rpms/certmonger
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import certmonger-0.79.13-4.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-10-15 16:23:56 +00:00 committed by Stepan Oksanichenko
parent e6eb41270c
commit f5cb296ff6
6 changed files with 645 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
SOURCES/0003-Fix-local-CA-to-work-under-FIPS.patch Normal file
View File

@ -0,0 +1,38 @@
From 62a6634867db5d9f79b613055b8788136d4cb41d Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Wed, 14 Apr 2021 15:34:48 -0400
Subject: [PATCH] Fix local CA to work under FIPS
The PKCS12 file used for the local CA fails to be created because
it uses default OpenSSL encryption algorithms that are disallowed
under FIPS. This patch simply updates the PKCS12_create() command
to use allowed encryption algorithms.
---
src/local.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/local.c b/src/local.c
index 92bea144..2f50ac77 100644
--- a/src/local.c
+++ b/src/local.c
@@ -39,6 +39,7 @@
#include <openssl/asn1.h>
#include <openssl/err.h>
+#include <openssl/obj_mac.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
#include <openssl/rand.h>
@@ -372,7 +373,8 @@ get_signer_info(void *parent, char *localdir, X509 ***roots,
return CM_SUBMIT_STATUS_UNREACHABLE;
}
p12 = PKCS12_create(NULL, CONSTANTCN, *signer_key, *signer_cert,
- cas, 0, 0, 0, 0, 0);
+ cas, NID_aes_128_cbc, NID_aes_128_cbc,
+ 0, 0, 0);
if (p12 != NULL) {
if (!i2d_PKCS12_fp(fp, p12)) {
fclose(fp);
--
2.26.3

123
SOURCES/0004-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch Normal file
View File

@ -0,0 +1,123 @@
From b38981c6e140ada6dd34bc817c508e8dd9714494 Mon Sep 17 00:00:00 2001
From: Your Name <you@example.com>
Date: Fri, 9 Jul 2021 20:49:28 +0000
Subject: [PATCH] Add SCEP config option to treat the challenge password as an
OTP
SCEP RFC 8894 specifies that a challenge password SHOULD be
removed from subsequent requests but that it MAY be included.
This adds a new configuration option to treat the challenge password
as a one-time password (OTP) so that it will not be sent on
subsequent requests, like renewals, by removing it completely
from the tracking request.
This allows certmonger to be able to renew AD-issued SCEP certificates
if the AD registry entry DisableRenewalSubjectNameMatch is set to 1.
https://bugzilla.redhat.com/show_bug.cgi?id=1577570
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/certmonger.conf.5.in | 9 +++++++++
src/certsave.c | 13 +++++++++++++
src/prefs.c | 15 +++++++++++++++
src/prefs.h | 4 ++++
4 files changed, 41 insertions(+)
diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in
index 6a42d3cb..1b941b9d 100644
--- a/src/certmonger.conf.5.in
+++ b/src/certmonger.conf.5.in
@@ -126,6 +126,15 @@ If not set, the value of the \fIvalidity_period\fR setting from the
\fIselfsign\fR section, if one is set there, will be used. The default value
is \fI@CM_DEFAULT_CERT_LIFETIME@\fR.
+.SH SCEP
+Within the \fIscep\fR section, these variables and values are recognized:
+
+.IP challenge_password_otp
+This controls whether the SCEP challenge password is treated as a one-time
+password. If set to yes then the challenge password and/or challenge password
+file will be removed from the tracking request after the first certificate
+issuance so will not be sent with renewal requests. The default is no.
+
.SH BUGS
Please file tickets for any that you find at https://fedorahosted.org/certmonger/
diff --git a/src/certsave.c b/src/certsave.c
index 6eaafe59..f8503662 100644
--- a/src/certsave.c
+++ b/src/certsave.c
@@ -18,12 +18,25 @@
#include "config.h"
#include "certsave.h"
#include "certsave-int.h"
+#include "prefs.h"
#include "store-int.h"
+#include "talloc.h"
/* Start writing the certificate from the entry to the configured location. */
struct cm_certsave_state *
cm_certsave_start(struct cm_store_entry *entry)
{
+ /* If saving a SCEP certificate wipe out the challenge password */
+ if ((cm_prefs_scep_password_otp()) &&
+ (entry->cm_template_challenge_password != NULL) &&
+ (entry->cm_scep_nonce != NULL))
+ {
+ talloc_free(entry->cm_template_challenge_password);
+ entry->cm_template_challenge_password = NULL;
+ talloc_free(entry->cm_template_challenge_password_file);
+ entry->cm_template_challenge_password_file = NULL;
+ }
+
switch (entry->cm_cert_storage_type) {
#ifdef HAVE_OPENSSL
case cm_cert_storage_file:
diff --git a/src/prefs.c b/src/prefs.c
index 669e8f1f..52ffc908 100644
--- a/src/prefs.c
+++ b/src/prefs.c
@@ -595,3 +595,18 @@ prefs_max_key_use_count(void)
}
return count;
}
+
+int
+cm_prefs_scep_password_otp(void)
+{
+ static int populate = -1;
+ if (populate == -1) {
+ const char *val;
+ val = cm_prefs_config("scep", "challenge_password_otp");
+ if (val == NULL) {
+ val = "no";
+ }
+ populate = cm_prefs_yesno(val);
+ }
+ return populate != -1 ? populate : 0;
+}
diff --git a/src/prefs.h b/src/prefs.h
index 248e1016..a107fb6c 100644
--- a/src/prefs.h
+++ b/src/prefs.h
@@ -18,6 +18,8 @@
#ifndef cmprefs_h
#define cmprefs_h
+#include <time.h>
+
enum cm_prefs_cipher {
cm_prefs_aes128,
cm_prefs_aes192,
@@ -73,4 +75,6 @@ const char *cm_prefs_dogtag_sslpinfile(void);
long long prefs_key_end_of_life(time_t ref);
long prefs_max_key_use_count(void);
+int cm_prefs_scep_password_otp(void);
+
#endif
--
2.31.1

