS_INIT_NOMODDB);
+ NSS_INIT_NOROOTINIT);
if (ctx == NULL) {
cm_log(1, "Unable to initialize NSS.\n");
_exit(1);
diff --git a/src/certsave-n.c b/src/certsave-n.c
index 972a1dfa..eda03b34 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -186,6 +186,11 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
} else {
/* We don't try to force FIPS mode here, as it seems to get in
* the way of saving the certificate. */
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_cert_storage_location,
+ NULL, NULL, NULL, NULL,
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
/* Allocate a memory pool. */
arena = PORT_NewArena(sizeof(double));
diff --git a/src/dogtag.c b/src/dogtag.c
index 55607f3d..c43664ef 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -306,8 +306,7 @@ main(int argc, const char **argv)
NULL, NULL, NULL, NULL,
NSS_INIT_NOCERTDB |
NSS_INIT_READONLY |
- NSS_INIT_NOROOTINIT |
- NSS_INIT_NOMODDB);
+ NSS_INIT_NOROOTINIT);
if (nctx == NULL) {
cm_log(1, "Unable to initialize NSS.\n");
_exit(1);
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 061bd2af..e921d7ec 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -226,6 +226,11 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
break;
}
}
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_key_storage_location,
+ NULL, NULL, NULL, NULL,
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
reason = util_n_fips_hook();
if (reason != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
index 91b1be41..dc1c6092 100644
--- a/src/keyiread-n.c
+++ b/src/keyiread-n.c
@@ -115,6 +115,11 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
break;
}
}
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_key_storage_location,
+ NULL, NULL, NULL, NULL,
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
reason = util_n_fips_hook();
if (reason != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
@@ -340,8 +345,12 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
cnode = CERT_LIST_NEXT(cnode)) {
nickname = entry->cm_key_nickname;
cert = cnode->cert;
+ es = talloc_asprintf(entry, "%s:%s",
+ entry->cm_cert_token,
+ entry->cm_cert_nickname);
if ((nickname != NULL) &&
- (strcmp(cert->nickname, nickname) == 0)) {
+ ((strcmp(cert->nickname, nickname) == 0) ||
+ (strcmp(cert->nickname, es) == 0))) {
cm_log(3, "Located a certificate with "
"the key's nickname (\"%s\").\n",
nickname);
diff --git a/src/scepgen-n.c b/src/scepgen-n.c
index d6735aa7..8c67b122 100644
--- a/src/scepgen-n.c
+++ b/src/scepgen-n.c
@@ -183,6 +183,11 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
break;
}
}
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_key_storage_location,
+ NULL, NULL, NULL, NULL,
+ NSS_INIT_READONLY |
+ NSS_INIT_NOROOTINIT);
reason = util_n_fips_hook();
if (reason != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
diff --git a/src/submit-n.c b/src/submit-n.c
index b07ea23a..f27b9c7f 100644
--- a/src/submit-n.c
+++ b/src/submit-n.c
@@ -317,6 +317,11 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
}
goto done;
}
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(args->entry->cm_key_storage_location,
+ NULL, NULL, NULL, NULL,
+ NSS_INIT_READONLY |
+ NSS_INIT_NOROOTINIT);
reason = util_n_fips_hook();
if (reason != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
diff --git a/src/toklist.c b/src/toklist.c
index a4328218..ac166722 100644
--- a/src/toklist.c
+++ b/src/toklist.c
@@ -79,7 +79,7 @@ main(int argc, const char **argv)
/* Open the database. */
ctx = NSS_InitContext(dbdir, NULL, NULL, NULL, NULL,
- NSS_INIT_NOROOTINIT | NSS_INIT_NOMODDB);
+ NSS_INIT_NOROOTINIT);
if (ctx == NULL) {
printf("Unable to open NSS database '%s'.\n", dbdir);
_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
--
2.21.0


@ -1,233 +0,0 @@
From 59df833ca5fb80c596df621a24dc461a550dba71 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 27 Aug 2019 18:01:02 +0000
Subject: [PATCH] Update tests to include the security module DB in expected
output
certmonger was previously always initializing the databases with
the flag NSS_INIT_NOMODDB but in at elast NSS 3.44 this doesn't
seem to initialize external modules (tested with SoftHSM2).
https://pagure.io/certmonger/issue/125
---
tests/034-perms-dbm/expected.out | 16 ++++++++++++++++
tests/034-perms-sql/expected.out | 16 ++++++++++++++++
tests/034-perms/expected.out | 16 ++++++++++++++++
3 files changed, 48 insertions(+)
diff --git a/tests/034-perms-dbm/expected.out b/tests/034-perms-dbm/expected.out
index c062d409..7bf23a37 100644
--- a/tests/034-perms-dbm/expected.out
+++ b/tests/034-perms-dbm/expected.out
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
[dbm:keygen]
$owner:$group|0600|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:csrgen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:submit]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:save]
$owner:$group|0662|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
[rekey:dbm:start]
[rekey:dbm:keygen]
$owner:$group|0600|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:keygen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:csrgen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:submit]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:save]
$owner:$group|0662|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
OK
diff --git a/tests/034-perms-sql/expected.out b/tests/034-perms-sql/expected.out
index 2808e02c..c5914e02 100644
--- a/tests/034-perms-sql/expected.out
+++ b/tests/034-perms-sql/expected.out
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
[sql:keygen]
$owner:$group|0600|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0600|pkcs11.txt
[sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:csrgen]
$owner:$group|0755|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:submit]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:save]
$owner:$group|0662|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0662|pkcs11.txt
[rekey:sql:start]
[rekey:sql:keygen]
$owner:$group|0600|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0600|pkcs11.txt
[rekey:sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:keygen]
$owner:$group|0755|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:csrgen]
$owner:$group|0755|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:submit]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:save]
$owner:$group|0662|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0662|pkcs11.txt
OK
diff --git a/tests/034-perms/expected.out b/tests/034-perms/expected.out
index c062d409..7bf23a37 100644
--- a/tests/034-perms/expected.out
+++ b/tests/034-perms/expected.out
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
[dbm:keygen]
$owner:$group|0600|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:csrgen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:submit]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:save]
$owner:$group|0662|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
[rekey:dbm:start]
[rekey:dbm:keygen]
$owner:$group|0600|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:keygen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:csrgen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:submit]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:save]
$owner:$group|0662|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
OK
--
2.21.0


@ -1,50 +0,0 @@
From 64702b25951ce996532afea7d627612d6bba7451 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 10 Oct 2019 18:24:32 +0000
Subject: [PATCH] Try to pull the entire CA chain from IPA
IPA originally stored a single cert in cn=cacert which is
what certmonger has always retrieved in fetch_roots. It was
replaced to store cn=certificates as separate entries in order
to more easily support chains and to include additional
metadata about certificates.
Try to pull the chain from that location first and fall back
to cn=cacert if no entries are found.
https://bugzilla.redhat.com/show_bug.cgi?id=1710632
---
src/ipa.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/ipa.c b/src/ipa.c
index acd1a4e2..40a4b52c 100644
--- a/src/ipa.c
+++ b/src/ipa.c
@@ -508,7 +508,8 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
LDAP *ld = NULL;
LDAPMessage *lresult = NULL, *lmsg = NULL;
char *lattrs[2] = {"caCertificate;binary", NULL};
- const char *relativedn = "cn=cacert,cn=ipa,cn=etc";
+ const char *relativedn = "cn=certificates,cn=ipa,cn=etc";
+ const char *relativecompatdn = "cn=cacert,cn=ipa,cn=etc";
char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", *kerr = NULL;
struct berval **lbvalues, *lbv;
unsigned char *bv_val;
@@ -543,6 +544,13 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
lfilter, lattrs, 0, NULL, NULL, NULL,
LDAP_NO_LIMIT, &lresult);
+ if (rc == LDAP_SUCCESS && ldap_count_entries(ld, lresult) == 0) {
+ /* Fall back to the old location */
+ snprintf(ldn, sizeof(ldn), "%s,%s", relativecompatdn, basedn);
+ rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
+ lfilter, lattrs, 0, NULL, NULL, NULL,
+ LDAP_NO_LIMIT, &lresult);
+ }
if (rc != LDAP_SUCCESS) {
fprintf(stderr, "Error searching '%s': %s.\n",
ldn, ldap_err2string(rc));
--
2.21.0


@ -1,34 +0,0 @@
From c6f2737747cbb70adfdd1a77412b669838f9c419 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 2 Dec 2019 15:08:54 -0500
Subject: [PATCH] Fix use-after-free issue
The basedn value was freed after the first search but a second
one could be initiated.
---
src/ipa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ipa.c b/src/ipa.c
index 40a4b52c..41ca9081 100644
--- a/src/ipa.c
+++ b/src/ipa.c
@@ -540,7 +540,6 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
/* Now look up the root certificates for the domain. */
snprintf(lfilter, sizeof(lfilter), "(%s=*)", lattrs[0]);
snprintf(ldn, sizeof(ldn), "%s,%s", relativedn, basedn);
- free(basedn);
rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
lfilter, lattrs, 0, NULL, NULL, NULL,
LDAP_NO_LIMIT, &lresult);
@@ -551,6 +550,7 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
lfilter, lattrs, 0, NULL, NULL, NULL,
LDAP_NO_LIMIT, &lresult);
}
+ free(basedn);
if (rc != LDAP_SUCCESS) {
fprintf(stderr, "Error searching '%s': %s.\n",
ldn, ldap_err2string(rc));
--
2.21.0


@ -1,931 +0,0 @@
From 0aa25dc4f8c44434e3f28a7fe25a72c0871ac13b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Apr 2020 16:50:16 -0400
Subject: [PATCH 33/39] Improve logging in SCEP helper
Always check return value of cm_pkcs7_verify_signed() and return
a unique error message.
Change log level from 1 to 0 for all errors in scep.c and pkcs7.c
so they appear by default.
Centralize logging across scep.c and pkcs7.c to reduce code
duplication.
Check the return code to cm_pkcs7_verify_signed in all cases.
Add the last available message, if any, to the error returned
via stdout to certmonger as a hint to what is going on.
---
src/pkcs7.c | 111 +++++++++++++++++++++++++++---------------------
src/pkcs7.h | 2 +
src/scep.c | 59 ++++++++++---------------
src/scepgen-n.c | 28 ++++++------
src/scepgen-o.c | 72 ++++++++++++++++---------------
src/scepgen.c | 2 +-
6 files changed, 140 insertions(+), 134 deletions(-)
diff --git a/src/pkcs7.c b/src/pkcs7.c
index 6de1775..29420b9 100644
--- a/src/pkcs7.c
+++ b/src/pkcs7.c
@@ -274,6 +274,25 @@ cm_pkcs7_parse_buffer(const unsigned char *buffer, size_t length,
}
}
+void
+log_pkcs7_errors(int level, char *msg)
+{
+ char buf[LINE_MAX] = "";
+ long error;
+ int nss_err;
+
+ cm_log(level, "%s\n", msg);
+ while ((error = ERR_get_error()) != 0) {
+ memset(buf, '\0', sizeof(buf));
+ ERR_error_string_n(error, buf, sizeof(buf));
+ cm_log(level, "%s\n", buf);
+ }
+ nss_err = PORT_GetError();
+ if (nss_err < 0) {
+ cm_log(level, "%d: %s\n", nss_err, PR_ErrorToString(nss_err, 0));
+ }
+}
+
int
cm_pkcs7_parsev(unsigned int flags, void *parent,
char **certleaf, char **certtop, char ***certothers,
@@ -520,26 +539,26 @@ cm_pkcs7_envelope_data(char *encryption_cert, enum cm_prefs_cipher cipher,
in = BIO_new_mem_buf(encryption_cert, -1);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
recipient = PEM_read_bio_X509(in, NULL, NULL, NULL);
if (recipient == NULL) {
- cm_log(1, "Error parsing recipient certificate.\n");
+ log_pkcs7_errors(0, "Error parsing recipient certificate.\n");
goto done;
}
BIO_free(in);
recipients = sk_X509_new(util_o_cert_cmp);
if (recipients == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
sk_X509_push(recipients, recipient);
in = BIO_new_mem_buf(data, dlength);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
p7 = PKCS7_encrypt(recipients, in, cm_prefs_ossl_cipher_by_pref(cipher),
@@ -547,22 +566,22 @@ cm_pkcs7_envelope_data(char *encryption_cert, enum cm_prefs_cipher cipher,
BIO_free(in);
if (p7 == NULL) {
- cm_log(1, "Error encrypting signing request.\n");
+ log_pkcs7_errors(0, "Error encrypting signing request.\n");
goto done;
}
len = i2d_PKCS7(p7, NULL);
if (len < 0) {
- cm_log(1, "Error encoding encrypted signing request.\n");
+ log_pkcs7_errors(0, "Error encoding encrypted signing request.\n");
goto done;
}
dp7 = malloc(len);
if (dp7 == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
u = dp7;
if (i2d_PKCS7(p7, &u) != len) {
- cm_log(1, "Error encoding encrypted signing request.\n");
+ log_pkcs7_errors(0, "Error encoding encrypted signing request.\n");
goto done;
}
*enveloped = dp7;
@@ -593,29 +612,29 @@ cm_pkcs7_envelope_csr(char *encryption_cert, enum cm_prefs_cipher cipher,
in = BIO_new_mem_buf(csr, -1);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
BIO_free(in);
if (req == NULL) {
- cm_log(1, "Error parsing certificate signing request.\n");
+ log_pkcs7_errors(0, "Error parsing certificate signing request.\n");
goto done;
}
dlen = i2d_X509_REQ(req, NULL);
if (dlen < 0) {
- cm_log(1, "Error encoding certificate signing request.\n");
+ log_pkcs7_errors(0, "Error encoding certificate signing request.\n");
goto done;
}
dreq = malloc(dlen);
if (dreq == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
u = dreq;
if (i2d_X509_REQ(req, &u) != dlen) {
- cm_log(1, "Error encoding certificate signing request.\n");
+ log_pkcs7_errors(0, "Error encoding certificate signing request.\n");
goto done;
}
ret = cm_pkcs7_envelope_data(encryption_cert, cipher, dreq, dlen,
@@ -671,59 +690,61 @@ cm_pkcs7_generate_ias(char *cacert, char *minicert,
in = BIO_new_mem_buf(cacert, -1);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
ca = PEM_read_bio_X509(in, NULL, NULL, NULL);
BIO_free(in);
if (ca == NULL) {
- cm_log(1, "Error parsing CA certificate.\n");
+ log_pkcs7_errors(0, "Error parsing CA certificate.\n");
goto done;
}
in = BIO_new_mem_buf(minicert, -1);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
mini = PEM_read_bio_X509(in, NULL, NULL, NULL);
BIO_free(in);
if (mini == NULL) {
- cm_log(1, "Error parsing client certificate.\n");
+ log_pkcs7_errors(0, "Error parsing client certificate.\n");
goto done;
}
issuerlen = i2d_X509_NAME(X509_get_issuer_name(ca), NULL);
if (issuerlen < 0) {
- cm_log(1, "Error encoding CA certificate issuer name.\n");
+ cm_log(0, "Error encoding CA certificate issuer name.\n");
goto done;
}
issuer = malloc(issuerlen);
if (issuer == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
u = issuer;
if (i2d_X509_NAME(X509_get_issuer_name(ca), &u) != issuerlen) {
- cm_log(1, "Error encoding CA certificate issuer name.\n");
+ log_pkcs7_errors(0, "Error encoding CA certificate issuer name.\n");
goto done;
}
subjectlen = i2d_X509_NAME(X509_get_subject_name(mini), NULL);
if (subjectlen < 0) {
- cm_log(1, "Error encoding client certificate subject name.\n");
+ cm_log(0, "Error encoding client certificate subject name.\n");
goto done;
}
subject = malloc(subjectlen);
if (subject == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
u = subject;
if (i2d_X509_NAME(X509_get_subject_name(mini), &u) != subjectlen) {
- cm_log(1, "Error encoding client certificate subject name.\n");
+ log_pkcs7_errors(0, "Error encoding client certificate subject name.\n");
goto done;
}
+ PORT_SetError(0);
+ ERR_clear_error();
memset(&issuerandsubject, 0, sizeof(issuerandsubject));
issuerandsubject.issuer.data = issuer;
issuerandsubject.issuer.len = issuerlen;
@@ -731,7 +752,7 @@ cm_pkcs7_generate_ias(char *cacert, char *minicert,
issuerandsubject.subject.len = subjectlen;
if (SEC_ASN1EncodeItem(NULL, &encoded, &issuerandsubject,
cm_pkcs7_ias_template) != &encoded) {
- cm_log(1, "Error encoding issuer and subject names.\n");
+ log_pkcs7_errors(0, "Error encoding issuer and subject names.\n");
goto done;
}
*ias = malloc(encoded.len);
@@ -948,28 +969,28 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
u = data;
p7 = d2i_PKCS7(NULL, &u, length);
if ((p7 == NULL) || (u != data + length)) {
- cm_log(1, "Error parsing what should be PKCS#7 signed-data.\n");
+ cm_log(0, "Error parsing what should be PKCS#7 signed-data.\n");
goto done;
}
if ((p7->type == NULL) || (OBJ_obj2nid(p7->type) != NID_pkcs7_signed)) {
- cm_log(1, "PKCS#7 data is not signed-data.\n");
+ cm_log(0, "PKCS#7 data is not signed-data.\n");
goto done;
}
store = X509_STORE_new();
if (store == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
X509_STORE_set_verify_cb_func(store, &ignore_purpose_errors);
certs = sk_X509_new(util_o_cert_cmp);
if (certs == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
for (i = 0; (roots != NULL) && (roots[i] != NULL); i++) {
s = talloc_strdup(parent, roots[i]);
if (s == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
/* In case one of these is multiple PEM certificates
@@ -990,13 +1011,13 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
}
in = BIO_new_mem_buf(p, q - p);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
x = PEM_read_bio_X509(in, NULL, NULL, NULL);
BIO_free(in);
if (x == NULL) {
- cm_log(1, "Error parsing chain certificate.\n");
+ cm_log(0, "Error parsing chain certificate.\n");
goto done;
}
X509_STORE_add_cert(store, x);
@@ -1008,7 +1029,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
for (i = 0; (othercerts != NULL) && (othercerts[i] != NULL); i++) {
s = talloc_strdup(parent, othercerts[i]);
if (s == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
/* In case one of these is multiple PEM certificates
@@ -1028,13 +1049,13 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
}
in = BIO_new_mem_buf(p, q - p);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
x = PEM_read_bio_X509(in, NULL, NULL, NULL);
BIO_free(in);
if (x == NULL) {
- cm_log(1, "Error parsing chain certificate.\n");
+ cm_log(0, "Error parsing chain certificate.\n");
goto done;
}
sk_X509_push(certs, x);
@@ -1044,7 +1065,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
}
out = BIO_new(BIO_s_mem());
if (out == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
if (roots != NULL) {
@@ -1057,19 +1078,19 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
for (i = 0; i < sk_X509_num(certs); i++) {
x = X509_dup(sk_X509_value(certs, i));
if (x == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
PKCS7_add_certificate(p7, x);
}
if (PKCS7_verify(p7, certs, store, NULL, out, 0) != 1) {
- cm_log(1, "Message failed verification.\n");
+ cm_log(0, "Message failed verification.\n");
goto done;
}
}
p7s = p7->d.sign;
if (sk_PKCS7_SIGNER_INFO_num(p7s->signer_info) != 1) {
- cm_log(1, "Number of PKCS#7 signed-data signers != 1.\n");
+ cm_log(0, "Number of PKCS#7 signed-data signers != 1.\n");
goto done;
}
si = sk_PKCS7_SIGNER_INFO_value(p7s->signer_info, 0);
@@ -1077,12 +1098,12 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
encapsulated = p7s->contents;
if (expected_content_type != NID_undef) {
if (encapsulated == NULL) {
- cm_log(1, "Error parsing PKCS#7 encapsulated content.\n");
+ cm_log(0, "Error parsing PKCS#7 encapsulated content.\n");
goto done;
}
if ((encapsulated->type == NULL) ||
(OBJ_obj2nid(encapsulated->type) != expected_content_type)) {
- cm_log(1, "PKCS#7 encapsulated data is not %s (%s).\n",
+ cm_log(0, "PKCS#7 encapsulated data is not %s (%s).\n",
OBJ_nid2ln(expected_content_type),
encapsulated->type ?
OBJ_nid2ln(OBJ_obj2nid(encapsulated->type)) :
@@ -1091,7 +1112,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
}
}
if (attrs == NULL) {
- cm_log(1, "PKCS#7 signed-data contains no signed attributes.\n");
+ cm_log(0, "PKCS#7 signed-data contains no signed attributes.\n");
goto done;
}
ret = 0;
@@ -1146,7 +1167,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
if (*payload_length > 0) {
*payload = talloc_size(parent, *payload_length + 1);
if (*payload == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
goto done;
}
memcpy(*payload, s, *payload_length);
@@ -1154,12 +1175,6 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
}
}
done:
- if (ret != 0) {
- while ((error = ERR_get_error()) != 0) {
- ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
- }
- }
if (p7 != NULL) {
PKCS7_free(p7);
}
diff --git a/src/pkcs7.h b/src/pkcs7.h
index 097f7ca..fae52f8 100644
--- a/src/pkcs7.h
+++ b/src/pkcs7.h
@@ -63,4 +63,6 @@ int cm_pkcs7_verify_signed(unsigned char *data, size_t length,
size_t *recipient_nonce_length,
unsigned char **payload, size_t *payload_length);
+void log_pkcs7_errors(int level, char *msg);
+
#endif
diff --git a/src/scep.c b/src/scep.c
index b37711c..0b8bef9 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -428,11 +428,15 @@ main(int argc, const char **argv)
if ((rekey_message != NULL) && (strlen(rekey_message) != 0)) {
tmp1 = cm_submit_u_base64_from_text(rekey_message);
tmp2 = cm_store_base64_as_bin(ctx, tmp1, -1, &c);
- cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
+ i = cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
NULL, NULL, NID_pkcs7_data, ctx, NULL,
NULL, &msgtype, NULL, NULL,
NULL, NULL,
NULL, NULL, NULL, NULL);
+ if (i != 0) {
+ log_pkcs7_errors(0, "Error: failed to verify signature on "
+ "rekey PKCSReq.\n");
+ }
if ((msgtype == NULL) ||
((strcmp(msgtype, SCEP_MSGTYPE_PKCSREQ) != 0) &&
(strcmp(msgtype, SCEP_MSGTYPE_GETCERTINITIAL) != 0))) {
@@ -454,11 +458,15 @@ main(int argc, const char **argv)
if ((message != NULL) && (strlen(message) != 0)) {
tmp1 = cm_submit_u_base64_from_text(message);
tmp2 = cm_store_base64_as_bin(ctx, tmp1, -1, &c);
- cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
+ i = cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
NULL, NULL, NID_pkcs7_data, ctx, NULL,
&sent_tx, &msgtype, NULL, NULL,
&sent_nonce, &sent_nonce_length,
NULL, NULL, NULL, NULL);
+ if (i != 0) {
+ log_pkcs7_errors(0, "Error: failed to verify signature on "
+ "message.\n");
+ }
if ((msgtype == NULL) ||
((strcmp(msgtype, SCEP_MSGTYPE_PKCSREQ) != 0) &&
(strcmp(msgtype, SCEP_MSGTYPE_GETCERTINITIAL) != 0))) {
@@ -933,14 +941,16 @@ main(int argc, const char **argv)
&payload, &payload_length);
if (i != 0) {
printf(_("Error: failed to verify signature on "
- "server response.\n"));
- cm_log(1, "Error: failed to verify signature on "
- "server response.\n");
- while ((error = ERR_get_error()) != 0) {
+ "server response. "));
+ error = ERR_peek_last_error();
+ if (error != 0) {
memset(buf, '\0', sizeof(buf));
ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
+ printf("%s", buf);
}
+ printf("\n");
+ log_pkcs7_errors(0, "Error: failed to verify signature on "
+ "server response.\n");
s = cm_store_base64_from_bin(ctx, (unsigned char *) results2,
results_length2);
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
@@ -1050,26 +1060,7 @@ main(int argc, const char **argv)
p7 = d2i_PKCS7(NULL, &u, payload_length);
if (p7 == NULL) {
printf(_("Error: couldn't parse signed-data.\n"));
- while ((error = ERR_get_error()) != 0) {
- memset(buf, '\0', sizeof(buf));
- ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
- }
- s = cm_store_base64_from_bin(ctx,
- (unsigned char *) results2,
- results_length2);
- s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
- fprintf(stderr, "Full reply:\n%s", s);
- free(s);
- return CM_SUBMIT_STATUS_UNREACHABLE;
- }
- if (!PKCS7_type_is_enveloped(p7)) {
- printf(_("Error: signed-data payload is not enveloped-data.\n"));
- while ((error = ERR_get_error()) != 0) {
- memset(buf, '\0', sizeof(buf));
- ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
- }
+ log_pkcs7_errors(0, "Error: couldn't parse signed-data.\n");
s = cm_store_base64_from_bin(ctx,
(unsigned char *) results2,
results_length2);
@@ -1080,11 +1071,8 @@ main(int argc, const char **argv)
}
if (!PKCS7_type_is_enveloped(p7)) {
printf(_("Error: signed-data payload is not enveloped-data.\n"));
- while ((error = ERR_get_error()) != 0) {
- memset(buf, '\0', sizeof(buf));
- ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
- }
+ log_pkcs7_errors(0, "Error: signed-data payload is not "
+ "enveloped-data.\n");
s = cm_store_base64_from_bin(ctx,
(unsigned char *) results2,
results_length2);
@@ -1098,11 +1086,8 @@ main(int argc, const char **argv)
(p7->d.enveloped->enc_data->content_type == NULL) ||
(OBJ_obj2nid(p7->d.enveloped->enc_data->content_type) != NID_pkcs7_data)) {
printf(_("Error: enveloped-data payload is not data.\n"));
- while ((error = ERR_get_error()) != 0) {
- memset(buf, '\0', sizeof(buf));
- ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
- }
+ log_pkcs7_errors(0, "Error: enveloped-data payload is "
+ "not data.\n");
s = cm_store_base64_from_bin(ctx,
(unsigned char *) results2,
results_length2);
diff --git a/src/scepgen-n.c b/src/scepgen-n.c
index 8c67b12..ce73c31 100644
--- a/src/scepgen-n.c
+++ b/src/scepgen-n.c
@@ -86,14 +86,14 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
return;
}
if (sk_PKCS7_SIGNER_INFO_num(p7->d.sign->signer_info) != 1) {
- cm_log(1, "More than one signer, not sure what to do.\n");
+ cm_log(0, "More than one signer, not sure what to do.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
sinfo = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0);
salen = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, NULL, &PKCS7_ATTR_SIGN_it);
u = sabuf = malloc(salen);
if (sabuf == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
/* ASN1_item_i2d doesn't actually modify the passed-in pointer, which
@@ -101,7 +101,7 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
* that ourselves. */
l = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, &u, &PKCS7_ATTR_SIGN_it);
if (l != salen) {
- cm_log(1, "Error encoding attributes.\n");
+ cm_log(0, "Error encoding attributes.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -109,12 +109,12 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
digalg = cm_submit_n_tag_from_nid(OBJ_obj2nid(sinfo->digest_alg->algorithm));
sigalg = SEC_GetSignatureAlgorithmOidTag(privkey->keyType, digalg);
if (sigalg == SEC_OID_UNKNOWN) {
- cm_log(1, "Unable to match digest algorithm and key.\n");
+ cm_log(0, "Unable to match digest algorithm and key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
if (SEC_SignData(&signature, sabuf, salen, privkey,
sigalg) != SECSuccess) {
- cm_log(1, "Error re-signing: %s.\n",
+ cm_log(0, "Error re-signing: %s.\n",
PR_ErrorToName(PORT_GetError()));
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -143,7 +143,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
if (ca->cm_ca_encryption_cert == NULL) {
- cm_log(1, "Can't generate new SCEP request data without "
+ cm_log(0, "Can't generate new SCEP request data without "
"the RA/CA encryption certificate.\n");
_exit(CM_SUB_STATUS_NEED_SCEP_DATA);
}
@@ -166,12 +166,12 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
fprintf(status, "Error opening database "
"'%s': %s.\n",
entry->cm_key_storage_location, es);
- cm_log(1, "Error opening database '%s': %s.\n",
+ cm_log(0, "Error opening database '%s': %s.\n",
entry->cm_key_storage_location, es);
} else {
fprintf(status, "Error opening database '%s'.\n",
entry->cm_key_storage_location);
- cm_log(1, "Error opening database '%s'.\n",
+ cm_log(0, "Error opening database '%s'.\n",
entry->cm_key_storage_location);
}
switch (ec) {
@@ -190,7 +190,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
NSS_INIT_NOROOTINIT);
reason = util_n_fips_hook();
if (reason != NULL) {
- cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
+ cm_log(0, "Error putting NSS into FIPS mode: %s\n", reason);
_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
}
@@ -198,23 +198,23 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
cm_log(1, "Generating dummy key.\n");
key = EVP_PKEY_new();
if (key == NULL) {
- cm_log(1, "Error allocating new key.\n");
+ cm_log(0, "Error allocating new key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
exponent = BN_new();
if (exponent == NULL) {
- cm_log(1, "Error setting up exponent.\n");
+ cm_log(0, "Error setting up exponent.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
BN_set_word(exponent, CM_DEFAULT_RSA_EXPONENT);
rsa = RSA_new();
if (rsa == NULL) {
- cm_log(1, "Error allocating new RSA key.\n");
+ cm_log(0, "Error allocating new RSA key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
retry_gen:
if (RSA_generate_key_ex(rsa, CM_DEFAULT_PUBKEY_SIZE, exponent, NULL) != 1) {
- cm_log(1, "Error generating key.\n");
+ cm_log(0, "Error generating key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
if (RSA_check_key(rsa) != 1) { /* should be unnecessary */
@@ -228,7 +228,7 @@ retry_gen:
if ((keys->privkey->keyType != rsaKey) ||
((keys->privkey_next != NULL) &&
(keys->privkey_next->keyType != rsaKey))) {
- cm_log(1, "Keys aren't RSA. They won't work with SCEP.\n");
+ cm_log(0, "Keys aren't RSA. They won't work with SCEP.\n");
_exit(CM_SUB_STATUS_ERROR_KEY_TYPE);
}
diff --git a/src/scepgen-o.c b/src/scepgen-o.c
index 010abb7..a431815 100644
--- a/src/scepgen-o.c
+++ b/src/scepgen-o.c
@@ -76,14 +76,14 @@ key_from_file(const char *filename, struct cm_store_entry *entry)
keyfp = fopen(filename, "r");
if (keyfp == NULL) {
if (errno != ENOENT) {
- cm_log(1, "Error opening key file \"%s\" "
+ cm_log(0, "Error opening key file \"%s\" "
"for reading: %s.\n",
filename, strerror(errno));
}
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
if (cm_pin_read_for_key(entry, &pin) != 0) {
- cm_log(1, "Internal error reading key encryption PIN.\n");
+ cm_log(0, "Internal error reading key encryption PIN.\n");
_exit(CM_SUB_STATUS_ERROR_AUTH);
}
memset(&cb_data, 0, sizeof(cb_data));
@@ -93,24 +93,24 @@ key_from_file(const char *filename, struct cm_store_entry *entry)
cm_pin_read_for_key_ossl_cb, &cb_data);
if (pkey == NULL) {
error = errno;
- cm_log(1, "Error reading private key '%s': %s.\n",
+ cm_log(0, "Error reading private key '%s': %s.\n",
filename, strerror(error));
while ((error = ERR_get_error()) != 0) {
ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
+ cm_log(0, "%s\n", buf);
}
_exit(CM_SUB_STATUS_ERROR_AUTH); /* XXX */
} else {
if ((pin != NULL) &&
(strlen(pin) > 0) &&
(cb_data.n_attempts == 0)) {
- cm_log(1, "PIN was not needed to read private "
+ cm_log(0, "PIN was not needed to read private "
"key '%s', though one was provided. "
"Treating this as an error.\n",
filename);
while ((error = ERR_get_error()) != 0) {
ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
+ cm_log(0, "%s\n", buf);
}
_exit(CM_SUB_STATUS_ERROR_AUTH); /* XXX */
}
@@ -127,13 +127,13 @@ cert_from_pem(char *pem, struct cm_store_entry *entry)
if ((pem != NULL) && (strlen(pem) > 0)) {
in = BIO_new_mem_buf(pem, -1);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
BIO_free(in);
if (cert == NULL) {
- cm_log(1, "Error parsing certificate \"%s\".\n", pem);
+ cm_log(0, "Error parsing certificate \"%s\".\n", pem);
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
return cert;
@@ -155,19 +155,19 @@ certs_from_nickcerts(struct cm_nickcert **list)
if ((this->cm_cert != NULL) && (strlen(this->cm_cert) > 0)) {
in = BIO_new_mem_buf(this->cm_cert, -1);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
BIO_free(in);
if (cert == NULL) {
- cm_log(1, "Error parsing certificate.\n");
+ cm_log(0, "Error parsing certificate.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
if (sk == NULL) {
sk = sk_X509_new(util_o_cert_cmp);
if (sk == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
}
@@ -300,19 +300,19 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
in = BIO_new_mem_buf(data, data_length);
if (in == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
ret = PKCS7_sign(signer, key, certs, in, flags);
if (ret == NULL) {
- cm_log(1, "Error signing data.\n");
+ cm_log(0, "Error signing data.\n");
goto errors;
}
BIO_free(in);
/* Set the digest to use for signing. */
if (sk_PKCS7_SIGNER_INFO_num(ret->d.sign->signer_info) != 1) {
- cm_log(1, "Error signing data: %d signers.\n",
+ cm_log(0, "Error signing data: %d signers.\n",
sk_PKCS7_SIGNER_INFO_num(ret->d.sign->signer_info));
goto errors;
}
@@ -356,7 +356,7 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
PKCS7_content_new(ret, NID_pkcs7_data);
out = PKCS7_dataInit(ret, NULL);
if (out == NULL) {
- cm_log(1, "Error signing data.\n");
+ cm_log(0, "Error signing data.\n");
goto errors;
}
BIO_write(out, data, data_length);
@@ -366,7 +366,7 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
errors:
while ((error = ERR_get_error()) != 0) {
ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
+ cm_log(0, "%s\n", buf);
}
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -394,11 +394,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
util_o_init();
ERR_load_crypto_strings();
if (RAND_status() != 1) {
- cm_log(1, "PRNG not seeded for generating key.\n");
+ cm_log(0, "PRNG not seeded for generating key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
if (RAND_bytes(nonce, nonce_length) == -1) {
- cm_log(1, "PRNG unable to generate nonce.\n");
+ cm_log(0, "PRNG unable to generate nonce.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -410,14 +410,14 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
pem = cm_submit_u_pem_from_base64("CERTIFICATE", 0,
entry->cm_minicert);
if (pem == NULL) {
- cm_log(1, "Out of memory.\n");
+ cm_log(0, "Out of memory.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
new_cert = cert_from_pem(pem, entry);
if (new_cert == NULL) {
while ((error = ERR_get_error()) != 0) {
ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
+ cm_log(0, "%s\n", buf);
}
free(pem);
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
@@ -442,7 +442,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
cipher = cm_prefs_des;
}
else {
- cm_log(1, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher);
+ cm_log(0, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher);
_exit(1);
}
@@ -516,7 +516,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
digest = cm_prefs_md5;
}
else {
- cm_log(1, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest);
+ cm_log(0, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest);
_exit(1);
}
@@ -578,7 +578,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
ca->cm_ca_encryption_issuer_cert,
entry->cm_cert,
&old_ias, &old_ias_length) != 0) {
- cm_log(1, "Error generating enveloped issuer-and-subject.\n");
+ cm_log(0, "Error generating enveloped issuer-and-subject.\n");
free(pem);
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -590,7 +590,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
ca->cm_ca_encryption_issuer_cert,
pem,
&new_ias, &new_ias_length) != 0) {
- cm_log(1, "Error generating enveloped issuer-and-subject.\n");
+ cm_log(0, "Error generating enveloped issuer-and-subject.\n");
free(pem);
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -598,7 +598,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
if (cm_pkcs7_envelope_csr(ca->cm_ca_encryption_cert, cipher,
entry->cm_csr,
&csr, &csr_length) != 0) {
- cm_log(1, "Error generating enveloped CSR.\n");
+ cm_log(0, "Error generating enveloped CSR.\n");
+ while ((error = ERR_get_error()) != 0) {
+ ERR_error_string_n(error, buf, sizeof(buf));
+ cm_log(0, "%s\n", buf);
+ }
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -608,7 +612,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
* the matching key. */
pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(old_cert));
if (pubkey == NULL) {
- cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n");
+ cm_log(0, "Error generating PKCSREQ pkiMessage: error copying key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
util_X509_set_pubkey(old_cert, old_pkey);
@@ -639,7 +643,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
* if we do, we did that in another code path. */
pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert));
if (pubkey == NULL) {
- cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n");
+ cm_log(0, "Error generating PKCSREQ pkiMessage: error copying key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
util_X509_set_pubkey(new_cert, old_pkey);
@@ -673,7 +677,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
* any previously-issued certificate won't match. */
pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert));
if (pubkey == NULL) {
- cm_log(1, "Error generating rekeying PKCSREQ pkiMessage: error copying key.\n");
+ cm_log(0, "Error generating rekeying PKCSREQ pkiMessage: error copying key.\n");
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
util_X509_set_pubkey(new_cert, new_pkey);
@@ -703,7 +707,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
X509_free(new_cert);
while ((error = ERR_get_error()) != 0) {
ERR_error_string_n(error, buf, sizeof(buf));
- cm_log(1, "%s\n", buf);
+ cm_log(0, "%s\n", buf);
}
}
@@ -723,14 +727,14 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
if (ca->cm_ca_encryption_cert == NULL) {
- cm_log(1, "Can't generate new SCEP request data without "
+ cm_log(0, "Can't generate new SCEP request data without "
"the RA/CA encryption certificate.\n");
_exit(CM_SUB_STATUS_NEED_SCEP_DATA);
}
old_pkey = key_from_file(entry->cm_key_storage_location, entry);
if (old_pkey == NULL) {
- cm_log(1, "Error reading key from file \"%s\".\n",
+ cm_log(0, "Error reading key from file \"%s\".\n",
entry->cm_key_storage_location);
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
@@ -739,14 +743,14 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
filename = util_build_next_filename(entry->cm_key_storage_location,
entry->cm_key_next_marker);
if (filename == NULL) {
- cm_log(1, "Error opening key file \"%s\" "
+ cm_log(0, "Error opening key file \"%s\" "
"for reading: %s.\n",
filename, strerror(errno));
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
}
new_pkey = key_from_file(filename, entry);
if (new_pkey == NULL) {
- cm_log(1, "Error reading key from file \"%s\".\n",
+ cm_log(0, "Error reading key from file \"%s\".\n",
filename);
free(filename);
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
@@ -757,7 +761,7 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
if ((util_EVP_PKEY_base_id(old_pkey) != EVP_PKEY_RSA) ||
((new_pkey != NULL) && (util_EVP_PKEY_base_id(new_pkey) != EVP_PKEY_RSA))) {
- cm_log(1, "Keys aren't RSA. They won't work with SCEP.\n");
+ cm_log(0, "Keys aren't RSA. They won't work with SCEP.\n");
_exit(CM_SUB_STATUS_ERROR_KEY_TYPE);
}
diff --git a/src/scepgen.c b/src/scepgen.c
index eaf2b7c..115446f 100644
--- a/src/scepgen.c
+++ b/src/scepgen.c
@@ -32,7 +32,7 @@ cm_scepgen_start(struct cm_store_ca *ca, struct cm_store_entry *entry)
{
switch (entry->cm_key_storage_type) {
case cm_key_storage_none:
- cm_log(1, "Can't generate new SCEP data for %s('%s') without "
+ cm_log(0, "Can't generate new SCEP data for %s('%s') without "
"the key, and we don't know where that is or should "
"be.\n", entry->cm_busname, entry->cm_nickname);
break;
--
2.21.1


@ -1,33 +0,0 @@
From e4d0a60836e1ecbcd6390b88dceb2ca29d3179dc Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 27 Feb 2020 18:15:02 -0500
Subject: [PATCH 34/39] Add verbose option to SCEP CA if requested in
add-scep-ca
This option was silently dropped from the helper arguments even
if requested on the add-scep-ca CLI and was only passed to the
dbus helper.
Add as many -v as requested though the scep helper only logs at
most at level 1.
---
src/getcert.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/getcert.c b/src/getcert.c
index 4713dd1..3d78a73 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -4580,6 +4580,9 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
certs ? "-I" : "",
certs ? shell_escape(globals.tctx, certs) : "",
prefer_non_renewal ? "-n" : "");
+ for (c = 0; c < verbose; c++) {
+ command = talloc_strdup_append(command, " -v");
+ }
if (command == NULL) {
printf(_("Error building command line.\n"));
exit(1);
--
2.21.1


@ -1,422 +0,0 @@
From 0897d5131489c7eac21d558625c30d23b0a1774d Mon Sep 17 00:00:00 2001
From: Your Name <you@example.com>
Date: Tue, 14 Apr 2020 13:17:14 +0000
Subject: [PATCH 35/39] Cleanup the SCEP helper curl and talloc contexts when
finished
The talloc context was freed in only a few cases and the curl
context was never freed.
---
src/scep.c | 127 ++++++++++++++++++++++++++++++++-----------------
src/submit-h.c | 15 +++++-
src/submit-h.h | 1 +
3 files changed, 97 insertions(+), 46 deletions(-)
diff --git a/src/scep.c b/src/scep.c
index 0b8bef9..4d00692 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -199,7 +199,7 @@ int
main(int argc, const char **argv)
{
const char *url = NULL, *results = NULL, *results2 = NULL;
- struct cm_submit_h_context *hctx;
+ struct cm_submit_h_context *hctx = NULL;
int c, verbose = 0, results_length = 0, results_length2 = 0, i;
int prefer_non_renewal = 0, can_renewal = 0;
int response_code = 0, response_code2 = 0;
@@ -225,7 +225,8 @@ main(int argc, const char **argv)
size_t payload_length;
long error;
PKCS7 *p7;
- poptContext pctx;
+ int rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ poptContext pctx = NULL;
struct poptOption popts[] = {
{"url", 'u', POPT_ARG_STRING, &url, 0, "service location", "URL"},
{"ca-identifier", 'i', POPT_ARG_STRING, &id, 0, "name to use when querying for capabilities", "IDENTIFIER"},
@@ -388,8 +389,8 @@ main(int argc, const char **argv)
}
if ((message == NULL) || (strlen(message) == 0)) {
printf(_("Error reading request. Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n"));
- free(cainfo);
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ goto done;
}
/* First step: read capabilities for our use. */
params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
@@ -408,8 +409,8 @@ main(int argc, const char **argv)
}
if ((message == NULL) || (strlen(message) == 0)) {
printf(_("Error reading request. Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n"));
- free(cainfo);
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ goto done;
}
/* First step: read capabilities for our use. */
params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
@@ -420,8 +421,8 @@ main(int argc, const char **argv)
/* Supply help output, if it's needed. */
if (missing_args) {
poptPrintUsage(pctx, stdout, 0);
- free(cainfo);
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto done;
}
/* Check the rekey PKCSReq message, if we have one. */
@@ -505,7 +506,6 @@ main(int argc, const char **argv)
verbose > 1 ?
cm_submit_h_curl_verbose_on :
cm_submit_h_curl_verbose_off);
- free(cainfo);
cm_submit_h_run(hctx);
content_type = cm_submit_h_result_type(hctx);
if (content_type == NULL) {
@@ -551,7 +551,8 @@ main(int argc, const char **argv)
}
if ((tmp2 == NULL) || (strlen(tmp2) == 0)) {
printf(_("Error reading request. Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n"));
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ goto done;
} else
if (verbose > 0) {
if (tmp2 == rekey_message) {
@@ -576,7 +577,8 @@ main(int argc, const char **argv)
}
if ((tmp2 == NULL) || (strlen(tmp2) == 0)) {
printf(_("Error reading request. Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n"));
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
+ goto done;
} else
if (verbose > 0) {
if (tmp2 == rekey_message) {
@@ -638,7 +640,8 @@ main(int argc, const char **argv)
cm_submit_h_result_code(hctx),
url);
}
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
switch (op) {
case op_unset:
@@ -651,16 +654,19 @@ main(int argc, const char **argv)
response_code, url);
if (response_code == 500) {
/* The server might recover, right? */
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
} else {
/* Maybe not? */
- return CM_SUBMIT_STATUS_REJECTED;
+ rval = CM_SUBMIT_STATUS_REJECTED;
+ goto done;
}
}
if (results == NULL) {
printf(_("Internal error: no response to \"%s?%s\".\n"),
url, params);
- return CM_SUBMIT_STATUS_REJECTED;
+ rval = CM_SUBMIT_STATUS_REJECTED;
+ goto done;
}
break;
case op_get_cert_initial:
@@ -685,10 +691,12 @@ main(int argc, const char **argv)
fprintf(stderr, "Result is surprisingly large, "
"suppressing it.\n");
}
- return CM_SUBMIT_STATUS_REJECTED;
+ rval = CM_SUBMIT_STATUS_REJECTED;
+ goto done;
}
printf("%s\n", results);
- return CM_SUBMIT_STATUS_ISSUED;
+ rval = CM_SUBMIT_STATUS_ISSUED;
+ goto done;
break;
case op_get_ca_certs:
if ((strcasecmp(content_type,
@@ -697,7 +705,8 @@ main(int argc, const char **argv)
"application/x-x509-ca-ra-cert") != 0)) {
printf(_("Server reply was of unexpected MIME type "
"\"%s\".\n"), content_type);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (racert == NULL) {
racertp = &racert;
@@ -710,7 +719,8 @@ main(int argc, const char **argv)
n_buffers + 1);
if ((buffers == NULL) || (lengths == NULL)) {
fprintf(stderr, "Out of memory.\n");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
buffers[n_buffers] = (unsigned char *) racert;
lengths[n_buffers] = strlen(racert);
@@ -727,7 +737,8 @@ main(int argc, const char **argv)
n_buffers + 1);
if ((buffers == NULL) || (lengths == NULL)) {
fprintf(stderr, "Out of memory.\n");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
buffers[n_buffers] = (unsigned char *) cacert;
lengths[n_buffers] = strlen(cacert);
@@ -741,7 +752,8 @@ main(int argc, const char **argv)
n_buffers + 1);
if ((buffers == NULL) || (lengths == NULL)) {
fprintf(stderr, "Out of memory.\n");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
buffers[n_buffers] = (unsigned char *) results;
lengths[n_buffers] = results_length;
@@ -755,7 +767,8 @@ main(int argc, const char **argv)
n_buffers + 1);
if ((buffers == NULL) || (lengths == NULL)) {
fprintf(stderr, "Out of memory.\n");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
buffers[n_buffers] = (unsigned char *) results2;
lengths[n_buffers] = results_length2;
@@ -850,7 +863,8 @@ main(int argc, const char **argv)
n_buffers + 1);
if ((buffers == NULL) || (lengths == NULL)) {
fprintf(stderr, "Out of memory.\n");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
buffers[n_buffers] = (unsigned char *) results2;
lengths[n_buffers] = results_length2;
@@ -882,11 +896,11 @@ main(int argc, const char **argv)
}
}
}
- talloc_free(ctx);
- return CM_SUBMIT_STATUS_ISSUED;
+ rval = CM_SUBMIT_STATUS_ISSUED;
+ goto done;
} else {
- talloc_free(ctx);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
break;
case op_get_cert_initial:
@@ -957,42 +971,50 @@ main(int argc, const char **argv)
fprintf(stderr, "%s", s);
cm_log(1, "%s", s);
free(s);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if ((msgtype == NULL) ||
(strcmp(msgtype, SCEP_MSGTYPE_CERTREP) != 0)) {
printf(_("Error: reply was not a CertRep (%s).\n"),
msgtype ? msgtype : "none");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (tx == NULL) {
printf(_("Error: reply is missing transactionId.\n"));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (sent_tx != NULL) {
if (strcmp(sent_tx, tx) != 0) {
printf(_("Error: reply contains a "
"different transactionId.\n"));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
}
if (pkistatus == NULL) {
printf(_("Error: reply is missing pkiStatus.\n"));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (recipient_nonce == NULL) {
printf(_("Error: reply is missing recipientNonce.\n"));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if ((recipient_nonce_length != sent_nonce_length) ||
(memcmp(recipient_nonce, sent_nonce,
sent_nonce_length) != 0)) {
printf(_("Error: reply nonce doesn't match request.\n"));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (sender_nonce == NULL) {
printf(_("Error: reply is missing senderNonce.\n"));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (strcmp(pkistatus, SCEP_PKISTATUS_PENDING) == 0) {
if (verbose > 0) {
@@ -1002,7 +1024,8 @@ main(int argc, const char **argv)
s = cm_store_base64_from_bin(ctx, sender_nonce,
sender_nonce_length);
printf("%s\n", s);
- return CM_SUBMIT_STATUS_WAIT;
+ rval = CM_SUBMIT_STATUS_WAIT;
+ goto done;
} else
if (strcmp(pkistatus, SCEP_PKISTATUS_FAILURE) == 0) {
if (verbose > 0) {
@@ -1050,7 +1073,8 @@ main(int argc, const char **argv)
printf(_("Server returned failure code \"%s\".\n"),
failinfo);
}
- return CM_SUBMIT_STATUS_REJECTED;
+ rval = CM_SUBMIT_STATUS_REJECTED;
+ goto done;
} else
if (strcmp(pkistatus, SCEP_PKISTATUS_SUCCESS) == 0) {
if (verbose > 0) {
@@ -1067,7 +1091,8 @@ main(int argc, const char **argv)
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
fprintf(stderr, "Full reply:\n%s", s);
free(s);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if (!PKCS7_type_is_enveloped(p7)) {
printf(_("Error: signed-data payload is not enveloped-data.\n"));
@@ -1079,7 +1104,8 @@ main(int argc, const char **argv)
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
fprintf(stderr, "Full reply:\n%s", s);
free(s);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
if ((p7->d.enveloped == NULL) ||
(p7->d.enveloped->enc_data == NULL) ||
@@ -1094,29 +1120,42 @@ main(int argc, const char **argv)
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
fprintf(stderr, "Full reply:\n%s", s);
free(s);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
s = cm_store_base64_from_bin(ctx, payload,
payload_length);
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
printf("%s", s);
free(s);
- return CM_SUBMIT_STATUS_ISSUED;
+ rval = CM_SUBMIT_STATUS_ISSUED;
+ goto done;
} else {
if (verbose > 0) {
fprintf(stderr, "SCEP status is \"%s\".\n", pkistatus);
}
printf(_("Error: pkiStatus \"%s\" not recognized.\n"),
pkistatus);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
} else {
printf(_("Server reply was of unexpected MIME type "
"\"%s\".\n"), content_type);
printf("Full reply:\n%.*s", results_length2, results2);
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto done;
}
break;
}
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+
+done:
+ if (pctx) {
+ poptFreeContext(pctx);
+ }
+ free(cainfo);
+ free(id);
+ cm_submit_h_cleanup(hctx);
+ talloc_free(ctx);
+ return rval;
}
diff --git a/src/submit-h.c b/src/submit-h.c
index 33f9b39..9b507db 100644
--- a/src/submit-h.c
+++ b/src/submit-h.c
@@ -298,6 +298,15 @@ cm_submit_h_result_type(struct cm_submit_h_context *ctx)
return ret;
}
+void
+cm_submit_h_cleanup(struct cm_submit_h_context *ctx)
+{
+
+ if (ctx != NULL && ctx->curl != NULL) {
+ curl_easy_cleanup(ctx->curl);
+ }
+}
+
#ifdef CM_SUBMIT_H_MAIN
int
main(int argc, const char **argv)
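Review bot: `cm_submit_h_cleanup()` calls `curl_easy_cleanup(ctx->curl)` but leaves `ctx->curl` pointing at the freed handle, so a second call, or any later use of the context, would operate on a dangling pointer. Clear it after the cleanup: `ctx->curl = NULL;`. A one-line header comment stating that only the curl handle is released and the context struct itself is not freed would also help callers, since the name suggests a full teardown.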
@@ -307,7 +316,7 @@ main(int argc, const char **argv)
enum cm_submit_h_opt_negotiate negotiate;
enum cm_submit_h_opt_delegate negotiate_delegate;
enum cm_submit_h_opt_clientauth clientauth;
- int c, fd, l, verbose = 0, length = 0;
+ int c, fd, l, verbose = 0, length = 0, rval = 0;
char *ctype, *accept, *capath, *cainfo, *sslcert, *sslkey, *sslpass;
char *pinfile;
const char *method, *url;
@@ -423,6 +432,8 @@ main(int argc, const char **argv)
cm_submit_h_result_code(ctx),
cm_submit_h_result_code_text(ctx));
}
- return cm_submit_h_result_code(ctx);
+ rval = cm_submit_h_result_code(ctx);
+ cm_submit_h_cleanup(ctx);
+ return rval;
}
#endif
diff --git a/src/submit-h.h b/src/submit-h.h
index 1283c53..931cc89 100644
--- a/src/submit-h.h
+++ b/src/submit-h.h
@@ -61,5 +61,6 @@ int cm_submit_h_result_code(struct cm_submit_h_context *ctx);
const char *cm_submit_h_result_code_text(struct cm_submit_h_context *ctx);
const char *cm_submit_h_results(struct cm_submit_h_context *ctx, int *length);
const char *cm_submit_h_result_type(struct cm_submit_h_context *ctx);
+void cm_submit_h_cleanup(struct cm_submit_h_context *ctx);
#endif
--
2.21.1


@ -1,232 +0,0 @@
From b3dad1c94f2fca289fdf22ded38a1f1463bab95f Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 15 Apr 2020 17:16:42 -0400
Subject: [PATCH 36/39] Re-order the way the SCEP signing and CA certs are
collected
Put cacert into the ca store, the racert at the top of the
othercerts list. Then we parse certs, placing all ca certs
we find into the ca store, and all other certs we find after
the racert.
Variables are renamed to match the cm_pkcs7_parse() and
cm_pkcs7_verify_signed() calls.
A special case for IPA (dogtag) was added because dogtag
uses its CA cert to sign the PKCS7 so it is both an RA cert
and a CA cert. If a self-signed CA is detected and no other
certs are provided then the CA is treated as the RA.
https://bugzilla.redhat.com/show_bug.cgi?id=1808052
Graham Leggett did the majority of the work on this patch.
---
src/pkcs7.c | 18 +++++++++
src/pkcs7.h | 1 +
src/scep.c | 104 +++++++++++++++++++++++++++++++++++-----------------
3 files changed, 89 insertions(+), 34 deletions(-)
diff --git a/src/pkcs7.c b/src/pkcs7.c
index 29420b9..f81174f 100644
--- a/src/pkcs7.c
+++ b/src/pkcs7.c
@@ -1189,3 +1189,21 @@ done:
}
return ret;
}
+
+/* Return 0 if we think "issuer" could have issued "issued", which includes
+ * self-signing. */
+int
+cm_selfsigned(char *cert)
+{
+ BIO *in;
+ X509 *c;
+
+ in = BIO_new_mem_buf(cert, -1);
+ if (in == NULL) {
+ cm_log(0, "Out of memory.\n");
+ return 1;
+ }
+ c = PEM_read_bio_X509(in, NULL, NULL, NULL);
+ BIO_free(in);
+ return(issuerissued(c, c));
+}
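Review bot: `PEM_read_bio_X509()` returns NULL on malformed or non-certificate PEM, and that NULL is handed straight to `issuerissued()` without a check; the parsed `X509` is also never released, so every call leaks one certificate. The header comment is copied from `issuerissued()` and describes a two-certificate relation, not this function — replace it with `/* Return 0 if the PEM certificate "cert" is self-signed, non-zero otherwise or on parse failure. */`. Because a non-zero result simply makes the caller skip the IPA special case, failing closed on a parse error is the safe default here.
```c
	BIO *in;
	X509 *c;
	int ret;

	/* … unchanged: BIO_new_mem_buf and its NULL check … */
	c = PEM_read_bio_X509(in, NULL, NULL, NULL);
	BIO_free(in);
	if (c == NULL) {
		cm_log(0, "Error parsing certificate.\n");
		return 1;
	}
	ret = issuerissued(c, c);
	X509_free(c);
	return ret;
```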
diff --git a/src/pkcs7.h b/src/pkcs7.h
index fae52f8..cbde1bc 100644
--- a/src/pkcs7.h
+++ b/src/pkcs7.h
@@ -62,6 +62,7 @@ int cm_pkcs7_verify_signed(unsigned char *data, size_t length,
unsigned char **recipient_nonce,
size_t *recipient_nonce_length,
unsigned char **payload, size_t *payload_length);
+int cm_selfsigned(char *cert);
void log_pkcs7_errors(int level, char *msg);
diff --git a/src/scep.c b/src/scep.c
index 4d00692..b80278e 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -211,12 +211,12 @@ main(int argc, const char **argv)
const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;
void *ctx;
char *params = "", *params2 = NULL, *racert = NULL, *cacert = NULL;
- char **othercerts = NULL, *cert1 = NULL, *cert2 = NULL, *certs = NULL;
+ char **certothers = NULL, *certleaf = NULL, *certtop = NULL, *certs = NULL;
char **racertp, **cacertp, *dracert = NULL, *dcacert = NULL;
char buf[LINE_MAX] = "";
const unsigned char **buffers = NULL;
size_t n_buffers = 0, *lengths = NULL, j;
- const char *cacerts[3], **racerts;
+ const char *root[3], **othercerts;
dbus_bool_t missing_args = FALSE;
char *sent_tx, *tx, *msgtype, *pkistatus, *failinfo, *s, *tmp1, *tmp2;
unsigned char *sent_nonce, *sender_nonce, *recipient_nonce, *payload;
@@ -871,27 +871,27 @@ main(int argc, const char **argv)
n_buffers++;
}
if (cm_pkcs7_parsev(CM_PKCS7_LEAF_PREFER_ENCRYPT, ctx,
- racertp, cacertp, &othercerts,
+ racertp, cacertp, &certothers,
NULL, NULL,
n_buffers, buffers, lengths) == 0) {
if (racert != NULL) {
printf("%s", racert);
if (cacert != NULL) {
printf("%s", cacert);
- if (othercerts != NULL) {
+ if (certothers != NULL) {
for (c = 0;
- othercerts[c] != NULL;
+ certothers[c] != NULL;
c++) {
printf("%s",
- othercerts[c]);
+ certothers[c]);
}
}
if ((dracert != NULL) &&
- (cert_among(dracert, racert, cacert, othercerts) != 0)) {
+ (cert_among(dracert, racert, cacert, certothers) != 0)) {
printf("%s", dracert);
}
if ((dcacert != NULL) &&
- (cert_among(dcacert, racert, cacert, othercerts) != 0)) {
+ (cert_among(dcacert, racert, cacert, certothers) != 0)) {
printf("%s", dcacert);
}
}
@@ -907,47 +907,83 @@ main(int argc, const char **argv)
case op_pkcsreq:
if ((content_type2 != NULL) && (strcasecmp(content_type2,
"application/x-pki-message") == 0)) {
- memset(&cacerts, 0, sizeof(cacerts));
- cacerts[0] = cacert ? cacert : racert;
- cacerts[1] = cacert ? racert : NULL;
- cacerts[2] = NULL;
- racerts = NULL;
+ /*
+ * At this point, we have:
+ * - zero or more ra certs; and
+ * - zero or more ca certificates; and
+ * - zero or more other certificates; that
+ * need to be reordered so that the leaf
+ * certificates go first, the ca certificates
+ * are separated into a seperate certificate
+ * store, and the other certificates go after
+ * the leaf certificates.
+ *
+ * To do this we put cacert into the ca store,
+ * the racert at the top of the othercerts list.
+ * Then we parse certs, placing all ca certs
+ * we find into the ca store, and all other
+ * certs we find after the racert.
+ *
+ * As a limitation of cm_pkcs7_parse(), we
+ * can only isolate one ca certificate in the
+ * list of other certificates.
+ */
+ /* handle the other certs */
if ((certs != NULL) &&
(cm_pkcs7_parse(0, ctx,
- &cert1, &cert2, &othercerts,
+ &certleaf, &certtop, &certothers,
NULL, NULL,
(const unsigned char *) certs,
strlen(certs), NULL) == 0)) {
- for (c = 0;
- (othercerts != NULL) &&
- (othercerts[c] != NULL);
- c++) {
- continue;
+ /* Special case for IPA which uses dogtag which signs SCEP
+ * certs using the CA cert and the typical way to get
+ * verification to work is to use -I /etc/ipa/ca.crt.
+ * Because cm_pkcs7_parse explicitly doesn't allow
+ * certleaf to equal certtop we end up with no CAs so verification
+ * fails.
+ *
+ * So if cacert and certleaf are both NULL and certtop is
+ * self-signed then assume the IPA case and set certtop equal
+ * to certleaf.
+ */
+ if ((cacert == NULL) && (certtop == NULL) && (certleaf != NULL)) {
+ if (cm_selfsigned(certleaf) == 0) {
+ certtop = certleaf;
+ }
}
- racerts = talloc_array_ptrtype(ctx, racerts, c + 5);
+ memset(&root, 0, sizeof(root));
+ root[0] = cacert ? cacert : certtop ? certtop : NULL;
+ root[1] = cacert ? certtop : NULL;
+ root[2] = NULL;
for (c = 0;
- (othercerts != NULL) &&
- (othercerts[c] != NULL);
+ (certothers != NULL) &&
+ (certothers[c] != NULL);
c++) {
- racerts[c] = othercerts[c];
- }
- if (cacert != NULL) {
- racerts[c++] = cacert;
+ continue;
}
- if (cert1 != NULL) {
- racerts[c++] = cert1;
+ othercerts = talloc_array_ptrtype(ctx, othercerts, c + 3);
+ c = 0;
+ if (racert != NULL) {
+ othercerts[c++] = racert;
}
- if (cert2 != NULL) {
- racerts[c++] = cert2;
+ if (certleaf != NULL) {
+ othercerts[c++] = certleaf;
}
- if (racert != NULL) {
- racerts[c++] = racert;
+ while (certothers != NULL && *certothers != NULL) {
+ othercerts[c++] = *certothers++;
}
- racerts[c++] = NULL;
+ othercerts[c++] = NULL;
+ }
+ else {
+ root[0] = cacert;
+ root[1] = NULL;
+ othercerts = talloc_array_ptrtype(ctx, othercerts, 2);
+ othercerts[0] = racert ? racert : NULL;
+ othercerts[1] = NULL;
}
ERR_clear_error();
i = cm_pkcs7_verify_signed((unsigned char *) results2, results_length2,
- cacerts, racerts,
+ root, othercerts,
NID_pkcs7_data, ctx, NULL,
&tx, &msgtype, &pkistatus, &failinfo,
&sender_nonce, &sender_nonce_length,
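Review bot: Both `talloc_array_ptrtype()` results for `othercerts` (the `-I` branch and the `else` branch) are used without a NULL check, whereas the `buffers`/`lengths` allocations earlier in this function bail out with `CM_SUBMIT_STATUS_UNREACHABLE` on failure; add the same guard, e.g. `if (othercerts == NULL) { rval = CM_SUBMIT_STATUS_UNREACHABLE; goto done; }`. Also, when `certs` was supplied but `cm_pkcs7_parse()` fails, control falls silently into the `else` branch and verification proceeds with only `cacert`/`racert`, so a bad `-I` file surfaces as a signature failure rather than a parse error — a `cm_log(1, ...)` on that path would make it diagnosable. main() continues outside this hunk.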
--
2.21.1


@ -1,173 +0,0 @@
From 37ebf87fb6fc93d445139310a1c89b98f3f514de Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Apr 2020 16:29:50 -0400
Subject: [PATCH 37/39] Add new option to allow overriding the detected SCEP CA
chain
The -R option was doing double-duty for the SCEP CA.
1. It was required if the SCEP URL used TLS
2. It override the CA certificate downloaded from the SCEP server
If the chains were different then validating the SCEP responses would
fail.
https://bugzilla.redhat.com/show_bug.cgi?id=1808613
---
src/certmonger-scep-submit.8.in | 14 +++++++++-----
src/getcert-add-scep-ca.1.in | 12 ++++++++----
src/getcert.c | 6 +++++-
src/scep.c | 13 ++++++-------
4 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in
index 95d674a..42ffcd6 100644
--- a/src/certmonger-scep-submit.8.in
+++ b/src/certmonger-scep-submit.8.in
@@ -8,6 +8,7 @@ scep-submit -u SERVER-URL
[-r ra-cert-file]
[-R ca-cert-file]
[-I other-certs-file]
+[-N ca-cert-file]
[-i ca-identifier]
[-v]
[-n]
@@ -57,11 +58,14 @@ typically \fIhttp://\fBSERVER\fP/cgi-bin/PKICLIENT.EXE\fR or
always required.
.TP
\fB\-R\fR CA-certificate-file
-The location of the SCEP server's CA certificate, which was used to
-issue the SCEP server's certificate, or the SCEP server's own
-certificate, if it is self-signed, in PEM form. If the URL specified
-with the \fB-u\fR option is an \fIhttps\fR URL, then this option is
-required.
+The location of the CA certificate which was used to issue the SCEP web
+server's certificate in PEM form. If the URL specified with the
+\fB-u\fR option is an \fIhttps\fR URL, then this option is required.
+.TP
+\fB\-N\fR ca-certificate-file
+The location of a PEM-formatted copy of the SCEP server's CA certificate.
+A discovered value is normally supplied by the certmonger daemon, but one can
+be specified for troubleshooting purposes.
.TP
\fB\-r\fR RA-certificate-file
The location of the SCEP server's RA certificate, which is expected to
diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
index 11ab4ce..bf07306 100644
--- a/src/getcert-add-scep-ca.1.in
+++ b/src/getcert-add-scep-ca.1.in
@@ -24,12 +24,16 @@ The location of the SCEP server's enrollment interface. This option must be
specified.
.TP
\fB\-R\fR ca-certificate-file
-The location of a PEM-formatted copy of the SCEP server's CA's certificate.
-A discovered value is supplied by the certmonger daemon for use in verifying
-the signature on data returned by the SCEP server, but it is not used for
-verifying HTTPS server certificates.
+The location of a PEM-formatted copy of the CA's certificate used to verify
+the TLS connection the SCEP server.
+
This option must be specified if the URL is an \fIhttps\fR location.
.TP
+\fB\-N\fR ca-certificate-file
+The location of a PEM-formatted copy of the SCEP server's CA certificate.
+A discovered value is normally supplied by the certmonger daemon, but one can
+be specified for troubleshooting purposes.
+.TP
\fB\-r\fR ra-certificate-file
The location of a PEM-formatted copy of the SCEP server's RA's certificate.
A discovered value is normally supplied by the certmonger daemon, but one can
diff --git a/src/getcert.c b/src/getcert.c
index 3d78a73..493771f 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -4496,6 +4496,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS;
char *caname = NULL, *url = NULL, *path = NULL, *id = NULL;
char *root = NULL, *racert = NULL, *certs = NULL, *nickname, *command;
+ char *signingca = NULL;
const char *err;
int c, prefer_non_renewal = 0, verbose = 0;
dbus_bool_t b;
@@ -4508,6 +4509,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
{"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},
{"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},
{"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
+ {"signingca", 'N', POPT_ARG_STRING, NULL, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},
{"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},
{"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},
@@ -4569,7 +4571,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
return 1;
}
command = talloc_asprintf(globals.tctx,
- "%s -u %s %s %s %s %s %s %s %s",
+ "%s -u %s %s %s %s %s %s %s %s %s %s",
shell_escape(globals.tctx,
CM_SCEP_HELPER_PATH),
shell_escape(globals.tctx, url),
@@ -4579,6 +4581,8 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
racert ? shell_escape(globals.tctx, racert) : "",
certs ? "-I" : "",
certs ? shell_escape(globals.tctx, certs) : "",
+ signingca ? "-N" : "",
+ signingca ? shell_escape(globals.tctx, signingca) : "",
prefer_non_renewal ? "-n" : "");
for (c = 0; c < verbose; c++) {
command = talloc_strdup_append(command, " -v");
diff --git a/src/scep.c b/src/scep.c
index b80278e..4294cda 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -206,7 +206,6 @@ main(int argc, const char **argv)
enum known_ops op = op_unset;
const char *id = NULL;
char *cainfo = NULL;
- char *poptarg;
char *message = NULL, *rekey_message = NULL;
const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;
void *ctx;
@@ -235,8 +234,9 @@ main(int argc, const char **argv)
{"get-initial-cert", 'g', POPT_ARG_NONE, NULL, 'g', "send a PKIOperation pkiMessage", NULL},
{"pki-message", 'p', POPT_ARG_NONE, NULL, 'p', "send a PKIOperation pkiMessage", NULL},
{"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"},
- {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying responses", "FILENAME"},
+ {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying TLS connections", "FILENAME"},
{"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', "additional certificates", "FILENAME"},
+ {"signingca", 'N', POPT_ARG_STRING, NULL, 'N', "the CA certificate which signed the RA certificate", "FILENAME"},
{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, "prefer to not use the SCEP Renewal feature", NULL},
{"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL},
POPT_AUTOHELP
@@ -329,9 +329,10 @@ main(int argc, const char **argv)
racert = cm_submit_u_from_file(poptGetOptArg(pctx));
break;
case 'R':
- poptarg = poptGetOptArg(pctx);
- cainfo = strdup(poptarg);
- cacert = cm_submit_u_from_file(poptarg);
+ cainfo = poptGetOptArg(pctx);
+ break;
+ case 'N':
+ cacert = cm_submit_u_from_file(poptGetOptArg(pctx));
break;
case 'I':
certs = cm_submit_u_from_file(poptGetOptArg(pctx));
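Review bot: With this hunk `-R` no longer populates `cacert`, so an existing CA definition that pinned the response-signing CA with `-R` alone silently loses that pin unless `-N` is added (or the daemon supplies the discovered CA through a channel this patch does not show); verification then depends on whatever the fallback selects from `-I` or the RA certificate. A sentence in the `-R` man-page text pointing at `-N` for signature verification would make that migration explicit. Separately, `cainfo = poptGetOptArg(pctx);` now holds a string that popt documents as caller-freed, and the matching `free(cainfo)` at `done:` is dropped further down, so it is leaked — minor in a short-lived helper, but the free was there before. The enclosing option loop starts outside this hunk.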
@@ -340,7 +341,6 @@ main(int argc, const char **argv)
}
if (c != -1) {
poptPrintUsage(pctx, stdout, 0);
- free(cainfo);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
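Review bot: This early exit still uses a bare `return CM_SUBMIT_STATUS_UNCONFIGURED;` after `poptPrintUsage()`, bypassing the `done:` cleanup (`poptFreeContext`, `talloc_free(ctx)`) that every other exit in this function now goes through, and removing the `free(cainfo)` here leaves it as the one path that skips the common teardown. Use `rval = CM_SUBMIT_STATUS_UNCONFIGURED; goto done;` for consistency; `hctx` is still NULL at this point and `cm_submit_h_cleanup()` tolerates that.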
@@ -1189,7 +1189,6 @@ done:
if (pctx) {
poptFreeContext(pctx);
}
- free(cainfo);
free(id);
cm_submit_h_cleanup(hctx);
talloc_free(ctx);
--
2.21.1


@ -1,53 +0,0 @@
From 914164383085c6559f0f5fe608385c3024095f74 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Apr 2020 16:33:35 -0400
Subject: [PATCH 38/39] Include template-profile, issuer and MS cert template
in output
---
src/getcert.c | 16 ++++++++++++++++
tests/028-dbus/expected.out | 1 +
2 files changed, 17 insertions(+)
diff --git a/src/getcert.c b/src/getcert.c
index 493771f..42281af 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -3882,6 +3882,22 @@ list(const char *argv0, int argc, const char **argv)
printf("\t\t%s\n", as[j]);
}
}
+ s1 = query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
+ CM_DBUS_PROP_TEMPLATE_PROFILE, verbose, globals.tctx);
+ if (s1 != NULL && strlen(s1) > 0) {
+ printf(_("\tprofile: %s\n"), s1);
+ }
+ s1 = query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
+ CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE,
+ verbose, globals.tctx);
+ if (s1 != NULL && strlen(s1) > 0) {
+ printf(_("\tms v2 template: %s\n"), s1);
+ }
+ s1 = query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
+ CM_DBUS_PROP_TEMPLATE_ISSUER, verbose, globals.tctx);
+ if (s1 != NULL && strlen(s1) > 0) {
+ printf(_("\tissuer template: %s\n"), s1);
+ }
printf(_("\tpre-save command: %s\n"),
query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
CM_DBUS_PROP_CERT_PRESAVE_COMMAND, verbose, globals.tctx));
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
index 1d8bec4..a25eb34 100644
--- a/tests/028-dbus/expected.out
+++ b/tests/028-dbus/expected.out
@@ -15,6 +15,7 @@ Request ID 'Buddy':
key usage: digitalSignature,dataEncipherment
eku: id-kp-serverAuth
certificate template/profile: SomeProfileName
+ profile: SomeProfileName
pre-save command: echo Pre
post-save command: echo Post
track: yes
--
2.21.1


@ -1,26 +0,0 @@
From 97ede42bda0cb8a983de30fc0608763ae6c2199f Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Apr 2020 16:34:53 -0400
Subject: [PATCH 39/39] Fix broken -N option configuration
There was an extra NULL value which caused it to not work.
---
src/getcert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/getcert.c b/src/getcert.c
index 42281af..5c8dc94 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -4525,7 +4525,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
{"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},
{"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},
{"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
- {"signingca", 'N', POPT_ARG_STRING, NULL, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
+ {"signingca", 'N', POPT_ARG_STRING, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},
{"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},
{"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},
--
2.21.1


@ -1,52 +0,0 @@
From c9c326e1878a377ce4193aaa4b1b41cb711b5e48 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 30 Apr 2020 12:46:41 -0400
Subject: [PATCH] Address an include issue discovered by coverity
nspr.h isn't included so use PORT_ErrorToString() instead
of PR_ErrorToString(), and remain consistent with the
other PORT calls even though they directly translate
to their NSPR equivalents.
Also remove a couple of unused variables in pkcs7.c
---
src/pkcs7.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/pkcs7.c b/src/pkcs7.c
index f81174f..a569256 100644
--- a/src/pkcs7.c
+++ b/src/pkcs7.c
@@ -57,6 +57,9 @@
#define _(_text) (_text)
#endif
+/* taken from nspr4.h */
+#define PR_LANGUAGE_I_DEFAULT 0 /* i-default, the default language */
+
/* Return 0 if we think "issuer" could have issued "issued", which includes
* self-signing. */
static int
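Review bot: The added `#define PR_LANGUAGE_I_DEFAULT 0` has no remaining user once `PR_ErrorToString(nss_err, 0)` is replaced by `PORT_ErrorToString(nss_err)` in the next hunk, so the define is dead on arrival, and the `/* taken from nspr4.h */` comment invites a future reader to start using it instead of fixing the include. Drop the three added lines.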
@@ -289,7 +292,7 @@ log_pkcs7_errors(int level, char *msg)
}
nss_err = PORT_GetError();
if (nss_err < 0) {
- cm_log(level, "%d: %s\n", nss_err, PR_ErrorToString(nss_err, 0));
+ cm_log(level, "%d: %s\n", nss_err, PORT_ErrorToString(nss_err));
}
}
@@ -929,9 +932,8 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
PKCS7_SIGNER_INFO *si;
BIO *in, *out = NULL;
const unsigned char *u;
- char *s, buf[LINE_MAX], *p, *q;
+ char *s, *p, *q;
int ret = -1, i;
- long error;
if (digest != NULL) {
*digest = NULL;
--
2.21.1


@ -1,237 +0,0 @@
From c9fce72e17b7afa389205d946e5ca7bef997be60 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Apr 2020 13:26:14 -0400
Subject: [PATCH] Ensure that files read in have a trailing new-line
In SCEP when retrieving the CA chain the certificates passed in
on the command-line (RA agent and CA cert) area printed along with
the contents of what was retrieved remotely.
If one of the filesystem certificates lacks a newline then the
output will be jumbled like:
-----END CERTIFICATE----------BEGIN CERTIFICATE-----\n
https://bugzilla.redhat.com/show_bug.cgi?id=1814976
---
src/submit-u.c | 11 +++++++
tests/039-fromfile/expected.out | 4 +++
tests/039-fromfile/run.sh | 55 +++++++++++++++++++++++++++++++++
tests/Makefile.am | 10 ++++--
tests/tools/Makefile.am | 6 +++-
tests/tools/fromfile.c | 52 +++++++++++++++++++++++++++++++
6 files changed, 134 insertions(+), 4 deletions(-)
create mode 100644 tests/039-fromfile/expected.out
create mode 100755 tests/039-fromfile/run.sh
create mode 100644 tests/tools/fromfile.c
diff --git a/src/submit-u.c b/src/submit-u.c
index b0b45ba..dca23a7 100644
--- a/src/submit-u.c
+++ b/src/submit-u.c
@@ -100,6 +100,17 @@ cm_submit_u_from_file(const char *filename)
}
if (csr == NULL) {
csr = strdup("");
+ } else {
+ int length = strlen(csr);
+ if (csr[length-1] != '\n') {
+ length += 1;
+ csr = realloc(csr, length + 1);
+ if (csr == NULL) {
+ return NULL;
+ }
+ csr[length - 1] = '\n';
+ csr[length] = '\0';
+ }
}
return csr;
}
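Review bot: `csr[length-1]` reads one byte before the buffer when `csr` is a non-NULL empty string (`length == 0`); whether the reader above can yield `""` rather than NULL is not visible in this hunk, so guard it: `if (length > 0 && csr[length-1] != '\n') {`. The `realloc()` failure path also discards the original `csr` pointer, leaking it — assign to a temporary and `free(csr)` before returning NULL — and `length` should be `size_t` to match `strlen()`. cm_submit_u_from_file begins outside this hunk.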
diff --git a/tests/039-fromfile/expected.out b/tests/039-fromfile/expected.out
new file mode 100644
index 0000000..9191a57
--- /dev/null
+++ b/tests/039-fromfile/expected.out
@@ -0,0 +1,4 @@
+[trailing_nl]
+Ok
+[no_trailing_nl]
+Ok
diff --git a/tests/039-fromfile/run.sh b/tests/039-fromfile/run.sh
new file mode 100755
index 0000000..8bae773
--- /dev/null
+++ b/tests/039-fromfile/run.sh
@@ -0,0 +1,55 @@
+#!/bin/bash -e
+
+cd $tmpdir
+
+cat > $tmpdir/trailing_nl <<- EOF
+-----BEGIN CERTIFICATE-----
+MIIDjjCCAnagAwIBAgIRAO1VmyXYM0f7pbXVdEGtRPMwDQYJKoZIhvcNAQELBQAw
+UDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRob3JpdHkxLDAqBgNVBAMMI2Vk
+NTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0NGYzMB4XDTE1MDQyODE3MDk0
+OFoXDTE2MDQyODE3MDk0OFowUDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRo
+b3JpdHkxLDAqBgNVBAMMI2VkNTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0
+NGYzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5c/LhlyBs0UUiDSy
+nrC+Q0WJkWZeQ/kqwniru+GlXgb3g+7VvyAfdZ45NiBdo/6xXyCLphK0g8oZLyi8
+OwQQoUyVMn9gsGXbjlwSzjXKx3wdUM+lFpenx8iQS9aCfVQJ4tzFgM1pQBQ2AiHs
+jvU18xSFSZApjT5UIK35kyH22D8LhCGGYLaU3xFEfHvd0AOuXwm5Nsiu/HTsSV4N
+peUdFEmFzQwUEUdV2jKOPcXnOArV82vfpdp1nSCX3kruEb9G93VsmQ+9ebKXQRQE
+Ltd65e/EYtXvihuTtElLYuyYZlYJdbTZeLXB4YLvElgNkS9JK7RKHlCm0KYQmcmd
+GZSh8QIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQEBMB0GA1UdDgQWBBRLxeFy3+RS
+FloygyjlXa6YEv8ltzAfBgNVHSMEGDAWgBRLxeFy3+RSFloygyjlXa6YEv8ltzAO
+BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAH9A9ePIqZGF4VEo5D4j
+MuOJ1J4uTRxHoEGXCDRcuCn3RvT0civWEPpRNo1YVgAWFODpt/HSi3lCVtTb7FwJ
+hfHkxCpAuHmv3sfT8jcCwTTAXL1BLpCO6d0zz0RrFMNK+vGyZu/7LXhaYVu590Q5
+1DMybHmln7i+Tw/eYb4Avk1FWGOEpNdf3ZjUazcDlkO4EwA6BnZUC8gFvz0OI73D
+AJsGq/UsJvMH30ga1rZ/9LiHEMSEys5amk98yMRvi/R1qI02kjANdZ0ID/7cJSw2
+rVCCs61jgYppWv3JHVKYmm6+cVPAUcuRdsUzDpAQDdvGAaZJENE6suulRVEaBEdS
+8gM=
+-----END CERTIFICATE-----
+EOF
+cat > $tmpdir/no_trailing_nl <<- EOF
+-----BEGIN CERTIFICATE-----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+EOF
+echo -n "-----END CERTIFICATE-----" >> $tmpdir/no_trailing_nl
+
+$toolsdir/fromfile trailing_nl
+$toolsdir/fromfile no_trailing_nl
diff --git a/tests/Makefile.am b/tests/Makefile.am
index fe368dc..1552c48 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -127,7 +127,9 @@ CLEANFILES = \
037-rekey2/actual.out \
037-rekey2/actual.err \
038-ms-v2-template/actual.out \
- 038-ms-v2-template/actual.err
+ 038-ms-v2-template/actual.err \
+ 039-fromfile/actual.out \
+ 039-fromfile/actual.err
EXTRA_DIST = \
run-tests.sh functions certmonger.conf tools/cachain.sh \
001-keyiread/run.sh \
@@ -349,7 +351,8 @@ EXTRA_DIST = \
037-rekey2/run.sh \
038-ms-v2-template/expected.out \
038-ms-v2-template/extract-extdata.py \
- 038-ms-v2-template/run.sh
+ 038-ms-v2-template/run.sh \
+ 039-fromfile/run.sh
subdirs = \
001-keyiread \
@@ -392,7 +395,8 @@ subdirs = \
035-json \
036-getcert \
037-rekey2 \
- 038-ms-v2-template
+ 038-ms-v2-template \
+ 039-fromfile
if HAVE_DBM_NSSDB
subdirs += \
diff --git a/tests/tools/Makefile.am b/tests/tools/Makefile.am
index 39fa954..e0d2f08 100644
--- a/tests/tools/Makefile.am
+++ b/tests/tools/Makefile.am
@@ -16,7 +16,7 @@ endif
noinst_PROGRAMS = keyiread keygen csrgen submit certread certsave oid2name \
name2oid iterate prefs dates listnicks pem2base base2pem \
dparse payload checksig base64 cadata citerate casave hooks \
- libexecdir canon srv addcinfo ls json json-utf8 printenv
+ libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile
noinst_LIBRARIES = libtools.a
if HAVE_OPENSSL
noinst_PROGRAMS += pk7parse pk7env scepgen pk7verify pk7decrypt
@@ -38,3 +38,7 @@ citerate_LDADD = $(top_srcdir)/src/store-gen.c $(LDADD)
srv_SOURCES = srv.c
srv_LDADD = $(top_srcdir)/src/srvloc.c $(LDADD)
+
+fromfile_CFLAGS = $(AM_CFLAGS) $(CURL_CFLAGS)
+fromfile_SOURCES = fromfile.c
+fromfile_LDADD = $(LDADD) $(UUID_LIBS) $(CURL_LIBS)
diff --git a/tests/tools/fromfile.c b/tests/tools/fromfile.c
new file mode 100644
index 0000000..bb70507
--- /dev/null
+++ b/tests/tools/fromfile.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2020 Red Hat, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "../../src/config.h"
+
+#include <sys/types.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include <krb5.h>
+
+#include "../../src/submit-u.h"
+#include "../../src/submit-u.c"
+
+int
+main(int argc, char **argv)
+{
+ int i, result = 0;
+ char *cert;
+
+ for (i = 1; i < argc; i++) {
+ printf("[%s]\n", argv[i]);
+ cert = cm_submit_u_from_file(argv[i]);
+ if (cert == NULL) {
+ printf("OOM error\n");
+ result = 1;
+ }
+ else if (cert[strlen(cert) - 1] != '\n') {
+ printf("Missing trailing newline\n");
+ result = 1;
+ } else {
+ printf("Ok\n");
+ }
+ free(cert);
+ }
+ return result;
+}
--
2.18.4



@ -1,757 +0,0 @@
From f5b4420f01272f14416558286c66511b1e35816d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 14 May 2020 14:37:31 -0400
Subject: [PATCH 43/43] Add long options to command-line help
The command-line help mostly consisted of only the short options.
Add the long-option and clean up some of the output.
https://bugzilla.redhat.com/show_bug.cgi?id=1782838
---
src/getcert.c | 536 ++++++++++++++++++++++++++++++++------------------
src/scep.c | 2 +-
2 files changed, 345 insertions(+), 193 deletions(-)
diff --git a/src/getcert.c b/src/getcert.c
index 5c8dc94..84e0bf3 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -4864,50 +4864,90 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Required arguments:\n"),
N_("* If using an NSS database for storage:\n"),
- N_(" -d DIR NSS database for key and cert\n"),
- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
+ N_(" -n NAME, --nickname NAME\n"),
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"),
+ N_(" (only valid with -d)\n"),
N_("* If using files for storage:\n"),
- N_(" -k FILE PEM file for private key\n"),
- N_(" -f FILE PEM file for certificate (only valid with -k)\n"),
+ N_(" -k FILE, --keyfile=FILE\n"),
+ N_(" PEM file for private key\n"),
+ N_(" -f FILE, --certfile=FILE\n"),
+ N_(" PEM file for certificate (only valid with -k)\n"),
N_("* If keys are to be encrypted:\n"),
- N_(" -p FILE file which holds the encryption PIN\n"),
- N_(" -P PIN PIN value\n"),
+ N_(" -p FILE, --pinfile=FILE\n"),
+ N_(" file which holds the encryption PIN\n"),
+ N_(" -P PIN, --pin=PIN PIN value\n"),
"\n",
N_("Optional arguments:\n"),
N_("* Certificate handling settings:\n"),
- N_(" -I NAME nickname to assign to the request\n"),
- N_(" -G TYPE type of key to be generated if one is not already in place\n"),
- N_(" -g SIZE size of key to be generated if one is not already in place\n"),
- N_(" -r attempt to renew the certificate when expiration nears (default)\n"),
- N_(" -R don't attempt to renew the certificate when expiration nears\n"),
+ N_(" -I NAME, --new-id=NAME\n"),
+ N_(" new nickname to give to tracking request\n"),
+ N_(" -G TYPE, --key-type=TYPE\n"),
+ N_(" type of key to be generated if one is not already\n"),
+ N_(" in place\n"),
+ N_(" -g BITS, --key-size=BITS\n"),
+ N_(" size of key to be generated if one is not already\n"),
+ N_(" in place\n"),
+ N_(" -r, --renew attempt to renew the certificate when\n"),
+ N_(" expiration nears (default)\n"),
+ N_(" -R, --no-renew don't attempt to renew the certificate when\n"),
+ N_(" expiration nears\n"),
#ifndef FORCE_CA
- N_(" -c CA use the specified CA rather than the default\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
#endif
- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"),
+ N_(" -T PROFILE, --profile=NAME\n"),
+ N_(" ask the CA to process the request using the\n"),
+ N_(" named profile or template\n"),
N_(" --ms-template-spec SPEC\n"),
- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"),
+ N_(" include V2 template specifier in CSR\n"),
+ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
+ N_(" -X ISSUER, --issuer=ISSUER\n"),
+ N_(" ask the CA to process the request using the\n"),
+ N_(" named issuer\n"),
N_("* Parameters for the signing request:\n"),
- N_(" -N NAME set requested subject name (default: CN=<hostname>)\n"),
- N_(" -U EXTUSAGE set requested extended key usage OID\n"),
- N_(" -u KEYUSAGE set requested key usage value\n"),
- N_(" -K NAME set requested principal name\n"),
- N_(" -D DNSNAME set requested DNS name\n"),
- N_(" -E EMAIL set requested email address\n"),
- N_(" -A ADDRESS set requested IP address\n"),
- N_(" -l FILE file which holds an optional challenge password\n"),
- N_(" -L PASSWORD an optional challenge password value\n"),
+ N_(" -N NAME, --subject-name=NAME\n"),
+ N_(" set requested subject name (default: CN=<hostname>)\n"),
+ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),
+ N_(" override requested extended key usage OID\n"),
+ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"),
+ N_(" set requested key usage value\n"),
+ N_(" -K NAME, --principal=NAME\n"),
+ N_(" override requested principal name\n"),
+ N_(" -D DNSNAME, --dns=DNSNAME\n"),
+ N_(" override requested DNS name\n"),
+ N_(" -E EMAIL, --email=EMAIL\n"),
+ N_(" override requested email address\n"),
+ N_(" -A ADDRESS, --ip-address=ADDRESS\n"),
+ N_(" override requested IP address\n"),
+ N_(" -l FILE, --challenge-password-file=FILE\n"),
+ N_(" file which holds an optional challenge password\n"),
+ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"),
+ N_(" an optional challenge password value\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -B command to run before saving the certificate\n"),
- N_(" -C command to run after saving the certificate\n"),
- N_(" -F file in which to store the CA's certificates\n"),
- N_(" -a NSS database in which to store the CA's certificates\n"),
- N_(" -w try to wait for the certificate to be issued\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -B COMMAND, --before-command=COMMAND\n"),
+ N_(" command to run before saving the certificate\n"),
+ N_(" -C COMMAND, --after-command=COMMAND\n"),
+ N_(" command to run after saving the certificate\n"),
+ N_(" -F FILE, --ca-file=FILE\n"),
+ N_(" file in which to store the CA's certificates\n"),
+ N_(" -a DIR, --ca-dbdir=DIR\n"),
+ N_(" NSS database in which to store the CA's certificates\n"),
+ N_(" -w, --wait try to wait for the certificate to be issued\n"),
+ N_(" --wait-timeout TIMEOUT\n"),
+ N_(" Maximum time to wait for the certificateto be issued\n"),
+ N_(" -v, --verbose report all details of errors\n"),
+ N_(" -o OWNER, --key-owner=OWNER\n"),
+ N_(" owner information for private key\n"),
+ N_(" -m MODE, --key-perms=MODE\n"),
+ N_(" file permissions for private key\n"),
+ N_(" -O OWNER, --cert-owner=OWNER\n"),
+ N_(" owner information for certificate\n"),
+ N_(" -M MODE, --cert-perms=MODE\n"),
+ N_(" file permissions for certificate\n"),
NULL,
};
const char *start_tracking_help[] = {
@@ -4915,49 +4955,84 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Required arguments:\n"),
N_("* If modifying an existing request:\n"),
- N_(" -i NAME nickname of an existing tracking request\n"),
+ N_(" -i NAME, --id=NAME nickname of an existing tracking request\n"),
N_("* If using an NSS database for storage:\n"),
- N_(" -d DIR NSS database for key and cert\n"),
- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
+ N_(" -n NAME, --nickname NAME\n"),
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"),
+ N_(" (only valid with -d)\n"),
N_("* If using files for storage:\n"),
- N_(" -k FILE PEM file for private key\n"),
- N_(" -f FILE PEM file for certificate (only valid with -k)\n"),
+ N_(" -k FILE, --keyfile=FILE\n"),
+ N_(" PEM file for private key\n"),
+ N_(" -f FILE, --certfile=FILE\n"),
+ N_(" PEM file for certificate (only valid with -k)\n"),
N_("* If keys are encrypted:\n"),
- N_(" -p FILE file which holds the encryption PIN\n"),
- N_(" -P PIN PIN value\n"),
+ N_(" -p FILE, --pinfile=FILE\n"),
+ N_(" file which holds the encryption PIN\n"),
+ N_(" -P PIN, --pin=PIN PIN value\n"),
"\n",
N_("Optional arguments:\n"),
N_("* Certificate handling settings:\n"),
- N_(" -I NAME nickname to give to tracking request\n"),
- N_(" -r attempt to renew the certificate when expiration nears (default)\n"),
- N_(" -R don't attempt to renew the certificate when expiration nears\n"),
+ N_(" -I NAME, --new-id=NAME\n"),
+ N_(" nickname to give to tracking request\n"),
+ N_(" -r, --renew attempt to renew the certificate when\n"),
+ N_(" expiration nears (default)\n"),
+ N_(" -R, --no-renew don't attempt to renew the certificate when\n"),
+ N_(" expiration nears\n"),
#ifndef FORCE_CA
- N_(" -c CA use the specified CA rather than the default\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
#endif
- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"),
+ N_(" -T PROFILE, --profile=NAME\n"),
+ N_(" ask the CA to process the request using the\n"),
+ N_(" named profile or template\n"),
N_(" --ms-template-spec SPEC\n"),
- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"),
+ N_(" include V2 template specifier in CSR\n"),
+ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
+ N_(" -X ISSUER, --issuer=ISSUER\n"),
+ N_(" ask the CA to process the request using the\n"),
+ N_(" named issuer\n"),
N_("* Parameters for the signing request at renewal time:\n"),
- N_(" -U EXTUSAGE override requested extended key usage OID\n"),
- N_(" -u KEYUSAGE set requested key usage value\n"),
- N_(" -K NAME override requested principal name\n"),
- N_(" -D DNSNAME override requested DNS name\n"),
- N_(" -E EMAIL override requested email address\n"),
- N_(" -A ADDRESS override requested IP address\n"),
- N_(" -l FILE file which holds an optional challenge password\n"),
- N_(" -L PASSWORD an optional challenge password value\n"),
+ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),
+ N_(" override requested extended key usage OID\n"),
+ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"),
+ N_(" set requested key usage value\n"),
+ N_(" -K NAME, --principal=NAME\n"),
+ N_(" override requested principal name\n"),
+ N_(" -D DNSNAME, --dns=DNSNAME\n"),
+ N_(" override requested DNS name\n"),
+ N_(" -E EMAIL, --email=EMAIL\n"),
+ N_(" override requested email address\n"),
+ N_(" -A ADDRESS, --ip-address=ADDRESS\n"),
+ N_(" override requested IP address\n"),
+ N_(" -l FILE, --challenge-password-file=FILE\n"),
+ N_(" file which holds an optional challenge password\n"),
+ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"),
+ N_(" an optional challenge password value\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -B command to run before saving the certificate\n"),
- N_(" -C command to run after saving the certificate\n"),
- N_(" -F file in which to store the CA's certificates\n"),
- N_(" -a NSS database in which to store the CA's certificates\n"),
- N_(" -w try to wait for the certificate to be issued\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -B COMMAND, --before-command=COMMAND\n"),
+ N_(" command to run before saving the certificate\n"),
+ N_(" -C COMMAND, --after-command=COMMAND\n"),
+ N_(" command to run after saving the certificate\n"),
+ N_(" -F FILE, --ca-file=FILE\n"),
+ N_(" file in which to store the CA's certificates\n"),
+ N_(" -a DIR, --ca-dbdir=DIR\n"),
+ N_(" NSS database in which to store the CA's certificates\n"),
+ N_(" -w, --wait try to wait for the certificate to be issued\n"),
+ N_(" --wait-timeout TIMEOUT\n"),
+ N_(" Maximum time to wait for the certificateto be issued\n"),
+ N_(" -v, --verbose report all details of errors\n"),
+ N_(" -o OWNER, --key-owner=OWNER\n"),
+ N_(" owner information for private key\n"),
+ N_(" -m MODE, --key-perms=MODE\n"),
+ N_(" file permissions for private key\n"),
+ N_(" -O OWNER, --cert-owner=OWNER\n"),
+ N_(" owner information for certificate\n"),
+ N_(" -M MODE, --cert-perms=MODE\n"),
+ N_(" file permissions for certificate\n"),
NULL,
};
const char *stop_tracking_help[] = {
@@ -4965,21 +5040,24 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Required arguments:\n"),
N_("* By request identifier:\n"),
- N_(" -i NAME nickname for tracking request\n"),
+ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
N_("* If using an NSS database for storage:\n"),
- N_(" -d DIR NSS database for key and cert\n"),
- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
+ N_(" -n NAME, --nickname NAME\n"),
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
N_("* If using files for storage:\n"),
- N_(" -k FILE PEM file for private key\n"),
- N_(" -f FILE PEM file for certificate (only valid with -k)\n"),
+ N_(" -k FILE, --keyfile=FILE\n"),
+ N_(" PEM file for private key\n"),
+ N_(" -f FILE, --certfile=FILE\n"),
+ N_(" PEM file for certificate (only valid with -k)\n"),
"\n",
N_("Optional arguments:\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
+ "\n",
N_("* Other options:\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
const char *resubmit_help[] = {
@@ -4987,49 +5065,81 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Required arguments:\n"),
N_("* By request identifier:\n"),
- N_(" -i NAME nickname for tracking request\n"),
+ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
N_("* If using an NSS database for storage:\n"),
- N_(" -d DIR NSS database for key and cert\n"),
- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
+ N_(" -n NAME, --nickname NAME\n"),
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"),
+ N_(" (only valid with -d)\n"),
N_("* If using files for storage:\n"),
N_(" -f FILE PEM file for certificate\n"),
"\n",
N_("* If keys are encrypted:\n"),
- N_(" -p FILE file which holds the encryption PIN\n"),
- N_(" -P PIN PIN value\n"),
+ N_(" -p FILE, --pinfile=FILE\n"),
+ N_(" file which holds the encryption PIN\n"),
+ N_(" -P PIN, --pin=PIN PIN value\n"),
"\n",
N_("* New parameter values for the signing request:\n"),
- N_(" -N NAME set requested subject name (default: CN=<hostname>)\n"),
- N_(" -U EXTUSAGE set requested extended key usage OID\n"),
- N_(" -u KEYUSAGE set requested key usage value\n"),
- N_(" -K NAME set requested principal name\n"),
- N_(" -D DNSNAME set requested DNS name\n"),
- N_(" -E EMAIL set requested email address\n"),
- N_(" -A ADDRESS set requested IP address\n"),
- N_(" -l FILE file which holds an optional challenge password\n"),
- N_(" -L PASSWORD an optional challenge password value\n"),
+ N_(" -N NAME, --subject-name=NAME\n"),
+ N_(" set requested subject name (default: CN=<hostname>)\n"),
+ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),
+ N_(" override requested extended key usage OID\n"),
+ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"),
+ N_(" set requested key usage value\n"),
+ N_(" -K NAME, --principal=NAME\n"),
+ N_(" override requested principal name\n"),
+ N_(" -D DNSNAME, --dns=DNSNAME\n"),
+ N_(" override requested DNS name\n"),
+ N_(" -E EMAIL, --email=EMAIL\n"),
+ N_(" override requested email address\n"),
+ N_(" -A ADDRESS, --ip-address=ADDRESS\n"),
+ N_(" override requested IP address\n"),
+ N_(" -l FILE, --challenge-password-file=FILE\n"),
+ N_(" file which holds an optional challenge password\n"),
+ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"),
+ N_(" an optional challenge password value\n"),
"\n",
N_("Optional arguments:\n"),
N_("* Certificate handling settings:\n"),
- N_(" -I NAME new nickname to give to tracking request\n"),
+ N_(" -I NAME, --new-id=NAME\n"),
+ N_(" nickname to give to tracking request\n"),
#ifndef FORCE_CA
- N_(" -c CA use the specified CA rather than the current one\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
#endif
- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"),
+ N_(" -T PROFILE, --profile=NAME\n"),
+ N_(" ask the CA to process the request using the\n"),
+ N_(" named profile or template\n"),
N_(" --ms-template-spec SPEC\n"),
- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"),
+ N_(" include V2 template specifier in CSR\n"),
+ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
+ N_(" -X ISSUER, --issuer=ISSUER\n"),
+ N_(" ask the CA to process the request using the\n"),
+ N_(" named issuer\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -B command to run before saving the certificate\n"),
- N_(" -C command to run after saving the certificate\n"),
- N_(" -F file in which to store the CA's certificates\n"),
- N_(" -a NSS database in which to store the CA's certificates\n"),
- N_(" -w try to wait for the certificate to be issued\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -B COMMAND, --before-command=COMMAND\n"),
+ N_(" command to run before saving the certificate\n"),
+ N_(" -C COMMAND, --after-command=COMMAND\n"),
+ N_(" command to run after saving the certificate\n"),
+ N_(" -F FILE, --ca-file=FILE\n"),
+ N_(" file in which to store the CA's certificates\n"),
+ N_(" -a DIR, --ca-dbdir=DIR\n"),
+ N_(" NSS database in which to store the CA's certificates\n"),
+ N_(" -w, --wait try to wait for the certificate to be issued\n"),
+ N_(" --wait-timeout TIMEOUT\n"),
+ N_(" Maximum time to wait for the certificateto be issued\n"),
+ N_(" -v, --verbose report all details of errors\n"),
+ N_(" -o OWNER, --key-owner=OWNER\n"),
+ N_(" owner information for private key\n"),
+ N_(" -m MODE, --key-perms=MODE\n"),
+ N_(" file permissions for private key\n"),
+ N_(" -O OWNER, --cert-owner=OWNER\n"),
+ N_(" owner information for certificate\n"),
+ N_(" -M MODE, --cert-perms=MODE\n"),
+ N_(" file permissions for certificate\n"),
NULL,
};
const char *rekey_help[] = {
@@ -5037,51 +5147,80 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Required arguments:\n"),
N_("* By request identifier:\n"),
- N_(" -i NAME nickname for tracking request\n"),
+ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
N_("* If using an NSS database for storage:\n"),
- N_(" -d DIR NSS database for key and cert\n"),
- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
+ N_(" -n NAME, --nickname NAME\n"),
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"),
+ N_(" (only valid with -d)\n"),
N_("* If using files for storage:\n"),
- N_(" -f FILE PEM file for certificate\n"),
+ N_(" -f FILE, --certfile=FILE\n"),
+ N_(" PEM file for certificate\n"),
"\n",
N_("* If keys are encrypted:\n"),
- N_(" -p FILE file which holds the encryption PIN\n"),
- N_(" -P PIN PIN value\n"),
+ N_(" -p FILE, --pinfile=FILE\n"),
+ N_(" file which holds the encryption PIN\n"),
+ N_(" -P PIN, --pin=PIN PIN value\n"),
"\n",
N_("* New parameter values for the signing request:\n"),
- N_(" -N NAME set requested subject name (default: CN=<hostname>)\n"),
- N_(" -U EXTUSAGE set requested extended key usage OID\n"),
- N_(" -u KEYUSAGE set requested key usage value\n"),
- N_(" -K NAME set requested principal name\n"),
- N_(" -D DNSNAME set requested DNS name\n"),
- N_(" -E EMAIL set requested email address\n"),
- N_(" -A ADDRESS set requested IP address\n"),
- N_(" -l FILE file which holds an optional challenge password\n"),
- N_(" -L PASSWORD an optional challenge password value\n"),
+ N_(" -N NAME, --subject-name=NAME\n"),
+ N_(" set requested subject name (default: CN=<hostname>)\n"),
+ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),
+ N_(" override requested extended key usage OID\n"),
+ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"),
+ N_(" set requested key usage value\n"),
+ N_(" -K NAME, --principal=NAME\n"),
+ N_(" override requested principal name\n"),
+ N_(" -D DNSNAME, --dns=DNSNAME\n"),
+ N_(" override requested DNS name\n"),
+ N_(" -E EMAIL, --email=EMAIL\n"),
+ N_(" override requested email address\n"),
+ N_(" -A ADDRESS, --ip-address=ADDRESS\n"),
+ N_(" override requested IP address\n"),
+ N_(" -l FILE, --challenge-password-file=FILE\n"),
+ N_(" file which holds an optional challenge password\n"),
+ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"),
+ N_(" an optional challenge password value\n"),
"\n",
N_("Optional arguments:\n"),
N_("* Certificate handling settings:\n"),
- N_(" -I NAME new nickname to give to tracking request\n"),
+ N_(" -I NAME, --new-id=NAME\n"),
+ N_(" new nickname to give to tracking request\n"),
#ifndef FORCE_CA
- N_(" -c CA use the specified CA rather than the current one\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
#endif
- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"),
+ N_(" -T PROFILE, --profile=NAME\n"),
+ N_(" ask the CA to process the request using the\n"),
+ N_(" named profile or template\n"),
N_(" --ms-template-spec SPEC\n"),
- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"),
- N_(" -G TYPE type of new key to be generated\n"),
- N_(" -g SIZE size of new key to be generated\n"),
+ N_(" include V2 template specifier in CSR\n"),
+ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
+ N_(" -X ISSUER, --issuer=ISSUER\n"),
+ N_(" ask the CA to process the request using the\n"),
+ N_(" named issuer\n"),
+ N_(" -G TYPE, --key-type=TYPE\n"),
+ N_(" type of key to be generated if one is not already\n"),
+ N_(" in place\n"),
+ N_(" -g BITS, --key-size=BITS\n"),
+ N_(" size of key to be generated if one is not already\n"),
+ N_(" in place\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -B command to run before saving the certificate\n"),
- N_(" -C command to run after saving the certificate\n"),
- N_(" -F file in which to store the CA's certificates\n"),
- N_(" -a NSS database in which to store the CA's certificates\n"),
- N_(" -w try to wait for the certificate to be issued\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -B COMMAND, --before-command=COMMAND\n"),
+ N_(" command to run before saving the certificate\n"),
+ N_(" -C COMMAND, --after-command=COMMAND\n"),
+ N_(" command to run after saving the certificate\n"),
+ N_(" -F FILE, --ca-file=FILE\n"),
+ N_(" file in which to store the CA's certificates\n"),
+ N_(" -a DIR, --ca-dbdir=DIR\n"),
+ N_(" NSS database in which to store the CA's certificates\n"),
+ N_(" -w, --wait try to wait for the certificate to be issued\n"),
+ N_(" --wait-timeout TIMEOUT\n"),
+ N_(" Maximum time to wait for the certificateto be issued\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
const char *list_help[] = {
@@ -5090,46 +5229,52 @@ help(const char *twopartcmd, const char *category)
N_("Optional arguments:\n"),
N_("* General options:\n"),
#ifndef FORCE_CA
- N_(" -c CA list only requests and certs associated with this CA\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
#endif
- N_(" -r list only information about outstanding requests\n"),
- N_(" -t list only information about tracked certificates\n"),
- N_(" -u display times in UTC instead of local time\n"),
+ N_(" -r, --requests-only list only information about outstanding requests\n"),
+ N_(" -t, --tracking-only list only information about tracked certificates\n"),
+ N_(" -u, --utc display times in UTC instead of local time\n"),
N_("* If selecting a specific request:\n"),
- N_(" -i NAME nickname for tracking request\n"),
+ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
N_("* If using an NSS database for storage:\n"),
- N_(" -d DIR only list requests and certs which use this NSS database\n"),
- N_(" -n NAME only list requests and certs which use this nickname\n"),
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
+ N_(" -n NAME, --nickname NAME\n"),
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
N_("* If using files for storage:\n"),
- N_(" -f FILE only list requests and certs stored in this PEM file\n"),
+ N_(" -f FILE, --certfile=FILE\n"),
+ N_(" only list requests and certs stored in this PEM file\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
const char *refresh_help[] = {
N_("Usage: %s refresh [options]\n"),
"\n",
N_("* General options:\n"),
- N_(" -a refresh information about all outstanding requests\n"),
+ N_(" -a, --all refresh information about all outstanding requests\n"),
"\n",
N_("Required arguments:\n"),
N_("* By request identifier:\n"),
- N_(" -i NAME nickname for tracking request\n"),
+ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
N_("* If using an NSS database for storage:\n"),
- N_(" -d DIR NSS database for key and cert\n"),
- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
+ N_(" -n NAME, --nickname NAME\n"),
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"),
+ N_(" (only valid with -d)\n"),
N_("* If using files for storage:\n"),
- N_(" -f FILE PEM file for certificate\n"),
+ N_(" -f FILE, --certfile=FILE\n"),
+ N_(" PEM file for certificate\n"),
"\n",
N_("Optional arguments:\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
+ N_("* Other options:\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
const char *status_help[] = {
@@ -5137,17 +5282,19 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Optional arguments:\n"),
N_("* Selecting a specific request:\n"),
- N_(" -i NAME nickname for tracking request\n"),
+ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
N_("* When using an NSS database for storage:\n"),
- N_(" -d DIR return status for the request in this NSS database\n"),
- N_(" -n NAME return status for cert which uses this nickname\n"),
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
+ N_(" -n NAME, --nickname NAME\n"),
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
N_("* When using files for storage:\n"),
- N_(" -f FILE return status for cert stored in this PEM file\n"),
+ N_(" -f FILE, --certfile=FILE\n"),
+ N_(" return status for cert stored in this PEM file\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
const char *list_cas_help[] = {
@@ -5156,13 +5303,13 @@ help(const char *twopartcmd, const char *category)
N_("Optional arguments:\n"),
#ifndef FORCE_CA
N_("* General options:\n"),
- N_(" -c CA list only information about the CA with this name\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
#endif
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
const char *refresh_ca_help[] = {
@@ -5171,14 +5318,14 @@ help(const char *twopartcmd, const char *category)
N_("Optional arguments:\n"),
#ifndef FORCE_CA
N_("* General options:\n"),
- N_(" -c CA refresh information about the CA with this name\n"),
- N_(" -a refresh information about all known CAs\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
+ N_(" -a, --all refresh information about all known CAs\n"),
#endif
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
#ifndef FORCE_CA
@@ -5187,13 +5334,13 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Optional arguments:\n"),
N_("* General options:\n"),
- N_(" -c CA nickname to give to the new CA configuration\n"),
- N_(" -e CMD helper command to run to communicate with CA\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
+ N_(" -e CMD, --command CMD helper command to run to communicate with CA\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
const char *add_scep_ca_help[] = {
@@ -5201,18 +5348,23 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Optional arguments:\n"),
N_("* General options:\n"),
- N_(" -c CA nickname to give to the new CA configuration\n"),
- N_(" -u URL location of SCEP server\n"),
- N_(" -i ID CA identifier\n"),
- N_(" -R FILE file containing CA's certificate\n"),
- N_(" -r FILE file containing RA's certificate\n"),
- N_(" -I FILE file containing certificates in RA's certifying chain\n"),
- N_(" -n prefer not to use the SCEP Renewal feature\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
+ N_(" -u URL, --URL URL location of SCEP server\n"),
+ N_(" -i ID, --id ID CA identifier\n"),
+ N_(" -R FILE, --cacert=FILE\n"),
+ N_(" file containing web server's certificate\n"),
+ N_(" -r FILE, --racert=FILE\n"),
+ N_(" file containing RA's certificate\n"),
+ N_(" -N FILE, --signingca=FILE\n"),
+ N_(" file containing CA's certificate\n"),
+ N_(" -I FILE, --other-certs=FILE\n"),
+ N_(" file containing certificates in RA's certifying chain\n"),
+ N_(" -n, --non-renewal prefer not to use the SCEP Renewal feature\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
const char *modify_ca_help[] = {
@@ -5220,13 +5372,13 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Optional arguments:\n"),
N_("* General options:\n"),
- N_(" -c CA nickname of the CA configuration\n"),
- N_(" -e CMD updated helper command to run to communicate with CA\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
+ N_(" -e CMD, --command CMD helper command to run to communicate with CA\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
const char *remove_ca_help[] = {
@@ -5234,12 +5386,12 @@ help(const char *twopartcmd, const char *category)
"\n",
N_("Optional arguments:\n"),
N_("* General options:\n"),
- N_(" -c CA nickname of CA configuration to remove\n"),
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
N_("* Bus options:\n"),
- N_(" -S connect to the certmonger service on the system bus\n"),
- N_(" -s connect to the certmonger service on the session bus\n"),
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
N_("* Other options:\n"),
- N_(" -v report all details of errors\n"),
+ N_(" -v, --verbose report all details of errors\n"),
NULL,
};
#endif
diff --git a/src/scep.c b/src/scep.c
index 4294cda..4dde1ce 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -230,7 +230,7 @@ main(int argc, const char **argv)
{"url", 'u', POPT_ARG_STRING, &url, 0, "service location", "URL"},
{"ca-identifier", 'i', POPT_ARG_STRING, &id, 0, "name to use when querying for capabilities", "IDENTIFIER"},
{"retrieve-ca-capabilities", 'c', POPT_ARG_NONE, NULL, 'c', "make a GetCACaps request", NULL},
- {"retrieve-ca-certificates", 'C', POPT_ARG_NONE, NULL, 'C', "make GetCACert/GetCAChain requests", NULL},
+ {"retrieve-ca-certificates", 'C', POPT_ARG_NONE, NULL, 'C', "make GetCACert request", NULL},
{"get-initial-cert", 'g', POPT_ARG_NONE, NULL, 'g', "send a PKIOperation pkiMessage", NULL},
{"pki-message", 'p', POPT_ARG_NONE, NULL, 'p', "send a PKIOperation pkiMessage", NULL},
{"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"},
--
2.21.1


@ -1,25 +0,0 @@
From 5e45029b429aa383db295facea18a6a72e1a2357 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 30 Jul 2020 10:41:00 -0400
Subject: [PATCH] Link certmonger to dbus so it stops and restarts with it
This will ensure that certmonger will run if dbus is restarted.
---
systemd/certmonger.service.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/systemd/certmonger.service.in b/systemd/certmonger.service.in
index 6381d845..9d942513 100644
--- a/systemd/certmonger.service.in
+++ b/systemd/certmonger.service.in
@@ -1,6 +1,7 @@
[Unit]
Description=Certificate monitoring and PKI enrollment
After=syslog.target network.target dbus.service
+PartOf=dbus.service
[Service]
Type=dbus
--
2.25.4


@ -1,62 +0,0 @@
From b63be96fd30d0a9fb2538e41509e8813620d5107 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 22 May 2020 12:58:44 -0400
Subject: [PATCH] Include &message=CA-IDENT with GetCACaps and GetCACert
requests
The guttman spec is quite unclear on this and in the GetCACaps
section doesn't mention &message at all. It only appears in the
generic GET requests section 4.1
The nourse spec is clearer and requires &message=CA-IDENT on
GetCACaps requests.
AD 2012 R2 servers also require message on GetCACert requests.
This reverts much of 60a4db5796b0575ca2cc9f1af4ecb3fdc6359242
https://bugzilla.redhat.com/show_bug.cgi?id=1839181
https://pagure.io/certmonger/issue/103
---
src/scep.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/scep.c b/src/scep.c
index 4dde1ce..11ebd6f 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -370,11 +370,11 @@ main(int argc, const char **argv)
break;
case op_get_ca_caps:
/* Only step: read capabilities for the daemon. */
- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
+ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
break;
case op_get_ca_certs:
/* First step: get the root certificate. */
- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT);
+ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT "&message=%s", id);
break;
case op_get_cert_initial:
if ((racert == NULL) || (strlen(racert) == 0)) {
@@ -393,7 +393,7 @@ main(int argc, const char **argv)
goto done;
}
/* First step: read capabilities for our use. */
- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
+ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
}
break;
case op_pkcsreq:
@@ -413,7 +413,7 @@ main(int argc, const char **argv)
goto done;
}
/* First step: read capabilities for our use. */
- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
+ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
}
break;
}
--
2.25.4


@ -7,9 +7,11 @@
%global sysvinitdir %{_initddir}
%bcond_without xmlrpc
Name: certmonger
Version: 0.79.7
Release: 15%{?dist}
Version: 0.79.13
Release: 2%{?dist}
Summary: Certificate status monitor and PKI enrollment client
Group: System Environment/Daemons
@ -17,6 +19,9 @@ License: GPLv3+
URL: http://pagure.io/certmonger/
Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
Patch0001: 0001-Don-t-run-the-002-keygen-tests-when-root.patch
Patch0002: 0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: gettext-devel
@ -31,7 +36,11 @@ BuildRequires: openssl-devel
BuildRequires: libuuid-devel
BuildRequires: libtalloc-devel, libtevent-devel
BuildRequires: libcurl-devel
BuildRequires: libxml2-devel, xmlrpc-c-devel
BuildRequires: libxml2-devel
%if %{with xmlrpc}
BuildRequires: xmlrpc-c-devel
%endif
BuildRequires: jansson-devel
# Required for 'make check':
# for diff and cmp
BuildRequires: diffutils
@ -51,7 +60,7 @@ BuildRequires: /usr/bin/which
BuildRequires: popt-devel
# for make check
BuildRequires: python3-devel
BuildRequires: krb5-devel
BuildRequires: krb5-devel
# we need a running system bus
Requires: dbus
@ -80,74 +89,13 @@ Requires(post): /sbin/chkconfig, /sbin/service
Requires(preun): /sbin/chkconfig, /sbin/service, dbus, sed
%endif
Patch1: 0001-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch
Patch2: 0002-Convert-tests-to-use-python3.patch
Patch18: 0018-clang-more-Dead-assignment.patch
Patch19: 0019-clang-more-Memory-leaks.patch
Patch20: 0020-clang-Avoid-buffer-overflow.patch
Patch21: 0021-clang-Garbage-value-possible.patch
Patch22: 0022-Uninitialized-variable.patch
Patch23: 0023-merge-into-clang-more-Memory-leaks.patch
Patch24: 0024-Add-missing-return-type-declaration.patch
Patch25: 0025-Discards-const-qualifier.patch
Patch26: 0026-Optimize-closing-open-file-descriptors.patch
Patch27: 0027-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch
Patch28: 0028-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch
Patch29: 0029-Remove-NOMODDB-flag-flag-from-context-init-look-for-.patch
Patch30: 0030-Update-tests-to-include-the-security-module-DB-in-ex.patch
Patch31: 0031-Try-to-pull-the-entire-CA-chain-from-IPA.patch
Patch32: 0032-Fix-use-after-free-issue.patch
Patch33: 0033-Improve-logging-in-SCEP-helper.patch
Patch34: 0034-Add-verbose-option-to-SCEP-CA-if-requested-in-add-sc.patch
Patch35: 0035-Cleanup-the-SCEP-helper-curl-and-talloc-contexts-whe.patch
Patch36: 0036-Re-order-the-way-the-SCEP-signing-and-CA-certs-are-c.patch
Patch37: 0037-Add-new-option-to-allow-overriding-the-detected-SCEP.patch
Patch38: 0038-Include-template-profile-issuer-and-MS-cert-template.patch
Patch39: 0039-Fix-broken-N-option-configuration.patch
Patch40: 0040-Address-an-include-issue-discovered-by-coverity.patch
Patch41: 0041-Ensure-that-files-read-in-have-a-trailing-new-line.patch
Patch42: 0042-Add-long-command-line-options-to-man-pages.patch
Patch43: 0043-Add-long-options-to-command-line-help.patch
Patch44: 0044-Link-certmonger-to-dbus-so-it-stops-and-restarts-wit.patch
Patch45: 0045-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch
%description
Certmonger is a service which is primarily concerned with getting your
system enrolled with a certificate authority (CA) and keeping it enrolled.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
%patch38 -p1
%patch39 -p1
%patch40 -p1
%patch41 -p1
%patch42 -p1
%patch43 -p1
%patch44 -p1
%patch45 -p1
%autosetup -p1
%build
autoreconf -i -f
@ -162,10 +110,17 @@ autoreconf -i -f
--enable-tmpfiles \
%endif
--with-homedir=/run/certmonger \
%if %{with xmlrpc}
--with-xmlrpc \
%endif
--with-tmpdir=/run/certmonger --enable-pie --enable-now
%if %{with xmlrpc}
# For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
# tell us about libxmlrpc_client, but we need more. Work around.
make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc"
%else
make %{?_smp_mflags}
%endif
%install
rm -rf $RPM_BUILD_ROOT
@ -185,6 +140,12 @@ make check
if test $1 -eq 1 ; then
%{_bindir}/dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig 2>&1 || :
fi
%if %{without xmlrpc}
# remove any existing certmaster CA configuration
if test $1 -gt 1 ; then
%{_bindir}/getcert remove-ca -c certmaster 2>&1 || :
fi
%endif
%if %{systemd}
if test $1 -eq 1 ; then
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
@ -274,6 +235,12 @@ exit 0
%endif
%changelog
* Tue Nov 10 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-2
- Rebuild with xmlrpc-c support enabled (#1687698)
* Wed Oct 28 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-1
- Rebase to 0.79.13 (#1891743)
* Thu Jul 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-15
- Replace the previous fix for dbus restarting with PartOf in the
certmonger systemd service file to link the two (#1687698)
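Review bot: The certmaster cleanup added to %post, `%{_bindir}/getcert remove-ca -c certmaster 2>&1 || :`, discards the exit status: getcert reaches the certmonger service over the system bus, so if the daemon is not reachable when the scriptlet runs the stale CA entry survives the upgrade and nothing flags it. Consider replacing the bare `|| :` with an explicit diagnostic, e.g. `|| echo "certmonger: could not remove the certmaster CA; run 'getcert remove-ca -c certmaster' manually" >&2`, so the failure is visible in the package output without failing the transaction. Since `%bcond_without xmlrpc` makes the xmlrpc build the default, this `%if %{without xmlrpc}` block is inactive in the stock build; a one-line comment above it such as `# only for builds configured --without xmlrpc, where the certmaster CA helper is absent` would save the next reader a lookup (the helper's absence is my inference from the bcond, not stated in the spec). Separately, the rebase drops the whole Patch1–Patch45 series, including the use-after-free and buffer-overflow fixes; the 0.79.13-1 changelog entry would benefit from stating that these are all contained in the upstream 0.79.13 release.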