import certmonger-0.79.13-5.el8

This commit is contained in:
CentOS Sources 2022-05-10 03:00:26 -04:00 committed by Stepan Oksanichenko
parent b05c406b1d
commit eab5fb3893
7 changed files with 969 additions and 1 deletions

View File

@ -0,0 +1,123 @@
From b38981c6e140ada6dd34bc817c508e8dd9714494 Mon Sep 17 00:00:00 2001
From: Your Name <you@example.com>
Date: Fri, 9 Jul 2021 20:49:28 +0000
Subject: [PATCH] Add SCEP config option to treat the challenge password as an
OTP
SCEP RFC 8894 specifies that a challenge password SHOULD be
removed from subsequent requests but that it MAY be included.
This adds a new configuration option to treat the challenge password
as a one-time password (OTP) so that it will not be sent on
subsequent requests, like renewals, by removing it completely
from the tracking request.
This allows certmonger to be able to renew AD-issued SCEP certificates
if the AD registry entry DisableRenewalSubjectNameMatch is set to 1.
https://bugzilla.redhat.com/show_bug.cgi?id=1577570
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/certmonger.conf.5.in | 9 +++++++++
src/certsave.c | 13 +++++++++++++
src/prefs.c | 15 +++++++++++++++
src/prefs.h | 4 ++++
4 files changed, 41 insertions(+)
diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in
index 6a42d3cb..1b941b9d 100644
--- a/src/certmonger.conf.5.in
+++ b/src/certmonger.conf.5.in
@@ -126,6 +126,15 @@ If not set, the value of the \fIvalidity_period\fR setting from the
\fIselfsign\fR section, if one is set there, will be used. The default value
is \fI@CM_DEFAULT_CERT_LIFETIME@\fR.
+.SH SCEP
+Within the \fIscep\fR section, these variables and values are recognized:
+
+.IP challenge_password_otp
+This controls whether the SCEP challenge password is treated as a one-time
+password. If set to yes then the challenge password and/or challenge password
+file will be removed from the tracking request after the first certificate
+issuance so will not be sent with renewal requests. The default is no.
+
.SH BUGS
Please file tickets for any that you find at https://fedorahosted.org/certmonger/
diff --git a/src/certsave.c b/src/certsave.c
index 6eaafe59..f8503662 100644
--- a/src/certsave.c
+++ b/src/certsave.c
@@ -18,12 +18,25 @@
#include "config.h"
#include "certsave.h"
#include "certsave-int.h"
+#include "prefs.h"
#include "store-int.h"
+#include "talloc.h"
/* Start writing the certificate from the entry to the configured location. */
struct cm_certsave_state *
cm_certsave_start(struct cm_store_entry *entry)
{
+ /* If saving a SCEP certificate wipe out the challenge password */
+ if ((cm_prefs_scep_password_otp()) &&
+ (entry->cm_template_challenge_password != NULL) &&
+ (entry->cm_scep_nonce != NULL))
+ {
+ talloc_free(entry->cm_template_challenge_password);
+ entry->cm_template_challenge_password = NULL;
+ talloc_free(entry->cm_template_challenge_password_file);
+ entry->cm_template_challenge_password_file = NULL;
+ }
+
switch (entry->cm_cert_storage_type) {
#ifdef HAVE_OPENSSL
case cm_cert_storage_file:
diff --git a/src/prefs.c b/src/prefs.c
index 669e8f1f..52ffc908 100644
--- a/src/prefs.c
+++ b/src/prefs.c
@@ -595,3 +595,18 @@ prefs_max_key_use_count(void)
}
return count;
}
+
+int
+cm_prefs_scep_password_otp(void)
+{
+ static int populate = -1;
+ if (populate == -1) {
+ const char *val;
+ val = cm_prefs_config("scep", "challenge_password_otp");
+ if (val == NULL) {
+ val = "no";
+ }
+ populate = cm_prefs_yesno(val);
+ }
+ return populate != -1 ? populate : 0;
+}
diff --git a/src/prefs.h b/src/prefs.h
index 248e1016..a107fb6c 100644
--- a/src/prefs.h
+++ b/src/prefs.h
@@ -18,6 +18,8 @@
#ifndef cmprefs_h
#define cmprefs_h
+#include <time.h>
+
enum cm_prefs_cipher {
cm_prefs_aes128,
cm_prefs_aes192,
@@ -73,4 +75,6 @@ const char *cm_prefs_dogtag_sslpinfile(void);
long long prefs_key_end_of_life(time_t ref);
long prefs_max_key_use_count(void);
+int cm_prefs_scep_password_otp(void);
+
#endif
--
2.31.1