42
SOURCES/0005-Add-NULL-checks-before-string-compares-when-analyzin.patch Normal file
View File

@ -0,0 +1,42 @@
From 0eec70b9dbd0a50a24fe173a68fd9ab72857e08d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 17 Feb 2021 13:40:52 -0500
Subject: [PATCH] Add NULL checks before string compares when analyzing a cert
A user reported a segfault which was due to a broken request.
How it got broken I have no idea but it was effectively empty.
It had everything as defaults: 0, -1, UNSPECIFIED or not
present at all.
So when trying to analyze the request it did a NULL compare.
https://pagure.io/certmonger/issue/191
---
src/tdbush.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/tdbush.c b/src/tdbush.c
index a10a1aff..fb81c477 100644
--- a/src/tdbush.c
+++ b/src/tdbush.c
@@ -678,14 +678,14 @@ base_add_request(DBusConnection *conn, DBusMessage *msg,
if (cert_storage != e->cm_cert_storage_type) {
continue;
}
- if (strcmp(cert_location, e->cm_cert_storage_location) != 0) {
+ if ((e->cm_cert_storage_location == NULL) || strcmp(cert_location, e->cm_cert_storage_location) != 0) {
continue;
}
switch (cert_storage) {
case cm_cert_storage_file:
break;
case cm_cert_storage_nssdb:
- if (strcmp(cert_nickname, e->cm_cert_nickname) != 0) {
+ if ((e->cm_cert_nickname == NULL) || strcmp(cert_nickname, e->cm_cert_nickname) != 0) {
continue;
}
break;
--
2.31.1

