rpms
/
certmonger
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: rpms:3daa648b6be22a9acd727d24f8adcad7b948309f
Branches Tags
rpms:c8
rpms:c9
rpms:c9-beta
rpms:c9s
rpms:c8-beta
rpms:c8s
rpms:imports/c9/certmonger-0.79.17-2.el9
rpms:imports/c8/certmonger-0.79.17-2.el8
rpms:imports/c9/certmonger-0.79.17-1.el9
rpms:imports/c9-beta/certmonger-0.79.17-1.el9
rpms:imports/c8-beta/certmonger-0.79.17-2.el8
rpms:imports/c8s/certmonger-0.79.17-2.el8
rpms:imports/c9/certmonger-0.79.14-7.el9
rpms:imports/c9-beta/certmonger-0.79.14-7.el9
rpms:imports/c9/certmonger-0.79.14-5.el9
rpms:imports/c8/certmonger-0.79.13-5.el8
rpms:imports/c8-beta/certmonger-0.79.13-5.el8
rpms:imports/c9-beta/certmonger-0.79.14-5.el9
rpms:imports/c9-beta/certmonger-0.79.14-3.el9
rpms:imports/c8s/certmonger-0.79.13-5.el8
rpms:imports/c8/certmonger-0.79.13-3.el8
rpms:imports/c8s/certmonger-0.79.13-4.el8
rpms:imports/c8-beta/certmonger-0.79.13-2.el8
rpms:imports/c8-beta/certmonger-0.79.7-14.el8
rpms:imports/c8-beta/certmonger-0.79.7-3.el8
rpms:imports/c8s/certmonger-0.79.13-2.el8
rpms:imports/c8s/certmonger-0.79.7-15.el8
rpms:imports/c8s/certmonger-0.79.7-14.el8
rpms:imports/c8s/certmonger-0.79.7-13.el8
rpms:imports/c8s/certmonger-0.79.7-6.el8
rpms:imports/c8/certmonger-0.79.13-2.el8
rpms:imports/c8/certmonger-0.79.7-15.el8
rpms:imports/c8/certmonger-0.79.7-6.el8
rpms:imports/c8/certmonger-0.79.7-3.el8
rpms:imports/c8/certmonger-0.79.6-5.el8
...
compare: rpms:1ae2cc706edd1ce94a49c8a53be61329641b2e3c
Branches Tags
rpms:c9
rpms:c9-beta
rpms:c9s
rpms:c8
rpms:c8-beta
rpms:c8s
rpms:imports/c9/certmonger-0.79.17-2.el9
rpms:imports/c8/certmonger-0.79.17-2.el8
rpms:imports/c9/certmonger-0.79.17-1.el9
rpms:imports/c9-beta/certmonger-0.79.17-1.el9
rpms:imports/c8-beta/certmonger-0.79.17-2.el8
rpms:imports/c8s/certmonger-0.79.17-2.el8
rpms:imports/c9/certmonger-0.79.14-7.el9
rpms:imports/c9-beta/certmonger-0.79.14-7.el9
rpms:imports/c9/certmonger-0.79.14-5.el9
rpms:imports/c8/certmonger-0.79.13-5.el8
rpms:imports/c8-beta/certmonger-0.79.13-5.el8
rpms:imports/c9-beta/certmonger-0.79.14-5.el9
rpms:imports/c9-beta/certmonger-0.79.14-3.el9
rpms:imports/c8s/certmonger-0.79.13-5.el8
rpms:imports/c8/certmonger-0.79.13-3.el8
rpms:imports/c8s/certmonger-0.79.13-4.el8
rpms:imports/c8-beta/certmonger-0.79.13-2.el8
rpms:imports/c8-beta/certmonger-0.79.7-14.el8
rpms:imports/c8-beta/certmonger-0.79.7-3.el8
rpms:imports/c8s/certmonger-0.79.13-2.el8
rpms:imports/c8s/certmonger-0.79.7-15.el8
rpms:imports/c8s/certmonger-0.79.7-14.el8
rpms:imports/c8s/certmonger-0.79.7-13.el8
rpms:imports/c8s/certmonger-0.79.7-6.el8
rpms:imports/c8/certmonger-0.79.13-2.el8
rpms:imports/c8/certmonger-0.79.7-15.el8
rpms:imports/c8/certmonger-0.79.7-6.el8
rpms:imports/c8/certmonger-0.79.7-3.el8
rpms:imports/c8/certmonger-0.79.6-5.el8

10 Commits
3daa648b6b ... 1ae2cc706e

Author SHA1 Message Date
Rob Crittenden 1ae2cc706e Rebase to upstream 0.79.17 2023-05-18 10:31:30 +00:00
Rob Crittenden 247b3ff94d 0.79.14-7 
- Disable support for DSA keys (#2066439)

It causes a segmentation error in FIPS mode and doesn't work with
default policy.

Resolves: #2066439
 2022-04-08 14:27:48 -04:00
Rob Crittenden 010cc6087f 0.79.14-6 
- Certificate format validation when adding the SCEP server's CA
  (#1492112)
- Replace some SHA1 usages with SHA256 in the unit tests needed
  becaus of OpenSSL 3 update

Resolves: #1492112
 2022-03-17 16:13:46 -04:00
Rob Crittenden ea4ff2c97f 0.79.14-5 
- Certmonger SCEP renewal should not use old challenges (#1990926)
- Certmonger certificates stuck in NEED_GUIDANCE (#2001082)
- certmonger creates CSRs with invalid DER syntax for X509v3 extensions
  with critical=FALSE (#2012261)
- Re-enable 003-csrgen test

Resolves: #1990926, #2001082, #2012261
 2021-10-11 09:16:10 -04:00
Rob Crittenden 148ef5cdf6 0.79.14-4 
- Fix FTBFS due to change in OpenSSL 3.0.0-beta2 API

Resolves: #2008451
 2021-09-28 13:30:48 -04:00
Mohan Boddu 496758426b Rebuilt for IMA sigs, glibc 2.34, aarch64 flags 
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
 2021-08-09 19:34:59 +00:00
Rob Crittenden 20cf69589a 0.79.14-2 
- Re-enable LTO

Resolves: #1986099
 2021-07-28 13:31:28 -04:00
Kaleemullah Siddiqui 3d836c474c Missing tier0 gating tests added 
Tier0 tests were part of RHEL8 which were
not added in RHEL9 in following
commit 96aed6bf63
Now added with this change which will execute
the tier0 tests in osci

Related: rhbz#1947473

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
 2021-06-22 15:43:19 +05:30
Rob Crittenden 30316ac150 Rebase to upstream 0.79.14 
Resolves: #1969537
 2021-06-21 11:57:31 -04:00
Mohan Boddu 15670d850d Rebuilt for RHEL 9 BETA for openssl 3.0 
Related: rhbz#1971065
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
 2021-06-16 03:22:49 +00:00
25 changed files with 224 additions and 206465 deletions
Show Stats Expand all files Collapse all files

1
.certmonger.metadata Normal file
View File

@ -0,0 +1 @@
ab77485e556d96c5c2b885ee3d0f27794276dfee certmonger-0.79.17.tar.gz

2
.gitignore vendored
View File

@ -130,3 +130,5 @@ certmonger-0.28.tar.gz
/certmonger-0.79.11.tar.gz
/certmonger-0.79.12.tar.gz
/certmonger-0.79.13.tar.gz
/certmonger-0.79.14.tar.gz
/certmonger-0.79.17.tar.gz

29
0001-Don-t-free-soptions-while-it-is-still-needed.patch
View File

@ -1,29 +0,0 @@
From c5270bde4dab84f18c347e82376ef00733865247 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 1 Jul 2020 10:46:50 -0400
Subject: [PATCH] Don't free soptions while it is still needed
Introduced in fbcf03dd44007a9b231e9396cc418a00e1a4b49a trying
to avoid leaking soptions and aoptions.
https://pagure.io/certmonger/issue/163
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/dogtag.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/dogtag.c b/src/dogtag.c
index 91c9c588..faf81f97 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -579,7 +579,6 @@ main(int argc, const char **argv)
pin = NULL;
}
}
- free(soptions);
/* Add client creds. */
if (uid != NULL) {
uid = cm_submit_u_url_encode(uid);
--
2.25.4

38
0001-Fix-local-CA-to-work-under-FIPS.patch
View File

@ -1,38 +0,0 @@
From 62a6634867db5d9f79b613055b8788136d4cb41d Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Wed, 14 Apr 2021 15:34:48 -0400
Subject: [PATCH] Fix local CA to work under FIPS
The PKCS12 file used for the local CA fails to be created because
it uses default OpenSSL encryption algorithms that are disallowed
under FIPS. This patch simply updates the PKCS12_create() command
to use allowed encryption algorithms.
---
src/local.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/local.c b/src/local.c
index 92bea144..2f50ac77 100644
--- a/src/local.c
+++ b/src/local.c
@@ -39,6 +39,7 @@
#include <openssl/asn1.h>
#include <openssl/err.h>
+#include <openssl/obj_mac.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
#include <openssl/rand.h>
@@ -372,7 +373,8 @@ get_signer_info(void *parent, char *localdir, X509 ***roots,
return CM_SUBMIT_STATUS_UNREACHABLE;
}
p12 = PKCS12_create(NULL, CONSTANTCN, *signer_key, *signer_cert,
- cas, 0, 0, 0, 0, 0);
+ cas, NID_aes_128_cbc, NID_aes_128_cbc,
+ 0, 0, 0);
if (p12 != NULL) {
if (!i2d_PKCS12_fp(fp, p12)) {
fclose(fp);
--
2.26.3

28
0002-Don-t-send-SIGKILL-to-children-give-them-a-chance-to.patch
View File

@ -1,28 +0,0 @@
From 00e948049acf0ca1b61ed9c2b8579b06b4bcb46a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 18 Aug 2020 14:33:17 -0400
Subject: [PATCH 02/11] Don't send SIGKILL to children, give them a chance to
die
This was causing issues in IPA which uses a lock file to
serialize some operations. The kill was leaving the lock in
place causing things to time out.
---
src/subproc.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/subproc.c b/src/subproc.c
index 8df836ae..70d4ed93 100644
--- a/src/subproc.c
+++ b/src/subproc.c
@@ -240,7 +240,6 @@ cm_subproc_done(struct cm_subproc_state *state)
if (state != NULL) {
if (state->pid != -1) {
- kill(state->pid, SIGKILL);
do {
pid = waitpid(state->pid, &state->status, 0);
cm_log(4, "Waited for %ld, got %ld.\n",
--
2.25.4

