From f021a3d3fd3ab45e4d2a132d7fd8dd3e520b16ab Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 8 May 2018 13:08:07 -0400 Subject: [PATCH] Update to upstream 0.79.6 --- .gitignore | 1 + ...qlite-databases-show-up-in-slightly-.patch | 63 --- ...-require-a-password-to-modify-trust-.patch | 52 --- ...28-was-switched-to-sqlite-fix-assump.patch | 405 ------------------ ...ug-in-associating-private-key-to-cer.patch | 48 --- ...on-tests-against-both-dbm-and-sqlite.patch | 314 -------------- certmonger.spec | 22 +- sources | 2 +- 8 files changed, 12 insertions(+), 895 deletions(-) delete mode 100644 0001-Perm-issues-in-sqlite-databases-show-up-in-slightly-.patch delete mode 100644 0002-SQLite-databases-require-a-password-to-modify-trust-.patch delete mode 100644 0003-NSS-in-rawhide-F28-was-switched-to-sqlite-fix-assump.patch delete mode 100644 0004-Workaround-NSS-bug-in-associating-private-key-to-cer.patch delete mode 100644 0005-Run-key-generation-tests-against-both-dbm-and-sqlite.patch
diff --git a/.gitignore b/.gitignore
index 377135c..468e356 100644
--- a/.gitignore
+++ b/.gitignore
@@ -122,3 +122,4 @@ certmonger-0.28.tar.gz
 /certmonger-0.79.3.tar.gz.sig
 /certmonger-0.79.4.tar.gz
 /certmonger-0.79.5.tar.gz
+/certmonger-0.79.6.tar.gz
diff --git a/0001-Perm-issues-in-sqlite-databases-show-up-in-slightly-.patch b/0001-Perm-issues-in-sqlite-databases-show-up-in-slightly-.patch
deleted file mode 100644
index ad64493..0000000
--- a/0001-Perm-issues-in-sqlite-databases-show-up-in-slightly-.patch
+++ /dev/null
@@ -1,63 +0,0 @@ -From 3cb710fbea245476a49af77d670fedb35bba16de Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 9 Jan 2018 22:07:17 -0500 -Subject: [PATCH 1/6] Perm issues in sqlite databases show up in slightly - different ways - -SQLite databases may return SEC_ERROR_READ_ONLY instead of -SEC_ERROR_BAD_DATABASE. - -If a database is opened as read-write but it fails (e.g. in a -read-only directory) it will try again to open it as read-only -and potentially fail because it doesn't exist at all. This sets -errno as ENOENT rather than the expected EACCES so treat that -as a read failure as well. - -Related: https://pagure.io/certmonger/issue/88 ---- - src/certsave-n.c | 5 ++++- - src/keygen-n.c | 6 +++++- - 2 files changed, 9 insertions(+), 2 deletions(-) - -diff --git a/src/certsave-n.c b/src/certsave-n.c -index 67deb88b..a2c97000 100644 ---- a/src/certsave-n.c -+++ b/src/certsave-n.c -@@ -128,10 +128,13 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - NSS_INIT_NOMODDB); - ec = PORT_GetError(); - if (ctx == NULL) { -- if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) { -+ if ((ec == SEC_ERROR_READ_ONLY) && readwrite) { -+ ec = PR_NO_ACCESS_RIGHTS_ERROR; -+ } else if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) { - switch (errno) { - case EACCES: - case EPERM: -+ case ENOENT: - ec = PR_NO_ACCESS_RIGHTS_ERROR; - break; - default: -diff --git a/src/keygen-n.c b/src/keygen-n.c -index 08f00496..8078a520 100644 ---- a/src/keygen-n.c -+++ b/src/keygen-n.c -@@ -169,10 +169,14 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - NSS_INIT_NOMODDB); - ec = PORT_GetError(); - if (ctx == NULL) { -- if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) { -+ if ((ec == SEC_ERROR_READ_ONLY) && readwrite) { -+ ec = PR_NO_ACCESS_RIGHTS_ERROR; -+ } -+ else if ((ec == SEC_ERROR_BAD_DATABASE) && readwrite) { - switch (errno) { - case EACCES: - case EPERM: -+ case ENOENT: - ec = PR_NO_ACCESS_RIGHTS_ERROR; - break; 
- default: --- -2.15.1 - diff --git a/0002-SQLite-databases-require-a-password-to-modify-trust-.patch b/0002-SQLite-databases-require-a-password-to-modify-trust-.patch deleted file mode 100644 index 6cae47d..0000000 --- a/0002-SQLite-databases-require-a-password-to-modify-trust-.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From f1b7eeceef117606c060f61542754f5556739469 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 9 Jan 2018 22:13:49 -0500 -Subject: [PATCH 2/6] SQLite databases require a password to modify trust and - to sign - -This affects certutil -M and cmsutil -S. Need to add -f pinfile. - -https://pagure.io/certmonger/issue/88 ---- - tests/030-rekey/run.sh | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/tests/030-rekey/run.sh b/tests/030-rekey/run.sh -index 9b50da4a..07fea683 100755 ---- a/tests/030-rekey/run.sh -+++ b/tests/030-rekey/run.sh -@@ -140,11 +140,11 @@ for preserve in 1 0 ; do - - echo "This is the plaintext." > plain.txt - echo "NSS Signing:" -- certutil -M -d $tmpdir -n i$size -t P,P,P -- cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed -+ certutil -M -d $tmpdir -n i$size -t P,P,P -f pinfile -+ cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed -f pinfile - echo "NSS Verify:" -- cmsutil -D -d $tmpdir -f pinfile -i signed -- certutil -M -d $tmpdir -n i$size -t ,, -+ cmsutil -D -d $tmpdir -f pinfile -i signed -f pinfile -+ certutil -M -d $tmpdir -n i$size -t ,, -f pinfile - - # Go and save the new certs and keys (NSS). - echo '(saving)' -@@ -163,11 +163,11 @@ for preserve in 1 0 ; do - - echo "This is the plaintext." > plain.txt - echo "NSS Signing:" -- certutil -M -d $tmpdir -n i$size -t P,P,P -- cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed -+ certutil -M -d $tmpdir -n i$size -t P,P,P -f pinfile -+ cmsutil -S -d $tmpdir -f pinfile -N i$size -i plain.txt -o signed -f pinfile - echo "NSS Verify:" -- cmsutil -D -d $tmpdir -f pinfile -i signed -- certutil -M -d $tmpdir -n i$size -t ,, -+ cmsutil -D -d $tmpdir -f pinfile -i signed -f pinfile -+ certutil -M -d $tmpdir -n i$size -t ,, -f pinfile - - # Now generate new keys, CSRs, and certificates (OpenSSL). - echo "PEM keys before re-keygen (preserve=$preserve,pin=\"$pin\"):" --- -2.15.1 - 
diff --git a/0003-NSS-in-rawhide-F28-was-switched-to-sqlite-fix-assump.patch b/0003-NSS-in-rawhide-F28-was-switched-to-sqlite-fix-assump.patch deleted file mode 100644 index 401aec4..0000000 --- a/0003-NSS-in-rawhide-F28-was-switched-to-sqlite-fix-assump.patch +++ /dev/null 
@@ -1,405 +0,0 @@ -From 0cfefe50373cd5f7da5b49f1a1380ba8b5baf825 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 9 Jan 2018 22:14:53 -0500 -Subject: [PATCH 3/6] NSS in rawhide (F28) was switched to sqlite, fix - assumptions - -Previous releases of NSS had dbm as the default storage type. -Certain assumptions were built into the tests. Make the default -scheme more explicit, leaving it as dbm for now. - -https://pagure.io/certmonger/issue/88 ---- - tests/007-certsave-dbm/expected.out | 4 ++-- - tests/007-certsave/expected.out | 4 ++-- - tests/007-certsave/run.sh | 47 +++++++++++++++++++------------------ - tests/025-casave/run.sh | 36 ++++++++++++++-------------- - tests/034-perms/expected.out | 36 ++++++++++++++-------------- - tests/034-perms/run.sh | 2 ++ - 6 files changed, 66 insertions(+), 63 deletions(-) - -diff --git a/tests/007-certsave-dbm/expected.out b/tests/007-certsave-dbm/expected.out -index e0978c66..ed6b4ede 100644 ---- a/tests/007-certsave-dbm/expected.out -+++ b/tests/007-certsave-dbm/expected.out -@@ -37,7 +37,7 @@ Testing setting trust to C,c,p: - wrong nickname, right subject: cert ,, - wrong subject, right nickname: cert ,, - [nss:rosubdir] --Failed to save (NSS:${tmpdir}/rosubdir), filesystem permissions error. -+Failed to save (NSS:dbm:${tmpdir}/rosubdir), filesystem permissions error. - [nss:rwsubdir] --Failed to save (NSS:${tmpdir}/rwsubdir), filesystem permissions error. -+Failed to save (NSS:dbm:${tmpdir}/rwsubdir), filesystem permissions error. - Test complete. -diff --git a/tests/007-certsave/expected.out b/tests/007-certsave/expected.out -index e0978c66..ed6b4ede 100644 ---- a/tests/007-certsave/expected.out -+++ b/tests/007-certsave/expected.out -@@ -37,7 +37,7 @@ Testing setting trust to C,c,p: - wrong nickname, right subject: cert ,, - wrong subject, right nickname: cert ,, - [nss:rosubdir] --Failed to save (NSS:${tmpdir}/rosubdir), filesystem permissions error. 
-+Failed to save (NSS:dbm:${tmpdir}/rosubdir), filesystem permissions error. - [nss:rwsubdir] --Failed to save (NSS:${tmpdir}/rwsubdir), filesystem permissions error. -+Failed to save (NSS:dbm:${tmpdir}/rwsubdir), filesystem permissions error. - Test complete. -diff --git a/tests/007-certsave/run.sh b/tests/007-certsave/run.sh -index bea8341a..29b02152 100755 ---- a/tests/007-certsave/run.sh -+++ b/tests/007-certsave/run.sh -@@ -2,8 +2,9 @@ - - cd "$tmpdir" - -+scheme="${scheme:-dbm}" - source "$srcdir"/functions --initnssdb ${scheme:+${scheme}:}$tmpdir -+initnssdb $scheme:$tmpdir - - wrongcert='-----BEGIN CERTIFICATE----- - MIIDQTCCAimgAwIBAgIBBTANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwdwaWxs -@@ -50,7 +51,7 @@ echo "$wrongcert" | sed -e 's,^$,,g' -e 's,^ ,,g' > cert.wrong - echo "[nss:wrongnick]" - cat > entry.nss << EOF - cert_storage_type=NSSDB --cert_storage_location=${scheme:+${scheme}:}$tmpdir -+cert_storage_location=$scheme:$tmpdir - cert_nickname=wrongnick - cert=$cert - EOF -@@ -59,7 +60,7 @@ $toolsdir/certsave entry.nss - echo "[nss:wrongcert]" - cat > entry.nss << EOF - cert_storage_type=NSSDB --cert_storage_location=${scheme:+${scheme}:}$tmpdir -+cert_storage_location=$scheme:$tmpdir - cert_nickname=cert - cert=$wrongcert - EOF -@@ -68,13 +69,13 @@ $toolsdir/certsave entry.nss - echo "[nss:right]" - cat > entry.nss << EOF - cert_storage_type=NSSDB --cert_storage_location=${scheme:+${scheme}:}$tmpdir -+cert_storage_location=$scheme:$tmpdir - cert_nickname=cert - cert=$cert - EOF - $toolsdir/certsave entry.nss - $toolsdir/listnicks entry.nss --certutil -d ${scheme:+${scheme}:}$tmpdir -L -n cert -a > cert.nss -+certutil -d $scheme:$tmpdir -L -n cert -a > cert.nss - # Save the wrong certificate to the PEM file. - echo "[openssl:wrong]" - cat > entry.openssl << EOF -@@ -96,7 +97,7 @@ run_dos2unix cert.original - run_dos2unix cert.nss - run_dos2unix cert.openssl - if ! 
cmp cert.original cert.nss ; then -- echo Original and NSS disagree "(${scheme:+${scheme}:}$tmpdir)". -+ echo Original and NSS disagree "($scheme:$tmpdir)". - cat cert.original cert.nss - exit 1 - fi -@@ -137,62 +138,62 @@ $toolsdir/certsave entry.openssl || true - for trust in ,, P,, ,P, CT,C, C,c,p ; do - echo Testing setting trust to "$trust": - # Save the right certificate to NSS's database and read it back. -- initnssdb ${scheme:+${scheme}:}$tmpdir -+ initnssdb $scheme:$tmpdir - cat > entry.nss <<- EOF - cert_storage_type=NSSDB -- cert_storage_location=${scheme:+${scheme}:}$tmpdir -+ cert_storage_location=$scheme:$tmpdir - cert_nickname=cert - cert=$cert - EOF - $toolsdir/certsave entry.nss -- certutil -d ${scheme:+${scheme}:}$tmpdir -M -n cert -t $trust -+ certutil -d $scheme:$tmpdir -M -n cert -t $trust - echo -n " baseline: " -- certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' -+ certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' - $toolsdir/certsave entry.nss - echo -n " right nickname, right subject: " -- certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' -+ certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' - # Save the right certificate to NSS's database with the wrong nickname. -- initnssdb ${scheme:+${scheme}:}$tmpdir -+ initnssdb $scheme:$tmpdir - $toolsdir/certsave entry.nss - cat > entry.nss <<- EOF - cert_storage_type=NSSDB -- cert_storage_location=${scheme:+${scheme}:}$tmpdir -+ cert_storage_location=$scheme:$tmpdir - cert_nickname=wrongnick - cert=$cert - EOF - $toolsdir/certsave entry.nss -- certutil -d ${scheme:+${scheme}:}$tmpdir -M -n wrongnick -t $trust -+ certutil -d $scheme:$tmpdir -M -n wrongnick -t $trust - # Save the right certificate to NSS's database and read it back. 
- cat > entry.nss <<- EOF - cert_storage_type=NSSDB -- cert_storage_location=${scheme:+${scheme}:}$tmpdir -+ cert_storage_location=$scheme:$tmpdir - cert_nickname=cert - cert=$cert - EOF - $toolsdir/certsave entry.nss - echo -n " wrong nickname, right subject: " -- certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' -+ certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' - # Save the wrong certificate to NSS's database with the right nickname. -- initnssdb ${scheme:+${scheme}:}$tmpdir -+ initnssdb $scheme:$tmpdir - $toolsdir/certsave entry.nss - cat > entry.nss <<- EOF - cert_storage_type=NSSDB -- cert_storage_location=${scheme:+${scheme}:}$tmpdir -+ cert_storage_location=$scheme:$tmpdir - cert_nickname=cert - cert=$wrongcert - EOF - $toolsdir/certsave entry.nss -- certutil -d ${scheme:+${scheme}:}$tmpdir -M -n cert -t $trust -+ certutil -d $scheme:$tmpdir -M -n cert -t $trust - # Save the right certificate to NSS's database and read it back. - cat > entry.nss <<- EOF - cert_storage_type=NSSDB -- cert_storage_location=${scheme:+${scheme}:}$tmpdir -+ cert_storage_location=$scheme:$tmpdir - cert_nickname=cert - cert=$cert - EOF - $toolsdir/certsave entry.nss - echo -n " wrong subject, right nickname: " -- certutil -d ${scheme:+${scheme}:}$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' -+ certutil -d $scheme:$tmpdir -L | grep cert | sed -r 's,[ \t]+, ,g' - done - - if test "$scheme" = sql ; then -@@ -202,7 +203,7 @@ else - echo "[nss:rosubdir]" - cat > entry.nss <<- EOF - cert_storage_type=NSSDB -- cert_storage_location=$tmpdir/rosubdir -+ cert_storage_location=$scheme:$tmpdir/rosubdir - cert_nickname=cert - cert=$cert - EOF -@@ -216,7 +217,7 @@ else - echo "[nss:rwsubdir]" - cat > entry.nss <<- EOF - cert_storage_type=NSSDB -- cert_storage_location=$tmpdir/rwsubdir -+ cert_storage_location=$scheme:$tmpdir/rwsubdir - cert_nickname=cert - cert=$cert - EOF -diff --git a/tests/025-casave/run.sh b/tests/025-casave/run.sh -index 
44a08b06..aff1e6d9 100755 ---- a/tests/025-casave/run.sh -+++ b/tests/025-casave/run.sh -@@ -196,7 +196,7 @@ id=EntryD1 - root_cert_files= - other_root_cert_files= - other_cert_files= --root_cert_dbs=$tmpdir/db1,$tmpdir/dba -+root_cert_dbs=dbm:$tmpdir/db1,dbm:$tmpdir/dba - other_root_cert_dbs= - other_cert_dbs= - cert_roots=Per-certificate Signing Authority D1 -@@ -229,7 +229,7 @@ root_cert_files= - other_root_cert_files= - other_cert_files= - root_cert_dbs= --other_root_cert_dbs=$tmpdir/db2,$tmpdir/dba -+other_root_cert_dbs=dbm:$tmpdir/db2,dbm:$tmpdir/dba - other_cert_dbs= - EOF - cat > $tmpdir/entryd3 <<- EOF -@@ -239,7 +239,7 @@ other_root_cert_files= - other_cert_files= - root_cert_dbs= - other_root_cert_dbs= --other_cert_dbs=$tmpdir/db3,$tmpdir/dba -+other_cert_dbs=dbm:$tmpdir/db3,dbm:$tmpdir/dba - cert_chain=Per-certificate Signing Authority D3 - -----BEGIN CERTIFICATE----- - MIIDjjCCAnagAwIBAgIRALuVK2FuXklPuMP4qtRyQjUwDQYJKoZIhvcNAQELBQAw -@@ -300,7 +300,7 @@ ca_name=CAD1 - root_cert_files= - other_root_cert_files= - other_cert_files= --root_cert_dbs=$tmpdir/db1,$tmpdir/dba -+root_cert_dbs=dbm:$tmpdir/db1,dbm:$tmpdir/dba - other_root_cert_dbs= - other_cert_dbs= - EOF -@@ -311,7 +311,7 @@ root_cert_files= - other_root_cert_files= - other_cert_files= - root_cert_dbs= --other_root_cert_dbs=$tmpdir/db2,$tmpdir/dba -+other_root_cert_dbs=dbm:$tmpdir/db2,dbm:$tmpdir/dba - other_cert_dbs= - EOF - cat > $tmpdir/entrycad3 <<- EOF -@@ -322,7 +322,7 @@ other_root_cert_files= - other_cert_files= - root_cert_dbs= - other_root_cert_dbs= --other_cert_dbs=$tmpdir/db3,$tmpdir/dba -+other_cert_dbs=dbm:$tmpdir/db3,dbm:$tmpdir/dba - EOF - - cat > $tmpdir/cab1 <<- EOF -@@ -564,9 +564,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh - ca_root_cert_files= - ca_other_root_cert_files= - ca_other_cert_files= --ca_root_cert_dbs=$tmpdir/db1,$tmpdir/dba --ca_other_root_cert_dbs=$tmpdir/dba --ca_other_cert_dbs=$tmpdir/dba -+ca_root_cert_dbs=dbm:$tmpdir/db1,dbm:$tmpdir/dba 
-+ca_other_root_cert_dbs=dbm:$tmpdir/dba -+ca_other_cert_dbs=dbm:$tmpdir/dba - ca_root_certs=Root Certificate D1 - -----BEGIN CERTIFICATE----- - MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ -@@ -639,9 +639,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh - ca_root_cert_files= - ca_other_root_cert_files= - ca_other_cert_files= --ca_root_cert_dbs=$tmpdir/dba --ca_other_root_cert_dbs=$tmpdir/db2,$tmpdir/dba --ca_other_cert_dbs=$tmpdir/dba -+ca_root_cert_dbs=dbm:$tmpdir/dba -+ca_other_root_cert_dbs=dbm:$tmpdir/db2,dbm:$tmpdir/dba -+ca_other_cert_dbs=dbm:$tmpdir/dba - ca_root_certs=Root Certificate D2 - -----BEGIN CERTIFICATE----- - MIIEDzCCAvegAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJTSzET -@@ -722,9 +722,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh - ca_root_cert_files= - ca_other_root_cert_files= - ca_other_cert_files= --ca_root_cert_dbs=,$tmpdir/dba --ca_other_root_cert_dbs=,$tmpdir/dba, --ca_other_cert_dbs=$tmpdir/db3,$tmpdir/dba -+ca_root_cert_dbs=,dbm:$tmpdir/dba -+ca_other_root_cert_dbs=,dbm:$tmpdir/dba, -+ca_other_cert_dbs=dbm:$tmpdir/db3,dbm:$tmpdir/dba - ca_root_certs=Root Certificate D3 - -----BEGIN CERTIFICATE----- - MIICiTCCAg+gAwIBAgIQH0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTEL -@@ -796,9 +796,9 @@ ca_external_helper=$tmpdir/no-such-helper.sh - ca_root_cert_files=$tmpdir/bundle-all - ca_other_root_cert_files= - ca_other_cert_files= --ca_root_cert_dbs=$tmpdir/dba --ca_other_root_cert_dbs=,$tmpdir/dba --ca_other_cert_dbs=,$tmpdir/dba -+ca_root_cert_dbs=dbm:$tmpdir/dba -+ca_other_root_cert_dbs=,dbm:$tmpdir/dba -+ca_other_cert_dbs=,dbm:$tmpdir/dba - ca_root_certs=Root Certificate DA - -----BEGIN CERTIFICATE----- - MIICiDCCAg2gAwIBAgIQNfwmXNmET8k9Jj1Xm67XVjAKBggqhkjOPQQDAzCBhDEL -diff --git a/tests/034-perms/expected.out b/tests/034-perms/expected.out -index 4e2fbd71..c062d409 100644 ---- a/tests/034-perms/expected.out -+++ b/tests/034-perms/expected.out -@@ -41,54 +41,54 @@ $owner:$group|0755|ee.key.MARKER.key - 
$owner:$group|0662|ee.crt - $owner:$group|0620|ee.key - --[start] --[keygen] -+[dbm:start] -+[dbm:keygen] - $owner:$group|0600|cert8.db - $owner:$group|0620|key3.db --[reset] -+[dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db --[csrgen] -+[dbm:csrgen] - $owner:$group|0755|cert8.db - $owner:$group|0620|key3.db --[reset] -+[dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db --[submit] -+[dbm:submit] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db --[reset] -+[dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db --[save] -+[dbm:save] - $owner:$group|0662|cert8.db - $owner:$group|0620|key3.db --[rekey:start] --[rekey:keygen] -+[rekey:dbm:start] -+[rekey:dbm:keygen] - $owner:$group|0600|cert8.db - $owner:$group|0620|key3.db --[rekey:reset] -+[rekey:dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db --[rekey:keygen] -+[rekey:dbm:keygen] - $owner:$group|0755|cert8.db - $owner:$group|0620|key3.db --[rekey:reset] -+[rekey:dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db --[rekey:csrgen] -+[rekey:dbm:csrgen] - $owner:$group|0755|cert8.db - $owner:$group|0620|key3.db --[rekey:reset] -+[rekey:dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db --[rekey:submit] -+[rekey:dbm:submit] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db --[rekey:reset] -+[rekey:dbm:reset] - $owner:$group|0755|cert8.db - $owner:$group|0755|key3.db --[rekey:save] -+[rekey:dbm:save] - $owner:$group|0662|cert8.db - $owner:$group|0620|key3.db - OK -diff --git a/tests/034-perms/run.sh b/tests/034-perms/run.sh -index 7f349d3b..88eae19f 100755 ---- a/tests/034-perms/run.sh -+++ b/tests/034-perms/run.sh -@@ -1,6 +1,8 @@ - #!/bin/bash - cd "$tmpdir" - -+scheme="${scheme:-dbm:}" -+ - function list() { - $toolsdir/ls *.* | sed -e "s~^$owner:$group|~\$owner:\$group|~g" - } --- -2.15.1 - 
diff --git a/0004-Workaround-NSS-bug-in-associating-private-key-to-cer.patch b/0004-Workaround-NSS-bug-in-associating-private-key-to-cer.patch deleted file mode 100644 index a4df8db..0000000 --- a/0004-Workaround-NSS-bug-in-associating-private-key-to-cer.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 19d70d9817a5d22d05ff990f354ddadb77cc05a6 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 9 Jan 2018 22:18:58 -0500 -Subject: [PATCH 4/6] Workaround NSS bug in associating private key to - certificate - -If NSS uses SQL DB storage, CERT_ImportCerts creates incomplete -internal state (the cert isn't associated with the private key, -and calling PK11_FindKeyByAnyCert returns no result). - -As a workaround, we import the cert again using PK11_ImportCert -which magically fixes the issue. - -See rhbz#1532188 - -Related: https://pagure.io/certmonger/issue/88 ---- - src/certsave-n.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/src/certsave-n.c b/src/certsave-n.c -index a2c97000..8e15a18a 100644 ---- a/src/certsave-n.c -+++ b/src/certsave-n.c -@@ -474,6 +474,20 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, - PR_FALSE, - entry->cm_cert_nickname); - ec = PORT_GetError(); -+ if (error == SECSuccess) { -+ /* If NSS uses SQL DB storage, CERT_ImportCerts creates -+ * an incomplete internal state (the cert isn't -+ * associated with the private key, and calling -+ * PK11_FindKeyByAnyCert returns no result). -+ * As a workaround, we import the cert again using -+ * PK11_ImportCert, which magically fixes the issue. -+ * See rhbz#1532188 */ -+ error = PK11_ImportCert(PK11_GetInternalKeySlot(), -+ returned[0], -+ CK_INVALID_HANDLE, -+ returned[0]->nickname, -+ PR_FALSE); -+ } - if (error == SECSuccess) { - cm_log(1, "Imported certificate \"%s\", got " - "nickname \"%s\".\n", --- -2.15.1 - 
diff --git a/0005-Run-key-generation-tests-against-both-dbm-and-sqlite.patch b/0005-Run-key-generation-tests-against-both-dbm-and-sqlite.patch deleted file mode 100644 index 3ab6046..0000000 --- a/0005-Run-key-generation-tests-against-both-dbm-and-sqlite.patch +++ /dev/null 
@@ -1,314 +0,0 @@ -From 920572235f82eb3a88a3b8dd274f809baee31c67 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 9 Jan 2018 22:54:06 -0500 -Subject: [PATCH 5/6] Run key generation tests against both dbm and sqlite - databases - -Related: https://pagure.io/certmonger/issue/88 ---- - tests/002-keygen-dbm/expected.out | 99 +++++++++++++++++++++++++++++++++++++++ - tests/002-keygen-dbm/run.sh | 2 + - tests/002-keygen-sql/expected.out | 99 +++++++++++++++++++++++++++++++++++++++ - tests/002-keygen-sql/run.sh | 2 + - tests/002-keygen/expected.out | 4 +- - tests/002-keygen/run.sh | 12 +++-- - 6 files changed, 211 insertions(+), 7 deletions(-) - create mode 100644 tests/002-keygen-dbm/expected.out - create mode 100755 tests/002-keygen-dbm/run.sh - create mode 100644 tests/002-keygen-sql/expected.out - create mode 100755 tests/002-keygen-sql/run.sh - -diff --git a/tests/002-keygen-dbm/expected.out b/tests/002-keygen-dbm/expected.out -new file mode 100644 -index 00000000..dcd1af06 ---- /dev/null -+++ b/tests/002-keygen-dbm/expected.out -@@ -0,0 +1,99 @@ -+[nss:1024] -+OK. -+OK (RSA:1024). -+OK. -+OK (RSA:1024 after RSA:1024). -+OK. -+OK (RSA:1024 after RSA:1024). -+keyi1024 -+keyi1024 (candidate (next)) -+[nss:1536] -+OK. -+OK (RSA:1536). -+OK. -+OK (RSA:1536 after RSA:1536). -+OK. -+OK (RSA:1536 after RSA:1536). -+keyi1536 -+keyi1536 (candidate (next)) -+[nss:2048] -+OK. -+OK (RSA:2048). -+OK. -+OK (RSA:2048 after RSA:2048). -+OK. -+OK (RSA:2048 after RSA:2048). -+keyi2048 -+keyi2048 (candidate (next)) -+[nss:3072] -+OK. -+OK (RSA:3072). -+OK. -+OK (RSA:3072 after RSA:3072). -+OK. -+OK (RSA:3072 after RSA:3072). -+keyi3072 -+keyi3072 (candidate (next)) -+[nss:4096] -+OK. -+OK (RSA:4096). -+OK. -+OK (RSA:4096 after RSA:4096). -+OK. -+OK (RSA:4096 after RSA:4096). -+keyi4096 -+keyi4096 (candidate (next)) -+[nss:rosubdir] -+Failed to save NSS:dbm:${tmpdir}/rosubdir: need fs permissions. 
-+[nss:rwsubdir] -+Failed to save NSS:dbm:${tmpdir}/rwsubdir: need fs permissions. -+[openssl:1024] -+OK. -+OK (RSA:1024). -+OK. -+OK (RSA:1024 after RSA:1024). -+OK. -+OK (RSA:1024 after RSA:1024). -+${tmpdir}/sample.1024 -+${tmpdir}/sample.1024.(next).key -+[openssl:1536] -+OK. -+OK (RSA:1536). -+OK. -+OK (RSA:1536 after RSA:1536). -+OK. -+OK (RSA:1536 after RSA:1536). -+${tmpdir}/sample.1536 -+${tmpdir}/sample.1536.(next).key -+[openssl:2048] -+OK. -+OK (RSA:2048). -+OK. -+OK (RSA:2048 after RSA:2048). -+OK. -+OK (RSA:2048 after RSA:2048). -+${tmpdir}/sample.2048 -+${tmpdir}/sample.2048.(next).key -+[openssl:3072] -+OK. -+OK (RSA:3072). -+OK. -+OK (RSA:3072 after RSA:3072). -+OK. -+OK (RSA:3072 after RSA:3072). -+${tmpdir}/sample.3072 -+${tmpdir}/sample.3072.(next).key -+[openssl:4096] -+OK. -+OK (RSA:4096). -+OK. -+OK (RSA:4096 after RSA:4096). -+OK. -+OK (RSA:4096 after RSA:4096). -+${tmpdir}/sample.4096 -+${tmpdir}/sample.4096.(next).key -+[openssl:rosubdir] -+Failed to save FILE:${tmpdir}/rosubdir/sample.4096: need fs permissions. -+[openssl:rwsubdir] -+Failed to save FILE:${tmpdir}/rwsubdir/sample.4096: need fs permissions. -+Test complete. -diff --git a/tests/002-keygen-dbm/run.sh b/tests/002-keygen-dbm/run.sh -new file mode 100755 -index 00000000..36323947 ---- /dev/null -+++ b/tests/002-keygen-dbm/run.sh -@@ -0,0 +1,2 @@ -+#!/bin/bash -e -+exec env scheme=dbm: ../002-keygen/run.sh -diff --git a/tests/002-keygen-sql/expected.out b/tests/002-keygen-sql/expected.out -new file mode 100644 -index 00000000..178f1b3a ---- /dev/null -+++ b/tests/002-keygen-sql/expected.out -@@ -0,0 +1,99 @@ -+[nss:1024] -+OK. -+OK (RSA:1024). -+OK. -+OK (RSA:1024 after RSA:1024). -+OK. -+OK (RSA:1024 after RSA:1024). -+keyi1024 -+keyi1024 (candidate (next)) -+[nss:1536] -+OK. -+OK (RSA:1536). -+OK. -+OK (RSA:1536 after RSA:1536). -+OK. -+OK (RSA:1536 after RSA:1536). -+keyi1536 -+keyi1536 (candidate (next)) -+[nss:2048] -+OK. -+OK (RSA:2048). -+OK. 
-+OK (RSA:2048 after RSA:2048). -+OK. -+OK (RSA:2048 after RSA:2048). -+keyi2048 -+keyi2048 (candidate (next)) -+[nss:3072] -+OK. -+OK (RSA:3072). -+OK. -+OK (RSA:3072 after RSA:3072). -+OK. -+OK (RSA:3072 after RSA:3072). -+keyi3072 -+keyi3072 (candidate (next)) -+[nss:4096] -+OK. -+OK (RSA:4096). -+OK. -+OK (RSA:4096 after RSA:4096). -+OK. -+OK (RSA:4096 after RSA:4096). -+keyi4096 -+keyi4096 (candidate (next)) -+[nss:rosubdir] -+Failed to save NSS:sql:${tmpdir}/rosubdir: need fs permissions. -+[nss:rwsubdir] -+Failed to save NSS:sql:${tmpdir}/rwsubdir: need fs permissions. -+[openssl:1024] -+OK. -+OK (RSA:1024). -+OK. -+OK (RSA:1024 after RSA:1024). -+OK. -+OK (RSA:1024 after RSA:1024). -+${tmpdir}/sample.1024 -+${tmpdir}/sample.1024.(next).key -+[openssl:1536] -+OK. -+OK (RSA:1536). -+OK. -+OK (RSA:1536 after RSA:1536). -+OK. -+OK (RSA:1536 after RSA:1536). -+${tmpdir}/sample.1536 -+${tmpdir}/sample.1536.(next).key -+[openssl:2048] -+OK. -+OK (RSA:2048). -+OK. -+OK (RSA:2048 after RSA:2048). -+OK. -+OK (RSA:2048 after RSA:2048). -+${tmpdir}/sample.2048 -+${tmpdir}/sample.2048.(next).key -+[openssl:3072] -+OK. -+OK (RSA:3072). -+OK. -+OK (RSA:3072 after RSA:3072). -+OK. -+OK (RSA:3072 after RSA:3072). -+${tmpdir}/sample.3072 -+${tmpdir}/sample.3072.(next).key -+[openssl:4096] -+OK. -+OK (RSA:4096). -+OK. -+OK (RSA:4096 after RSA:4096). -+OK. -+OK (RSA:4096 after RSA:4096). -+${tmpdir}/sample.4096 -+${tmpdir}/sample.4096.(next).key -+[openssl:rosubdir] -+Failed to save FILE:${tmpdir}/rosubdir/sample.4096: need fs permissions. -+[openssl:rwsubdir] -+Failed to save FILE:${tmpdir}/rwsubdir/sample.4096: need fs permissions. -+Test complete. 
-diff --git a/tests/002-keygen-sql/run.sh b/tests/002-keygen-sql/run.sh -new file mode 100755 -index 00000000..cd5bc978 ---- /dev/null -+++ b/tests/002-keygen-sql/run.sh -@@ -0,0 +1,2 @@ -+#!/bin/bash -e -+exec env scheme=sql: ../002-keygen/run.sh -diff --git a/tests/002-keygen/expected.out b/tests/002-keygen/expected.out -index ff56372a..dcd1af06 100644 ---- a/tests/002-keygen/expected.out -+++ b/tests/002-keygen/expected.out -@@ -44,9 +44,9 @@ OK (RSA:4096 after RSA:4096). - keyi4096 - keyi4096 (candidate (next)) - [nss:rosubdir] --Failed to save NSS:${tmpdir}/rosubdir: need fs permissions. -+Failed to save NSS:dbm:${tmpdir}/rosubdir: need fs permissions. - [nss:rwsubdir] --Failed to save NSS:${tmpdir}/rwsubdir: need fs permissions. -+Failed to save NSS:dbm:${tmpdir}/rwsubdir: need fs permissions. - [openssl:1024] - OK. - OK (RSA:1024). -diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh -index f550feeb..08af1523 100755 ---- a/tests/002-keygen/run.sh -+++ b/tests/002-keygen/run.sh -@@ -2,15 +2,17 @@ - - cd "$tmpdir" - -+scheme="${scheme:-dbm:}" -+ - source "$srcdir"/functions --initnssdb "$tmpdir" -+initnssdb "$scheme$tmpdir" - - for size in 1024 1536 2048 3072 4096 ; do - echo "[nss:$size]" - # Generate a key. - cat > entry.$size <<- EOF - key_storage_type=NSSDB -- key_storage_location=$tmpdir -+ key_storage_location=$scheme$tmpdir - key_nickname=keyi$size - key_gen_size=$size - EOF -@@ -28,13 +30,13 @@ for size in 1024 1536 2048 3072 4096 ; do - # Extract the marker. - marker=`grep ^key_next_marker= entry.$size | cut -f2- -d=` - # Make sure we're clean. 
-- run_certutil -K -d "$tmpdir" | grep keyi$size | sed -e 's,.*keyi,keyi,' -e s,"${marker:-////////}","(next)",g | env LANG=C sort -+ run_certutil -K -d "$scheme$tmpdir" | grep keyi$size | sed -e 's,.*keyi,keyi,' -e s,"${marker:-////////}","(next)",g | env LANG=C sort - done - - echo "[nss:rosubdir]" - cat > entry.$size <<- EOF - key_storage_type=NSSDB --key_storage_location=$tmpdir/rosubdir -+key_storage_location=$scheme$tmpdir/rosubdir - key_nickname=keyi$size - key_gen_size=$size - EOF -@@ -43,7 +45,7 @@ $toolsdir/keygen entry.$size || true - echo "[nss:rwsubdir]" - cat > entry.$size <<- EOF - key_storage_type=NSSDB --key_storage_location=$tmpdir/rwsubdir -+key_storage_location=$scheme$tmpdir/rwsubdir - key_nickname=keyi$size - key_gen_size=$size - EOF --- -2.15.1 - diff --git a/certmonger.spec b/certmonger.spec index 34dc2f1..d0c1c5c 100644 --- a/certmonger.spec +++ b/certmonger.spec @@ -25,8 +25,8 @@ %endif Name: certmonger -Version: 0.79.5 -Release: 7%{?dist} +Version: 0.79.6 +Release: 1%{?dist} Summary: Certificate status monitor and PKI enrollment client Group: System Environment/Daemons @@ -36,8 +36,12 @@ Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz #Source1: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz.sig +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: gettext-devel BuildRequires: gcc BuildRequires: openldap-devel +BuildRequires: libidn2-devel BuildRequires: dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn-devel %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6 BuildRequires: libuuid-devel 
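Review bot: The `#Source1: ...tar.gz.sig` line in the `@@ -36,8 +36,12 @@` hunk stays commented out and `Source0` is a plain `http://` URL, so the 0.79.6 tarball this commit switches to is checked only against the SHA512 the packager recorded in `sources`, never against an upstream signature. If upstream publishes a detached signature for this release (the page does not show one), re-enable `Source1`, ship the upstream keyring as a further source, and verify in `%prep` before `%setup`, for example `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` with `BuildRequires: gnupg2` (`SOURCE2` is a placeholder for the keyring entry). Separately, `BuildRequires: libidn2-devel` is added while `libidn-devel` stays on the following line; if 0.79.6 needs only one of them, drop the other so the build does not pull in a library it does not use.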
@@ -107,11 +111,6 @@ Requires(preun): /sbin/chkconfig, /sbin/service, dbus, sed Conflicts: libtevent < 0.9.13 %endif -Patch1: 0001-Perm-issues-in-sqlite-databases-show-up-in-slightly-.patch -Patch2: 0002-SQLite-databases-require-a-password-to-modify-trust-.patch -Patch3: 0003-NSS-in-rawhide-F28-was-switched-to-sqlite-fix-assump.patch -Patch4: 0004-Workaround-NSS-bug-in-associating-private-key-to-cer.patch -Patch5: 0005-Run-key-generation-tests-against-both-dbm-and-sqlite.patch Patch6: 0006-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch %description @@ -120,11 +119,6 @@ system enrolled with a certificate authority (CA) and keeping it enrolled. %prep %setup -q -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 %patch6 -p1 %if 0%{?rhel} > 0 @@ -134,6 +128,7 @@ sed -i 's,^# chkconfig: - ,# chkconfig: 345 ,g' sysvinit/certmonger.in %endif %build +autoreconf -i -f %configure \ %if %{systemd} --enable-systemd \ @@ -253,6 +248,9 @@ exit 0 %endif %changelog +* Tue May 8 2018 Rob Crittenden - 0.79.6-1 +- Update to upstream 0.79.6 + * Wed Mar 14 2018 Iryna Shcherbina - 0.79.5-7 - Update Python 2 dependency declarations to new packaging standards (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) diff --git a/sources b/sources index c1c5fde..8dd2d19 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (certmonger-0.79.5.tar.gz) = b447bbbe6cbe1e3561c4a4083789baa4503516273273a7ac6a17b1287a3b36f8fa2b0c56e075a7eb98e582cdff5939c1c6436f2d011ed0f61b555da0d7b4a7ba +SHA512 (certmonger-0.79.6.tar.gz) = 55721a114d874d484bbde01a31f72b8d2a6d3ce0a676c73a217019c5da96aa28d4c0a32abb962abe996bf55b47050b7e0558fffbef6dd4d13ab922e0de5d8224
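Review bot: `Patch1`–`Patch5` are removed in the `@@ -107,11 +111,6 @@` hunk, and their `%patch` lines in the `%prep` hunk after it, without any record that 0.79.6 carries the same changes; the changelog entry only says "Update to upstream 0.79.6". Two of the dropped patches change runtime behaviour rather than tests: the mapping of `SEC_ERROR_READ_ONLY` and `ENOENT` to `PR_NO_ACCESS_RIGHTS_ERROR` in `src/certsave-n.c` and `src/keygen-n.c`, and the `PK11_ImportCert` re-import after `CERT_ImportCerts`. Going by the removed patch descriptions, losing the second would leave certificates on SQLite NSS databases without their private-key association. Confirm against the 0.79.6 tarball that both are present and say so in the changelog, e.g. `- Drop patches 1-5, merged upstream`.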
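Review bot: `autoreconf -i -f` at the top of `%build` (hunk `@@ -134,6 +128,7 @@`) has no comment saying why it is needed. It discards the `configure` script shipped in the release tarball and regenerates it with whatever autotools are in the buildroot. The built package therefore no longer uses the build system upstream released, and the result depends on the buildroot's autoconf, automake and gettext versions. Add a comment above it giving the reason, e.g. `# Regenerate configure: <reason or upstream issue link>` (placeholder), so the step and the three new `BuildRequires` can be dropped once they are no longer needed.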