View File

@ -0,0 +1,42 @@
From 0eec70b9dbd0a50a24fe173a68fd9ab72857e08d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 17 Feb 2021 13:40:52 -0500
Subject: [PATCH] Add NULL checks before string compares when analyzing a cert
A user reported a segfault which was due to a broken request.
How it got broken I have no idea but it was effectively empty.
It had everything as defaults: 0, -1, UNSPECIFIED or not
present at all.
So when trying to analyze the request it did a NULL compare.
https://pagure.io/certmonger/issue/191
---
src/tdbush.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/tdbush.c b/src/tdbush.c
index a10a1aff..fb81c477 100644
--- a/src/tdbush.c
+++ b/src/tdbush.c
@@ -678,14 +678,14 @@ base_add_request(DBusConnection *conn, DBusMessage *msg,
if (cert_storage != e->cm_cert_storage_type) {
continue;
}
- if (strcmp(cert_location, e->cm_cert_storage_location) != 0) {
+ if ((e->cm_cert_storage_location == NULL) || strcmp(cert_location, e->cm_cert_storage_location) != 0) {
continue;
}
switch (cert_storage) {
case cm_cert_storage_file:
break;
case cm_cert_storage_nssdb:
- if (strcmp(cert_nickname, e->cm_cert_nickname) != 0) {
+ if ((e->cm_cert_nickname == NULL) || strcmp(cert_nickname, e->cm_cert_nickname) != 0) {
continue;
}
break;
--
2.31.1