573
0002-candidate-openssl-3.0-compat-fixes.patch
View File

@ -1,573 +0,0 @@
From 3fb9420e843694567a4976c6d5fbe4551d6e0c99 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 18 May 2021 15:40:53 -0400
Subject: [PATCH 1/3] candidate openssl 3.0 compat fixes
---
src/keyiread-o.c | 16 +++++--
src/util-o.c | 2 +
tests/001-keyiread-ec/run.sh | 2 +-
tests/001-keyiread-rsa/run.sh | 2 +-
tests/001-keyiread/run.sh | 2 +-
tests/002-keygen-sql/prequal.sh | 5 +++
tests/002-keygen/run.sh | 2 +-
tests/003-csrgen-ec/run.sh | 2 +-
tests/003-csrgen-rsa/run.sh | 2 +-
tests/003-csrgen/run.sh | 2 +-
tests/004-selfsign-ec/run.sh | 2 +-
tests/004-selfsign-rsa/run.sh | 2 +-
tests/004-selfsign/run.sh | 2 +-
tests/025-casave/run.sh | 2 +-
tests/026-local/expected.openssl1 | 73 ++++++++++++++++++++++++++++++
tests/026-local/expected.openssl3 | 68 ++++++++++++++++++++++++++++
tests/026-local/expected.out | 74 +------------------------------
tests/026-local/run.sh | 11 ++++-
tests/030-rekey/expected.out | 4 --
tests/030-rekey/run.sh | 10 +----
tests/036-getcert/run.sh | 2 +-
21 files changed, 184 insertions(+), 103 deletions(-)
create mode 100755 tests/002-keygen-sql/prequal.sh
create mode 100644 tests/026-local/expected.openssl1
create mode 100644 tests/026-local/expected.openssl3
diff --git a/src/keyiread-o.c b/src/keyiread-o.c
index 9fceacf6..51f7f829 100644
--- a/src/keyiread-o.c
+++ b/src/keyiread-o.c
@@ -182,9 +182,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
pubikey = cm_store_hex_from_bin(NULL, tmp, length);
}
tmp = NULL;
- length = i2d_PublicKey(pkey, (unsigned char **) &tmp);
+ length = i2d_PublicKey(pkey, NULL);
if (length > 0) {
- pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+ tmp = malloc(length);
+ if (tmp != NULL) {
+ length = i2d_PublicKey(pkey, (unsigned char **) &tmp);
+ pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+ }
}
}
fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey);
@@ -219,9 +223,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
pubikey = cm_store_hex_from_bin(NULL, tmp, length);
}
tmp = NULL;
- length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp);
+ length = i2d_PublicKey(nextpkey, NULL);
if (length > 0) {
- pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+ tmp = malloc(length);
+ if (tmp != NULL) {
+ length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp);
+ pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+ }
}
fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey);
} else {
diff --git a/src/util-o.c b/src/util-o.c
index 0415014a..2208ab64 100644
--- a/src/util-o.c
+++ b/src/util-o.c
@@ -46,6 +46,7 @@
void
util_o_init(void)
{
+#if OPENSSL_VERSION_MAJOR < 3
#if defined(HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS
OpenSSL_add_all_algorithms();
#elif defined(HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS
@@ -53,6 +54,7 @@ util_o_init(void)
#else
SSL_library_init();
#endif
+#endif
}
char *
diff --git a/tests/001-keyiread-ec/run.sh b/tests/001-keyiread-ec/run.sh
index 3045f6d0..8a810d15 100755
--- a/tests/001-keyiread-ec/run.sh
+++ b/tests/001-keyiread-ec/run.sh
@@ -18,7 +18,7 @@ for size in nistp256 nistp384 nistp521 ; do
EOF
$toolsdir/keyiread entry.nss.$size
# Export the key.
- if ! pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then
+ if ! pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then
echo Error exporting key for $size, continuing.
continue
fi
diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh
index c6b4d38b..997ce000 100755
--- a/tests/001-keyiread-rsa/run.sh
+++ b/tests/001-keyiread-rsa/run.sh
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u -k rsa
# Export the key.
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
cat > entry.openssl.$size <<- EOF
key_storage_type=FILE
diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh
index 25acdbd8..3a2502a6 100755
--- a/tests/001-keyiread/run.sh
+++ b/tests/001-keyiread/run.sh
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u
# Export the key.
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
cat > entry.openssl.$size <<- EOF
key_storage_type=FILE
diff --git a/tests/002-keygen-sql/prequal.sh b/tests/002-keygen-sql/prequal.sh
new file mode 100755
index 00000000..d146a650
--- /dev/null
+++ b/tests/002-keygen-sql/prequal.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+if test `id -u` -eq 0 ; then
+ echo "This test won't work right if run as root."
+ exit 1
+fi
diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh
index 8bb609c5..e7e6525f 100755
--- a/tests/002-keygen/run.sh
+++ b/tests/002-keygen/run.sh
@@ -2,7 +2,7 @@
cd "$tmpdir"
-scheme="${scheme:-dbm:}"
+scheme="${scheme:-sql:}"
source "$srcdir"/functions
initnssdb "$scheme$tmpdir"
diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh
index 91117ec8..408ea526 100755
--- a/tests/003-csrgen-ec/run.sh
+++ b/tests/003-csrgen-ec/run.sh
@@ -12,7 +12,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
-x -t u -k ec -q $size
# Export the key.
-pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1 | ( grep -v '^MAC verified OK$' || : )
# Read the public key and cache it.
cat > entry.openssl.$size <<- EOF
diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
index bb8ebecb..9c11c708 100755
--- a/tests/003-csrgen-rsa/run.sh
+++ b/tests/003-csrgen-rsa/run.sh
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u -k rsa
# Export the key.
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v '^MAC verified OK$' || : )
# Read the public key and cache it.
cat > entry.openssl.$size <<- EOF
diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
index d3dfbaf0..2a674679 100755
--- a/tests/003-csrgen/run.sh
+++ b/tests/003-csrgen/run.sh
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u
# Export the key.
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v "^MAC verified OK$" || : )
# Read the public key and cache it.
cat > entry.openssl.$size <<- EOF
diff --git a/tests/004-selfsign-ec/run.sh b/tests/004-selfsign-ec/run.sh
index 9d5bd11f..d1161fe5 100755
--- a/tests/004-selfsign-ec/run.sh
+++ b/tests/004-selfsign-ec/run.sh
@@ -39,7 +39,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
-x -t u -k ec -q $size
# Export the certificate and key.
-pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
# Read that OpenSSL key.
cat > entry.$size <<- EOF
diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh
index c1dd4c80..b0cc71d2 100755
--- a/tests/004-selfsign-rsa/run.sh
+++ b/tests/004-selfsign-rsa/run.sh
@@ -39,7 +39,7 @@ for size in 2048 3072 4096 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u -k rsa
# Export the certificate and key.
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
# Read that OpenSSL key.
cat > entry.$size <<- EOF
diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh
index eb1df4ee..ea00f4d7 100755
--- a/tests/004-selfsign/run.sh
+++ b/tests/004-selfsign/run.sh
@@ -49,7 +49,7 @@ for size in 2048 3072 4096 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u
# Export the certificate and key.
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
# Read that OpenSSL key.
cat > entry.$size <<- EOF
diff --git a/tests/025-casave/run.sh b/tests/025-casave/run.sh
index d81df82f..089d8223 100755
--- a/tests/025-casave/run.sh
+++ b/tests/025-casave/run.sh
@@ -2,7 +2,7 @@
cd $tmpdir
-scheme="${scheme:-dbm}"
+scheme="${scheme:-sql}"
cat > $tmpdir/entrycb1 <<- EOF
id=EntryCB1
ca_name=CAB1
diff --git a/tests/026-local/expected.openssl1 b/tests/026-local/expected.openssl1
new file mode 100644
index 00000000..1f81c7ce
--- /dev/null
+++ b/tests/026-local/expected.openssl1
@@ -0,0 +1,73 @@
+[key]
+OK.
+[csr]
+Certificate Request:
+ Data:
+ Version: 1 (0x0)
+ Subject: CN=Babs Jensen's Signer
+ Attributes:
+ friendlyName :unable to print attribute
+ Requested Extensions:
+ X509v3 Key Usage:
+ Digital Signature, Certificate Sign, CRL Sign
+ X509v3 Subject Alternative Name:
+ email:root@localhost, email:root@localhost.localdomain
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Authority Key Identifier:
+ keyid:(160 bits)
+
+ X509v3 Subject Key Identifier:
+ (160 bits)
+ Authority Information Access:
+ OCSP - URI:http://ocsp-1.example.com:12345
+ OCSP - URI:http://ocsp-2.example.com:12345
+
+ OCSP No Check:
+
+[issue]
+[issuer]
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Local Signing Authority, CN=$UUID
+ Subject: CN=Local Signing Authority, CN=$UUID
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ (160 bits)
+ X509v3 Authority Key Identifier:
+ keyid:(160 bits)
+
+ X509v3 Key Usage: critical
+ Digital Signature, Certificate Sign, CRL Sign
+[subject]
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Local Signing Authority, CN=$UUID
+ Subject: CN=Babs Jensen's Signer
+ X509v3 extensions:
+ X509v3 Key Usage:
+ Digital Signature, Certificate Sign, CRL Sign
+ X509v3 Subject Alternative Name:
+ email:root@localhost, email:root@localhost.localdomain
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Authority Key Identifier:
+ keyid:(160 bits)
+
+ X509v3 Subject Key Identifier:
+ (160 bits)
+ Authority Information Access:
+ OCSP - URI:http://ocsp-1.example.com:12345
+ OCSP - URI:http://ocsp-2.example.com:12345
+
+ OCSP No Check:
+
+[verify]
+cert: OK
+OK.
diff --git a/tests/026-local/expected.openssl3 b/tests/026-local/expected.openssl3
new file mode 100644
index 00000000..05666ccc
--- /dev/null
+++ b/tests/026-local/expected.openssl3
@@ -0,0 +1,68 @@
+[key]
+OK.
+[csr]
+Certificate Request:
+ Data:
+ Version: 1 (0x0)
+ Subject: CN=Babs Jensen's Signer
+ Attributes:
+ friendlyName :unable to print attribute
+ Requested Extensions:
+ X509v3 Key Usage:
+ Digital Signature, Certificate Sign, CRL Sign
+ X509v3 Subject Alternative Name:
+ email:root@localhost, email:root@localhost.localdomain
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Authority Key Identifier:
+ (160 bits)
+ X509v3 Subject Key Identifier:
+ (160 bits)
+ Authority Information Access:
+ OCSP - URI:http://ocsp-1.example.com:12345
+ OCSP - URI:http://ocsp-2.example.com:12345
+ OCSP No Check:
+
+[issue]
+[issuer]
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Local Signing Authority, CN=$UUID
+ Subject: CN=Local Signing Authority, CN=$UUID
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ (160 bits)
+ X509v3 Authority Key Identifier:
+ (160 bits)
+ X509v3 Key Usage: critical
+ Digital Signature, Certificate Sign, CRL Sign
+[subject]
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Local Signing Authority, CN=$UUID
+ Subject: CN=Babs Jensen's Signer
+ X509v3 extensions:
+ X509v3 Key Usage:
+ Digital Signature, Certificate Sign, CRL Sign
+ X509v3 Subject Alternative Name:
+ email:root@localhost, email:root@localhost.localdomain
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Authority Key Identifier:
+ (160 bits)
+ X509v3 Subject Key Identifier:
+ (160 bits)
+ Authority Information Access:
+ OCSP - URI:http://ocsp-1.example.com:12345
+ OCSP - URI:http://ocsp-2.example.com:12345
+ OCSP No Check:
+
+[verify]
+cert: OK
+OK.
diff --git a/tests/026-local/expected.out b/tests/026-local/expected.out
index 1f81c7ce..64afb8f5 100644
--- a/tests/026-local/expected.out
+++ b/tests/026-local/expected.out
@@ -1,73 +1 @@
-[key]
-OK.
-[csr]
-Certificate Request:
- Data:
- Version: 1 (0x0)
- Subject: CN=Babs Jensen's Signer
- Attributes:
- friendlyName :unable to print attribute
- Requested Extensions:
- X509v3 Key Usage:
- Digital Signature, Certificate Sign, CRL Sign
- X509v3 Subject Alternative Name:
- email:root@localhost, email:root@localhost.localdomain
- X509v3 Basic Constraints: critical
- CA:TRUE
- X509v3 Authority Key Identifier:
- keyid:(160 bits)
-
- X509v3 Subject Key Identifier:
- (160 bits)
- Authority Information Access:
- OCSP - URI:http://ocsp-1.example.com:12345
- OCSP - URI:http://ocsp-2.example.com:12345
-
- OCSP No Check:
-
-[issue]
-[issuer]
-Certificate:
- Data:
- Version: 3 (0x2)
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: CN=Local Signing Authority, CN=$UUID
- Subject: CN=Local Signing Authority, CN=$UUID
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:TRUE
- X509v3 Subject Key Identifier:
- (160 bits)
- X509v3 Authority Key Identifier:
- keyid:(160 bits)
-
- X509v3 Key Usage: critical
- Digital Signature, Certificate Sign, CRL Sign
-[subject]
-Certificate:
- Data:
- Version: 3 (0x2)
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: CN=Local Signing Authority, CN=$UUID
- Subject: CN=Babs Jensen's Signer
- X509v3 extensions:
- X509v3 Key Usage:
- Digital Signature, Certificate Sign, CRL Sign
- X509v3 Subject Alternative Name:
- email:root@localhost, email:root@localhost.localdomain
- X509v3 Basic Constraints: critical
- CA:TRUE
- X509v3 Authority Key Identifier:
- keyid:(160 bits)
-
- X509v3 Subject Key Identifier:
- (160 bits)
- Authority Information Access:
- OCSP - URI:http://ocsp-1.example.com:12345
- OCSP - URI:http://ocsp-2.example.com:12345
-
- OCSP No Check:
-
-[verify]
-cert: OK
-OK.
+# purposely empty
diff --git a/tests/026-local/run.sh b/tests/026-local/run.sh
index 6f0e74c9..3e7ade56 100755
--- a/tests/026-local/run.sh
+++ b/tests/026-local/run.sh
@@ -1,4 +1,13 @@
-#!/bin/bash -e
+#!/bin/bash
+
+openssl cmp -h > /dev/null 2>&1
+if [ $? == 1 ]; then
+ cp expected.openssl1 expected.out
+else
+ cp expected.openssl3 expected.out
+fi
+
+set -e
cd $tmpdir
diff --git a/tests/030-rekey/expected.out b/tests/030-rekey/expected.out
index e9a04221..8a9ac3fa 100644
--- a/tests/030-rekey/expected.out
+++ b/tests/030-rekey/expected.out
@@ -11,7 +11,6 @@ key_requested_count=0
(submit OpenSSL)
key_issued_count=0
key_requested_count=1
-First round certificates OK.
NSS keys before re-keygen (preserve=1,pin=""):
<-> rsa originalhex NSS Certificate DB:i2048
key_issued_count=0
@@ -98,7 +97,6 @@ key_requested_count=0
(submit OpenSSL)
key_issued_count=0
key_requested_count=1
-First round certificates OK.
NSS keys before re-keygen (preserve=1,pin="password"):
<-> rsa originalhex NSS Certificate DB:i2048
key_issued_count=0
@@ -185,7 +183,6 @@ key_requested_count=0
(submit OpenSSL)
key_issued_count=0
key_requested_count=1
-First round certificates OK.
NSS keys before re-keygen (preserve=0,pin=""):
<-> rsa originalhex NSS Certificate DB:i2048
key_issued_count=0
@@ -270,7 +267,6 @@ key_requested_count=0
(submit OpenSSL)
key_issued_count=0
key_requested_count=1
-First round certificates OK.
NSS keys before re-keygen (preserve=0,pin="password"):
<-> rsa originalhex NSS Certificate DB:i2048
key_issued_count=0
diff --git a/tests/030-rekey/run.sh b/tests/030-rekey/run.sh
index 07fea683..7b9125ec 100755
--- a/tests/030-rekey/run.sh
+++ b/tests/030-rekey/run.sh
@@ -31,7 +31,7 @@ for preserve in 1 0 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u -m 4660 -f pinfile
# Export the certificate and key.
- pk12util -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -passin pass: -nocerts -passout pass:${pin:- -nodes} | awk '/^-----BEGIN/,/^-----END/{print}' > keyi$size
openssl pkcs12 -in $size.p12 -passin pass: -nokeys -nodes | awk '/^-----BEGIN/,/^-----END/{print}' > certi$size
# Grab a copy of the public key.
@@ -101,14 +101,6 @@ for preserve in 1 0 ; do
echo '(submit OpenSSL)'
$toolsdir/submit ca.self entry.openssl.$size > cert.openssl.$size
grep ^key.\*count= entry.openssl.$size | LANG=C sort
- # Now compare the self-signed certificates built from the keys.
- if ! cmp cert.nss.$size cert.openssl.$size ; then
- echo First round certificates differ:
- cat cert.nss.$size cert.openssl.$size
- exit 1
- else
- echo First round certificates OK.
- fi
# Now generate new keys, CSRs, and certificates (NSS).
echo "NSS keys before re-keygen (preserve=$preserve,pin=\"$pin\"):"
diff --git a/tests/036-getcert/run.sh b/tests/036-getcert/run.sh
index 1c99803d..bcb821d7 100755
--- a/tests/036-getcert/run.sh
+++ b/tests/036-getcert/run.sh
@@ -51,7 +51,7 @@ listdb() {
}
extract() {
- pk12util -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K ""
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K ""
openssl pkcs12 -nokeys -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/cert
openssl pkcs12 -nocerts -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/key
echo -n cert:
--
2.26.3