386
SOURCES/0006-Display-not_before-in-getcert-output.patch Normal file
View File

@ -0,0 +1,386 @@
From 84d575da7516cae1ee94099317cf0f8fae2c7ea1 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 8 Apr 2021 14:07:22 -0400
Subject: [PATCH] Display not_before in getcert output
Including not_before can help with troubleshooting
renewal problems and if time needs to be reversed
helping identify the maximum one can go back.
https://bugzilla.redhat.com/show_bug.cgi?id=1940261
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/getcert.c | 21 ++++-
src/tdbush.c | 10 ++-
src/tdbusm-check.c | 32 ++++++++
src/tdbusm.c | 150 ++++++++++++++++++++++++++++++++++++
src/tdbusm.h | 9 +++
tests/028-dbus/expected.out | 4 +-
tests/028-dbus/run.sh | 1 +
7 files changed, 220 insertions(+), 7 deletions(-)
diff --git a/src/getcert.c b/src/getcert.c
index 078f5aa1..4afafcb1 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -3389,7 +3389,7 @@ list(const char *argv0, int argc, const char **argv)
const char *capath, *request;
dbus_bool_t b;
char *s1, *s2, *s3, *s4, *s5, *s6;
- long n1, n2;
+ long n1, n2, n3;
char **as, **as1, **as2, **as3, **as4, **as5, t[25];
int requests_only = 0, tracking_only = 0, verbose = 0, c, i, j;
unsigned int k;
@@ -3754,10 +3754,10 @@ list(const char *argv0, int argc, const char **argv)
/* Information from the certificate. */
rep = query_rep(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
"get_cert_info", verbose);
- if (cm_tdbusm_get_sssnasasasnas(rep, globals.tctx,
+ if (cm_tdbusm_get_sssnasasasnasn(rep, globals.tctx,
&s1, &s2, &s3, &n1,
&as1, &as2, &as3,
- &n2, &as4) != 0) {
+ &n2, &as4, &n3) != 0) {
printf(_("Error parsing server response.\n"));
exit(1);
}
@@ -3768,6 +3768,21 @@ list(const char *argv0, int argc, const char **argv)
printf(_("\tissuer: %s\n"), s1);
printf(_("\tsubject: %s\n"), s3);
when = _("unknown");
+ if (n3 != 0) {
+ if (force_utc) {
+ when = cm_store_timestamp_from_time_for_display(n3, t);
+ printf(_("\tissued: %s\n"), when);
+ } else {
+ when = cm_store_local_timestamp_from_time_for_display(n3);
+ if (when != NULL) {
+ printf(_("\tissued: %s\n"), when);
+ free(when);
+ }
+ }
+ } else {
+ printf(_("\tissued: %s\n"), when);
+ }
+ when = _("unknown");
if (n1 != 0) {
if (force_utc) {
when = cm_store_timestamp_from_time_for_display(n1, t);
diff --git a/src/tdbush.c b/src/tdbush.c
index 3587f84f..6fc1b4be 100644
--- a/src/tdbush.c
+++ b/src/tdbush.c
@@ -2701,7 +2701,7 @@ request_get_cert_info(DBusConnection *conn, DBusMessage *msg,
rep = dbus_message_new_method_return(msg);
if (rep != NULL) {
eku = eku_splitv(entry, entry->cm_cert_eku);
- cm_tdbusm_set_sssnasasasnas(rep,
+ cm_tdbusm_set_sssnasasasnasn(rep,
entry->cm_cert_issuer,
entry->cm_cert_serial,
entry->cm_cert_subject,
@@ -2710,7 +2710,8 @@ request_get_cert_info(DBusConnection *conn, DBusMessage *msg,
(const char **) entry->cm_cert_hostname,
(const char **) entry->cm_cert_principal,
ku_from_string(entry->cm_cert_ku),
- (const char **) eku);
+ (const char **) eku,
+ entry->cm_cert_not_before);
dbus_connection_send(conn, rep, NULL);
dbus_message_unref(rep);
talloc_free(eku);
@@ -6563,7 +6564,10 @@ cm_tdbush_iface_request(void)
DBUS_TYPE_ARRAY_AS_STRING
DBUS_TYPE_STRING_AS_STRING,
cm_tdbush_method_arg_out,
- NULL))))))))),
+ make_method_arg("not_before",
+ DBUS_TYPE_INT64_AS_STRING,
+ cm_tdbush_method_arg_out,
+ NULL)))))))))),
NULL),
make_interface_item(cm_tdbush_interface_property,
make_property(CM_DBUS_PROP_CERT_ISSUER,
diff --git a/src/tdbusm-check.c b/src/tdbusm-check.c
index 385b1849..31880732 100644
--- a/src/tdbusm-check.c
+++ b/src/tdbusm-check.c
@@ -539,6 +539,38 @@ get_sssnasasasnas(DBusMessage *rep, int msgid)
return ret;
}
static int
+get_sssnasasasnasn(DBusMessage *rep, int msgid)
+{
+ int ret, i;
+ long n1, n2, n3;
+ char *s1, *s2, *s3, **as1, **as2, **as3, **as4;