View File

@ -0,0 +1,386 @@
From 84d575da7516cae1ee94099317cf0f8fae2c7ea1 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 8 Apr 2021 14:07:22 -0400
Subject: [PATCH] Display not_before in getcert output
Including not_before can help with troubleshooting
renewal problems and if time needs to be reversed
helping identify the maximum one can go back.
https://bugzilla.redhat.com/show_bug.cgi?id=1940261
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/getcert.c | 21 ++++-
src/tdbush.c | 10 ++-
src/tdbusm-check.c | 32 ++++++++
src/tdbusm.c | 150 ++++++++++++++++++++++++++++++++++++
src/tdbusm.h | 9 +++
tests/028-dbus/expected.out | 4 +-
tests/028-dbus/run.sh | 1 +
7 files changed, 220 insertions(+), 7 deletions(-)
diff --git a/src/getcert.c b/src/getcert.c
index 078f5aa1..4afafcb1 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -3389,7 +3389,7 @@ list(const char *argv0, int argc, const char **argv)
const char *capath, *request;
dbus_bool_t b;
char *s1, *s2, *s3, *s4, *s5, *s6;
- long n1, n2;
+ long n1, n2, n3;
char **as, **as1, **as2, **as3, **as4, **as5, t[25];
int requests_only = 0, tracking_only = 0, verbose = 0, c, i, j;
unsigned int k;
@@ -3754,10 +3754,10 @@ list(const char *argv0, int argc, const char **argv)
/* Information from the certificate. */
rep = query_rep(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
"get_cert_info", verbose);
- if (cm_tdbusm_get_sssnasasasnas(rep, globals.tctx,
+ if (cm_tdbusm_get_sssnasasasnasn(rep, globals.tctx,
&s1, &s2, &s3, &n1,
&as1, &as2, &as3,
- &n2, &as4) != 0) {
+ &n2, &as4, &n3) != 0) {
printf(_("Error parsing server response.\n"));
exit(1);
}
@@ -3768,6 +3768,21 @@ list(const char *argv0, int argc, const char **argv)
printf(_("\tissuer: %s\n"), s1);
printf(_("\tsubject: %s\n"), s3);
when = _("unknown");
+ if (n3 != 0) {
+ if (force_utc) {
+ when = cm_store_timestamp_from_time_for_display(n3, t);
+ printf(_("\tissued: %s\n"), when);
+ } else {
+ when = cm_store_local_timestamp_from_time_for_display(n3);
+ if (when != NULL) {
+ printf(_("\tissued: %s\n"), when);
+ free(when);
+ }
+ }
+ } else {
+ printf(_("\tissued: %s\n"), when);
+ }
+ when = _("unknown");
if (n1 != 0) {
if (force_utc) {
when = cm_store_timestamp_from_time_for_display(n1, t);
diff --git a/src/tdbush.c b/src/tdbush.c
index 3587f84f..6fc1b4be 100644
--- a/src/tdbush.c
+++ b/src/tdbush.c
@@ -2701,7 +2701,7 @@ request_get_cert_info(DBusConnection *conn, DBusMessage *msg,
rep = dbus_message_new_method_return(msg);
if (rep != NULL) {
eku = eku_splitv(entry, entry->cm_cert_eku);
- cm_tdbusm_set_sssnasasasnas(rep,
+ cm_tdbusm_set_sssnasasasnasn(rep,
entry->cm_cert_issuer,
entry->cm_cert_serial,
entry->cm_cert_subject,
@@ -2710,7 +2710,8 @@ request_get_cert_info(DBusConnection *conn, DBusMessage *msg,
(const char **) entry->cm_cert_hostname,
(const char **) entry->cm_cert_principal,
ku_from_string(entry->cm_cert_ku),
- (const char **) eku);
+ (const char **) eku,
+ entry->cm_cert_not_before);
dbus_connection_send(conn, rep, NULL);
dbus_message_unref(rep);
talloc_free(eku);
@@ -6563,7 +6564,10 @@ cm_tdbush_iface_request(void)
DBUS_TYPE_ARRAY_AS_STRING
DBUS_TYPE_STRING_AS_STRING,
cm_tdbush_method_arg_out,
- NULL))))))))),
+ make_method_arg("not_before",
+ DBUS_TYPE_INT64_AS_STRING,
+ cm_tdbush_method_arg_out,
+ NULL)))))))))),
NULL),
make_interface_item(cm_tdbush_interface_property,
make_property(CM_DBUS_PROP_CERT_ISSUER,
diff --git a/src/tdbusm-check.c b/src/tdbusm-check.c
index 385b1849..31880732 100644
--- a/src/tdbusm-check.c
+++ b/src/tdbusm-check.c
@@ -539,6 +539,38 @@ get_sssnasasasnas(DBusMessage *rep, int msgid)
return ret;
}
static int
+get_sssnasasasnasn(DBusMessage *rep, int msgid)
+{
+ int ret, i;
+ long n1, n2, n3;
+ char *s1, *s2, *s3, **as1, **as2, **as3, **as4;
+
+ ret = cm_tdbusm_get_sssnasasasnasn(rep, NULL,
+ &s1, &s2, &s3, &n1,
+ &as1, &as2, &as3, &n2, &as4, &n3);
+ if (ret == 0) {
+ printf("Message %d - s:%s,s:%s,s:%s," "n:%ld,[",
+ msgid, s1, s2, s3, n1);
+ for (i = 0; (as1 != NULL) && (as1[i] != NULL); i++) {
+ printf("%ss:%s", i > 0 ? "," : "", as1[i]);
+ }
+ printf("],[");
+ for (i = 0; (as2 != NULL) && (as2[i] != NULL); i++) {
+ printf("%ss:%s", i > 0 ? "," : "", as2[i]);
+ }
+ printf("],[");
+ for (i = 0; (as3 != NULL) && (as3[i] != NULL); i++) {
+ printf("%ss:%s", i > 0 ? "," : "", as3[i]);
+ }
+ printf("],n:%ld,n:%ld,[", n2, n3);
+ for (i = 0; (as4 != NULL) && (as4[i] != NULL); i++) {
+ printf("%ss:%s", i > 0 ? "," : "", as4[i]);
+ }
+ printf("]\n");
+ }
+ return ret;
+}
+static int
get_sasasasnas(DBusMessage *rep, int msgid)
{
int ret, i;
diff --git a/src/tdbusm.c b/src/tdbusm.c
index bc39e1d4..24e03e4c 100644
--- a/src/tdbusm.c
+++ b/src/tdbusm.c
@@ -935,6 +935,105 @@ cm_tdbusm_get_sssnasasasnas(DBusMessage *msg, void *parent,
return 0;
}
+int
+cm_tdbusm_get_sssnasasasnasn(DBusMessage *msg, void *parent,
+ char **s1, char **s2, char **s3, long *n1,
+ char ***as1, char ***as2, char ***as3,
+ long *n2, char ***as4, long *n3)
+{
+ DBusError err;
+ char **tmp1, **tmp2, **tmp3, **tmp4;
+ int64_t i641, i642, i643;
+ int32_t i321, i322, i323;
+ int16_t i161, i162, i163;
+ int i, j, k, l;
+ *s1 = NULL;
+ *s2 = NULL;
+ *s3 = NULL;
+ *as1 = NULL;
+ *as2 = NULL;
+ *as3 = NULL;
+ *as4 = NULL;
+ dbus_error_init(&err);
+ if (!dbus_message_get_args(msg, &err,
+ DBUS_TYPE_STRING, s1,
+ DBUS_TYPE_STRING, s2,
+ DBUS_TYPE_STRING, s3,
+ DBUS_TYPE_INT64, &i641,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp1, &i,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp2, &j,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp3, &k,
+ DBUS_TYPE_INT64, &i642,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp4, &l,
+ DBUS_TYPE_INT64, &i643,
+ DBUS_TYPE_INVALID)) {