204174
0003-Remove-empty-translation-files.patch
View File

File diff suppressed because it is too large Load Diff

34
0003-Temporarily-disable-the-csrgen-tests.patch
View File

@ -1,34 +0,0 @@
From 0228a6e2d2ef28ab26a722ed893dc8eed4e751fe Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 18 May 2021 18:03:52 -0400
Subject: [PATCH 2/3] Temporarily disable the csrgen tests
They fail due to BZ https://bugzilla.redhat.com/show_bug.cgi?id=1961687
---
tests/Makefile.am | 3 ---
1 file changed, 3 deletions(-)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 013d34bf..f53bb4cd 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -359,8 +359,6 @@ subdirs = \
001-keyiread \
001-keyiread-rsa \
002-keygen-rsa \
- 003-csrgen \
- 003-csrgen-rsa \
004-selfsign \
004-selfsign-rsa \
005-dbusm \
@@ -425,7 +423,6 @@ if HAVE_EC
subdirs += \
001-keyiread-ec \
002-keygen-ec \
- 003-csrgen-ec \
004-selfsign-ec
endif
--
2.26.3

28
0004-remove-dead-make-targets.patch
View File

@ -1,28 +0,0 @@
From 93974735c31e653acc0d3de7e1cb165dbe764aef Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 16 Sep 2020 15:49:00 +1000
Subject: [PATCH 04/11] remove dead make targets
Commit 13abd68c7b862719e7b0ed065906cc28c6157a41 removed some files,
but left dangling references to those files in tests/Makefile.am,
breaking the build. Delete references to the deleted files.
---
tests/Makefile.am | 2 --
1 file changed, 2 deletions(-)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index c1ce8412..013d34bf 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -156,8 +156,6 @@ EXTRA_DIST = \
002-keygen-dsa/prequal.sh \
002-keygen-dsa/run.sh \
002-keygen-dsa/expected.out \
- 002-keygen-dsa/expected.out.2 \
- 002-keygen-dsa/expected.out.3 \
002-keygen-ec/prequal.sh \
002-keygen-ec/run.sh \
002-keygen-ec/expected.out \
--
2.25.4