+
+ ret = cm_tdbusm_get_sssnasasasnasn(rep, NULL,
+ &s1, &s2, &s3, &n1,
+ &as1, &as2, &as3, &n2, &as4, &n3);
+ if (ret == 0) {
+ printf("Message %d - s:%s,s:%s,s:%s," "n:%ld,[",
+ msgid, s1, s2, s3, n1);
+ for (i = 0; (as1 != NULL) && (as1[i] != NULL); i++) {
+ printf("%ss:%s", i > 0 ? "," : "", as1[i]);
+ }
+ printf("],[");
+ for (i = 0; (as2 != NULL) && (as2[i] != NULL); i++) {
+ printf("%ss:%s", i > 0 ? "," : "", as2[i]);
+ }
+ printf("],[");
+ for (i = 0; (as3 != NULL) && (as3[i] != NULL); i++) {
+ printf("%ss:%s", i > 0 ? "," : "", as3[i]);
+ }
+ printf("],n:%ld,n:%ld,[", n2, n3);
+ for (i = 0; (as4 != NULL) && (as4[i] != NULL); i++) {
+ printf("%ss:%s", i > 0 ? "," : "", as4[i]);
+ }
+ printf("]\n");
+ }
+ return ret;
+}
+static int
get_sasasasnas(DBusMessage *rep, int msgid)
{
int ret, i;
diff --git a/src/tdbusm.c b/src/tdbusm.c
index bc39e1d4..24e03e4c 100644
--- a/src/tdbusm.c
+++ b/src/tdbusm.c
@@ -935,6 +935,105 @@ cm_tdbusm_get_sssnasasasnas(DBusMessage *msg, void *parent,
return 0;
}
+int
+cm_tdbusm_get_sssnasasasnasn(DBusMessage *msg, void *parent,
+ char **s1, char **s2, char **s3, long *n1,
+ char ***as1, char ***as2, char ***as3,
+ long *n2, char ***as4, long *n3)
+{
+ DBusError err;
+ char **tmp1, **tmp2, **tmp3, **tmp4;
+ int64_t i641, i642, i643;
+ int32_t i321, i322, i323;
+ int16_t i161, i162, i163;
+ int i, j, k, l;
+ *s1 = NULL;
+ *s2 = NULL;
+ *s3 = NULL;
+ *as1 = NULL;
+ *as2 = NULL;
+ *as3 = NULL;
+ *as4 = NULL;
+ dbus_error_init(&err);
+ if (!dbus_message_get_args(msg, &err,
+ DBUS_TYPE_STRING, s1,
+ DBUS_TYPE_STRING, s2,
+ DBUS_TYPE_STRING, s3,
+ DBUS_TYPE_INT64, &i641,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp1, &i,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp2, &j,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp3, &k,
+ DBUS_TYPE_INT64, &i642,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &tmp4, &l,
+ DBUS_TYPE_INT64, &i643,
+ DBUS_TYPE_INVALID)) {
+ if (dbus_error_is_set(&err)) {
+ dbus_error_free(&err);
+ dbus_error_init(&err);
+ }
+ if (!dbus_message_get_args(msg, &err,
+ DBUS_TYPE_STRING, s1,
+ DBUS_TYPE_STRING, s2,
+ DBUS_TYPE_STRING, s3,
+ DBUS_TYPE_INT32, &i321,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &tmp1, &i,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &tmp2, &j,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &tmp3, &k,
+ DBUS_TYPE_INT32, &i322,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &tmp4, &l,
+ DBUS_TYPE_INT32, &i323,
+ DBUS_TYPE_INVALID)) {
+ if (dbus_error_is_set(&err)) {
+ dbus_error_free(&err);
+ dbus_error_init(&err);
+ }
+ if (!dbus_message_get_args(msg, &err,
+ DBUS_TYPE_STRING, s1,
+ DBUS_TYPE_STRING, s2,
+ DBUS_TYPE_STRING, s3,
+ DBUS_TYPE_INT16, &i161,
+ DBUS_TYPE_ARRAY,
+ DBUS_TYPE_STRING, &tmp1, &i,
+ DBUS_TYPE_ARRAY,
+ DBUS_TYPE_STRING, &tmp2, &j,
+ DBUS_TYPE_ARRAY,
+ DBUS_TYPE_STRING, &tmp3, &k,
+ DBUS_TYPE_INT16, &i162,
+ DBUS_TYPE_ARRAY,
+ DBUS_TYPE_STRING, &tmp4, &l,
+ DBUS_TYPE_INT16, &i163,
+ DBUS_TYPE_INVALID)) {
+ if (dbus_error_is_set(&err)) {
+ dbus_error_free(&err);
+ dbus_error_init(&err);
+ }
+ return -1;
+ }
+ i321 = i161;
+ i322 = i162;
+ i323 = i163;
+ }
+ i641 = i321;
+ i642 = i322;
+ i643 = i323;
+ }
+ *s1 = *s1 ? talloc_strdup(parent, *s1) : NULL;
+ *s2 = *s2 ? talloc_strdup(parent, *s2) : NULL;
+ *s3 = *s3 ? talloc_strdup(parent, *s3) : NULL;
+ *n1 = i641;
+ *n2 = i642;
+ *n3 = i643;
+ *as1 = cm_tdbusm_take_dbus_string_array(parent, tmp1, i);
+ *as2 = cm_tdbusm_take_dbus_string_array(parent, tmp2, j);
+ *as3 = cm_tdbusm_take_dbus_string_array(parent, tmp3, k);
+ *as4 = cm_tdbusm_take_dbus_string_array(parent, tmp4, l);
+ return 0;
+}
+
int
cm_tdbusm_get_sasasasnas(DBusMessage *msg, void *parent, char **s,
char ***as1, char ***as2, char ***as3,
@@ -1856,6 +1955,57 @@ cm_tdbusm_set_sssnasasasnas(DBusMessage *msg,