+ if (dbus_error_is_set(&err)) {
+ dbus_error_free(&err);
+ dbus_error_init(&err);
+ }
+ if (!dbus_message_get_args(msg, &err,
+ DBUS_TYPE_STRING, s1,
+ DBUS_TYPE_STRING, s2,
+ DBUS_TYPE_STRING, s3,
+ DBUS_TYPE_INT32, &i321,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &tmp1, &i,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &tmp2, &j,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &tmp3, &k,
+ DBUS_TYPE_INT32, &i322,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &tmp4, &l,
+ DBUS_TYPE_INT32, &i323,
+ DBUS_TYPE_INVALID)) {
+ if (dbus_error_is_set(&err)) {
+ dbus_error_free(&err);
+ dbus_error_init(&err);
+ }
+ if (!dbus_message_get_args(msg, &err,
+ DBUS_TYPE_STRING, s1,
+ DBUS_TYPE_STRING, s2,
+ DBUS_TYPE_STRING, s3,
+ DBUS_TYPE_INT16, &i161,
+ DBUS_TYPE_ARRAY,
+ DBUS_TYPE_STRING, &tmp1, &i,
+ DBUS_TYPE_ARRAY,
+ DBUS_TYPE_STRING, &tmp2, &j,
+ DBUS_TYPE_ARRAY,
+ DBUS_TYPE_STRING, &tmp3, &k,
+ DBUS_TYPE_INT16, &i162,
+ DBUS_TYPE_ARRAY,
+ DBUS_TYPE_STRING, &tmp4, &l,
+ DBUS_TYPE_INT16, &i163,
+ DBUS_TYPE_INVALID)) {
+ if (dbus_error_is_set(&err)) {
+ dbus_error_free(&err);
+ dbus_error_init(&err);
+ }
+ return -1;
+ }
+ i321 = i161;
+ i322 = i162;
+ i323 = i163;
+ }
+ i641 = i321;
+ i642 = i322;
+ i643 = i323;
+ }
+ *s1 = *s1 ? talloc_strdup(parent, *s1) : NULL;
+ *s2 = *s2 ? talloc_strdup(parent, *s2) : NULL;
+ *s3 = *s3 ? talloc_strdup(parent, *s3) : NULL;
+ *n1 = i641;
+ *n2 = i642;
+ *n3 = i643;
+ *as1 = cm_tdbusm_take_dbus_string_array(parent, tmp1, i);
+ *as2 = cm_tdbusm_take_dbus_string_array(parent, tmp2, j);
+ *as3 = cm_tdbusm_take_dbus_string_array(parent, tmp3, k);
+ *as4 = cm_tdbusm_take_dbus_string_array(parent, tmp4, l);
+ return 0;
+}
+
int
cm_tdbusm_get_sasasasnas(DBusMessage *msg, void *parent, char **s,
char ***as1, char ***as2, char ***as3,
@@ -1856,6 +1955,57 @@ cm_tdbusm_set_sssnasasasnas(DBusMessage *msg,
}
}
+int
+cm_tdbusm_set_sssnasasasnasn(DBusMessage *msg,
+ const char *s1, const char *s2, const char *s3,
+ long n1, const char **as1, const char **as2,
+ const char **as3, long n2, const char **as4,
+ long n3)
+{
+ int64_t i1 = n1, i2 = n2, i3 = n3;
+ if (s1 == NULL) {
+ s1 = empty_string;
+ }
+ if (s2 == NULL) {
+ s2 = empty_string;
+ }
+ if (s3 == NULL) {
+ s3 = empty_string;
+ }
+ if (as1 == NULL) {
+ as1 = empty_string_array;
+ }
+ if (as2 == NULL) {
+ as2 = empty_string_array;
+ }
+ if (as3 == NULL) {
+ as3 = empty_string_array;
+ }
+ if (as4 == NULL) {
+ as4 = empty_string_array;
+ }
+ if (dbus_message_append_args(msg,
+ DBUS_TYPE_STRING, &s1,
+ DBUS_TYPE_STRING, &s2,
+ DBUS_TYPE_STRING, &s3,
+ DBUS_TYPE_INT64, &i1,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &as1, cm_tdbusm_array_length(as1),
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &as2, cm_tdbusm_array_length(as2),
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &as3, cm_tdbusm_array_length(as3),
+ DBUS_TYPE_INT64, &i2,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &as4, cm_tdbusm_array_length(as4),
+ DBUS_TYPE_INT64, &i3,
+ DBUS_TYPE_INVALID)) {
+ return 0;
+ } else {
+ return -1;
+ }
+}
+
int
cm_tdbusm_set_sasasasnas(DBusMessage *msg, const char *s,
const char **as1, const char **as2,
diff --git a/src/tdbusm.h b/src/tdbusm.h
index fe021eff..250a9b0a 100644
--- a/src/tdbusm.h
+++ b/src/tdbusm.h
@@ -55,6 +55,10 @@ int cm_tdbusm_get_sssnasasasnas(DBusMessage *msg, void *parent,
char **s1, char **s2, char **s3, long *n1,
char ***as1, char ***as2,
char ***as3, long *n2, char ***as4);
+int cm_tdbusm_get_sssnasasasnasn(DBusMessage *msg, void *parent,
+ char **s1, char **s2, char **s3, long *n1,
+ char ***as1, char ***as2,
+ char ***as3, long *n2, char ***as4, long *n3);
int cm_tdbusm_get_sasasasnas(DBusMessage *msg, void *parent,
char **s,
char ***as1, char ***as2,
@@ -124,6 +128,11 @@ int cm_tdbusm_set_sssnasasasnas(DBusMessage *msg,
const char *s3, long n1,
const char **as1, const char **as2,
const char **as3, long n2, const char **as4);
+int cm_tdbusm_set_sssnasasasnasn(DBusMessage *msg,
+ const char *s1, const char *s2,
+ const char *s3, long n1,
+ const char **as1, const char **as2,
+ const char **as3, long n2, const char **as4, long n3);
int cm_tdbusm_set_sasasasnas(DBusMessage *msg,
const char *s,
const char **as1, const char **as2,
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
index ca7de34f..4cecbe15 100644
--- a/tests/028-dbus/expected.out
+++ b/tests/028-dbus/expected.out
@@ -11,6 +11,7 @@ Request ID 'Buddy':
CA: local
issuer: CN=$UUID,CN=Local Signing Authority
subject: CN=localhost
+ issued: sometime
expires: sometime
dns: localhost
principal name: host/localhost@LOCALHOST
@@ -269,6 +270,7 @@ OK
<arg name="principal_names" type="as" direction="out"/>
<arg name="key_usage" type="x" direction="out"/>
<arg name="extended_key_usage" type="as" direction="out"/>
+ <arg name="not_before" type="x" direction="out"/>
</method>
<property name="issuer" type="s" access="read"/>
<property name="serial" type="s" access="read"/>
@@ -430,7 +432,7 @@ Buddy
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ]
-(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
+(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')), dbus.Int64(recently))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ]
recently
diff --git a/tests/028-dbus/run.sh b/tests/028-dbus/run.sh
index d0be6ad8..a457834f 100755
--- a/tests/028-dbus/run.sh
+++ b/tests/028-dbus/run.sh
@@ -42,5 +42,6 @@ sed -r -e 's,CN=........-........-........-........,CN=$UUID,g' \
-e '/^-----BEGIN/,/^-----END/d' \
-e "s|$libexecdir|\$libexecdir|g" \
-e "s|$tmpdir|\$tmpdir|g" \
+ -e "s|issued:.*|issued: sometime|g" \
-e "s|expires:.*|expires: sometime|g" \
-e "s|'(00)?[0-9a-fA-F]{32}|'"'$UUID|g' \
--
2.31.1