201
0005-Require-jansson-for-IPA-RPC-calls-make-xmlrpc-option.patch
View File

@ -1,201 +0,0 @@
From 1de7c2e7d4f3557bb45b9526016b766c7119c6ad Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 20 Aug 2020 16:52:13 -0400
Subject: [PATCH 05/11] Require jansson for IPA RPC calls, make xmlrpc optional
xmlrpc is now only used for certmaster
IPA will only make JSON RPC calls to retrieve certificates
---
configure.ac | 59 ++++++++++++++++++++++++++++++-------------------
src/Makefile.am | 33 ++++++++++++++++++++-------
2 files changed, 61 insertions(+), 31 deletions(-)
diff --git a/configure.ac b/configure.ac
index abcd6d84..14991244 100644
--- a/configure.ac
+++ b/configure.ac
@@ -278,29 +278,42 @@ if ! ${configure_dist_target_only:-false} ; then
CPPFLAGS="$savedCPPFLAGS"
LDFLAGS="$savedLDFLAGS"
- dnl PKG_CHECK_MODULES(XMLRPC,xmlrpc_client) # Not provided in upstream versions.
- savedCFLAGS="$CFLAGS"
- CFLAGS=
- AC_ARG_VAR(XMLRPC_C_CONFIG,[the full path of the xmlrpc-c-config command])
- AC_PATH_PROG(XMLRPC_C_CONFIG,[xmlrpc-c-config],,[$PATH$PATH_SEPARATOR/usr/xmlrpc/bin$PATH_SEPARATOR/usr/xmlrpc-c/bin])
- if test -z "$XMLRPC_C_CONFIG" ; then
- AC_MSG_ERROR(xmlrpc-c-config not found)
- fi
- AC_MSG_CHECKING(for XMLRPC CFLAGS)
- XMLRPC_CFLAGS="`${XMLRPC_C_CONFIG} client --cflags` `${XMLRPC_C_CONFIG} --cflags`"
- AC_MSG_RESULT([$XMLRPC_CFLAGS])
- AC_SUBST(XMLRPC_CFLAGS)
- AC_MSG_CHECKING(for XMLRPC LIBS)
- XMLRPC_LIBS="`${XMLRPC_C_CONFIG} client --libs` `${XMLRPC_C_CONFIG} --libs`"
- AC_MSG_RESULT([$XMLRPC_LIBS])
- AC_SUBST(XMLRPC_LIBS)
- CFLAGS="$CFLAGS $XMLRPC_CFLAGS"
- AC_CHECK_MEMBERS(struct xmlrpc_curl_xportparms.gssapi_delegation,,,
- [
- #include <xmlrpc-c/client.h>
- #include <xmlrpc-c/transport.h>
- ])
- CFLAGS="$savedCFLAGS"
+ PKG_CHECK_MODULES(JANSSON,jansson)
+ have_jansson=true
+
+ AC_ARG_WITH([xmlrpc],
+ [AC_HELP_STRING([--with-xmlrpc], [Enable XML-RPC support])],
+ [with_xmlrpc=${with_xmlrpc}],
+ [with_xmlrpc=no])
+ AS_IF([test x"$with_xmlrpc" = xyes], [AC_DEFINE([WITH_XMLRPC], [1],
+ [include XMLRPC support])])
+ AM_CONDITIONAL(WITH_XMLRPC,test x"$with_xmlrpc" = xyes)
+
+ AS_IF([test x"$with_xmlrpc" = xyes], [
+ dnl PKG_CHECK_MODULES(XMLRPC,xmlrpc_client) # Not provided in upstream versions.
+ savedCFLAGS="$CFLAGS"
+ CFLAGS=
+ AC_ARG_VAR(XMLRPC_C_CONFIG,[the full path of the xmlrpc-c-config command])
+ AC_PATH_PROG(XMLRPC_C_CONFIG,[xmlrpc-c-config],,[$PATH$PATH_SEPARATOR/usr/xmlrpc/bin$PATH_SEPARATOR/usr/xmlrpc-c/bin])
+ if test -z "$XMLRPC_C_CONFIG" ; then
+ AC_MSG_ERROR(xmlrpc-c-config not found)
+ fi
+ AC_MSG_CHECKING(for XMLRPC CFLAGS)
+ XMLRPC_CFLAGS="`${XMLRPC_C_CONFIG} client --cflags` `${XMLRPC_C_CONFIG} --cflags`"
+ AC_MSG_RESULT([$XMLRPC_CFLAGS])
+ AC_SUBST(XMLRPC_CFLAGS)
+ AC_MSG_CHECKING(for XMLRPC LIBS)
+ XMLRPC_LIBS="`${XMLRPC_C_CONFIG} client --libs` `${XMLRPC_C_CONFIG} --libs`"
+ AC_MSG_RESULT([$XMLRPC_LIBS])
+ AC_SUBST(XMLRPC_LIBS)
+ CFLAGS="$CFLAGS $XMLRPC_CFLAGS"
+ AC_CHECK_MEMBERS(struct xmlrpc_curl_xportparms.gssapi_delegation,,,
+ [
+ #include <xmlrpc-c/client.h>
+ #include <xmlrpc-c/transport.h>
+ ])
+ CFLAGS="$savedCFLAGS"
+ ])
savedCFLAGS="$CFLAGS"
savedCPPFLAGS="$CPPFLAGS"
diff --git a/src/Makefile.am b/src/Makefile.am
index 5343dbc4..13bd87d9 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -11,15 +11,17 @@ LDFLAGS += -Wl,-z,relro,-z,now
endif
man_MANS = certmonger.8 getcert.1 getcert-request.1 getcert-list.1 \
getcert-list-cas.1 getcert-start-tracking.1 getcert-stop-tracking.1 \
- selfsign-getcert.1 ipa-getcert.1 certmaster-getcert.1 \
+ selfsign-getcert.1 ipa-getcert.1 \
getcert-resubmit.1 certmonger-ipa-submit.8 \
- certmonger-certmaster-submit.8 \
certmonger-dogtag-ipa-renew-agent-submit.8 certmonger.conf.5 \
getcert-refresh.1 getcert-refresh-ca.1 local-getcert.1 \
certmonger-local-submit.8 getcert-status.1 \
certmonger-dogtag-submit.8 certmonger-scep-submit.8 \
getcert-add-ca.1 getcert-add-scep-ca.1 getcert-modify-ca.1 \
getcert-remove-ca.1 getcert-rekey.1
+if WITH_XMLRPC
+man_MANS += certmaster-getcert.1 certmonger-certmaster-submit.8
+endif
pkgsysconfdir = $(sysconfdir)/$(PACKAGE)
pkgsysconf_DATA = certmonger.conf
EXTRA_PROGRAMS =
@@ -105,8 +107,6 @@ libcm_a_SOURCES = \
submit-sn.c \
submit-u.c \
submit-u.h \
- submit-x.c \
- submit-x.h \
subproc.c \
subproc.h \
tdbus.c \
@@ -121,6 +121,11 @@ libcm_a_SOURCES = \
util-m.h \
util-n.c \
util-n.h
+if WITH_XMLRPC
+libcm_a_SOURCES += \
+ submit-x.c \
+ submit-x.h
+endif
libcm_o_a_SOURCES =
if HAVE_OPENSSL
libcm_o_a_SOURCES += \
@@ -158,11 +163,13 @@ ipa_getcert_SOURCES = ipa-getcert.c tm.c tm.h
ipa_getcert_LDADD = $(getcert_LDADD)
endif
if WITH_IPA
+if WITH_XMLRPC
bin_PROGRAMS += certmaster-getcert
certmaster_getcert_CFLAGS = $(getcert_CFLAGS)
certmaster_getcert_SOURCES = certmaster-getcert.c tm.c tm.h
certmaster_getcert_LDADD = $(getcert_LDADD)
endif
+endif
bin_PROGRAMS += selfsign-getcert
selfsign_getcert_CFLAGS = $(getcert_CFLAGS)
selfsign_getcert_SOURCES = selfsign-getcert.c tm.c tm.h
@@ -181,21 +188,28 @@ certmonger_session_SOURCES = main.c env-session.c tm.c tm.h
certmonger_session_LDADD = libcm.a \
$(OPENSSL_LIBS) $(CERTMONGER_LIBS) $(KRB5_LIBS) $(IDN_LIBS) \
$(GMP_LIBS) $(UUID_LIBS) $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS)
-noinst_PROGRAMS = tdbusm-check serial-check nl-check submit-x toklist
+noinst_PROGRAMS = tdbusm-check serial-check nl-check toklist
+if WITH_XMLRPC
+noinst_PROGRAMS += submit-x
+endif
tdbusm_check_SOURCES = tdbusm-check.c tm.c tm.h
tdbusm_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(POPT_LIBS) $(LDAP_LIBS)
serial_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(LTLIBICONV) $(LDAP_LIBS)
nl_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(LDAP_LIBS)
+if WITH_XMLRPC
submit_x_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) -DCM_SUBMIT_X_MAIN
submit_x_SOURCES = submit-x.c submit-x.h submit-u.c submit-u.h log.c log.h \
tm.c tm.h
submit_x_LDADD = $(XMLRPC_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \
$(GMP_LIBS) $(UUID_LIBS) $(POPT_LIBS)
+endif
toklist_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS)
toklist_LDADD = $(NSS_LIBS) $(POPT_LIBS)
if WITH_CERTMASTER
+if WITH_XMLRPC
pkglibexec_PROGRAMS += certmaster-submit
endif
+endif
if WITH_IPA
pkglibexec_PROGRAMS += ipa-submit
endif
@@ -205,19 +219,22 @@ pkglibexec_PROGRAMS += local-submit
pkglibexec_PROGRAMS += scep-submit
endif
noinst_PROGRAMS += submit-h submit-d
-ipa_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS)
+ipa_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(CURL_CFLAGS) $(JANSSON_CFLAGS)
ipa_submit_SOURCES = ipa.c srvloc.c srvloc.h store.h store-gen.c \
- submit-x.c submit-x.h submit-u.c submit-u.h \
+ submit-h.c submit-h.h submit-u.c submit-u.h \
submit-e.h util.c util.h log.c log.h tm.c tm.h
ipa_submit_LDADD = $(XMLRPC_LIBS) $(LDAP_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \
$(GMP_LIBS) $(IDN_LIBS) $(OPENSSL_LIBS) $(UUID_LIBS) \
- $(RESOLV_LIBS) $(LTLIBICONV) $(POPT_LIBS)
+ $(RESOLV_LIBS) $(LTLIBICONV) $(POPT_LIBS) $(CURL_LIBS) \
+ $(JANSSON_LIBS)
+if WITH_XMLRPC
certmaster_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS)
certmaster_submit_SOURCES = certmaster.c submit-x.c submit-x.h \
submit-e.h submit-u.c submit-u.h util.c util.h log.c log.h \
tm.c tm.h
certmaster_submit_LDADD = $(XMLRPC_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \
$(GMP_LIBS) $(UUID_LIBS) $(LTLIBICONV) $(POPT_LIBS)
+endif
dogtag_ipa_renew_agent_submit_CFLAGS = $(AM_CFLAGS) $(XML_CFLAGS) \
$(NSS_CFLAGS) $(CURL_CFLAGS) \
-DDOGTAG_IPA_RENEW_AGENT=1
--
2.25.4

93
0006-Make-xmlrpc-optional-in-the-certmonger-spec-file-dis.patch
View File

@ -1,93 +0,0 @@
From aedf7f646f28d58c6bc422423401c1d0eb31ee75 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 20 Aug 2020 16:53:50 -0400
Subject: [PATCH 06/11] Make xmlrpc optional in the certmonger spec file,
disable certmaster
This disables certmaster support by default since it requires
xmlrpc
---
certmonger.spec | 22 +++++++++++++++++++++-
configure.ac | 1 +
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/certmonger.spec b/certmonger.spec
index e1f5536e..a8e1d2e8 100644
--- a/certmonger.spec
+++ b/certmonger.spec
@@ -24,6 +24,8 @@
%global sysvinitdir %{_initrddir}
%endif
+%bcond_with xmlrpc
+
Name: certmonger
Version: 0.79.11
Release: 1%{?dist}
@@ -37,6 +39,7 @@ Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
BuildRequires: openldap-devel
+BuildRequires: krb5-devel
BuildRequires: dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn2-devel
BuildRequires: autoconf, automake, gcc, gettext-devel
%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
@@ -50,7 +53,11 @@ BuildRequires: libcurl-devel
%else
BuildRequires: curl-devel
%endif
-BuildRequires: libxml2-devel, xmlrpc-c-devel
+BuildRequires: libxml2-devel
+%if %{with xmlrpc}
+BuildRequires: xmlrpc-c-devel
+%endif
+BuildRequires: jansson-devel
%if 0%{?rhel} && 0%{?rhel} < 6
BuildRequires: bind-libbind-devel
BuildRequires: mktemp
@@ -132,10 +139,17 @@ sed -i 's,^# chkconfig: - ,# chkconfig: 345 ,g' sysvinit/certmonger.in
--enable-tmpfiles \
%endif
--with-homedir=/run/certmonger \
+%if %{with xmlrpc}
+ --with-xmlrpc \
+%endif
--with-tmpdir=/run/certmonger --enable-pie --enable-now
+%if %{with xmlrpc}
# For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
# tell us about libxmlrpc_client, but we need more. Work around.
make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc"
+%else
+make %{?_smp_mflags}
+%endif
%install
rm -rf $RPM_BUILD_ROOT
@@ -154,6 +168,12 @@ rm -rf $RPM_BUILD_ROOT
if test $1 -eq 1 ; then
%{_bindir}/dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig 2>&1 || :
fi
+%if %{without xmlrpc}
+# remove any existing certmaster CA configuration
+if test $1 -gt 1 ; then
+ %{_bindir}/getcert remove-ca -c certmaster 2>&1 || :
+fi
+%endif
%if %{systemd}
if test $1 -eq 1 ; then
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
diff --git a/configure.ac b/configure.ac
index 14991244..f2964856 100644
--- a/configure.ac
+++ b/configure.ac
@@ -876,6 +876,7 @@ else
AM_CONDITIONAL(HAVE_EC,false)
AM_CONDITIONAL(WITH_IPA,false)
AM_CONDITIONAL(WITH_CERTMASTER,false)
+ AM_CONDITIONAL(WITH_XMLRPC,false)
AM_CONDITIONAL(WITH_LOCAL,false)
AM_CONDITIONAL(HAVE_UUID,false)
fi
--
2.25.4