}
}
+int
+cm_tdbusm_set_sssnasasasnasn(DBusMessage *msg,
+ const char *s1, const char *s2, const char *s3,
+ long n1, const char **as1, const char **as2,
+ const char **as3, long n2, const char **as4,
+ long n3)
+{
+ int64_t i1 = n1, i2 = n2, i3 = n3;
+ if (s1 == NULL) {
+ s1 = empty_string;
+ }
+ if (s2 == NULL) {
+ s2 = empty_string;
+ }
+ if (s3 == NULL) {
+ s3 = empty_string;
+ }
+ if (as1 == NULL) {
+ as1 = empty_string_array;
+ }
+ if (as2 == NULL) {
+ as2 = empty_string_array;
+ }
+ if (as3 == NULL) {
+ as3 = empty_string_array;
+ }
+ if (as4 == NULL) {
+ as4 = empty_string_array;
+ }
+ if (dbus_message_append_args(msg,
+ DBUS_TYPE_STRING, &s1,
+ DBUS_TYPE_STRING, &s2,
+ DBUS_TYPE_STRING, &s3,
+ DBUS_TYPE_INT64, &i1,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &as1, cm_tdbusm_array_length(as1),
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &as2, cm_tdbusm_array_length(as2),
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &as3, cm_tdbusm_array_length(as3),
+ DBUS_TYPE_INT64, &i2,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &as4, cm_tdbusm_array_length(as4),
+ DBUS_TYPE_INT64, &i3,
+ DBUS_TYPE_INVALID)) {
+ return 0;
+ } else {
+ return -1;
+ }
+}
+
int
cm_tdbusm_set_sasasasnas(DBusMessage *msg, const char *s,
const char **as1, const char **as2,
diff --git a/src/tdbusm.h b/src/tdbusm.h
index fe021eff..250a9b0a 100644
--- a/src/tdbusm.h
+++ b/src/tdbusm.h
@@ -55,6 +55,10 @@ int cm_tdbusm_get_sssnasasasnas(DBusMessage *msg, void *parent,
char **s1, char **s2, char **s3, long *n1,
char ***as1, char ***as2,
char ***as3, long *n2, char ***as4);
+int cm_tdbusm_get_sssnasasasnasn(DBusMessage *msg, void *parent,
+ char **s1, char **s2, char **s3, long *n1,
+ char ***as1, char ***as2,
+ char ***as3, long *n2, char ***as4, long *n3);
int cm_tdbusm_get_sasasasnas(DBusMessage *msg, void *parent,
char **s,
char ***as1, char ***as2,
@@ -124,6 +128,11 @@ int cm_tdbusm_set_sssnasasasnas(DBusMessage *msg,
const char *s3, long n1,
const char **as1, const char **as2,
const char **as3, long n2, const char **as4);
+int cm_tdbusm_set_sssnasasasnasn(DBusMessage *msg,
+ const char *s1, const char *s2,
+ const char *s3, long n1,
+ const char **as1, const char **as2,
+ const char **as3, long n2, const char **as4, long n3);
int cm_tdbusm_set_sasasasnas(DBusMessage *msg,
const char *s,
const char **as1, const char **as2,
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
index ca7de34f..4cecbe15 100644
--- a/tests/028-dbus/expected.out
+++ b/tests/028-dbus/expected.out
@@ -11,6 +11,7 @@ Request ID 'Buddy':
CA: local
issuer: CN=$UUID,CN=Local Signing Authority
subject: CN=localhost
+ issued: sometime
expires: sometime
dns: localhost
principal name: host/localhost@LOCALHOST
@@ -269,6 +270,7 @@ OK
<arg name="principal_names" type="as" direction="out"/>
<arg name="key_usage" type="x" direction="out"/>
<arg name="extended_key_usage" type="as" direction="out"/>
+ <arg name="not_before" type="x" direction="out"/>
</method>
<property name="issuer" type="s" access="read"/>
<property name="serial" type="s" access="read"/>
@@ -430,7 +432,7 @@ Buddy
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ]
-(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
+(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')), dbus.Int64(recently))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ]
recently
diff --git a/tests/028-dbus/run.sh b/tests/028-dbus/run.sh
index d0be6ad8..a457834f 100755
--- a/tests/028-dbus/run.sh
+++ b/tests/028-dbus/run.sh
@@ -42,5 +42,6 @@ sed -r -e 's,CN=........-........-........-........,CN=$UUID,g' \
-e '/^-----BEGIN/,/^-----END/d' \
-e "s|$libexecdir|\$libexecdir|g" \
-e "s|$tmpdir|\$tmpdir|g" \
+ -e "s|issued:.*|issued: sometime|g" \
-e "s|expires:.*|expires: sometime|g" \
-e "s|'(00)?[0-9a-fA-F]{32}|'"'$UUID|g' \
--
2.31.1