View File

@ -0,0 +1,40 @@
From f9c774f737a060b355533c215d7443b9865992a0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 12 Aug 2021 16:26:09 -0400
Subject: [PATCH] Fix file descriptor leak when executing CA helpers
cm_cadata_start_generic() creates a pipe. One half is passed
to fetch(), the function that does all helper calls,
via the cm_cadata_state variable ret. The other half is the
reader and is used to detect execution errors. There is a pair
of write/read on this descriptor which on error would be the
errno.
This second half wasn't being closed after reading to test for
errors.
https://bugzilla.redhat.com/show_bug.cgi?id=1992439
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/cadata.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/cadata.c b/src/cadata.c
index 3e916c9..d851b9e 100644
--- a/src/cadata.c
+++ b/src/cadata.c
@@ -772,8 +772,10 @@ cm_cadata_start_generic(struct cm_store_ca *ca, const char *op,
cm_log(1, "Error running enrollment helper \"%s\": %s.\n",
ca->cm_ca_external_helper, strerror(u));
talloc_free(ret);
+ close(error_fd[0]);
return NULL;
}
+ close(error_fd[0]);
return ret;
}
--
2.31.1

View File

@ -0,0 +1,80 @@
From 9312d1892c611d9f0e814cb915488182da2b76cc Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 4 Oct 2021 15:55:44 +0200
Subject: [PATCH] Use extensions template from NSS
Drop certmonger's custom extension template and use the sequence of X509v3
extensions template from NSS.
The certmonger template had a bug that caused certmonger to create CSRs
with invalid DER. It was encoding extension's critical element even for
default value FALSE.
Fixes: https://pagure.io/certmonger/issue/223
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
src/certext.c | 41 +----------------------------------------
1 file changed, 1 insertion(+), 40 deletions(-)
diff --git a/src/certext.c b/src/certext.c
index be536987..0d66971e 100644
--- a/src/certext.c
+++ b/src/certext.c
@@ -203,45 +203,6 @@ cm_ms_template_template[] = {
{0, 0, NULL, 0},
};
-/* RFC 5280, 4.1 */
-const SEC_ASN1Template
-cm_certext_cert_extension_template[] = {
- {
- .kind = SEC_ASN1_SEQUENCE,
- .offset = 0,
- .sub = NULL,
- .size = sizeof(CERTCertExtension),
- },
- {
- .kind = SEC_ASN1_OBJECT_ID,
- .offset = offsetof(CERTCertExtension, id),
- .sub = NULL,
- .size = sizeof(SECItem),
- },
- {
- .kind = SEC_ASN1_BOOLEAN,
- .offset = offsetof(CERTCertExtension, critical),
- .sub = NULL,
- .size = sizeof(SECItem),
- },
- {
- .kind = SEC_ASN1_OCTET_STRING,
- .offset = offsetof(CERTCertExtension, value),
- .sub = NULL,
- .size = sizeof(SECItem),
- },
- {0, 0, NULL, 0},
-};
-const SEC_ASN1Template
-cm_certext_sequence_of_cert_extension_template[] = {
- {
- .kind = SEC_ASN1_SEQUENCE_OF,
- .offset = 0,
- .sub = cm_certext_cert_extension_template,
- .size = sizeof(CERTCertExtension **),
- },
-};
-
/* Windows 2000-style UPN */
static unsigned char oid_ms_upn_name_bytes[] = {0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03};
static const SECOidData oid_ms_upn_name = {
@@ -1960,7 +1921,7 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry,
/* Encode the sequence. */
memset(&encoded, 0, sizeof(encoded));
if (i > 1) {
- template = cm_certext_sequence_of_cert_extension_template;
+ template = CERT_SequenceOfCertExtensionTemplate;
if (SEC_ASN1EncodeItem(arena, &encoded, &exts_ptr,
template) == &encoded) {
*extensions = talloc_memdup(entry, encoded.data,
--
2.31.1