155
0007-Add-Referer-header-option-to-the-submit-h-API.patch
View File

@ -1,155 +0,0 @@
From 4347ce74b0001c002cb449b8dd63819634e980ae Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 20 Aug 2020 16:55:36 -0400
Subject: [PATCH 07/11] Add Referer header option to the submit-h API
This will allow IPA API requests that require the Referer header
to be set.
---
src/dogtag.c | 2 +-
src/scep.c | 6 +++---
src/submit-d.c | 2 +-
src/submit-h.c | 20 +++++++++++++++-----
src/submit-h.h | 1 +
5 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/src/dogtag.c b/src/dogtag.c
index faf81f97..d36ac008 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -691,7 +691,7 @@ main(int argc, const char **argv)
/* Submit the form(s). */
hctx = NULL;
while (url != NULL) {
- hctx = cm_submit_h_init(ctx, method, url, params, NULL, NULL,
+ hctx = cm_submit_h_init(ctx, method, url, params, NULL, NULL, NULL,
cainfo, capath, sslcert, sslkey, sslpin,
cm_submit_h_negotiate_off,
cm_submit_h_delegate_off,
diff --git a/src/scep.c b/src/scep.c
index c74ca574..e384e8da 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -496,7 +496,7 @@ main(int argc, const char **argv)
}
/* Submit the first request. */
- hctx = cm_submit_h_init(ctx, "GET", url, params, NULL, NULL,
+ hctx = cm_submit_h_init(ctx, "GET", url, params, NULL, NULL, NULL,
cainfo, NULL, NULL, NULL, NULL,
cm_submit_h_negotiate_off,
cm_submit_h_delegate_off,
@@ -593,7 +593,7 @@ main(int argc, const char **argv)
}
/* Submit a second HTTP request if we have one to make. */
if (params2 != NULL) {
- hctx = cm_submit_h_init(ctx, "GET", url, params2, NULL, NULL,
+ hctx = cm_submit_h_init(ctx, "GET", url, params2, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL,
cm_submit_h_negotiate_off,
cm_submit_h_delegate_off,
@@ -794,7 +794,7 @@ main(int argc, const char **argv)
OP_GET_CA_CERT
"&message=%d", i++);
hctx = cm_submit_h_init(ctx, "GET", url, params,
- NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL,
cm_submit_h_negotiate_off,
cm_submit_h_delegate_off,
diff --git a/src/submit-d.c b/src/submit-d.c
index 3adaa4a6..f1877c34 100644
--- a/src/submit-d.c
+++ b/src/submit-d.c
@@ -1188,7 +1188,7 @@ restart:
fprintf(stderr, "url = \"%s%s%s\"\n", uri,
params ? "?" : "", params ? params : "");
}
- hctx = cm_submit_h_init(ctx, method, uri, params, NULL, NULL,
+ hctx = cm_submit_h_init(ctx, method, uri, params, NULL, NULL, NULL,
cainfo, capath, sslcert, sslkey, sslpin,
cm_submit_h_negotiate_off,
cm_submit_h_delegate_off,
diff --git a/src/submit-h.c b/src/submit-h.c
index 9b507dbe..c04909b1 100644
--- a/src/submit-h.c
+++ b/src/submit-h.c
@@ -51,7 +51,7 @@
struct cm_submit_h_context {
int ret;
long response_code;
- char *method, *uri, *args, *accept, *ctype, *cainfo, *capath, *result;
+ char *method, *uri, *args, *accept, *ctype, *referer, *cainfo, *capath, *result;
int result_length;
char *sslcert, *sslkey, *sslpass;
enum cm_submit_h_opt_negotiate negotiate;
@@ -66,7 +66,7 @@ struct cm_submit_h_context *
cm_submit_h_init(void *parent,
const char *method, const char *uri, const char *args,
const char *content_type, const char *accept,
- const char *cainfo, const char *capath,
+ const char *referer, const char *cainfo, const char *capath,
const char *sslcert, const char *sslkey, const char *sslpass,
enum cm_submit_h_opt_negotiate neg,
enum cm_submit_h_opt_delegate del,
@@ -84,6 +84,7 @@ cm_submit_h_init(void *parent,
ctx->ctype = content_type ?
talloc_strdup(ctx, content_type) :
NULL;
+ ctx->referer = referer ? talloc_strdup(ctx, referer) : NULL;
ctx->accept = accept ? talloc_strdup(ctx, accept) : NULL;
ctx->cainfo = cainfo ? talloc_strdup(ctx, cainfo) : NULL;
ctx->capath = capath ? talloc_strdup(ctx, capath) : NULL;
@@ -180,10 +181,11 @@ cm_submit_h_run(struct cm_submit_h_context *ctx)
}
}
if (ctx->negotiate == cm_submit_h_negotiate_on) {
-#if defined(CURLOPT_HTTPAUTH) && defined(CURLAUTH_GSSNEGOTIATE)
+#if defined(CURLAUTH_NEGOTIATE)
curl_easy_setopt(ctx->curl,
CURLOPT_HTTPAUTH,
- CURLAUTH_GSSNEGOTIATE);
+ CURLAUTH_NEGOTIATE);
+ curl_easy_setopt(ctx->curl, CURLOPT_USERPWD, ":");
#else
cm_log(-1,
"warning: libcurl doesn't appear to support "
@@ -243,6 +245,14 @@ cm_submit_h_run(struct cm_submit_h_context *ctx)
header);
}
}
+ if (ctx->referer != NULL) {
+ header = talloc_asprintf(ctx, "Referer: %s",
+ ctx->referer);
+ if (header != NULL) {
+ headers = curl_slist_append(headers,
+ header);
+ }
+ }
curl_easy_setopt(ctx->curl, CURLOPT_HTTPHEADER, headers);
curl_easy_setopt(ctx->curl, CURLOPT_WRITEFUNCTION,
append_result);
@@ -415,7 +425,7 @@ main(int argc, const char **argv)
}
ctx = cm_submit_h_init(NULL, method, url, poptGetArg(pctx),
- ctype, accept,
+ ctype, accept, NULL,
cainfo, capath, sslcert, sslkey, sslpass,
negotiate, negotiate_delegate,
clientauth, cm_submit_h_env_modify_on,
diff --git a/src/submit-h.h b/src/submit-h.h
index 931cc890..b33544af 100644
--- a/src/submit-h.h
+++ b/src/submit-h.h
@@ -45,6 +45,7 @@ struct cm_submit_h_context *cm_submit_h_init(void *parent,
const char *args,
const char *content_type,
const char *accept,
+ const char *referer,
const char *cainfo,
const char *capath,
const char *sslcert,
--
2.25.4