40
SOURCES/0007-Fix-file-descriptor-leak-when-executing-CA-helpers.patch Normal file
View File

@ -0,0 +1,40 @@
From f9c774f737a060b355533c215d7443b9865992a0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 12 Aug 2021 16:26:09 -0400
Subject: [PATCH] Fix file descriptor leak when executing CA helpers
cm_cadata_start_generic() creates a pipe. One half is passed
to fetch(), the function that does all helper calls,
via the cm_cadata_state variable ret. The other half is the
reader and is used to detect execution errors. There is a pair
of write/read on this descriptor which on error would be the
errno.
This second half wasn't being closed after reading to test for
errors.
https://bugzilla.redhat.com/show_bug.cgi?id=1992439
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/cadata.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/cadata.c b/src/cadata.c
index 3e916c9..d851b9e 100644
--- a/src/cadata.c
+++ b/src/cadata.c
@@ -772,8 +772,10 @@ cm_cadata_start_generic(struct cm_store_ca *ca, const char *op,
cm_log(1, "Error running enrollment helper \"%s\": %s.\n",
ca->cm_ca_external_helper, strerror(u));
talloc_free(ret);
+ close(error_fd[0]);
return NULL;
}
+ close(error_fd[0]);
return ret;
}
--
2.31.1

17
SPECS/certmonger.spec
View File

@ -11,7 +11,7 @@
Name: certmonger Name: certmonger
Version: 0.79.13 Version: 0.79.13
Release: 2%{?dist} Release: 4%{?dist}
Summary: Certificate status monitor and PKI enrollment client Summary: Certificate status monitor and PKI enrollment client
Group: System Environment/Daemons Group: System Environment/Daemons
@ -21,6 +21,11 @@ Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
Patch0001: 0001-Don-t-run-the-002-keygen-tests-when-root.patch Patch0001: 0001-Don-t-run-the-002-keygen-tests-when-root.patch
Patch0002: 0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch Patch0002: 0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch
Patch0003: 0003-Fix-local-CA-to-work-under-FIPS.patch
Patch0004: 0004-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch
Patch0005: 0005-Add-NULL-checks-before-string-compares-when-analyzin.patch
Patch0006: 0006-Display-not_before-in-getcert-output.patch
Patch0007: 0007-Fix-file-descriptor-leak-when-executing-CA-helpers.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
@ -235,6 +240,16 @@ exit 0
%endif %endif
%changelog %changelog
* Wed Oct 06 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-4
- Certmonger SCEP renewal should not use old challenges (#1577570)
- Certmonger segfault after cert renewal request (#1881500)
- Include certificate NotBefore date in output of the 'getcert list' command
(#1940261)
- Certmonger certificates stuck in NEED_GUIDANCE (#2001079)
* Wed Apr 28 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-3
- Fix local CA to work under FIPS (#1950132)
* Tue Nov 10 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-2 * Tue Nov 10 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-2
- Rebuild with xmlrpc-c support enabled (#1687698) - Rebuild with xmlrpc-c support enabled (#1687698)