View File

@ -0,0 +1,280 @@
From e3e4679693efc60bc7a25983909ddfa6883ab2ec Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 4 Oct 2021 18:52:53 +0200
Subject: [PATCH] Use implicit, empty FALSE for extensions
Cemplate had a bug that caused certmonger to create CSRs with invalid DER.
It was encoding extension's critical element even for default value FALSE.
Fixes: https://pagure.io/certmonger/issue/223
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
src/certext.c | 7 +-
tests/003-csrgen-rsa/expected.out | 82 ++++++++++------------
tests/003-csrgen/expected.out | 110 +++++++++++++-----------------
3 files changed, 91 insertions(+), 108 deletions(-)
diff --git a/src/certext.c b/src/certext.c
index 0d66971e..e5e0b4dc 100644
--- a/src/certext.c
+++ b/src/certext.c
@@ -1706,9 +1706,12 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry,
CERTCertExtension ext[13], *exts[14], **exts_ptr;
SECOidData *oid;
SECItem *item, encoded;
+ /* X509v3 extension's critical element has an implicit default,
+ * see https://pagure.io/certmonger/issue/223
+ */
SECItem der_false = {
- .len = 1,
- .data = (unsigned char *) "\000",
+ .len = 0,
+ .data = NULL,
};
SECItem der_true = {
.len = 1,
diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out
index def53fe4..0fb88323 100644
--- a/tests/003-csrgen-rsa/expected.out
+++ b/tests/003-csrgen-rsa/expected.out
@@ -8,8 +8,8 @@ pk12util: PKCS12 EXPORT SUCCESSFUL
4096 OK.
Signature OK
The last CSR (the one with everything) was:
- 0:d=0 hl=4 l=1413 cons: SEQUENCE
- 4:d=1 hl=4 l=1133 cons: SEQUENCE
+ 0:d=0 hl=4 l=1389 cons: SEQUENCE
+ 4:d=1 hl=4 l=1109 cons: SEQUENCE
8:d=2 hl=2 l= 1 prim: INTEGER :00
11:d=2 hl=2 l= 22 cons: SEQUENCE
13:d=3 hl=2 l= 20 cons: SET
@@ -21,7 +21,7 @@ The last CSR (the one with everything) was:
41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
52:d=4 hl=2 l= 0 prim: NULL
54:d=3 hl=4 l= 271 prim: BIT STRING
- 329:d=2 hl=4 l= 808 cons: cont [ 0 ]
+ 329:d=2 hl=4 l= 784 cons: cont [ 0 ]
333:d=3 hl=2 l= 52 cons: SEQUENCE
335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword
346:d=4 hl=2 l= 39 cons: SET
@@ -30,48 +30,40 @@ The last CSR (the one with everything) was:
389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName
400:d=4 hl=2 l= 48 cons: SET
402:d=5 hl=2 l= 46 prim: BMPSTRING
- 450:d=3 hl=4 l= 687 cons: SEQUENCE
+ 450:d=3 hl=4 l= 663 cons: SEQUENCE
454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request
- 465:d=4 hl=4 l= 672 cons: SET
- 469:d=5 hl=4 l= 668 cons: SEQUENCE
- 473:d=6 hl=2 l= 14 cons: SEQUENCE
+ 465:d=4 hl=4 l= 648 cons: SET
+ 469:d=5 hl=4 l= 644 cons: SEQUENCE
+ 473:d=6 hl=2 l= 11 cons: SEQUENCE
475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
- 489:d=6 hl=4 l= 264 cons: SEQUENCE
- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 501:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]:3081FA82096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74
- 757:d=6 hl=2 l= 32 cons: SEQUENCE
- 759:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
- 764:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 767:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
- 791:d=6 hl=2 l= 18 cons: SEQUENCE
- 793:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
- 798:d=7 hl=2 l= 1 prim: BOOLEAN :255
- 801:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
- 811:d=6 hl=2 l= 34 cons: SEQUENCE
- 813:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
- 818:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 821:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
- 847:d=6 hl=2 l= 32 cons: SEQUENCE
- 849:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
- 854:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 857:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
- 881:d=6 hl=2 l= 107 cons: SEQUENCE
- 883:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
- 893:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 896:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
- 990:d=6 hl=2 l= 96 cons: SEQUENCE
- 992:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
- 997:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1000:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
- 1088:d=6 hl=2 l= 51 cons: SEQUENCE
- 1090:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
- 1101:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1104:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
- 1141:d=1 hl=2 l= 13 cons: SEQUENCE
- 1143:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
- 1154:d=2 hl=2 l= 0 prim: NULL
- 1156:d=1 hl=4 l= 257 prim: BIT STRING
+ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
+ 486:d=6 hl=4 l= 261 cons: SEQUENCE
+ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
+ 495:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]:3081FA82096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74
+ 751:d=6 hl=2 l= 29 cons: SEQUENCE
+ 753:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
+ 758:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
+ 782:d=6 hl=2 l= 18 cons: SEQUENCE
+ 784:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
+ 789:d=7 hl=2 l= 1 prim: BOOLEAN :255
+ 792:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
+ 802:d=6 hl=2 l= 31 cons: SEQUENCE
+ 804:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
+ 809:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
+ 835:d=6 hl=2 l= 29 cons: SEQUENCE
+ 837:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
+ 842:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
+ 866:d=6 hl=2 l= 104 cons: SEQUENCE
+ 868:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
+ 878:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
+ 972:d=6 hl=2 l= 93 cons: SEQUENCE
+ 974:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
+ 979:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
+ 1067:d=6 hl=2 l= 48 cons: SEQUENCE
+ 1069:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
+ 1080:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
+ 1117:d=1 hl=2 l= 13 cons: SEQUENCE
+ 1119:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
+ 1130:d=2 hl=2 l= 0 prim: NULL
+ 1132:d=1 hl=4 l= 257 prim: BIT STRING
Test complete (32 combinations).
diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out
index 46e010cf..1081a678 100644
--- a/tests/003-csrgen/expected.out
+++ b/tests/003-csrgen/expected.out
@@ -11,8 +11,8 @@ Signature OK
minicert.openssl.4096.pem: OK
4096 OK.