838
0008-Switch-IPA-calls-to-use-the-JSON-RPC-endpoint-instea.patch
View File

@ -1,838 +0,0 @@
From fdc2851233f532eb78363784712c597c63e1c4c1 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 20 Aug 2020 16:57:38 -0400
Subject: [PATCH 08/11] Switch IPA calls to use the JSON-RPC endpoint instead
of XMLRPC
IPA has provided a JSON-RPC interface for many years now and has
long term plans to drop support for XMLRPC.
---
src/ipa.c | 546 ++++++++++++++++++++++++++++++++++++++--------
src/store-files.c | 2 +
2 files changed, 463 insertions(+), 85 deletions(-)
diff --git a/src/ipa.c b/src/ipa.c
index e4295826..8c089e68 100644
--- a/src/ipa.c
+++ b/src/ipa.c
@@ -33,8 +33,7 @@
#include <talloc.h>
-#include <xmlrpc-c/client.h>
-#include <xmlrpc-c/transport.h>
+#include <jansson.h>
#include <ldap.h>
#include <krb5.h>
@@ -46,7 +45,7 @@
#include "store.h"
#include "submit-e.h"
#include "submit-u.h"
-#include "submit-x.h"
+#include "submit-h.h"
#include "util.h"
#ifdef ENABLE_NLS
@@ -56,6 +55,229 @@
#define _(_text) (_text)
#endif
+static char *
+get_error_message(krb5_context ctx, krb5_error_code kcode)
+{
+ const char *ret;
+#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
+ ret = ctx ? krb5_get_error_message(ctx, kcode) : NULL;
+ if (ret == NULL) {
+ ret = error_message(kcode);
+ }
+#else
+ ret = error_message(kcode);
+#endif
+ return strdup(ret);
+}
+
+char *
+cm_submit_ccache_realm(char **msg)
+{
+ krb5_context ctx;
+ krb5_ccache ccache;
+ krb5_principal princ;
+ krb5_error_code kret;
+ krb5_data *data;
+ char *ret;
+
+ if (msg != NULL) {
+ *msg = NULL;
+ }
+
+ kret = krb5_init_context(&ctx);
+ if (kret != 0) {
+ fprintf(stderr, "Error initializing Kerberos: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return NULL;
+ }
+ kret = krb5_cc_default(ctx, &ccache);
+ if (kret != 0) {
+ fprintf(stderr, "Error resolving default ccache: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return NULL;
+ }
+ kret = krb5_cc_get_principal(ctx, ccache, &princ);
+ if (kret != 0) {
+ fprintf(stderr, "Error reading default principal: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return NULL;
+ }
+ data = krb5_princ_realm(ctx, princ);
+ if (data == NULL) {
+ fprintf(stderr, "Error retrieving principal realm.\n");
+ if (msg != NULL) {
+ *msg = "Error retrieving principal realm.\n";
+ }
+ return NULL;
+ }
+ ret = malloc(data->length + 1);
+ if (ret == NULL) {
+ fprintf(stderr, "Out of memory for principal realm.\n");
+ if (msg != NULL) {
+ *msg = "Out of memory for principal realm.\n";
+ }
+ return NULL;
+ }
+ memcpy(ret, data->data, data->length);
+ ret[data->length] = '\0';
+ return ret;
+}
+
+krb5_error_code
+cm_submit_make_ccache(const char *ktname, const char *principal, char **msg)
+{
+ krb5_context ctx;
+ krb5_keytab keytab;
+ krb5_ccache ccache;
+ krb5_creds creds;
+ krb5_principal princ;
+ krb5_error_code kret;
+ krb5_get_init_creds_opt gicopts, *gicoptsp;
+ char *ret;
+
+ if (msg != NULL) {
+ *msg = NULL;
+ }
+
+ kret = krb5_init_context(&ctx);
+ if (kret != 0) {
+ ret = get_error_message(ctx, kret);
+ fprintf(stderr, "Error initializing Kerberos: %s.\n", ret);
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ if (ktname != NULL) {
+ kret = krb5_kt_resolve(ctx, ktname, &keytab);
+ } else {
+ kret = krb5_kt_default(ctx, &keytab);
+ }
+ if (kret != 0) {
+ fprintf(stderr, "Error resolving keytab: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ princ = NULL;
+ if (principal != NULL) {
+ kret = krb5_parse_name(ctx, principal, &princ);
+ if (kret != 0) {
+ fprintf(stderr, "Error parsing \"%s\": %s.\n",
+ principal, ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ } else {
+ kret = krb5_sname_to_principal(ctx, NULL, NULL,
+ KRB5_NT_SRV_HST, &princ);
+ if (kret != 0) {
+ fprintf(stderr, "Error building client name: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ }
+ memset(&creds, 0, sizeof(creds));
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
+ memset(&gicopts, 0, sizeof(gicopts));
+ gicoptsp = NULL;
+ kret = krb5_get_init_creds_opt_alloc(ctx, &gicoptsp);
+ if (kret != 0) {
+ fprintf(stderr, "Internal error: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+#else
+ krb5_get_init_creds_opt_init(&gicopts);
+ gicoptsp = &gicopts;
+#endif
+ krb5_get_init_creds_opt_set_forwardable(gicoptsp, 1);
+ kret = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab,
+ 0, NULL, gicoptsp);
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
+ krb5_get_init_creds_opt_free(ctx, gicoptsp);
+#endif
+ if (kret != 0) {
+ fprintf(stderr, "Error obtaining initial credentials: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ ccache = NULL;
+ kret = krb5_cc_resolve(ctx, "MEMORY:" PACKAGE_NAME "_submit",
+ &ccache);
+ if (kret == 0) {
+ kret = krb5_cc_initialize(ctx, ccache, creds.client);
+ }
+ if (kret != 0) {
+ fprintf(stderr, "Error initializing credential cache: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ kret = krb5_cc_store_cred(ctx, ccache, &creds);
+ if (kret != 0) {
+ fprintf(stderr,
+ "Error storing creds in credential cache: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ krb5_cc_close(ctx, ccache);
+ krb5_kt_close(ctx, keytab);
+ krb5_free_principal(ctx, princ);
+ krb5_free_context(ctx);
+ putenv("KRB5CCNAME=MEMORY:" PACKAGE_NAME "_submit");
+ return 0;
+}
+
static int
interact(LDAP *ld, unsigned flags, void *defaults, void *sasl_interact)
{
@@ -200,7 +422,7 @@ cm_find_default_naming_context(LDAP *ld, char **basedn)
}
static int
-cm_locate_xmlrpc_service(const char *server,
+cm_locate_jsonrpc_service(const char *server,
int ldap_uri_cmd, const char *ldap_uri,
const char *host,
const char *domain,
@@ -213,10 +435,13 @@ cm_locate_xmlrpc_service(const char *server,
LDAPDN rdn;
struct berval *lbv;
char *lattrs[2] = {"cn", NULL};
- const char *relativedn = "cn=masters,cn=ipa,cn=etc", *dn;
+ const char *relativedn = "cn=masters,cn=ipa,cn=etc";
+ char *dn;
char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", **list;
int i, j, rc, n;
unsigned int flags;
+ int rval = 0;
+ int alloc_basedn = 0;
*uris = NULL;
@@ -231,14 +456,16 @@ cm_locate_xmlrpc_service(const char *server,
if (basedn == NULL) {
i = cm_find_default_naming_context(ld, &basedn);
if (i != 0) {
- free(basedn);
- return i;
+ rval = i;
+ goto done;
}
+ alloc_basedn = 1;
}
if (basedn == NULL) {
printf(_("Unable to determine base DN of "
"domain information on IPA server.\n"));
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto done;
}
/* Now look up the names of the master CAs. */
snprintf(lfilter, sizeof(lfilter),
@@ -248,26 +475,31 @@ cm_locate_xmlrpc_service(const char *server,
"(ipaConfigString=enabledService)"
")", service);
snprintf(ldn, sizeof(ldn), "%s,%s", relativedn, basedn);
- free(basedn);
+ if (alloc_basedn) {
+ free(basedn);
+ }
rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
lfilter, lattrs, 0, NULL, NULL, NULL,
LDAP_NO_LIMIT, &lresult);
if (rc != LDAP_SUCCESS) {
fprintf(stderr, "Error searching '%s': %s.\n",
ldn, ldap_err2string(rc));
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto done;
}
/* Read their parents' for "cn" values. */
n = ldap_count_entries(ld, lresult);
if (n == 0) {
fprintf(stderr, "No CA masters found.\n");
ldap_msgfree(lresult);
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto done;
}
list = talloc_array_ptrtype(NULL, list, n + 2);
if (list == NULL) {
fprintf(stderr, "Out of memory.\n");
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto done;
}
i = 0;
for (lmsg = ldap_first_entry(ld, lresult);
@@ -314,7 +546,7 @@ cm_locate_xmlrpc_service(const char *server,
switch (flags & 0x0f) {
case LDAP_AVA_STRING:
list[i] = talloc_asprintf(list,
- "https://%.*s/ipa/xml",
+ "https://%.*s/ipa/json",
(int) lbv->bv_len,
lbv->bv_val);
if (list[i] != NULL) {
@@ -328,15 +560,67 @@ cm_locate_xmlrpc_service(const char *server,
ldap_dnfree(rdn);
}
}
+ ldap_memfree(dn);
}
ldap_msgfree(lresult);
if (i == 0) {
free(list);
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto done;
}
list[i] = NULL;
*uris = list;
- return CM_SUBMIT_STATUS_ISSUED;
+ rval = CM_SUBMIT_STATUS_ISSUED;
+
+done:
+ if (ld) {
+ ldap_unbind_ext(ld, NULL, NULL);
+ }
+
+ return rval;
+}
+
+/*
+ * Parse the JSON response from the IPA server.
+ *
+ * It will return one of three types of values:
+ *
+ * < 0 is failure to parse JSON output
+ * 0 is success, no errors were found
+ * > 0 is the IPA API error code
+ */
+static int
+parse_json_result(const char *result, char **error_message) {
+ json_error_t j_error;
+
+ json_t *j_root = NULL;
+ json_t *j_error_obj = NULL;
+
+ int error_code = 0;
+
+ j_root = json_loads(result, 0, &j_error);
+ if (!j_root) {
+ cm_log(0, "Parsing JSON-RPC response failed: %s\n", j_error.text);
+ return -1;
+ }
+
+ j_error_obj = json_object_get(j_root, "error");
+ if (!j_error_obj || json_is_null(j_error_obj)) {
+ json_decref(j_root);
+ return 0; // no errors
+ }
+
+ if (json_unpack_ex(j_error_obj, &j_error, 0, "{s:i, s:s}",
+ "code", &error_code,
+ "message", error_message) != 0) {
+ cm_log(0, "Failed extracting error from JSON-RPC response: %s\n", j_error.text);
+ json_decref(j_root);
+ return -1;
+ }
+
+ cm_log(0, "JSON-RPC error: %d: %s\n", error_code, *error_message);
+ json_decref(j_root);
+ return error_code;
}
/* Make an XML-RPC request to the "cert_request" method. */
@@ -344,63 +628,98 @@ static int
submit_or_poll_uri(const char *uri, const char *cainfo, const char *capath,
const char *uid, const char *pwd, const char *csr,
const char *reqprinc, const char *profile,
- const char *issuer)
+ const char *issuer, int verbose)
{
- struct cm_submit_x_context *ctx;
- const char *args[2];
+ void *ctx;
+ struct cm_submit_h_context *hctx;
char *s, *p;
int i;
+ json_t *json_req = NULL;
+ json_error_t j_error;
+ const char *results = NULL;
+ char *json_str = NULL;
+ char *error_message = NULL;
+ char *referer = NULL;
+ int rval = 0;
+ json_t *j_root = NULL;
+ json_t *j_result_outer = NULL;
+ json_t *j_result = NULL;
+ json_t *j_cert = NULL;
+ const char *certificate = NULL;
if ((uri == NULL) || (strlen(uri) == 0)) {
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
- /* Prepare to make an XML-RPC request. */
+ ctx = talloc_new(NULL);
+
+ referer = talloc_asprintf(ctx, "%s", uri);
+
+ /* Prepare to make a JSON-RPC request. */
submit:
- if ((uid != NULL) && (pwd != NULL) &&
- (strlen(uid) > 0) && (strlen(pwd) > 0)) {
- ctx = cm_submit_x_init(NULL, uri, "cert_request",
- cainfo, capath, uid, pwd,
- cm_submit_x_negotiate_off,
- cm_submit_x_delegate_off);;
- } else {
- ctx = cm_submit_x_init(NULL, uri, "cert_request",
- cainfo, capath, NULL, NULL,
- cm_submit_x_negotiate_on,
- cm_submit_x_delegate_on);
+ json_req = json_pack_ex(&j_error, 0,
+ "{s:s, s:[[s], {s:s, s:s*, s:s*, s:b}]}",
+ "method", "cert_request",
+ "params",
+ csr,
+ "principal", reqprinc,
+ "profile_id", profile,
+ "cacn", issuer,
+ "add", 1);
+ if (!json_req) {
+ cm_log(0, "json_pack_ex() failed: %s\n", j_error.text);
+ return CM_SUBMIT_STATUS_UNCONFIGURED;
}
- if (ctx == NULL) {
- fprintf(stderr, "Error setting up for XMLRPC to %s on "
- "the client.\n", uri);
- printf(_("Error setting up for XMLRPC on the client.\n"));
+ json_str = json_dumps(json_req, 0);
+ json_decref(json_req);
+ if (!json_str) {
+ cm_log(0, "json_dumps() failed\n");
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
- /* Add the CSR contents as the sole unnamed argument. */
- args[0] = csr;
- args[1] = NULL;
- cm_submit_x_add_arg_as(ctx, args);
- /* Add the principal name named argument. */
- cm_submit_x_add_named_arg_s(ctx, "principal", reqprinc);
- /* Add the requested profile name named argument. */
- if (profile != NULL) {
- cm_submit_x_add_named_arg_s(ctx, "profile_id", profile);
- }
- /* Add the requested CA issuer named argument. */
- if (issuer != NULL) {
- cm_submit_x_add_named_arg_s(ctx, "cacn", issuer);
+ hctx = cm_submit_h_init(ctx, "POST", uri, json_str,
+ "application/json", "application/json",
+ referer, cainfo, capath,
+ NULL, NULL, NULL,
+ cm_submit_h_negotiate_on,
+ cm_submit_h_delegate_off,
+ cm_submit_h_clientauth_off,
+ cm_submit_h_env_modify_off,
+ verbose > 1 ?
+ cm_submit_h_curl_verbose_on :
+ cm_submit_h_curl_verbose_off);
+ free(json_str);
+
+ if (hctx == NULL) {
+ fprintf(stderr, "Error setting up JSON-RPC to %s on "
+ "the client.\n", uri);
+ printf(_("Error setting up for JSON-RPC on the client.\n"));
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto cleanup;
}
- /* Tell the server to add entries for a principal if one
- * doesn't exist yet. */
- cm_submit_x_add_named_arg_b(ctx, "add", 1);
/* Submit the request. */
fprintf(stderr, "Submitting request to \"%s\".\n", uri);
- cm_submit_x_run(ctx);
+ cm_submit_h_run(hctx);
/* Check the results. */
- if (cm_submit_x_faulted(ctx) == 0) {
- i = cm_submit_x_fault_code(ctx);
+
+ results = cm_submit_h_results(hctx, NULL);
+ cm_log(1, "%s\n", results);
+ if (cm_submit_h_response_code(hctx) != 200) {
+ cm_log(0, "JSON-RPC call failed with HTTP status code: %d\n",
+ cm_submit_h_response_code(hctx));
+ cm_log(0, "code = %d, code_text = \"%s\"\n",
+ cm_submit_h_result_code(hctx), cm_submit_h_result_code_text(hctx));
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
+ }
+ i = parse_json_result(results, &error_message);
+ if (i < 0) {
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
+ }
+ if (i > 0) {
/* Interpret the error. See errors.py to get the
* classifications. */
switch (i / 1000) {
@@ -424,8 +743,9 @@ submit:
}
printf("Server at %s denied our request, "
"giving up: %d (%s).\n", uri, i,
- cm_submit_x_fault_text(ctx));
- return CM_SUBMIT_STATUS_REJECTED;
+ error_message);
+ rval = CM_SUBMIT_STATUS_REJECTED;
+ goto cleanup;
break;
case 1: /* authentication error - transient? */
case 4: /* execution error - transient? */
@@ -433,22 +753,51 @@ submit:
default:
printf("Server at %s failed request, "
"will retry: %d (%s).\n", uri, i,
- cm_submit_x_fault_text(ctx));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ error_message);
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
break;
}
- } else
- if (cm_submit_x_has_results(ctx) == 0) {
- if (cm_submit_x_get_named_s(ctx, "certificate",
- &s) == 0) {
+ } else {
+ j_root = json_loads(results, 0, &j_error);
+ if (!j_root) {
+ cm_log(0, "Parsing JSON-RPC response failed: %s\n", j_error.text);
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
+ }
+
+ j_result_outer = json_object_get(j_root, "result");
+ if (!j_result_outer) {
+ cm_log(0, "Parsing JSON-RPC response failed, no outer result\n");
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
+ }
+
+ j_result = json_object_get(j_result_outer, "result");
+ if (!j_result) {
+ cm_log(0, "Parsing JSON-RPC response failed, no inner result\n");
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
+ }
+
+ j_cert = json_object_get(j_result, "certificate");
+ if (!j_cert) {
+ cm_log(0, "Parsing JSON-RPC response failed, no certificate\n");
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
+ }
+ certificate = json_string_value(j_cert);
+
+ if (certificate) {
/* If we got a certificate, we're probably
* okay. */
- fprintf(stderr, "Certificate: \"%s\"\n", s);
- s = cm_submit_u_base64_from_text(s);
+ fprintf(stderr, "Certificate: \"%s\"\n", certificate);
+ s = cm_submit_u_base64_from_text(certificate);
if (s == NULL) {
printf("Out of memory parsing server "
"response, will retry.\n");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
}
p = cm_submit_u_pem_from_base64("CERTIFICATE",
FALSE, s);
@@ -457,15 +806,19 @@ submit:
}
free(s);
free(p);
- return CM_SUBMIT_STATUS_ISSUED;
+ rval = CM_SUBMIT_STATUS_ISSUED;
+ goto cleanup;
} else {
- return CM_SUBMIT_STATUS_REJECTED;
+ rval = CM_SUBMIT_STATUS_REJECTED;
}
- } else {
- /* No useful response, no fault. Try again, from
- * scratch, later. */
- return CM_SUBMIT_STATUS_UNREACHABLE;
}
+
+cleanup:
+ json_decref(j_root);
+ cm_submit_h_cleanup(hctx);
+ talloc_free(ctx);
+
+ return rval;
}
static int
@@ -473,16 +826,17 @@ submit_or_poll(const char *uri, const char *cainfo, const char *capath,
const char *server, int ldap_uri_cmd, const char *ldap_uri,
const char *host, const char *domain, char *basedn,
const char *uid, const char *pwd, const char *csr,
- const char *reqprinc, const char *profile, const char *issuer)
+ const char *reqprinc, const char *profile, const char *issuer,
+ int verbose)
{
int i, u;
char **uris;
i = submit_or_poll_uri(uri, cainfo, capath, uid, pwd, csr, reqprinc,
- profile, issuer);
+ profile, issuer, verbose);
if ((i == CM_SUBMIT_STATUS_UNREACHABLE) ||
(i == CM_SUBMIT_STATUS_UNCONFIGURED)) {
- u = cm_locate_xmlrpc_service(server, ldap_uri_cmd, ldap_uri,
+ u = cm_locate_jsonrpc_service(server, ldap_uri_cmd, ldap_uri,
host, domain, basedn, "CA", &uris);
if ((u == 0) && (uris != NULL)) {
for (u = 0; uris[u] != NULL; u++) {
@@ -491,7 +845,7 @@ submit_or_poll(const char *uri, const char *cainfo, const char *capath,
}
i = submit_or_poll_uri(uris[u], cainfo, capath,
uid, pwd, csr, reqprinc,
- profile, issuer);
+ profile, issuer, verbose);
if ((i != CM_SUBMIT_STATUS_UNREACHABLE) &&
(i != CM_SUBMIT_STATUS_UNCONFIGURED)) {
talloc_free(uris);
@@ -562,7 +916,7 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
return CM_SUBMIT_STATUS_ISSUED;
}
/* Read our realm name from our ccache. */
- realm = cm_submit_x_ccache_realm(&kerr);
+ realm = cm_submit_ccache_realm(&kerr);
/* Read all of the certificates. */
for (lmsg = ldap_first_entry(ld, lresult);
lmsg != NULL;
@@ -588,6 +942,9 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
ldap_msgfree(lresult);
free(realm);
free(kerr);
+ if (ld) {
+ ldap_unbind_ext(ld, NULL, NULL);
+ }
return CM_SUBMIT_STATUS_ISSUED;
}
@@ -600,7 +957,8 @@ main(int argc, const char **argv)
char *csr, *p, uri[LINE_MAX], *reqprinc = NULL, *ipaconfig, *kerr;
char *uid = NULL, *pwd = NULL, *pwdfile = NULL;
const char *xmlrpc_uri = NULL, *ldap_uri = NULL, *server = NULL, *csrfile;
- int xmlrpc_uri_cmd = 0, ldap_uri_cmd = 0, verbose = 0;
+ const char *jsonrpc_uri = NULL;
+ int jsonrpc_uri_cmd = 0, ldap_uri_cmd = 0, verbose = 0;
const char *mode = CM_OP_SUBMIT;
char ldn[LINE_MAX], *basedn = NULL, *profile = NULL, *issuer = NULL;
krb5_error_code kret;
@@ -609,6 +967,7 @@ main(int argc, const char **argv)
{"host", 'h', POPT_ARG_STRING, &host, 0, "IPA server hostname", "HOSTNAME"},
{"domain", 'd', POPT_ARG_STRING, &domain, 0, "IPA domain name", "NAME"},
{"xmlrpc-url", 'H', POPT_ARG_STRING, NULL, 'H', "IPA XMLRPC service location", "URL"},
+ {"jsonrpc-url", 'J', POPT_ARG_STRING, NULL, 'J', "IPA JSON-RPC service location", "URL"},
{"ldap-url", 'L', POPT_ARG_STRING, NULL, 'L', "IPA LDAP service location", "URL"},
{"capath", 'C', POPT_ARG_STRING, &capath, 0, NULL, "DIRECTORY"},
{"cafile", 'c', POPT_ARG_STRING, &cainfo, 0, NULL, "FILENAME"},
@@ -659,9 +1018,10 @@ main(int argc, const char **argv)
poptSetOtherOptionHelp(pctx, "[options] [csrfile]");
while ((c = poptGetNextOpt(pctx)) > 0) {
switch (c) {
- case 'H':
- xmlrpc_uri = poptGetOptArg(pctx);
- xmlrpc_uri_cmd++;
+ case 'H': /* XMLRPC URI kept for backwards compatibility */
+ case 'J':
+ jsonrpc_uri = poptGetOptArg(pctx);
+ jsonrpc_uri_cmd++;
break;
case 'L':
ldap_uri = poptGetOptArg(pctx);
@@ -724,6 +1084,11 @@ main(int argc, const char **argv)
"global",
"xmlrpc_uri");
}
+ if (jsonrpc_uri == NULL) {
+ jsonrpc_uri = get_config_entry(ipaconfig,
+ "global",
+ "jsonrpc_uri");
+ }
if (ldap_uri == NULL) {
/* Preferred, but likely to only be set on a
* server. */
@@ -756,6 +1121,7 @@ main(int argc, const char **argv)
}
}
}
+ free(ipaconfig);
csr = NULL;
memset(uri, '\0', sizeof(uri));
memset(ldn, '\0', sizeof(ldn));
@@ -787,16 +1153,25 @@ main(int argc, const char **argv)
(getenv(CM_SUBMIT_ISSUER_ENV) != NULL)) {
issuer = strdup(getenv(CM_SUBMIT_ISSUER_ENV));
}
- if ((server != NULL) && !xmlrpc_uri_cmd) {
+ if ((server != NULL) && !jsonrpc_uri_cmd) {
snprintf(uri, sizeof(uri),
- "https://%s/ipa/xml", server);
+ "https://%s/ipa/json", server);
+ } else
+ if (jsonrpc_uri != NULL) {
+ snprintf(uri, sizeof(uri), "%s", jsonrpc_uri);
} else
if (xmlrpc_uri != NULL) {
- snprintf(uri, sizeof(uri), "%s", xmlrpc_uri);
+ /* strip off the trailing xml and replace with json */
+ if ((strlen(xmlrpc_uri) + 1) > sizeof(uri)) {
+ printf(_("xmlrpc_uri is longer than %ld.\n"), sizeof(uri) - 2);
+ return CM_SUBMIT_STATUS_UNCONFIGURED;
+ }
+ snprintf(uri, strlen(xmlrpc_uri) - 2, "%s", xmlrpc_uri);
+ strcat(uri, "json");
} else
if (host != NULL) {
snprintf(uri, sizeof(uri),
- "https://%s/ipa/xml", host);
+ "https://%s/ipa/json", host);
}
/* Read the CSR from the environment, or from the file named on
@@ -891,7 +1266,7 @@ main(int argc, const char **argv)
/* Setup a ccache unless we're told to use the default one. */
kerr = NULL;
if (make_keytab_ccache &&
- ((kret = cm_submit_x_make_ccache(ktname, kpname, &kerr)) != 0)) {
+ ((kret = cm_submit_make_ccache(ktname, kpname, &kerr)) != 0)) {
fprintf(stderr, "Error setting up ccache at the client: %s.\n",
kerr);
if (ktname == NULL) {
@@ -939,11 +1314,12 @@ main(int argc, const char **argv)
ret = submit_or_poll(uri, cainfo, capath, server,
ldap_uri_cmd, ldap_uri, host, domain,
basedn, uid, pwd, csr, reqprinc, profile,
- issuer);
+ issuer, verbose);
free(csr);
free(profile);
free(issuer);
free(reqprinc);
+ free(basedn);
return ret;
} else
if (strcasecmp(mode, CM_OP_FETCH_ROOTS) == 0) {
diff --git a/src/store-files.c b/src/store-files.c
index 4c3b2232..85ac692e 100644
--- a/src/store-files.c
+++ b/src/store-files.c
@@ -2650,6 +2650,7 @@ cm_store_get_all_cas(void *parent)
j++;
}
#endif
+#ifdef WITH_XMLRPC
#ifdef WITH_CERTMASTER
/* Make sure we get at least one certmaster entry. */
for (k = 0; k < j; k++) {
@@ -2670,6 +2671,7 @@ cm_store_get_all_cas(void *parent)
j++;
}
#endif
+#endif
#ifdef WITH_IPA
/* Make sure we get at least 1 dogtag-ipa-renew-agent entry. */
for (k = 0; k < j; k++) {
--
2.25.4

