certmonger/certmonger-x509-req-to-x509.patch

Backported from master.

commit 254a4b852a7c4c3cec4e99a0ae485a497fe09760
Author: Nalin Dahyabhai <nalin@redhat.com>
Date:   Tue Nov 27 12:18:51 2012 -0500

    check for errors from X509_REQ_to_X509()

commit 8a8a95489bb35271542999d07bdd62d7aca177ac
Author: Nalin Dahyabhai <nalin@redhat.com>
Date:   Tue Nov 27 18:32:06 2012 -0500

    present failure to self-sign as rejection

diff --git a/src/submit-so.c b/src/submit-so.c
index 7ad799e..39c3d33 100644
--- a/src/submit-so.c
+++ b/src/submit-so.c
@@ -117,45 +117,52 @@ cm_submit_so_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 							cert = X509_REQ_to_X509(req,
 										0,
 										pkey);
-							ASN1_TIME_set(cert->cert_info->validity->notBefore, now);
-							ASN1_TIME_set(cert->cert_info->validity->notAfter, now + life);
-							X509_set_version(cert, 2);
-							/* set the serial number */
-							cm_log(3, "Setting certificate serial number \"%s\".\n",
-							       ca->cm_ca_internal_serial);
-							serial = cm_store_serial_to_der(ca, ca->cm_ca_internal_serial);
-							seriall = strlen(serial) / 2;
-							seriald = talloc_size(ca, seriall);
-							cm_store_hex_to_bin(serial, seriald, seriall);
-							serialtmp = seriald;
-							seriali = d2i_ASN1_INTEGER(NULL, &serialtmp, seriall);
-							X509_set_serialNumber(cert, seriali);
+							if (cert != NULL) {
+								ASN1_TIME_set(cert->cert_info->validity->notBefore, now);
+								ASN1_TIME_set(cert->cert_info->validity->notAfter, now + life);
+								X509_set_version(cert, 2);
+								/* set the serial number */
+								cm_log(3, "Setting certificate serial number \"%s\".\n",
+								       ca->cm_ca_internal_serial);
+								serial = cm_store_serial_to_der(ca, ca->cm_ca_internal_serial);
+								seriall = strlen(serial) / 2;
+								seriald = talloc_size(ca, seriall);
+								cm_store_hex_to_bin(serial, seriald, seriall);
+								serialtmp = seriald;
+								seriali = d2i_ASN1_INTEGER(NULL, &serialtmp, seriall);
+								X509_set_serialNumber(cert, seriali);
 #ifdef HAVE_UUID
-							if (cm_prefs_populate_unique_id()) {
-								if (cm_submit_uuid_new(uuid) == 0) {
-									cert->cert_info->subjectUID = M_ASN1_BIT_STRING_new();
-									if (cert->cert_info->subjectUID != NULL) {
-										ASN1_BIT_STRING_set(cert->cert_info->subjectUID, uuid, 16);
-										cert->cert_info->issuerUID = M_ASN1_BIT_STRING_new();
-										if (cert->cert_info->issuerUID != NULL) {
-											ASN1_BIT_STRING_set(cert->cert_info->issuerUID, uuid, 16);
+								if (cm_prefs_populate_unique_id()) {
+									if (cm_submit_uuid_new(uuid) == 0) {
+										cert->cert_info->subjectUID = M_ASN1_BIT_STRING_new();
+										if (cert->cert_info->subjectUID != NULL) {
+											ASN1_BIT_STRING_set(cert->cert_info->subjectUID, uuid, 16);
+											cert->cert_info->issuerUID = M_ASN1_BIT_STRING_new();
+											if (cert->cert_info->issuerUID != NULL) {
+												ASN1_BIT_STRING_set(cert->cert_info->issuerUID, uuid, 16);
+											}
 										}
 									}
 								}
-							}
 #endif
-							/* add basic constraints */
-							cert->cert_info->extensions = X509_REQ_get_extensions(req);
-							basicl = strlen(CM_BASIC_CONSTRAINT_NOT_CA) / 2;
-							basicd = talloc_size(ca, basicl);
-							cm_store_hex_to_bin(CM_BASIC_CONSTRAINT_NOT_CA, basicd, basicl);
-							basictmp = basicd;
-							basic = d2i_BASIC_CONSTRAINTS(NULL, &basictmp, basicl);
-							X509_add1_ext_i2d(cert, NID_basic_constraints, basic, 1, 0);
+								/* add basic constraints */
+								cert->cert_info->extensions = X509_REQ_get_extensions(req);
+								basicl = strlen(CM_BASIC_CONSTRAINT_NOT_CA) / 2;
+								basicd = talloc_size(ca, basicl);
+								cm_store_hex_to_bin(CM_BASIC_CONSTRAINT_NOT_CA, basicd, basicl);
+								basictmp = basicd;
+								basic = d2i_BASIC_CONSTRAINTS(NULL, &basictmp, basicl);
+								X509_add1_ext_i2d(cert, NID_basic_constraints, basic, 1, 0);
+								/* finish up */
+								X509_sign(cert, pkey,
+									  cm_prefs_ossl_hash());
+								status = 0;
+							} else {
+								cm_log(1, "Error building "
+								       "certificate from "
+								       "signing request.\n");
+								status = 2;
+ 							}
-							/* finish up */
-							X509_sign(cert, pkey,
-								  cm_prefs_ossl_hash());
-							status = 0;
 						} else {
 							cm_log(1, "Error reading "
 							       "signing request.\n");
@@ -260,7 +261,12 @@ static int
 cm_submit_so_rejected(struct cm_store_entry *entry,
 		      struct cm_submit_state *state)
 {
-	return -1; /* it never gets rejected */
+	int status;
+	status = cm_subproc_get_exitstatus(entry, state->subproc);
+	if (!WIFEXITED(status) || (WEXITSTATUS(status) != 2)) {
+		return -1; /* it should never get rejected */
+	}
+	return 0;
 }
 
 /* Check if the CA was unreachable. */