The last CSR (the one with everything) was:
- 0:d=0 hl=4 l=1635 cons: SEQUENCE
- 4:d=1 hl=4 l=1355 cons: SEQUENCE
+ 0:d=0 hl=4 l=1599 cons: SEQUENCE
+ 4:d=1 hl=4 l=1319 cons: SEQUENCE
8:d=2 hl=2 l= 1 prim: INTEGER :00
11:d=2 hl=2 l= 22 cons: SEQUENCE
13:d=3 hl=2 l= 20 cons: SET
@@ -24,7 +24,7 @@ The last CSR (the one with everything) was:
41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
52:d=4 hl=2 l= 0 prim: NULL
54:d=3 hl=4 l= 271 prim: BIT STRING
- 329:d=2 hl=4 l=1030 cons: cont [ 0 ]
+ 329:d=2 hl=4 l= 994 cons: cont [ 0 ]
333:d=3 hl=2 l= 52 cons: SEQUENCE
335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword
346:d=4 hl=2 l= 39 cons: SET
@@ -33,64 +33,52 @@ The last CSR (the one with everything) was:
389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName
400:d=4 hl=2 l= 48 cons: SET
402:d=5 hl=2 l= 46 prim: BMPSTRING
- 450:d=3 hl=4 l= 909 cons: SEQUENCE
+ 450:d=3 hl=4 l= 873 cons: SEQUENCE
454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request
- 465:d=4 hl=4 l= 894 cons: SET
- 469:d=5 hl=4 l= 890 cons: SEQUENCE
- 473:d=6 hl=2 l= 14 cons: SEQUENCE
+ 465:d=4 hl=4 l= 858 cons: SET
+ 469:d=5 hl=4 l= 854 cons: SEQUENCE
+ 473:d=6 hl=2 l= 11 cons: SEQUENCE
475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
- 489:d=6 hl=4 l= 290 cons: SEQUENCE
- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 501:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]:3082011282096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F7487047F000001871000000000000000000000000000000001
- 783:d=6 hl=2 l= 32 cons: SEQUENCE
- 785:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
- 790:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 793:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
- 817:d=6 hl=2 l= 18 cons: SEQUENCE
- 819:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
- 824:d=7 hl=2 l= 1 prim: BOOLEAN :255
- 827:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
- 837:d=6 hl=2 l= 34 cons: SEQUENCE
- 839:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
- 844:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 847:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
- 873:d=6 hl=2 l= 32 cons: SEQUENCE
- 875:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
- 880:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 883:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
- 907:d=6 hl=2 l= 107 cons: SEQUENCE
- 909:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
- 919:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 922:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
- 1016:d=6 hl=2 l= 96 cons: SEQUENCE
- 1018:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
- 1023:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1026:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
- 1114:d=6 hl=2 l= 106 cons: SEQUENCE
- 1116:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL
- 1121:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1124:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461
- 1222:d=6 hl=2 l= 51 cons: SEQUENCE
- 1224:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
- 1235:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1238:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
- 1275:d=6 hl=2 l= 18 cons: SEQUENCE
- 1277:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check
- 1288:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1291:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500
- 1295:d=6 hl=2 l= 44 cons: SEQUENCE
- 1297:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2
- 1308:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1311:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074
- 1341:d=6 hl=2 l= 20 cons: SEQUENCE
- 1343:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type
- 1354:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1357:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0
- 1363:d=1 hl=2 l= 13 cons: SEQUENCE
- 1365:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
- 1376:d=2 hl=2 l= 0 prim: NULL
- 1378:d=1 hl=4 l= 257 prim: BIT STRING
+ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
+ 486:d=6 hl=4 l= 287 cons: SEQUENCE
+ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
+ 495:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]:3082011282096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F7487047F000001871000000000000000000000000000000001
+ 777:d=6 hl=2 l= 29 cons: SEQUENCE
+ 779:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
+ 784:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
+ 808:d=6 hl=2 l= 18 cons: SEQUENCE
+ 810:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
+ 815:d=7 hl=2 l= 1 prim: BOOLEAN :255
+ 818:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
+ 828:d=6 hl=2 l= 31 cons: SEQUENCE
+ 830:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
+ 835:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
+ 861:d=6 hl=2 l= 29 cons: SEQUENCE
+ 863:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
+ 868:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
+ 892:d=6 hl=2 l= 104 cons: SEQUENCE
+ 894:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
+ 904:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
+ 998:d=6 hl=2 l= 93 cons: SEQUENCE
+ 1000:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
+ 1005:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
+ 1093:d=6 hl=2 l= 103 cons: SEQUENCE
+ 1095:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL
+ 1100:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461
+ 1198:d=6 hl=2 l= 48 cons: SEQUENCE
+ 1200:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
+ 1211:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
+ 1248:d=6 hl=2 l= 15 cons: SEQUENCE
+ 1250:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check
+ 1261:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500
+ 1265:d=6 hl=2 l= 41 cons: SEQUENCE
+ 1267:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2
+ 1278:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074
+ 1308:d=6 hl=2 l= 17 cons: SEQUENCE
+ 1310:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type
+ 1321:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0
+ 1327:d=1 hl=2 l= 13 cons: SEQUENCE
+ 1329:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
+ 1340:d=2 hl=2 l= 0 prim: NULL
+ 1342:d=1 hl=4 l= 257 prim: BIT STRING
Test complete (69 combinations).
--
2.31.1