201
0009-Remove-the-certmaster-CA-from-the-028-dbus-test.patch
View File

@ -1,201 +0,0 @@
From dd8dcb899e0a159d1141b713993805565ffb6d28 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 16 Sep 2020 11:28:08 -0400
Subject: [PATCH 09/11] Remove the certmaster CA from the 028-dbus test
The certmaster CA is disabled by default so no longer look for it
in the dbus test.
This test will fail if certmaster is enabled. There is currently no
mechanism to dynamically enable/disable features of the tests. It
can be added if it comes up but its unclear if anyoen took advantage
of the certmaster support in the first place.
---
tests/028-dbus/expected.out | 130 ++----------------------------------
1 file changed, 6 insertions(+), 124 deletions(-)
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
index 4d6a9a59..ca7de34f 100644
--- a/tests/028-dbus/expected.out
+++ b/tests/028-dbus/expected.out
@@ -34,10 +34,6 @@ CA 'IPA':
is-default: no
ca-type: EXTERNAL
helper-location: $libexecdir/ipa-submit
-CA 'certmaster':
- is-default: no
- ca-type: EXTERNAL
- helper-location: $libexecdir/certmaster-submit
CA 'dogtag-ipa-renew-agent':
is-default: no
ca-type: EXTERNAL
@@ -45,8 +41,8 @@ CA 'dogtag-ipa-renew-agent':
[[ API ]]
[ simpleprop.py ]
-/org/fedorahosted/certmonger/cas/CA6
-/org/fedorahosted/certmonger/cas/CA6
+/org/fedorahosted/certmonger/cas/CA5
+/org/fedorahosted/certmonger/cas/CA5
: -> : -k admin@localhost -> :
0 -> 1 -> 0
[ walk.py ]
@@ -182,7 +178,7 @@ OK
OK
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ]
-dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA5')], signature=dbus.Signature('o'))
+dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4')], signature=dbus.Signature('o'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ]
dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
@@ -508,7 +504,6 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
<node name="CA2"/>
<node name="CA3"/>
<node name="CA4"/>
- <node name="CA5"/>
</node>
[ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ]
@@ -942,10 +937,10 @@ dbus.Array([], signature=dbus.Signature('s'))
</node>
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-2
+$tmpdir/cas/20180327134236-3
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
-certmaster
+dogtag-ipa-renew-agent
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ]
0
@@ -957,7 +952,7 @@ EXTERNAL
None
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ]
-$libexecdir/certmaster-submit
+$libexecdir/dogtag-ipa-renew-agent-submit
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ]
dbus.Array([], signature=dbus.Signature('s'))
@@ -965,116 +960,3 @@ dbus.Array([], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ]
1
-[ /org/fedorahosted/certmonger/cas/CA5: org.freedesktop.DBus.Introspectable.Introspect ]
-<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
-"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
-
-<node name="/org/fedorahosted/certmonger/cas/CA5">
- <interface name="org.freedesktop.DBus.Introspectable">
- <method name="Introspect">
- <arg name="xml_data" type="s" direction="out"/>
- </method>
- </interface>
- <interface name="org.freedesktop.DBus.Properties">
- <method name="Get">
- <arg name="interface_name" type="s" direction="in"/>
- <arg name="property_name" type="s" direction="in"/>
- <arg name="value" type="v" direction="out"/>
- </method>
- <method name="Set">
- <arg name="interface_name" type="s" direction="in"/>
- <arg name="property_name" type="s" direction="in"/>
- <arg name="value" type="v" direction="in"/>
- </method>
- <method name="GetAll">
- <arg name="interface_name" type="s" direction="in"/>
- <arg name="props" type="a{sv}" direction="out"/>
- </method>
- <signal name="PropertiesChanged">
- <arg name="interface_name" type="s"/>
- <arg name="changed_properties" type="a{sv}"/>
- <arg name="invalidated_properties" type="as"/>
- </signal>
- </interface>
- <interface name="org.fedorahosted.certmonger.ca">
- <method name="get_config_file_path">
- <arg name="path" type="s" direction="out"/>
- </method>
- <method name="get_nickname">
- <arg name="nickname" type="s" direction="out"/>
- </method>
- <property name="nickname" type="s" access="read"/>
- <property name="aka" type="s" access="read"/>
- <method name="get_is_default">
- <arg name="default" type="b" direction="out"/>
- </method>
- <property name="is-default" type="b" access="readwrite"/>
- <method name="get_type">
- <arg name="type" type="s" direction="out"/>
- </method>
- <method name="get_serial">
- <arg name="serial_hex" type="s" direction="out"/>
- </method>
- <method name="get_location">
- <arg name="path" type="s" direction="out"/>
- </method>
- <property name="external-helper" type="s" access="readwrite"/>
- <method name="get_issuer_names">
- <arg name="names" type="as" direction="out"/>
- </method>
- <method name="refresh">
- <arg name="working" type="b" direction="out"/>
- </method>
- <property name="ca-error" type="s" access="read"/>
- <property name="issuer-names" type="as" access="read"/>
- <property name="root-certs" type="a(ss)" access="read"/>
- <property name="root-other-certs" type="a(ss)" access="read"/>
- <property name="other-certs" type="a(ss)" access="read"/>
- <property name="required-enroll-attributes" type="as" access="read"/>
- <property name="required-renew-attributes" type="as" access="read"/>
- <property name="supported-profiles" type="as" access="read"/>
- <property name="default-profile" type="s" access="read"/>
- <property name="root-cert-files" type="as" access="readwrite"/>
- <property name="root-other-cert-files" type="as" access="readwrite"/>
- <property name="other-cert-files" type="as" access="readwrite"/>
- <property name="root-cert-nssdbs" type="as" access="readwrite"/>
- <property name="root-other-cert-nssdbs" type="as" access="readwrite"/>
- <property name="other-cert-nssdbs" type="as" access="readwrite"/>
- <property name="ca-presave-command" type="s" access="read"/>
- <property name="ca-presave-uid" type="s" access="read"/>
- <property name="ca-postsave-command" type="s" access="read"/>
- <property name="ca-postsave-uid" type="s" access="read"/>
- <property name="scep-cipher" type="s" access="readwrite"/>
- <property name="scep-digest" type="s" access="readwrite"/>
- <property name="scep-ca-identifier" type="s" access="readwrite"/>
- <property name="scep-ca-capabilities" type="as" access="read"/>
- <property name="scep-ra-cert" type="s" access="read"/>
- <property name="scep-ca-cert" type="s" access="read"/>
- <property name="scep-other-certs" type="s" access="read"/>
- </interface>
-</node>
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-3
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
-dogtag-ipa-renew-agent
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_is_default ]
-0
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_type ]
-EXTERNAL
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_serial ]
-None
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_location ]
-$libexecdir/dogtag-ipa-renew-agent-submit
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_issuer_names ]
-dbus.Array([], signature=dbus.Signature('s'))
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.refresh ]
-1
-
--
2.25.4

