import certmonger-0.79.13-2.el8
parent
53709b48a8
commit
fc606b882e
@ -1 +1 @@
|
||||
f73818aec2b6e1d9765af188547e2c82e644209c SOURCES/certmonger-0.79.7.tar.gz
|
||||
eecb2ceb6f293cf30ffed148fb3ad5021febe301 SOURCES/certmonger-0.79.13.tar.gz
|
||||
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/certmonger-0.79.7.tar.gz
|
||||
SOURCES/certmonger-0.79.13.tar.gz
|
||||
|
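--- /dev/null
+++ b/SOURCES/0001-Don-t-run-the-002-keygen-tests-when-root.patch
@@ -0,0 +1,38 @@
+From a176d474644e0f1f2ce520ed69b04dc649ed2bed Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 29 Oct 2020 10:13:08 -0400
+Subject: [PATCH] Don't run the 002-keygen-* tests when root
+
+The permissions tests will fail.
+---
+tests/002-keygen-dbm/prequal.sh | 5 +++++
+tests/002-keygen-sql/prequal.sh | 5 +++++
+2 files changed, 10 insertions(+)
+create mode 100755 tests/002-keygen-dbm/prequal.sh
+create mode 100755 tests/002-keygen-sql/prequal.sh
+
+diff --git a/tests/002-keygen-dbm/prequal.sh b/tests/002-keygen-dbm/prequal.sh
+new file mode 100755
+index 00000000..d146a650
+--- /dev/null
++++ b/tests/002-keygen-dbm/prequal.sh
+@@ -0,0 +1,5 @@
++#!/bin/sh
++if test `id -u` -eq 0 ; then
++ echo "This test won't work right if run as root."
++ exit 1
++fi
+diff --git a/tests/002-keygen-sql/prequal.sh b/tests/002-keygen-sql/prequal.sh
+new file mode 100755
+index 00000000..d146a650
+--- /dev/null
++++ b/tests/002-keygen-sql/prequal.sh
+@@ -0,0 +1,5 @@
++#!/bin/sh
++if test `id -u` -eq 0 ; then
++ echo "This test won't work right if run as root."
++ exit 1
++fi
+--
+2.25.4
+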
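Review bot: The root check in both new prequal.sh files, `+if test `id -u` -eq 0 ; then`, leaves the command substitution unquoted and uses backticks; if `id` is unavailable or prints nothing the condition degenerates to `test -eq 0`, which errors rather than deciding, so prefer `if test "$(id -u)" -eq 0 ; then`. The commit message says the permission tests fail as root, which presumably means they assert that a restrictively-moded key file is unreadable by another user; that property depends on DAC actually being enforced, not on the uid, so a non-root process holding CAP_DAC_OVERRIDE (some container CI setups) would likely hit the same failure without being skipped — worth a comment in the script, e.g. `# The keygen tests check key-file permissions; root (or CAP_DAC_OVERRIDE) bypasses DAC and makes them fail.`. Exiting 1 from prequal.sh to skip is consistent with the convention in the existing tests/028-dbus/prequal.sh shown further down this commit.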
@ -1,293 +0,0 @@
|
||||
From fd17f002b2f4150a1fddc2582a21c6c03933a28a Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Fri, 23 Feb 2018 10:43:44 -0500
|
||||
Subject: [PATCH] NSS crypto policy sets minimum RSA and DSA key size to 2048
|
||||
|
||||
Remove keys < 2048 for the NSS tests. This affects some of the
|
||||
OpenSSL tests as well where they run in a combined loop.
|
||||
|
||||
Where it was not invasive to do I left the 1024/1536 for OpenSSL.
|
||||
---
|
||||
tests/001-keyiread-dsa/expected.out | 6 +++---
|
||||
tests/001-keyiread-dsa/run.sh | 2 +-
|
||||
tests/001-keyiread-rsa/expected.out | 2 --
|
||||
tests/001-keyiread-rsa/run.sh | 2 +-
|
||||
tests/001-keyiread/expected.out | 2 --
|
||||
tests/001-keyiread/run.sh | 2 +-
|
||||
tests/002-keygen-rsa/expected.out | 6 ------
|
||||
tests/002-keygen-rsa/run.sh | 2 +-
|
||||
tests/002-keygen/expected.out | 18 ------------------
|
||||
tests/002-keygen/run.sh | 2 +-
|
||||
tests/003-csrgen-rsa/expected.out | 6 ------
|
||||
tests/003-csrgen-rsa/run.sh | 4 ++--
|
||||
tests/003-csrgen/expected.out | 8 --------
|
||||
tests/003-csrgen/run.sh | 4 ++--
|
||||
tests/004-selfsign-rsa/expected.out | 2 --
|
||||
tests/004-selfsign-rsa/run.sh | 2 +-
|
||||
tests/004-selfsign/expected.out | 2 --
|
||||
tests/004-selfsign/run.sh | 2 +-
|
||||
18 files changed, 14 insertions(+), 60 deletions(-)
|
||||
|
||||
diff --git a/tests/001-keyiread-dsa/expected.out b/tests/001-keyiread-dsa/expected.out
|
||||
index b09db0ae..50643176 100644
|
||||
--- a/tests/001-keyiread-dsa/expected.out
|
||||
+++ b/tests/001-keyiread-dsa/expected.out
|
||||
@@ -1,4 +1,4 @@
|
||||
-OK (DSA:1024).
|
||||
-OK (DSA:1024).
|
||||
-OK (DSA:1024).
|
||||
+OK (DSA:2048).
|
||||
+OK (DSA:2048).
|
||||
+OK (DSA:2048).
|
||||
Test complete.
|
||||
diff --git a/tests/001-keyiread-dsa/run.sh b/tests/001-keyiread-dsa/run.sh
|
||||
index 9f96b3bc..68f6d1c3 100755
|
||||
--- a/tests/001-keyiread-dsa/run.sh
|
||||
+++ b/tests/001-keyiread-dsa/run.sh
|
||||
@@ -5,7 +5,7 @@ cd "$tmpdir"
|
||||
source "$srcdir"/functions
|
||||
initnssdb "$tmpdir"
|
||||
|
||||
-for size in 1024 ; do
|
||||
+for size in 2048 ; do
|
||||
# Generate a self-signed cert.
|
||||
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
||||
-s "cn=T$size" -c "cn=T$size" \
|
||||
diff --git a/tests/001-keyiread-rsa/expected.out b/tests/001-keyiread-rsa/expected.out
|
||||
index 727897d1..3daa51f2 100644
|
||||
--- a/tests/001-keyiread-rsa/expected.out
|
||||
+++ b/tests/001-keyiread-rsa/expected.out
|
||||
@@ -1,5 +1,3 @@
|
||||
-OK (RSA:1024).
|
||||
-OK (RSA:1536).
|
||||
OK (RSA:2048).
|
||||
OK (RSA:3072).
|
||||
OK (RSA:4096).
|
||||
diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh
|
||||
index c7b77686..ec31c7c7 100755
|
||||
--- a/tests/001-keyiread-rsa/run.sh
|
||||
+++ b/tests/001-keyiread-rsa/run.sh
|
||||
@@ -5,7 +5,7 @@ cd "$tmpdir"
|
||||
source "$srcdir"/functions
|
||||
initnssdb "$tmpdir"
|
||||
|
||||
-for size in 1024 1536 2048 3072 4096 ; do
|
||||
+for size in 2048 3072 4096 ; do
|
||||
# Generate a self-signed cert.
|
||||
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
||||
-s "cn=T$size" -c "cn=T$size" \
|
||||
diff --git a/tests/001-keyiread/expected.out b/tests/001-keyiread/expected.out
|
||||
index 727897d1..3daa51f2 100644
|
||||
--- a/tests/001-keyiread/expected.out
|
||||
+++ b/tests/001-keyiread/expected.out
|
||||
@@ -1,5 +1,3 @@
|
||||
-OK (RSA:1024).
|
||||
-OK (RSA:1536).
|
||||
OK (RSA:2048).
|
||||
OK (RSA:3072).
|
||||
OK (RSA:4096).
|
||||
diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh
|
||||
index ce1428ed..0b31df95 100755
|
||||
--- a/tests/001-keyiread/run.sh
|
||||
+++ b/tests/001-keyiread/run.sh
|
||||
@@ -5,7 +5,7 @@ cd "$tmpdir"
|
||||
source "$srcdir"/functions
|
||||
initnssdb "$tmpdir"
|
||||
|
||||
-for size in 1024 1536 2048 3072 4096 ; do
|
||||
+for size in 2048 3072 4096 ; do
|
||||
# Generate a self-signed cert.
|
||||
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
||||
-s "cn=T$size" -c "cn=T$size" \
|
||||
diff --git a/tests/002-keygen-rsa/expected.out b/tests/002-keygen-rsa/expected.out
|
||||
index 3e6e9f3c..f7c146d0 100644
|
||||
--- a/tests/002-keygen-rsa/expected.out
|
||||
+++ b/tests/002-keygen-rsa/expected.out
|
||||
@@ -1,9 +1,3 @@
|
||||
-[nss:1024]
|
||||
-OK.
|
||||
-OK (RSA:1024).
|
||||
-[nss:1536]
|
||||
-OK.
|
||||
-OK (RSA:1536).
|
||||
[nss:2048]
|
||||
OK.
|
||||
OK (RSA:2048).
|
||||
diff --git a/tests/002-keygen-rsa/run.sh b/tests/002-keygen-rsa/run.sh
|
||||
index 476f4127..c0c59249 100755
|
||||
--- a/tests/002-keygen-rsa/run.sh
|
||||
+++ b/tests/002-keygen-rsa/run.sh
|
||||
@@ -5,7 +5,7 @@ cd "$tmpdir"
|
||||
source "$srcdir"/functions
|
||||
initnssdb "$tmpdir"
|
||||
|
||||
-for size in 1024 1536 2048 3072 4096 ; do
|
||||
+for size in 2048 3072 4096 ; do
|
||||
echo "[nss:$size]"
|
||||
# Generate a key.
|
||||
cat > entry.$size <<- EOF
|
||||
diff --git a/tests/002-keygen/expected.out b/tests/002-keygen/expected.out
|
||||
index dcd1af06..b8fbea56 100644
|
||||
--- a/tests/002-keygen/expected.out
|
||||
+++ b/tests/002-keygen/expected.out
|
||||
@@ -1,21 +1,3 @@
|
||||
-[nss:1024]
|
||||
-OK.
|
||||
-OK (RSA:1024).
|
||||
-OK.
|
||||
-OK (RSA:1024 after RSA:1024).
|
||||
-OK.
|
||||
-OK (RSA:1024 after RSA:1024).
|
||||
-keyi1024
|
||||
-keyi1024 (candidate (next))
|
||||
-[nss:1536]
|
||||
-OK.
|
||||
-OK (RSA:1536).
|
||||
-OK.
|
||||
-OK (RSA:1536 after RSA:1536).
|
||||
-OK.
|
||||
-OK (RSA:1536 after RSA:1536).
|
||||
-keyi1536
|
||||
-keyi1536 (candidate (next))
|
||||
[nss:2048]
|
||||
OK.
|
||||
OK (RSA:2048).
|
||||
diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh
|
||||
index 08af1523..94230e6f 100755
|
||||
--- a/tests/002-keygen/run.sh
|
||||
+++ b/tests/002-keygen/run.sh
|
||||
@@ -7,7 +7,7 @@ scheme="${scheme:-dbm:}"
|
||||
source "$srcdir"/functions
|
||||
initnssdb "$scheme$tmpdir"
|
||||
|
||||
-for size in 1024 1536 2048 3072 4096 ; do
|
||||
+for size in 2048 3072 4096 ; do
|
||||
echo "[nss:$size]"
|
||||
# Generate a key.
|
||||
cat > entry.$size <<- EOF
|
||||
diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out
|
||||
index c9dec729..def53fe4 100644
|
||||
--- a/tests/003-csrgen-rsa/expected.out
|
||||
+++ b/tests/003-csrgen-rsa/expected.out
|
||||
@@ -1,10 +1,4 @@
|
||||
pk12util: PKCS12 EXPORT SUCCESSFUL
|
||||
-1024 OK.
|
||||
-Signature OK
|
||||
-pk12util: PKCS12 EXPORT SUCCESSFUL
|
||||
-1536 OK.
|
||||
-Signature OK
|
||||
-pk12util: PKCS12 EXPORT SUCCESSFUL
|
||||
2048 OK.
|
||||
Signature OK
|
||||
pk12util: PKCS12 EXPORT SUCCESSFUL
|
||||
diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
|
||||
index 4cd84084..bb8ebecb 100755
|
||||
--- a/tests/003-csrgen-rsa/run.sh
|
||||
+++ b/tests/003-csrgen-rsa/run.sh
|
||||
@@ -5,7 +5,7 @@ cd "$tmpdir"
|
||||
source "$srcdir"/functions
|
||||
initnssdb "$tmpdir"
|
||||
|
||||
-for size in 1024 1536 2048 3072 4096 ; do
|
||||
+for size in 2048 3072 4096 ; do
|
||||
# Build a self-signed certificate.
|
||||
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
||||
-s "cn=T$size" -c "cn=T$size" \
|
||||
@@ -147,7 +147,7 @@ iterate() {
|
||||
|
||||
iteration=1
|
||||
|
||||
-for size in 1024 ; do
|
||||
+for size in 2048 ; do
|
||||
iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment"
|
||||
done
|
||||
|
||||
diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out
|
||||
index 8e6cac6e..04342c0f 100644
|
||||
--- a/tests/003-csrgen/expected.out
|
||||
+++ b/tests/003-csrgen/expected.out
|
||||
@@ -1,13 +1,5 @@
|
||||
pk12util: PKCS12 EXPORT SUCCESSFUL
|
||||
Signature OK
|
||||
-minicert.openssl.1024.pem: OK
|
||||
-1024 OK.
|
||||
-pk12util: PKCS12 EXPORT SUCCESSFUL
|
||||
-Signature OK
|
||||
-minicert.openssl.1536.pem: OK
|
||||
-1536 OK.
|
||||
-pk12util: PKCS12 EXPORT SUCCESSFUL
|
||||
-Signature OK
|
||||
minicert.openssl.2048.pem: OK
|
||||
2048 OK.
|
||||
pk12util: PKCS12 EXPORT SUCCESSFUL
|
||||
diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
|
||||
index 7c169ed9..31466b5c 100755
|
||||
--- a/tests/003-csrgen/run.sh
|
||||
+++ b/tests/003-csrgen/run.sh
|
||||
@@ -5,7 +5,7 @@ cd "$tmpdir"
|
||||
source "$srcdir"/functions
|
||||
initnssdb "$tmpdir"
|
||||
|
||||
-for size in 1024 1536 2048 3072 4096 ; do
|
||||
+for size in 2048 3072 4096 ; do
|
||||
# Build a self-signed certificate.
|
||||
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
||||
-s "cn=T$size" -c "cn=T$size" \
|
||||
@@ -199,7 +199,7 @@ iterate() {
|
||||
|
||||
iteration=1
|
||||
|
||||
-for size in 1024 ; do
|
||||
+for size in 2048 ; do
|
||||
iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype"
|
||||
done
|
||||
|
||||
diff --git a/tests/004-selfsign-rsa/expected.out b/tests/004-selfsign-rsa/expected.out
|
||||
index dd5029ec..0eb84ef1 100644
|
||||
--- a/tests/004-selfsign-rsa/expected.out
|
||||
+++ b/tests/004-selfsign-rsa/expected.out
|
||||
@@ -1,5 +1,3 @@
|
||||
-1024 OK.
|
||||
-1536 OK.
|
||||
2048 OK.
|
||||
3072 OK.
|
||||
4096 OK.
|
||||
diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh
|
||||
index 6f9285b6..c1dd4c80 100755
|
||||
--- a/tests/004-selfsign-rsa/run.sh
|
||||
+++ b/tests/004-selfsign-rsa/run.sh
|
||||
@@ -33,7 +33,7 @@ function setupca() {
|
||||
EOF
|
||||
}
|
||||
|
||||
-for size in 1024 1536 2048 3072 4096 ; do
|
||||
+for size in 2048 3072 4096 ; do
|
||||
# Build a self-signed certificate.
|
||||
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
||||
-s "cn=T$size" -c "cn=T$size" \
|
||||
diff --git a/tests/004-selfsign/expected.out b/tests/004-selfsign/expected.out
|
||||
index dd5029ec..0eb84ef1 100644
|
||||
--- a/tests/004-selfsign/expected.out
|
||||
+++ b/tests/004-selfsign/expected.out
|
||||
@@ -1,5 +1,3 @@
|
||||
-1024 OK.
|
||||
-1536 OK.
|
||||
2048 OK.
|
||||
3072 OK.
|
||||
4096 OK.
|
||||
diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh
|
||||
index 7bb368ec..eb1df4ee 100755
|
||||
--- a/tests/004-selfsign/run.sh
|
||||
+++ b/tests/004-selfsign/run.sh
|
||||
@@ -43,7 +43,7 @@ function setupca() {
|
||||
EOF
|
||||
}
|
||||
|
||||
-for size in 1024 1536 2048 3072 4096 ; do
|
||||
+for size in 2048 3072 4096 ; do
|
||||
# Build a self-signed certificate.
|
||||
run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
|
||||
-s "cn=T$size" -c "cn=T$size" \
|
||||
--
|
||||
2.16.2
|
||||
|
@ -1,788 +0,0 @@
|
||||
From 653cd0571fe92c9fd4323f93ff23b9720c00fd5f Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Tue, 31 Jul 2018 13:09:02 -0400
|
||||
Subject: [PATCH] Convert tests to use python3
|
||||
|
||||
---
|
||||
tests/028-dbus/expected.out | 32 +-
|
||||
tests/028-dbus/expected.out.nodsa | 22 +-
|
||||
tests/028-dbus/prequal.sh | 8 +-
|
||||
tests/028-dbus/run.sh | 9 +-
|
||||
tests/028-dbus/runsub.sh | 2 +-
|
||||
tests/028-dbus/simpleprop.py | 14 +-
|
||||
tests/028-dbus/walk.py | 392 ++++++++++----------
|
||||
tests/038-ms-v2-template/extract-extdata.py | 5 +-
|
||||
8 files changed, 243 insertions(+), 241 deletions(-)
|
||||
|
||||
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
|
||||
index ca3179e..1d8bec4 100644
|
||||
--- a/tests/028-dbus/expected.out
|
||||
+++ b/tests/028-dbus/expected.out
|
||||
@@ -1,5 +1,3 @@
|
||||
-Certificate in file "${tmpdir}/test.crt" issued by CA and saved.
|
||||
-Certificate in file "${tmpdir}/test.crt" issued by CA and saved.
|
||||
[[ getcert ]]
|
||||
State MONITORING, stuck: no.
|
||||
Number of certificates and requests being tracked: 1.
|
||||
@@ -187,13 +185,13 @@ dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.Object
|
||||
dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
|
||||
|
||||
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_types ]
|
||||
-dbus.Array([dbus.String(u'RSA'), dbus.String(u'DSA'), dbus.String(u'EC')], signature=dbus.Signature('s'))
|
||||
+dbus.Array([dbus.String('RSA'), dbus.String('DSA'), dbus.String('EC')], signature=dbus.Signature('s'))
|
||||
|
||||
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_storage ]
|
||||
-dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
|
||||
+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
|
||||
|
||||
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_cert_storage ]
|
||||
-dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
|
||||
+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
|
||||
|
||||
[ /org/fedorahosted/certmonger : org.fedorahosted.certmonger.remove_known_ca ]
|
||||
OK
|
||||
@@ -433,19 +431,19 @@ Buddy
|
||||
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ]
|
||||
-(dbus.String(u'CN=$UUID,CN=Local Signing Authority'), dbus.String(u'$UUID'), dbus.String(u'CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
|
||||
+(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ]
|
||||
recently
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_storage_info ]
|
||||
-(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.crt'))
|
||||
+(dbus.String('FILE'), dbus.String('$tmpdir/test.crt'))
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_data ]
|
||||
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_info ]
|
||||
-(dbus.String(u'CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'id-kp-serverAuth')], signature=dbus.Signature('s')))
|
||||
+(dbus.String('CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('id-kp-serverAuth')], signature=dbus.Signature('s')))
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_pin ]
|
||||
|
||||
@@ -454,19 +452,19 @@ recently
|
||||
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_storage_info ]
|
||||
-(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.key'))
|
||||
+(dbus.String('FILE'), dbus.String('$tmpdir/test.key'))
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_type_and_size ]
|
||||
-(dbus.String(u'RSA'), dbus.Int64(512L))
|
||||
+(dbus.String('RSA'), dbus.Int64(512))
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_monitoring ]
|
||||
1
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_notification_info ]
|
||||
-(dbus.String(u'stdout'), dbus.String(u'daemon.notice'))
|
||||
+(dbus.String('stdout'), dbus.String('daemon.notice'))
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_status ]
|
||||
-(dbus.String(u'MONITORING'), dbus.Boolean(False))
|
||||
+(dbus.String('MONITORING'), dbus.Boolean(False))
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_ca ]
|
||||
/org/fedorahosted/certmonger/cas/CA1
|
||||
@@ -482,7 +480,7 @@ recently
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2 : org.fedorahosted.certmonger.request.modify ]
|
||||
1 on /org/fedorahosted/certmonger/requests/Request2
|
||||
-After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
|
||||
+After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String('1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.rekey ]
|
||||
1
|
||||
@@ -713,7 +711,7 @@ dbus.Array([], signature=dbus.Signature('s'))
|
||||
</node>
|
||||
|
||||
[ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_config_file_path ]
|
||||
-$tmpdir/cas/20180327134236
|
||||
+$tmpdir/cas/date
|
||||
|
||||
[ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_nickname ]
|
||||
SelfSign
|
||||
@@ -828,7 +826,7 @@ dbus.Array([], signature=dbus.Signature('s'))
|
||||
</node>
|
||||
|
||||
[ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_config_file_path ]
|
||||
-$tmpdir/cas/20180327134236-1
|
||||
+$tmpdir/cas/date-1
|
||||
|
||||
[ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_nickname ]
|
||||
IPA
|
||||
@@ -941,7 +939,7 @@ dbus.Array([], signature=dbus.Signature('s'))
|
||||
</node>
|
||||
|
||||
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
|
||||
-$tmpdir/cas/20180327134236-2
|
||||
+$tmpdir/cas/date-2
|
||||
|
||||
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
|
||||
certmaster
|
||||
@@ -1054,7 +1052,7 @@ dbus.Array([], signature=dbus.Signature('s'))
|
||||
</node>
|
||||
|
||||
[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
|
||||
-$tmpdir/cas/20180327134236-3
|
||||
+$tmpdir/cas/date-3
|
||||
|
||||
[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
|
||||
dogtag-ipa-renew-agent
|
||||
diff --git a/tests/028-dbus/expected.out.nodsa b/tests/028-dbus/expected.out.nodsa
|
||||
index a23af40..5082ee0 100644
|
||||
--- a/tests/028-dbus/expected.out.nodsa
|
||||
+++ b/tests/028-dbus/expected.out.nodsa
|
||||
@@ -187,13 +187,13 @@ dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.Object
|
||||
dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
|
||||
|
||||
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_types ]
|
||||
-dbus.Array([dbus.String(u'RSA'), dbus.String(u'EC')], signature=dbus.Signature('s'))
|
||||
+dbus.Array([dbus.String('RSA'), dbus.String('EC')], signature=dbus.Signature('s'))
|
||||
|
||||
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_storage ]
|
||||
-dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
|
||||
+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
|
||||
|
||||
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_cert_storage ]
|
||||
-dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
|
||||
+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
|
||||
|
||||
[ /org/fedorahosted/certmonger : org.fedorahosted.certmonger.remove_known_ca ]
|
||||
OK
|
||||
@@ -432,19 +432,19 @@ Buddy
|
||||
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ]
|
||||
-(dbus.String(u'CN=$UUID,CN=Local Signing Authority'), dbus.String(u'$UUID'), dbus.String(u'CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
|
||||
+(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ]
|
||||
recently
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_storage_info ]
|
||||
-(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.crt'))
|
||||
+(dbus.String('FILE'), dbus.String('$tmpdir/test.crt'))
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_data ]
|
||||
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_info ]
|
||||
-(dbus.String(u'CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'id-kp-serverAuth')], signature=dbus.Signature('s')))
|
||||
+(dbus.String('CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('id-kp-serverAuth')], signature=dbus.Signature('s')))
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_pin ]
|
||||
|
||||
@@ -453,19 +453,19 @@ recently
|
||||
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_storage_info ]
|
||||
-(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.key'))
|
||||
+(dbus.String('FILE'), dbus.String('$tmpdir/test.key'))
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_type_and_size ]
|
||||
-(dbus.String(u'RSA'), dbus.Int64(512L))
|
||||
+(dbus.String('RSA'), dbus.Int64(512))
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_monitoring ]
|
||||
1
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_notification_info ]
|
||||
-(dbus.String(u'stdout'), dbus.String(u'daemon.notice'))
|
||||
+(dbus.String('stdout'), dbus.String('daemon.notice'))
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_status ]
|
||||
-(dbus.String(u'MONITORING'), dbus.Boolean(False))
|
||||
+(dbus.String('MONITORING'), dbus.Boolean(False))
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_ca ]
|
||||
/org/fedorahosted/certmonger/cas/CA1
|
||||
@@ -481,7 +481,7 @@ recently
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2 : org.fedorahosted.certmonger.request.modify ]
|
||||
1 on /org/fedorahosted/certmonger/requests/Request2
|
||||
-After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
|
||||
+After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String('1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
|
||||
|
||||
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.rekey ]
|
||||
1
|
||||
diff --git a/tests/028-dbus/prequal.sh b/tests/028-dbus/prequal.sh
|
||||
index e645c19..4fe79c8 100755
|
||||
--- a/tests/028-dbus/prequal.sh
|
||||
+++ b/tests/028-dbus/prequal.sh
|
||||
@@ -9,19 +9,19 @@ if test -z "$DBUSDAEMON" ; then
|
||||
echo dbus-daemon not found
|
||||
exit 1
|
||||
fi
|
||||
-if ! python -c 'import os' 2> /dev/null ; then
|
||||
+if ! python3 -c 'import os' 2> /dev/null ; then
|
||||
echo python not found
|
||||
exit 1
|
||||
fi
|
||||
-if ! python -c 'import dbus' 2> /dev/null ; then
|
||||
+if ! python3 -c 'import dbus' 2> /dev/null ; then
|
||||
echo python-dbus not found
|
||||
exit 1
|
||||
fi
|
||||
-if ! python -c 'import xml' 2> /dev/null ; then
|
||||
+if ! python3 -c 'import xml' 2> /dev/null ; then
|
||||
echo python-xml not found
|
||||
exit 1
|
||||
fi
|
||||
-if ! python -c 'import xml.etree.ElementTree' 2> /dev/null ; then
|
||||
+if ! python3 -c 'import xml.etree.ElementTree' 2> /dev/null ; then
|
||||
echo python-xml does not include etree.ElementTree
|
||||
exit 1
|
||||
fi
|
||||
diff --git a/tests/028-dbus/run.sh b/tests/028-dbus/run.sh
|
||||
index c468d51..ee90875 100755
|
||||
--- a/tests/028-dbus/run.sh
|
||||
+++ b/tests/028-dbus/run.sh
|
||||
@@ -23,7 +23,7 @@ EOF
|
||||
$DBUSDAEMON --session --print-address=3 --print-pid=4 --fork 3> $tmpdir/address 4> $tmpdir/pid
|
||||
if test -s $tmpdir/pid ; then
|
||||
env DBUS_SESSION_BUS_ADDRESS=`cat $tmpdir/address` \
|
||||
- $toolsdir/../../src/certmonger-session -n -c $tmpdir/runsub.sh
|
||||
+ $toolsdir/../../src/certmonger-session -n -c $tmpdir/runsub.sh > /dev/null
|
||||
fi
|
||||
kill `cat $tmpdir/pid`
|
||||
|
||||
@@ -33,8 +33,8 @@ now=`date +%s`
|
||||
for i in `seq 240` ; do
|
||||
recently=$(($now-$i))
|
||||
tomorrow=$(($now-$i+24*60*60))
|
||||
- sed -i -e s/^$recently'$/recently/g' -e s/"("$recently"L)"/'(recently)'/g \
|
||||
- -e s/^$tomorrow'$/tomorrow/g' -e s/"("$tomorrow"L)"/'(tomorrow)'/g $tmpdir/runsub.out
|
||||
+ sed -i -e s/^$recently'$/recently/g' -e s/"("$recently")"/'(recently)'/g \
|
||||
+ -e s/^$tomorrow'$/tomorrow/g' -e s/"("$tomorrow")"/'(tomorrow)'/g $tmpdir/runsub.out
|
||||
done
|
||||
|
||||
cat $tmpdir/runsub.out | \
|
||||
@@ -43,4 +43,5 @@ sed -r -e 's,CN=........-........-........-........,CN=$UUID,g' \
|
||||
-e "s|$libexecdir|\$libexecdir|g" \
|
||||
-e "s|$tmpdir|\$tmpdir|g" \
|
||||
-e "s|expires:.*|expires: sometime|g" \
|
||||
- -e "s|u'(00)?[0-9a-fA-F]{32}|u'"'$UUID|g'
|
||||
+ -e "s|'(00)?[0-9a-fA-F]{32}|'"'$UUID|g' \
|
||||
+ -e "s|cas\/[0-9]{14}|cas\/date|g"
|
||||
diff --git a/tests/028-dbus/runsub.sh b/tests/028-dbus/runsub.sh
|
||||
index 3510d79..fe6766c 100755
|
||||
--- a/tests/028-dbus/runsub.sh
|
||||
+++ b/tests/028-dbus/runsub.sh
|
||||
@@ -22,5 +22,5 @@ echo ""
|
||||
echo "[[ API ]]"
|
||||
for i in ./*.py ; do
|
||||
echo "[" `basename "$i"` "]"
|
||||
- python $i
|
||||
+ python3 $i
|
||||
done
|
||||
diff --git a/tests/028-dbus/simpleprop.py b/tests/028-dbus/simpleprop.py
|
||||
index e4f937e..35d9591 100644
|
||||
--- a/tests/028-dbus/simpleprop.py
|
||||
+++ b/tests/028-dbus/simpleprop.py
|
||||
@@ -1,4 +1,4 @@
|
||||
-#!/usr/bin/python
|
||||
+#!/usr/bin/python3
|
||||
import dbus
|
||||
|
||||
# Get a handle for the main certmonger interface.
|
||||
@@ -19,7 +19,7 @@ ca = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
|
||||
|
||||
# Toggle the helper a couple of times.
|
||||
ca_ext_h = o.Get('org.fedorahosted.certmonger.ca', 'external-helper')
|
||||
-print ca_ext_h, "->",
|
||||
+print(ca_ext_h, "-> ", end='')
|
||||
|
||||
if ca_ext_h.split()[0] == ca_ext_h:
|
||||
ca_ext_h += ' -k admin@localhost'
|
||||
@@ -28,7 +28,7 @@ else:
|
||||
ca.Set('org.fedorahosted.certmonger.ca', 'external-helper', ca_ext_h)
|
||||
|
||||
ca_ext_h = o.Get('org.fedorahosted.certmonger.ca', 'external-helper')
|
||||
-print ca_ext_h, "->",
|
||||
+print(ca_ext_h, "-> ", end='')
|
||||
|
||||
if ca_ext_h.split()[0] == ca_ext_h:
|
||||
ca_ext_h += ' -k admin@localhost'
|
||||
@@ -37,20 +37,20 @@ else:
|
||||
ca.Set('org.fedorahosted.certmonger.ca', 'external-helper', ca_ext_h)
|
||||
|
||||
ca_ext_h = o.Get('org.fedorahosted.certmonger.ca', 'external-helper')
|
||||
-print ca_ext_h
|
||||
+print(ca_ext_h)
|
||||
|
||||
# Toggle the "is-default" value a couple of times.
|
||||
isdef = ca.Get('org.fedorahosted.certmonger.ca', 'is-default')
|
||||
-print isdef, "->",
|
||||
+print(isdef, "-> ", end='')
|
||||
|
||||
ca.Set('org.fedorahosted.certmonger.ca', 'is-default', not isdef)
|
||||
|
||||
isdef = ca.Get('org.fedorahosted.certmonger.ca', 'is-default')
|
||||
-print isdef, "->",
|
||||
+print(isdef, "-> ", end='')
|
||||
|
||||
ca.Set('org.fedorahosted.certmonger.ca', 'is-default', not isdef)
|
||||
|
||||
isdef = ca.Get('org.fedorahosted.certmonger.ca', 'is-default')
|
||||
-print isdef
|
||||
+print(isdef)
|
||||
|
||||
cm.remove_known_ca(path)
|
||||
diff --git a/tests/028-dbus/walk.py b/tests/028-dbus/walk.py
|
||||
index f60ca93..683d94e 100644
|
||||
--- a/tests/028-dbus/walk.py
|
||||
+++ b/tests/028-dbus/walk.py
|
||||
@@ -1,4 +1,4 @@
|
||||
-#!/usr/bin/python
|
||||
+#!/usr/bin/python3
|
||||
import dbus
|
||||
import xml.etree.ElementTree
|
||||
import os
|
||||
@@ -9,217 +9,219 @@ bus = dbus.SessionBus()
|
||||
|
||||
# Check that reading a property directly produces the same value as reading it via GetAll().
|
||||
def check_props(objpath, interface):
|
||||
- o = bus.get_object('org.fedorahosted.certmonger', objpath)
|
||||
- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
|
||||
- props = i.GetAll(interface)
|
||||
- for prop in props.keys():
|
||||
- value = props[prop]
|
||||
- if value != i.Get(interface, prop):
|
||||
- print("%s: property %s.%s mismatch (%s, %s)" % (objpath, interface, prop, value, i.Get(interface, prop)))
|
||||
- return False
|
||||
- return True
|
||||
+ o = bus.get_object('org.fedorahosted.certmonger', objpath)
|
||||
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
|
||||
+ props = i.GetAll(interface)
|
||||
+ for prop in props.keys():
|
||||
+ value = props[prop]
|
||||
+ if value != i.Get(interface, prop):
|
||||
+ print("%s: property %s.%s mismatch (%s, %s)" % (objpath, interface, prop, value, i.Get(interface, prop)))
|
||||
+ return False
|
||||
+ return True
|
||||
|
||||
# Try to call the method.
|
||||
def examine_method(objpath, interface, method, idata):
|
||||
- in_args = 0
|
||||
- out_args = 0
|
||||
- o = bus.get_object('org.fedorahosted.certmonger', objpath)
|
||||
- i = dbus.Interface(o, interface)
|
||||
- for child in idata.getchildren():
|
||||
- if child.tag == 'arg':
|
||||
- if child.get('direction') != 'out':
|
||||
- in_args = in_args + 1
|
||||
- else:
|
||||
- out_args = out_args + 1
|
||||
- if in_args == 0:
|
||||
- # Takes no inputs, so just call it.
|
||||
- m = i.get_dbus_method(method)
|
||||
- if out_args == 0:
|
||||
- m()
|
||||
- print("[ %s: %s.%s ]\n" % (objpath, interface, method))
|
||||
- elif out_args == 1:
|
||||
- result = m()
|
||||
- print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
|
||||
- else:
|
||||
- result = m()
|
||||
- print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
|
||||
- elif method == 'Get' or method == 'Set' or method == 'GetAll':
|
||||
- # We check on properties elsewhere.
|
||||
- return True
|
||||
- # Per-method exercise.
|
||||
- elif method == 'add_known_ca' or method == 'remove_known_ca':
|
||||
- (result, path) = i.add_known_ca('Test CA', '/usr/bin/env', [])
|
||||
- if not result:
|
||||
- print("[ %s : %s.%s ]: add_known_ca error\n" % (objpath, interface, method))
|
||||
- return False
|
||||
- result = i.remove_known_ca(path)
|
||||
- if not result:
|
||||
- print("[ %s : %s.%s ]: remove_known_ca error\n" % (objpath, interface, method))
|
||||
- return False
|
||||
- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
|
||||
- elif method == 'add_request' or method == 'remove_request':
|
||||
- tmpdir = os.getenv('TMPDIR')
|
||||
- if not tmpdir or tmpdir == '':
|
||||
- tmpdir = '/tmp'
|
||||
- properties = {
|
||||
- 'nickname': 'foo',
|
||||
- 'cert-storage': 'file',
|
||||
- 'cert-file': tmpdir + "/028-certfile",
|
||||
- 'key-storage': 'file',
|
||||
- 'key-file': tmpdir + "/028-keyfile",
|
||||
- 'template-email': ['root@localhost', 'toor@localhost'],
|
||||
- }
|
||||
- (result, path) = i.add_request(properties)
|
||||
- if not result:
|
||||
- print("[ %s : %s.%s ]: add_request error\n" % (objpath, interface, method))
|
||||
- return False
|
||||
- result = i.remove_request(path)
|
||||
- if not result:
|
||||
- print("[ %s : %s.%s ]: remove_request error\n" % (objpath, interface, method))
|
||||
- return False
|
||||
- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
|
||||
- elif method == 'find_ca_by_nickname':
|
||||
- capath = i.find_ca_by_nickname('local')
|
||||
- o = bus.get_object('org.fedorahosted.certmonger', capath)
|
||||
- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
|
||||
- if i.Get('org.fedorahosted.certmonger.ca', 'nickname') != 'local':
|
||||
- print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.ca', 'nickname')))
|
||||
- return False
|
||||
- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
|
||||
- elif method == 'find_request_by_nickname':
|
||||
- reqpath = i.find_request_by_nickname('Buddy')
|
||||
- o = bus.get_object('org.fedorahosted.certmonger', reqpath)
|
||||
- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
|
||||
- if i.Get('org.fedorahosted.certmonger.request', 'nickname') != 'Buddy':
|
||||
- print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.request', 'nickname')))
|
||||
- return False
|
||||
- print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
|
||||
- elif method == 'modify':
|
||||
- mods = {}
|
||||
- propname = "template-eku"
|
||||
- propval = '1.2.3.4.5.6.7.8.9.10'
|
||||
- mods[propname] = [propval,]
|
||||
- status, path = i.modify(mods)
|
||||
- if not status:
|
||||
- print("[ %s : %s.%s ] error\n" % (objpath, interface, method))
|
||||
- return False
|
||||
- print("[ %s : %s.%s ]\n%d on %s" % (objpath, interface, method, status, path))
|
||||
- props = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
|
||||
- prop = props.Get(interface, 'template-eku')
|
||||
- print("After setting %s to %s, we got %s\n" % (propname, propval, prop))
|
||||
- else:
|
||||
- # We're in FIXME territory.
|
||||
- print('FIXME: need support for "%s"' % method)
|
||||
- return False
|
||||
- # If we caused things to start churning, wait for them to settle.
|
||||
+ in_args = 0
|
||||
+ out_args = 0
|
||||
+ o = bus.get_object('org.fedorahosted.certmonger', objpath)
|
||||
+ i = dbus.Interface(o, interface)
|
||||
+ for child in idata.getchildren():
|
||||
+ if child.tag == 'arg':
|
||||
+ if child.get('direction') != 'out':
|
||||
+ in_args = in_args + 1
|
||||
+ else:
|
||||
+ out_args = out_args + 1
|
||||
+ if in_args == 0:
|
||||
+ # Takes no inputs, so just call it.
|
||||
+ m = i.get_dbus_method(method)
|
||||
+ if out_args == 0:
|
||||
+ m()
|
||||
+ print("[ %s: %s.%s ]\n" % (objpath, interface, method))
|
||||
+ elif out_args == 1:
|
||||
+ result = m()
|
||||
+ print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
|
||||
+ else:
|
||||
+ result = m()
|
||||
+ print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
|
||||
+ elif method == 'Get' or method == 'Set' or method == 'GetAll':
|
||||
+ # We check on properties elsewhere.
|
||||
+ return True
|
||||
+ # Per-method exercise.
|
||||
+ elif method == 'add_known_ca' or method == 'remove_known_ca':
|
||||
+ (result, path) = i.add_known_ca('Test CA', '/usr/bin/env', [])
|
||||
+ if not result:
|
||||
+ print("[ %s : %s.%s ]: add_known_ca error\n" % (objpath, interface, method))
|
||||
+ return False
|
||||
+ result = i.remove_known_ca(path)
|
||||
+ if not result:
|
||||
+ print("[ %s : %s.%s ]: remove_known_ca error\n" % (objpath, interface, method))
|
||||
+ return False
|
||||
+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
|
||||
+ elif method == 'add_request' or method == 'remove_request':
|
||||
+ tmpdir = os.getenv('TMPDIR')
|
||||
+ if not tmpdir or tmpdir == '':
|
||||
+ tmpdir = '/tmp'
|
||||
+ properties = {
|
||||
+ 'nickname': 'foo',
|
||||
+ 'cert-storage': 'file',
|
||||
+ 'cert-file': tmpdir + "/028-certfile",
|
||||
+ 'key-storage': 'file',
|
||||
+ 'key-file': tmpdir + "/028-keyfile",
|
||||
+ 'template-email': ['root@localhost', 'toor@localhost'],
|
||||
+ }
|
||||
+ (result, path) = i.add_request(properties)
|
||||
+ if not result:
|
||||
+ print("[ %s : %s.%s ]: add_request error\n" % (objpath, interface, method))
|
||||
+ return False
|
||||
+ result = i.remove_request(path)
|
||||
+ if not result:
|
||||
+ print("[ %s : %s.%s ]: remove_request error\n" % (objpath, interface, method))
|
||||
+ return False
|
||||
+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
|
||||
+ elif method == 'find_ca_by_nickname':
|
||||
+ capath = i.find_ca_by_nickname('local')
|
||||
+ o = bus.get_object('org.fedorahosted.certmonger', capath)
|
||||
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
|
||||
+ if i.Get('org.fedorahosted.certmonger.ca', 'nickname') != 'local':
|
||||
+ print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.ca', 'nickname')))
|
||||
+ return False
|
||||
+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
|
||||
+ elif method == 'find_request_by_nickname':
|
||||
+ reqpath = i.find_request_by_nickname('Buddy')
|
||||
+ if not reqpath:
|
||||
+ return False
|
||||
+ o = bus.get_object('org.fedorahosted.certmonger', reqpath)
|
||||
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
|
||||
+ if i.Get('org.fedorahosted.certmonger.request', 'nickname') != 'Buddy':
|
||||
+ print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.request', 'nickname')))
|
||||
+ return False
|
||||
+ print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
|
||||
+ elif method == 'modify':
|
||||
+ mods = {}
|
||||
+ propname = "template-eku"
|
||||
+ propval = '1.2.3.4.5.6.7.8.9.10'
|
||||
+ mods[propname] = [propval,]
|
||||
+ status, path = i.modify(mods)
|
||||
+ if not status:
|
||||
+ print("[ %s : %s.%s ] error\n" % (objpath, interface, method))
|
||||
+ return False
|
||||
+ print("[ %s : %s.%s ]\n%d on %s" % (objpath, interface, method, status, path))
|
||||
+ props = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
|
||||
+ prop = props.Get(interface, 'template-eku')
|
||||
+ print("After setting %s to %s, we got %s\n" % (propname, propval, prop))
|
||||
+ else:
|
||||
+ # We're in FIXME territory.
|
||||
+ print('FIXME: need support for "%s"' % method)
|
||||
+ return False
|
||||
+ # If we caused things to start churning, wait for them to settle.
|
||||
if method == 'resubmit':
|
||||
props = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
|
||||
prop = props.Get(interface, 'status')
|
||||
while prop != 'MONITORING':
|
||||
time.sleep(1)
|
||||
prop = props.Get(interface, 'status')
|
||||
- return True
|
||||
+ return True
|
||||
|
||||
def iget(child, proxy, interface, prop):
|
||||
- value = proxy.Get(interface, prop)
|
||||
- if not value:
|
||||
- if child.get('type') == 'b':
|
||||
- value = False
|
||||
- elif child.get('type') == 'n' or child.get('type') == 'x':
|
||||
- value = 0
|
||||
- elif child.get('type') == 's':
|
||||
- value = ''
|
||||
- elif child.get('type') == 'as':
|
||||
- value = ['']
|
||||
- else:
|
||||
- print("%s.%s: %s" % (interface, prop, child.get('type')))
|
||||
- return False
|
||||
- return value
|
||||
+ value = proxy.Get(interface, prop)
|
||||
+ if not value:
|
||||
+ if child.get('type') == 'b':
|
||||
+ value = False
|
||||
+ elif child.get('type') == 'n' or child.get('type') == 'x':
|
||||
+ value = 0
|
||||
+ elif child.get('type') == 's':
|
||||
+ value = ''
|
||||
+ elif child.get('type') == 'as':
|
||||
+ value = ['']
|
||||
+ else:
|
||||
+ print("%s.%s: %s" % (interface, prop, child.get('type')))
|
||||
+ return False
|
||||
+ return value
|
||||
|
||||
def examine_interface(objpath, interface, idata):
|
||||
- o = bus.get_object('org.fedorahosted.certmonger', objpath)
|
||||
- i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
|
||||
- for child in idata.getchildren():
|
||||
- if child.tag == 'property':
|
||||
- prop = child.get('name')
|
||||
- if child.get('access') == 'read':
|
||||
- # Check that we can read it.
|
||||
- value = i.Get(interface, prop)
|
||||
- elif child.get('access') == 'readwrite':
|
||||
- if prop == 'external-helper' or prop == 'scep-ca-identifier':
|
||||
- cai = dbus.Interface(o, 'org.fedorahosted.certmonger.ca')
|
||||
- if cai.get_type() != 'EXTERNAL':
|
||||
- print("%s: warning: property %s.%s not settable on this object" % (objpath, interface, prop))
|
||||
- continue
|
||||
- # Check that we can read it, tweak it, and then reset it.
|
||||
- value = iget(child, i, interface, prop)
|
||||
- i.Set(interface, prop, value)
|
||||
- newvalue = None
|
||||
- if child.get('type') == 'b':
|
||||
- newvalue = not value
|
||||
- elif child.get('type') == 'n' or child.get('type') == 'x':
|
||||
- newvalue = value + 1
|
||||
- elif child.get('type') == 's':
|
||||
- newvalue = 'x' + value
|
||||
- elif child.get('type') == 'as':
|
||||
- newvalue = ['x'] + value
|
||||
- else:
|
||||
- print("%s.%s: %s" % (interface, prop, child.get('type')))
|
||||
- return False
|
||||
- if newvalue:
|
||||
- if newvalue == value:
|
||||
- print("%s: error determining new value: (%s, %s): %s" % (objpath, interface, prop, value))
|
||||
- return False
|
||||
- i.Set(interface, prop, newvalue)
|
||||
- if newvalue != iget(child, i, interface, prop):
|
||||
- print("%s: property %s.%s not set: (%s, %s)" % (objpath, interface, prop, value, newvalue))
|
||||
- return False
|
||||
- i.Set(interface, prop, value)
|
||||
- if value != iget(child, i, interface, prop):
|
||||
- print("%s: property %s.%s not reset: (%s, %s)" % (objpath, interface, prop, newvalue, value))
|
||||
- return False
|
||||
- elif child.tag == 'method':
|
||||
- method = child.get('name')
|
||||
- if not examine_method(objpath, interface, method, child):
|
||||
- return False
|
||||
- elif child.tag == 'signal':
|
||||
- continue
|
||||
- else:
|
||||
- print "FIXME: handle child tag %s" % child.tag
|
||||
- return False
|
||||
- return True
|
||||
+ o = bus.get_object('org.fedorahosted.certmonger', objpath)
|
||||
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
|
||||
+ for child in idata.getchildren():
|
||||
+ if child.tag == 'property':
|
||||
+ prop = child.get('name')
|
||||
+ if child.get('access') == 'read':
|
||||
+ # Check that we can read it.
|
||||
+ value = i.Get(interface, prop)
|
||||
+ elif child.get('access') == 'readwrite':
|
||||
+ if prop == 'external-helper' or prop == 'scep-ca-identifier':
|
||||
+ cai = dbus.Interface(o, 'org.fedorahosted.certmonger.ca')
|
||||
+ if cai.get_type() != 'EXTERNAL':
|
||||
+ print("%s: warning: property %s.%s not settable on this object" % (objpath, interface, prop))
|
||||
+ continue
|
||||
+ # Check that we can read it, tweak it, and then reset it.
|
||||
+ value = iget(child, i, interface, prop)
|
||||
+ i.Set(interface, prop, value)
|
||||
+ newvalue = None
|
||||
+ if child.get('type') == 'b':
|
||||
+ newvalue = not value
|
||||
+ elif child.get('type') == 'n' or child.get('type') == 'x':
|
||||
+ newvalue = value + 1
|
||||
+ elif child.get('type') == 's':
|
||||
+ newvalue = 'x' + value
|
||||
+ elif child.get('type') == 'as':
|
||||
+ newvalue = ['x'] + value
|
||||
+ else:
|
||||
+ print("%s.%s: %s" % (interface, prop, child.get('type')))
|
||||
+ return False
|
||||
+ if newvalue:
|
||||
+ if newvalue == value:
|
||||
+ print("%s: error determining new value: (%s, %s): %s" % (objpath, interface, prop, value))
|
||||
+ return False
|
||||
+ i.Set(interface, prop, newvalue)
|
||||
+ if newvalue != iget(child, i, interface, prop):
|
||||
+ print("%s: property %s.%s not set: (%s, %s)" % (objpath, interface, prop, value, newvalue))
|
||||
+ return False
|
||||
+ i.Set(interface, prop, value)
|
||||
+ if value != iget(child, i, interface, prop):
|
||||
+ print("%s: property %s.%s not reset: (%s, %s)" % (objpath, interface, prop, newvalue, value))
|
||||
+ return False
|
||||
+ elif child.tag == 'method':
|
||||
+ method = child.get('name')
|
||||
+ if not examine_method(objpath, interface, method, child):
|
||||
+ return False
|
||||
+ elif child.tag == 'signal':
|
||||
+ continue
|
||||
+ else:
|
||||
+ print("FIXME: handle child tag %s" % child.tag)
|
||||
+ return False
|
||||
+ return True
|
||||
|
||||
def examine_object(objpath):
|
||||
- o = bus.get_object('org.fedorahosted.certmonger', objpath)
|
||||
- i = dbus.Interface(o, 'org.freedesktop.DBus.Introspectable')
|
||||
- idata = i.Introspect()
|
||||
- x = xml.etree.ElementTree.XML(idata)
|
||||
+ o = bus.get_object('org.fedorahosted.certmonger', objpath)
|
||||
+ i = dbus.Interface(o, 'org.freedesktop.DBus.Introspectable')
|
||||
+ idata = i.Introspect()
|
||||
+ x = xml.etree.ElementTree.XML(idata)
|
||||
|
||||
- # Check if the object supports properties interfaces.
|
||||
- props = False
|
||||
- for child in x.getchildren():
|
||||
- if child.tag == 'interface':
|
||||
- if child.get('name') == 'org.freedesktop.DBus.Properties':
|
||||
- props = True
|
||||
+ # Check if the object supports properties interfaces.
|
||||
+ props = False
|
||||
+ for child in x.getchildren():
|
||||
+ if child.tag == 'interface':
|
||||
+ if child.get('name') == 'org.freedesktop.DBus.Properties':
|
||||
+ props = True
|
||||
|
||||
- # Look at the interfaces and child nodes.
|
||||
- for child in x.getchildren():
|
||||
- if child.tag == 'interface':
|
||||
- if props and not check_props(objpath, child.get('name')):
|
||||
- return False
|
||||
- if not examine_interface(objpath, child.get('name'), child):
|
||||
- return False
|
||||
- elif child.tag == 'node':
|
||||
- if objpath == '/':
|
||||
- childpath = '/' + child.get('name')
|
||||
- else:
|
||||
- childpath = objpath + '/' + child.get('name')
|
||||
- examine_object(childpath)
|
||||
- else:
|
||||
- print "FIXME: handle child tag %s" % child.tag
|
||||
- return False
|
||||
- return True
|
||||
+ # Look at the interfaces and child nodes.
|
||||
+ for child in x.getchildren():
|
||||
+ if child.tag == 'interface':
|
||||
+ if props and not check_props(objpath, child.get('name')):
|
||||
+ return False
|
||||
+ if not examine_interface(objpath, child.get('name'), child):
|
||||
+ return False
|
||||
+ elif child.tag == 'node':
|
||||
+ if objpath == '/':
|
||||
+ childpath = '/' + child.get('name')
|
||||
+ else:
|
||||
+ childpath = objpath + '/' + child.get('name')
|
||||
+ examine_object(childpath)
|
||||
+ else:
|
||||
+ print("FIXME: handle child tag %s" % child.tag)
|
||||
+ return False
|
||||
+ return True
|
||||
|
||||
if not examine_object('/'):
|
||||
- sys.exit(1)
|
||||
+ sys.exit(1)
|
||||
sys.exit(0)
|
||||
diff --git a/tests/038-ms-v2-template/extract-extdata.py b/tests/038-ms-v2-template/extract-extdata.py
|
||||
index 1a845fd..9f9d910 100755
|
||||
--- a/tests/038-ms-v2-template/extract-extdata.py
|
||||
+++ b/tests/038-ms-v2-template/extract-extdata.py
|
||||
@@ -1,10 +1,11 @@
|
||||
-#!/usr/bin/python2
|
||||
+#!/usr/bin/python3
|
||||
|
||||
# Given `openssl asn1parse` output of a CSR, look for the V2 Template
|
||||
# extension and output its data if found. Nonzero exit status if
|
||||
# not found.
|
||||
|
||||
import binascii
|
||||
+import os
|
||||
import re
|
||||
import sys
|
||||
|
||||
@@ -21,7 +22,7 @@ for line in sys.stdin:
|
||||
#
|
||||
if state == STATE_FOUND and 'OCTET STRING' in line:
|
||||
result = re.search(r'\[HEX DUMP\]:(\w*)', line)
|
||||
- sys.stdout.write(binascii.unhexlify(result.group(1)))
|
||||
+ os.write(1, binascii.unhexlify(result.group(1)))
|
||||
state = STATE_DONE
|
||||
break
|
||||
|
||||
--
|
||||
2.17.0
|
||||
|
@ -0,0 +1,195 @@
|
||||
From 73b1729b9ca740174ef2fa14332f890c5cd17a26 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Tue, 10 Nov 2020 18:48:05 -0500
|
||||
Subject: [PATCH] Revert "Remove the certmaster CA from the 028-dbus test"
|
||||
|
||||
This reverts commit dd8dcb899e0a159d1141b713993805565ffb6d28.
|
||||
---
|
||||
tests/028-dbus/expected.out | 130 ++++++++++++++++++++++++++++++++++--
|
||||
1 file changed, 124 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
|
||||
index ca7de34f..4d6a9a59 100644
|
||||
--- a/tests/028-dbus/expected.out
|
||||
+++ b/tests/028-dbus/expected.out
|
||||
@@ -34,6 +34,10 @@ CA 'IPA':
|
||||
is-default: no
|
||||
ca-type: EXTERNAL
|
||||
helper-location: $libexecdir/ipa-submit
|
||||
+CA 'certmaster':
|
||||
+ is-default: no
|
||||
+ ca-type: EXTERNAL
|
||||
+ helper-location: $libexecdir/certmaster-submit
|
||||
CA 'dogtag-ipa-renew-agent':
|
||||
is-default: no
|
||||
ca-type: EXTERNAL
|
||||
@@ -41,8 +45,8 @@ CA 'dogtag-ipa-renew-agent':
|
||||
|
||||
[[ API ]]
|
||||
[ simpleprop.py ]
|
||||
-/org/fedorahosted/certmonger/cas/CA5
|
||||
-/org/fedorahosted/certmonger/cas/CA5
|
||||
+/org/fedorahosted/certmonger/cas/CA6
|
||||
+/org/fedorahosted/certmonger/cas/CA6
|
||||
: -> : -k admin@localhost -> :
|
||||
0 -> 1 -> 0
|
||||
[ walk.py ]
|
||||
@@ -178,7 +182,7 @@ OK
|
||||
OK
|
||||
|
||||
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ]
|
||||
-dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4')], signature=dbus.Signature('o'))
|
||||
+dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA5')], signature=dbus.Signature('o'))
|
||||
|
||||
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ]
|
||||
dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
|
||||
@@ -504,6 +508,7 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
|
||||
<node name="CA2"/>
|
||||
<node name="CA3"/>
|
||||
<node name="CA4"/>
|
||||
+ <node name="CA5"/>
|
||||
</node>
|
||||
|
||||
[ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ]
|
||||
@@ -937,10 +942,10 @@ dbus.Array([], signature=dbus.Signature('s'))
|
||||
</node>
|
||||
|
||||
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
|
||||
-$tmpdir/cas/20180327134236-3
|
||||
+$tmpdir/cas/20180327134236-2
|
||||
|
||||
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
|
||||
-dogtag-ipa-renew-agent
|
||||
+certmaster
|
||||
|
||||
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ]
|
||||
0
|
||||
@@ -952,7 +957,7 @@ EXTERNAL
|
||||
None
|
||||
|
||||
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ]
|
||||
-$libexecdir/dogtag-ipa-renew-agent-submit
|
||||
+$libexecdir/certmaster-submit
|
||||
|
||||
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ]
|
||||
dbus.Array([], signature=dbus.Signature('s'))
|
||||
@@ -960,3 +965,116 @@ dbus.Array([], signature=dbus.Signature('s'))
|
||||
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ]
|
||||
1
|
||||
|
||||
+[ /org/fedorahosted/certmonger/cas/CA5: org.freedesktop.DBus.Introspectable.Introspect ]
|
||||
+<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
|
||||
+"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
|
||||
+
|
||||
+<node name="/org/fedorahosted/certmonger/cas/CA5">
|
||||
+ <interface name="org.freedesktop.DBus.Introspectable">
|
||||
+ <method name="Introspect">
|
||||
+ <arg name="xml_data" type="s" direction="out"/>
|
||||
+ </method>
|
||||
+ </interface>
|
||||
+ <interface name="org.freedesktop.DBus.Properties">
|
||||
+ <method name="Get">
|
||||
+ <arg name="interface_name" type="s" direction="in"/>
|
||||
+ <arg name="property_name" type="s" direction="in"/>
|
||||
+ <arg name="value" type="v" direction="out"/>
|
||||
+ </method>
|
||||
+ <method name="Set">
|
||||
+ <arg name="interface_name" type="s" direction="in"/>
|
||||
+ <arg name="property_name" type="s" direction="in"/>
|
||||
+ <arg name="value" type="v" direction="in"/>
|
||||
+ </method>
|
||||
+ <method name="GetAll">
|
||||
+ <arg name="interface_name" type="s" direction="in"/>
|
||||
+ <arg name="props" type="a{sv}" direction="out"/>
|
||||
+ </method>
|
||||
+ <signal name="PropertiesChanged">
|
||||
+ <arg name="interface_name" type="s"/>
|
||||
+ <arg name="changed_properties" type="a{sv}"/>
|
||||
+ <arg name="invalidated_properties" type="as"/>
|
||||
+ </signal>
|
||||
+ </interface>
|
||||
+ <interface name="org.fedorahosted.certmonger.ca">
|
||||
+ <method name="get_config_file_path">
|
||||
+ <arg name="path" type="s" direction="out"/>
|
||||
+ </method>
|
||||
+ <method name="get_nickname">
|
||||
+ <arg name="nickname" type="s" direction="out"/>
|
||||
+ </method>
|
||||
+ <property name="nickname" type="s" access="read"/>
|
||||
+ <property name="aka" type="s" access="read"/>
|
||||
+ <method name="get_is_default">
|
||||
+ <arg name="default" type="b" direction="out"/>
|
||||
+ </method>
|
||||
+ <property name="is-default" type="b" access="readwrite"/>
|
||||
+ <method name="get_type">
|
||||
+ <arg name="type" type="s" direction="out"/>
|
||||
+ </method>
|
||||
+ <method name="get_serial">
|
||||
+ <arg name="serial_hex" type="s" direction="out"/>
|
||||
+ </method>
|
||||
+ <method name="get_location">
|
||||
+ <arg name="path" type="s" direction="out"/>
|
||||
+ </method>
|
||||
+ <property name="external-helper" type="s" access="readwrite"/>
|
||||
+ <method name="get_issuer_names">
|
||||
+ <arg name="names" type="as" direction="out"/>
|
||||
+ </method>
|
||||
+ <method name="refresh">
|
||||
+ <arg name="working" type="b" direction="out"/>
|
||||
+ </method>
|
||||
+ <property name="ca-error" type="s" access="read"/>
|
||||
+ <property name="issuer-names" type="as" access="read"/>
|
||||
+ <property name="root-certs" type="a(ss)" access="read"/>
|
||||
+ <property name="root-other-certs" type="a(ss)" access="read"/>
|
||||
+ <property name="other-certs" type="a(ss)" access="read"/>
|
||||
+ <property name="required-enroll-attributes" type="as" access="read"/>
|
||||
+ <property name="required-renew-attributes" type="as" access="read"/>
|
||||
+ <property name="supported-profiles" type="as" access="read"/>
|
||||
+ <property name="default-profile" type="s" access="read"/>
|
||||
+ <property name="root-cert-files" type="as" access="readwrite"/>
|
||||
+ <property name="root-other-cert-files" type="as" access="readwrite"/>
|
||||
+ <property name="other-cert-files" type="as" access="readwrite"/>
|
||||
+ <property name="root-cert-nssdbs" type="as" access="readwrite"/>
|
||||
+ <property name="root-other-cert-nssdbs" type="as" access="readwrite"/>
|
||||
+ <property name="other-cert-nssdbs" type="as" access="readwrite"/>
|
||||
+ <property name="ca-presave-command" type="s" access="read"/>
|
||||
+ <property name="ca-presave-uid" type="s" access="read"/>
|
||||
+ <property name="ca-postsave-command" type="s" access="read"/>
|
||||
+ <property name="ca-postsave-uid" type="s" access="read"/>
|
||||
+ <property name="scep-cipher" type="s" access="readwrite"/>
|
||||
+ <property name="scep-digest" type="s" access="readwrite"/>
|
||||
+ <property name="scep-ca-identifier" type="s" access="readwrite"/>
|
||||
+ <property name="scep-ca-capabilities" type="as" access="read"/>
|
||||
+ <property name="scep-ra-cert" type="s" access="read"/>
|
||||
+ <property name="scep-ca-cert" type="s" access="read"/>
|
||||
+ <property name="scep-other-certs" type="s" access="read"/>
|
||||
+ </interface>
|
||||
+</node>
|
||||
+
|
||||
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
|
||||
+$tmpdir/cas/20180327134236-3
|
||||
+
|
||||
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
|
||||
+dogtag-ipa-renew-agent
|
||||
+
|
||||
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_is_default ]
|
||||
+0
|
||||
+
|
||||
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_type ]
|
||||
+EXTERNAL
|
||||
+
|
||||
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_serial ]
|
||||
+None
|
||||
+
|
||||
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_location ]
|
||||
+$libexecdir/dogtag-ipa-renew-agent-submit
|
||||
+
|
||||
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_issuer_names ]
|
||||
+dbus.Array([], signature=dbus.Signature('s'))
|
||||
+
|
||||
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.refresh ]
|
||||
+1
|
||||
+
|
||||
--
|
||||
2.25.4
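Review bot: The new patch file reverts the upstream removal of the certmaster CA from the 028-dbus expected output but its description gives no reason, so a future rebase onto a newer certmonger cannot tell whether the revert is still required or can be dropped. The body should state the reason explicitly, e.g. `The el8 package still installs the certmaster CA configuration, so the 028-dbus expectations must list it (CA4 = certmaster, CA5 = dogtag-ipa-renew-agent).` — presumably that is why it is re-added here, but it is inferred rather than visible in this change. It is also worth noting in the description that the hunks around CA4/CA5 and the `$tmpdir/cas/20180327134236-2` / `-3` config paths make the expected output depend on CA enumeration order, so any CA added to or removed from the shipped defaults shifts every object path in this file.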
|
||||
|
@ -1,41 +0,0 @@
|
||||
From 3dee8044adf134462fadb2b135cc965227f1fab9 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 8 Oct 2018 12:48:41 -0400
|
||||
Subject: [PATCH 18/25] clang: more Dead assignment
|
||||
|
||||
---
|
||||
src/submit-x.c | 5 ++---
|
||||
src/tdbus.c | 1 -
|
||||
2 files changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/submit-x.c b/src/submit-x.c
|
||||
index fa81e9aa..abebc610 100644
|
||||
--- a/src/submit-x.c
|
||||
+++ b/src/submit-x.c
|
||||
@@ -914,9 +914,8 @@ main(int argc, const char **argv)
|
||||
|
||||
/* Maybe we need a ccache. */
|
||||
if (k5 || (kpname != NULL) || (ktname != NULL)) {
|
||||
- if (!make_ccache ||
|
||||
- (cm_submit_x_make_ccache(ktname, kpname, NULL) == 0)) {
|
||||
- k5 = TRUE;
|
||||
+ if (make_ccache) {
|
||||
+ cm_submit_x_make_ccache(ktname, kpname, NULL);
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/src/tdbus.c b/src/tdbus.c
|
||||
index cb0a8ad7..a81b5349 100644
|
||||
--- a/src/tdbus.c
|
||||
+++ b/src/tdbus.c
|
||||
@@ -757,7 +757,6 @@ cm_tdbus_setup_public(struct tevent_context *ec, enum cm_tdbus_type bus_type,
|
||||
/* Connect to the right bus. */
|
||||
bus_desc = NULL;
|
||||
conn = NULL;
|
||||
- exit_on_disconnect = TRUE;
|
||||
if (error != NULL) {
|
||||
dbus_error_init(error);
|
||||
}
|
||||
--
|
||||
2.21.0
|
||||
|
@ -1,321 +0,0 @@
|
||||
From 0dc90f1783981ac11c3c067c40df88d6315911a6 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 8 Oct 2018 12:53:57 -0400
|
||||
Subject: [PATCH 19/25] clang: more Memory leaks
|
||||
|
||||
Fix leaks in tests/tools/addcinfo.c, dogtag.c and submit-x.c
|
||||
---
|
||||
src/dogtag.c | 17 +++++++++++++----
|
||||
src/getcert.c | 3 ++-
|
||||
src/store-files.c | 1 +
|
||||
src/submit-d.c | 6 ++++++
|
||||
src/submit-x.c | 39 ++++++++++-----------------------------
|
||||
tests/tools/addcinfo.c | 8 +++++---
|
||||
6 files changed, 37 insertions(+), 37 deletions(-)
|
||||
|
||||
diff --git a/src/dogtag.c b/src/dogtag.c
|
||||
index 55607f3d..8e3890a5 100644
|
||||
--- a/src/dogtag.c
|
||||
+++ b/src/dogtag.c
|
||||
@@ -117,7 +117,7 @@ main(int argc, const char **argv)
|
||||
const char *ssldir = NULL, *cainfo = NULL, *capath = NULL;
|
||||
const char *sslcert = NULL, *sslkey = NULL;
|
||||
const char *sslpin = NULL, *sslpinfile = NULL;
|
||||
- const char *csr = NULL, *serial = NULL, *template = NULL;
|
||||
+ const char *csr = NULL, *csre = NULL, *serial = NULL, *template = NULL;
|
||||
const char *uid = NULL, *pwd = NULL, *pwdfile = NULL;
|
||||
const char *udn = NULL, *pin = NULL, *pinfile = NULL;
|
||||
char *poptarg;
|
||||
@@ -127,7 +127,7 @@ main(int argc, const char **argv)
|
||||
} *aoptions = NULL, *soptions = NULL;
|
||||
size_t num_aoptions = 0, num_soptions = 0, j;
|
||||
char *savedstate = NULL;
|
||||
- char *p, *q, *params = NULL, *params2 = NULL;
|
||||
+ char *p = NULL, *q = NULL, *params = NULL, *params2 = NULL;
|
||||
const char *lasturl = NULL, *lastparams = NULL;
|
||||
const char *tmp = NULL, *results = NULL;
|
||||
struct cm_submit_h_context *hctx;
|
||||
@@ -537,16 +537,19 @@ main(int argc, const char **argv)
|
||||
}
|
||||
poptPrintUsage(pctx, stdout, 0);
|
||||
free(csr);
|
||||
+ free(p);
|
||||
return CM_SUBMIT_STATUS_UNCONFIGURED;
|
||||
}
|
||||
- csr = cm_submit_u_url_encode(csr);
|
||||
+ csre = cm_submit_u_url_encode(csr);
|
||||
params = talloc_asprintf(ctx,
|
||||
"profileId=%s&"
|
||||
"cert_request_type=pkcs10&"
|
||||
"cert_request=%s&"
|
||||
"xml=true",
|
||||
template,
- csr);
+ csre);
+ free(csr);
+ free(csre);
}
/* Check for creds specified as options. */
for (j = 0; j < num_soptions; j++) {
@@ -608,12 +611,16 @@ main(int argc, const char **argv)
printf(_("No agent URL (-A) given, and no default "
"known.\n"));
poptPrintUsage(pctx, stdout, 0);
+ free(p);
+ free(q);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
if ((sslcert == NULL) || (strlen(sslcert) == 0)) {
printf(_("No agent credentials (-n) given, but they "
"are needed.\n"));
poptPrintUsage(pctx, stdout, 0);
+ free(p);
+ free(q);
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
/* Reading profile defaults for this certificate, then applying
@@ -778,12 +785,14 @@ main(int argc, const char **argv)
lasturl);
}
talloc_free(ctx);
+ free(p);
return CM_SUBMIT_STATUS_UNREACHABLE;
}
if (results == NULL) {
printf(_("Internal error: no response to \"%s?%s\".\n"),
lasturl, lastparams);
talloc_free(ctx);
+ free(p);
return CM_SUBMIT_STATUS_REJECTED;
}
switch (op) {
diff --git a/src/getcert.c b/src/getcert.c
index ddb28de2..0d527ab0 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -4042,11 +4042,12 @@ thumbprint(const char *s, SECOidTag tag, int bits)
}
u = malloc(length);
if (u == NULL) {
+ free(t);
goto done;
}
length = cm_store_base64_to_bin(t, -1, u, length);
+ free(t);
if (PK11_HashBuf(tag, digest, u, length) == SECSuccess) {
- free(t);
t = malloc(bits / 4 + howmany(bits, 32));
if (t != NULL) {
ret = t;
diff --git a/src/store-files.c b/src/store-files.c
index b97ba5ff..4e57ae16 100644
--- a/src/store-files.c
+++ b/src/store-files.c
@@ -573,6 +573,7 @@ cm_store_file_read_lines(void *parent, FILE *fp)
lines = tlines;
}
}
+ free(buf);
return lines;
}
diff --git a/src/submit-d.c b/src/submit-d.c
index 5a4edb3f..36cc9828 100644
--- a/src/submit-d.c
+++ b/src/submit-d.c
@@ -1204,6 +1204,9 @@ restart:
} else {
printf("Error %d.\n", c);
}
+ if (defaults != nodefault) {
+ free(defaults);
+ }
return 1;
}
result = cm_submit_h_results(hctx, NULL) ?: "";
@@ -1365,6 +1368,9 @@ restart:
/* never reached */
break;
}
+ if (defaults != nodefault) {
+ free(defaults);
+ }
return 0;
}
#endif
diff --git a/src/submit-x.c b/src/submit-x.c
index abebc610..58d007ef 100644
--- a/src/submit-x.c
+++ b/src/submit-x.c
@@ -45,14 +45,17 @@ get_error_message(krb5_context ctx, krb5_error_code kcode)
{
const char *ret;
#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
- ret = ctx ? krb5_get_error_message(ctx, kcode) : NULL;
- if (ret == NULL) {
- ret = error_message(kcode);
+ if (ctx) {
+ const char *msg = krb5_get_error_message(ctx, kcode);
+ ret = strdup(msg);
+ krb5_free_error_message(ctx, msg);
+ } else {
+ ret = strdup(error_message(kcode));
}
#else
- ret = error_message(kcode);
+ ret = strdup(error_message(kcode));
#endif
- return strdup(ret);
+ return ret;
}
char *
@@ -75,8 +78,6 @@ cm_submit_x_ccache_realm(char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return NULL;
}
@@ -86,8 +87,6 @@ cm_submit_x_ccache_realm(char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return NULL;
}
@@ -97,8 +96,6 @@ cm_submit_x_ccache_realm(char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return NULL;
}
@@ -106,7 +103,7 @@ cm_submit_x_ccache_realm(char **msg)
if (data == NULL) {
fprintf(stderr, "Error retrieving principal realm.\n");
if (msg != NULL) {
- *msg = "Error retrieving principal realm.\n";
+ *msg = strdup("Error retrieving principal realm.\n");
}
return NULL;
}
@@ -114,7 +111,7 @@ cm_submit_x_ccache_realm(char **msg)
if (ret == NULL) {
fprintf(stderr, "Out of memory for principal realm.\n");
if (msg != NULL) {
- *msg = "Out of memory for principal realm.\n";
+ *msg = strdup("Out of memory for principal realm.\n");
}
return NULL;
}
@@ -145,8 +142,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
fprintf(stderr, "Error initializing Kerberos: %s.\n", ret);
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -160,8 +155,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -173,8 +166,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
principal, ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -186,8 +177,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -209,8 +198,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -229,8 +216,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -245,8 +230,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
@@ -257,8 +240,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
ret = get_error_message(ctx, kret));
if (msg != NULL) {
*msg = ret;
- } else {
- free(ret);
}
return kret;
}
diff --git a/tests/tools/addcinfo.c b/tests/tools/addcinfo.c
index 939005c2..e34612a5 100644
--- a/tests/tools/addcinfo.c
+++ b/tests/tools/addcinfo.c
@@ -63,7 +63,7 @@ content_info_template[] = {
int
main(int argc, char **argv)
{
- unsigned char *buffer = NULL, buf[BUFSIZ];
+ unsigned char *buffer = NULL, *newbuffer = NULL, buf[BUFSIZ];
int i, n = 0;
unsigned int j;
SECItem encoded;
@@ -73,11 +73,13 @@ main(int argc, char **argv)
cm_log_set_method(cm_log_stderr);
cm_log_set_level(3);
while ((i = read(STDIN_FILENO, buf, sizeof(buf))) > 0) {
- buffer = realloc(buffer, n + i);
- if (buffer == NULL) {
+ newbuffer = realloc(buffer, n + i);
+ if (newbuffer == NULL) {
+ free(buffer);
cm_log(0, "Out of memory.\n");
return 1;
}
+ buffer = newbuffer;
memcpy(buffer + n, buf, i);
n += i;
}
--
2.21.0
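--- a/SOURCES/PLACEHOLDER_deleted_patch_file_2.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 6b14979cdb7a177e7c5567faa67449dd1365c1b9 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 8 Oct 2018 13:16:08 -0400
-Subject: [PATCH 20/25] clang: Avoid buffer overflow
-
-This shouldn't be possible because the caller would never allow
-it all to be passed in but quiet static analyzers.
----
-src/getcert.c | 4 ++--
-1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/getcert.c b/src/getcert.c
-index 0d527ab0..bbc45479 100644
---- a/src/getcert.c
-+++ b/src/getcert.c
-@@ -1839,8 +1839,8 @@ set_tracking(const char *argv0, const char *category,
-enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS;
-DBusMessage *req, *rep;
-const char *request, *capath;
-- struct cm_tdbusm_dict param[28];
-- const struct cm_tdbusm_dict *params[29];
-+ struct cm_tdbusm_dict param[30];
-+ const struct cm_tdbusm_dict *params[30];
-char *nss_scheme, *dbdir = NULL, *token = NULL, *nickname = NULL;
-char **anchor_dbs = NULL, **anchor_files = NULL;
-char *id = NULL, *new_id = NULL, *new_request;
---
-2.21.0
-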
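--- a/SOURCES/PLACEHOLDER_deleted_patch_file_3.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 3727376f8654f9e1dd88b1f9721124f9fc96ad0a Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 8 Oct 2018 14:44:05 -0400
-Subject: [PATCH 21/25] clang: Garbage value possible
-
-Need to add guard so that error was only considered if the
-certificate was decodable and an import was attempted.
----
-src/certsave-n.c | 4 +++-
-1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/certsave-n.c b/src/certsave-n.c
-index 972a1dfa..30e242c1 100644
---- a/src/certsave-n.c
-+++ b/src/certsave-n.c
-@@ -498,6 +498,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
-}
-}
-/* Import the certificate. */
-+ error = SECFailure;
-newcert = CERT_DecodeCertFromPackage((char *)item->data, item->len);
-if (newcert != NULL) {
-error = PK11_ImportCert(sle->slot,
-@@ -506,7 +507,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
-entry->cm_cert_nickname,
-PR_FALSE);
-}
-- if (error == SECSuccess) {
-+ if ((newcert != NULL) && (error == SECSuccess)) {
-cm_log(1, "Imported certificate with "
-"nickname \"%s\".\n",
-entry->cm_cert_nickname);
-@@ -581,6 +582,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
-CERT_DestroyCertList(certlist);
-}
-} else {
-+ ec = PORT_GetError();
-if (ec != 0) {
-es = PR_ErrorToName(ec);
-} else {
---
-2.21.0
-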
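--- a/SOURCES/PLACEHOLDER_deleted_patch_file_4.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From a5c7484a00b378290069ab57c1f2e52719cc91c0 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 8 Oct 2018 14:48:43 -0400
-Subject: [PATCH 22/25] Uninitialized variable
-
----
-src/csrgen-o.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/csrgen-o.c b/src/csrgen-o.c
-index 402284ff..41b4f014 100644
---- a/src/csrgen-o.c
-+++ b/src/csrgen-o.c
-@@ -181,7 +181,7 @@ cm_csrgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
-BIGNUM *serialbn;
-char buf[LINE_MAX], *s, *nickname, *pin, *password, *filename;
-unsigned char *extensions, *upassword, *bmp, *name, *up, *uq, md[CM_DIGEST_MAX];
-- char *spkidec, *mcb64, *nows;
-+ char *spkidec = NULL, *mcb64, *nows;
-const char *default_cn = CM_DEFAULT_CERT_SUBJECT_CN, *spkihex = NULL;
-const unsigned char *nametmp;
-struct tm *now;
---
-2.21.0
-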
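--- a/SOURCES/PLACEHOLDER_deleted_patch_file_5.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 432f843ffbc0bc0b14c0501b26a10e450c5b5fcc Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 8 Oct 2018 15:43:02 -0400
-Subject: [PATCH 23/25] merge into clang: more Memory leaks
-
----
-src/getcert.c | 2 +-
-src/submit-x.c | 2 +-
-2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/getcert.c b/src/getcert.c
-index bbc45479..4713dd15 100644
---- a/src/getcert.c
-+++ b/src/getcert.c
-@@ -4040,7 +4040,7 @@ thumbprint(const char *s, SECOidTag tag, int bits)
-if (length == 0) {
-goto done;
-}
-- u = malloc(length);
-+ u = malloc(length+1);
-if (u == NULL) {
-free(t);
-goto done;
-diff --git a/src/submit-x.c b/src/submit-x.c
-index 58d007ef..467e67e4 100644
---- a/src/submit-x.c
-+++ b/src/submit-x.c
-@@ -43,7 +43,7 @@
-static char *
-get_error_message(krb5_context ctx, krb5_error_code kcode)
-{
-- const char *ret;
-+ char *ret;
-#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
-if (ctx) {
-const char *msg = krb5_get_error_message(ctx, kcode);
---
-2.21.0
-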
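--- a/SOURCES/PLACEHOLDER_deleted_patch_file_6.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From d610317f69687d0c6892209d3cb6e3c407af4d86 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 8 Oct 2018 15:44:07 -0400
-Subject: [PATCH 24/25] Add missing return type declaration
-
----
-src/tdbush.c | 1 +
-1 file changed, 1 insertion(+)
-
-diff --git a/src/tdbush.c b/src/tdbush.c
-index d1bbe4da..a10a1aff 100644
---- a/src/tdbush.c
-+++ b/src/tdbush.c
-@@ -2129,6 +2129,7 @@ ca_get_serial(DBusConnection *conn, DBusMessage *msg,
-}
-
-/* org.fedorahosted.certonger.ca.get_config_file_path */
-+static DBusHandlerResult
-ca_get_config_file_path(DBusConnection *conn, DBusMessage *msg,
-struct cm_client_info *ci, struct cm_context *ctx)
-{
---
-2.21.0
-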
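--- a/SOURCES/PLACEHOLDER_deleted_patch_file_7.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From c16545915ab280e40eefc6bfb4e86d081f20c758 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 8 Oct 2018 15:46:50 -0400
-Subject: [PATCH 25/25] Discards const qualifier
-
----
-src/dogtag.c | 3 ++-
-src/scep.c | 3 ++-
-2 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/src/dogtag.c b/src/dogtag.c
-index 8e3890a5..962a8bf4 100644
---- a/src/dogtag.c
-+++ b/src/dogtag.c
-@@ -117,9 +117,10 @@ main(int argc, const char **argv)
-const char *ssldir = NULL, *cainfo = NULL, *capath = NULL;
-const char *sslcert = NULL, *sslkey = NULL;
-const char *sslpin = NULL, *sslpinfile = NULL;
-- const char *csr = NULL, *csre = NULL, *serial = NULL, *template = NULL;
-+ const char *serial = NULL, *template = NULL;
-const char *uid = NULL, *pwd = NULL, *pwdfile = NULL;
-const char *udn = NULL, *pin = NULL, *pinfile = NULL;
-+ char *csr = NULL, *csre = NULL;
-char *poptarg;
-struct {
-char *name;
-diff --git a/src/scep.c b/src/scep.c
-index b0bd214b..b37711cf 100644
---- a/src/scep.c
-+++ b/src/scep.c
-@@ -204,7 +204,8 @@ main(int argc, const char **argv)
-int prefer_non_renewal = 0, can_renewal = 0;
-int response_code = 0, response_code2 = 0;
-enum known_ops op = op_unset;
-- const char *id = NULL, *cainfo = NULL;
-+ const char *id = NULL;
-+ char *cainfo = NULL;
-char *poptarg;
-char *message = NULL, *rekey_message = NULL;
-const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;
---
-2.21.0
-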
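--- a/SOURCES/PLACEHOLDER_deleted_patch_file_8.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From 9bbb628620d4e586941344e1bdbbc166a885c0a9 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Thu, 5 Sep 2019 12:45:52 -0400
-Subject: [PATCH] Optimize closing open file descriptors
-
-When forking, the code would close all unused file descriptors up
-to maximum number of files. In the default case this is 1024. In
-the container case this is 1048576. Huge delays in startup were
-seen due to this.
-
-Even in a default 1024 ulimit case this drastically reduces the
-number of file descriptors to mark FD_CLOEXEC but in the container
-default case this saves another order of magnitude of work.
-
-This patch takes inspiration from systemd[1] and walks /proc/self/fd
-if it is available to determine the list of open descriptors. It
-falls back to the "close all fds we don't care about up to limit"
-method.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1656519
-
-[1] https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217
----
-src/subproc.c | 71 ++++++++++++++++++++++++++++++++++++++++++++-------
-1 file changed, 62 insertions(+), 9 deletions(-)
-
-diff --git a/src/subproc.c b/src/subproc.c
-index e49e3762..8df836ae 100644
---- a/src/subproc.c
-+++ b/src/subproc.c
-@@ -19,6 +19,7 @@
-
-#include <sys/types.h>
-#include <sys/wait.h>
-+#include <dirent.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <paths.h>
-@@ -436,6 +437,25 @@ cm_subproc_parse_args(void *parent, const char *cmdline, const char **error)
-return argv;
-}
-
-+/* Based heavily on systemd version */
-+static
-+int safe_atoi(const char *s, int *ret_i) {
-+ char *x = NULL;
-+ long l;
-+
-+ errno = 0;
-+ l = strtol(s, &x, 0);
-+ if (errno > 0)
-+ return -1;
-+ if (!x || x == s || *x != 0)
-+ return -1;
-+ if ((long) (int) l != l)
-+ return -1;
-+
-+ *ret_i = (int) l;
-+ return 0;
-+}
-+
-/* Redirect stdio to /dev/null, and mark everything else as close-on-exec,
-* except for perhaps one to three of them that are passed in by number. */
-void
-@@ -443,6 +463,9 @@ cm_subproc_mark_most_cloexec(int fd, int fd2, int fd3)
-{
-int i;
-long l;
-+ DIR *dir = NULL;
-+ struct dirent *de;
-+
-if ((fd != STDIN_FILENO) &&
-(fd2 != STDIN_FILENO) &&
-(fd3 != STDIN_FILENO)) {
-@@ -482,17 +505,47 @@ cm_subproc_mark_most_cloexec(int fd, int fd2, int fd3)
-close(STDERR_FILENO);
-}
-}
-- for (i = getdtablesize() - 1; i >= 3; i--) {
-- if ((i == fd) ||
-- (i == fd2) ||
-- (i == fd3)) {
-- continue;
-+ dir = opendir("/proc/self/fd");
-+ if (!dir) {
-+ /* /proc isn't available, fall back to old way */
-+ for (i = getdtablesize() - 1; i >= 3; i--) {
-+ if ((i == fd) ||
-+ (i == fd2) ||
-+ (i == fd3)) {
-+ continue;
-+ }
-+ l = fcntl(i, F_GETFD);
-+ if (l != -1) {
-+ if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
-+ cm_log(0, "Potentially leaking FD %d.\n", i);
-+ }
-+ }
-}
-- l = fcntl(i, F_GETFD);
-- if (l != -1) {
-- if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
-- cm_log(0, "Potentially leaking FD %d.\n", i);
-+ } else {
-+ while ((de = readdir(dir)) != NULL) {
-+ int i = -1;
-+
-+ if (safe_atoi(de->d_name, &i) < 0) {
-+ continue;
-+ }
-+
-+ if ((i == fd) ||
-+ (i == fd2) ||
-+ (i == fd3)) {
-+ continue;
-+ }
-+
-+ if (i == dirfd(dir)) {
-+ continue;
-+ }
-+
-+ l = fcntl(i, F_GETFD);
-+ if (l != -1) {
-+ if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
-+ cm_log(0, "Potentially leaking FD %d.\n", i);
-+ }
-}
-}
-+ closedir(dir);
-}
-}
---
-2.21.0
-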
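--- a/SOURCES/PLACEHOLDER_deleted_patch_file_9.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From b7bcb1b3b953c2052e2d89cb2b3e9d9ccd1b3864 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Thu, 10 Oct 2019 16:28:18 -0400
-Subject: [PATCH] Don't close STDOUT when calling the CA fetch_roots function
-
-cm_subproc_mark_most_cloexec() now closes all open file
-descriptors except for up to three requested for stdin, stdout
-and stderr. Before the optimization those three were always
-left open.
-
-This was causing errors in the IPA helper ipa-server-guard
-because it tries to display the contents of stderr which was
-always being closed, causing ipa-server-guard to blow up.
----
-src/cadata.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/cadata.c b/src/cadata.c
-index eb87eb76..3e916c96 100644
---- a/src/cadata.c
-+++ b/src/cadata.c
-@@ -109,7 +109,7 @@ fetch(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, void *data)
-}
-return -1;
-}
-- cm_subproc_mark_most_cloexec(STDOUT_FILENO, -1, -1);
-+ cm_subproc_mark_most_cloexec(STDOUT_FILENO, STDERR_FILENO, -1);
-cm_log(1, "Running enrollment/cadata helper \"%s\".\n", argv[0]);
-execvp(argv[0], argv);
-u = errno;
---
-2.21.0
-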
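--- a/SOURCES/PLACEHOLDER_deleted_patch_file_10.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 205775f73f7eef7b207acccac6b853562adf604b Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Fri, 25 Oct 2019 20:25:36 +0000
-Subject: [PATCH] Don't close STDERR when submitting request
-
-cm_subproc_mark_most_cloexec() now closes all open file
-descriptors except for up to three requested for stdin, stdout
-and stderr. Before the optimization those three were always
-left open.
-
-This was causing errors in the IPA helper ipa-server-guard
-because it tries to display the contents of stderr which was
-always being closed, causing ipa-server-guard to blow up.
----
-src/submit-e.c | 4 ++--
-1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/submit-e.c b/src/submit-e.c
-index d6158d7a..69b4f8e2 100644
---- a/src/submit-e.c
-+++ b/src/submit-e.c
-@@ -941,8 +941,8 @@ cm_submit_e_helper_main(int fd, struct cm_store_ca *ca,
-}
-return -1;
-}
-- cm_log(2, "Redirecting stdin and stderr to /dev/null, leaving stdout open for child \"%s\".\n", argv[0]);
-- cm_subproc_mark_most_cloexec(STDOUT_FILENO, -1, -1);
-+ cm_log(2, "Redirecting stdin to /dev/null, leaving stdout and stderr open for child \"%s\".\n", argv[0]);
-+ cm_subproc_mark_most_cloexec(STDOUT_FILENO, STDERR_FILENO, -1);
-cm_log(1, "Running enrollment helper \"%s\".\n", argv[0]);
-execvp(argv[0], argv);
-u = errno;
---
-2.21.0
-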
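--- a/SOURCES/PLACEHOLDER_deleted_patch_file_11.patch
+++ /dev/null
@@ -1,259 +0,0 @@
-From 34c120f0259750ff2228def2955de9ad985340e6 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 26 Aug 2019 22:01:35 +0000
-Subject: [PATCH] Remove NOMODDB flag flag from context init, look for full
-tokens
-
-The NSS databases were almost universally initialized with the
-NOMODDB flag. I'm not sure if something changed in NSS but the
-PKCS#11 modules were not being initialized. Adding this back after
-permission checks are done results in tokens working again.
-
-When looking for certs and keys try the full token:nickname string
-as well as just nickname when comparing values.
-
-https://pagure.io/certmonger/issue/125
----
-src/casave.c | 3 +--
-src/certread-n.c | 33 ++++++++++++++++-----------------
-src/certsave-n.c | 5 +++++
-src/dogtag.c | 3 +--
-src/keygen-n.c | 5 +++++
-src/keyiread-n.c | 11 ++++++++++-
-src/scepgen-n.c | 5 +++++
-src/submit-n.c | 5 +++++
-src/toklist.c | 2 +-
-9 files changed, 49 insertions(+), 23 deletions(-)
-
-diff --git a/src/casave.c b/src/casave.c
-index bde63f99..1cf5a406 100644
---- a/src/casave.c
-+++ b/src/casave.c
-@@ -111,8 +111,7 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
-break;
-default:
-flags = NSS_INIT_READONLY |
-- NSS_INIT_NOROOTINIT |
-- NSS_INIT_NOMODDB;
-+ NSS_INIT_NOROOTINIT;
-/* Sigh. Not a lot of detail. Check
-* if we succeed in read-only mode,
-* which we'll interpret as lack of
-diff --git a/src/certread-n.c b/src/certread-n.c
-index d535030b..bb61b61b 100644
---- a/src/certread-n.c
-+++ b/src/certread-n.c
-@@ -157,27 +157,22 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
-cm_log(1, "Unable to open NSS database.\n");
-_exit(status);
-}
-+ /* Re-open the database with modules enabled */
-+ NSS_ShutdownContext(ctx);
-+ ctx = NSS_InitContext(entry->cm_cert_storage_location,
-+ NULL, NULL, NULL, NULL,
-+ (readwrite ? 0 : NSS_INIT_READONLY) |
-+ NSS_INIT_NOROOTINIT);
-es = util_n_fips_hook();
-if (es != NULL) {
-cm_log(1, "Error putting NSS into FIPS mode: %s\n", es);
-_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
-}
-- /* Allocate a memory pool. */
-- arena = PORT_NewArena(sizeof(double));
-- if (arena == NULL) {
-- cm_log(1, "Error opening database '%s'.\n",
-- entry->cm_cert_storage_location);
-- if (NSS_ShutdownContext(ctx) != SECSuccess) {
-- cm_log(1, "Error shutting down NSS.\n");
-- }
-- _exit(ENOMEM);
-- }
-/* Find the tokens that we might use for cert storage. */
-mech = CKM_RSA_X_509;
-slotlist = PK11_GetAllTokens(mech, PR_FALSE, PR_FALSE, NULL);
-if (slotlist == NULL) {
-cm_log(1, "Error getting list of tokens.\n");
-- PORT_FreeArena(arena, PR_TRUE);
-if (NSS_ShutdownContext(ctx) != SECSuccess) {
-cm_log(1, "Error shutting down NSS.\n");
-}
-@@ -249,6 +244,7 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
-}
-/* If we need to log in in order to read certificates, do so. */
-if (PK11_NeedLogin(sle->slot)) {
-+ cm_log(3, "Need login to token %s\n", PK11_GetTokenName(sle->slot));
-if (cm_pin_read_for_cert(entry, &pin) != 0) {
-cm_log(1, "Error reading PIN for cert db, "
-"skipping.\n");
-@@ -272,13 +268,19 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
-/* Walk the list of certificates in the slot, looking for one
-* which matches the specified nickname. */
-certs = PK11_ListCertsInSlot(sle->slot);
-+ cm_log(3, "Looking for %s\n", entry->cm_cert_nickname);
-if (certs != NULL) {
-for (node = CERT_LIST_HEAD(certs);
-!CERT_LIST_EMPTY(certs) &&
-!CERT_LIST_END(node, certs);
-node = CERT_LIST_NEXT(node)) {
-- if (strcmp(node->cert->nickname,
-- entry->cm_cert_nickname) == 0) {
-+ cm_log(3, "certread-n: Slot nickname %s\n",
-+ node->cert->nickname);
-+ es = talloc_asprintf(entry, "%s:%s",
-+ entry->cm_cert_token, entry->cm_cert_nickname);
-+ if ((strcmp(node->cert->nickname,
-+ entry->cm_cert_nickname) == 0) ||
-+ (strcmp(node->cert->nickname, es) == 0)) {
-cm_log(3, "Located the certificate "
-"\"%s\".\n",
-entry->cm_cert_nickname);
-@@ -321,7 +323,6 @@ next_slot:
-if (cert == NULL) {
-cm_log(1, "Error locating certificate.\n");
-PK11_FreeSlotList(slotlist);
-- PORT_FreeArena(arena, PR_TRUE);
-if (NSS_ShutdownContext(ctx) != SECSuccess) {
-cm_log(1, "Error shutting down NSS.\n");
-}
-@@ -332,7 +333,6 @@ next_slot:
-fclose(fp);
-CERT_DestroyCertificate(cert);
-PK11_FreeSlotList(slotlist);
-- PORT_FreeArena(arena, PR_TRUE);
-if (NSS_ShutdownContext(ctx) != SECSuccess) {
-cm_log(1, "Error shutting down NSS.\n");
-}
-@@ -358,8 +358,7 @@ cm_certread_n_parse(struct cm_store_entry *entry,
-NULL, NULL, NULL, NULL,
-NSS_INIT_NOCERTDB |
-NSS_INIT_READONLY |
-- NSS_INIT_NOROOTINIT |
-- NSS_INIT_NOMODDB);
-+ NSS_INIT_NOROOTINIT);
-if (ctx == NULL) {
-cm_log(1, "Unable to initialize NSS.\n");
-_exit(1);
-diff --git a/src/certsave-n.c b/src/certsave-n.c
-index 972a1dfa..eda03b34 100644
---- a/src/certsave-n.c
-+++ b/src/certsave-n.c
-@@ -186,6 +186,11 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
-} else {
-/* We don't try to force FIPS mode here, as it seems to get in
-* the way of saving the certificate. */
-+ NSS_ShutdownContext(ctx);
-+ ctx = NSS_InitContext(entry->cm_cert_storage_location,
-+ NULL, NULL, NULL, NULL,
-+ (readwrite ? 0 : NSS_INIT_READONLY) |
-+ NSS_INIT_NOROOTINIT);
-
-/* Allocate a memory pool. */
-arena = PORT_NewArena(sizeof(double));
-diff --git a/src/dogtag.c b/src/dogtag.c
-index 55607f3d..c43664ef 100644
---- a/src/dogtag.c
-+++ b/src/dogtag.c
-@@ -306,8 +306,7 @@ main(int argc, const char **argv)
-NULL, NULL, NULL, NULL,
-NSS_INIT_NOCERTDB |
-NSS_INIT_READONLY |
-- NSS_INIT_NOROOTINIT |
-- NSS_INIT_NOMODDB);
-+ NSS_INIT_NOROOTINIT);
-if (nctx == NULL) {
-cm_log(1, "Unable to initialize NSS.\n");
-_exit(1);
-diff --git a/src/keygen-n.c b/src/keygen-n.c
-index 061bd2af..e921d7ec 100644
---- a/src/keygen-n.c
-+++ b/src/keygen-n.c
-@@ -226,6 +226,11 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
-break;
-}
-}
-+ NSS_ShutdownContext(ctx);
-+ ctx = NSS_InitContext(entry->cm_key_storage_location,
-+ NULL, NULL, NULL, NULL,
-+ (readwrite ? 0 : NSS_INIT_READONLY) |
-+ NSS_INIT_NOROOTINIT);
-reason = util_n_fips_hook();
-if (reason != NULL) {
-cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
-diff --git a/src/keyiread-n.c b/src/keyiread-n.c
-index 91b1be41..dc1c6092 100644
---- a/src/keyiread-n.c
-+++ b/src/keyiread-n.c
-@@ -115,6 +115,11 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
-break;
-}
-}
-+ NSS_ShutdownContext(ctx);
-+ ctx = NSS_InitContext(entry->cm_key_storage_location,
-+ NULL, NULL, NULL, NULL,
-+ (readwrite ? 0 : NSS_INIT_READONLY) |
-+ NSS_INIT_NOROOTINIT);
-reason = util_n_fips_hook();
-if (reason != NULL) {
-cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
-@@ -340,8 +345,12 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
-cnode = CERT_LIST_NEXT(cnode)) {
-nickname = entry->cm_key_nickname;
-cert = cnode->cert;
-+ es = talloc_asprintf(entry, "%s:%s",
-+ entry->cm_cert_token,
-+ entry->cm_cert_nickname);
-if ((nickname != NULL) &&
-- (strcmp(cert->nickname, nickname) == 0)) {
-+ ((strcmp(cert->nickname, nickname) == 0) ||
-+ (strcmp(cert->nickname, es) == 0))) {
-cm_log(3, "Located a certificate with "
-"the key's nickname (\"%s\").\n",
-nickname);
-diff --git a/src/scepgen-n.c b/src/scepgen-n.c
-index d6735aa7..8c67b122 100644
---- a/src/scepgen-n.c
-+++ b/src/scepgen-n.c
-@@ -183,6 +183,11 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
-break;
-}
-}
-+ NSS_ShutdownContext(ctx);
-+ ctx = NSS_InitContext(entry->cm_key_storage_location,
-+ NULL, NULL, NULL, NULL,
-+ NSS_INIT_READONLY |
-+ NSS_INIT_NOROOTINIT);
-reason = util_n_fips_hook();
-if (reason != NULL) {
-cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
-diff --git a/src/submit-n.c b/src/submit-n.c
-index b07ea23a..f27b9c7f 100644
---- a/src/submit-n.c
-+++ b/src/submit-n.c
-@@ -317,6 +317,11 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
-}
-goto done;
-}
-+ NSS_ShutdownContext(ctx);
-+ ctx = NSS_InitContext(args->entry->cm_key_storage_location,
-+ NULL, NULL, NULL, NULL,
-+ NSS_INIT_READONLY |
-+ NSS_INIT_NOROOTINIT);
-reason = util_n_fips_hook();
-if (reason != NULL) {
-cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
-diff --git a/src/toklist.c b/src/toklist.c
-index a4328218..ac166722 100644
---- a/src/toklist.c
-+++ b/src/toklist.c
-@@ -79,7 +79,7 @@ main(int argc, const char **argv)
-
-/* Open the database. */
-ctx = NSS_InitContext(dbdir, NULL, NULL, NULL, NULL,
-- NSS_INIT_NOROOTINIT | NSS_INIT_NOMODDB);
-+ NSS_INIT_NOROOTINIT);
-if (ctx == NULL) {
-printf("Unable to open NSS database '%s'.\n", dbdir);
-_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
---
-2.21.0
-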
@ -1,233 +0,0 @@
|
||||
From 59df833ca5fb80c596df621a24dc461a550dba71 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Tue, 27 Aug 2019 18:01:02 +0000
|
||||
Subject: [PATCH] Update tests to include the security module DB in expected
|
||||
output
|
||||
|
||||
certmonger was previously always initializing the databases with
|
||||
the flag NSS_INIT_NOMODDB but in at elast NSS 3.44 this doesn't
|
||||
seem to initialize external modules (tested with SoftHSM2).
|
||||
|
||||
https://pagure.io/certmonger/issue/125
|
||||
---
|
||||
tests/034-perms-dbm/expected.out | 16 ++++++++++++++++
|
||||
tests/034-perms-sql/expected.out | 16 ++++++++++++++++
|
||||
tests/034-perms/expected.out | 16 ++++++++++++++++
|
||||
3 files changed, 48 insertions(+)
|
||||
|
||||
diff --git a/tests/034-perms-dbm/expected.out b/tests/034-perms-dbm/expected.out
|
||||
index c062d409..7bf23a37 100644
|
||||
--- a/tests/034-perms-dbm/expected.out
|
||||
+++ b/tests/034-perms-dbm/expected.out
|
||||
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
|
||||
[dbm:keygen]
|
||||
$owner:$group|0600|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0600|secmod.db
|
||||
[dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:csrgen]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:submit]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:save]
|
||||
$owner:$group|0662|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0662|secmod.db
|
||||
[rekey:dbm:start]
|
||||
[rekey:dbm:keygen]
|
||||
$owner:$group|0600|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0600|secmod.db
|
||||
[rekey:dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:keygen]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:csrgen]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:submit]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:save]
|
||||
$owner:$group|0662|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0662|secmod.db
|
||||
OK
|
||||
diff --git a/tests/034-perms-sql/expected.out b/tests/034-perms-sql/expected.out
|
||||
index 2808e02c..c5914e02 100644
|
||||
--- a/tests/034-perms-sql/expected.out
|
||||
+++ b/tests/034-perms-sql/expected.out
|
||||
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
|
||||
[sql:keygen]
|
||||
$owner:$group|0600|cert9.db
|
||||
$owner:$group|0620|key4.db
|
||||
+$owner:$group|0600|pkcs11.txt
|
||||
[sql:reset]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0755|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[sql:csrgen]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0620|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[sql:reset]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0755|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[sql:submit]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0755|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[sql:reset]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0755|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[sql:save]
|
||||
$owner:$group|0662|cert9.db
|
||||
$owner:$group|0620|key4.db
|
||||
+$owner:$group|0662|pkcs11.txt
|
||||
[rekey:sql:start]
|
||||
[rekey:sql:keygen]
|
||||
$owner:$group|0600|cert9.db
|
||||
$owner:$group|0620|key4.db
|
||||
+$owner:$group|0600|pkcs11.txt
|
||||
[rekey:sql:reset]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0755|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[rekey:sql:keygen]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0620|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[rekey:sql:reset]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0755|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[rekey:sql:csrgen]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0620|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[rekey:sql:reset]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0755|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[rekey:sql:submit]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0755|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[rekey:sql:reset]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0755|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[rekey:sql:save]
|
||||
$owner:$group|0662|cert9.db
|
||||
$owner:$group|0620|key4.db
|
||||
+$owner:$group|0662|pkcs11.txt
|
||||
OK
|
||||
diff --git a/tests/034-perms/expected.out b/tests/034-perms/expected.out
|
||||
index c062d409..7bf23a37 100644
|
||||
--- a/tests/034-perms/expected.out
|
||||
+++ b/tests/034-perms/expected.out
|
||||
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
|
||||
[dbm:keygen]
|
||||
$owner:$group|0600|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0600|secmod.db
|
||||
[dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:csrgen]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:submit]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:save]
|
||||
$owner:$group|0662|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0662|secmod.db
|
||||
[rekey:dbm:start]
|
||||
[rekey:dbm:keygen]
|
||||
$owner:$group|0600|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0600|secmod.db
|
||||
[rekey:dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:keygen]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:csrgen]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:submit]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:save]
|
||||
$owner:$group|0662|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0662|secmod.db
|
||||
OK
|
||||
--
|
||||
2.21.0
|
||||
|
@ -1,50 +0,0 @@
|
||||
From 64702b25951ce996532afea7d627612d6bba7451 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 10 Oct 2019 18:24:32 +0000
|
||||
Subject: [PATCH] Try to pull the entire CA chain from IPA
|
||||
|
||||
IPA originally stored a single cert in cn=cacert which is
|
||||
what certmonger has always retrieved in fetch_roots. It was
|
||||
replaced to store cn=certificates as separate entries in order
|
||||
to more easily support chains and to include additional
|
||||
metadata about certificates.
|
||||
|
||||
Try to pull the chain from that location first and fall back
|
||||
to cn=cacert if no entries are found.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1710632
|
||||
---
|
||||
src/ipa.c | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/ipa.c b/src/ipa.c
|
||||
index acd1a4e2..40a4b52c 100644
|
||||
--- a/src/ipa.c
|
||||
+++ b/src/ipa.c
|
||||
@@ -508,7 +508,8 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
|
||||
LDAP *ld = NULL;
|
||||
LDAPMessage *lresult = NULL, *lmsg = NULL;
|
||||
char *lattrs[2] = {"caCertificate;binary", NULL};
|
||||
- const char *relativedn = "cn=cacert,cn=ipa,cn=etc";
|
||||
+ const char *relativedn = "cn=certificates,cn=ipa,cn=etc";
|
||||
+ const char *relativecompatdn = "cn=cacert,cn=ipa,cn=etc";
|
||||
char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", *kerr = NULL;
|
||||
struct berval **lbvalues, *lbv;
|
||||
unsigned char *bv_val;
|
||||
@@ -543,6 +544,13 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
|
||||
rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
|
||||
lfilter, lattrs, 0, NULL, NULL, NULL,
|
||||
LDAP_NO_LIMIT, &lresult);
|
||||
+ if (rc == LDAP_SUCCESS && ldap_count_entries(ld, lresult) == 0) {
|
||||
+ /* Fall back to the old location */
|
||||
+ snprintf(ldn, sizeof(ldn), "%s,%s", relativecompatdn, basedn);
|
||||
+ rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
|
||||
+ lfilter, lattrs, 0, NULL, NULL, NULL,
|
||||
+ LDAP_NO_LIMIT, &lresult);
|
||||
+ }
|
||||
if (rc != LDAP_SUCCESS) {
|
||||
fprintf(stderr, "Error searching '%s': %s.\n",
|
||||
ldn, ldap_err2string(rc));
|
||||
--
|
||||
2.21.0
|
||||
|
@ -1,34 +0,0 @@
|
||||
From c6f2737747cbb70adfdd1a77412b669838f9c419 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 2 Dec 2019 15:08:54 -0500
|
||||
Subject: [PATCH] Fix use-after-free issue
|
||||
|
||||
The basedn value was freed after the first search but a second
|
||||
one could be initiated.
|
||||
---
|
||||
src/ipa.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/ipa.c b/src/ipa.c
|
||||
index 40a4b52c..41ca9081 100644
|
||||
--- a/src/ipa.c
|
||||
+++ b/src/ipa.c
|
||||
@@ -540,7 +540,6 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
|
||||
/* Now look up the root certificates for the domain. */
|
||||
snprintf(lfilter, sizeof(lfilter), "(%s=*)", lattrs[0]);
|
||||
snprintf(ldn, sizeof(ldn), "%s,%s", relativedn, basedn);
|
||||
- free(basedn);
|
||||
rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
|
||||
lfilter, lattrs, 0, NULL, NULL, NULL,
|
||||
LDAP_NO_LIMIT, &lresult);
|
||||
@@ -551,6 +550,7 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
|
||||
lfilter, lattrs, 0, NULL, NULL, NULL,
|
||||
LDAP_NO_LIMIT, &lresult);
|
||||
}
|
||||
+ free(basedn);
|
||||
if (rc != LDAP_SUCCESS) {
|
||||
fprintf(stderr, "Error searching '%s': %s.\n",
|
||||
ldn, ldap_err2string(rc));
|
||||
--
|
||||
2.21.0
|
||||
|
@ -1,931 +0,0 @@
|
||||
From 0aa25dc4f8c44434e3f28a7fe25a72c0871ac13b Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Wed, 29 Apr 2020 16:50:16 -0400
|
||||
Subject: [PATCH 33/39] Improve logging in SCEP helper
|
||||
|
||||
Always check return value of cm_pkcs7_verify_signed() and return
|
||||
a unique error message.
|
||||
|
||||
Change log level from 1 to 0 for all errors in scep.c and pkcs7.c
|
||||
so they appear by default.
|
||||
|
||||
Centralize logging across scep.c and pkcs7.c to reduce code
|
||||
duplication.
|
||||
|
||||
Check the return code to cm_pkcs7_verify_signed in all cases.
|
||||
|
||||
Add the last available message, if any, to the error returned
|
||||
via stdout to certmonger as a hint to what is going on.
|
||||
---
|
||||
src/pkcs7.c | 111 +++++++++++++++++++++++++++---------------------
|
||||
src/pkcs7.h | 2 +
|
||||
src/scep.c | 59 ++++++++++---------------
|
||||
src/scepgen-n.c | 28 ++++++------
|
||||
src/scepgen-o.c | 72 ++++++++++++++++---------------
|
||||
src/scepgen.c | 2 +-
|
||||
6 files changed, 140 insertions(+), 134 deletions(-)
|
||||
|
||||
diff --git a/src/pkcs7.c b/src/pkcs7.c
|
||||
index 6de1775..29420b9 100644
|
||||
--- a/src/pkcs7.c
|
||||
+++ b/src/pkcs7.c
|
||||
@@ -274,6 +274,25 @@ cm_pkcs7_parse_buffer(const unsigned char *buffer, size_t length,
|
||||
}
|
||||
}
|
||||
|
||||
+void
|
||||
+log_pkcs7_errors(int level, char *msg)
|
||||
+{
|
||||
+ char buf[LINE_MAX] = "";
|
||||
+ long error;
|
||||
+ int nss_err;
|
||||
+
|
||||
+ cm_log(level, "%s\n", msg);
|
||||
+ while ((error = ERR_get_error()) != 0) {
|
||||
+ memset(buf, '\0', sizeof(buf));
|
||||
+ ERR_error_string_n(error, buf, sizeof(buf));
|
||||
+ cm_log(level, "%s\n", buf);
|
||||
+ }
|
||||
+ nss_err = PORT_GetError();
|
||||
+ if (nss_err < 0) {
|
||||
+ cm_log(level, "%d: %s\n", nss_err, PR_ErrorToString(nss_err, 0));
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
int
|
||||
cm_pkcs7_parsev(unsigned int flags, void *parent,
|
||||
char **certleaf, char **certtop, char ***certothers,
|
||||
@@ -520,26 +539,26 @@ cm_pkcs7_envelope_data(char *encryption_cert, enum cm_prefs_cipher cipher,
|
||||
|
||||
in = BIO_new_mem_buf(encryption_cert, -1);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
recipient = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
||||
if (recipient == NULL) {
|
||||
- cm_log(1, "Error parsing recipient certificate.\n");
|
||||
+ log_pkcs7_errors(0, "Error parsing recipient certificate.\n");
|
||||
goto done;
|
||||
}
|
||||
BIO_free(in);
|
||||
|
||||
recipients = sk_X509_new(util_o_cert_cmp);
|
||||
if (recipients == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
sk_X509_push(recipients, recipient);
|
||||
|
||||
in = BIO_new_mem_buf(data, dlength);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
p7 = PKCS7_encrypt(recipients, in, cm_prefs_ossl_cipher_by_pref(cipher),
|
||||
@@ -547,22 +566,22 @@ cm_pkcs7_envelope_data(char *encryption_cert, enum cm_prefs_cipher cipher,
|
||||
BIO_free(in);
|
||||
|
||||
if (p7 == NULL) {
|
||||
- cm_log(1, "Error encrypting signing request.\n");
|
||||
+ log_pkcs7_errors(0, "Error encrypting signing request.\n");
|
||||
goto done;
|
||||
}
|
||||
len = i2d_PKCS7(p7, NULL);
|
||||
if (len < 0) {
|
||||
- cm_log(1, "Error encoding encrypted signing request.\n");
|
||||
+ log_pkcs7_errors(0, "Error encoding encrypted signing request.\n");
|
||||
goto done;
|
||||
}
|
||||
dp7 = malloc(len);
|
||||
if (dp7 == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
u = dp7;
|
||||
if (i2d_PKCS7(p7, &u) != len) {
|
||||
- cm_log(1, "Error encoding encrypted signing request.\n");
|
||||
+ log_pkcs7_errors(0, "Error encoding encrypted signing request.\n");
|
||||
goto done;
|
||||
}
|
||||
*enveloped = dp7;
|
||||
@@ -593,29 +612,29 @@ cm_pkcs7_envelope_csr(char *encryption_cert, enum cm_prefs_cipher cipher,
|
||||
|
||||
in = BIO_new_mem_buf(csr, -1);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
|
||||
BIO_free(in);
|
||||
if (req == NULL) {
|
||||
- cm_log(1, "Error parsing certificate signing request.\n");
|
||||
+ log_pkcs7_errors(0, "Error parsing certificate signing request.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
dlen = i2d_X509_REQ(req, NULL);
|
||||
if (dlen < 0) {
|
||||
- cm_log(1, "Error encoding certificate signing request.\n");
|
||||
+ log_pkcs7_errors(0, "Error encoding certificate signing request.\n");
|
||||
goto done;
|
||||
}
|
||||
dreq = malloc(dlen);
|
||||
if (dreq == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
u = dreq;
|
||||
if (i2d_X509_REQ(req, &u) != dlen) {
|
||||
- cm_log(1, "Error encoding certificate signing request.\n");
|
||||
+ log_pkcs7_errors(0, "Error encoding certificate signing request.\n");
|
||||
goto done;
|
||||
}
|
||||
ret = cm_pkcs7_envelope_data(encryption_cert, cipher, dreq, dlen,
|
||||
@@ -671,59 +690,61 @@ cm_pkcs7_generate_ias(char *cacert, char *minicert,
|
||||
|
||||
in = BIO_new_mem_buf(cacert, -1);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
ca = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
||||
BIO_free(in);
|
||||
if (ca == NULL) {
|
||||
- cm_log(1, "Error parsing CA certificate.\n");
|
||||
+ log_pkcs7_errors(0, "Error parsing CA certificate.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
in = BIO_new_mem_buf(minicert, -1);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
mini = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
||||
BIO_free(in);
|
||||
if (mini == NULL) {
|
||||
- cm_log(1, "Error parsing client certificate.\n");
|
||||
+ log_pkcs7_errors(0, "Error parsing client certificate.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
issuerlen = i2d_X509_NAME(X509_get_issuer_name(ca), NULL);
|
||||
if (issuerlen < 0) {
|
||||
- cm_log(1, "Error encoding CA certificate issuer name.\n");
|
||||
+ cm_log(0, "Error encoding CA certificate issuer name.\n");
|
||||
goto done;
|
||||
}
|
||||
issuer = malloc(issuerlen);
|
||||
if (issuer == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
u = issuer;
|
||||
if (i2d_X509_NAME(X509_get_issuer_name(ca), &u) != issuerlen) {
|
||||
- cm_log(1, "Error encoding CA certificate issuer name.\n");
|
||||
+ log_pkcs7_errors(0, "Error encoding CA certificate issuer name.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
subjectlen = i2d_X509_NAME(X509_get_subject_name(mini), NULL);
|
||||
if (subjectlen < 0) {
|
||||
- cm_log(1, "Error encoding client certificate subject name.\n");
|
||||
+ cm_log(0, "Error encoding client certificate subject name.\n");
|
||||
goto done;
|
||||
}
|
||||
subject = malloc(subjectlen);
|
||||
if (subject == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
u = subject;
|
||||
if (i2d_X509_NAME(X509_get_subject_name(mini), &u) != subjectlen) {
|
||||
- cm_log(1, "Error encoding client certificate subject name.\n");
|
||||
+ log_pkcs7_errors(0, "Error encoding client certificate subject name.\n");
|
||||
goto done;
|
||||
}
|
||||
+ PORT_SetError(0);
|
||||
+ ERR_clear_error();
|
||||
memset(&issuerandsubject, 0, sizeof(issuerandsubject));
|
||||
issuerandsubject.issuer.data = issuer;
|
||||
issuerandsubject.issuer.len = issuerlen;
|
||||
@@ -731,7 +752,7 @@ cm_pkcs7_generate_ias(char *cacert, char *minicert,
|
||||
issuerandsubject.subject.len = subjectlen;
|
||||
if (SEC_ASN1EncodeItem(NULL, &encoded, &issuerandsubject,
|
||||
cm_pkcs7_ias_template) != &encoded) {
|
||||
- cm_log(1, "Error encoding issuer and subject names.\n");
|
||||
+ log_pkcs7_errors(0, "Error encoding issuer and subject names.\n");
|
||||
goto done;
|
||||
}
|
||||
*ias = malloc(encoded.len);
|
||||
@@ -948,28 +969,28 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
u = data;
|
||||
p7 = d2i_PKCS7(NULL, &u, length);
|
||||
if ((p7 == NULL) || (u != data + length)) {
|
||||
- cm_log(1, "Error parsing what should be PKCS#7 signed-data.\n");
|
||||
+ cm_log(0, "Error parsing what should be PKCS#7 signed-data.\n");
|
||||
goto done;
|
||||
}
|
||||
if ((p7->type == NULL) || (OBJ_obj2nid(p7->type) != NID_pkcs7_signed)) {
|
||||
- cm_log(1, "PKCS#7 data is not signed-data.\n");
|
||||
+ cm_log(0, "PKCS#7 data is not signed-data.\n");
|
||||
goto done;
|
||||
}
|
||||
store = X509_STORE_new();
|
||||
if (store == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
X509_STORE_set_verify_cb_func(store, &ignore_purpose_errors);
|
||||
certs = sk_X509_new(util_o_cert_cmp);
|
||||
if (certs == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
for (i = 0; (roots != NULL) && (roots[i] != NULL); i++) {
|
||||
s = talloc_strdup(parent, roots[i]);
|
||||
if (s == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
/* In case one of these is multiple PEM certificates
|
||||
@@ -990,13 +1011,13 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
}
|
||||
in = BIO_new_mem_buf(p, q - p);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
x = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
||||
BIO_free(in);
|
||||
if (x == NULL) {
|
||||
- cm_log(1, "Error parsing chain certificate.\n");
|
||||
+ cm_log(0, "Error parsing chain certificate.\n");
|
||||
goto done;
|
||||
}
|
||||
X509_STORE_add_cert(store, x);
|
||||
@@ -1008,7 +1029,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
for (i = 0; (othercerts != NULL) && (othercerts[i] != NULL); i++) {
|
||||
s = talloc_strdup(parent, othercerts[i]);
|
||||
if (s == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
/* In case one of these is multiple PEM certificates
|
||||
@@ -1028,13 +1049,13 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
}
|
||||
in = BIO_new_mem_buf(p, q - p);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
x = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
||||
BIO_free(in);
|
||||
if (x == NULL) {
|
||||
- cm_log(1, "Error parsing chain certificate.\n");
|
||||
+ cm_log(0, "Error parsing chain certificate.\n");
|
||||
goto done;
|
||||
}
|
||||
sk_X509_push(certs, x);
|
||||
@@ -1044,7 +1065,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
}
|
||||
out = BIO_new(BIO_s_mem());
|
||||
if (out == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
if (roots != NULL) {
|
||||
@@ -1057,19 +1078,19 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
for (i = 0; i < sk_X509_num(certs); i++) {
|
||||
x = X509_dup(sk_X509_value(certs, i));
|
||||
if (x == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
PKCS7_add_certificate(p7, x);
|
||||
}
|
||||
if (PKCS7_verify(p7, certs, store, NULL, out, 0) != 1) {
|
||||
- cm_log(1, "Message failed verification.\n");
|
||||
+ cm_log(0, "Message failed verification.\n");
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
p7s = p7->d.sign;
|
||||
if (sk_PKCS7_SIGNER_INFO_num(p7s->signer_info) != 1) {
|
||||
- cm_log(1, "Number of PKCS#7 signed-data signers != 1.\n");
|
||||
+ cm_log(0, "Number of PKCS#7 signed-data signers != 1.\n");
|
||||
goto done;
|
||||
}
|
||||
si = sk_PKCS7_SIGNER_INFO_value(p7s->signer_info, 0);
|
||||
@@ -1077,12 +1098,12 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
encapsulated = p7s->contents;
|
||||
if (expected_content_type != NID_undef) {
|
||||
if (encapsulated == NULL) {
|
||||
- cm_log(1, "Error parsing PKCS#7 encapsulated content.\n");
|
||||
+ cm_log(0, "Error parsing PKCS#7 encapsulated content.\n");
|
||||
goto done;
|
||||
}
|
||||
if ((encapsulated->type == NULL) ||
|
||||
(OBJ_obj2nid(encapsulated->type) != expected_content_type)) {
|
||||
- cm_log(1, "PKCS#7 encapsulated data is not %s (%s).\n",
|
||||
+ cm_log(0, "PKCS#7 encapsulated data is not %s (%s).\n",
|
||||
OBJ_nid2ln(expected_content_type),
|
||||
encapsulated->type ?
|
||||
OBJ_nid2ln(OBJ_obj2nid(encapsulated->type)) :
|
||||
@@ -1091,7 +1112,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
}
|
||||
}
|
||||
if (attrs == NULL) {
|
||||
- cm_log(1, "PKCS#7 signed-data contains no signed attributes.\n");
|
||||
+ cm_log(0, "PKCS#7 signed-data contains no signed attributes.\n");
|
||||
goto done;
|
||||
}
|
||||
ret = 0;
|
||||
@@ -1146,7 +1167,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
if (*payload_length > 0) {
|
||||
*payload = talloc_size(parent, *payload_length + 1);
|
||||
if (*payload == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
goto done;
|
||||
}
|
||||
memcpy(*payload, s, *payload_length);
|
||||
@@ -1154,12 +1175,6 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
}
|
||||
}
|
||||
done:
|
||||
- if (ret != 0) {
|
||||
- while ((error = ERR_get_error()) != 0) {
|
||||
- ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
- }
|
||||
- }
|
||||
if (p7 != NULL) {
|
||||
PKCS7_free(p7);
|
||||
}
|
||||
diff --git a/src/pkcs7.h b/src/pkcs7.h
|
||||
index 097f7ca..fae52f8 100644
|
||||
--- a/src/pkcs7.h
|
||||
+++ b/src/pkcs7.h
|
||||
@@ -63,4 +63,6 @@ int cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
size_t *recipient_nonce_length,
|
||||
unsigned char **payload, size_t *payload_length);
|
||||
|
||||
+void log_pkcs7_errors(int level, char *msg);
|
||||
+
|
||||
#endif
|
||||
diff --git a/src/scep.c b/src/scep.c
|
||||
index b37711c..0b8bef9 100644
|
||||
--- a/src/scep.c
|
||||
+++ b/src/scep.c
|
||||
@@ -428,11 +428,15 @@ main(int argc, const char **argv)
|
||||
if ((rekey_message != NULL) && (strlen(rekey_message) != 0)) {
|
||||
tmp1 = cm_submit_u_base64_from_text(rekey_message);
|
||||
tmp2 = cm_store_base64_as_bin(ctx, tmp1, -1, &c);
|
||||
- cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
|
||||
+ i = cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
|
||||
NULL, NULL, NID_pkcs7_data, ctx, NULL,
|
||||
NULL, &msgtype, NULL, NULL,
|
||||
NULL, NULL,
|
||||
NULL, NULL, NULL, NULL);
|
||||
+ if (i != 0) {
|
||||
+ log_pkcs7_errors(0, "Error: failed to verify signature on "
|
||||
+ "rekey PKCSReq.\n");
|
||||
+ }
|
||||
if ((msgtype == NULL) ||
|
||||
((strcmp(msgtype, SCEP_MSGTYPE_PKCSREQ) != 0) &&
|
||||
(strcmp(msgtype, SCEP_MSGTYPE_GETCERTINITIAL) != 0))) {
|
||||
@@ -454,11 +458,15 @@ main(int argc, const char **argv)
|
||||
if ((message != NULL) && (strlen(message) != 0)) {
|
||||
tmp1 = cm_submit_u_base64_from_text(message);
|
||||
tmp2 = cm_store_base64_as_bin(ctx, tmp1, -1, &c);
|
||||
- cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
|
||||
+ i = cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
|
||||
NULL, NULL, NID_pkcs7_data, ctx, NULL,
|
||||
&sent_tx, &msgtype, NULL, NULL,
|
||||
&sent_nonce, &sent_nonce_length,
|
||||
NULL, NULL, NULL, NULL);
|
||||
+ if (i != 0) {
|
||||
+ log_pkcs7_errors(0, "Error: failed to verify signature on "
|
||||
+ "message.\n");
|
||||
+ }
|
||||
if ((msgtype == NULL) ||
|
||||
((strcmp(msgtype, SCEP_MSGTYPE_PKCSREQ) != 0) &&
|
||||
(strcmp(msgtype, SCEP_MSGTYPE_GETCERTINITIAL) != 0))) {
|
||||
@@ -933,14 +941,16 @@ main(int argc, const char **argv)
|
||||
&payload, &payload_length);
|
||||
if (i != 0) {
|
||||
printf(_("Error: failed to verify signature on "
|
||||
- "server response.\n"));
|
||||
- cm_log(1, "Error: failed to verify signature on "
|
||||
- "server response.\n");
|
||||
- while ((error = ERR_get_error()) != 0) {
|
||||
+ "server response. "));
|
||||
+ error = ERR_peek_last_error();
|
||||
+ if (error != 0) {
|
||||
memset(buf, '\0', sizeof(buf));
|
||||
ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
+ printf("%s", buf);
|
||||
}
|
||||
+ printf("\n");
|
||||
+ log_pkcs7_errors(0, "Error: failed to verify signature on "
|
||||
+ "server response.\n");
|
||||
s = cm_store_base64_from_bin(ctx, (unsigned char *) results2,
|
||||
results_length2);
|
||||
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
|
||||
@@ -1050,26 +1060,7 @@ main(int argc, const char **argv)
|
||||
p7 = d2i_PKCS7(NULL, &u, payload_length);
|
||||
if (p7 == NULL) {
|
||||
printf(_("Error: couldn't parse signed-data.\n"));
|
||||
- while ((error = ERR_get_error()) != 0) {
|
||||
- memset(buf, '\0', sizeof(buf));
|
||||
- ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
- }
|
||||
- s = cm_store_base64_from_bin(ctx,
|
||||
- (unsigned char *) results2,
|
||||
- results_length2);
|
||||
- s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
|
||||
- fprintf(stderr, "Full reply:\n%s", s);
|
||||
- free(s);
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
- }
|
||||
- if (!PKCS7_type_is_enveloped(p7)) {
|
||||
- printf(_("Error: signed-data payload is not enveloped-data.\n"));
|
||||
- while ((error = ERR_get_error()) != 0) {
|
||||
- memset(buf, '\0', sizeof(buf));
|
||||
- ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
- }
|
||||
+ log_pkcs7_errors(0, "Error: couldn't parse signed-data.\n");
|
||||
s = cm_store_base64_from_bin(ctx,
|
||||
(unsigned char *) results2,
|
||||
results_length2);
|
||||
@@ -1080,11 +1071,8 @@ main(int argc, const char **argv)
|
||||
}
|
||||
if (!PKCS7_type_is_enveloped(p7)) {
|
||||
printf(_("Error: signed-data payload is not enveloped-data.\n"));
|
||||
- while ((error = ERR_get_error()) != 0) {
|
||||
- memset(buf, '\0', sizeof(buf));
|
||||
- ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
- }
|
||||
+ log_pkcs7_errors(0, "Error: signed-data payload is not "
|
||||
+ "enveloped-data.\n");
|
||||
s = cm_store_base64_from_bin(ctx,
|
||||
(unsigned char *) results2,
|
||||
results_length2);
|
||||
@@ -1098,11 +1086,8 @@ main(int argc, const char **argv)
|
||||
(p7->d.enveloped->enc_data->content_type == NULL) ||
|
||||
(OBJ_obj2nid(p7->d.enveloped->enc_data->content_type) != NID_pkcs7_data)) {
|
||||
printf(_("Error: enveloped-data payload is not data.\n"));
|
||||
- while ((error = ERR_get_error()) != 0) {
|
||||
- memset(buf, '\0', sizeof(buf));
|
||||
- ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
- }
|
||||
+ log_pkcs7_errors(0, "Error: enveloped-data payload is "
|
||||
+ "not data.\n");
|
||||
s = cm_store_base64_from_bin(ctx,
|
||||
(unsigned char *) results2,
|
||||
results_length2);
|
||||
diff --git a/src/scepgen-n.c b/src/scepgen-n.c
|
||||
index 8c67b12..ce73c31 100644
|
||||
--- a/src/scepgen-n.c
|
||||
+++ b/src/scepgen-n.c
|
||||
@@ -86,14 +86,14 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
|
||||
return;
|
||||
}
|
||||
if (sk_PKCS7_SIGNER_INFO_num(p7->d.sign->signer_info) != 1) {
|
||||
- cm_log(1, "More than one signer, not sure what to do.\n");
|
||||
+ cm_log(0, "More than one signer, not sure what to do.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
sinfo = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0);
|
||||
salen = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, NULL, &PKCS7_ATTR_SIGN_it);
|
||||
u = sabuf = malloc(salen);
|
||||
if (sabuf == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
/* ASN1_item_i2d doesn't actually modify the passed-in pointer, which
|
||||
@@ -101,7 +101,7 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
|
||||
* that ourselves. */
|
||||
l = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, &u, &PKCS7_ATTR_SIGN_it);
|
||||
if (l != salen) {
|
||||
- cm_log(1, "Error encoding attributes.\n");
|
||||
+ cm_log(0, "Error encoding attributes.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
|
||||
@@ -109,12 +109,12 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
|
||||
digalg = cm_submit_n_tag_from_nid(OBJ_obj2nid(sinfo->digest_alg->algorithm));
|
||||
sigalg = SEC_GetSignatureAlgorithmOidTag(privkey->keyType, digalg);
|
||||
if (sigalg == SEC_OID_UNKNOWN) {
|
||||
- cm_log(1, "Unable to match digest algorithm and key.\n");
|
||||
+ cm_log(0, "Unable to match digest algorithm and key.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
if (SEC_SignData(&signature, sabuf, salen, privkey,
|
||||
sigalg) != SECSuccess) {
|
||||
- cm_log(1, "Error re-signing: %s.\n",
|
||||
+ cm_log(0, "Error re-signing: %s.\n",
|
||||
PR_ErrorToName(PORT_GetError()));
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
@@ -143,7 +143,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
}
|
||||
|
||||
if (ca->cm_ca_encryption_cert == NULL) {
|
||||
- cm_log(1, "Can't generate new SCEP request data without "
|
||||
+ cm_log(0, "Can't generate new SCEP request data without "
|
||||
"the RA/CA encryption certificate.\n");
|
||||
_exit(CM_SUB_STATUS_NEED_SCEP_DATA);
|
||||
}
|
||||
@@ -166,12 +166,12 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
fprintf(status, "Error opening database "
|
||||
"'%s': %s.\n",
|
||||
entry->cm_key_storage_location, es);
|
||||
- cm_log(1, "Error opening database '%s': %s.\n",
|
||||
+ cm_log(0, "Error opening database '%s': %s.\n",
|
||||
entry->cm_key_storage_location, es);
|
||||
} else {
|
||||
fprintf(status, "Error opening database '%s'.\n",
|
||||
entry->cm_key_storage_location);
|
||||
- cm_log(1, "Error opening database '%s'.\n",
|
||||
+ cm_log(0, "Error opening database '%s'.\n",
|
||||
entry->cm_key_storage_location);
|
||||
}
|
||||
switch (ec) {
|
||||
@@ -190,7 +190,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
NSS_INIT_NOROOTINIT);
|
||||
reason = util_n_fips_hook();
|
||||
if (reason != NULL) {
|
||||
- cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
|
||||
+ cm_log(0, "Error putting NSS into FIPS mode: %s\n", reason);
|
||||
_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
|
||||
}
|
||||
|
||||
@@ -198,23 +198,23 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
cm_log(1, "Generating dummy key.\n");
|
||||
key = EVP_PKEY_new();
|
||||
if (key == NULL) {
|
||||
- cm_log(1, "Error allocating new key.\n");
|
||||
+ cm_log(0, "Error allocating new key.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
exponent = BN_new();
|
||||
if (exponent == NULL) {
|
||||
- cm_log(1, "Error setting up exponent.\n");
|
||||
+ cm_log(0, "Error setting up exponent.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
BN_set_word(exponent, CM_DEFAULT_RSA_EXPONENT);
|
||||
rsa = RSA_new();
|
||||
if (rsa == NULL) {
|
||||
- cm_log(1, "Error allocating new RSA key.\n");
|
||||
+ cm_log(0, "Error allocating new RSA key.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
retry_gen:
|
||||
if (RSA_generate_key_ex(rsa, CM_DEFAULT_PUBKEY_SIZE, exponent, NULL) != 1) {
|
||||
- cm_log(1, "Error generating key.\n");
|
||||
+ cm_log(0, "Error generating key.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
if (RSA_check_key(rsa) != 1) { /* should be unnecessary */
|
||||
@@ -228,7 +228,7 @@ retry_gen:
|
||||
if ((keys->privkey->keyType != rsaKey) ||
|
||||
((keys->privkey_next != NULL) &&
|
||||
(keys->privkey_next->keyType != rsaKey))) {
|
||||
- cm_log(1, "Keys aren't RSA. They won't work with SCEP.\n");
|
||||
+ cm_log(0, "Keys aren't RSA. They won't work with SCEP.\n");
|
||||
_exit(CM_SUB_STATUS_ERROR_KEY_TYPE);
|
||||
}
|
||||
|
||||
diff --git a/src/scepgen-o.c b/src/scepgen-o.c
|
||||
index 010abb7..a431815 100644
|
||||
--- a/src/scepgen-o.c
|
||||
+++ b/src/scepgen-o.c
|
||||
@@ -76,14 +76,14 @@ key_from_file(const char *filename, struct cm_store_entry *entry)
|
||||
keyfp = fopen(filename, "r");
|
||||
if (keyfp == NULL) {
|
||||
if (errno != ENOENT) {
|
||||
- cm_log(1, "Error opening key file \"%s\" "
|
||||
+ cm_log(0, "Error opening key file \"%s\" "
|
||||
"for reading: %s.\n",
|
||||
filename, strerror(errno));
|
||||
}
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
if (cm_pin_read_for_key(entry, &pin) != 0) {
|
||||
- cm_log(1, "Internal error reading key encryption PIN.\n");
|
||||
+ cm_log(0, "Internal error reading key encryption PIN.\n");
|
||||
_exit(CM_SUB_STATUS_ERROR_AUTH);
|
||||
}
|
||||
memset(&cb_data, 0, sizeof(cb_data));
|
||||
@@ -93,24 +93,24 @@ key_from_file(const char *filename, struct cm_store_entry *entry)
|
||||
cm_pin_read_for_key_ossl_cb, &cb_data);
|
||||
if (pkey == NULL) {
|
||||
error = errno;
|
||||
- cm_log(1, "Error reading private key '%s': %s.\n",
|
||||
+ cm_log(0, "Error reading private key '%s': %s.\n",
|
||||
filename, strerror(error));
|
||||
while ((error = ERR_get_error()) != 0) {
|
||||
ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
+ cm_log(0, "%s\n", buf);
|
||||
}
|
||||
_exit(CM_SUB_STATUS_ERROR_AUTH); /* XXX */
|
||||
} else {
|
||||
if ((pin != NULL) &&
|
||||
(strlen(pin) > 0) &&
|
||||
(cb_data.n_attempts == 0)) {
|
||||
- cm_log(1, "PIN was not needed to read private "
|
||||
+ cm_log(0, "PIN was not needed to read private "
|
||||
"key '%s', though one was provided. "
|
||||
"Treating this as an error.\n",
|
||||
filename);
|
||||
while ((error = ERR_get_error()) != 0) {
|
||||
ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
+ cm_log(0, "%s\n", buf);
|
||||
}
|
||||
_exit(CM_SUB_STATUS_ERROR_AUTH); /* XXX */
|
||||
}
|
||||
@@ -127,13 +127,13 @@ cert_from_pem(char *pem, struct cm_store_entry *entry)
|
||||
if ((pem != NULL) && (strlen(pem) > 0)) {
|
||||
in = BIO_new_mem_buf(pem, -1);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
||||
BIO_free(in);
|
||||
if (cert == NULL) {
|
||||
- cm_log(1, "Error parsing certificate \"%s\".\n", pem);
|
||||
+ cm_log(0, "Error parsing certificate \"%s\".\n", pem);
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
return cert;
|
||||
@@ -155,19 +155,19 @@ certs_from_nickcerts(struct cm_nickcert **list)
|
||||
if ((this->cm_cert != NULL) && (strlen(this->cm_cert) > 0)) {
|
||||
in = BIO_new_mem_buf(this->cm_cert, -1);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
||||
BIO_free(in);
|
||||
if (cert == NULL) {
|
||||
- cm_log(1, "Error parsing certificate.\n");
|
||||
+ cm_log(0, "Error parsing certificate.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
if (sk == NULL) {
|
||||
sk = sk_X509_new(util_o_cert_cmp);
|
||||
if (sk == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
}
|
||||
@@ -300,19 +300,19 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
|
||||
|
||||
in = BIO_new_mem_buf(data, data_length);
|
||||
if (in == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
ret = PKCS7_sign(signer, key, certs, in, flags);
|
||||
if (ret == NULL) {
|
||||
- cm_log(1, "Error signing data.\n");
|
||||
+ cm_log(0, "Error signing data.\n");
|
||||
goto errors;
|
||||
}
|
||||
BIO_free(in);
|
||||
|
||||
/* Set the digest to use for signing. */
|
||||
if (sk_PKCS7_SIGNER_INFO_num(ret->d.sign->signer_info) != 1) {
|
||||
- cm_log(1, "Error signing data: %d signers.\n",
|
||||
+ cm_log(0, "Error signing data: %d signers.\n",
|
||||
sk_PKCS7_SIGNER_INFO_num(ret->d.sign->signer_info));
|
||||
goto errors;
|
||||
}
|
||||
@@ -356,7 +356,7 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
|
||||
PKCS7_content_new(ret, NID_pkcs7_data);
|
||||
out = PKCS7_dataInit(ret, NULL);
|
||||
if (out == NULL) {
|
||||
- cm_log(1, "Error signing data.\n");
|
||||
+ cm_log(0, "Error signing data.\n");
|
||||
goto errors;
|
||||
}
|
||||
BIO_write(out, data, data_length);
|
||||
@@ -366,7 +366,7 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
|
||||
errors:
|
||||
while ((error = ERR_get_error()) != 0) {
|
||||
ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
+ cm_log(0, "%s\n", buf);
|
||||
}
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
@@ -394,11 +394,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
util_o_init();
|
||||
ERR_load_crypto_strings();
|
||||
if (RAND_status() != 1) {
|
||||
- cm_log(1, "PRNG not seeded for generating key.\n");
|
||||
+ cm_log(0, "PRNG not seeded for generating key.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
if (RAND_bytes(nonce, nonce_length) == -1) {
|
||||
- cm_log(1, "PRNG unable to generate nonce.\n");
|
||||
+ cm_log(0, "PRNG unable to generate nonce.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
|
||||
@@ -410,14 +410,14 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
pem = cm_submit_u_pem_from_base64("CERTIFICATE", 0,
|
||||
entry->cm_minicert);
|
||||
if (pem == NULL) {
|
||||
- cm_log(1, "Out of memory.\n");
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
new_cert = cert_from_pem(pem, entry);
|
||||
if (new_cert == NULL) {
|
||||
while ((error = ERR_get_error()) != 0) {
|
||||
ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
+ cm_log(0, "%s\n", buf);
|
||||
}
|
||||
free(pem);
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
@@ -442,7 +442,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
cipher = cm_prefs_des;
|
||||
}
|
||||
else {
|
||||
- cm_log(1, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher);
|
||||
+ cm_log(0, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher);
|
||||
_exit(1);
|
||||
}
|
||||
|
||||
@@ -516,7 +516,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
digest = cm_prefs_md5;
|
||||
}
|
||||
else {
|
||||
- cm_log(1, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest);
|
||||
+ cm_log(0, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest);
|
||||
_exit(1);
|
||||
}
|
||||
|
||||
@@ -578,7 +578,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
ca->cm_ca_encryption_issuer_cert,
|
||||
entry->cm_cert,
|
||||
&old_ias, &old_ias_length) != 0) {
|
||||
- cm_log(1, "Error generating enveloped issuer-and-subject.\n");
|
||||
+ cm_log(0, "Error generating enveloped issuer-and-subject.\n");
|
||||
free(pem);
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
@@ -590,7 +590,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
ca->cm_ca_encryption_issuer_cert,
|
||||
pem,
|
||||
&new_ias, &new_ias_length) != 0) {
|
||||
- cm_log(1, "Error generating enveloped issuer-and-subject.\n");
|
||||
+ cm_log(0, "Error generating enveloped issuer-and-subject.\n");
|
||||
free(pem);
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
@@ -598,7 +598,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
if (cm_pkcs7_envelope_csr(ca->cm_ca_encryption_cert, cipher,
|
||||
entry->cm_csr,
|
||||
&csr, &csr_length) != 0) {
|
||||
- cm_log(1, "Error generating enveloped CSR.\n");
|
||||
+ cm_log(0, "Error generating enveloped CSR.\n");
|
||||
+ while ((error = ERR_get_error()) != 0) {
|
||||
+ ERR_error_string_n(error, buf, sizeof(buf));
|
||||
+ cm_log(0, "%s\n", buf);
|
||||
+ }
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
|
||||
@@ -608,7 +612,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
* the matching key. */
|
||||
pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(old_cert));
|
||||
if (pubkey == NULL) {
|
||||
- cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n");
|
||||
+ cm_log(0, "Error generating PKCSREQ pkiMessage: error copying key.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
util_X509_set_pubkey(old_cert, old_pkey);
|
||||
@@ -639,7 +643,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
* if we do, we did that in another code path. */
|
||||
pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert));
|
||||
if (pubkey == NULL) {
|
||||
- cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n");
|
||||
+ cm_log(0, "Error generating PKCSREQ pkiMessage: error copying key.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
util_X509_set_pubkey(new_cert, old_pkey);
|
||||
@@ -673,7 +677,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
* any previously-issued certificate won't match. */
|
||||
pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert));
|
||||
if (pubkey == NULL) {
|
||||
- cm_log(1, "Error generating rekeying PKCSREQ pkiMessage: error copying key.\n");
|
||||
+ cm_log(0, "Error generating rekeying PKCSREQ pkiMessage: error copying key.\n");
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
util_X509_set_pubkey(new_cert, new_pkey);
|
||||
@@ -703,7 +707,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
X509_free(new_cert);
|
||||
while ((error = ERR_get_error()) != 0) {
|
||||
ERR_error_string_n(error, buf, sizeof(buf));
|
||||
- cm_log(1, "%s\n", buf);
|
||||
+ cm_log(0, "%s\n", buf);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -723,14 +727,14 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
}
|
||||
|
||||
if (ca->cm_ca_encryption_cert == NULL) {
|
||||
- cm_log(1, "Can't generate new SCEP request data without "
|
||||
+ cm_log(0, "Can't generate new SCEP request data without "
|
||||
"the RA/CA encryption certificate.\n");
|
||||
_exit(CM_SUB_STATUS_NEED_SCEP_DATA);
|
||||
}
|
||||
|
||||
old_pkey = key_from_file(entry->cm_key_storage_location, entry);
|
||||
if (old_pkey == NULL) {
|
||||
- cm_log(1, "Error reading key from file \"%s\".\n",
|
||||
+ cm_log(0, "Error reading key from file \"%s\".\n",
|
||||
entry->cm_key_storage_location);
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
@@ -739,14 +743,14 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
filename = util_build_next_filename(entry->cm_key_storage_location,
|
||||
entry->cm_key_next_marker);
|
||||
if (filename == NULL) {
|
||||
- cm_log(1, "Error opening key file \"%s\" "
|
||||
+ cm_log(0, "Error opening key file \"%s\" "
|
||||
"for reading: %s.\n",
|
||||
filename, strerror(errno));
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
}
|
||||
new_pkey = key_from_file(filename, entry);
|
||||
if (new_pkey == NULL) {
|
||||
- cm_log(1, "Error reading key from file \"%s\".\n",
|
||||
+ cm_log(0, "Error reading key from file \"%s\".\n",
|
||||
filename);
|
||||
free(filename);
|
||||
_exit(CM_SUB_STATUS_INTERNAL_ERROR);
|
||||
@@ -757,7 +761,7 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
}
|
||||
if ((util_EVP_PKEY_base_id(old_pkey) != EVP_PKEY_RSA) ||
|
||||
((new_pkey != NULL) && (util_EVP_PKEY_base_id(new_pkey) != EVP_PKEY_RSA))) {
|
||||
- cm_log(1, "Keys aren't RSA. They won't work with SCEP.\n");
|
||||
+ cm_log(0, "Keys aren't RSA. They won't work with SCEP.\n");
|
||||
_exit(CM_SUB_STATUS_ERROR_KEY_TYPE);
|
||||
}
|
||||
|
||||
diff --git a/src/scepgen.c b/src/scepgen.c
|
||||
index eaf2b7c..115446f 100644
|
||||
--- a/src/scepgen.c
|
||||
+++ b/src/scepgen.c
|
||||
@@ -32,7 +32,7 @@ cm_scepgen_start(struct cm_store_ca *ca, struct cm_store_entry *entry)
|
||||
{
|
||||
switch (entry->cm_key_storage_type) {
|
||||
case cm_key_storage_none:
|
||||
- cm_log(1, "Can't generate new SCEP data for %s('%s') without "
|
||||
+ cm_log(0, "Can't generate new SCEP data for %s('%s') without "
|
||||
"the key, and we don't know where that is or should "
|
||||
"be.\n", entry->cm_busname, entry->cm_nickname);
|
||||
break;
|
||||
--
|
||||
2.21.1
|
||||
|
@ -1,33 +0,0 @@
|
||||
From e4d0a60836e1ecbcd6390b88dceb2ca29d3179dc Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 27 Feb 2020 18:15:02 -0500
|
||||
Subject: [PATCH 34/39] Add verbose option to SCEP CA if requested in
|
||||
add-scep-ca
|
||||
|
||||
This option was silently dropped from the helper arguments even
|
||||
if requested on the add-scep-ca CLI and was only passed to the
|
||||
dbus helper.
|
||||
|
||||
Add as many -v as requested though the scep helper only logs at
|
||||
most at level 1.
|
||||
---
|
||||
src/getcert.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/getcert.c b/src/getcert.c
|
||||
index 4713dd1..3d78a73 100644
|
||||
--- a/src/getcert.c
|
||||
+++ b/src/getcert.c
|
||||
@@ -4580,6 +4580,9 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
|
||||
certs ? "-I" : "",
|
||||
certs ? shell_escape(globals.tctx, certs) : "",
|
||||
prefer_non_renewal ? "-n" : "");
|
||||
+ for (c = 0; c < verbose; c++) {
|
||||
+ command = talloc_strdup_append(command, " -v");
|
||||
+ }
|
||||
if (command == NULL) {
|
||||
printf(_("Error building command line.\n"));
|
||||
exit(1);
|
||||
--
|
||||
2.21.1
|
||||
|
@ -1,422 +0,0 @@
|
||||
From 0897d5131489c7eac21d558625c30d23b0a1774d Mon Sep 17 00:00:00 2001
|
||||
From: Your Name <you@example.com>
|
||||
Date: Tue, 14 Apr 2020 13:17:14 +0000
|
||||
Subject: [PATCH 35/39] Cleanup the SCEP helper curl and talloc contexts when
|
||||
finished
|
||||
|
||||
The talloc context was freed in only a few cases and the curl
|
||||
context was never freed.
|
||||
---
|
||||
src/scep.c | 127 ++++++++++++++++++++++++++++++++-----------------
|
||||
src/submit-h.c | 15 +++++-
|
||||
src/submit-h.h | 1 +
|
||||
3 files changed, 97 insertions(+), 46 deletions(-)
|
||||
|
||||
diff --git a/src/scep.c b/src/scep.c
|
||||
index 0b8bef9..4d00692 100644
|
||||
--- a/src/scep.c
|
||||
+++ b/src/scep.c
|
||||
@@ -199,7 +199,7 @@ int
|
||||
main(int argc, const char **argv)
|
||||
{
|
||||
const char *url = NULL, *results = NULL, *results2 = NULL;
|
||||
- struct cm_submit_h_context *hctx;
|
||||
+ struct cm_submit_h_context *hctx = NULL;
|
||||
int c, verbose = 0, results_length = 0, results_length2 = 0, i;
|
||||
int prefer_non_renewal = 0, can_renewal = 0;
|
||||
int response_code = 0, response_code2 = 0;
|
||||
@@ -225,7 +225,8 @@ main(int argc, const char **argv)
|
||||
size_t payload_length;
|
||||
long error;
|
||||
PKCS7 *p7;
|
||||
- poptContext pctx;
|
||||
+ int rval = CM_SUBMIT_STATUS_UNCONFIGURED;
|
||||
+ poptContext pctx = NULL;
|
||||
struct poptOption popts[] = {
|
||||
{"url", 'u', POPT_ARG_STRING, &url, 0, "service location", "URL"},
|
||||
{"ca-identifier", 'i', POPT_ARG_STRING, &id, 0, "name to use when querying for capabilities", "IDENTIFIER"},
|
||||
@@ -388,8 +389,8 @@ main(int argc, const char **argv)
|
||||
}
|
||||
if ((message == NULL) || (strlen(message) == 0)) {
|
||||
printf(_("Error reading request. Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n"));
|
||||
- free(cainfo);
|
||||
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
|
||||
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
|
||||
+ goto done;
|
||||
}
|
||||
/* First step: read capabilities for our use. */
|
||||
params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
|
||||
@@ -408,8 +409,8 @@ main(int argc, const char **argv)
|
||||
}
|
||||
if ((message == NULL) || (strlen(message) == 0)) {
|
||||
printf(_("Error reading request. Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n"));
|
||||
- free(cainfo);
|
||||
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
|
||||
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
|
||||
+ goto done;
|
||||
}
|
||||
/* First step: read capabilities for our use. */
|
||||
params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
|
||||
@@ -420,8 +421,8 @@ main(int argc, const char **argv)
|
||||
/* Supply help output, if it's needed. */
|
||||
if (missing_args) {
|
||||
poptPrintUsage(pctx, stdout, 0);
|
||||
- free(cainfo);
|
||||
- return CM_SUBMIT_STATUS_UNCONFIGURED;
|
||||
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
|
||||
+ goto done;
|
||||
}
|
||||
|
||||
/* Check the rekey PKCSReq message, if we have one. */
|
||||
@@ -505,7 +506,6 @@ main(int argc, const char **argv)
|
||||
verbose > 1 ?
|
||||
cm_submit_h_curl_verbose_on :
|
||||
cm_submit_h_curl_verbose_off);
|
||||
- free(cainfo);
|
||||
cm_submit_h_run(hctx);
|
||||
content_type = cm_submit_h_result_type(hctx);
|
||||
if (content_type == NULL) {
|
||||
@@ -551,7 +551,8 @@ main(int argc, const char **argv)
|
||||
}
|
||||
if ((tmp2 == NULL) || (strlen(tmp2) == 0)) {
|
||||
printf(_("Error reading request. Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n"));
|
||||
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
|
||||
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
|
||||
+ goto done;
|
||||
} else
|
||||
if (verbose > 0) {
|
||||
if (tmp2 == rekey_message) {
|
||||
@@ -576,7 +577,8 @@ main(int argc, const char **argv)
|
||||
}
|
||||
if ((tmp2 == NULL) || (strlen(tmp2) == 0)) {
|
||||
printf(_("Error reading request. Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n"));
|
||||
- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
|
||||
+ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
|
||||
+ goto done;
|
||||
} else
|
||||
if (verbose > 0) {
|
||||
if (tmp2 == rekey_message) {
|
||||
@@ -638,7 +640,8 @@ main(int argc, const char **argv)
|
||||
cm_submit_h_result_code(hctx),
|
||||
url);
|
||||
}
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
switch (op) {
|
||||
case op_unset:
|
||||
@@ -651,16 +654,19 @@ main(int argc, const char **argv)
|
||||
response_code, url);
|
||||
if (response_code == 500) {
|
||||
/* The server might recover, right? */
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
} else {
|
||||
/* Maybe not? */
|
||||
- return CM_SUBMIT_STATUS_REJECTED;
|
||||
+ rval = CM_SUBMIT_STATUS_REJECTED;
|
||||
+ goto done;
|
||||
}
|
||||
}
|
||||
if (results == NULL) {
|
||||
printf(_("Internal error: no response to \"%s?%s\".\n"),
|
||||
url, params);
|
||||
- return CM_SUBMIT_STATUS_REJECTED;
|
||||
+ rval = CM_SUBMIT_STATUS_REJECTED;
|
||||
+ goto done;
|
||||
}
|
||||
break;
|
||||
case op_get_cert_initial:
|
||||
@@ -685,10 +691,12 @@ main(int argc, const char **argv)
|
||||
fprintf(stderr, "Result is surprisingly large, "
|
||||
"suppressing it.\n");
|
||||
}
|
||||
- return CM_SUBMIT_STATUS_REJECTED;
|
||||
+ rval = CM_SUBMIT_STATUS_REJECTED;
|
||||
+ goto done;
|
||||
}
|
||||
printf("%s\n", results);
|
||||
- return CM_SUBMIT_STATUS_ISSUED;
|
||||
+ rval = CM_SUBMIT_STATUS_ISSUED;
|
||||
+ goto done;
|
||||
break;
|
||||
case op_get_ca_certs:
|
||||
if ((strcasecmp(content_type,
|
||||
@@ -697,7 +705,8 @@ main(int argc, const char **argv)
|
||||
"application/x-x509-ca-ra-cert") != 0)) {
|
||||
printf(_("Server reply was of unexpected MIME type "
|
||||
"\"%s\".\n"), content_type);
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if (racert == NULL) {
|
||||
racertp = &racert;
|
||||
@@ -710,7 +719,8 @@ main(int argc, const char **argv)
|
||||
n_buffers + 1);
|
||||
if ((buffers == NULL) || (lengths == NULL)) {
|
||||
fprintf(stderr, "Out of memory.\n");
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
buffers[n_buffers] = (unsigned char *) racert;
|
||||
lengths[n_buffers] = strlen(racert);
|
||||
@@ -727,7 +737,8 @@ main(int argc, const char **argv)
|
||||
n_buffers + 1);
|
||||
if ((buffers == NULL) || (lengths == NULL)) {
|
||||
fprintf(stderr, "Out of memory.\n");
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
buffers[n_buffers] = (unsigned char *) cacert;
|
||||
lengths[n_buffers] = strlen(cacert);
|
||||
@@ -741,7 +752,8 @@ main(int argc, const char **argv)
|
||||
n_buffers + 1);
|
||||
if ((buffers == NULL) || (lengths == NULL)) {
|
||||
fprintf(stderr, "Out of memory.\n");
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
buffers[n_buffers] = (unsigned char *) results;
|
||||
lengths[n_buffers] = results_length;
|
||||
@@ -755,7 +767,8 @@ main(int argc, const char **argv)
|
||||
n_buffers + 1);
|
||||
if ((buffers == NULL) || (lengths == NULL)) {
|
||||
fprintf(stderr, "Out of memory.\n");
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
buffers[n_buffers] = (unsigned char *) results2;
|
||||
lengths[n_buffers] = results_length2;
|
||||
@@ -850,7 +863,8 @@ main(int argc, const char **argv)
|
||||
n_buffers + 1);
|
||||
if ((buffers == NULL) || (lengths == NULL)) {
|
||||
fprintf(stderr, "Out of memory.\n");
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
buffers[n_buffers] = (unsigned char *) results2;
|
||||
lengths[n_buffers] = results_length2;
|
||||
@@ -882,11 +896,11 @@ main(int argc, const char **argv)
|
||||
}
|
||||
}
|
||||
}
|
||||
- talloc_free(ctx);
|
||||
- return CM_SUBMIT_STATUS_ISSUED;
|
||||
+ rval = CM_SUBMIT_STATUS_ISSUED;
|
||||
+ goto done;
|
||||
} else {
|
||||
- talloc_free(ctx);
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
break;
|
||||
case op_get_cert_initial:
|
||||
@@ -957,42 +971,50 @@ main(int argc, const char **argv)
|
||||
fprintf(stderr, "%s", s);
|
||||
cm_log(1, "%s", s);
|
||||
free(s);
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if ((msgtype == NULL) ||
|
||||
(strcmp(msgtype, SCEP_MSGTYPE_CERTREP) != 0)) {
|
||||
printf(_("Error: reply was not a CertRep (%s).\n"),
|
||||
msgtype ? msgtype : "none");
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if (tx == NULL) {
|
||||
printf(_("Error: reply is missing transactionId.\n"));
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if (sent_tx != NULL) {
|
||||
if (strcmp(sent_tx, tx) != 0) {
|
||||
printf(_("Error: reply contains a "
|
||||
"different transactionId.\n"));
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
}
|
||||
if (pkistatus == NULL) {
|
||||
printf(_("Error: reply is missing pkiStatus.\n"));
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if (recipient_nonce == NULL) {
|
||||
printf(_("Error: reply is missing recipientNonce.\n"));
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if ((recipient_nonce_length != sent_nonce_length) ||
|
||||
(memcmp(recipient_nonce, sent_nonce,
|
||||
sent_nonce_length) != 0)) {
|
||||
printf(_("Error: reply nonce doesn't match request.\n"));
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if (sender_nonce == NULL) {
|
||||
printf(_("Error: reply is missing senderNonce.\n"));
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if (strcmp(pkistatus, SCEP_PKISTATUS_PENDING) == 0) {
|
||||
if (verbose > 0) {
|
||||
@@ -1002,7 +1024,8 @@ main(int argc, const char **argv)
|
||||
s = cm_store_base64_from_bin(ctx, sender_nonce,
|
||||
sender_nonce_length);
|
||||
printf("%s\n", s);
|
||||
- return CM_SUBMIT_STATUS_WAIT;
|
||||
+ rval = CM_SUBMIT_STATUS_WAIT;
|
||||
+ goto done;
|
||||
} else
|
||||
if (strcmp(pkistatus, SCEP_PKISTATUS_FAILURE) == 0) {
|
||||
if (verbose > 0) {
|
||||
@@ -1050,7 +1073,8 @@ main(int argc, const char **argv)
|
||||
printf(_("Server returned failure code \"%s\".\n"),
|
||||
failinfo);
|
||||
}
|
||||
- return CM_SUBMIT_STATUS_REJECTED;
|
||||
+ rval = CM_SUBMIT_STATUS_REJECTED;
|
||||
+ goto done;
|
||||
} else
|
||||
if (strcmp(pkistatus, SCEP_PKISTATUS_SUCCESS) == 0) {
|
||||
if (verbose > 0) {
|
||||
@@ -1067,7 +1091,8 @@ main(int argc, const char **argv)
|
||||
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
|
||||
fprintf(stderr, "Full reply:\n%s", s);
|
||||
free(s);
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if (!PKCS7_type_is_enveloped(p7)) {
|
||||
printf(_("Error: signed-data payload is not enveloped-data.\n"));
|
||||
@@ -1079,7 +1104,8 @@ main(int argc, const char **argv)
|
||||
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
|
||||
fprintf(stderr, "Full reply:\n%s", s);
|
||||
free(s);
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
if ((p7->d.enveloped == NULL) ||
|
||||
(p7->d.enveloped->enc_data == NULL) ||
|
||||
@@ -1094,29 +1120,42 @@ main(int argc, const char **argv)
|
||||
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
|
||||
fprintf(stderr, "Full reply:\n%s", s);
|
||||
free(s);
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
s = cm_store_base64_from_bin(ctx, payload,
|
||||
payload_length);
|
||||
s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
|
||||
printf("%s", s);
|
||||
free(s);
|
||||
- return CM_SUBMIT_STATUS_ISSUED;
|
||||
+ rval = CM_SUBMIT_STATUS_ISSUED;
|
||||
+ goto done;
|
||||
} else {
|
||||
if (verbose > 0) {
|
||||
fprintf(stderr, "SCEP status is \"%s\".\n", pkistatus);
|
||||
}
|
||||
printf(_("Error: pkiStatus \"%s\" not recognized.\n"),
|
||||
pkistatus);
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
} else {
|
||||
printf(_("Server reply was of unexpected MIME type "
|
||||
"\"%s\".\n"), content_type);
|
||||
printf("Full reply:\n%.*s", results_length2, results2);
|
||||
- return CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
|
||||
+ goto done;
|
||||
}
|
||||
break;
|
||||
}
|
||||
- return CM_SUBMIT_STATUS_UNCONFIGURED;
|
||||
+
|
||||
+done:
|
||||
+ if (pctx) {
|
||||
+ poptFreeContext(pctx);
|
||||
+ }
|
||||
+ free(cainfo);
|
||||
+ free(id);
|
||||
+ cm_submit_h_cleanup(hctx);
|
||||
+ talloc_free(ctx);
|
||||
+ return rval;
|
||||
}
|
||||
diff --git a/src/submit-h.c b/src/submit-h.c
|
||||
index 33f9b39..9b507db 100644
|
||||
--- a/src/submit-h.c
|
||||
+++ b/src/submit-h.c
|
||||
@@ -298,6 +298,15 @@ cm_submit_h_result_type(struct cm_submit_h_context *ctx)
|
||||
return ret;
|
||||
}
|
||||
|
||||
+void
|
||||
+cm_submit_h_cleanup(struct cm_submit_h_context *ctx)
|
||||
+{
|
||||
+
|
||||
+ if (ctx != NULL && ctx->curl != NULL) {
|
||||
+ curl_easy_cleanup(ctx->curl);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
#ifdef CM_SUBMIT_H_MAIN
|
||||
int
|
||||
main(int argc, const char **argv)
|
||||
@@ -307,7 +316,7 @@ main(int argc, const char **argv)
|
||||
enum cm_submit_h_opt_negotiate negotiate;
|
||||
enum cm_submit_h_opt_delegate negotiate_delegate;
|
||||
enum cm_submit_h_opt_clientauth clientauth;
|
||||
- int c, fd, l, verbose = 0, length = 0;
|
||||
+ int c, fd, l, verbose = 0, length = 0, rval = 0;
|
||||
char *ctype, *accept, *capath, *cainfo, *sslcert, *sslkey, *sslpass;
|
||||
char *pinfile;
|
||||
const char *method, *url;
|
||||
@@ -423,6 +432,8 @@ main(int argc, const char **argv)
|
||||
cm_submit_h_result_code(ctx),
|
||||
cm_submit_h_result_code_text(ctx));
|
||||
}
|
||||
- return cm_submit_h_result_code(ctx);
|
||||
+ rval = cm_submit_h_result_code(ctx);
|
||||
+ cm_submit_h_cleanup(ctx);
|
||||
+ return rval;
|
||||
}
|
||||
#endif
|
||||
diff --git a/src/submit-h.h b/src/submit-h.h
|
||||
index 1283c53..931cc89 100644
|
||||
--- a/src/submit-h.h
|
||||
+++ b/src/submit-h.h
|
||||
@@ -61,5 +61,6 @@ int cm_submit_h_result_code(struct cm_submit_h_context *ctx);
|
||||
const char *cm_submit_h_result_code_text(struct cm_submit_h_context *ctx);
|
||||
const char *cm_submit_h_results(struct cm_submit_h_context *ctx, int *length);
|
||||
const char *cm_submit_h_result_type(struct cm_submit_h_context *ctx);
|
||||
+void cm_submit_h_cleanup(struct cm_submit_h_context *ctx);
|
||||
|
||||
#endif
|
||||
--
|
||||
2.21.1
|
||||
|
@ -1,232 +0,0 @@
|
||||
From b3dad1c94f2fca289fdf22ded38a1f1463bab95f Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Wed, 15 Apr 2020 17:16:42 -0400
|
||||
Subject: [PATCH 36/39] Re-order the way the SCEP signing and CA certs are
|
||||
collected
|
||||
|
||||
Put cacert into the ca store, the racert at the top of the
|
||||
othercerts list. Then we parse certs, placing all ca certs
|
||||
we find into the ca store, and all other certs we find after
|
||||
the racert.
|
||||
|
||||
Variables are renamed to match the cm_pkcs7_parse() and
|
||||
cm_pkcs7_verify_signed() calls.
|
||||
|
||||
A special case for IPA (dogtag) was added because dogtag
|
||||
uses its CA cert to sign the PKCS7 so it is both an RA cert
|
||||
and a CA cert. If a self-signed CA is detected and no other
|
||||
certs are provided then the CA is treated as the RA.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1808052
|
||||
|
||||
Graham Leggett did the majority of the work on this patch.
|
||||
---
|
||||
src/pkcs7.c | 18 +++++++++
|
||||
src/pkcs7.h | 1 +
|
||||
src/scep.c | 104 +++++++++++++++++++++++++++++++++++-----------------
|
||||
3 files changed, 89 insertions(+), 34 deletions(-)
|
||||
|
||||
diff --git a/src/pkcs7.c b/src/pkcs7.c
|
||||
index 29420b9..f81174f 100644
|
||||
--- a/src/pkcs7.c
|
||||
+++ b/src/pkcs7.c
|
||||
@@ -1189,3 +1189,21 @@ done:
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
+
|
||||
+/* Return 0 if we think "issuer" could have issued "issued", which includes
|
||||
+ * self-signing. */
|
||||
+int
|
||||
+cm_selfsigned(char *cert)
|
||||
+{
|
||||
+ BIO *in;
|
||||
+ X509 *c;
|
||||
+
|
||||
+ in = BIO_new_mem_buf(cert, -1);
|
||||
+ if (in == NULL) {
|
||||
+ cm_log(0, "Out of memory.\n");
|
||||
+ return 1;
|
||||
+ }
|
||||
+ c = PEM_read_bio_X509(in, NULL, NULL, NULL);
|
||||
+ BIO_free(in);
|
||||
+ return(issuerissued(c, c));
|
||||
+}
|
||||
diff --git a/src/pkcs7.h b/src/pkcs7.h
|
||||
index fae52f8..cbde1bc 100644
|
||||
--- a/src/pkcs7.h
|
||||
+++ b/src/pkcs7.h
|
||||
@@ -62,6 +62,7 @@ int cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
unsigned char **recipient_nonce,
|
||||
size_t *recipient_nonce_length,
|
||||
unsigned char **payload, size_t *payload_length);
|
||||
+int cm_selfsigned(char *cert);
|
||||
|
||||
void log_pkcs7_errors(int level, char *msg);
|
||||
|
||||
diff --git a/src/scep.c b/src/scep.c
|
||||
index 4d00692..b80278e 100644
|
||||
--- a/src/scep.c
|
||||
+++ b/src/scep.c
|
||||
@@ -211,12 +211,12 @@ main(int argc, const char **argv)
|
||||
const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;
|
||||
void *ctx;
|
||||
char *params = "", *params2 = NULL, *racert = NULL, *cacert = NULL;
|
||||
- char **othercerts = NULL, *cert1 = NULL, *cert2 = NULL, *certs = NULL;
|
||||
+ char **certothers = NULL, *certleaf = NULL, *certtop = NULL, *certs = NULL;
|
||||
char **racertp, **cacertp, *dracert = NULL, *dcacert = NULL;
|
||||
char buf[LINE_MAX] = "";
|
||||
const unsigned char **buffers = NULL;
|
||||
size_t n_buffers = 0, *lengths = NULL, j;
|
||||
- const char *cacerts[3], **racerts;
|
||||
+ const char *root[3], **othercerts;
|
||||
dbus_bool_t missing_args = FALSE;
|
||||
char *sent_tx, *tx, *msgtype, *pkistatus, *failinfo, *s, *tmp1, *tmp2;
|
||||
unsigned char *sent_nonce, *sender_nonce, *recipient_nonce, *payload;
|
||||
@@ -871,27 +871,27 @@ main(int argc, const char **argv)
|
||||
n_buffers++;
|
||||
}
|
||||
if (cm_pkcs7_parsev(CM_PKCS7_LEAF_PREFER_ENCRYPT, ctx,
|
||||
- racertp, cacertp, &othercerts,
|
||||
+ racertp, cacertp, &certothers,
|
||||
NULL, NULL,
|
||||
n_buffers, buffers, lengths) == 0) {
|
||||
if (racert != NULL) {
|
||||
printf("%s", racert);
|
||||
if (cacert != NULL) {
|
||||
printf("%s", cacert);
|
||||
- if (othercerts != NULL) {
|
||||
+ if (certothers != NULL) {
|
||||
for (c = 0;
|
||||
- othercerts[c] != NULL;
|
||||
+ certothers[c] != NULL;
|
||||
c++) {
|
||||
printf("%s",
|
||||
- othercerts[c]);
|
||||
+ certothers[c]);
|
||||
}
|
||||
}
|
||||
if ((dracert != NULL) &&
|
||||
- (cert_among(dracert, racert, cacert, othercerts) != 0)) {
|
||||
+ (cert_among(dracert, racert, cacert, certothers) != 0)) {
|
||||
printf("%s", dracert);
|
||||
}
|
||||
if ((dcacert != NULL) &&
|
||||
- (cert_among(dcacert, racert, cacert, othercerts) != 0)) {
|
||||
+ (cert_among(dcacert, racert, cacert, certothers) != 0)) {
|
||||
printf("%s", dcacert);
|
||||
}
|
||||
}
|
||||
@@ -907,47 +907,83 @@ main(int argc, const char **argv)
|
||||
case op_pkcsreq:
|
||||
if ((content_type2 != NULL) && (strcasecmp(content_type2,
|
||||
"application/x-pki-message") == 0)) {
|
||||
- memset(&cacerts, 0, sizeof(cacerts));
|
||||
- cacerts[0] = cacert ? cacert : racert;
|
||||
- cacerts[1] = cacert ? racert : NULL;
|
||||
- cacerts[2] = NULL;
|
||||
- racerts = NULL;
|
||||
+ /*
|
||||
+ * At this point, we have:
|
||||
+ * - zero or more ra certs; and
|
||||
+ * - zero or more ca certificates; and
|
||||
+ * - zero or more other certificates; that
|
||||
+ * need to be reordered so that the leaf
|
||||
+ * certificates go first, the ca certificates
|
||||
+ * are separated into a seperate certificate
|
||||
+ * store, and the other certificates go after
|
||||
+ * the leaf certificates.
|
||||
+ *
|
||||
+ * To do this we put cacert into the ca store,
|
||||
+ * the racert at the top of the othercerts list.
|
||||
+ * Then we parse certs, placing all ca certs
|
||||
+ * we find into the ca store, and all other
|
||||
+ * certs we find after the racert.
|
||||
+ *
|
||||
+ * As a limitation of cm_pkcs7_parse(), we
|
||||
+ * can only isolate one ca certificate in the
|
||||
+ * list of other certificates.
|
||||
+ */
|
||||
+ /* handle the other certs */
|
||||
if ((certs != NULL) &&
|
||||
(cm_pkcs7_parse(0, ctx,
|
||||
- &cert1, &cert2, &othercerts,
|
||||
+ &certleaf, &certtop, &certothers,
|
||||
NULL, NULL,
|
||||
(const unsigned char *) certs,
|
||||
strlen(certs), NULL) == 0)) {
|
||||
- for (c = 0;
|
||||
- (othercerts != NULL) &&
|
||||
- (othercerts[c] != NULL);
|
||||
- c++) {
|
||||
- continue;
|
||||
+ /* Special case for IPA which uses dogtag which signs SCEP
|
||||
+ * certs using the CA cert and the typical way to get
|
||||
+ * verification to work is to use -I /etc/ipa/ca.crt.
|
||||
+ * Because cm_pkcs7_parse explicitly doesn't allow
|
||||
+ * certleaf to equal certtop we end up with no CAs so verification
|
||||
+ * fails.
|
||||
+ *
|
||||
+ * So if cacert and certleaf are both NULL and certtop is
|
||||
+ * self-signed then assume the IPA case and set certtop equal
|
||||
+ * to certleaf.
|
||||
+ */
|
||||
+ if ((cacert == NULL) && (certtop == NULL) && (certleaf != NULL)) {
|
||||
+ if (cm_selfsigned(certleaf) == 0) {
|
||||
+ certtop = certleaf;
|
||||
+ }
|
||||
}
|
||||
- racerts = talloc_array_ptrtype(ctx, racerts, c + 5);
|
||||
+ memset(&root, 0, sizeof(root));
|
||||
+ root[0] = cacert ? cacert : certtop ? certtop : NULL;
|
||||
+ root[1] = cacert ? certtop : NULL;
|
||||
+ root[2] = NULL;
|
||||
for (c = 0;
|
||||
- (othercerts != NULL) &&
|
||||
- (othercerts[c] != NULL);
|
||||
+ (certothers != NULL) &&
|
||||
+ (certothers[c] != NULL);
|
||||
c++) {
|
||||
- racerts[c] = othercerts[c];
|
||||
- }
|
||||
- if (cacert != NULL) {
|
||||
- racerts[c++] = cacert;
|
||||
+ continue;
|
||||
}
|
||||
- if (cert1 != NULL) {
|
||||
- racerts[c++] = cert1;
|
||||
+ othercerts = talloc_array_ptrtype(ctx, othercerts, c + 3);
|
||||
+ c = 0;
|
||||
+ if (racert != NULL) {
|
||||
+ othercerts[c++] = racert;
|
||||
}
|
||||
- if (cert2 != NULL) {
|
||||
- racerts[c++] = cert2;
|
||||
+ if (certleaf != NULL) {
|
||||
+ othercerts[c++] = certleaf;
|
||||
}
|
||||
- if (racert != NULL) {
|
||||
- racerts[c++] = racert;
|
||||
+ while (certothers != NULL && *certothers != NULL) {
|
||||
+ othercerts[c++] = *certothers++;
|
||||
}
|
||||
- racerts[c++] = NULL;
|
||||
+ othercerts[c++] = NULL;
|
||||
+ }
|
||||
+ else {
|
||||
+ root[0] = cacert;
|
||||
+ root[1] = NULL;
|
||||
+ othercerts = talloc_array_ptrtype(ctx, othercerts, 2);
|
||||
+ othercerts[0] = racert ? racert : NULL;
|
||||
+ othercerts[1] = NULL;
|
||||
}
|
||||
ERR_clear_error();
|
||||
i = cm_pkcs7_verify_signed((unsigned char *) results2, results_length2,
|
||||
- cacerts, racerts,
|
||||
+ root, othercerts,
|
||||
NID_pkcs7_data, ctx, NULL,
|
||||
&tx, &msgtype, &pkistatus, &failinfo,
|
||||
&sender_nonce, &sender_nonce_length,
|
||||
--
|
||||
2.21.1
|
||||
|
@ -1,173 +0,0 @@
|
||||
From 37ebf87fb6fc93d445139310a1c89b98f3f514de Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Wed, 29 Apr 2020 16:29:50 -0400
|
||||
Subject: [PATCH 37/39] Add new option to allow overriding the detected SCEP CA
|
||||
chain
|
||||
|
||||
The -R option was doing double-duty for the SCEP CA.
|
||||
|
||||
1. It was required if the SCEP URL used TLS
|
||||
2. It override the CA certificate downloaded from the SCEP server
|
||||
|
||||
If the chains were different then validating the SCEP responses would
|
||||
fail.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1808613
|
||||
---
|
||||
src/certmonger-scep-submit.8.in | 14 +++++++++-----
|
||||
src/getcert-add-scep-ca.1.in | 12 ++++++++----
|
||||
src/getcert.c | 6 +++++-
|
||||
src/scep.c | 13 ++++++-------
|
||||
4 files changed, 28 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in
|
||||
index 95d674a..42ffcd6 100644
|
||||
--- a/src/certmonger-scep-submit.8.in
|
||||
+++ b/src/certmonger-scep-submit.8.in
|
||||
@@ -8,6 +8,7 @@ scep-submit -u SERVER-URL
|
||||
[-r ra-cert-file]
|
||||
[-R ca-cert-file]
|
||||
[-I other-certs-file]
|
||||
+[-N ca-cert-file]
|
||||
[-i ca-identifier]
|
||||
[-v]
|
||||
[-n]
|
||||
@@ -57,11 +58,14 @@ typically \fIhttp://\fBSERVER\fP/cgi-bin/PKICLIENT.EXE\fR or
|
||||
always required.
|
||||
.TP
|
||||
\fB\-R\fR CA-certificate-file
|
||||
-The location of the SCEP server's CA certificate, which was used to
|
||||
-issue the SCEP server's certificate, or the SCEP server's own
|
||||
-certificate, if it is self-signed, in PEM form. If the URL specified
|
||||
-with the \fB-u\fR option is an \fIhttps\fR URL, then this option is
|
||||
-required.
|
||||
+The location of the CA certificate which was used to issue the SCEP web
|
||||
+server's certificate in PEM form. If the URL specified with the
|
||||
+\fB-u\fR option is an \fIhttps\fR URL, then this option is required.
|
||||
+.TP
|
||||
+\fB\-N\fR ca-certificate-file
|
||||
+The location of a PEM-formatted copy of the SCEP server's CA certificate.
|
||||
+A discovered value is normally supplied by the certmonger daemon, but one can
|
||||
+be specified for troubleshooting purposes.
|
||||
.TP
|
||||
\fB\-r\fR RA-certificate-file
|
||||
The location of the SCEP server's RA certificate, which is expected to
|
||||
diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
|
||||
index 11ab4ce..bf07306 100644
|
||||
--- a/src/getcert-add-scep-ca.1.in
|
||||
+++ b/src/getcert-add-scep-ca.1.in
|
||||
@@ -24,12 +24,16 @@ The location of the SCEP server's enrollment interface. This option must be
|
||||
specified.
|
||||
.TP
|
||||
\fB\-R\fR ca-certificate-file
|
||||
-The location of a PEM-formatted copy of the SCEP server's CA's certificate.
|
||||
-A discovered value is supplied by the certmonger daemon for use in verifying
|
||||
-the signature on data returned by the SCEP server, but it is not used for
|
||||
-verifying HTTPS server certificates.
|
||||
+The location of a PEM-formatted copy of the CA's certificate used to verify
|
||||
+the TLS connection the SCEP server.
|
||||
+
|
||||
This option must be specified if the URL is an \fIhttps\fR location.
|
||||
.TP
|
||||
+\fB\-N\fR ca-certificate-file
|
||||
+The location of a PEM-formatted copy of the SCEP server's CA certificate.
|
||||
+A discovered value is normally supplied by the certmonger daemon, but one can
|
||||
+be specified for troubleshooting purposes.
|
||||
+.TP
|
||||
\fB\-r\fR ra-certificate-file
|
||||
The location of a PEM-formatted copy of the SCEP server's RA's certificate.
|
||||
A discovered value is normally supplied by the certmonger daemon, but one can
|
||||
diff --git a/src/getcert.c b/src/getcert.c
|
||||
index 3d78a73..493771f 100644
|
||||
--- a/src/getcert.c
|
||||
+++ b/src/getcert.c
|
||||
@@ -4496,6 +4496,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
|
||||
enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS;
|
||||
char *caname = NULL, *url = NULL, *path = NULL, *id = NULL;
|
||||
char *root = NULL, *racert = NULL, *certs = NULL, *nickname, *command;
|
||||
+ char *signingca = NULL;
|
||||
const char *err;
|
||||
int c, prefer_non_renewal = 0, verbose = 0;
|
||||
dbus_bool_t b;
|
||||
@@ -4508,6 +4509,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
|
||||
{"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},
|
||||
{"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},
|
||||
{"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
|
||||
+ {"signingca", 'N', POPT_ARG_STRING, NULL, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
|
||||
{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},
|
||||
{"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},
|
||||
{"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},
|
||||
@@ -4569,7 +4571,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
|
||||
return 1;
|
||||
}
|
||||
command = talloc_asprintf(globals.tctx,
|
||||
- "%s -u %s %s %s %s %s %s %s %s",
|
||||
+ "%s -u %s %s %s %s %s %s %s %s %s %s",
|
||||
shell_escape(globals.tctx,
|
||||
CM_SCEP_HELPER_PATH),
|
||||
shell_escape(globals.tctx, url),
|
||||
@@ -4579,6 +4581,8 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
|
||||
racert ? shell_escape(globals.tctx, racert) : "",
|
||||
certs ? "-I" : "",
|
||||
certs ? shell_escape(globals.tctx, certs) : "",
|
||||
+ signingca ? "-N" : "",
|
||||
+ signingca ? shell_escape(globals.tctx, signingca) : "",
|
||||
prefer_non_renewal ? "-n" : "");
|
||||
for (c = 0; c < verbose; c++) {
|
||||
command = talloc_strdup_append(command, " -v");
|
||||
diff --git a/src/scep.c b/src/scep.c
|
||||
index b80278e..4294cda 100644
|
||||
--- a/src/scep.c
|
||||
+++ b/src/scep.c
|
||||
@@ -206,7 +206,6 @@ main(int argc, const char **argv)
|
||||
enum known_ops op = op_unset;
|
||||
const char *id = NULL;
|
||||
char *cainfo = NULL;
|
||||
- char *poptarg;
|
||||
char *message = NULL, *rekey_message = NULL;
|
||||
const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;
|
||||
void *ctx;
|
||||
@@ -235,8 +234,9 @@ main(int argc, const char **argv)
|
||||
{"get-initial-cert", 'g', POPT_ARG_NONE, NULL, 'g', "send a PKIOperation pkiMessage", NULL},
|
||||
{"pki-message", 'p', POPT_ARG_NONE, NULL, 'p', "send a PKIOperation pkiMessage", NULL},
|
||||
{"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"},
|
||||
- {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying responses", "FILENAME"},
|
||||
+ {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying TLS connections", "FILENAME"},
|
||||
{"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', "additional certificates", "FILENAME"},
|
||||
+ {"signingca", 'N', POPT_ARG_STRING, NULL, 'N', "the CA certificate which signed the RA certificate", "FILENAME"},
|
||||
{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, "prefer to not use the SCEP Renewal feature", NULL},
|
||||
{"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL},
|
||||
POPT_AUTOHELP
|
||||
@@ -329,9 +329,10 @@ main(int argc, const char **argv)
|
||||
racert = cm_submit_u_from_file(poptGetOptArg(pctx));
|
||||
break;
|
||||
case 'R':
|
||||
- poptarg = poptGetOptArg(pctx);
|
||||
- cainfo = strdup(poptarg);
|
||||
- cacert = cm_submit_u_from_file(poptarg);
|
||||
+ cainfo = poptGetOptArg(pctx);
|
||||
+ break;
|
||||
+ case 'N':
|
||||
+ cacert = cm_submit_u_from_file(poptGetOptArg(pctx));
|
||||
break;
|
||||
case 'I':
|
||||
certs = cm_submit_u_from_file(poptGetOptArg(pctx));
|
||||
@@ -340,7 +341,6 @@ main(int argc, const char **argv)
|
||||
}
|
||||
if (c != -1) {
|
||||
poptPrintUsage(pctx, stdout, 0);
|
||||
- free(cainfo);
|
||||
return CM_SUBMIT_STATUS_UNCONFIGURED;
|
||||
}
|
||||
|
||||
@@ -1189,7 +1189,6 @@ done:
|
||||
if (pctx) {
|
||||
poptFreeContext(pctx);
|
||||
}
|
||||
- free(cainfo);
|
||||
free(id);
|
||||
cm_submit_h_cleanup(hctx);
|
||||
talloc_free(ctx);
|
||||
--
|
||||
2.21.1
|
||||
|
@ -1,53 +0,0 @@
|
||||
From 914164383085c6559f0f5fe608385c3024095f74 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Wed, 29 Apr 2020 16:33:35 -0400
|
||||
Subject: [PATCH 38/39] Include template-profile, issuer and MS cert template
|
||||
in output
|
||||
|
||||
---
|
||||
src/getcert.c | 16 ++++++++++++++++
|
||||
tests/028-dbus/expected.out | 1 +
|
||||
2 files changed, 17 insertions(+)
|
||||
|
||||
diff --git a/src/getcert.c b/src/getcert.c
|
||||
index 493771f..42281af 100644
|
||||
--- a/src/getcert.c
|
||||
+++ b/src/getcert.c
|
||||
@@ -3882,6 +3882,22 @@ list(const char *argv0, int argc, const char **argv)
|
||||
printf("\t\t%s\n", as[j]);
|
||||
}
|
||||
}
|
||||
+ s1 = query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
|
||||
+ CM_DBUS_PROP_TEMPLATE_PROFILE, verbose, globals.tctx);
|
||||
+ if (s1 != NULL && strlen(s1) > 0) {
|
||||
+ printf(_("\tprofile: %s\n"), s1);
|
||||
+ }
|
||||
+ s1 = query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
|
||||
+ CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE,
|
||||
+ verbose, globals.tctx);
|
||||
+ if (s1 != NULL && strlen(s1) > 0) {
|
||||
+ printf(_("\tms v2 template: %s\n"), s1);
|
||||
+ }
|
||||
+ s1 = query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
|
||||
+ CM_DBUS_PROP_TEMPLATE_ISSUER, verbose, globals.tctx);
|
||||
+ if (s1 != NULL && strlen(s1) > 0) {
|
||||
+ printf(_("\tissuer template: %s\n"), s1);
|
||||
+ }
|
||||
printf(_("\tpre-save command: %s\n"),
|
||||
query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
|
||||
CM_DBUS_PROP_CERT_PRESAVE_COMMAND, verbose, globals.tctx));
|
||||
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
|
||||
index 1d8bec4..a25eb34 100644
|
||||
--- a/tests/028-dbus/expected.out
|
||||
+++ b/tests/028-dbus/expected.out
|
||||
@@ -15,6 +15,7 @@ Request ID 'Buddy':
|
||||
key usage: digitalSignature,dataEncipherment
|
||||
eku: id-kp-serverAuth
|
||||
certificate template/profile: SomeProfileName
|
||||
+ profile: SomeProfileName
|
||||
pre-save command: echo Pre
|
||||
post-save command: echo Post
|
||||
track: yes
|
||||
--
|
||||
2.21.1
|
||||
|
@ -1,26 +0,0 @@
|
||||
From 97ede42bda0cb8a983de30fc0608763ae6c2199f Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Wed, 29 Apr 2020 16:34:53 -0400
|
||||
Subject: [PATCH 39/39] Fix broken -N option configuration
|
||||
|
||||
There was an extra NULL value which caused it to not work.
|
||||
---
|
||||
src/getcert.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/getcert.c b/src/getcert.c
|
||||
index 42281af..5c8dc94 100644
|
||||
--- a/src/getcert.c
|
||||
+++ b/src/getcert.c
|
||||
@@ -4525,7 +4525,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
|
||||
{"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},
|
||||
{"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},
|
||||
{"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
|
||||
- {"signingca", 'N', POPT_ARG_STRING, NULL, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
|
||||
+ {"signingca", 'N', POPT_ARG_STRING, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
|
||||
{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},
|
||||
{"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},
|
||||
{"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},
|
||||
--
|
||||
2.21.1
|
||||
|
@ -1,52 +0,0 @@
|
||||
From c9c326e1878a377ce4193aaa4b1b41cb711b5e48 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 30 Apr 2020 12:46:41 -0400
|
||||
Subject: [PATCH] Address an include issue discovered by coverity
|
||||
|
||||
nspr.h isn't included so use PORT_ErrorToString() instead
|
||||
of PR_ErrorToString(), and remain consistent with the
|
||||
other PORT calls even though they directly translate
|
||||
to their NSPR equivalents.
|
||||
|
||||
Also remove a couple of unused variables in pkcs7.c
|
||||
---
|
||||
src/pkcs7.c | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/pkcs7.c b/src/pkcs7.c
|
||||
index f81174f..a569256 100644
|
||||
--- a/src/pkcs7.c
|
||||
+++ b/src/pkcs7.c
|
||||
@@ -57,6 +57,9 @@
|
||||
#define _(_text) (_text)
|
||||
#endif
|
||||
|
||||
+/* taken from nspr4.h */
|
||||
+#define PR_LANGUAGE_I_DEFAULT 0 /* i-default, the default language */
|
||||
+
|
||||
/* Return 0 if we think "issuer" could have issued "issued", which includes
|
||||
* self-signing. */
|
||||
static int
|
||||
@@ -289,7 +292,7 @@ log_pkcs7_errors(int level, char *msg)
|
||||
}
|
||||
nss_err = PORT_GetError();
|
||||
if (nss_err < 0) {
|
||||
- cm_log(level, "%d: %s\n", nss_err, PR_ErrorToString(nss_err, 0));
|
||||
+ cm_log(level, "%d: %s\n", nss_err, PORT_ErrorToString(nss_err));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -929,9 +932,8 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
|
||||
PKCS7_SIGNER_INFO *si;
|
||||
BIO *in, *out = NULL;
|
||||
const unsigned char *u;
|
||||
- char *s, buf[LINE_MAX], *p, *q;
|
||||
+ char *s, *p, *q;
|
||||
int ret = -1, i;
|
||||
- long error;
|
||||
|
||||
if (digest != NULL) {
|
||||
*digest = NULL;
|
||||
--
|
||||
2.21.1
|
||||
|
@ -1,237 +0,0 @@
|
||||
From c9fce72e17b7afa389205d946e5ca7bef997be60 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Wed, 29 Apr 2020 13:26:14 -0400
|
||||
Subject: [PATCH] Ensure that files read in have a trailing new-line
|
||||
|
||||
In SCEP when retrieving the CA chain the certificates passed in
|
||||
on the command-line (RA agent and CA cert) area printed along with
|
||||
the contents of what was retrieved remotely.
|
||||
|
||||
If one of the filesystem certificates lacks a newline then the
|
||||
output will be jumbled like:
|
||||
|
||||
-----END CERTIFICATE----------BEGIN CERTIFICATE-----\n
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1814976
|
||||
---
|
||||
src/submit-u.c | 11 +++++++
|
||||
tests/039-fromfile/expected.out | 4 +++
|
||||
tests/039-fromfile/run.sh | 55 +++++++++++++++++++++++++++++++++
|
||||
tests/Makefile.am | 10 ++++--
|
||||
tests/tools/Makefile.am | 6 +++-
|
||||
tests/tools/fromfile.c | 52 +++++++++++++++++++++++++++++++
|
||||
6 files changed, 134 insertions(+), 4 deletions(-)
|
||||
create mode 100644 tests/039-fromfile/expected.out
|
||||
create mode 100755 tests/039-fromfile/run.sh
|
||||
create mode 100644 tests/tools/fromfile.c
|
||||
|
||||
diff --git a/src/submit-u.c b/src/submit-u.c
|
||||
index b0b45ba..dca23a7 100644
|
||||
--- a/src/submit-u.c
|
||||
+++ b/src/submit-u.c
|
||||
@@ -100,6 +100,17 @@ cm_submit_u_from_file(const char *filename)
|
||||
}
|
||||
if (csr == NULL) {
|
||||
csr = strdup("");
|
||||
+ } else {
|
||||
+ int length = strlen(csr);
|
||||
+ if (csr[length-1] != '\n') {
|
||||
+ length += 1;
|
||||
+ csr = realloc(csr, length + 1);
|
||||
+ if (csr == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ csr[length - 1] = '\n';
|
||||
+ csr[length] = '\0';
|
||||
+ }
|
||||
}
|
||||
return csr;
|
||||
}
|
||||
diff --git a/tests/039-fromfile/expected.out b/tests/039-fromfile/expected.out
|
||||
new file mode 100644
|
||||
index 0000000..9191a57
|
||||
--- /dev/null
|
||||
+++ b/tests/039-fromfile/expected.out
|
||||
@@ -0,0 +1,4 @@
|
||||
+[trailing_nl]
|
||||
+Ok
|
||||
+[no_trailing_nl]
|
||||
+Ok
|
||||
diff --git a/tests/039-fromfile/run.sh b/tests/039-fromfile/run.sh
|
||||
new file mode 100755
|
||||
index 0000000..8bae773
|
||||
--- /dev/null
|
||||
+++ b/tests/039-fromfile/run.sh
|
||||
@@ -0,0 +1,55 @@
|
||||
+#!/bin/bash -e
|
||||
+
|
||||
+cd $tmpdir
|
||||
+
|
||||
+cat > $tmpdir/trailing_nl <<- EOF
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIDjjCCAnagAwIBAgIRAO1VmyXYM0f7pbXVdEGtRPMwDQYJKoZIhvcNAQELBQAw
|
||||
+UDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRob3JpdHkxLDAqBgNVBAMMI2Vk
|
||||
+NTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0NGYzMB4XDTE1MDQyODE3MDk0
|
||||
+OFoXDTE2MDQyODE3MDk0OFowUDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRo
|
||||
+b3JpdHkxLDAqBgNVBAMMI2VkNTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0
|
||||
+NGYzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5c/LhlyBs0UUiDSy
|
||||
+nrC+Q0WJkWZeQ/kqwniru+GlXgb3g+7VvyAfdZ45NiBdo/6xXyCLphK0g8oZLyi8
|
||||
+OwQQoUyVMn9gsGXbjlwSzjXKx3wdUM+lFpenx8iQS9aCfVQJ4tzFgM1pQBQ2AiHs
|
||||
+jvU18xSFSZApjT5UIK35kyH22D8LhCGGYLaU3xFEfHvd0AOuXwm5Nsiu/HTsSV4N
|
||||
+peUdFEmFzQwUEUdV2jKOPcXnOArV82vfpdp1nSCX3kruEb9G93VsmQ+9ebKXQRQE
|
||||
+Ltd65e/EYtXvihuTtElLYuyYZlYJdbTZeLXB4YLvElgNkS9JK7RKHlCm0KYQmcmd
|
||||
+GZSh8QIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQEBMB0GA1UdDgQWBBRLxeFy3+RS
|
||||
+FloygyjlXa6YEv8ltzAfBgNVHSMEGDAWgBRLxeFy3+RSFloygyjlXa6YEv8ltzAO
|
||||
+BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAH9A9ePIqZGF4VEo5D4j
|
||||
+MuOJ1J4uTRxHoEGXCDRcuCn3RvT0civWEPpRNo1YVgAWFODpt/HSi3lCVtTb7FwJ
|
||||
+hfHkxCpAuHmv3sfT8jcCwTTAXL1BLpCO6d0zz0RrFMNK+vGyZu/7LXhaYVu590Q5
|
||||
+1DMybHmln7i+Tw/eYb4Avk1FWGOEpNdf3ZjUazcDlkO4EwA6BnZUC8gFvz0OI73D
|
||||
+AJsGq/UsJvMH30ga1rZ/9LiHEMSEys5amk98yMRvi/R1qI02kjANdZ0ID/7cJSw2
|
||||
+rVCCs61jgYppWv3JHVKYmm6+cVPAUcuRdsUzDpAQDdvGAaZJENE6suulRVEaBEdS
|
||||
+8gM=
|
||||
+-----END CERTIFICATE-----
|
||||
+EOF
|
||||
+cat > $tmpdir/no_trailing_nl <<- EOF
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIDjjCCAnagAwIBAgIRAO1VmyXYM0f7pbXVdEGtRPMwDQYJKoZIhvcNAQELBQAw
|
||||
+UDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRob3JpdHkxLDAqBgNVBAMMI2Vk
|
||||
+NTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0NGYzMB4XDTE1MDQyODE3MDk0
|
||||
+OFoXDTE2MDQyODE3MDk0OFowUDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRo
|
||||
+b3JpdHkxLDAqBgNVBAMMI2VkNTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0
|
||||
+NGYzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5c/LhlyBs0UUiDSy
|
||||
+nrC+Q0WJkWZeQ/kqwniru+GlXgb3g+7VvyAfdZ45NiBdo/6xXyCLphK0g8oZLyi8
|
||||
+OwQQoUyVMn9gsGXbjlwSzjXKx3wdUM+lFpenx8iQS9aCfVQJ4tzFgM1pQBQ2AiHs
|
||||
+jvU18xSFSZApjT5UIK35kyH22D8LhCGGYLaU3xFEfHvd0AOuXwm5Nsiu/HTsSV4N
|
||||
+peUdFEmFzQwUEUdV2jKOPcXnOArV82vfpdp1nSCX3kruEb9G93VsmQ+9ebKXQRQE
|
||||
+Ltd65e/EYtXvihuTtElLYuyYZlYJdbTZeLXB4YLvElgNkS9JK7RKHlCm0KYQmcmd
|
||||
+GZSh8QIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQEBMB0GA1UdDgQWBBRLxeFy3+RS
|
||||
+FloygyjlXa6YEv8ltzAfBgNVHSMEGDAWgBRLxeFy3+RSFloygyjlXa6YEv8ltzAO
|
||||
+BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAH9A9ePIqZGF4VEo5D4j
|
||||
+MuOJ1J4uTRxHoEGXCDRcuCn3RvT0civWEPpRNo1YVgAWFODpt/HSi3lCVtTb7FwJ
|
||||
+hfHkxCpAuHmv3sfT8jcCwTTAXL1BLpCO6d0zz0RrFMNK+vGyZu/7LXhaYVu590Q5
|
||||
+1DMybHmln7i+Tw/eYb4Avk1FWGOEpNdf3ZjUazcDlkO4EwA6BnZUC8gFvz0OI73D
|
||||
+AJsGq/UsJvMH30ga1rZ/9LiHEMSEys5amk98yMRvi/R1qI02kjANdZ0ID/7cJSw2
|
||||
+rVCCs61jgYppWv3JHVKYmm6+cVPAUcuRdsUzDpAQDdvGAaZJENE6suulRVEaBEdS
|
||||
+8gM=
|
||||
+EOF
|
||||
+echo -n "-----END CERTIFICATE-----" >> $tmpdir/no_trailing_nl
|
||||
+
|
||||
+$toolsdir/fromfile trailing_nl
|
||||
+$toolsdir/fromfile no_trailing_nl
|
||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||
index fe368dc..1552c48 100644
|
||||
--- a/tests/Makefile.am
|
||||
+++ b/tests/Makefile.am
|
||||
@@ -127,7 +127,9 @@ CLEANFILES = \
|
||||
037-rekey2/actual.out \
|
||||
037-rekey2/actual.err \
|
||||
038-ms-v2-template/actual.out \
|
||||
- 038-ms-v2-template/actual.err
|
||||
+ 038-ms-v2-template/actual.err \
|
||||
+ 039-fromfile/actual.out \
|
||||
+ 039-fromfile/actual.err
|
||||
EXTRA_DIST = \
|
||||
run-tests.sh functions certmonger.conf tools/cachain.sh \
|
||||
001-keyiread/run.sh \
|
||||
@@ -349,7 +351,8 @@ EXTRA_DIST = \
|
||||
037-rekey2/run.sh \
|
||||
038-ms-v2-template/expected.out \
|
||||
038-ms-v2-template/extract-extdata.py \
|
||||
- 038-ms-v2-template/run.sh
|
||||
+ 038-ms-v2-template/run.sh \
|
||||
+ 039-fromfile/run.sh
|
||||
|
||||
subdirs = \
|
||||
001-keyiread \
|
||||
@@ -392,7 +395,8 @@ subdirs = \
|
||||
035-json \
|
||||
036-getcert \
|
||||
037-rekey2 \
|
||||
- 038-ms-v2-template
|
||||
+ 038-ms-v2-template \
|
||||
+ 039-fromfile
|
||||
|
||||
if HAVE_DBM_NSSDB
|
||||
subdirs += \
|
||||
diff --git a/tests/tools/Makefile.am b/tests/tools/Makefile.am
|
||||
index 39fa954..e0d2f08 100644
|
||||
--- a/tests/tools/Makefile.am
|
||||
+++ b/tests/tools/Makefile.am
|
||||
@@ -16,7 +16,7 @@ endif
|
||||
noinst_PROGRAMS = keyiread keygen csrgen submit certread certsave oid2name \
|
||||
name2oid iterate prefs dates listnicks pem2base base2pem \
|
||||
dparse payload checksig base64 cadata citerate casave hooks \
|
||||
- libexecdir canon srv addcinfo ls json json-utf8 printenv
|
||||
+ libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile
|
||||
noinst_LIBRARIES = libtools.a
|
||||
if HAVE_OPENSSL
|
||||
noinst_PROGRAMS += pk7parse pk7env scepgen pk7verify pk7decrypt
|
||||
@@ -38,3 +38,7 @@ citerate_LDADD = $(top_srcdir)/src/store-gen.c $(LDADD)
|
||||
|
||||
srv_SOURCES = srv.c
|
||||
srv_LDADD = $(top_srcdir)/src/srvloc.c $(LDADD)
|
||||
+
|
||||
+fromfile_CFLAGS = $(AM_CFLAGS) $(CURL_CFLAGS)
|
||||
+fromfile_SOURCES = fromfile.c
|
||||
+fromfile_LDADD = $(LDADD) $(UUID_LIBS) $(CURL_LIBS)
|
||||
diff --git a/tests/tools/fromfile.c b/tests/tools/fromfile.c
|
||||
new file mode 100644
|
||||
index 0000000..bb70507
|
||||
--- /dev/null
|
||||
+++ b/tests/tools/fromfile.c
|
||||
@@ -0,0 +1,52 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2020 Red Hat, Inc.
|
||||
+ *
|
||||
+ * This program is free software: you can redistribute it and/or modify
|
||||
+ * it under the terms of the GNU General Public License as published by
|
||||
+ * the Free Software Foundation, either version 3 of the License, or
|
||||
+ * (at your option) any later version.
|
||||
+ *
|
||||
+ * This program is distributed in the hope that it will be useful,
|
||||
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ * GNU General Public License for more details.
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License
|
||||
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+ */
|
||||
+
|
||||
+#include "../../src/config.h"
|
||||
+
|
||||
+#include <sys/types.h>
|
||||
+#include <errno.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <stdio.h>
|
||||
+
|
||||
+#include <krb5.h>
|
||||
+
|
||||
+#include "../../src/submit-u.h"
|
||||
+#include "../../src/submit-u.c"
|
||||
+
|
||||
+int
|
||||
+main(int argc, char **argv)
|
||||
+{
|
||||
+ int i, result = 0;
|
||||
+ char *cert;
|
||||
+
|
||||
+ for (i = 1; i < argc; i++) {
|
||||
+ printf("[%s]\n", argv[i]);
|
||||
+ cert = cm_submit_u_from_file(argv[i]);
|
||||
+ if (cert == NULL) {
|
||||
+ printf("OOM error\n");
|
||||
+ result = 1;
|
||||
+ }
|
||||
+ else if (cert[strlen(cert) - 1] != '\n') {
|
||||
+ printf("Missing trailing newline\n");
|
||||
+ result = 1;
|
||||
+ } else {
|
||||
+ printf("Ok\n");
|
||||
+ }
|
||||
+ free(cert);
|
||||
+ }
|
||||
+ return result;
|
||||
+}
|
||||
--
|
||||
2.18.4
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,757 +0,0 @@
|
||||
From f5b4420f01272f14416558286c66511b1e35816d Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 14 May 2020 14:37:31 -0400
|
||||
Subject: [PATCH 43/43] Add long options to command-line help
|
||||
|
||||
The command-line help mostly consisted of only the short options.
|
||||
Add the long-option and clean up some of the output.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1782838
|
||||
---
|
||||
src/getcert.c | 536 ++++++++++++++++++++++++++++++++------------------
|
||||
src/scep.c | 2 +-
|
||||
2 files changed, 345 insertions(+), 193 deletions(-)
|
||||
|
||||
diff --git a/src/getcert.c b/src/getcert.c
|
||||
index 5c8dc94..84e0bf3 100644
|
||||
--- a/src/getcert.c
|
||||
+++ b/src/getcert.c
|
||||
@@ -4864,50 +4864,90 @@ help(const char *twopartcmd, const char *category)
|
||||
"\n",
|
||||
N_("Required arguments:\n"),
|
||||
N_("* If using an NSS database for storage:\n"),
|
||||
- N_(" -d DIR NSS database for key and cert\n"),
|
||||
- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
|
||||
- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
|
||||
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
|
||||
+ N_(" -n NAME, --nickname NAME\n"),
|
||||
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
|
||||
+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"),
|
||||
+ N_(" (only valid with -d)\n"),
|
||||
N_("* If using files for storage:\n"),
|
||||
- N_(" -k FILE PEM file for private key\n"),
|
||||
- N_(" -f FILE PEM file for certificate (only valid with -k)\n"),
|
||||
+ N_(" -k FILE, --keyfile=FILE\n"),
|
||||
+ N_(" PEM file for private key\n"),
|
||||
+ N_(" -f FILE, --certfile=FILE\n"),
|
||||
+ N_(" PEM file for certificate (only valid with -k)\n"),
|
||||
N_("* If keys are to be encrypted:\n"),
|
||||
- N_(" -p FILE file which holds the encryption PIN\n"),
|
||||
- N_(" -P PIN PIN value\n"),
|
||||
+ N_(" -p FILE, --pinfile=FILE\n"),
|
||||
+ N_(" file which holds the encryption PIN\n"),
|
||||
+ N_(" -P PIN, --pin=PIN PIN value\n"),
|
||||
"\n",
|
||||
N_("Optional arguments:\n"),
|
||||
N_("* Certificate handling settings:\n"),
|
||||
- N_(" -I NAME nickname to assign to the request\n"),
|
||||
- N_(" -G TYPE type of key to be generated if one is not already in place\n"),
|
||||
- N_(" -g SIZE size of key to be generated if one is not already in place\n"),
|
||||
- N_(" -r attempt to renew the certificate when expiration nears (default)\n"),
|
||||
- N_(" -R don't attempt to renew the certificate when expiration nears\n"),
|
||||
+ N_(" -I NAME, --new-id=NAME\n"),
|
||||
+ N_(" new nickname to give to tracking request\n"),
|
||||
+ N_(" -G TYPE, --key-type=TYPE\n"),
|
||||
+ N_(" type of key to be generated if one is not already\n"),
|
||||
+ N_(" in place\n"),
|
||||
+ N_(" -g BITS, --key-size=BITS\n"),
|
||||
+ N_(" size of key to be generated if one is not already\n"),
|
||||
+ N_(" in place\n"),
|
||||
+ N_(" -r, --renew attempt to renew the certificate when\n"),
|
||||
+ N_(" expiration nears (default)\n"),
|
||||
+ N_(" -R, --no-renew don't attempt to renew the certificate when\n"),
|
||||
+ N_(" expiration nears\n"),
|
||||
#ifndef FORCE_CA
|
||||
- N_(" -c CA use the specified CA rather than the default\n"),
|
||||
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
|
||||
#endif
|
||||
- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"),
|
||||
+ N_(" -T PROFILE, --profile=NAME\n"),
|
||||
+ N_(" ask the CA to process the request using the\n"),
|
||||
+ N_(" named profile or template\n"),
|
||||
N_(" --ms-template-spec SPEC\n"),
|
||||
- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
|
||||
- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"),
|
||||
+ N_(" include V2 template specifier in CSR\n"),
|
||||
+ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
|
||||
+ N_(" -X ISSUER, --issuer=ISSUER\n"),
|
||||
+ N_(" ask the CA to process the request using the\n"),
|
||||
+ N_(" named issuer\n"),
|
||||
N_("* Parameters for the signing request:\n"),
|
||||
- N_(" -N NAME set requested subject name (default: CN=<hostname>)\n"),
|
||||
- N_(" -U EXTUSAGE set requested extended key usage OID\n"),
|
||||
- N_(" -u KEYUSAGE set requested key usage value\n"),
|
||||
- N_(" -K NAME set requested principal name\n"),
|
||||
- N_(" -D DNSNAME set requested DNS name\n"),
|
||||
- N_(" -E EMAIL set requested email address\n"),
|
||||
- N_(" -A ADDRESS set requested IP address\n"),
|
||||
- N_(" -l FILE file which holds an optional challenge password\n"),
|
||||
- N_(" -L PASSWORD an optional challenge password value\n"),
|
||||
+ N_(" -N NAME, --subject-name=NAME\n"),
|
||||
+ N_(" set requested subject name (default: CN=<hostname>)\n"),
|
||||
+ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),
|
||||
+ N_(" override requested extended key usage OID\n"),
|
||||
+ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"),
|
||||
+ N_(" set requested key usage value\n"),
|
||||
+ N_(" -K NAME, --principal=NAME\n"),
|
||||
+ N_(" override requested principal name\n"),
|
||||
+ N_(" -D DNSNAME, --dns=DNSNAME\n"),
|
||||
+ N_(" override requested DNS name\n"),
|
||||
+ N_(" -E EMAIL, --email=EMAIL\n"),
|
||||
+ N_(" override requested email address\n"),
|
||||
+ N_(" -A ADDRESS, --ip-address=ADDRESS\n"),
|
||||
+ N_(" override requested IP address\n"),
|
||||
+ N_(" -l FILE, --challenge-password-file=FILE\n"),
|
||||
+ N_(" file which holds an optional challenge password\n"),
|
||||
+ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"),
|
||||
+ N_(" an optional challenge password value\n"),
|
||||
N_("* Bus options:\n"),
|
||||
- N_(" -S connect to the certmonger service on the system bus\n"),
|
||||
- N_(" -s connect to the certmonger service on the session bus\n"),
|
||||
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
|
||||
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
|
||||
N_("* Other options:\n"),
|
||||
- N_(" -B command to run before saving the certificate\n"),
|
||||
- N_(" -C command to run after saving the certificate\n"),
|
||||
- N_(" -F file in which to store the CA's certificates\n"),
|
||||
- N_(" -a NSS database in which to store the CA's certificates\n"),
|
||||
- N_(" -w try to wait for the certificate to be issued\n"),
|
||||
- N_(" -v report all details of errors\n"),
|
||||
+ N_(" -B COMMAND, --before-command=COMMAND\n"),
|
||||
+ N_(" command to run before saving the certificate\n"),
|
||||
+ N_(" -C COMMAND, --after-command=COMMAND\n"),
|
||||
+ N_(" command to run after saving the certificate\n"),
|
||||
+ N_(" -F FILE, --ca-file=FILE\n"),
|
||||
+ N_(" file in which to store the CA's certificates\n"),
|
||||
+ N_(" -a DIR, --ca-dbdir=DIR\n"),
|
||||
+ N_(" NSS database in which to store the CA's certificates\n"),
|
||||
+ N_(" -w, --wait try to wait for the certificate to be issued\n"),
|
||||
+ N_(" --wait-timeout TIMEOUT\n"),
|
||||
+ N_(" Maximum time to wait for the certificateto be issued\n"),
|
||||
+ N_(" -v, --verbose report all details of errors\n"),
|
||||
+ N_(" -o OWNER, --key-owner=OWNER\n"),
|
||||
+ N_(" owner information for private key\n"),
|
||||
+ N_(" -m MODE, --key-perms=MODE\n"),
|
||||
+ N_(" file permissions for private key\n"),
|
||||
+ N_(" -O OWNER, --cert-owner=OWNER\n"),
|
||||
+ N_(" owner information for certificate\n"),
|
||||
+ N_(" -M MODE, --cert-perms=MODE\n"),
|
||||
+ N_(" file permissions for certificate\n"),
|
||||
NULL,
|
||||
};
|
||||
const char *start_tracking_help[] = {
|
||||
@@ -4915,49 +4955,84 @@ help(const char *twopartcmd, const char *category)
|
||||
"\n",
|
||||
N_("Required arguments:\n"),
|
||||
N_("* If modifying an existing request:\n"),
|
||||
- N_(" -i NAME nickname of an existing tracking request\n"),
|
||||
+ N_(" -i NAME, --id=NAME nickname of an existing tracking request\n"),
|
||||
N_("* If using an NSS database for storage:\n"),
|
||||
- N_(" -d DIR NSS database for key and cert\n"),
|
||||
- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
|
||||
- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
|
||||
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
|
||||
+ N_(" -n NAME, --nickname NAME\n"),
|
||||
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
|
||||
+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"),
|
||||
+ N_(" (only valid with -d)\n"),
|
||||
N_("* If using files for storage:\n"),
|
||||
- N_(" -k FILE PEM file for private key\n"),
|
||||
- N_(" -f FILE PEM file for certificate (only valid with -k)\n"),
|
||||
+ N_(" -k FILE, --keyfile=FILE\n"),
|
||||
+ N_(" PEM file for private key\n"),
|
||||
+ N_(" -f FILE, --certfile=FILE\n"),
|
||||
+ N_(" PEM file for certificate (only valid with -k)\n"),
|
||||
N_("* If keys are encrypted:\n"),
|
||||
- N_(" -p FILE file which holds the encryption PIN\n"),
|
||||
- N_(" -P PIN PIN value\n"),
|
||||
+ N_(" -p FILE, --pinfile=FILE\n"),
|
||||
+ N_(" file which holds the encryption PIN\n"),
|
||||
+ N_(" -P PIN, --pin=PIN PIN value\n"),
|
||||
"\n",
|
||||
N_("Optional arguments:\n"),
|
||||
N_("* Certificate handling settings:\n"),
|
||||
- N_(" -I NAME nickname to give to tracking request\n"),
|
||||
- N_(" -r attempt to renew the certificate when expiration nears (default)\n"),
|
||||
- N_(" -R don't attempt to renew the certificate when expiration nears\n"),
|
||||
+ N_(" -I NAME, --new-id=NAME\n"),
|
||||
+ N_(" nickname to give to tracking request\n"),
|
||||
+ N_(" -r, --renew attempt to renew the certificate when\n"),
|
||||
+ N_(" expiration nears (default)\n"),
|
||||
+ N_(" -R, --no-renew don't attempt to renew the certificate when\n"),
|
||||
+ N_(" expiration nears\n"),
|
||||
#ifndef FORCE_CA
|
||||
- N_(" -c CA use the specified CA rather than the default\n"),
|
||||
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
|
||||
#endif
|
||||
- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"),
|
||||
+ N_(" -T PROFILE, --profile=NAME\n"),
|
||||
+ N_(" ask the CA to process the request using the\n"),
|
||||
+ N_(" named profile or template\n"),
|
||||
N_(" --ms-template-spec SPEC\n"),
|
||||
- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
|
||||
- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"),
|
||||
+ N_(" include V2 template specifier in CSR\n"),
|
||||
+ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
|
||||
+ N_(" -X ISSUER, --issuer=ISSUER\n"),
|
||||
+ N_(" ask the CA to process the request using the\n"),
|
||||
+ N_(" named issuer\n"),
|
||||
N_("* Parameters for the signing request at renewal time:\n"),
|
||||
- N_(" -U EXTUSAGE override requested extended key usage OID\n"),
|
||||
- N_(" -u KEYUSAGE set requested key usage value\n"),
|
||||
- N_(" -K NAME override requested principal name\n"),
|
||||
- N_(" -D DNSNAME override requested DNS name\n"),
|
||||
- N_(" -E EMAIL override requested email address\n"),
|
||||
- N_(" -A ADDRESS override requested IP address\n"),
|
||||
- N_(" -l FILE file which holds an optional challenge password\n"),
|
||||
- N_(" -L PASSWORD an optional challenge password value\n"),
|
||||
+ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),
|
||||
+ N_(" override requested extended key usage OID\n"),
|
||||
+ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"),
|
||||
+ N_(" set requested key usage value\n"),
|
||||
+ N_(" -K NAME, --principal=NAME\n"),
|
||||
+ N_(" override requested principal name\n"),
|
||||
+ N_(" -D DNSNAME, --dns=DNSNAME\n"),
|
||||
+ N_(" override requested DNS name\n"),
|
||||
+ N_(" -E EMAIL, --email=EMAIL\n"),
|
||||
+ N_(" override requested email address\n"),
|
||||
+ N_(" -A ADDRESS, --ip-address=ADDRESS\n"),
|
||||
+ N_(" override requested IP address\n"),
|
||||
+ N_(" -l FILE, --challenge-password-file=FILE\n"),
|
||||
+ N_(" file which holds an optional challenge password\n"),
|
||||
+ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"),
|
||||
+ N_(" an optional challenge password value\n"),
|
||||
N_("* Bus options:\n"),
|
||||
- N_(" -S connect to the certmonger service on the system bus\n"),
|
||||
- N_(" -s connect to the certmonger service on the session bus\n"),
|
||||
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
|
||||
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
|
||||
N_("* Other options:\n"),
|
||||
- N_(" -B command to run before saving the certificate\n"),
|
||||
- N_(" -C command to run after saving the certificate\n"),
|
||||
- N_(" -F file in which to store the CA's certificates\n"),
|
||||
- N_(" -a NSS database in which to store the CA's certificates\n"),
|
||||
- N_(" -w try to wait for the certificate to be issued\n"),
|
||||
- N_(" -v report all details of errors\n"),
|
||||
+ N_(" -B COMMAND, --before-command=COMMAND\n"),
|
||||
+ N_(" command to run before saving the certificate\n"),
|
||||
+ N_(" -C COMMAND, --after-command=COMMAND\n"),
|
||||
+ N_(" command to run after saving the certificate\n"),
|
||||
+ N_(" -F FILE, --ca-file=FILE\n"),
|
||||
+ N_(" file in which to store the CA's certificates\n"),
|
||||
+ N_(" -a DIR, --ca-dbdir=DIR\n"),
|
||||
+ N_(" NSS database in which to store the CA's certificates\n"),
|
||||
+ N_(" -w, --wait try to wait for the certificate to be issued\n"),
|
||||
+ N_(" --wait-timeout TIMEOUT\n"),
|
||||
+ N_(" Maximum time to wait for the certificateto be issued\n"),
|
||||
+ N_(" -v, --verbose report all details of errors\n"),
|
||||
+ N_(" -o OWNER, --key-owner=OWNER\n"),
|
||||
+ N_(" owner information for private key\n"),
|
||||
+ N_(" -m MODE, --key-perms=MODE\n"),
|
||||
+ N_(" file permissions for private key\n"),
|
||||
+ N_(" -O OWNER, --cert-owner=OWNER\n"),
|
||||
+ N_(" owner information for certificate\n"),
|
||||
+ N_(" -M MODE, --cert-perms=MODE\n"),
|
||||
+ N_(" file permissions for certificate\n"),
|
||||
NULL,
|
||||
};
|
||||
const char *stop_tracking_help[] = {
|
||||
@@ -4965,21 +5040,24 @@ help(const char *twopartcmd, const char *category)
|
||||
"\n",
|
||||
N_("Required arguments:\n"),
|
||||
N_("* By request identifier:\n"),
|
||||
- N_(" -i NAME nickname for tracking request\n"),
|
||||
+ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
|
||||
N_("* If using an NSS database for storage:\n"),
|
||||
- N_(" -d DIR NSS database for key and cert\n"),
|
||||
- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
|
||||
- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
|
||||
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
|
||||
+ N_(" -n NAME, --nickname NAME\n"),
|
||||
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
|
||||
N_("* If using files for storage:\n"),
|
||||
- N_(" -k FILE PEM file for private key\n"),
|
||||
- N_(" -f FILE PEM file for certificate (only valid with -k)\n"),
|
||||
+ N_(" -k FILE, --keyfile=FILE\n"),
|
||||
+ N_(" PEM file for private key\n"),
|
||||
+ N_(" -f FILE, --certfile=FILE\n"),
|
||||
+ N_(" PEM file for certificate (only valid with -k)\n"),
|
||||
"\n",
|
||||
N_("Optional arguments:\n"),
|
||||
N_("* Bus options:\n"),
|
||||
- N_(" -S connect to the certmonger service on the system bus\n"),
|
||||
- N_(" -s connect to the certmonger service on the session bus\n"),
|
||||
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
|
||||
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
|
||||
+ "\n",
|
||||
N_("* Other options:\n"),
|
||||
- N_(" -v report all details of errors\n"),
|
||||
+ N_(" -v, --verbose report all details of errors\n"),
|
||||
NULL,
|
||||
};
|
||||
const char *resubmit_help[] = {
|
||||
@@ -4987,49 +5065,81 @@ help(const char *twopartcmd, const char *category)
|
||||
"\n",
|
||||
N_("Required arguments:\n"),
|
||||
N_("* By request identifier:\n"),
|
||||
- N_(" -i NAME nickname for tracking request\n"),
|
||||
+ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
|
||||
N_("* If using an NSS database for storage:\n"),
|
||||
- N_(" -d DIR NSS database for key and cert\n"),
|
||||
- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
|
||||
- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
|
||||
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
|
||||
+ N_(" -n NAME, --nickname NAME\n"),
|
||||
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
|
||||
+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"),
|
||||
+ N_(" (only valid with -d)\n"),
|
||||
N_("* If using files for storage:\n"),
|
||||
N_(" -f FILE PEM file for certificate\n"),
|
||||
"\n",
|
||||
N_("* If keys are encrypted:\n"),
|
||||
- N_(" -p FILE file which holds the encryption PIN\n"),
|
||||
- N_(" -P PIN PIN value\n"),
|
||||
+ N_(" -p FILE, --pinfile=FILE\n"),
|
||||
+ N_(" file which holds the encryption PIN\n"),
|
||||
+ N_(" -P PIN, --pin=PIN PIN value\n"),
|
||||
"\n",
|
||||
N_("* New parameter values for the signing request:\n"),
|
||||
- N_(" -N NAME set requested subject name (default: CN=<hostname>)\n"),
|
||||
- N_(" -U EXTUSAGE set requested extended key usage OID\n"),
|
||||
- N_(" -u KEYUSAGE set requested key usage value\n"),
|
||||
- N_(" -K NAME set requested principal name\n"),
|
||||
- N_(" -D DNSNAME set requested DNS name\n"),
|
||||
- N_(" -E EMAIL set requested email address\n"),
|
||||
- N_(" -A ADDRESS set requested IP address\n"),
|
||||
- N_(" -l FILE file which holds an optional challenge password\n"),
|
||||
- N_(" -L PASSWORD an optional challenge password value\n"),
|
||||
+ N_(" -N NAME, --subject-name=NAME\n"),
|
||||
+ N_(" set requested subject name (default: CN=<hostname>)\n"),
|
||||
+ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),
|
||||
+ N_(" override requested extended key usage OID\n"),
|
||||
+ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"),
|
||||
+ N_(" set requested key usage value\n"),
|
||||
+ N_(" -K NAME, --principal=NAME\n"),
|
||||
+ N_(" override requested principal name\n"),
|
||||
+ N_(" -D DNSNAME, --dns=DNSNAME\n"),
|
||||
+ N_(" override requested DNS name\n"),
|
||||
+ N_(" -E EMAIL, --email=EMAIL\n"),
|
||||
+ N_(" override requested email address\n"),
|
||||
+ N_(" -A ADDRESS, --ip-address=ADDRESS\n"),
|
||||
+ N_(" override requested IP address\n"),
|
||||
+ N_(" -l FILE, --challenge-password-file=FILE\n"),
|
||||
+ N_(" file which holds an optional challenge password\n"),
|
||||
+ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"),
|
||||
+ N_(" an optional challenge password value\n"),
|
||||
"\n",
|
||||
N_("Optional arguments:\n"),
|
||||
N_("* Certificate handling settings:\n"),
|
||||
- N_(" -I NAME new nickname to give to tracking request\n"),
|
||||
+ N_(" -I NAME, --new-id=NAME\n"),
|
||||
+ N_(" nickname to give to tracking request\n"),
|
||||
#ifndef FORCE_CA
|
||||
- N_(" -c CA use the specified CA rather than the current one\n"),
|
||||
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
|
||||
#endif
|
||||
- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"),
|
||||
+ N_(" -T PROFILE, --profile=NAME\n"),
|
||||
+ N_(" ask the CA to process the request using the\n"),
|
||||
+ N_(" named profile or template\n"),
|
||||
N_(" --ms-template-spec SPEC\n"),
|
||||
- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
|
||||
- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"),
|
||||
+ N_(" include V2 template specifier in CSR\n"),
|
||||
+ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
|
||||
+ N_(" -X ISSUER, --issuer=ISSUER\n"),
|
||||
+ N_(" ask the CA to process the request using the\n"),
|
||||
+ N_(" named issuer\n"),
|
||||
N_("* Bus options:\n"),
|
||||
- N_(" -S connect to the certmonger service on the system bus\n"),
|
||||
- N_(" -s connect to the certmonger service on the session bus\n"),
|
||||
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
|
||||
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
|
||||
N_("* Other options:\n"),
|
||||
- N_(" -B command to run before saving the certificate\n"),
|
||||
- N_(" -C command to run after saving the certificate\n"),
|
||||
- N_(" -F file in which to store the CA's certificates\n"),
|
||||
- N_(" -a NSS database in which to store the CA's certificates\n"),
|
||||
- N_(" -w try to wait for the certificate to be issued\n"),
|
||||
- N_(" -v report all details of errors\n"),
|
||||
+ N_(" -B COMMAND, --before-command=COMMAND\n"),
|
||||
+ N_(" command to run before saving the certificate\n"),
|
||||
+ N_(" -C COMMAND, --after-command=COMMAND\n"),
|
||||
+ N_(" command to run after saving the certificate\n"),
|
||||
+ N_(" -F FILE, --ca-file=FILE\n"),
|
||||
+ N_(" file in which to store the CA's certificates\n"),
|
||||
+ N_(" -a DIR, --ca-dbdir=DIR\n"),
|
||||
+ N_(" NSS database in which to store the CA's certificates\n"),
|
||||
+ N_(" -w, --wait try to wait for the certificate to be issued\n"),
|
||||
+ N_(" --wait-timeout TIMEOUT\n"),
|
||||
+ N_(" Maximum time to wait for the certificateto be issued\n"),
|
||||
+ N_(" -v, --verbose report all details of errors\n"),
|
||||
+ N_(" -o OWNER, --key-owner=OWNER\n"),
|
||||
+ N_(" owner information for private key\n"),
|
||||
+ N_(" -m MODE, --key-perms=MODE\n"),
|
||||
+ N_(" file permissions for private key\n"),
|
||||
+ N_(" -O OWNER, --cert-owner=OWNER\n"),
|
||||
+ N_(" owner information for certificate\n"),
|
||||
+ N_(" -M MODE, --cert-perms=MODE\n"),
|
||||
+ N_(" file permissions for certificate\n"),
|
||||
NULL,
|
||||
};
|
||||
const char *rekey_help[] = {
|
||||
@@ -5037,51 +5147,80 @@ help(const char *twopartcmd, const char *category)
|
||||
"\n",
|
||||
N_("Required arguments:\n"),
|
||||
N_("* By request identifier:\n"),
|
||||
- N_(" -i NAME nickname for tracking request\n"),
|
||||
+ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
|
||||
N_("* If using an NSS database for storage:\n"),
|
||||
- N_(" -d DIR NSS database for key and cert\n"),
|
||||
- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
|
||||
- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
|
||||
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
|
||||
+ N_(" -n NAME, --nickname NAME\n"),
|
||||
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
|
||||
+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"),
|
||||
+ N_(" (only valid with -d)\n"),
|
||||
N_("* If using files for storage:\n"),
|
||||
- N_(" -f FILE PEM file for certificate\n"),
|
||||
+ N_(" -f FILE, --certfile=FILE\n"),
|
||||
+ N_(" PEM file for certificate\n"),
|
||||
"\n",
|
||||
N_("* If keys are encrypted:\n"),
|
||||
- N_(" -p FILE file which holds the encryption PIN\n"),
|
||||
- N_(" -P PIN PIN value\n"),
|
||||
+ N_(" -p FILE, --pinfile=FILE\n"),
|
||||
+ N_(" file which holds the encryption PIN\n"),
|
||||
+ N_(" -P PIN, --pin=PIN PIN value\n"),
|
||||
"\n",
|
||||
N_("* New parameter values for the signing request:\n"),
|
||||
- N_(" -N NAME set requested subject name (default: CN=<hostname>)\n"),
|
||||
- N_(" -U EXTUSAGE set requested extended key usage OID\n"),
|
||||
- N_(" -u KEYUSAGE set requested key usage value\n"),
|
||||
- N_(" -K NAME set requested principal name\n"),
|
||||
- N_(" -D DNSNAME set requested DNS name\n"),
|
||||
- N_(" -E EMAIL set requested email address\n"),
|
||||
- N_(" -A ADDRESS set requested IP address\n"),
|
||||
- N_(" -l FILE file which holds an optional challenge password\n"),
|
||||
- N_(" -L PASSWORD an optional challenge password value\n"),
|
||||
+ N_(" -N NAME, --subject-name=NAME\n"),
|
||||
+ N_(" set requested subject name (default: CN=<hostname>)\n"),
|
||||
+ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),
|
||||
+ N_(" override requested extended key usage OID\n"),
|
||||
+ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"),
|
||||
+ N_(" set requested key usage value\n"),
|
||||
+ N_(" -K NAME, --principal=NAME\n"),
|
||||
+ N_(" override requested principal name\n"),
|
||||
+ N_(" -D DNSNAME, --dns=DNSNAME\n"),
|
||||
+ N_(" override requested DNS name\n"),
|
||||
+ N_(" -E EMAIL, --email=EMAIL\n"),
|
||||
+ N_(" override requested email address\n"),
|
||||
+ N_(" -A ADDRESS, --ip-address=ADDRESS\n"),
|
||||
+ N_(" override requested IP address\n"),
|
||||
+ N_(" -l FILE, --challenge-password-file=FILE\n"),
|
||||
+ N_(" file which holds an optional challenge password\n"),
|
||||
+ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"),
|
||||
+ N_(" an optional challenge password value\n"),
|
||||
"\n",
|
||||
N_("Optional arguments:\n"),
|
||||
N_("* Certificate handling settings:\n"),
|
||||
- N_(" -I NAME new nickname to give to tracking request\n"),
|
||||
+ N_(" -I NAME, --new-id=NAME\n"),
|
||||
+ N_(" new nickname to give to tracking request\n"),
|
||||
#ifndef FORCE_CA
|
||||
- N_(" -c CA use the specified CA rather than the current one\n"),
|
||||
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
|
||||
#endif
|
||||
- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"),
|
||||
+ N_(" -T PROFILE, --profile=NAME\n"),
|
||||
+ N_(" ask the CA to process the request using the\n"),
|
||||
+ N_(" named profile or template\n"),
|
||||
N_(" --ms-template-spec SPEC\n"),
|
||||
- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
|
||||
- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"),
|
||||
- N_(" -G TYPE type of new key to be generated\n"),
|
||||
- N_(" -g SIZE size of new key to be generated\n"),
|
||||
+ N_(" include V2 template specifier in CSR\n"),
|
||||
+ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
|
||||
+ N_(" -X ISSUER, --issuer=ISSUER\n"),
|
||||
+ N_(" ask the CA to process the request using the\n"),
|
||||
+ N_(" named issuer\n"),
|
||||
+ N_(" -G TYPE, --key-type=TYPE\n"),
|
||||
+ N_(" type of key to be generated if one is not already\n"),
|
||||
+ N_(" in place\n"),
|
||||
+ N_(" -g BITS, --key-size=BITS\n"),
|
||||
+ N_(" size of key to be generated if one is not already\n"),
|
||||
+ N_(" in place\n"),
|
||||
N_("* Bus options:\n"),
|
||||
- N_(" -S connect to the certmonger service on the system bus\n"),
|
||||
- N_(" -s connect to the certmonger service on the session bus\n"),
|
||||
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
|
||||
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
|
||||
N_("* Other options:\n"),
|
||||
- N_(" -B command to run before saving the certificate\n"),
|
||||
- N_(" -C command to run after saving the certificate\n"),
|
||||
- N_(" -F file in which to store the CA's certificates\n"),
|
||||
- N_(" -a NSS database in which to store the CA's certificates\n"),
|
||||
- N_(" -w try to wait for the certificate to be issued\n"),
|
||||
- N_(" -v report all details of errors\n"),
|
||||
+ N_(" -B COMMAND, --before-command=COMMAND\n"),
|
||||
+ N_(" command to run before saving the certificate\n"),
|
||||
+ N_(" -C COMMAND, --after-command=COMMAND\n"),
|
||||
+ N_(" command to run after saving the certificate\n"),
|
||||
+ N_(" -F FILE, --ca-file=FILE\n"),
|
||||
+ N_(" file in which to store the CA's certificates\n"),
|
||||
+ N_(" -a DIR, --ca-dbdir=DIR\n"),
|
||||
+ N_(" NSS database in which to store the CA's certificates\n"),
|
||||
+ N_(" -w, --wait try to wait for the certificate to be issued\n"),
|
||||
+ N_(" --wait-timeout TIMEOUT\n"),
|
||||
+ N_(" Maximum time to wait for the certificateto be issued\n"),
|
||||
+ N_(" -v, --verbose report all details of errors\n"),
|
||||
NULL,
|
||||
};
|
||||
const char *list_help[] = {
|
||||
@@ -5090,46 +5229,52 @@ help(const char *twopartcmd, const char *category)
|
||||
N_("Optional arguments:\n"),
|
||||
N_("* General options:\n"),
|
||||
#ifndef FORCE_CA
|
||||
- N_(" -c CA list only requests and certs associated with this CA\n"),
|
||||
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
|
||||
#endif
|
||||
- N_(" -r list only information about outstanding requests\n"),
|
||||
- N_(" -t list only information about tracked certificates\n"),
|
||||
- N_(" -u display times in UTC instead of local time\n"),
|
||||
+ N_(" -r, --requests-only list only information about outstanding requests\n"),
|
||||
+ N_(" -t, --tracking-only list only information about tracked certificates\n"),
|
||||
+ N_(" -u, --utc display times in UTC instead of local time\n"),
|
||||
N_("* If selecting a specific request:\n"),
|
||||
- N_(" -i NAME nickname for tracking request\n"),
|
||||
+ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
|
||||
N_("* If using an NSS database for storage:\n"),
|
||||
- N_(" -d DIR only list requests and certs which use this NSS database\n"),
|
||||
- N_(" -n NAME only list requests and certs which use this nickname\n"),
|
||||
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
|
||||
+ N_(" -n NAME, --nickname NAME\n"),
|
||||
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
|
||||
N_("* If using files for storage:\n"),
|
||||
- N_(" -f FILE only list requests and certs stored in this PEM file\n"),
|
||||
+ N_(" -f FILE, --certfile=FILE\n"),
|
||||
+ N_(" only list requests and certs stored in this PEM file\n"),
|
||||
N_("* Bus options:\n"),
|
||||
- N_(" -S connect to the certmonger service on the system bus\n"),
|
||||
- N_(" -s connect to the certmonger service on the session bus\n"),
|
||||
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
|
||||
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
|
||||
N_("* Other options:\n"),
|
||||
- N_(" -v report all details of errors\n"),
|
||||
+ N_(" -v, --verbose report all details of errors\n"),
|
||||
NULL,
|
||||
};
|
||||
const char *refresh_help[] = {
|
||||
N_("Usage: %s refresh [options]\n"),
|
||||
"\n",
|
||||
N_("* General options:\n"),
|
||||
- N_(" -a refresh information about all outstanding requests\n"),
|
||||
+ N_(" -a, --all refresh information about all outstanding requests\n"),
|
||||
"\n",
|
||||
N_("Required arguments:\n"),
|
||||
N_("* By request identifier:\n"),
|
||||
- N_(" -i NAME nickname for tracking request\n"),
|
||||
+ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
|
||||
N_("* If using an NSS database for storage:\n"),
|
||||
- N_(" -d DIR NSS database for key and cert\n"),
|
||||
- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
|
||||
- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
|
||||
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
|
||||
+ N_(" -n NAME, --nickname NAME\n"),
|
||||
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
|
||||
+ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"),
|
||||
+ N_(" (only valid with -d)\n"),
|
||||
N_("* If using files for storage:\n"),
|
||||
- N_(" -f FILE PEM file for certificate\n"),
|
||||
+ N_(" -f FILE, --certfile=FILE\n"),
|
||||
+ N_(" PEM file for certificate\n"),
|
||||
"\n",
|
||||
N_("Optional arguments:\n"),
|
||||
N_("* Bus options:\n"),
|
||||
- N_(" -S connect to the certmonger service on the system bus\n"),
|
||||
- N_(" -s connect to the certmonger service on the session bus\n"),
|
||||
- N_(" -v report all details of errors\n"),
|
||||
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
|
||||
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
|
||||
+ N_("* Other options:\n"),
|
||||
+ N_(" -v, --verbose report all details of errors\n"),
|
||||
NULL,
|
||||
};
|
||||
const char *status_help[] = {
|
||||
@@ -5137,17 +5282,19 @@ help(const char *twopartcmd, const char *category)
|
||||
"\n",
|
||||
N_("Optional arguments:\n"),
|
||||
N_("* Selecting a specific request:\n"),
|
||||
- N_(" -i NAME nickname for tracking request\n"),
|
||||
+ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
|
||||
N_("* When using an NSS database for storage:\n"),
|
||||
- N_(" -d DIR return status for the request in this NSS database\n"),
|
||||
- N_(" -n NAME return status for cert which uses this nickname\n"),
|
||||
+ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
|
||||
+ N_(" -n NAME, --nickname NAME\n"),
|
||||
+ N_(" nickname for NSS-based storage (only valid with -d)\n"),
|
||||
N_("* When using files for storage:\n"),
|
||||
- N_(" -f FILE return status for cert stored in this PEM file\n"),
|
||||
+ N_(" -f FILE, --certfile=FILE\n"),
|
||||
+ N_(" return status for cert stored in this PEM file\n"),
|
||||
N_("* Bus options:\n"),
|
||||
- N_(" -S connect to the certmonger service on the system bus\n"),
|
||||
- N_(" -s connect to the certmonger service on the session bus\n"),
|
||||
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
|
||||
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
|
||||
N_("* Other options:\n"),
|
||||
- N_(" -v report all details of errors\n"),
|
||||
+ N_(" -v, --verbose report all details of errors\n"),
|
||||
NULL,
|
||||
};
|
||||
const char *list_cas_help[] = {
|
||||
@@ -5156,13 +5303,13 @@ help(const char *twopartcmd, const char *category)
|
||||
N_("Optional arguments:\n"),
|
||||
#ifndef FORCE_CA
|
||||
N_("* General options:\n"),
|
||||
- N_(" -c CA list only information about the CA with this name\n"),
|
||||
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
|
||||
#endif
|
||||
N_("* Bus options:\n"),
|
||||
- N_(" -S connect to the certmonger service on the system bus\n"),
|
||||
- N_(" -s connect to the certmonger service on the session bus\n"),
|
||||
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
|
||||
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
|
||||
N_("* Other options:\n"),
|
||||
- N_(" -v report all details of errors\n"),
|
||||
+ N_(" -v, --verbose report all details of errors\n"),
|
||||
NULL,
|
||||
};
|
||||
const char *refresh_ca_help[] = {
|
||||
@@ -5171,14 +5318,14 @@ help(const char *twopartcmd, const char *category)
|
||||
N_("Optional arguments:\n"),
|
||||
#ifndef FORCE_CA
|
||||
N_("* General options:\n"),
|
||||
- N_(" -c CA refresh information about the CA with this name\n"),
|
||||
- N_(" -a refresh information about all known CAs\n"),
|
||||
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
|
||||
+ N_(" -a, --all refresh information about all known CAs\n"),
|
||||
#endif
|
||||
N_("* Bus options:\n"),
|
||||
- N_(" -S connect to the certmonger service on the system bus\n"),
|
||||
- N_(" -s connect to the certmonger service on the session bus\n"),
|
||||
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
|
||||
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
|
||||
N_("* Other options:\n"),
|
||||
- N_(" -v report all details of errors\n"),
|
||||
+ N_(" -v, --verbose report all details of errors\n"),
|
||||
NULL,
|
||||
};
|
||||
#ifndef FORCE_CA
|
||||
@@ -5187,13 +5334,13 @@ help(const char *twopartcmd, const char *category)
|
||||
"\n",
|
||||
N_("Optional arguments:\n"),
|
||||
N_("* General options:\n"),
|
||||
- N_(" -c CA nickname to give to the new CA configuration\n"),
|
||||
- N_(" -e CMD helper command to run to communicate with CA\n"),
|
||||
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
|
||||
+ N_(" -e CMD, --command CMD helper command to run to communicate with CA\n"),
|
||||
N_("* Bus options:\n"),
|
||||
- N_(" -S connect to the certmonger service on the system bus\n"),
|
||||
- N_(" -s connect to the certmonger service on the session bus\n"),
|
||||
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
|
||||
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
|
||||
N_("* Other options:\n"),
|
||||
- N_(" -v report all details of errors\n"),
|
||||
+ N_(" -v, --verbose report all details of errors\n"),
|
||||
NULL,
|
||||
};
|
||||
const char *add_scep_ca_help[] = {
|
||||
@@ -5201,18 +5348,23 @@ help(const char *twopartcmd, const char *category)
|
||||
"\n",
|
||||
N_("Optional arguments:\n"),
|
||||
N_("* General options:\n"),
|
||||
- N_(" -c CA nickname to give to the new CA configuration\n"),
|
||||
- N_(" -u URL location of SCEP server\n"),
|
||||
- N_(" -i ID CA identifier\n"),
|
||||
- N_(" -R FILE file containing CA's certificate\n"),
|
||||
- N_(" -r FILE file containing RA's certificate\n"),
|
||||
- N_(" -I FILE file containing certificates in RA's certifying chain\n"),
|
||||
- N_(" -n prefer not to use the SCEP Renewal feature\n"),
|
||||
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
|
||||
+ N_(" -u URL, --URL URL location of SCEP server\n"),
|
||||
+ N_(" -i ID, --id ID CA identifier\n"),
|
||||
+ N_(" -R FILE, --cacert=FILE\n"),
|
||||
+ N_(" file containing web server's certificate\n"),
|
||||
+ N_(" -r FILE, --racert=FILE\n"),
|
||||
+ N_(" file containing RA's certificate\n"),
|
||||
+ N_(" -N FILE, --signingca=FILE\n"),
|
||||
+ N_(" file containing CA's certificate\n"),
|
||||
+ N_(" -I FILE, --other-certs=FILE\n"),
|
||||
+ N_(" file containing certificates in RA's certifying chain\n"),
|
||||
+ N_(" -n, --non-renewal prefer not to use the SCEP Renewal feature\n"),
|
||||
N_("* Bus options:\n"),
|
||||
- N_(" -S connect to the certmonger service on the system bus\n"),
|
||||
- N_(" -s connect to the certmonger service on the session bus\n"),
|
||||
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
|
||||
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
|
||||
N_("* Other options:\n"),
|
||||
- N_(" -v report all details of errors\n"),
|
||||
+ N_(" -v, --verbose report all details of errors\n"),
|
||||
NULL,
|
||||
};
|
||||
const char *modify_ca_help[] = {
|
||||
@@ -5220,13 +5372,13 @@ help(const char *twopartcmd, const char *category)
|
||||
"\n",
|
||||
N_("Optional arguments:\n"),
|
||||
N_("* General options:\n"),
|
||||
- N_(" -c CA nickname of the CA configuration\n"),
|
||||
- N_(" -e CMD updated helper command to run to communicate with CA\n"),
|
||||
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
|
||||
+ N_(" -e CMD, --command CMD helper command to run to communicate with CA\n"),
|
||||
N_("* Bus options:\n"),
|
||||
- N_(" -S connect to the certmonger service on the system bus\n"),
|
||||
- N_(" -s connect to the certmonger service on the session bus\n"),
|
||||
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
|
||||
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
|
||||
N_("* Other options:\n"),
|
||||
- N_(" -v report all details of errors\n"),
|
||||
+ N_(" -v, --verbose report all details of errors\n"),
|
||||
NULL,
|
||||
};
|
||||
const char *remove_ca_help[] = {
|
||||
@@ -5234,12 +5386,12 @@ help(const char *twopartcmd, const char *category)
|
||||
"\n",
|
||||
N_("Optional arguments:\n"),
|
||||
N_("* General options:\n"),
|
||||
- N_(" -c CA nickname of CA configuration to remove\n"),
|
||||
+ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
|
||||
N_("* Bus options:\n"),
|
||||
- N_(" -S connect to the certmonger service on the system bus\n"),
|
||||
- N_(" -s connect to the certmonger service on the session bus\n"),
|
||||
+ N_(" -S, --system connect to the certmonger service on the system bus\n"),
|
||||
+ N_(" -s, --session connect to the certmonger service on the session bus\n"),
|
||||
N_("* Other options:\n"),
|
||||
- N_(" -v report all details of errors\n"),
|
||||
+ N_(" -v, --verbose report all details of errors\n"),
|
||||
NULL,
|
||||
};
|
||||
#endif
|
||||
diff --git a/src/scep.c b/src/scep.c
|
||||
index 4294cda..4dde1ce 100644
|
||||
--- a/src/scep.c
|
||||
+++ b/src/scep.c
|
||||
@@ -230,7 +230,7 @@ main(int argc, const char **argv)
|
||||
{"url", 'u', POPT_ARG_STRING, &url, 0, "service location", "URL"},
|
||||
{"ca-identifier", 'i', POPT_ARG_STRING, &id, 0, "name to use when querying for capabilities", "IDENTIFIER"},
|
||||
{"retrieve-ca-capabilities", 'c', POPT_ARG_NONE, NULL, 'c', "make a GetCACaps request", NULL},
|
||||
- {"retrieve-ca-certificates", 'C', POPT_ARG_NONE, NULL, 'C', "make GetCACert/GetCAChain requests", NULL},
|
||||
+ {"retrieve-ca-certificates", 'C', POPT_ARG_NONE, NULL, 'C', "make GetCACert request", NULL},
|
||||
{"get-initial-cert", 'g', POPT_ARG_NONE, NULL, 'g', "send a PKIOperation pkiMessage", NULL},
|
||||
{"pki-message", 'p', POPT_ARG_NONE, NULL, 'p', "send a PKIOperation pkiMessage", NULL},
|
||||
{"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"},
|
||||
--
|
||||
2.21.1
|
||||
|
@ -1,151 +0,0 @@
|
||||
From bf409dbab5f5910de6c2691f978bb8644532728a Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 18 May 2020 15:01:02 -0400
|
||||
Subject: [PATCH] Adapt to the new behavior of disconnect in dbus-broker
|
||||
|
||||
The dbus server was replaced in Fedora-29 to use dbus-broker.
|
||||
|
||||
This server does not allow reconnects on a disconnect. certmonger
|
||||
was crashing as a result.
|
||||
|
||||
The only way to directly pass a message between the dbus queue and
|
||||
the main tevent handle is via a signal. So when a disconnect is
|
||||
detected send a SIGTERM to getpid() in order to force a graceful
|
||||
shutdown.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1687698
|
||||
---
|
||||
src/tdbus.c | 61 ++++++++++-------------------------------------------
|
||||
1 file changed, 11 insertions(+), 50 deletions(-)
|
||||
|
||||
diff --git a/src/tdbus.c b/src/tdbus.c
|
||||
index a81b534..402022e 100644
|
||||
--- a/src/tdbus.c
|
||||
+++ b/src/tdbus.c
|
||||
@@ -22,6 +22,7 @@
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
+#include <signal.h>
|
||||
|
||||
#include <talloc.h>
|
||||
#include <tevent.h>
|
||||
@@ -522,60 +523,24 @@ cm_tdbus_timeout_cleanup(void *data)
|
||||
}
|
||||
|
||||
static void
|
||||
-cm_tdbus_reconnect(struct tevent_context *ec, struct tevent_timer *timer,
|
||||
+cm_tdbus_disconnected(struct tevent_context *ec, struct tevent_timer *timer,
|
||||
struct timeval current_time, void *pvt)
|
||||
{
|
||||
- const char *bus_desc;
|
||||
struct tdbus_connection *tdb;
|
||||
- struct timeval later;
|
||||
- dbus_bool_t exit_on_disconnect = TRUE;
|
||||
+ pid_t pid;
|
||||
|
||||
tdb = pvt;
|
||||
talloc_free(timer);
|
||||
if ((tdb->conn == NULL) ||
|
||||
!dbus_connection_get_is_connected(tdb->conn)) {
|
||||
- /* Close the current connection and open a new one. */
|
||||
+ /* Close the current connection and exit. */
|
||||
if (tdb->conn != NULL) {
|
||||
dbus_connection_unref(tdb->conn);
|
||||
tdb->conn = NULL;
|
||||
}
|
||||
- bus_desc = NULL;
|
||||
- switch (tdb->conn_type) {
|
||||
- case cm_tdbus_system:
|
||||
- cm_log(1, "Attempting to reconnect to system bus.\n");
|
||||
- tdb->conn = dbus_bus_get(DBUS_BUS_SYSTEM, NULL);
|
||||
- cm_set_conn_ptr(tdb->data, tdb->conn);
|
||||
- /* Don't exit if we get disconnected. */
|
||||
- exit_on_disconnect = FALSE;
|
||||
- bus_desc = "system";
|
||||
- break;
|
||||
- case cm_tdbus_session:
|
||||
- cm_log(1, "Attempting to reconnect to session bus.\n");
|
||||
- tdb->conn = dbus_bus_get(DBUS_BUS_SESSION, NULL);
|
||||
- cm_set_conn_ptr(tdb->data, tdb->conn);
|
||||
- /* Exit if we get disconnected. */
|
||||
- exit_on_disconnect = TRUE;
|
||||
- bus_desc = "session";
|
||||
- break;
|
||||
- case cm_tdbus_private:
|
||||
- abort();
|
||||
- break;
|
||||
- }
|
||||
- if ((tdb->conn != NULL) &&
|
||||
- dbus_connection_get_is_connected(tdb->conn)) {
|
||||
- /* We're reconnected; reset our handlers. */
|
||||
- cm_log(1, "Reconnected to %s bus.\n", bus_desc);
|
||||
- dbus_connection_set_exit_on_disconnect(tdb->conn,
|
||||
- exit_on_disconnect);
|
||||
- cm_tdbus_setup_public_connection(tdb, tdb->conn,
|
||||
- bus_desc, NULL);
|
||||
- } else {
|
||||
- /* Try reconnecting again later. */
|
||||
- later = tevent_timeval_current_ofs(CM_DBUS_RECONNECT_TIMEOUT, 0),
|
||||
- tevent_add_timer(ec, tdb, later,
|
||||
- cm_tdbus_reconnect,
|
||||
- tdb);
|
||||
- }
|
||||
+ pid = getpid();
|
||||
+ cm_log(0, "Disconnected from dbus, exiting with SIGTERM.\n");
|
||||
+ kill(pid, SIGTERM);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -585,12 +550,12 @@ cm_tdbus_filter(DBusConnection *conn, DBusMessage *dmessage, void *data)
|
||||
struct tdbus_connection *tdb = data;
|
||||
const char *destination, *unique_name, *path, *interface, *member;
|
||||
|
||||
- /* If we're disconnected, queue a reconnect. */
|
||||
+ /* If we're disconnected, queue an exit. */
|
||||
if ((tdb->conn_type != cm_tdbus_private) &&
|
||||
!dbus_connection_get_is_connected(conn)) {
|
||||
tevent_add_timer(talloc_parent(tdb), tdb,
|
||||
tevent_timeval_current(),
|
||||
- cm_tdbus_reconnect,
|
||||
+ cm_tdbus_disconnected,
|
||||
tdb);
|
||||
return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
|
||||
}
|
||||
@@ -745,7 +710,6 @@ cm_tdbus_setup_public(struct tevent_context *ec, enum cm_tdbus_type bus_type,
|
||||
DBusError err;
|
||||
const char *bus_desc;
|
||||
struct tdbus_connection *tdb;
|
||||
- dbus_bool_t exit_on_disconnect;
|
||||
|
||||
/* Build our own context. */
|
||||
tdb = talloc_ptrtype(ec, tdb);
|
||||
@@ -764,15 +728,11 @@ cm_tdbus_setup_public(struct tevent_context *ec, enum cm_tdbus_type bus_type,
|
||||
case cm_tdbus_system:
|
||||
conn = dbus_bus_get(DBUS_BUS_SYSTEM, error);
|
||||
cm_set_conn_ptr(data, conn);
|
||||
- /* Don't exit if we get disconnected. */
|
||||
- exit_on_disconnect = FALSE;
|
||||
bus_desc = "system";
|
||||
break;
|
||||
case cm_tdbus_session:
|
||||
conn = dbus_bus_get(DBUS_BUS_SESSION, error);
|
||||
cm_set_conn_ptr(data, conn);
|
||||
- /* Exit if we get disconnected. */
|
||||
- exit_on_disconnect = TRUE;
|
||||
bus_desc = "session";
|
||||
break;
|
||||
case cm_tdbus_private:
|
||||
@@ -784,7 +744,8 @@ cm_tdbus_setup_public(struct tevent_context *ec, enum cm_tdbus_type bus_type,
|
||||
talloc_free(tdb);
|
||||
return -1;
|
||||
}
|
||||
- dbus_connection_set_exit_on_disconnect(conn, exit_on_disconnect);
|
||||
+ /* Exit on disconnect is handled in cm_tdbus_disconnected(). */
|
||||
+ dbus_connection_set_exit_on_disconnect(conn, FALSE);
|
||||
tdb->conn = conn;
|
||||
tdb->conn_type = bus_type;
|
||||
tdb->data = data;
|
||||
--
|
||||
2.21.1
|
||||
|
@ -1,62 +0,0 @@
|
||||
From b63be96fd30d0a9fb2538e41509e8813620d5107 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Fri, 22 May 2020 12:58:44 -0400
|
||||
Subject: [PATCH] Include &message=CA-IDENT with GetCACaps and GetCACert
|
||||
requests
|
||||
|
||||
The guttman spec is quite unclear on this and in the GetCACaps
|
||||
section doesn't mention &message at all. It only appears in the
|
||||
generic GET requests section 4.1
|
||||
|
||||
The nourse spec is clearer and requires &message=CA-IDENT on
|
||||
GetCACaps requests.
|
||||
|
||||
AD 2012 R2 servers also require message on GetCACert requests.
|
||||
|
||||
This reverts much of 60a4db5796b0575ca2cc9f1af4ecb3fdc6359242
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1839181
|
||||
https://pagure.io/certmonger/issue/103
|
||||
---
|
||||
src/scep.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/scep.c b/src/scep.c
|
||||
index 4dde1ce..11ebd6f 100644
|
||||
--- a/src/scep.c
|
||||
+++ b/src/scep.c
|
||||
@@ -370,11 +370,11 @@ main(int argc, const char **argv)
|
||||
break;
|
||||
case op_get_ca_caps:
|
||||
/* Only step: read capabilities for the daemon. */
|
||||
- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
|
||||
+ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
|
||||
break;
|
||||
case op_get_ca_certs:
|
||||
/* First step: get the root certificate. */
|
||||
- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT);
|
||||
+ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT "&message=%s", id);
|
||||
break;
|
||||
case op_get_cert_initial:
|
||||
if ((racert == NULL) || (strlen(racert) == 0)) {
|
||||
@@ -393,7 +393,7 @@ main(int argc, const char **argv)
|
||||
goto done;
|
||||
}
|
||||
/* First step: read capabilities for our use. */
|
||||
- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
|
||||
+ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
|
||||
}
|
||||
break;
|
||||
case op_pkcsreq:
|
||||
@@ -413,7 +413,7 @@ main(int argc, const char **argv)
|
||||
goto done;
|
||||
}
|
||||
/* First step: read capabilities for our use. */
|
||||
- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
|
||||
+ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
|
||||
}
|
||||
break;
|
||||
}
|
||||
--
|
||||
2.25.4
|
||||
|
@ -7,9 +7,11 @@
|
||||
|
||||
%global sysvinitdir %{_initddir}
|
||||
|
||||
%bcond_without xmlrpc
|
||||
|
||||
Name: certmonger
|
||||
Version: 0.79.7
|
||||
Release: 14%{?dist}
|
||||
Version: 0.79.13
|
||||
Release: 2%{?dist}
|
||||
Summary: Certificate status monitor and PKI enrollment client
|
||||
|
||||
Group: System Environment/Daemons
|
||||
@ -17,6 +19,9 @@ License: GPLv3+
|
||||
URL: http://pagure.io/certmonger/
|
||||
Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
|
||||
|
||||
Patch0001: 0001-Don-t-run-the-002-keygen-tests-when-root.patch
|
||||
Patch0002: 0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch
|
||||
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: gettext-devel
|
||||
@ -31,7 +36,11 @@ BuildRequires: openssl-devel
|
||||
BuildRequires: libuuid-devel
|
||||
BuildRequires: libtalloc-devel, libtevent-devel
|
||||
BuildRequires: libcurl-devel
|
||||
BuildRequires: libxml2-devel, xmlrpc-c-devel
|
||||
BuildRequires: libxml2-devel
|
||||
%if %{with xmlrpc}
|
||||
BuildRequires: xmlrpc-c-devel
|
||||
%endif
|
||||
BuildRequires: jansson-devel
|
||||
# Required for 'make check':
|
||||
# for diff and cmp
|
||||
BuildRequires: diffutils
|
||||
@ -51,7 +60,7 @@ BuildRequires: /usr/bin/which
|
||||
BuildRequires: popt-devel
|
||||
# for make check
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: krb5-devel
|
||||
BuildRequires: krb5-devel
|
||||
|
||||
# we need a running system bus
|
||||
Requires: dbus
|
||||
@ -80,74 +89,13 @@ Requires(post): /sbin/chkconfig, /sbin/service
|
||||
Requires(preun): /sbin/chkconfig, /sbin/service, dbus, sed
|
||||
%endif
|
||||
|
||||
Patch1: 0001-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch
|
||||
Patch2: 0002-Convert-tests-to-use-python3.patch
|
||||
Patch18: 0018-clang-more-Dead-assignment.patch
|
||||
Patch19: 0019-clang-more-Memory-leaks.patch
|
||||
Patch20: 0020-clang-Avoid-buffer-overflow.patch
|
||||
Patch21: 0021-clang-Garbage-value-possible.patch
|
||||
Patch22: 0022-Uninitialized-variable.patch
|
||||
Patch23: 0023-merge-into-clang-more-Memory-leaks.patch
|
||||
Patch24: 0024-Add-missing-return-type-declaration.patch
|
||||
Patch25: 0025-Discards-const-qualifier.patch
|
||||
Patch26: 0026-Optimize-closing-open-file-descriptors.patch
|
||||
Patch27: 0027-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch
|
||||
Patch28: 0028-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch
|
||||
Patch29: 0029-Remove-NOMODDB-flag-flag-from-context-init-look-for-.patch
|
||||
Patch30: 0030-Update-tests-to-include-the-security-module-DB-in-ex.patch
|
||||
Patch31: 0031-Try-to-pull-the-entire-CA-chain-from-IPA.patch
|
||||
Patch32: 0032-Fix-use-after-free-issue.patch
|
||||
Patch33: 0033-Improve-logging-in-SCEP-helper.patch
|
||||
Patch34: 0034-Add-verbose-option-to-SCEP-CA-if-requested-in-add-sc.patch
|
||||
Patch35: 0035-Cleanup-the-SCEP-helper-curl-and-talloc-contexts-whe.patch
|
||||
Patch36: 0036-Re-order-the-way-the-SCEP-signing-and-CA-certs-are-c.patch
|
||||
Patch37: 0037-Add-new-option-to-allow-overriding-the-detected-SCEP.patch
|
||||
Patch38: 0038-Include-template-profile-issuer-and-MS-cert-template.patch
|
||||
Patch39: 0039-Fix-broken-N-option-configuration.patch
|
||||
Patch40: 0040-Address-an-include-issue-discovered-by-coverity.patch
|
||||
Patch41: 0041-Ensure-that-files-read-in-have-a-trailing-new-line.patch
|
||||
Patch42: 0042-Add-long-command-line-options-to-man-pages.patch
|
||||
Patch43: 0043-Add-long-options-to-command-line-help.patch
|
||||
Patch44: 0044-Adapt-to-the-new-behavior-of-disconnect-in-dbus-brok.patch
|
||||
Patch45: 0045-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch
|
||||
|
||||
|
||||
%description
|
||||
Certmonger is a service which is primarily concerned with getting your
|
||||
system enrolled with a certificate authority (CA) and keeping it enrolled.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
%patch21 -p1
|
||||
%patch22 -p1
|
||||
%patch23 -p1
|
||||
%patch24 -p1
|
||||
%patch25 -p1
|
||||
%patch26 -p1
|
||||
%patch27 -p1
|
||||
%patch28 -p1
|
||||
%patch29 -p1
|
||||
%patch30 -p1
|
||||
%patch31 -p1
|
||||
%patch32 -p1
|
||||
%patch33 -p1
|
||||
%patch34 -p1
|
||||
%patch35 -p1
|
||||
%patch36 -p1
|
||||
%patch37 -p1
|
||||
%patch38 -p1
|
||||
%patch39 -p1
|
||||
%patch40 -p1
|
||||
%patch41 -p1
|
||||
%patch42 -p1
|
||||
%patch43 -p1
|
||||
%patch44 -p1
|
||||
%patch45 -p1
|
||||
%autosetup -p1
|
||||
|
||||
%build
|
||||
autoreconf -i -f
|
||||
@ -162,10 +110,17 @@ autoreconf -i -f
|
||||
--enable-tmpfiles \
|
||||
%endif
|
||||
--with-homedir=/run/certmonger \
|
||||
%if %{with xmlrpc}
|
||||
--with-xmlrpc \
|
||||
%endif
|
||||
--with-tmpdir=/run/certmonger --enable-pie --enable-now
|
||||
%if %{with xmlrpc}
|
||||
# For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
|
||||
# tell us about libxmlrpc_client, but we need more. Work around.
|
||||
make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc"
|
||||
%else
|
||||
make %{?_smp_mflags}
|
||||
%endif
|
||||
|
||||
%install
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
@ -185,6 +140,12 @@ make check
|
||||
if test $1 -eq 1 ; then
|
||||
%{_bindir}/dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig 2>&1 || :
|
||||
fi
|
||||
%if %{without xmlrpc}
|
||||
# remove any existing certmaster CA configuration
|
||||
if test $1 -gt 1 ; then
|
||||
%{_bindir}/getcert remove-ca -c certmaster 2>&1 || :
|
||||
fi
|
||||
%endif
|
||||
%if %{systemd}
|
||||
if test $1 -eq 1 ; then
|
||||
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
|
||||
@ -274,6 +235,16 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Nov 10 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-2
|
||||
- Rebuild with xmlrpc-c support enabled (#1687698)
|
||||
|
||||
* Wed Oct 28 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-1
|
||||
- Rebase to 0.79.13 (#1891743)
|
||||
|
||||
* Thu Jul 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-15
|
||||
- Replace the previous fix for dbus restarting with PartOf in the
|
||||
certmonger systemd service file to link the two (#1687698)
|
||||
|
||||
* Tue Jun 2 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-14
|
||||
- Include &message=CA-IDENT with GetCACaps/GetCACert requests (#1843009)
|
||||
|
||||
|
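Review bot: In the new `%if %{without xmlrpc}` block of the `%post` scriptlet (hunk `@ -185,6 +140,12 @@`), `%{_bindir}/getcert remove-ca -c certmaster 2>&1 || :` does not discard output — `2>&1` only merges stderr into stdout, so any D-Bus or daemon error from getcert is still printed during the rpm transaction, unlike the `systemctl` line a few lines below that uses `>/dev/null 2>&1 || :`. The new line should follow the same pattern: `%{_bindir}/getcert remove-ca -c certmaster >/dev/null 2>&1 || :`. getcert needs a reachable certmonger service on the system bus when `%post` runs, so on an upgrade this presumably talks to the still-running old daemon or triggers its bus activation; a short comment above the call, e.g. `# best-effort: requires the system bus and a reachable certmonger; failures are ignored`, would make that intent explicit. With the default `%bcond_without xmlrpc` (and the 0.79.13-2 changelog entry saying xmlrpc-c support is enabled) this block is compiled out of the shipped build and only matters for a `--without xmlrpc` rebuild, which is worth stating in the same comment. The `%post` scriptlet itself starts before this hunk, and the section's file header is not visible in this view.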