View File

@ -11,7 +11,7 @@
Name: certmonger
Version: 0.79.13
Release: 3%{?dist}
Release: 5%{?dist}
Summary: Certificate status monitor and PKI enrollment client
Group: System Environment/Daemons
@ -22,6 +22,12 @@ Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
Patch0001: 0001-Don-t-run-the-002-keygen-tests-when-root.patch
Patch0002: 0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch
Patch0003: 0003-Fix-local-CA-to-work-under-FIPS.patch
Patch0004: 0004-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch
Patch0005: 0005-Add-NULL-checks-before-string-compares-when-analyzin.patch
Patch0006: 0006-Display-not_before-in-getcert-output.patch
Patch0007: 0007-Fix-file-descriptor-leak-when-executing-CA-helpers.patch
Patch0008: 0008-Use-extensions-template-from-NSS.patch
Patch0009: 0009-Use-implicit-empty-FALSE-for-extensions.patch
BuildRequires: autoconf
BuildRequires: automake
@ -236,6 +242,17 @@ exit 0
%endif
%changelog
* Mon Oct 18 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-5
- certmonger creates CSRs with invalid DER syntax for X509v3 extensions
with critical=FALSE (#2012258)
* Wed Oct 06 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-4
- Certmonger SCEP renewal should not use old challenges (#1577570)
- Certmonger segfault after cert renewal request (#1881500)
- Include certificate NotBefore date in output of the 'getcert list' command
(#1940261)
- Certmonger certificates stuck in NEED_GUIDANCE (#2001079)
* Wed Apr 28 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-3
- Fix local CA to work under FIPS (#1950132)