38
0010-Add-a-local-srpm-target-to-build-an-srpm-from-the-cu.patch
View File

@ -1,38 +0,0 @@
From 94dfc2f31b439db37b67d58e635169c29a4f8dde Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 16 Sep 2020 11:29:41 -0400
Subject: [PATCH 10/11] Add a local-srpm target to build an srpm from the
current checkout
The srpm target will pull the origin master branch and build from
that so it isn't useful for testing local changes.
---
Makefile.am | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 16d103ec..883c5932 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -29,6 +29,18 @@ ARCHIVEOUTDIR=$(shell cd $(top_srcdir) && pwd)
local-archive:
$(MAKE) archive ORIGIN=$(ARCHIVEOUTDIR)
+local-srpm:
+ repo=`pwd`; \
+ tmpdir=`mktemp -d /tmp/make_archive_XXXXXX`; \
+ if test -d "$$tmpdir" ; then \
+ git clone . $$tmpdir;\
+ cd $$tmpdir;\
+ ./make-srpm.sh;\
+ cp -v $(distdir)-*.src.rpm $(ARCHIVEOUTDIR)/;\
+ chmod -R u+rw $$tmpdir;\
+ rm -fr $$tmpdir;\
+ fi
+
srpm:
repo=`pwd`; \
tmpdir=`mktemp -d /tmp/make_archive_XXXXXX`; \
--
2.25.4

26
0011-Silence-a-rpm-macro-warning-with-an-unescaped-in-a-c.patch
View File

@ -1,26 +0,0 @@
From eda1134a9db1246eb8a24e0e01cfe1fcbff10729 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 16 Sep 2020 11:30:10 -0400
Subject: [PATCH 11/11] Silence a rpm macro warning with an unescaped % in a
comment
---
certmonger.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/certmonger.spec b/certmonger.spec
index a8e1d2e8..f2abd307 100644
--- a/certmonger.spec
+++ b/certmonger.spec
@@ -35,7 +35,7 @@ Group: System Environment/Daemons
License: GPLv3+
URL: http://pagure.io/certmonger/
Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
-#Source1: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz.sig
+#Source1: http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
BuildRequires: openldap-devel
--
2.25.4

46
certmonger.spec
View File

@ -18,9 +18,6 @@
%global tmpfiles 0
%endif
# Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1960658
%define _lto_cflags %{nil}
%if 0%{?fedora} > 9 || 0%{?rhel} > 5
%global sysvinitdir %{_initddir}
%else
@ -30,8 +27,8 @@
%bcond_with xmlrpc
Name: certmonger
Version: 0.79.13
Release: 5%{?dist}
Version: 0.79.17
Release: 1%{?dist}
Summary: Certificate status monitor and PKI enrollment client
License: GPLv3+
@ -39,9 +36,6 @@ URL: http://pagure.io/certmonger/
Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
#Source1: http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig
Patch0001: 0001-Fix-local-CA-to-work-under-FIPS.patch
Patch0002: 0002-candidate-openssl-3.0-compat-fixes.patch
Patch0003: 0003-Temporarily-disable-the-csrgen-tests.patch
BuildRequires: autoconf
BuildRequires: automake
@ -90,6 +84,7 @@ BuildRequires: /usr/bin/which
# for dbus tests
BuildRequires: python3-dbus
BuildRequires: popt-devel
BuildRequires: sed
# we need a running system bus
Requires: dbus
@ -153,6 +148,7 @@ autoreconf -i -f
%if %{with xmlrpc}
--with-xmlrpc \
%endif
--disable-dsa \
--with-tmpdir=/run/certmonger --enable-pie --enable-now
%if %{with xmlrpc}
# For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
@ -270,6 +266,40 @@ exit 0
%endif
%changelog
* Tue Dec 6 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-1
- Update to upstream 0.79.17
* Thu Apr 07 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.14-7
- Disable DSA (#2066439)
* Thu Mar 17 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.14-6
- Certificate format validation when adding the SCEP server's CA
(#1492112)
- Replace some SHA1 usages with SHA256 in the unit tests
* Thu Oct 07 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-5
- Certmonger SCEP renewal should not use old challenges (#1990926)
- Certmonger certificates stuck in NEED_GUIDANCE (#2001082)
- certmonger creates CSRs with invalid DER syntax for X509v3 extensions
with critical=FALSE (#2012261)
* Tue Sep 28 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-4
- Fix FTBFS due to change in OpenSSL 3.0.0-beta2 API (#2008451)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.79.14-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jul 28 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-2
- Re-enable LTO (#1986099)
* Thu Jun 17 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-1
- Update to upstream 0.79.14 (#1969537)
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.79.13-6
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Wed May 19 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-5
- Port to OpenSSL 3.0 (#1952930)

1
gating.yaml
View File

@ -4,4 +4,5 @@ product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
- !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}

2
sources
View File

@ -1 +1 @@
SHA512 (certmonger-0.79.13.tar.gz) = 4d7f8e1e001991886c4f5d999a906d3adb3900c3667c6a1c808f1f9baaf297693e0d85e25a0ff44e1c7a0eac9495ae346dd1bcd45e823582c9f18cab14ccdc9f
SHA512 (certmonger-0.79.17.tar.gz) = ed631cbfc0a757143af912549cecf65346994107f27651022ada8c70f0ed1bac7ee053a99b9a13290b844999710a3207aa0e7718428f3a3b6e5dd0d5db3a88a9

1
tests/.fmf/version Normal file
View File

@ -0,0 +1 @@
1

5
tests/provision.fmf Normal file
View File

@ -0,0 +1,5 @@
---
standard-inventory-qcow2:
qemu:
m: 2G

18
tests/tests.yml Normal file
View File

@ -0,0 +1,18 @@
---
- hosts: localhost
tags: [ always ]
tasks:
- set_fact:
our_required_packages:
- wget # upstream-testsuite-execution-and-rebuild-test needs wget command
- yum-utils # upstream-testsuite-execution-and-rebuild-test needs yum-builddep command
- rpm-build # upstream-testsuite-execution-and-rebuild-test needs rpmbuild command
- hosts: localhost
tags:
- classic
roles:
- role: standard-test-beakerlib
tests:
- upstream-testsuite-execution-and-rebuild-test
required_packages: "{{ our_required_packages }}"

72
tests/upstream-testsuite-execution-and-rebuild-test/Makefile Normal file
View File

@ -0,0 +1,72 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/sudo/Sanity/upstream-testsuite-execution-and-rebuild-test
# Description: This test rebuild sudo source rpm and checks that rebuild is OK. The second - main - part is about upstream testsuite execution.
# Author: Ales Marecek <amarecek@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Based on sudo rebuild test
export TEST=/CoreOS/certmonger/Sanity/upstream-testsuite-execution-and-rebuild-test
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Rob Crittenden <rcritten@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: This test rebuild sudo source rpm and checks that rebuild is OK. The second - main - part is about upstream testsuite execution." >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 30m" >> $(METADATA)
@echo "RunFor: sudo" >> $(METADATA)
@echo "Requires: sudo" >> $(METADATA)
@echo "Requires: sed" >> $(METADATA)
@echo "Requires: grep" >> $(METADATA)
@echo "Requires: rpm-build" >> $(METADATA)
@echo "Requires: yum-utils" >> $(METADATA)
@echo "Requires: make" >> $(METADATA)
@echo "Requires: libcap-devel" >> $(METADATA)
@echo "Requires: audit-libs-devel" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
rhts-lint $(METADATA)

3
tests/upstream-testsuite-execution-and-rebuild-test/PURPOSE Normal file
View File

@ -0,0 +1,3 @@
PURPOSE of /CoreOS/certmonger/Sanity/upstream-testsuite-execution-and-rebuild-test
Description: This test rebuild certmonger source rpm and checks that rebuild is OK. The second - main - part is about upstream testsuite execution.
Author: Rob Crittenden <rcritten@redhat.com>

82
tests/upstream-testsuite-execution-and-rebuild-test/runtest.sh Normal file
View File

@ -0,0 +1,82 @@
#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/sudo/Sanity/upstream-testsuite-execution-and-rebuild-test
# Description: This test rebuild sudo source rpm and checks that rebuild is OK. The second - main - part is about upstream testsuite execution.
# Author: Ales Marecek <amarecek@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Based on sudo rebuild test
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="certmonger"
_SPEC_DIR="$(rpm --eval=%_specdir)"
_BUILD_DIR="$(rpm --eval=%_builddir)"
_LOG_REBUILD_F="${PACKAGE}-rebuild.log"
_LOG_TESTSUITE_F="${PACKAGE}-testsuite.log"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
# Source package is needed for code inspection
rlFetchSrcForInstalled "${PACKAGE}" || yumdownloader --source "${PACKAGE}"
rlRun "find . -size 0 -delete" 0 "Remove empty src.rpm-s"
rlRun "yum-builddep -y --nogpgcheck ${PACKAGE}-*.src.rpm" 0 "Installing build dependencies"
[ -d ${_BUILD_DIR} ] && rlRun "rm -rf ${_BUILD_DIR}/*" 0 "Cleaning build directory"
rlRun "rpm -ivh ${PACKAGE}-*.src.rpm" 0 "Installing source rpm"
rlPhaseEnd
rlPhaseStartTest
rlRun "QA_RPATHS=0x0002 rpmbuild -ba ${_SPEC_DIR}/${PACKAGE}.spec" 0 "Test: Rebuild of source '${PACKAGE}' package"
rlGetPhaseState
if [ $? -eq 0 ]; then
cd ${_BUILD_DIR}/${PACKAGE}-*
rlRun -s "make check" 0 "Test: Upstream testsuite"
cd ${TmpDir}
while read -r I; do
if [[ "$I" =~ $(echo '([^:]+): .+ tests run, .+ errors, (.*)% success rate') ]]; then
[[ "${BASH_REMATCH[2]}" == "100" ]]
rlAssert0 "Test: Checking tests of '${BASH_REMATCH[1]}'" $?
elif [[ "$I" =~ $(echo "([^:]+): .+ tests passed; (.+)/.+ tests failed") ]]; then
[[ "${BASH_REMATCH[2]}" == "0" ]]
rlAssert0 "Test: Checking tests of '${BASH_REMATCH[1]}'" $?
fi
done < $rlRun_LOG
rm -f $rlRun_LOG
else
rlFail "Skipping testsuite part because rebuild part failed."
fi
rlPhaseEnd
rlPhaseStartCleanup
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd